Monday, October 6, 2014

The Coyote and Road Runner from cyberspace

In the mid-50s, young animator Chuck Jones created Wile E. Coyote and the Road Runner, a series of cartoons. It started as a parody and shortly afterwards achieved an unexpected success that took it to many Western countries, and even some in Asia. Wile E. Coyote used to patrol the desert of the southwestern United States, a common area for the Road Runner, the fastest bird, who enjoyed watching his nemesis fail over and over again. Over half a century later, what began as a simple hobby represents the antithesis of what is experienced in cyberspace every day.

One fact shows our concerns about being hunted by the Coyote: over 21% of American citizens have never destroyed correspondence (digital or physical) containing private content (such as invoices or bank details). Moreover, 45% of them use the same passwords for all services, and 49% have not changed their password in the last six months, according to the percentages recently published by AARP on the risk of becoming a victim of identity theft.

Moving from data to money hunting, this morning we learned, in an interview on FMT, of a technique that allows an expert to send requests to an ATM to take control of its security camera and withdraw money. To carry out such an attack, the Coyote would need an RM100 chip, which would be responsible for installing a Trojan on a specific (and old) type of cash machine. Later, with a phone specially prepared with software available for free on the deep web, the attacker would send the appropriate codes to obtain the coveted reward.

Coyotes have multiple ways to hunt down clueless road runners. One of the most common is to install backdoors in paid tools that are made freely available to the victim. Some pirated copies of Adobe Photoshop CS and Adobe Illustrator CS, available via Torrent, one of the busiest roads in the third environment, serve as bait. They contain a hole large enough to allow remote control of the OS X devices where they are installed. 17,000 infected computers became "free" thanks to a joint operation by Apple and Reddit.

What can a Road Runner do against a Coyote that is always one step ahead? A good alternative is to raise walls that make its work more difficult. For instance, a (computer) mouse that analyzes the way you hold it and your tics to establish a pattern of use that could be used as identification. Besides, this identification is not based on a physical pattern (such as fingerprints) but on a neurological one, and therefore it is harder to fool.

The combination of local and cloud passwords is another good alternative, increasingly common in the industry. Matthew Green explains how encryption works internally in the iPhone 6 and iPhone 6 Plus, which is based on the same principle. A unique ID needs to be validated both on the device (via an internal chip inaccessible by software) and on the company’s servers (where it is associated with a different account ID). Because of this, the company itself cannot decrypt a client's data without physically having the device, which prevents theft of data from the company’s servers or the delivery of such information to law enforcement.

Road Runner’s security often clashes with the usability and freedom he has when running around the desert. Siri strikes again, allowing anyone to access messages, recent calls, notes and calendar with no need to unlock the device. Fortunately, a simple change in iOS settings prevents Apple’s assistant from going through your data and facilitating the hunter’s work.

Whatever fable you choose, between coyotes and road runners or between cats and mice, remember that reality outdoes fiction.

