|Elliott Sound Products||Is Your Security at Risk|
Copyright © 2001 - Rod Elliott (ESP)
Page Updated 20 Sept 2003
Your security - and that of your credit card - is important, but do you realise how easily either can be compromised? Cordless phones and thermal transfer plain paper fax machines may be responsible for more card fraud that we ever thought. In fact, they are downright dangerous. They are not the only grave security risks either. Wireless LANs (Local Area Networks) are now commonplace, even in SOHO (Small Office, Home Office) environments. They are very convenient, and don't require any cabling. Many of them also have virtually no worthwhile security, and anyone with a suitable receiver may be able to pick up every character sent from one machine to another.
It is difficult to know which of these is the worst - the potential for exploitation is just as high with all of these modern conveniences. This is not a trivial matter, but the instruction books and magazine advertisements for these devices are very good at telling you the features and how to use them, but are woefully lax in advising you of security issues.
This is not meant to scare you, although it probably should.
It is worth noting that the only worthwhile reference I found on the topic of cordless phones was at the US site www.privacyrights.org - there is some good info there for US readers, but it's not much use for the rest of us (other than to verify what I have to say here).
I have found no reference at all to security issues with the developer roll used by thermal transfer plain paper facsimile (fax) machines, but phone line scramblers for fax use are readily available in the US. Use of any security device is completely pointless if the developer roll is just tossed in the dustbin when it is depleted!
I have never seen a reference to this topic - anywhere! A full year after I published this, and still nothing! What happens when you fax an order through to your supplier, complete with credit card details and whatever else? Perhaps your doctor uses a plain paper fax for medical records, so what of these? Chances are, they are using a plain paper fax machine. If it is a laser fax, then there is nothing to worry about, but the extremely popular, and relatively inexpensive thermal transfer plain paper machines use a developer roll. What happens to the old rolls? The developer roll (thermal transfer roll) just happens to have every detail that was printed, and it shows in negative where the thermal head transferred the toner from the film to the paper. The rendition is perfect, and if they are simply tossed into the bin (the most likely probability), then any unscrupulous person with access to the company rubbish has access to your card details, medical records, bank details, etc.
Naturally, the problem is not limited to credit cards or medical records - almost everyone uses faxes. Government departments, schools, hotels, the list is endless - and every one of them has some of your personal details or credit card information. By rights, the instruction books for these machines should advise the owner that if sensitive information is received by the fax machine, then the thermal "ink" developer roll should be shredded before disposal. Needless to say they offer no such advice.
My machine's instructions do have a note about the developer roll - it tells you that the ink will not rub off on your hands, so it is safe to handle it. That's it!
We know that credit card fraud, identity theft and all sorts of other ill defined crimes are being committed every day - how do people get hold of our details so they can perpetrate their dastardly deeds? Well, this is one way, and as the owner of such a machine I was horrified when I changed out the first developer roll.
Being an inquisitive type (always :-), I wanted to see if the machine was smart enough to "scrunch" everything up on the developer to make maximum use of it. As it turns out, it isn't smart enough, or the manufacturers are smart enough to realise that the developer rolls are a cash cow!
What I saw on the roll was a perfect reversed (negative) image of every fax I'd received and every copy I made. All lettering was perfectly legible - credit card numbers, names, addresses, the lot. All of this, and not a single, solitary warning anywhere in the manual about the security hazard of the roll. Scared me, I can tell you!
What You Can Do
Before you send a fax with potentially sensitive information, check with the recipient if they use a thermal plain paper machine, and ask if they shred the developer rolls. We know exactly what the answer will be in most cases - either ...
Note that as stated above, laser and inkjet fax machines (or even the old thermal paper faxes) do not have this problem - they don't use a developer roll, so the details are confined to the page that is printed.
If the person cannot (or will not) tell you what sort of machine it is, and what they do with the rolls, then ask them to get you the information, or you will take your custom elsewhere. You have every right to know.
In just the same way, the carbon paper on the credit card voucher (in the "old" mechanical imprinting machines) has a negative imprint of your card - always, always make sure that it is torn up into small pieces in front of you. Otherwise, anyone can get hold of it, and they then have your card details.
Remember - just because you are paranoid, it doesn't mean "they" are not out to get you.
The cordless telephone is now in a huge number of households and businesses. How many movies have you seen where the baddie arranges a hit, deal, or whatever else - and uses a cordless phone? I have seen quite a few such movies, and even the old analogue mobile (cell) phones are/were not secured in any form at all. The proof of that was Prince Charles' infamous mobile phone conversation with Camilla Parker-Bowles - that was picked up using a scanner, and in no time at all was all over the radio and newspapers.
"But!" the legislators and lawyers will cry "to use this information is illegal, and is in violation of the 'Listening Devices for Complete Morons act [of Parliament (or Congress)] of 1902' - everyone knows that." Big deal. Since when has any criminal been afraid of some antiquated law that prohibits them from using something that no-one can prove they have obtained anyway? (BTW, the answer to that little quiz is "never", but you knew that already :-)
The common cordless phone is not encrypted, and uses one of perhaps 10 open frequencies that any scanner can pick up. In many cases, you don't even need a scanner. Take your phone around the block, and the chances are that you will be able to get dialtone from someone else's phone line, or listen to their conversation. At this point, it may not even be illegal in many cases. It may only become an illegal act if you make a call from someone else's phone, thus defrauding them of the call and the cost thereof, or if you use the information you obtain by listening to their call. But who can prove it? What if it happens to you?
Some time ago, I was chatting to a fellow at my local pub (watering hole). He has a scanner, and told me that he has heard countless banking transactions and credit card payments made on cordless phones - account numbers, PINs, the lot. If he were of a criminal bent, all he'd need is a tape recorder to record the transaction details. With the aid of a DTMF (Dual Tone Multi Frequency) decoder, it would then be possible (easy, more like it) to convert the tones recorded from the phone into numbers. This is not science fiction, it is extremely easy to do - the decoder ICs are available from many chip makers, and are dead simple to use by anyone who knows electronics.
What about if you suspect criminal activity in a neighbouring house? You call the police using your cordless phone (since you can stay by the window and advise them of what you see). What if the activity were completely kosher, but someone else (with a scanner) heard it, and went and told everyone else in your street. Your neighbour would be quite rightly pissed off, and your name would be mud.
Worse still! What if you were 100% right, and the activities you saw were indeed criminal? What if the person with the scanner were one of "them"? Now you are in serious danger. Admittedly, these are extreme cases, but are nonetheless quite plausible and may have already happened - in fact, both scenarios probably have happened!
Few of us are going to find ourselves in either of those situations, but there are obviously a great many people using cordless phones for banking, paying bills using their credit cards, discussing possibly sensitive details about their job, or arranging the odd "discrete" meeting.
So, how many times have you done any of those things? Who was listening? If it's a scanner, you will never know if you are being heard or not, since there is only a one-way communication (scanners are receivers only - they don't have a transmitter). Forget that bollocks you see on TV where the line makes clicking noises if there is a bug of some kind - they don't make noise! What sensible criminal (ok, I know that's an oxymoron :-) would make a silent listening device that wasn't actually silent?
What You Can Do
Use a DECT (Digitally Enhanced Cordless Telephony) phone - these are encrypted, as are the new "spread spectrum" handsets. Either of these will give you much greater security than the standard cordless telephone.
Even if you have a secure cordless phone, to be safe, use a wired phone for all banking or credit card transactions.
If you call someone to give or receive highly sensitive information, ask if they are using a cordless phone. If so, ask them to use a wired phone instead. Explain the reason, and if they refuse to listen to you (the potential for similar conversations as for the fax issue is quite high), do not continue with the conversation. You have a right to privacy, and if others put that in jeopardy, you are not obligated to continue.
There can be no doubt that the wireless LAN is a wonderful thing for many people. You can move about with a notebook computer just like you can wander around while chatting on a cordless phone (not quite the same thing, but you get the idea). There are no wires to run, and it all seems so easy ... until someone is able to attach to your LAN, or just "listen" to the LAN traffic.
Most of the earlier generation of wireless LANs were extremely susceptible to eavesdropping, and some of the later offerings are not much better. The level of security with any wireless system is nowhere near as high as a wired LAN. An optical LAN is virtually impenetrable, but is much more than most people need or can afford.
There is not so much to say on this topic, as it has been covered fairly extensively in many computer magazines, and even the popular press has made its comments. It would have been remiss of me not to have mentioned this potential security hazard though, and it is worth mentioning that if someone really thinks that you have something they can steal, they will go to all sorts of measures to do so. Even better if you have no idea, since you will keep feeding them information.
The world's military establishments have used encryption for a long time, and there are big stakes indeed in cracking a code (the Enigma machine used by Germany in the WW2 is a perfect example). Enormous expense and time is spent on trying to break any code that is created - even the encryption used in SSL (Secure Socket Layer) TCP/IP transactions over the internet has been cracked - it's not easy, but it can be (and has been) done.
What You Can Do
Fairly obviously, don't use a wireless LAN for sensitive information. If you absolutely have to do so, then make sure that it uses a level of security that is appropriate to the sensitivity of your data.
For reasons that remain entirely obscure to me, nearly all IT departments seem to think that making you change your password every 5 minutes enhances security. It does not! People get frustrated, and either write it down somewhere (where they - or anyone else - will be able to find it), or end up using simple passwords (swearwords are quite common for a lot of people). These will be cracked with only a half-hearted attempt by the cat.
A relatively simple first attempt at cracking a password will "throw" a dictionary at it. Start from Aabec (Australian tree bark) or Aardvark (burrowing animal) and continue through to Zyzomma (it's a dragon fly). They (the baddies) might even add the digits 0 to 9 at the end on subsequent passes. Any normal word will offer no resistance at all.
A good password does not appear in a dictionary, and is not the name of your dog, cat, mother, girl/boy friend, or anything else that people might be able to work out. Changing a password of "password" to "passw0rd" is no better - it is still painfully obvious. Besides, any password cracking program worth its salt will know of the standard digit substitutions used. A good password does not appear in a dictionary, and is easily remembered.
Weird "invented" words, bizarre word combinations, or even changing a single letter can make a great password. Consider "happiness" as a password - lousy isn't it? It's in the dictionary and will be found easily. How about "happenis"? (A tad risqué perhaps, but you will remember it! And it's not a real word.) As a password, the latter is much, much better.
As an example of a good password, one I introduced at work (and no, I am not going to tell you what it was) was used for over 5 years on customer machines. It was never compromised in all that time, and no-one who needed it ever forgot it once I explained how it was derived. It would appear in no dictionary, so was effectively random. That's a good password!
Completely random passwords would seem to offer the best security, but this is not really the case. No-one ever remembers them, so they will be written down somewhere, and they are hard to type, which makes it easier for someone "spying" to catch what you type in.
The Windows operating system doesn't help either - by default, filename extensions are hidden in later versions, so the user does not get to see the .com, .exe, .pif, .scr (etc.) at the end of the filename. One can "unhide" extensions easily enough, but most users never do so. The filename extension is a sure way to tell that "picture.jpg" is really "picture.jpg.exe" - naturally it will be a virus!
The frightening thing about some of the newer worm viruses is that they open a path into your computer, and as you type your user name and password into your internet banking site, the criminals who wrote the virus may be able to capture this information (plus anything else that may be useful to the criminal elements). The "Sobig" worm has this ability, and it is bound to become more common. It is now commonly believed that Sobig was not the work of a computer geek, but was very carefully written by a criminal gang, with the sole intention of using the worm to "open" as many PCs as possible for intrusion. If you have had the Sobig worm on your machine, consider changing bank account PINs and other sensitive material you may have stored on your hard disk.
Also, it is important to bear in mind that Microsoft never sends spam e-mails with attached "patches" for your operating system, and nor does any other s/w provider. The ability to obtain patches, updates and the like is either built into the program or is available from the manufacturer's website. (MS will also never pay you to read and forward e-mails!)
What You Can Do
Never open any attachment without first scanning it for viruses, using the latest virus signature file for your virus scanner. If you do not have anti-virus software installed, then get a copy now!!! Consider the cost of someone being able to acquire your bank details vs. the cost of the software - it really is a no-brainer.
If you have a broadband connection, use a firewall! To remain on-line without one is asking for trouble. I have one installed on my PC, and almost daily I get pop-up messages telling me that "someone on [ip.address] wants to ping your machine", or "send a UDP datagram" or whatever. These are probes from hackers and/or criminals looking for vulnerable machines on the internet. If your machine is open to the outside world (and most are), then you are at serious risk.
In fact, I strongly recommend using a firewall even for a dial-up connection. Yes, a firewall may be a nuisance, must be configured (so you have to learn how to do that), and may even cost you money (although there are many freeware versions available). Compare that to the potential loss (monetary, identity theft, etc.) if someone were to gain free access to your computer and all your files. If you are not scared by this, you either have nothing at all on your PC, or believe in the theory that "it will never happen to me". Yes it will - eventually, or maybe it just did!
To make it look authentic, many such e-mails have links to the "real" site included, but the form data will be sent somewhere completely different. If you are unsure, e-mail the site's help desk and ask them - forward the entire e-mail you were sent, and have them verify its authenticity. 99% of the time, you will be told it's a scam, and not to provide the details requested.
In some cases, you may be taken to a website that looks "exactly" the same as the real thing. A recent PayPal scam did just that - the only difference between the fake PayPal site and the real one was in the URL in the browser's URL window.
What You Can Do
Always be suspicious of any e-mail that tells you that you must "verify" your account details. Be doubly suspicious of any request that seems unreasonable, asks too many questions of a personal or financial nature, or that just seems "wrong" somehow. If there is the slightest suspicion on your part, you are probably right!
Anything that seems too good to be true is! The Nigerian money scam and its derivitaves have netted the criminals involved millions of dollars, and this will continue as long as people see a "golden opportunity" and leap into it without so much as a web search.
Always, always do a search on anything that seems odd. Most times, you will find that some helpful individual somewhere (or many of them) has already investigated it, and you can find out what "they" are up to.
We are not really secure, but there is no reason to make it easy for anyone to get hold of our personal details. Take sensible precautions. As well as the points mentioned above, beware of the following security holes ...
Remember that just as locks are made to keep honest people out, encryption and other precautions are the same. If someone really wants your data, they will get it. Much of the time, sensitive information is leaked by someone with a big mouth, or is acquired by happenstance. There is however, a growing trend for people to obtain information by stealth or deception, and it is up to all of us to make it as hard as we possibly can for others to obtain our details - "accidentally" or otherwise.
For those who visit my pages regularly, this may be seen as somewhat "off topic" for a hi-fi audio site, but I thought that this information was too important not to share. Should anyone have other information, or feels that I have left out some detail, please send me an e-mail with your query or comments.
|Copyright Notice. This article, including but not limited to all text and diagrams, is the intellectual property of Rod Elliott, and is Copyright © 2002. Reproduction or re-publication by any means whatsoever, whether electronic, mechanical or electro-mechanical, is strictly prohibited under International Copyright laws. The author (Rod Elliott) grants the reader the right to use this information for personal use only, and further allows that one (1) copy may be made for reference. Commercial use is prohibited without express written authorisation from Rod Elliott.|