
Security

October 23, 2009 12:47 PM PDT

Demos to show spying on mobile IP calls

by Elinor Mills

Using VoIP-based mobile devices over Wi-Fi or IP video phones? Be careful.

Researchers plan to demonstrate this weekend how they can eavesdrop on voice over IP conversations made using an iPhone over a Wi-Fi network and snoop on video and audio communications between IP video phones.

These types of man-in-the-middle eavesdropping attacks aren't new; however, these could be the first public demonstrations of them on these particular platforms.

This screen shot shows the user interface of UCSniff. The user can listen in on a conversation and see the video of two people talking on an IP-based video phone. The two video screens show what each of the video phones is displaying.

(Credit: Viper Lab, Sipera Systems)

In the VoIP demo at ToorCon in San Diego on Saturday, Jason Ostrom, director of Viper Lab at Sipera Systems, will listen to the conversation of someone talking on an iPhone over an unsecured wireless network. The exploit targets smartphones that are using SIP (Session Initiation Protocol) for VoIP, he said on Friday.

Ostrom will use an open-source assessment tool called UCSniff to listen to and record the conversation. A new version of the tool will be released publicly on Saturday, he said.

In another demo, Ostrom will show an attack in which he can view and listen in real time to video and audio from a conversation made over an IP video phone.

At Defcon in July, Ostrom demonstrated attacks in which someone could eavesdrop on video conference calls and intercept surveillance camera video.

Sipera Systems will announce new security products next week that can help protect against the VoIP over Wi-Fi smartphone attack, said Adam Boone, vice president of marketing and product management at the company.

Originally posted at InSecurity Complex
July 31, 2009 5:51 PM PDT

Researchers offer tools for eavesdropping and video hijacking

by Elinor Mills

LAS VEGAS--Showing off technology that James Bond would love, two researchers at Defcon on Friday demonstrated tools that allow people to eavesdrop on video conference calls and intercept surveillance camera video.

An attacker needs to be in the same building as the victims to carry out the man-in-the-middle attacks over the network.

The free UCSniff tool, available in Linux and Windows versions, offers a slick graphical user interface for sniffing video, said Jason Ostrom, director of the Viper Lab at Sipera Systems. The tool basically tricks the voice-over-IP network carrying the video into sending the data packets to the attacker's computer, he said.

This could be used to spy on people. For instance, an attacker could listen in on and record confidential conversations between an executive who is on a video conference call with another remote executive, according to Ostrom.

Ostrom and Arjun Sambamoorthy, a research engineer at Viper Lab, also have developed another free tool called VideoJak that can be used to intercept video streams.

Thieves planning to steal from a museum, for example, could use the tool to change live surveillance video being watched by a museum security guard so that it replayed previous video of the art, giving thieves time to steal art without detection.

Attackers can replay video from the same stream or inject other video, like pornography, the researchers said.

Companies can use encryption on the network server to protect against these attacks, but encryption is not enabled by default, Ostrom said.

"These assessment tools can show you the impact of the vulnerability to your network," he said.

John Draper, aka "Capt. Crunch," said he is interested in using the UCSniff tool to test the systems at start-up En2Go where he is chief technology officer. En2Go is signing up with companies to deliver high-definition media, including movies and corporate videos, to desktops.

"I want to ensure customers and clients that someone can't steal movies off Flyxo," En2Go's system, he said.

Intercepting streaming video isn't new, but UCSniff "makes it easier; it makes it plug and play," Draper said.

Originally posted at InSecurity Complex
July 6, 2009 10:48 AM PDT

Microsoft warns of hole in Video ActiveX control

by Elinor Mills

Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.

Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.

Asked to explain what is meant by "no by-design uses," Christopher Budd, Security Response Communications lead, said: "In older operating systems like Windows XP that were originally developed under older programming methodologies, this ActiveX control was enabled for use within Internet Explorer by default to allow for possible future uses. These uses never materialized and as part of the more stringent security requirements that Windows Vista was developed under, this control was later disabled for use within Internet Explorer."

Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.

Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.

The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.

When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.

Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of Web sites are hosting the exploit.

Internet Explorer versions 6 and 7 are at risk, but people running IE 8 are not vulnerable, Symantec said.

Updated July 7 8:25 a.m. PDT with Microsoft explanation of "by-design," and July 6 at 11:45 a.m. PDT with background on a previous DirectShow hole and more details on exploits of the most recent hole.

April 2, 2009 7:43 AM PDT

Goodmail debuts e-mail service with streaming video

by Dawn Kawamoto

Goodmail Systems on Thursday unveiled CertifiedVideo, which offers streaming video capabilities within e-mail.

Goodmail, which provides companies and nonprofits with encrypted e-mail, is adding embedded streaming video capabilities to its service.

"Americans watched more than 14 billion online videos this past January alone. With CertifiedVideo, consumers can now watch videos within their e-mail in-box without having to click to an external Web site, and brands can tap into shifting media consumption habits and craft truly interactive, e-mail 3.0 marketing campaigns," Peter Horan, Goodmail CEO, said in a statement.

AOL is the first e-mail provider to offer CertifiedVideo. Among the companies sending footage over the e-mail service are Country Music TV, LiveNation, The New York Times, and Target.

With its CertifiedVideo service, Goodmail first analyzes a prospective sender's video player for code stability and platform compatibility, with the aim of ensuring the video can be delivered and viewed. After it's been approved, a sender can use Goodmail's CertifiedEmail system to add encrypted video tokens to outbound messages.

The outbound messages are designed to notify the recipient's e-mail provider to deliver the message directly to the recipient with the video content enabled, according to Goodmail.

November 3, 2008 4:27 AM PST

ISC East showcases video, surveillance, GPS tech

by Marc Weber Tobias

Brickhouse Security's local tracking system for kids, up to 500 feet range

(Credit: Marc Weber Tobias)

I spent several hours at ISC East in New York last week to see the latest security hardware and software.

I was disappointed because the conference and expo offered more of the same; nothing really innovative caught my attention, or that of my associates. It seems the industry is focusing on video technology: cameras, DVRs, IP, wireless, remote surveillance, and many flavors of software that all essentially accomplish the same result. There were a few lock manufacturers, alarm distributors, monitoring centers, and access control providers, but I thought the number of exhibitors was relatively slim.

The integration of sophisticated electronics, RF and transmission technology, optics, and RFID is all a matter of course now, which perhaps was the most incredible aspect of the show. However, the event did not present a wide enough view of the available security hardware and truly unique applications that I saw three weeks ago at Security Essen in Germany. For those of you that are responsible for keeping abreast of the incredible array of technology and applications that are available, Essen is one of the prime venues every October. Virtually everyone is there, representing every security and software vendor in the incredibly diverse security sector.

What did intrigue me at ISC East were the number of applications that involve GPS technology and how it is being applied to anticipate and solve security issues. Location-based service, utilized by commercial and government sectors, will dramatically increase in the future. Already, there is a proliferation of this technology in phones, computers, vehicles, watches, cameras, communications hardware, tracking devices, and a host of other implementations.

Government has employed GPS and Assisted GPS for quite some time for tracking criminal suspects. In fact, Nextel was an early provider of location-based services for the trucking industry and, in so doing, also developed sophisticated mapping capabilities that were used by federal law enforcement agencies for determining the precise location of cell phones. The technology was so good, even five years ago, that the specific floor within a building where a suspect was located could be determined.

Law enforcement has been able to take advantage of GPS technology for tracking and catching criminals and terrorists. Almost everyone who uses a cell phone that was manufactured within the last few years is carrying a personal tracking device. The options available to investigative agencies are awesome, and I believe the public would be more than concerned if everyone realized the extent to which their "personal communicator"--first characterized in the Man from U.N.C.L.E. TV show in the 1960s--has evolved and come to fruition.

Cellular telephones and personal privacy are anathema to each other, especially if there are abuses by government agencies in exploiting the capabilities of the technology.

At ISC East, there were several vendors that specialize in the implementation of GPS technology for use in both the private and public sectors. One of those companies is Brickhouse Security, located in New York. It has been a leader in supplying and implementing this technology in a wide array of products for businesses and police. GPS can provide efficiencies in personnel and fleet management, asset tracking, and employee location and protection. Perhaps as important is the prevention of theft, which is a significant problem and is likely to increase as the economy slows down. Brickhouse also has developed hardware for video and audio surveillance, countermeasures, wireless solutions, biometrics, and other restricted applications.

I interviewed Todd Morris, president of Brickhouse, with regard to the current state of the art and two of his company's products. Brickhouse offers a device for tracking kids, up to 500 feet. It is simple and clever and can also be used to keep an eye on elderly people with dementia. The other system is the P-Track Pro, which uses a CDMA cellular link on Sprint to report the location of an embedded tracking device that can be placed virtually anywhere.

The proliferation of GPS already affects many facets of our mobile life. Although the integration of location-based technologies is almost endless, it does not come without risk. The potential to track the movements of a person and his or her vehicle can seriously erode rights of privacy. Already, spouses are placing store-and-forward or real-time tracking devices in cars to spy on their wives or husbands. Best Buy sells a system called Zoombak, which is a small package that can be implemented by anyone to instantly ping the location of a target and display the data on any computer that is connected to the Net.

By law, every phone in the U.S. must be capable of reporting its location for E911 services. The ability to locate someone who calls for help is obviously a desirable and necessary feature for public safety providers, but the flip side can lead to abuse. We have far surpassed the capabilities that were dramatized in 1984. While we are lucky that we have these sophisticated capabilities, we must also be vigilant as to their use. Presently, there is little legislation dealing with GPS applications to surveillance. I am quite sure that when lawmakers realize that their whereabouts can be instantly tracked, legislation will be enacted, just like when their cell phone call logs were obtained.

Brickhouse Security's P-Track device can be placed anywhere and will report its location via CDMA link.

(Credit: Marc Weber Tobias)
