Juice Jacking: Do you practice safe charging?

For at least the past five years “juice jacking” has been fairly well known in the security community.  Juice jacking is a term to describe stealing data from or implanting malicious data on mobile devices when they are plugged into a “charging kiosk”.

Anyone who has traveled in the past few years has seen these kiosks setup in airports, hotels, concerts, conferences, and other public areas.  They are becoming so common that it is hardly though about who installed it.

In 2011 the folks at Wall of Sheep tested people at security conferences by installing a hoax kiosk that captured information off cell phones that were plugged into charge.  Even at a security conference, many people plugged in.

So how do you prevent this type of attack?  Well, one choice is to abstain from using these kiosks.  But come on, we know you’re going to be weak.  You’ll be sitting in the airport with a slowly fading battery.  The kiosk will entice you.

Another option is to practice safe charging using a device like a USB condom (yes, it is real thing.)  The device blocks the data connections on the USB device, only allowing the power connections through.  This guarantees that no one can read or write data to or from your device.

A third option is to not use the kiosks directly.  Many now carry around a simple battery charger like this (I’m not endorsing that brand, just providinng an example.)  These are so common that they sell them at convenience stores now.  Plug that device into the kiosk, then use the device to charge your phone.

Which ever route you choose, think first, then charge.


Phishing still king

Again this last year phishing lead the charge in most data breaches.  According to the latest phishme “2016 Enterprise Phishing Susceptibility and Resiliency Report” 91% of data breaches begin with spearphishing.  This is supported by the 2016 Verizon Data Breach Report.

Both companies warn that phishing attacks are a significant threat, potentially the most significant.

Phishing has reportedly been at the heart of many high profile data breaches including Anthem, JP Morgan, and others.

Unfortunately there are not great technological solutions to prevent phishing.  Spam tools or anti-virus may help, but phishers continually evolve their messages and approaches.

Training, in my opinion, is still the best way to prevent phishing or any type of social engineering.  Through targeted training and testing, organizations have the ability to reduce a persistent threat

Data classification: Attempting to solve for x without knowing a, b, and c.

Computerweekly.com has an interesting post on federal government security classifications and cloud provisioning.  The TLDR is that many federal agencies are paying too much, because they are classifying information incorrectly and vendors are happy to upsell protections.

In my experience in state government, the problem is very different.  To begin with few agencies have strong data classification policies.  In Texas, the Department of Information Resources published a data classification template that agencies can use to develop a classification scheme.  Personally, I think the template (and associate white paper) is a marvelous piece of work :).  It is unclear how many actually used the template, though.

The problem isn’t limited to Texas.  Based on discussion with the CISOs from other states, data classification is a difficult problem for many.

The issue raised is how to determine the appropriate protections for data when classification programs don’t exist.  The result is agencies will either over protect public data or under protect sensitive data.  Several states have a de facto policy of requiring all data to be hosted in the continental United States (conus).  While this is appealing, it also drives up prices for cloud services.

Many of the regulations that affect states (most recently CJIS) have dropped the conus requirements.  Requiring conus storage for “public” data is probably not the best use of taxpayer money.  Without a strong data classification program, though, it is hard to make informed decisions.