Sunday, August 28, 2016

The Dark Side and Physical Security.
I recently saw a vine on Twitter that jokingly shows someone plugging a USB keyboard into a USB charger, acting out the Hollywood style of hacking. The amateur didn't wear gloves. I myself have pictured a cute, spunky, bubble-gum-chewing teen with pink and black hair completing a hack, then turning to the camera, pulling the gum from her mouth and shoving it into the RJ45 port she was using on the wall, whispering in a sultry voice something along the lines of “always cover your tracks.” While the saliva on the gum might short something, it’s not the real threat. Physical security is a real necessity; watch Twitter and Facebook and you see RJ45 connections, open USB ports, and all sorts of other connections just waiting for the right person with the right know-how to steal or manipulate information in systems such as standalone ATM machines, voting machines, and point-of-sale terminals. Undetectable in some cases, these are real threats.

There are a lot of articles out there about key loggers and computers on a stick that people can plug into systems and television sets, but there is a dark side to physical security as well: the people who don’t want information, but rather want to cause downtime, expense, confusion, chaos, and distraction. Anyone who has soldered wire understands heat and protective coatings. When I worked in IT, I never patched a cable into a network switch where I wasn’t expecting a live connection. Too many people can sit down with a personal laptop and plug in, but that is not the real threat to the machines on the other end unless it’s the right person.

Often, a real threat is less than a meter away.
See, the electronic world we live in runs on low voltage and amperage. It expects 5 V, 2 V, or sometimes a single volt on a connection. It’s not designed for someone to take an extension cord with an RJ45 tip on it and shove it into the socket. A couple of things happen: if that cable is connected to anything that makes a short, it will likely trip the breaker, depending on the device, but before that it sends a surge of electricity down the line that can melt the jackets off thin UTP CAT-5 cable, potentially causing a fire, and it can also pop multiple resistors, capacitors, and switches in expensive, highly sensitive equipment. Plugged into a disconnected battery back-up, it can produce a charge that repeats with a simple reset. This can fry motherboards, breadboards, and simple circuits with ease.

In terms of operational security, or opsec, someone may use a device like this on USB ports to short motherboards, on CAT 5e to damage network connections and network hardware, and even on phone terminals, shorting switchboards. Additionally, someone could melt components in a cell phone, rendering data unreadable, inaccessible, or very difficult to obtain in a time of need. You can’t call for help in an emergency with no working devices.

I’ve seen homemade devices as well, where someone takes the guts from a $5 disposable camera with a flash and uses the step-up transformer and high-output capacitor to deliver a charge to electronics. These are scary things to consider. So if it doesn’t need to be connected, disconnect it, and cover unnecessary ports on exposed machines. Additionally, remember not to leave portable devices lying around. While someone could use your phone to take obscene pictures, they can also prevent you from making a call if you’re being set up.

Monday, March 21, 2016

Threat of a lack of maintenance in regard to PHP and MySQL code on existing websites

I've a few clients who outsourced their initial site builds to companies in India. The developers used teams of people who applied 2001 best practices to build these sites circa 2009. The sites are mostly on shared hosting, a few on managed hosting, but here is the thing: while I'm working on the sites to upgrade their code, it occurred to me that there are likely thousands of PHP websites running the old MySQL database connectors on shared hosting and some managed hosting plans at various hosts, and nobody knows about the underlying issue at hand.

From a security standpoint, anything that prints an error on a website or web page and lets an attacker see the directory structure of the server gives them information that helps them refine their attacks and vulnerability scans.

According to the PHP documentation, these database connectors are deprecated as of PHP 5.5.

Since functions like mysql_connect, mysql_query, and the like have been deprecated, any website using these functions needs to be brought relatively current with updated code that uses something like the PDO (PHP Data Objects) database connectors and classes. When a host upgrades a web server that is hosting sites built on this older code, all of those database connections will ultimately break. Since a large percentage of websites pull all of their content from the database, this will be a major issue. The database connections won't work, so depending on the level of error reporting, visitors may see error messages or they may see nothing but a few placeholders in an empty interface.

SEO and regular organic traffic will be negatively impacted. If a site doesn't work for a few weeks while someone makes repairs, it can be costly for a business.

What can be done?
  1. If the site is running PHP, the code can be examined for functions beginning with mysql_. Simply adding an "i" to the end of mysql can fix these issues in many cases; however, this is not as good a solution as using PHP's PDO library for the connection.
  2. Those functions, and the output of those functions, all need to be rewritten to use the newer standards.
  3. While this can be a time-consuming and sometimes expensive process, it is a lot less expensive to fix it before a server is upgraded than to have developers edit code on deadline while the website is down.
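The rewrite described in the steps above, and the point about error output disclosing server details, as an added example that is not code from the original post: the legacy ext/mysql lookup (deprecated in PHP 5.5, removed in PHP 7.0) beside its PDO replacement. The table name pages, its columns slug and body, and the credentials are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumes a table `pages`
// with columns `slug` and `body`; host, user and password are placeholders.

// Old style: the ext/mysql functions deprecated in PHP 5.5 and removed
// in PHP 7.0. Besides breaking on the next server upgrade, the query is
// built from raw input and mysql_error() is echoed straight to the page,
// which is exactly the kind of error output that leaks server details.
function get_page_legacy($slug)
{
    $link = mysql_connect('localhost', 'webuser', 'secret');
    mysql_select_db('site', $link);
    $res = mysql_query("SELECT body FROM pages WHERE slug = '$slug'", $link)
        or die('Query failed: ' . mysql_error());
    $row = mysql_fetch_assoc($res);
    return $row ? $row['body'] : null;
}

// Replacement using PDO with a prepared statement. Database errors are
// logged server-side; the visitor only ever sees a generic message.
function get_page_pdo($slug)
{
    try {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=site;charset=utf8mb4',
            'webuser',
            'secret',
            [
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES   => false,
            ]
        );
        $stmt = $pdo->prepare('SELECT body FROM pages WHERE slug = :slug');
        $stmt->execute([':slug' => $slug]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['body'] : null;
    } catch (PDOException $e) {
        // Keep the detail (paths, DSN, SQL) out of the response body.
        error_log('DB error in get_page_pdo: ' . $e->getMessage());
        return null;
    }
}

// Usage: render the page body, or a generic notice if the lookup failed.
$body = get_page_pdo($_GET['slug'] ?? 'home');
echo $body ?? 'This page is temporarily unavailable.';
```

Pairing PDO::ERRMODE_EXCEPTION with a catch block that logs rather than prints is what keeps a broken connection after an upgrade from turning into an information disclosure on the public page.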