|By Tomer Teller||
|February 23, 2012 06:45 AM EST||
Quick Response (QR) codes are intended to help direct users quickly and easily to information about products and services, but they are also starting to be used for social engineering exploits. This article looks at the emergence of QR scan scams and the rising concern for users today.
You don't have to look far these days to spot a QR code. From their humble beginnings in labelling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.
QR codes are a jumping-off point from the offline to the online world. By simply scanning the code with your smartphone, people can quickly access the digital content triggered by the code - making them a marketer's dream because they make it easy to direct users toward information and services. What's more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.
However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware. While the concept of ‘drive-by downloads' is already well established as a stealthy tactic for stealing user data when web browsing, QR codes offer a new method for manipulating mobile users in a similar way.
A Matter of Trust
The issue with QR codes is that it forces users to trust the integrity of the code's provider and assume that the destination it leads to is legitimate. This is almost impossible for individuals to gauge because the QR code actually conceals the site and content it leads to. While social engineering exploits have evolved from the email worms of the early 2000s, they still rely on human curiosity to see what might happen when users click on an attachment or a QR code is scanned, which often leads to security problems.
Furthermore, QR code-scanning applications running on smartphones can provide a direct link to other smartphone capabilities, such as email, SMS, location-based services and application installations - further extending the potential risks to mobile devices. Let's look at how a potential QR code-based exploit could be mounted, and then at how to defend against it.
The first step in mounting a QR exploit is to distribute the code, to get it in front of potential victims. This could happen by embedding the QR code in an email - making it an elaborate phishing exploit - or by distributing plausible-looking physical documents with QR code on them, for example flyers at a trade show, or even stickers applied to genuine advertisement billboards.
Once the QR code is distributed, the attacker has a multitude of scam options to choose from. At a basic level, the code could simply redirect users to fake websites for phishing purposes - such as a fake online store or a payment site.
More sophisticated exploits involve hackers using the QR code to direct users to websites that will ‘jailbreak' their mobile device - that is, allow root access to the device's operating system and install malware. This is essentially a drive-by download attack on the device, enabling additional software or applications, such as key loggers and GPS trackers, to be installed without the user's knowledge or permission.
Targeting the Mobile Wallet
Perhaps the biggest potential risk to users is the rising use of mobile banking and payments via smartphones. With the ability of QR codes to jailbreak devices and tap into applications, this could give hackers virtual pick-pocket access to mobile wallets, especially as QR-based payment solutions already exist and are in use. While the uptake of these is currently small, it will grow as public acceptance of QR codes increases.
What can organizations and individual users do to mitigate the risks from QR codes? The most important precaution is being able to establish exactly what link or resource the QR code is going to launch when it's scanned. Some (not all) QR scanning applications give this visibility and - critically - ask the user to confirm if they wish to take the action. This gives users the opportunity to assess the link's validity before the code is activated.
For corporate smartphones, consider deploying data encryption so that even if a malicious QR code manages to install a Trojan on the device, sensitive data is still protected and not immediately accessible or usable by hackers.
In conclusion, the risks presented by QR codes are really a new spin on well-established hacking tricks and exploits. The security basics still apply - be cautious about what you scan, and use data encryption where possible. Or put simply: look before the QR leap.
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devices - comp...
Aug. 31, 2016 04:45 PM EDT Reads: 3,836
Thomas Bitman of Gartner wrote a blog post last year about why OpenStack projects fail. In that article, he outlined three particular metrics which together cause 60% of OpenStack projects to fall short of expectations: Wrong people (31% of failures): a successful cloud needs commitment both from the operations team as well as from "anchor" tenants. Wrong processes (19% of failures): a successful cloud automates across silos in the software development lifecycle, not just within silos.
Aug. 31, 2016 04:30 PM EDT Reads: 2,244
[session] Architecting for the Cloud By @RagsS | @CloudExpo @IBMBluemix #Cloud #Docker #Microservices
As the world moves toward more DevOps and Microservices, application deployment to the cloud ought to become a lot simpler. The Microservices architecture, which is the basis of many new age distributed systems such as OpenStack, NetFlix and so on, is at the heart of Cloud Foundry - a complete developer-oriented Platform as a Service (PaaS) that is IaaS agnostic and supports vCloud, OpenStack and AWS. Serverless computing is revolutionizing computing. In his session at 19th Cloud Expo, Raghav...
Aug. 31, 2016 04:00 PM EDT Reads: 1,123
19th Cloud Expo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterpri...
Aug. 31, 2016 02:00 PM EDT Reads: 3,280
This complete kit provides a proven process and customizable documents that will help you evaluate rapid application delivery platforms and select the ideal partner for building mobile and web apps for your organization.
Aug. 31, 2016 01:30 PM EDT Reads: 3,250
The following fictional case study is a composite of actual horror stories I’ve heard over the years. Unfortunately, this scenario often occurs when in-house integration teams take on the complexities of DevOps and ALM integration with an enterprise service bus (ESB) or custom integration. It is written from the perspective of an enterprise architect tasked with leading an organization’s effort to adopt Agile to become more competitive. The company has turned to Scaled Agile Framework (SAFe) as ...
Aug. 31, 2016 12:00 PM EDT Reads: 1,054
SYS-CON Events announced today that eCube Systems, a leading provider of middleware modernization, integration, and management solutions, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. eCube Systems offers a family of middleware evolution products and services that maximize return on technology investment by leveraging existing technical equity to meet evolving business needs. ...
Aug. 31, 2016 11:15 AM EDT Reads: 926
This is a no-hype, pragmatic post about why I think you should consider architecting your next project the way SOA and/or microservices suggest. No matter if it’s a greenfield approach or if you’re in dire need of refactoring. Please note: considering still keeps open the option of not taking that approach. After reading this, you will have a better idea about whether building multiple small components instead of a single, large component makes sense for your project. This post assumes that you...
Aug. 31, 2016 08:45 AM EDT Reads: 5,356
Monitoring of Docker environments is challenging. Why? Because each container typically runs a single process, has its own environment, utilizes virtual networks, or has various methods of managing storage. Traditional monitoring solutions take metrics from each server and applications they run. These servers and applications running on them are typically very static, with very long uptimes. Docker deployments are different: a set of containers may run many applications, all sharing the resource...
Aug. 31, 2016 07:00 AM EDT Reads: 2,178
With so much going on in this space you could be forgiven for thinking you were always working with yesterday’s technologies. So much change, so quickly. What do you do if you have to build a solution from the ground up that is expected to live in the field for at least 5-10 years? This is the challenge we faced when we looked to refresh our existing 10-year-old custom hardware stack to measure the fullness of trash cans and compactors.
Aug. 31, 2016 02:45 AM EDT Reads: 1,917
The emerging Internet of Everything creates tremendous new opportunities for customer engagement and business model innovation. However, enterprises must overcome a number of critical challenges to bring these new solutions to market. In his session at @ThingsExpo, Michael Martin, CTO/CIO at nfrastructure, outlined these key challenges and recommended approaches for overcoming them to achieve speed and agility in the design, development and implementation of Internet of Everything solutions wi...
Aug. 31, 2016 02:15 AM EDT Reads: 2,311
Aug. 30, 2016 11:15 PM EDT Reads: 5,008
There's a lot of things we do to improve the performance of web and mobile applications. We use caching. We use compression. We offload security (SSL and TLS) to a proxy with greater compute capacity. We apply image optimization and minification to content. We do all that because performance is king. Failure to perform can be, for many businesses, equivalent to an outage with increased abandonment rates and angry customers taking to the Internet to express their extreme displeasure.
Aug. 30, 2016 08:45 PM EDT Reads: 2,481
SYS-CON Events announced today that 910Telecom will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and ...
Aug. 30, 2016 08:00 PM EDT Reads: 2,065
Right off the bat, Newman advises that we should "think of microservices as a specific approach for SOA in the same way that XP or Scrum are specific approaches for Agile Software development". These analogies are very interesting because my expectation was that microservices is a pattern. So I might infer that microservices is a set of process techniques as opposed to an architectural approach. Yet in the book, Newman clearly includes some elements of concept model and architecture as well as p...
Aug. 30, 2016 07:45 PM EDT Reads: 10,952
Before becoming a developer, I was in the high school band. I played several brass instruments - including French horn and cornet - as well as keyboards in the jazz stage band. A musician and a nerd, what can I say? I even dabbled in writing music for the band. Okay, mostly I wrote arrangements of pop music, so the band could keep the crowd entertained during Friday night football games. What struck me then was that, to write parts for all the instruments - brass, woodwind, percussion, even k...
Aug. 30, 2016 07:45 PM EDT Reads: 3,246
DevOps at Cloud Expo – being held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...
Aug. 30, 2016 05:45 PM EDT Reads: 3,611
Modern organizations face great challenges as they embrace innovation and integrate new tools and services. They begin to mature and move away from the complacency of maintaining traditional technologies and systems that only solve individual, siloed problems and work “well enough.” In order to build...
Let's just nip the conflation of these terms in the bud, shall we?
"MIcro" is big these days. Both microservices and microsegmentation are having and will continue to have an impact on data center architecture, but not necessarily for the same reasons. There's a growing trend in which folks - particularly those with a network background - conflate the two and use them to mean the same thing.
They are not.
One is about the application. The other, the network. T...
Aug. 30, 2016 09:45 AM EDT Reads: 4,790
If you are within a stones throw of the DevOps marketplace you have undoubtably noticed the growing trend in Microservices. Whether you have been staying up to date with the latest articles and blogs or you just read the definition for the first time, these 5 Microservices Resources You Need In Your Life will guide you through the ins and outs of Microservices in today’s world.
Aug. 30, 2016 08:45 AM EDT Reads: 5,286