A caution, in particular, about "dropshippers" who offer lowest price but have no inventory or track record

hank

This caution recently appeared at Slashdot:

Quote:
Use sites recommended by people you know who have actually used them and had good experiences, not some $RANDOM_SITE_WITH_LOWEST_PRICE that may be some kid in a basement and his mom who don’t have a clue. If they’re the lowest price, it may be because they’re skimping on things like security and not because they have bulk buying power

Dropshippers can get wholesale prices from the big sources, advertise things very cheap, collect your payment information, send it back to the big source and have the item shipped.
They never touch it, they never see it, they have no clue what it is they’re selling.

Slashdot cautions that people selling very cheap, with no track record, may also be cutting security corners.

And in other recent news, anything USB now can come with automounting malware — the fact that USB is inherently insecure on almost all computers was very quickly followed by people discovering that e-cigarette chargers and USB cables may come with malware ready to load onto your computer the first time you insert the USB device.
http://www.reddit.com/r/hacking/comments/2nzsfj/badusb_ecigarettes/

(I’ll be curious to see how long ago this selling of hacked cheap USB cables and stuff started, whether it’s a new problem for us customers and just the hardware people rushing the crap into production, or a long-term problem of stuff being sold that attacked your computer for months or years and is just now becoming public.)

People selling stuff really cheap may be making their real profits elsewhere than the few pennies they get from you.

Also, people selling stuff really expensive may just be reselling stuff they got really cheap, of course.

Point is — watch out, out there.

hank

I know a few things to watch out for:
— sites that send you your new password in plain text (and keep doing it each time you change it)
— sites using HTTP instead of HTTPS

What else do you think twice about, on a new web page offering cheap cheap cheap — do you look for a security policy?

(Me, mostly, I just register with a disposable email address and see if spam starts showing up to that address, an early detection system for crap artists)

eas

Buyer beware is always good advice. For most stuff, I’d rather pay an extra 10% to get something from a reputable seller, or a marketplace that provides good buyer protection. If the savings is more than that, I start to get suspicious.

That said, that ecig malware looks like a bunch of crap. Sure, it is theoretically possible and I’m sure we’ll be hearing more and more about USB security issues in the coming years, but that reddit thing isn’t credible. Just look at the original “report” on /r/talesfromtechsupport.

Quote:
I have a story I wanted to share about a data security breach at a large corporation.

Is it the poster’s story? It isn’t clear, until you look at the OP’s follow-up comments, particularly this one:

Quote:
No, it is just a story, I am sorry, no details.

So, something he heard somewhere once. Ok.

Anyway, let’s look at the rest…

Quote:
One particular executive had a malware infection on his computer from which the source could not be determined. The executive’s system was patched up to date, had antivirus and up to date anti-malware protection. Web logs were scoured and all attempts made to identify the source of the infection but to no avail. Finally, after all traditional means of infection were covered, IT started looking into other possibilities. They finally asked the executive, “Have there been any changes in your life recently?” The executive answered, “Well yes, I quit smoking two weeks ago and switched to e-cigarettes.” And that was the answer they were looking for: the made-in-China e-cigarette had malware hard-coded into the charger, and when plugged into a computer’s USB port the malware phoned home and infected the system. Moral of the story is: have you ever questioned the legitimacy of the $5 eBay made-in-China USB item that you just plugged into your computer? Because you should, you damn well should. Sincerely, An IT guy

The answer they were looking for? So, basically, they now had a plausible explanation, and so they accepted it as true. Good enough to close the ticket, maybe, good enough for a story. Not good enough to count as an in-the-wild sighting of a theoretical exploit.

I regard the story itself as a type of social-malware. It’s worth some consideration on its own.

It is, ostensibly, constructed to encourage “safe” behavior, but as such, I’d say it rates up there with telling pre-teens that kissing a boy will make a girl pregnant — impractical, and so oversimplified that as soon as people inevitably see through it, they will be dubious about any “adult” advice on the topic.

Then there are the narrative elements: A mystery, a persistent hero the intended audience can identify with, finding that their “superior’s” foolish actions have been the cause of the superior’s own undoing. Plus, the unseen villain is, basically, China, playing to people’s xenophobia and insecurity about their financial security in a global marketplace.

(Yeah, I’m lots of fun at parties.)

hank
Quote:
The answer they were looking for? So, basically, they now had a plausible explanation, and so they accepted it as true. Good enough to close the ticket,

Certainly likely, and I have the same suspicion any time an IT department says they’re happy now, please don’t ask anything more about this.

From the descriptions of this USB security hole, for any given USB item, it does sound like if something hasn’t been weaponized yet, it probably will be.

The caution is — for anything we buy with USB — that this is a new thing to watch out for.

And how do we watch out for it? ….

snakebite

Disable autorun globally.
It’s more an annoyance to me anyway.
I always saw it as a risk too.
No autorun = no way for the embedded malware to execute.

hank

Also, and in particular, what to watch out for on new sales sites with no history or recommendations — the ones that you never heard of, that show up in Google when you search for a flashlight.

Those, often, are dropshippers — and may have real low prices, or may have issues. I’m just wondering what to watch for besides
— using https not http
— not sending passwords in plain text

What else can you look for to tell who’s going to become a reliable supplier?
Or what can you ask a new supplier to do to be a good reliable source?
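One way to make the two checks in that post repeatable, as an added example rather than anything posted in this thread: the script below audits a shop’s front page from two captured responses for the same URL, one fetched over http:// and one over https://, and flags the things a sloppy site tends to get wrong (no redirect to https, no HSTS, session cookie without Secure/HttpOnly, a login form that posts the password to http://). The shop name cheap-lights.example and both sets of responses are constructed sample data, not a real vendor, and the 180-day HSTS threshold is an assumption. Nothing here touches the network.

```python
"""Hygiene audit of a new shop's front page (added example; constructed data).
Feed it two captured responses for the same page, http:// and https://."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 307, 308}
MIN_HSTS_SECONDS = 180 * 24 * 3600   # assumed minimum sensible max-age


class FormFinder(HTMLParser):
    """Collect [action, has_password_field] for every <form> in the page."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def header_values(headers, name):
    """Every value of a header, case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value; 0 if absent."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit(http_resp, https_resp):
    """Findings as (severity, text) tuples, most severe first.
    Each response is a dict: url, status, headers (list of (name, value)), body."""
    findings = []
    # 1. Plain http:// must bounce straight to https://; otherwise anyone on the
    #    path sees, and can rewrite, the whole shopping session.
    location = header_values(http_resp["headers"], "Location")
    redirected = (http_resp["status"] in REDIRECTS and location
                  and urlsplit(location[0]).scheme == "https")
    if not redirected:
        findings.append(("high", "http:// page served without redirect to https://"))
    # 2. HSTS keeps later visits off plain http even if the user types the bare name.
    hsts = header_values(https_resp["headers"], "Strict-Transport-Security")
    if not hsts:
        findings.append(("medium", "no Strict-Transport-Security header"))
    elif hsts_max_age(hsts[0]) < MIN_HSTS_SECONDS:
        findings.append(("low", "Strict-Transport-Security max-age under 180 days"))
    # 3. Session cookies need Secure (never sent over http) and HttpOnly
    #    (not readable by script injected into the page).
    for cookie in header_values(https_resp["headers"], "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("high", f"cookie {name} lacks Secure"))
        if "httponly" not in attrs:
            findings.append(("medium", f"cookie {name} lacks HttpOnly"))
    # 4. A login/checkout form posting to http:// sends the password in the
    #    clear even though the page itself arrived over https.
    finder = FormFinder()
    finder.feed(https_resp["body"])
    for action, has_password in finder.forms:
        target = urljoin(https_resp["url"], action)
        if has_password and urlsplit(target).scheme != "https":
            findings.append(("high", f"password form posts to {target}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample data for a hypothetical shop; cheap-lights.example is not a real site.
SLOPPY_HTTP = {"url": "http://cheap-lights.example/", "status": 200,
               "headers": [("Content-Type", "text/html")], "body": "<html>welcome</html>"}
SLOPPY_HTTPS = {"url": "https://cheap-lights.example/", "status": 200,
                "headers": [("Content-Type", "text/html"),
                            ("Set-Cookie", "PHPSESSID=abc123; Path=/")],
                "body": ('<form action="http://cheap-lights.example/login.php" method="post">'
                         '<input name="user"><input type="password" name="pass"></form>')}
CAREFUL_HTTP = {"url": "http://cheap-lights.example/", "status": 301,
                "headers": [("Location", "https://cheap-lights.example/")], "body": ""}
CAREFUL_HTTPS = {"url": "https://cheap-lights.example/", "status": 200,
                 "headers": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                             ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")],
                 "body": '<form action="/login" method="post"><input type="password" name="pass"></form>'}

if __name__ == "__main__":
    for severity, text in audit(SLOPPY_HTTP, SLOPPY_HTTPS):
        print(f"[{severity}] {text}")
    print("careful site findings:", audit(CAREFUL_HTTP, CAREFUL_HTTPS))
```

On the constructed sloppy site this reports three high findings (no redirect, session cookie without Secure, password form posting to http://) and two medium ones; the careful variant comes back clean. None of this tells you whether the shop will ship your flashlight, but a site that fails all four in 2014 has not spent anything on the basics, which is the Slashdot point.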

Muto

http://budgetlightforum.com/node/31141?page=2#comment-674231

Solarforce, supposed to be “Friends of BLF” and still they will not pay the money to clean up their sloppy security.

I for one, have not and will not buy anything from them directly because of this.
There have to be repercussions for sloppy/cheap/amateur web sites with no safeguards.

It starts here, vote with your wallet!

Later,
Keith

The difference between Hoarding and Collecting is the illusion of Organization
.
.“I will get one of flashlight from patrol car”

“History doesn’t repeat itself, but it sometimes rhymes,” Mark Twain

After the Apocalypse there will be only 2 things left alive, Cockroaches and Keith Richards

WarHawk-AVG

My DCP enumerator boards (both versions) also double as USB wrappers… no juice jacking or syncing up with devices that could be a problem… just straight up 5 VDC charging power and no data transfer at all.

But yes..you never know what kind of security a vendor has, or doesn’t have…just ask the customers of Home Depot and Target about that

texaspyro
snakebite wrote:
no autorun=no way for the embedded malware to execute.

Actually not! Analysis of the Stuxnet virus revealed a 0-day exploit that used a corrupted .LNK file to auto-run a file and install malware. That exploit has since been used by a lot of evildoers.

And a Snowden leak showed that the NSA has been using tricked-up USB cables for years. There are LOTS of USB devices/cables out there now that carry malware. Some of the trickier exploits actually re-write the firmware of some USB device, which will then re-infect any computer it is hooked to… and no anti-virus will find it.

And then there is malware that re-flashes the computer BIOS ROM. And supposedly some laptops made by Lenovo (and other Chinese makers) come with spyware built into their BIOS or even basic hardware chips:

http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_...
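snakebite’s answer above was to turn autorun off; texaspyro’s reply is that a device which rewrites its own firmware does not need autorun, because it can simply enumerate as a keyboard or a network adapter the moment it is plugged in. The defence that addresses that is to decide, per device and by what it actually enumerates as, whether the host will accept it. Below is an added example of that decision logic, not code from anyone in this thread: devices an admin has enrolled in person by vendor ID, product ID and serial are allowed; anything un-enrolled that presents a HID (keyboard/mouse) or network interface is refused; and a composite that mixes HID with storage or networking, the BadUSB pattern, is refused with a specific reason. All vendor/product IDs, serials, product strings and the sample policy are invented. On Linux the USBGuard daemon enforces rules of this shape, and the per-device authorized attribute under /sys/bus/usb/devices is the kernel knob such a daemon flips.

```python
"""USB device authorization by interface class (added example; constructed data).
A device is judged by what it enumerates as, not by what its label says."""
from dataclasses import dataclass

# USB-IF interface class codes
HID, MASS_STORAGE, HUB = 0x03, 0x08, 0x09
CDC_CONTROL, CDC_DATA, WIRELESS = 0x02, 0x0A, 0xE0
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    product: str        # descriptor string; informative only, never trusted
    interfaces: tuple   # interface class codes as enumerated


@dataclass(frozen=True)
class Policy:
    enrolled: frozenset          # (vid, pid, serial) triples an admin approved in person
    allow_storage: bool = False  # let un-enrolled plain storage sticks mount?


def decide(dev, policy):
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    classes = set(dev.interfaces)
    if (dev.vid, dev.pid, dev.serial) in policy.enrolled:
        # Enrollment is the only way a HID device gets in.  Limit: reflashed
        # firmware can copy a known VID/PID/serial, so this keeps out strangers'
        # devices, not an exact clone of one you already enrolled.
        return "allow", "enrolled device"
    if not classes:
        return "block", "device enumerated with no interfaces"
    if HID in classes:
        if classes & (NETWORK_CLASSES | {MASS_STORAGE}):
            # A "stick" or "charger" that also registers a keyboard is the
            # BadUSB pattern: the keyboard types, the storage carries payload.
            return "block", "composite HID + storage/network (BadUSB pattern)"
        return "block", "un-enrolled HID device could inject keystrokes"
    if classes & NETWORK_CLASSES:
        return "block", "un-enrolled network adapter could take over DHCP/DNS"
    if classes == {HUB}:
        return "allow", "bare hub"
    if classes == {MASS_STORAGE}:
        if policy.allow_storage:
            return "allow", "plain storage permitted by policy"
        return "block", "removable storage not permitted by policy"
    return "block", f"unhandled interface classes {sorted(classes)}"


# Constructed devices with invented IDs and serials.
OFFICE_KEYBOARD = Device(0x1234, 0x0001, "KB-0001", "Keyboard", (HID,))
CHARGER_CABLE = Device(0x1234, 0x0099, "", "USB Charger", (HID,))        # "charger" that types
ECIG = Device(0x5678, 0x0002, "EC-77", "E-Cig Charger", (MASS_STORAGE, HID))
PLAIN_STICK = Device(0x5678, 0x0003, "ST-42", "Flash Disk", (MASS_STORAGE,))
CLONED_KEYBOARD = Device(0x1234, 0x0001, "KB-9999", "Keyboard", (HID,))  # same VID/PID, other serial

POLICY = Policy(enrolled=frozenset({(0x1234, 0x0001, "KB-0001")}))

if __name__ == "__main__":
    for d in (OFFICE_KEYBOARD, CHARGER_CABLE, ECIG, PLAIN_STICK, CLONED_KEYBOARD):
        verdict, why = decide(d, POLICY)
        print(f"{d.product:<14} {verdict:<5} {why}")
```

Two things the output makes visible that the autorun discussion does not: the thing sold as a “USB Charger” is refused purely because it showed up on the bus as a keyboard (a charger that only touches the power pins never enumerates at all), and a keyboard with the enrolled vendor and product ID but a different serial is still refused, while a clone that also copies the serial would not be, which is exactly the weakness texaspyro describes with reflashed firmware.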

hank

> LOTS of USB devices/cables out there now that carry malware.

I predict a wave of sites hyping “Protected Secure USB Cable With Malware Filter, Discount, 80 percent off ….”

snakebite

I had seen the LNK exploit, but I remembered that got patched fast.
Looks like we will be X-raying cables, opening devices, etc. to look for stuff that does not belong.
Maybe this will deter folks from buying cheap USB junk and plugging it in.

Fritz t. Cat

hank wrote:

And in other recent news, anything USB now can come with automounting malware — the fact that USB is inherently insecure on almost all computers was very quickly followed by people discovering that e-cigarette chargers and USB cables may come with malware ready to load onto your computer the first time you insert the USB device.
http://www.reddit.com/r/hacking/comments/2nzsfj/badusb_ecigarettes/

Power supplies are probably safe, because they only connect to the power pins. If in doubt, one can check that. So USB chargers seem to be safe unless the thieves pay to add signal pins.

Flashlight designers should look at lighthouses and pottery.

texaspyro
Fritz t. Cat wrote:
Power supplies are probably safe, because they only connect to the power pins. If in doubt, one can check that. So USB chargers seem to be safe unless the thieves pay to add signal pins.

No, chargers are VERY likely to be sources of attack. Almost all chargers these days have connections to the data lines. They signal the charger how much current the device wants to use. That is why “USB condom” devices exist… to block data from passing, but (the good ones) allow the charging current state to be passed.

There have been several charger based hacks spotted in the wild… airport/coffee shop charging stations are popular attack points.