Put It in the Cloud, They Said. It’ll Be Fun, They Said.

Not only do you not own devices that depend on online services, but those devices are also more exposed to unauthorized remote access. If your Internet-connected devices aren’t secure, they can be accessed by unauthorized third parties, which makes for an awkward time when the device in question can play audio:

That suave chat is a translation of what webcam owner and shocked F-bomb flinger Rilana Hamer, of the Netherlands, related in a 1 October Facebook post.

Hamer says that a month or two ago, she picked up a Wi-Fi enabled camera to keep an eye on the house. Most particularly, to keep an eye on her puppy, who has a penchant for turning everything upside down. She bought the device at Action—a local discount-chain store that mostly sells low-budget convenience utilities.

Hamer’s experience isn’t unusual. In fact, there’s a website dedicated to streaming the feeds of insecure video cameras. Internet of Things (IoT) manufacturers have a pretty dismal record when it comes to security, and few have shown any notable effort to improve that record. While the ramifications of this lack of security awareness aren’t immediately obvious for many IoT devices, they are obvious when it comes to devices that let unauthorized third parties interact with you.

What Happens When You Don’t Own Something

The cloud is good. The cloud is holy. The cloud is our savior. If you listen to the marketing departments of online service providers and Internet of Things manufacturers, you’d be led to believe that the cloud will soon cure cancer. While there can be advantages to moving services online, there are also major disadvantages. The biggest disadvantage, in my opinion, is the fact that you don’t own anything that is dependent on an online service. People who bought the Canary security camera are learning this lesson the hard way:

Canary, a connected home security camera company, announced changes to its free service last week that went into effect on Tuesday. Under the new terms, non-paying users will no longer be able to freely access night mode on their cameras nor will they be able to record video for later viewing. Night mode is a feature that lets you set a schedule for your Canary camera to monitor your home while you sleep without sending notifications.

On top of that, all the videos the company previously recorded for free will be converted into 10-second clips called “video previews.” Essentially, important features are being taken away from users unless they’re willing to pay $9.99 a month.

People will likely blame this on greed but the real culprit is the lack of ownership. The Canary camera isn’t free but paying money to acquire one doesn’t mean you’re paying money to own it. In reality, you’re paying money for the privilege of paying a monthly fee to tie a camera to an online service. The terms of accessing that online service can change on a whim and, in this case, the change left people who decided not to pay the $9.99 per month fee with a paperweight that used to be a security camera (albeit a limited one).

The Internet of Things means never owning the devices you pay money for and if you don’t own it, you don’t control it.

NIST Publishes New Password Best Practices

g’70A32KsZQ8H2n0JkJ__rfy[JsFzJ(wN(y1,F’Ou1kH(TQcSyNYs”3CSXYPbXQm

That looks like a secure password, right? It is. However, there’s no way I could possibly type it in accurately or remember it. Passwords that cannot be typed or remembered aren’t a big deal for online services if you use a password manager. They are a big deal for passwords you have to type in, like the one to log into your computer. Unfortunately, conventional password wisdom has it that users should be required to have complex passwords instead of memorable passwords. The National Institute of Standards and Technology (NIST) recently published changes to its password best practices, and those changes break with that conventional wisdom:

Among other things, they make three important suggestions when it comes to passwords:

  1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don’t help that much. It’s better to allow people to use pass phrases.
  2. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don’t make people change their passwords unless there’s indication of compromise.
  3. Let people use password managers. This is how we deal with all the passwords we need.

The good news here isn’t so much that NIST published these recommendations but that system administrators are willing to follow NIST’s guidelines. None of the changes published by NIST are new; these practices have been advocated by security professionals for some time now. Unfortunately, many, if not most, system administrators have kept the old guidelines in place, which has led to users having to come up with passwords that are complex enough to satisfy password policy requirements but simple enough to remember for the several months that the password is valid. Hopefully NIST publishing these changes will convince those administrators of the error of their ways.
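To make the difference concrete, here is an added example (my code, not anything from the original post or from NIST) that puts a legacy composition-and-expiration policy next to a verifier written in the spirit of NIST SP 800-63B: length limits only, any printable character including spaces, a check against a list of known-compromised passwords, and no forced rotation unless compromise is suspected. The `BREACHED` set and the sample passwords are constructed for illustration; a real deployment would load a large breached-password corpus in its place.

```python
"""Legacy password policy vs. a verifier in the spirit of NIST SP 800-63B.

Added example, not code from the original post or from NIST. The blocklist
below is a constructed stand-in for the millions-of-entries corpus a real
verifier would screen against.
"""
import re
import unicodedata
from datetime import date, timedelta

# Constructed sample of commonly used / breached passwords (lower-cased).
BREACHED = {
    "password", "p@ssw0rd1!", "qwerty123", "letmein", "summer2017!",
}


def legacy_policy(password: str, last_changed: date, today: date) -> list:
    """The conventional policy the post argues against: character-class
    composition rules, a short maximum length, no spaces, and forced
    rotation every 90 days. Returns a list of violations ([] = accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 16:
        problems.append("longer than 16 characters")  # a common, harmful cap
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no symbol")
    if " " in password:
        problems.append("spaces not allowed")
    if today - last_changed > timedelta(days=90):
        problems.append("expired; change required")
    return problems


def nist_policy(password: str, compromised: bool = False) -> list:
    """Verifier rules in the spirit of SP 800-63B: minimum 8 characters,
    at least 64 accepted, any printable character (spaces and Unicode
    included), screened against a blocklist, and a change is demanded only
    when there is evidence of compromise. Returns a list of violations."""
    problems = []
    # 800-63B calls for Unicode normalisation (NFKC or NFC) before comparing,
    # so the same passphrase typed on different keyboards compares equal.
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < 8:
        problems.append("shorter than 8 characters")
    if len(normalized) > 64:  # the verifier MUST accept at least 64
        problems.append("longer than 64 characters")
    if normalized.lower() in BREACHED:
        problems.append("appears in breached/common password list")
    if compromised:
        problems.append("change required: evidence of compromise")
    return problems


if __name__ == "__main__":
    today = date(2017, 10, 6)
    samples = ["P@ssw0rd1!", "correct horse battery staple"]
    for pw in samples:
        print(repr(pw))
        print("  legacy:", legacy_policy(pw, date(2017, 9, 1), today) or "accepted")
        print("  nist:  ", nist_policy(pw) or "accepted")
```

Run as-is, the legacy policy accepts `P@ssw0rd1!` (it ticks every complexity box) and rejects the four-word passphrase for lacking uppercase, digits and symbols and for containing spaces; the 800-63B-style verifier does the reverse, rejecting `P@ssw0rd1!` because it is on the blocklist and accepting the passphrase on length alone. The lesson is that the classic composition rules measure the wrong thing: they reward a well-known password dressed up with substitutions and punish the long, memorable one.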

With “Friends” Like These

The National Rifle Association (NRA) has a history of supporting gun rights when it’s convenient but throwing gun rights under the bus when it’s politically expedient. That being the case, it probably came as no surprise that the organization expressed support for legal restrictions on bump stocks:

The National Rifle Association has called for “additional regulations” on bump-stocks, a rapid fire device used by the Las Vegas massacre gunman.

The group said: “Devices designed to allow semi-automatic rifles to function like fully-automatic rifles should be subject to additional regulations.”

It would have been nice if the NRA would have at least waited until the fight began before capitulating. Not surprisingly, the Republicans have expressed a willingness to implement such a restriction. Despite their rhetoric, like the NRA, Republicans have a tendency to support gun control whenever opposing it becomes politically inconvenient.

The Number of Guns is Irrelevant

The media and gun control advocates are making a big deal about the number of guns recovered from the hotel room the Las Vegas attacker used. According to ABC News, law enforcers found 47 guns in the room.

Realistically, an individual can operate one gun at a time. Technically an individual can operate two handguns simultaneously, but not very effectively. So why does it matter how many guns an individual owns? It doesn’t. The media makes a big deal out of the number of guns because it catches people’s attention and therefore leads to more page hits and accompanying ad impressions. Media outlets exist to make money, so that isn’t surprising. Gun control advocates make a big deal out of the number of guns for similar reasons, although their goal isn’t as noble as making money: their goal is to drum up outrage so they can coax politicians into punishing innocent gun owners by passing restrictive laws.

Having more guns doesn’t make a mass shooter more deadly so the number of guns recovered by law enforcers is irrelevant.

Defense Distributed Enters the Handgun Market

Defense Distributed, Cody Wilson’s enterprise that proves the fallacy of gun control, released the Ghost Gunner, a computer numerically controlled (CNC) machine that specializes in milling AR-15 lower receivers, to the chagrin of gun control advocates. The Ghost Gunner made it simple for individuals with relatively little skill to manufacture an AR-15 lower receiver, the part of the gun that is serialized and therefore regulated. Now Defense Distributed has entered the handgun market:

Today, that scope widens: Wilson and Defense Distributed are now in the handgun business, too.

Defense Distributed will offer two of the most common handgun “80 percent” receivers—for Glocks and single-stack M1911s—for interested customers to complete using the Ghost Gunner. “What we’ve done for ARs we’re going to do for handguns now,” Wilson tells Ars. Defense Distributed’s store now carries new fixtures, frames, and tooling to create these two handguns, in addition to its previously offered AR-15 lower receivers and jig sets.

Building a firearm isn’t rocket science. Anybody with basic machining knowledge and competency in firearm design can do it. This fact has always made gun control a pipe dream. But as technology improves so does the ease of manufacturing. CNC machines reduced the machining knowledge necessary to manufacture a great many goods, which made controlling those goods even less feasible.

I’m sure gun control advocates will demand that the Ghost Gunner be prohibited, but it’s nothing more than a specialized CNC machine, and there is no way gun control advocates are going to get CNC machines banned. Likewise, CNC machines will continue to drop in price and increase in capabilities. In a few years it will be easy to pick up a general-purpose CNC machine that is as affordable as the Ghost Gunner and even more capable.

Gun control is effectively dead. Technology killed it just as it ultimately kills all restrictions.

Assume All Source Code is Open Source

Let’s pretend that you’re a fool and believe that security through obscurity works. Because of your foolish belief you sought out closed source security software. Since potential adversaries can’t see the source code, they can’t find vulnerabilities in it to attack you with, right? Not so much. Just because software is closed source doesn’t mean nobody is allowed to see the source code. It recently came out that Hewlett Packard Enterprise (HPE) let a Russian defense agency review the source code of ArcSight, one of its security products:

Last year, Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to analyze the source code of a cybersecurity software used by the Pentagon, Reuters reports. The software, a product called ArcSight, is an important piece of cyber defense for the Army, Air Force and Navy and works by alerting users to suspicious activity — such as a high number of failed login attempts — that might be a sign of an ongoing cyber attack. The review of the software was done by a company called Echelon for Russia’s Federal Service for Technical and Export Control as HPE was seeking to sell the software in the country. While such reviews are common for outside companies looking to market these types of products in Russia, this one could have helped Russian officials find weaknesses in the software that could aid in attacks on US military cyber networks.

I don’t subscribe to the belief that open source software is inherently more secure (however, I do believe open source software offers several advantages over closed source software that are unrelated to security). I think the numerous critical vulnerabilities discovered in OpenSSL put that belief to bed. However, I also don’t believe that closed source software is inherently more secure. Just because a developer doesn’t share its source code with everybody doesn’t mean it doesn’t share its source code with third parties. In the case of HPE, one of the third parties granted access to its source code was an adversary of one of its customers.

If you’re purchasing software from a third party, you have no control over who it shares its source code with. So if you believe in security through obscurity, closed source software won’t offer you any advantage, perceived or otherwise.

You Have Access to the Collective Knowledge of Humanity, Use It

If I had a dollar for every time somebody gave incorrect firearm legal advice, I’d be sitting on a mega yacht in the middle of the Atlantic Ocean drinking scotch that is older than I am.

People with no knowledge of a subject talking about it authoritatively isn’t a new phenomenon, nor is it restricted solely to gun laws. However, it was far more excusable in the past because the people who did it didn’t have access to the collective knowledge of humanity at their fingertips. If you’re posting something to Facebook, then you’re using the Internet. Since you’re using the Internet, you can quickly look things up. For example, if I search for “machine gun law” in Google, the very first link that appears is the Wikipedia article on the National Firearms Act. A brief reading of that article will debunk the claim that anybody can easily buy a machine gun, which is a claim I’ve seen posted a lot since the attack in Las Vegas.

There is no excuse for not performing at least a basic amount of due diligence in this day and age. If you can post to Facebook, you can perform a search on Google to verify whether or not the claim you’re about to make is true, or at least plausible. “But Chris,” I can hear somebody say, “why would I suspect that the thing I believe is false and needs to be verified?” Simple: if you didn’t come by that belief by doing your own search, you should suspect it of being false.

There’s already enough bad information being circulated. Rise above the masses, use your access to the collective knowledge of humanity and verify claims before you post them.

If You Had a Yahoo Account in 2013, It Was Compromised

Yahoo suffered one hell of a database breach in 2013. However, it was only recently that the scale of the breach has become known. As it turns out, every account that existed during the time of the breach was compromised:

Yahoo said a major security breach in 2013 compromised all three billion accounts the company maintained, a three-fold increase over the estimate it disclosed previously.

The revelation, contained in an updated page about the 2013 hack, is the result of new information and the forensic analysis of an unnamed security consultant. Previously, Yahoo officials said about one billion accounts were compromised. With Yahoo maintaining roughly three billion accounts at the time, the 2013 hack would be among the biggest ever reported.

“We recently obtained additional information and, after analyzing it with the assistance of outside forensic experts, we have identified additional user accounts that were affected,” Yahoo officials wrote in the update. “Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.”

This should have been everybody’s assumption from the beginning. If an unauthorized individual had access to 1 billion accounts, it’s safe to assume they had access to every account; an attacker who can pull a billion records out of a user database almost certainly took the whole thing, and the earlier figure only reflected what the forensic analysis had confirmed at the time.