A Security Issue Is Still a Security Issue Even If It’s a Hit Job

A series of flaws were revealed in AMD’s line of processors. The aftermath of these kinds of revelations usually involves a lot of people trying to assess the impact and threat. Can the flaws be exploited remotely? If they can be exploited remotely, is there a way to detect if a system has been exploited? What actions can be taken to mitigate these flaws? Instead of the usual assessment, the aftermath of this revelation has been dominated by people claiming that this revelation was actually a hit job secretly instigated by Intel and individuals wanting to manipulate AMD’s stock price:

Here’s a histrionic quote for you: “AMD must cease the sale of Ryzen and EPYC chips in the interest of public safety.”

That’s a real quote from Viceroy Research’s deranged, apoplectic report on CTS Labs’ security allegations against AMD’s Ryzen architecture. The big story today seemed to mirror Meltdown, except for AMD: CTS Labs, a research company supposedly started in 2017, has launched a report declaring glaring security flaws for AMD’s processors. By and large, the biggest flaw revolves around the user installing bad microcode.

There are roots in legitimacy here, but as we dug deep into the origins of the companies involved in this new hit piece on AMD, we found peculiar financial connections that make us question the motive behind the reportage.

The goal here is to research whether the hysterical whitepapers — hysterical as in “crazy,” not “funny” — have any weight to them, and where these previously unknown companies come from.

A lot of people seem to have lost sight of the fact that just because a revelation is a hit job (which I’m not saying this revelation is) doesn’t mean that the revealed exploit isn’t a legitimate exploit. Even if CTS Labs is a company secretly created by Intel for the specific purpose of wrecking AMD’s reputation, the revealed exploits need to be assessed and, if they’re found to be legitimate exploits, addressed.

Finding Alternatives to Advertisements

People often make the mistake of thinking that many webpages are free, but there ain’t no such thing as a free lunch. Most websites still use the age old monetization technique of displaying advertisements. However, advertisements quickly evolved from relatively safe static images. They started becoming more annoying. Images turned into animations. Animations turned into full video that also played sound. These “enhancements” also require clients to run code. Needless to say, users started getting annoyed and their annoyance led to the creation of browser plugins that block advertisements.

Online advertising has turned into an arms race. Website visitors use an ad blocker, advertisers create a method to bypass ad blockers, visitors upgrade their ad blockers to bypass the bypass, and so on. This is leading a lot of people to question whether the online advertisement model can remain feasible. Fortunately, some websites that rely on online advertisements have begun experimenting with alternative revenue sources. Salon, for example, recently launched an experiment where visitors blocking advertisements are given the option to run cryptocurrency mining code in their browser:

Salon.com has a new, cryptocurrency-driven strategy for making money when readers block ads. If you want to read Salon without seeing ads, you can do so—as long as you let the website use your spare computing power to mine some coins.

If you visit Salon with an ad blocker enabled, you might see a pop-up that asks you to disable the ad blocker or “Block ads by allowing Salon to use your unused computing power.”

A lot of people are pissed about this but I, possibly for the first time ever, actually agree with what Salon is doing.

Unlike a lot of sites that are experimenting with running cryptocurrency mining code in visitors’ browsers, Salon is being entirely transparent about doing so. If you visit the site with an ad blocker enabled, you are presented with a very clear option to either disable your ad blocker or run cryptocurrency mining code. If you choose the latter, your computer’s fans will likely kick on as your processor ramps up.

I doubt browser based cryptocurrency mining will be a viable alternative to online advertising. Cryptocurrency mining, as the linked article shows, requires a lot of processing power. On a desktop that isn’t much of a concern. On a laptop or other battery powered device, that increased processor usage will drain the battery quickly. With more computing being done on battery powered devices, anything that noticeably reduces battery life will likely anger visitors. But I’m happy that websites are finally exploring alternatives to advertisements. It’s clear that visitors aren’t happy with the current state of the online advertising model. If website operators want to continue being profitable, they need to find a way to raise money that their visitors find acceptable.

Postliterate America

A few science fiction novels explore the concept of a postliterate society. In a postliterate society, reading and writing have been predominantly or entirely replaced by multimedia. Could the United States be transitioning into a postliterate society? The question may have been absurd to ask just a few years ago but I think there is reason today to give the question serious consideration:

I’ll make this short: The thing you’re doing now, reading prose on a screen, is going out of fashion.

We’re taking stock of the internet right now, with writers who cover the digital world cataloging some of the most consequential currents shaping it. If you probe those currents and look ahead to the coming year online, one truth becomes clear. The defining narrative of our online moment concerns the decline of text, and the exploding reach and power of audio and video.

Writing has been the predominant method of recording information since, at least, the fourth millennium BC when cuneiform first emerged (but for all we know there could have been an even older writing system that hasn’t been discovered yet). This shouldn’t surprise anybody. Writing systems have many advantages but one of their biggest advantages is versatility. You can scratch written information into a wet piece of clay, chisel it into stone, mark it on a piece of paper with ink, or record it to a hard drive. Whether you have access to no technology, modern technology, or anything in between, you can write information.

The biggest limitation of alternative forms of recording information such as pictures, audio, and video has been the cost of creating and consuming them. Only in the last century have photo cameras, audio recorders, video cameras, and televisions become widely available. And only in very recent times have computers powerful enough and software advanced enough to enable individuals to easily create and consume media become widely available. Thanks to those advancements we live in a society where postliteracy is a possibility.

For the cost of even a low spec smartphone any individual can create a video and upload it to YouTube. For a little more money any individual can acquire a computer powerful enough for them to do basic video editing. As with computing power, video editing software continues to become cheaper. It also continues to become easier to use and more featureful, which is why so many people are able to harness the power of artificial intelligence to make fake porn videos.

This widespread availability of media creation and consumption technology has already had a tremendous impact. You can find instructional videos online for almost anything you could want to do. Do you want to fix a running toilet? A quick YouTube search will show you tons of videos walking you through how to fix one. Do you want to learn proper squatting form? Once again, a quick YouTube search will result in tons of videos of professional and amateur weight lifters explaining and showing how to properly squat. But the explosion of media hasn’t stopped at instructional videos.

Most political discussions online seem to involve memes, images with a bit of text bolted on. At one time creating and viewing even the simplest of memes was no simple feat. Today there are free websites that allow you to upload a picture and enter some text and it will spit out and even host your meme. In a few seconds you can create and then share your meme with the world without investing anything more than your time.

I’m not saying the United States is a postliterate society at this point but I believe the foundation necessary for such a transition exists and there is evidence to suggest that such a shift could be taking place. Think back to math class when you asked your teacher why you had to learn multiplication tables when you had a calculator that could multiply for you. Your teacher likely said that you wouldn’t always have a calculator with you. Today anybody with a smartphone in their pocket also has a calculator. Soon the same question that has been so often asked about multiplication tables could be often asked about reading and writing. It’s an interesting thing to ponder.

Cellular Phones Aren’t the Only Way to Track People

A lot of privacy advocates have a habit of developing tunnel vision. They’ll see an obvious privacy violation and fail to see dozens of others. For example, I know a lot of privacy advocates who have developed tunnel vision for cellular phones. Some of these individuals will even leave their cellular phone at home when traveling somewhere thinking that doing so will make them invisible to surveillance. However, there is more than one way to track an individual’s movements. How many people who leave their cellular phones at home then immediately get into a uniquely identifiable vehicle?

The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to a contract finalized earlier this month. The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians.

Every vehicle is legally required to have a uniquely identifiable license plate. Image recognition technology has advanced to the point where reading the unique identifiers on these plates is trivial. Now it’s trivial to create a vehicle tracking system with nothing more than strategically placed cameras that can talk to a central tracking system.

If you want to protect your privacy, you need to take public transportation, right? While this might seem like an obvious answer since public transportation mixes a lot of people together, most public transit systems include video surveillance and facial recognition is now at the point where uniquely identifying somebody’s face is pretty easy. Given enough surveillance cameras, it’s possible to track somebody walking in a city thanks to facial recognition technology.

Surveillance has always been a cat and mouse game. Right now the cat has some new tactics that give it an edge. In order to survive, the mouse must evolve too. The mouse won’t evolve if it succumbs to tunnel vision though.

If Your Device Relies on the Cloud, You Don’t Own It

Towards the end of 2016 Pebble announced that much of it had been acquired by Fitbit. Since Pebble wasn’t doing well financially, news of it being acquired wasn’t surprising. However, Pebble fans had hoped that Fitbit was planning to continue the Pebble line. As is often the case with acquisitions, Fitbit was primarily interested in Pebble’s intellectual property, not its product portfolio. As part of the acquisition Fitbit promised to keep Pebble’s online services running for a while. Yesterday Fitbit announced the date it would be shutting down those services:

But for those who want nothing to do with Fitbit OS development and only care about how long their Pebbles will last, this news is bittersweet. According to Fitbit’s announcement, Pebble devices will continue to work after June 30, but these features will stop working: the Pebble app store, the Pebble forum, voice recognition features, SMS and email replies, timeline pins from third-party apps (although calendar pins will still function), and the CloudPebble development tool.

Pebble fans have been unhappy with the acquisition ever since Fitbit announced that it was planning to shut down Pebble’s online services. However, I think Fitbit was actually pretty decent about the entire thing since it left the online services running for as long as it did and even allowed Pebble developers to push some firmware updates to allow existing Pebble devices to continue operating in some capacity without the online services. Unfortunately, even with those firmware changes, a lot of Pebble functionality will be crippled once Fitbit turns off the old Pebble servers.

So the lesson people should take away from this is that proprietary devices that rely on proprietary online services aren’t owned property, they’re temporarily licensed products. At any moment the manufacturer can decide to turn off the online services, which will effectively brick or reduce the functionality of the devices that rely on those services. Had the Pebble been an open source product the option would have at least existed for the community to develop new firmware and alternate online services to keep their Pebbles running.

Let’s Put a Remotely Accessible Computer in a Door Lock

Let’s put a remotely accessible computer in a door lock, what could possibly go wrong?

A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.

The Internet of Things (IoT) introduces all sorts of new and interesting exploits. These exploits range from minor, such as your lights changing colors, to severe, such as having your doors unlock for an unauthorized person. Unfortunately, since software is already incredibly complex and becoming more so every day it’s unlikely we’ll see secure IoT devices anytime in the near future. Fortunately, it appears that Apple caught this vulnerability and was able to patch it before it was actively exploited.

There’s Hope for the Internet of Things

Granted, it’s not a lot of hope but it seems like some consumers are actually holding off on buying Internet of Things (IoT) products due to security concerns:

Consumers are uneasy about being watched, listened to, or tracked by devices they place in their homes, consulting firm Deloitte found in a new survey it released Wednesday. Thanks to such discomfort, consumer interest in connected home technology lags behind their interest in other types of IoT devices, Deloitte found.

“Consumers are more open to, and interested in, the connected world,” the firm said in its report. Noting the concerns about smart home devices, it added: “But not all IoT is created equal.”

Nearly 40% of those who participated in the survey said they were concerned about connected-home devices tracking their usage. More than 40% said they were worried that such gadgets would expose too much about their daily lives.

IoT companies have been extremely lazy when it comes to implementing security, which is a huge problem when their devices provide surveillance capabilities. If enough consumers avoid purchasing insecure IoT devices, IoT companies will be forced to either improve the security of their devices or go into bankruptcy.

Apple has done a good job at easing consumers’ security concerns with its biometric authentication technology. When Touch ID was first introduced, a lot of people were concerned about their fingerprints being uploaded to the Internet. However, Apple was able to ease these concerns by explaining how its Secure Enclave chip works and how users’ fingerprints never leave that secure chip. The same technology was used for Face ID. IoT companies can do the same thing by properly securing their products. If, for example, an Internet accessible home surveillance device encrypted all of the data it recorded with a key that only the users possessed, it could provide Internet accessible home surveillance capabilities without putting user data at risk of being accessed by unwanted personnel.

If Your Device Requires a “Cloud” Service, It’s Not Your Device

It’s time for a pop quiz. If you purchase a device and its basic functionality relies on a “cloud” service (somebody else’s computer), do you own it?

No, you don’t:

Bricking a device, which usually happens during a firmware update gone wrong, is never a good thing. It’s even worse when companies do it to their devices intentionally. According to emails received by users, Logitech will be intentionally bricking all Harmony Link devices via a firmware update as of March 16th, 2018. The bad news was first reported by Bleeping Computer.

According to this Harmony Link review, the device cost $100.00 when it was released. For that $100.00 I’m sure there were a lot of consumers who mistakenly believed that they were buying the device when, in fact, they were merely renting it. Now the owner of those devices, Logitech, is going to turn them off.

A Grim Start to the Week

This week started on a low note as far as computer security is concerned. The first bit of news, which was also the least surprising, was that yet another vulnerability was discovered in Adobe’s Flash Player and was being actively exploited:

TORONTO (Reuters) – Adobe Systems Inc (ADBE.O) warned on Monday that hackers are exploiting vulnerabilities in its Flash multimedia software platform in web browsers, and the company urged users to quickly patch their systems to prevent such attacks.

[…]

Adobe said it had released a Flash security update to fix the problem, which affected Google’s Chrome and Microsoft’s Edge and Internet Explorer browsers as well as desktop versions.

If you’re in a position where you can’t possibly live without Flash, install the update. If you, like most people, can live without Flash, uninstall it if you haven’t already.

The next bit of bad security news was made possible by Infineon:

A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

This flaw impacts a lot of security devices including Estonia’s electronic identification cards, numerous Trusted Platform Modules (TPM), and YubiKeys shipped before June 6, 2017. In the case of YubiKeys, the flaw only impacts Rivest–Shamir–Adleman (RSA) keys generated on the devices themselves. Keys generated elsewhere and uploaded to the device should be fine (assuming they weren’t generated with a device that uses the flawed Infineon library). Moreover, other YubiKey functionality, such as Universal 2nd Factor (U2F) authentication, remains unaffected. If your computer has a TPM, check to see if there is a firmware update available for it. If you have an impacted YubiKey, Yubico has a replacement program.
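
One way to check whether an RSA public key carries the mark of this flaw, as an added example that is not part of the original post: the structure has been described publicly as primes of the form k·M + (65537^a mod M) with M a product of small primes, so an affected modulus leaves a residue in the subgroup generated by 65537 modulo each of those primes. The function names and the constructed sample moduli are assumptions of this example; it only classifies a public modulus and recovers no key material.

```python
# Added example (not from the original post): fingerprint check for RSA
# moduli with the structure attributed to the flawed Infineon library.
# It classifies a public modulus only; it does not recover a private key.
import math
import secrets

# Odd primes up to 167; together with 2 they are the first 39 primes.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109,
                113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537
M = 2 * math.prod(SMALL_PRIMES)  # product of the first 39 primes


def generated_subgroup(g, p):
    """Return {g^i mod p}, the subgroup of (Z/pZ)* generated by g."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen


SUBGROUPS = {p: generated_subgroup(GENERATOR, p) for p in SMALL_PRIMES}


def has_fingerprint(n):
    """True if n mod p lies in the subgroup generated by 65537 for every p."""
    return all(n % p in SUBGROUPS[p] for p in SMALL_PRIMES)


def modulus_from_openssl(line):
    """Parse the 'Modulus=<hex>' line printed by `openssl rsa -modulus`."""
    key, _, value = line.strip().partition("=")
    if key != "Modulus" or not value:
        raise ValueError("expected a 'Modulus=<hex>' line")
    return int(value, 16)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test, used only to build the constructed sample below."""
    if n < 2:
        return False
    for p in (2, *SMALL_PRIMES):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def structured_prime(bits=256):
    """Constructed sample input: a prime k*M + (65537^a mod M), ~`bits` bits."""
    k_bits = bits - M.bit_length()
    while True:
        k = secrets.randbits(k_bits) | (1 << (k_bits - 1))
        candidate = k * M + pow(GENERATOR, secrets.randbelow(M), M)
        if is_probable_prime(candidate):
            return candidate


if __name__ == "__main__":
    flawed_form = structured_prime() * structured_prime()  # constructed
    unaffected = (2**127 - 1) * (2**61 - 1)                # constructed
    print("flawed-form modulus flagged:", has_fingerprint(flawed_form))
    print("unaffected modulus flagged: ", has_fingerprint(unaffected))
```

To check a real key, pass the integer modulus of its public half to `has_fingerprint`; a match means the key should be regenerated on unaffected hardware or software, as the replacement and firmware advice above implies.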

The biggest security news though was the announcement of a new attack against Wi-Fi Protected Access (WPA), the security protocol used to secure wireless networks. The new attack, labeled key reinstallation attacks (KRACKs, get it? I wonder how long it took the researchers to come up with that one.), exploits a flaw in the WPA protocol itself:

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

Fortunately, KRACKs can be mitigated by backwards compatible client and router software updates. Microsoft already released a patch for Windows 10 on October 10th. macOS and iOS have features that make them more difficult to exploit but a complete fix is apparently in the pipeline. Google has stated that it will release a patch for Android starting with its Pixel devices. Whether or not your specific Android device will receive a patch and when will depend on the manufacturer. I suspect some manufacturers will be quick to release a patch while some won’t release a patch at all. Pay attention to which manufacturers release a patch in a timely manner. If a manufacturer doesn’t release a patch for this or doesn’t release it in a timely manner, avoid buying their devices in the future.

The Sorry State of Electronic Voting Machine Security

A lot of people from different backgrounds have expressed concerns about the integrity of electronic voting machines. It turns out that those concerns were entirely valid:

It’s no secret that it’s possible to hack voting systems. But how easy is it, really? Entirely too easy, if you ask researchers at this year’s DefCon. They’ve posted a report detailing how voting machines from numerous vendors held up at the security conference, and… it’s not good. Every device in DefCon’s “Voting Machine Hacking Village” was compromised in some way, whether it was by exploiting network vulnerabilities or simple physical access.

Multiple systems ran on ancient software (the Sequoia AVC Edge uses an operating system from 1989) with few if any checks to make sure they were running legitimate code. Meanwhile, unprotected USB ports and other physical vulnerabilities were a common sight — a conference hacker reckoned that it would take just 15 seconds of hands-on time to wreak havoc with a keyboard and a USB stick. And whether or not researchers had direct access, they didn’t need any familiarity with the voting systems to discover hacks within hours, if not “tens of minutes.”

Just put those voting machines in the cloud! Everything is magically fixed when it’s put in the cloud!

Anonymous ballots are notoriously difficult to secure but it’s obvious that the current crop of electronic voting machines were developed by companies that have no interest whatsoever in even attempting to address that problem. Many of the issues mentioned in the report are what I would call amateur hour mistakes. There is no reason why these machines should have any unprotected ports on them. Moreover, there is no reason why the software running on these machines isn’t up to date. And the machines should certainly be able to verify the code they’re running. If the electronic voting machine developers don’t understand how code signing works, they should contact Apple since the signature of every piece of code that runs on iOS is verified.

And therein lies the insult to injury. The types of security exploits used to compromise the sample voting machines weren’t new or novel. They were exploits that have been known about and addressed for years. A cynical person might believe that the companies making these voting machines are just trying to make a quick buck off of a government contract and not interested in delivering a quality product. A cynical man might even feel the need to point out that this type of behavior is common because the government seldom holds itself or contractors accountable.