A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Security’ tag

The Beginning of the End for Unsecured Websites

without comments

Chrome looks to be the first browser that is going to call a spade a spade. Starting in July 2018, Chrome will list all websites that aren’t utilizing HTTPS as unsecured:

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

I think Let’s Encrypt was the catalyst that made this decision possible. Before Let’s Encrypt was released, acquiring and managing TLS certificates could be a painful experience. What made matters worse is that the entire process had to be redone whenever the acquired TLS certificates expired. Let’s Encrypt turned that oftentimes annoying and expensive process into an easy command. This made it feasible for even amateur website administrators to implement HTTPS.

The Internet is slowly moving to a more secure model. HTTPS not only prevents third parties from seeing your web traffic but, maybe even more importantly, it also prevents third parties from altering your web traffic.

Written by Christopher Burg

February 16th, 2018 at 10:00 am

Let’s Put a Remotely Accessible Computer in a Door Lock

without comments

Let’s put a remotely accessible computer in a door lock, what could possibly go wrong?

A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevent unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.

The Internet of Things (IoT) introduces all sorts of new and interesting exploits. These exploits range from minor, such as your lights turn colors, to severe, such as having your doors unlock for an unauthorized person. Unfortunately, since software is already incredibly complex and becoming more so every day it’s unlikely we’ll see secure IoT devices anytime in the near future. Fortunately, it appears that Apple caught this vulnerability and was able to patch it before it was actively exploited.

Written by Christopher Burg

December 8th, 2017 at 10:00 am

Posted in Technology

Tagged with ,

Physical Access Isn’t Necessarily Game Over

without comments

I swear Apple fanboys are some of the dumbest people on the planet. Quite a few of them have been saying, “If an attacker as physical access, it’s game over anyways,” as if that statement makes the root user exploit recently discovered in High Sierra a nonissue.

At one time that statement was true. However, today physical access is not necessarily game over. Look at all of the trouble the Federal Bureau of Investigations (FBI) has been having with accessing iOS devices. The security model of iOS actually takes physical access into account as part of its threat modeling and has mechanisms to preserve the integrity of the data contained on the device. iOS requires all code to be signed before it will install or run it, which makes it difficult, although far from impossible, to insert malicious software onto iOS devices. But more importantly iOS encrypts all of the data stored in flash memory by default. Fully encrypted disks protect against physical access by both preventing an attacker from getting any usable data from a disk and also by preventing them from altering the data on the disk (such as writing malware directly to the disk).

macOS has a boot mode called single user mode, which boots the computer to a root command prompt. However, if a firmware password is set, single user mode cannot be started without entering the firmware password. The firmware password can be reset on machines with removable RAM (resetting the password requires changing the amount of RAM connected to the mainboard) but most of Apple’s modern computers, some iMacs being the exception, have RAM modules that are soldered to the mainboard.

Physical access is especially dangerous because it allows an attacker to insert malicious hardware, such as a key logger, that would allow them to record everything you type, including your passwords. However, that kind of attack requires some amount of sophistication and time (at least if you want the malicious hardware to be difficult to detect), which is where the real problem with High Sierra’s root exploit comes in. The root exploit required no sophistication whatsoever. Gaining root access only required physical access (or remote access if certain services were enabled) to an unlocked Mac for a few seconds. So long as an attacker had enough time to open System Preferences, click one of the lock icons, and type in “root” for the user name a few times they had complete access to the machine (from there they could turn on remote access capabilities to maintain their access).

Attempting to write off this exploit as a nonissue because it requires physical access requires willful ignorance of both modern security features that defend against attackers with physical access and the concept of severity (an attack that requires no sophistication can be far more severe than a time consuming sophisticated attack under certain threat models).

Written by Christopher Burg

December 1st, 2017 at 11:00 am

The Fix for High Sierra’s Embarrassing Privilege Escalation Bug and the Fix for the Fix

without comments

Apple has already released a fix for its embarrassing privilege escalation bug. If you haven’t already, open the App Store, go to Updates, and install Security Update 2017-001. However, after installing that you may notice that file sharing no longer works. In order to fix this problem you need to perform the following steps:

  1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
  2. Type sudo /usr/libexec/configureLocalKDC and press Return.
  3. Enter your administrator password and press Return.
  4. Quit the Terminal app.

In conclusion High Sierra is still a steaming pile of shit and you should stick to Sierra if you can.

Written by Christopher Burg

November 30th, 2017 at 11:00 am

Adaptability is an Established Military’s Greatest Weakness

without comments

You may have heard the phrase, “The military is always preparing to fight the last war.” Any military that has been established for a length of time seems to get dragged down by entrenched ideologies and traditions. This leads them to become very rigid. The United States military is a great example of this. During its War on Terror it has clung to its usual tactics, which work well against other large national militaries but are more or less useless against asymmetrical tactics. It has also proven incompetent at information security, which is no a major component in warfare:

After uncovering a massive trove of social media-based intelligence left on multiple Amazon Web Services S3 storage buckets by a Defense Department contractor, the cloud security firm UpGuard has disclosed yet another major cloud storage breach of sensitive intelligence information. This time, the data exposed includes highly classified data and software associated with the Distributed Common Ground System-Army (DCGS-A), an intelligence distribution platform that DOD has spent billions to develop. Specifically, the breach involves software for a cloud-based component of DCGS-A called “Red Disk.”

Don’t get me wrong, I’m all for government transparency and appreciate the military’s current, albeit accidental, dedication to it. However, from a strategy standpoint this is pretty damned pitiful.

Written by Christopher Burg

November 29th, 2017 at 11:00 am

macOS High Sierra is Still Terrible

without comments

macOS High Sierra may go down in the history books as Apple’s worst release of macOS since the initial one. Swapping the graphical user interface to use the Metal API wasn’t a smooth transition to say the least but the real mess is in regards to security. There was a bug where a user’s password could be displayed in the password hint field so logging in as a malicious user only requires entering a user’s password incorrectly to trigger the hint field. But yesterday it was revealed that the root account, which is normally disabled entirely, could be activated in High Sierra by simply typing root into the user name field in System Preferences:

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

The only good news is that you can defend against this bug by enabling the root account and giving it a password.

The security mistakes in High Sierra are incredibly amateur. Automated regression testing should have caught both the password hint mistake and this root account mistake. I can only assume that Apple’s quality assurance department took the year off because both High Sierra and iOS 11 are buggy messes that should never have been released in the states they were released in.

Written by Christopher Burg

November 29th, 2017 at 10:00 am

There’s Hope for the Internet of Things

without comments

Granted, it’s not a lot of hope but it seems like some consumers are actually holding off on buying Internet of Things (IoT) products due to security concerns:

Consumers are uneasy about being watched, listened to, or tracked by devices they place in their homes, consulting firm Deloitte found in a new survey it released Wednesday. Thanks to such discomfort, consumer interest in connected home home technology lags behind their interest in other types of IoT devices, Deloitte found.

“Consumers are more open to, and interested in, the connected world,” the firm said in its report. Noting the concerns about smart home devices, it added: “But not all IoT is created equal.”

Nearly 40% of those who participated in the survey said they were concerned about connected-home devices tracking their usage. More than 40% said they were worried that such gadgets would expose too much about their daily lives.

IoT companies have been extremely lazy when it comes to implementing security, which is a huge problem when their devices provide surveillance capabilities. If enough consumers avoid purchasing insecure IoT devices, IoT companies will be forced to either improve the security of their devices or go into bankruptcy.

Apple has done a good job at easing consumer’s security concerns with its biometric authentication technology. When Touch ID was first introduced, a lot of people were concerned about their fingerprints being uploaded to the Internet. However, Apple was able to east these concerns by explaining how its Secure Enclave chip works and how users’ fingerprints never leave that secure chip. The same technology was used for Face ID. IoT companies can do the same thing by properly securing their products. If, for example, an Internet accessible home surveillance device encrypted all of the data it recorded with a key that only the users possessed, it could provide Internet accessible home surveillance capabilities without putting user data at risk of being accessed by unwanted personnel.

Written by Christopher Burg

November 16th, 2017 at 10:30 am

Open Whisper Systems Released Standalone Desktop Client

without comments

Signal is my favorite messaging application. It offers very good confidentiality and is easy to use. I also appreciate the fact that a desktop client was released, which meant I didn’t have to pull out my phone every time I wanted to reply to somebody. What I didn’t like though was the fact that the Signal desktop client was a Chrome app. If you use a browser besides Chrome you had to install Chrome just to use Signal’s desktop client. Fortunately, Google announced that it was deprecating Chrome apps and that forced Open Whisper Systems to release a standalone desktop client.

Now you can run the Signal desktop client without having to install Chrome.

Written by Christopher Burg

November 1st, 2017 at 10:00 am

The FBI’s Performance Issues

without comments

When the Federal Bureau of Investigations (FBI) isn’t pursuing terrorists that it created, the agency tends to have a pretty abysmal record. The agency recently announced, most likely as propaganda against effective encryption, that it has failed to obtain the contents of 7,000 encrypted devices:

Agents at the US Federal Bureau of Investigation (FBI) have been unable to extract data from nearly 7,000 mobile devices they have tried to access, the agency’s director has said.

Christopher Wray said encryption on devices was “a huge, huge problem” for FBI investigations.

The agency had failed to access more than half of the devices it targeted in an 11-month period, he said.

The lesson to be learned here is that effective cryptography works. Thanks to effective cryptography the people are able to guarantee their supposed constitutional right to privacy. The restoration of rights should be celebrated but politicians never do because our rights are directly opposed to their goals. I guarantee that this announcement will lead to more political debates in Congress that will result in more bills being introduced to ban the plebs (but not the government, of course) from having effective cryptography. If one of the bills is passed into law, the plebs will have to personally patch their devices to fix the broken cryptography mandated by law (which, contrary to what politicians might believe, is what many of us plebs will do).

If you don’t want government goons violating your privacy, enable the cryptographic features on your devices such as full disk encryption.

Written by Christopher Burg

October 24th, 2017 at 10:00 am

A Grim Start to the Week

without comments

This week started on a low note as far as computer security is concerned. The first bit of new, which was also the least surprising, was that yet another vulnerability was discovered in Adobe’s Flash Player and was being actively exploited:

TORONTO (Reuters) – Adobe Systems Inc (ADBE.O) warned on Monday that hackers are exploiting vulnerabilities in its Flash multimedia software platform in web browsers, and the company urged users to quickly patch their systems to prevent such attacks.

[…]

Adobe said it had released a Flash security update to fix the problem, which affected Google’s Chrome and Microsoft’s Edge and Internet Explorer browsers as well as desktop versions.

If you’re in a position where you can’t possibly live without Flash, install the update. If you, like most people, can live without Flash, uninstall it if you haven’t already.

The next bit of bad security news was made possible by Infineon:

A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

This flaw impacts a lot of security devices including Estonia’s electronic identification cards, numerous Trusted Platform Modules (TPM), and YubiKeys shipped before June 6, 2017. In the case of YubiKeys, the flaw only impacts Rivest–Shamir–Adleman (RSA) keys generated on the devices themselves. Keys generated elsewhere and uploaded to the device should be fine (assuming they weren’t generated with a device that uses the flawed Infineon library). Moreover, other YubiKey functionality, such as Universal 2nd Factor (U2F) authentication, remains unaffected. If your computer has a TPM, check to see if there is a firmware update available for it. If you have an impacted YubiKey, Yubico has a replacement program.

The biggest security news though was the announcement of a new attack against Wi-Fi Protected Access (WPA), the security protocol used to secure wireless networks. The new attack, labeled key reinstallation attacks (KRACKs, get it? I wonder how long it took the researchers to come up with that one.), exploits a flaw in the WPA protocol itself:

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

Fortunately, KRACKs can be mitigated by backwards compatible client and router software updates. Microsoft already released a patch for Windows 10 on October 10th. macOS and iOS have features that make them more difficult to exploit but a complete fix is apparently in the pipeline. Google has stated that it will release a patch for Android starting with its Pixel devices. Whether or not your specific Android device will receive a patch and when will depend on the manufacturer. I suspect some manufacturers will be quick to release a patch while some won’t release a patch at all. Pay attention to which manufacturers release a patch in a timely manner. If a manufacturer doesn’t release a patch for this or doesn’t release it in a timely manner, avoid buying their devices in the future.

Written by Christopher Burg

October 17th, 2017 at 10:00 am