Invest In Security Now Or Pay Later

Security is a difficult thing to pitch. To summon Bastiat from beyond the grave, the costs of implementing security are seen but the costs of not implementing security are unseen. Making the pitch even more difficult is the fact most people think, “It’ll never happen to me.” But a breach can happen to anybody and the associated costs are often tremendous:

Hollywood Presbyterian Medical Center, the Los Angeles hospital held hostage by crypto-ransomware, has opted to pay a ransom of 40 bitcoins—the equivalent of $17,000—to the group that locked down access to the hospital’s electronic medical records system and other computer systems. The decision came 10 days after the hospital lost access to patient records.

$17,000 is already a decent chunk of change and 10 days of network downtime for a hospital is a very serious expense. This disaster could have been greatly mitigated with proper security practices. First of all, based on what we know so far about the breach, e-mail should never have been accessible on a computer with direct access to a mission critical system:

Stefanek did not say how the malware was introduced into the hospital’s EMR system. But the leading suspect, according to sources familiar with the investigation, is a phishing attack—likely a link in an e-mail that was clicked by a hospital employee on a computer with access to the EMR system.

E-mail is the source of a lot of malware, and phishing attacks, specifically targeted ones, have become surprisingly effective. Knowing this, mission critical systems should be isolated from likely malware vectors (although I would argue those systems shouldn’t be connected to the Internet at all). Mission critical data should also be available redundantly so if one system goes down another can be made available immediately while the down one is repaired. Frequent backups should also be part of any security plan so that if something like this happens the machine can be quickly restored.

If you’re in a position that oversees budgeting give serious consideration to the unseen consequences of not providing funds for security and realize that an attack can happen to your organization.

Even An Air Gap Won’t Save You

Security is a fascinating field that is in a constant state of evolution. When new defenses are created new attackers follow and vice versa. One security measure some people take is to create and store their cryptography keys on a computer that isn’t attached to any network. This is known as an air gap and is a pretty solid security measure if implemented correctly (which is harder than most people realize). But even air gaps can be remotely exploited under the right circumstances:

In recent years, air-gapped computers, which are disconnected from the internet so hackers can not remotely access their contents, have become a regular target for security researchers. Now, researchers from Tel Aviv University and Technion have gone a step further than past efforts, and found a way to steal data from air-gapped machines while their equipment is in another room.

“By measuring the target’s electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall,” Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer write in a recently published paper. The research will be presented at the upcoming RSA Conference on March 3.

It needs to be stated up front that this attack requires a tightly controlled environment so isn’t yet practical for common real world exploitation. But attacks only improve over time so it’s possible this attack will become more practical with further research. Some may decry this as the end of computer security, because that’s what people commonly do when new exploits are created, but it will simply cause countermeasures to be implemented. Air gapped machines may be operated in a Faraday cage or computer manufacturers may improve casings to better control electromagnetic emissions.

This is just another chapter in the never ending saga of security. And it’s a damn impressive chapter no matter how you look at it.

When Karma Bites You In The Ass

The National Security Agency (NSA), which is supposedly tasked with securing domestic networks in addition to exploiting foreign networks, has caused a lot of damage to overall computer security. It appears one of its efforts, inserting a backdoor into the Dual Elliptic Curve Deterministic Random Bit Generation algorithm, may have bitten the State in the ass:

The government may have used compromised software for up to three years, exposing national security secrets to foreign spies, according to lawmakers and security experts.

Observers increasingly believe the software defect derived from an encryption “back door” created by the National Security Agency (NSA). Foreign hackers likely repurposed it for their own snooping needs.

[…]

The software vulnerability was spotted in December, when Juniper Networks, which makes a variety of IT products widely used in government, said it had found unauthorized code in its ScreenOS product.

[…]

The case is especially frustrating to security experts because it may have been avoidable. The hackers, they say, likely benefited from a flaw in the encryption algorithm that was inserted by the NSA.

For years, the NSA was seen as the standard-bearer on security technology, with many companies relying on the agency’s algorithms to lock down data.

But some suspected the NSA algorithms, including the one Juniper used, contained built-in vulnerabilities that could be used for surveillance purposes. Documents leaked by former NSA contractor Edward Snowden in 2013 appeared to confirm those suspicions.

Karma can be a real bitch.

This story does bring up a point many people often ignore: the State relies on a great deal of commercial hardware. Its infrastructure isn’t built of custom hardware and software free of the defects agencies such as the NSA introduce into commercial products. Much of its infrastructure is built on the exact same hardware and software the rest of us use. That means, contrary to what many libertarians claim as a pathetic justification not to learn proper computer security practices, the State is just as vulnerable to many of the issues as the rest of us and is therefore not as powerful as it seems.

The Networks Have Ears

Can you trust a network you don’t personally administer? No. The professors at the University of California are learning that lesson the hard way:

“Secret monitoring is ongoing.”

Those ominous words captured the attention of many faculty members at the University of California at Berkeley’s College of Natural Resources when they received an email message from a colleague on Thursday telling them that a new system to monitor computer networks had been secretly installed on all University of California campuses months ago, without letting any but a few people know about it.

“The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data (‘full packet capture’). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus,” said the email from Ethan Ligon, associate professor of agricultural and resource economics. He is one of six members of the Academic Senate-Administration Joint Committee on Campus Information Technology.

When you control a network it’s a trivial matter to set up monitoring tools. This is made possible by the fact many network connections don’t utilize encryption. E-mail is one of the biggest offenders. Many e-mail servers don’t encrypt traffic being sent so any network monitoring tools can read the contents. Likewise, many websites still utilize unencrypted connections so monitoring tools can easily read what is being sent and received between a browser and a web server. Instant messaging protocols often transmit data in the clear as well so monitoring tools can read entire conversations.

It’s not feasible to only use networks you control. A network that doesn’t connect to other networks is very limited in use. But there are tools to mitigate the risks associated with using a monitored network. For example, I run a Virtual Private Network (VPN) server that encrypts traffic between itself and my devices. When I connect to it all of my traffic goes through the encrypted connection so local network monitoring tools can’t snoop on my connections. Another tool that works very well for websites is the Tor Browser. The Tor Browser sends all traffic through an encrypted connection to an exit node. While the exit node can snoop on any unencrypted connections, local monitoring tools cannot.

Such tools wouldn’t be as necessary to maintain privacy though if all connections utilized effective encryption. E-mail servers, websites, instant messengers, etc. can encrypt traffic and often do. But the lack of ubiquitous encryption means monitoring tools can still collect some data on you.

Security Is Critical Even If You Think You Have Nothing To Hide

In my position as a discount security advisor to the proles one of the hardest challenges I face is convincing people how important security is. Most people assume they have nothing to hide. They usually claim they won’t lose anything of importance if an unauthorized party gains access to their online accounts. I can’t remember how many times I’ve heard, “If they get into my Facebook they’ll just learn how boring I am.”

Even if you are the most boring person in the world, preventing unauthorized persons from accessing your accounts is critically important. Failing to do so can lead to severe real life ramifications:

In one nasty spurt in May, a hacker gained control of Amy’s Twitter account, which she had used only twice before, and posted a series of racist and antisemitic messages. (See if you can tell where Amy’s tweets end and the hacker’s begin in the timeline below.)

That same day, a hacker used Amy’s email account to post a message to a Yahoo Groups list of about 300 residents of the Straters’ subdivision, including many parents of students at the elementary school that the family’s youngest daughter attends. According to local news reports, the message carried a chilling subject line—“I Will Shoot Up Your School”—and detailed a planned attack on the school. Oswego police quickly verified that Amy’s account had been hacked and that the message was a hoax, but the damage had been done.

Later that day, Amy discovered that her LinkedIn profile had been hacked, too. The hacker posted a message calling her employer, Ingalls Health System, “A TERRIBLE COMPANY RAN [sic] BY JEWS.”

Amy, who had worked at Ingalls for seven months as a director of decision support, had suspected that the trolls might target her employer. She says she had previously alerted the company’s IT department that the company’s systems might be compromised by the same people who were attacking her and her son.

She expected support—after all, if it was her house that was being repeatedly robbed, rather than her social media accounts, wouldn’t the company be sympathetic? But none came. Shortly after the hack, Ingalls fired Amy from her six-figure job, giving her 12 weeks of severance pay. Amy says she got no satisfactory explanation for her dismissal, other than a hint that she was “too much of a liability.” (A spokeswoman for Ingalls Health System declined to comment.)

[…]

She hasn’t been able to get another job in hospital administration because for months, her first page of Google results has included her LinkedIn profile and her Twitter account, both of which were filled with racist and anti-semitic language. (She recently regained access to her LinkedIn account after contacting the company’s fraud division, but her defaced Twitter account is still up, since the attacker changed the password to prevent her from restoring it.)

I won’t lie to you and claim proper security practices will thwart a dedicated attacker such as the ones preying on the Straters. What proper security practices will do is make you a harder target. The cost of attacking you will go up and when it comes to self-defense, whether it’s online or offline, the goal is to raise the cost of attacking you high enough to dissuade your attackers. If you can’t dissuade your attacker entirely you can still reduce the amount of damage they cause.

Twitter, Yahoo, Google, LinkedIn, Facebook, and many other websites now offer two factor authentication. Two factor authentication requires both a password and an additional authentication token, usually tied to a physical device such as your phone, to log into an account. Enabling it is a relatively easy way to notably raise the cost of gaining unauthorized access to your accounts. If nothing else you should make sure your primary e-mail account supports two factor authentication and that it is enabled. E-mail accounts are a common method used by websites to reset passwords so gaining access to your e-mail account often allows an attacker to gain access to many of your other online accounts.
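As an added example (not part of the original post), here is a minimal Python login check in which the second factor is a time-based one-time password (TOTP, RFC 6238), one common form of the phone-bound token described above. The `Account` class, the `login` function and the sample secret are constructed for illustration; the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# authenticator apps expect it. A real secret is random and unique per account.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP using HMAC-SHA1 over the number of elapsed time steps."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password, salt):
    """Salted, slow password hash so a leaked database is costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account record: password hash plus optional TOTP secret."""

    def __init__(self, password, totp_secret_b32=None):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret_b32
        self.last_used_step = -1  # highest time step already consumed


def login(account, password, code, now, step=30, window=1):
    """Return True only if the password and, when enrolled, the code are valid."""
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.pw_hash):
        return False
    if account.totp_secret is None:
        return True  # password-only account: a stolen password is enough
    if code is None:
        return False  # second factor enrolled but not supplied
    current = now // step
    # Accept the current step and its neighbours to tolerate clock drift.
    for s in range(current - window, current + window + 1):
        if s <= account.last_used_step:
            continue  # refuse replay of a code that was already accepted
        if hmac.compare_digest(totp(account.totp_secret, s * step, step), code):
            account.last_used_step = s
            return True
    return False


if __name__ == "__main__":
    acct = Account("correct horse", RFC_SECRET)
    now = 59  # constructed timestamp taken from the RFC 6238 test vectors
    print("password only      :", login(acct, "correct horse", None, now))
    print("password + guess   :", login(acct, "correct horse", "000000", now))
    print("password + token   :", login(acct, "correct horse", totp(RFC_SECRET, now), now))
    print("same token replayed:", login(acct, "correct horse", totp(RFC_SECRET, now), now))
```

With the second factor enrolled, knowing the password alone no longer logs in, and a code that has been used once is refused even inside its validity window.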

I also recommend using a password manager. There are many to choose from. I use 1Password. LastPass is still a manager I’m willing to recommend with the caveat that I don’t trust the new owners and therefore am wary of it as a long-term solution. Password managers allow you to use a unique, complex password for each of your accounts. If you use a common password for all of your accounts, which is a sadly common practice, and an unauthorized party learns that password they will have access to all of those accounts. Using a password manager allows you to limit damage by securing accounts with complex passwords that are difficult to guess and ensures an unauthorized party cannot gain access to any additional accounts by learning the password to one of them.

I must note that there is the potential threat of an unauthorized party compromising your password manager. In general the risk of this is lower than the risks involved with not using a password manager. There are also ways to mitigate the risk of unauthorized parties gaining access. LastPass, along with many other online password managers, supports two factor authentication. 1Password syncs passwords using iCloud or Dropbox, both of which support two factor authentication. You can also disable syncing in 1Password entirely so your password database never leaves your computer. LastPass, 1Password, and most other password managers also encrypt your password database so even if an unauthorized party does obtain a copy of the database they cannot read it without your decryption key.

Using two factor authentication and a password manager are by no means the only actions you can take. I mention them because they are simple ways for the average person to bolster the security of their online accounts quickly.

Nothing I’ve described above will protect you from social engineering attacks. Due to the lack of authentication inherent in many systems it’s still possible for an attacker to send the police to your home, order pizzas to be delivered to your home, call your employer and harass them enough to convince them to fire you, send anonymous bomb threats in your name, get your utilities disconnected, etc.

What I’ve described can reduce the risks of an attacker gaining access to your social media accounts and posting things that could cost you your job and haunt you for the rest of your life. And regardless of what most people believe, keeping attackers out of these accounts is important. Failure to do so can lead to dire consequences as demonstrated in the linked story.

The Risks Of Backing Up To The Cloud

Online backup services are convenient and offer resilience. Instead of managing your own backup drives a cloud backup service can upload your data to the Internet automatically whenever you’re connected. If your house burns down you don’t lose your data either. But, as with most things in the universe, there are trade offs. By placing your data on somebody else’s server you lose control over it. This can be mitigated by encrypting your files locally before uploading them but sometimes that’s not an option as with Apple’s iCloud Backup for iOS:

“If the government laid a subpoena to get iMessages, we can’t provide it,” CEO Tim Cook told Charlie Rose back in 2014. “It’s encrypted and we don’t have a key.”

But there’s always been a large and often-overlooked asterisk in that statement, and its name is iCloud.

It turns out the privacy benefits Apple likes to talk about (and the FBI likes to complain about) basically disappear when iCloud Backup is enabled. Your messages, photos and whatnot are still protected while on your device and encrypted end-to-end while in transit. But you’re also telling your device to CC Apple on everything. Those copies are encrypted on iCloud using a key controlled by Apple, not you, allowing the company (and thus anyone who gets access to your account) to see their contents.

I don’t use iCloud Backup for precisely this reason. My backups are done locally on my computer. This brings me to my point: you need to fully understand the tools you use to hope to have any semblance of security. One weakness in your armor can compromise everything.

iMessage may be end-to-end encrypted but that doesn’t do you any good if you’re backing up your data in cleartext to somebody else’s server.

Political Victories Are Only Temporary Victories

I hate redoing work. This is part of the reason I don’t pursue politics. Any political victory is only a temporary victory. At some future point the victory you achieved will be undone. The Cybersecurity Information Sharing Act (CISA) is just the latest example of this. If you go through the history of the bill you will see it was introduced and shut down several times:

The Cybersecurity Information Sharing Act was introduced on July 10, 2014 during the 113th Congress, and was able to pass the Senate Intelligence Committee by a vote of 12-3. The bill did not reach a full senate vote before the end of the congressional session.

The bill was reintroduced for the 114th Congress on March 12, 2015, and the bill passed the Senate Intelligence Committee by a vote of 14-1. Senate Majority Leader Mitch McConnell, (R-Ky) attempted to attach the bill as an amendment to the annual National Defense Authorization Act, but was blocked 56-40, not reaching the necessary 60 votes to include the amendment. Mitch McConnell hoped to bring the bill to senate-wide vote during the week of August 3–7, but was unable to take up the bill before the summer recess. The Senate tentatively agreed to limit debate to 21 particular amendments and a manager’s amendment, but did not set time limits on debate. In October 2015, the US Senate took the bill back up following legislation concerning sanctuary cities.

If at first you don’t succeed, try, try again. This time the politicians attached CISA to the budget, which as we all know is a must pass bill:

Congress on Friday adopted a $1.15 trillion spending package that included a controversial cybersecurity measure that only passed because it was slipped into the US government’s budget legislation.

House Speaker Paul Ryan, a Republican of Wisconsin, inserted the Cybersecurity Information Sharing Act (CISA) into the Omnibus Appropriations Bill—which includes some $620 billion in tax breaks for business and low-income wage earners. Ryan’s move was a bid to prevent lawmakers from putting a procedural hold on the CISA bill and block it from a vote. Because CISA was tucked into the government’s overall spending package on Wednesday, it had to pass or the government likely would have had to cease operating next week.

Sen. Ron Wyden, a Democrat of Oregon, said the CISA measure, which backers say is designed to help prevent cyber threats, got even worse after it was slipped into the 2,000-page budget deal (PDF, page 1,728). He voted against the spending plan.

All those hours invested in the political process to fight CISA were instantly rendered meaningless with the passage of this bill. However, the bill can be rendered toothless. CISA removes any potential liability from private companies that share customer data with federal agencies. So long as private companies don’t have actionable information to share the provisions outlined in CISA are inconsequential. As with most privacy related issues, effective cryptography is the biggest key. Tools like Off-the-Record (OTR) messaging, OTR’s successor Multi-End Message and Object Encryption (OMEMO), Pretty Good Privacy (PGP), Transport Layer Security (TLS), Tor, and other cryptographic tools designed to keep data private and/or anonymous can go a long way towards preventing private companies from having any usable data to give to federal agencies.

In addition to effective cryptography it’s also important to encourage businesses not to cooperate with federal agencies. The best way to do this is to buy products and services from companies that have fought attempts by federal agencies to acquire customer information and utilize cryptographic tools that prevent themselves from viewing customer data. As consumers we must make it clear that quislings will not be rewarded while those who stand with us will be.

Effective cryptography, unlike politics, offers a permanent solution to the surveillance problem. It’s wiser, in my opinion, to invest the time you’d otherwise waste with politics in learning how to properly utilize tools that protect your privacy. While your political victories may be undone nobody can take your knowledge from you.

Why Magnetic Strips On Credit And Debit Cards Need To Die

I’ve been harping on backwards compatibility as it relates to computer security for a while but that’s not the only place backwards compatibility bites us in the ass. Let’s consider credit and debit cards.

Chip and PIN cards have been the standard in Europe for ages now. The United States is finally thinking about getting onboard. But in true American tradition the move to improve credit and debit card security is being done in the dumbest way possible. First of all the United States is adopting chip and signature, not chip and PIN. Second, and this is even worse, the old legacy system of magnetic strips is still being supported. Because of this, constantly improving card skimmers are still a viable means of stealing credit and debit card information:

Virtually all European banks issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard.

For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdraw cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.

This is another example of where a hard cutoff, with all backwards compatibility dropped, should be implemented. So long as magnetic strips are still supported it’s trivial to steal credit and debit card numbers and use them to steal cash from people’s accounts.

Security, in general, does not lend itself well to backwards compatibility. Once a system is broken it should be dumped entirely. The credit card companies here in the United States should have required all banks to issue chip cards and all retailers to use readers that only support chip and PIN, Apple Pay, Android Pay, and other such modern payment methods. Instead everybody decided that the average American is too stupid to adapt to a new system and rewarded this perceived stupidity by continuing to support a completely broken standard. Because of that we’re all being put at unnecessary risk.

The Plague Of Backwards Compatibility Continues

SHA1 is a cryptographic hashing algorithm the Internet has relied on for quite some time. As things tend to go in the technology field, the old workhorse is showing its age. Attacks against it are quickly becoming more feasible so it needs to be put out to pasture.

Because of this certificates issued after 2016 will use SHA256. Although all modern browsers support SHA256 older browsers do not. Unfortunately this has convinced Facebook and CloudFlare to create a jerry rigged process to allow people running out of date browsers to access their services:

Facebook said as many as seven percent of the world’s browsers are unable to support the SHA256 function that serves as the new minimum requirement starting at the beginning of 2016. That translates into tens of millions of end users, and a disproportionate number of them are from developing countries still struggling to get online or protect themselves against repressive governments. CloudFlare, meanwhile, estimated that more than 37 million people won’t be able to access encrypted sites that rely on certificates signed with the new algorithm.

Both companies went on to unveil a controversial fallback mechanism that uses SHA1-based certificates to deliver HTTPS-encrypted webpages to people who still rely on outdated browsers. The remaining, much larger percentage of end users with modern browsers would be served HTTPS pages secured with SHA256 or an even stronger function. The mechanisms, which both companies are making available as open-source software, will allow websites to provide weaker HTTPS protection to older browsers while giving newer ones the added benefits of SHA256. Facebook is deploying the plan on most or all of the sites it operates, while CloudFlare will enable it by default for all of its customers. CloudFlare said other sites, including those run by Chinese portal Alibaba, are also implementing it.

I’m of the opinion that there needs to be a cutoff date for software. That is to say there needs to be a date where people agree that supporting it is no longer happening. After that cutoff date anybody who refuses to upgrade will just have to suffer the consequences. The reason I believe this is because continuing to support legacy software puts both users and service providers at risk.

Just this year we were all bitten in the ass by legacy support. The FREAK and Logjam exploits were the result of continued support for the old export grade cryptographic algorithms once mandated under United States law. Both exploits allowed downgrading the encryption algorithms used by clients and servers to communicate securely with one another. By downgrading the algorithms being used, the communications, although encrypted, could feasibly be broken.
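The following is an added example, not code from the original post or from any TLS implementation: a simplified Python model of suite negotiation that contrasts a server keeping export-grade suites enabled with one that has made a hard cutoff. The suite labels, the `Server` and `Client` classes and the 1024-bit client minimum are illustrative assumptions; the 512-bit figure is the group size the export-grade Diffie-Hellman suites were limited to.

```python
from dataclasses import dataclass

# Illustrative suite labels (not real TLS identifiers) mapped to the size in
# bits of the Diffie-Hellman group each one uses.
MODERN = "DHE_MODERN_2048"
EXPORT = "DHE_EXPORT_512"
DH_BITS = {MODERN: 2048, EXPORT: 512}


@dataclass
class Server:
    enabled: list  # suites the server will negotiate, in preference order


@dataclass
class Client:
    offer: list       # suites the client proposes
    min_dh_bits: int  # smallest group the client will accept


def handshake(client, server, rewrite=None):
    """Return ("ok", bits) or ("fail", reason).

    `rewrite` models a party on the network path altering the client's offer
    before the server sees it; the offer is not authenticated at this point.
    """
    offer = rewrite(client.offer) if rewrite else client.offer
    # The server picks its most preferred suite that appears in the offer.
    chosen = next((s for s in server.enabled if s in offer), None)
    if chosen is None:
        return ("fail", "server has no suite in common with the offer")
    bits = DH_BITS[chosen]
    if bits < client.min_dh_bits:
        return ("fail", "client rejects %d-bit group" % bits)
    return ("ok", bits)


def force_export(offer):
    """The altered offer: only the export-grade suite remains."""
    return [EXPORT]


def compare_policies():
    """Run the same altered offer against legacy-tolerant and cutoff policies."""
    legacy_server = Server(enabled=[MODERN, EXPORT])
    cutoff_server = Server(enabled=[MODERN])
    lax_client = Client(offer=[MODERN], min_dh_bits=0)
    strict_client = Client(offer=[MODERN], min_dh_bits=1024)
    return {
        "no_tampering": handshake(lax_client, legacy_server),
        "legacy_server_lax_client": handshake(lax_client, legacy_server, force_export),
        "cutoff_server": handshake(lax_client, cutoff_server, force_export),
        "strict_client": handshake(strict_client, legacy_server, force_export),
    }


if __name__ == "__main__":
    for scenario, result in compare_policies().items():
        print("%-26s %s" % (scenario, result))
```

Only the pairing where both ends still tolerate the legacy suite completes at 512 bits; a cutoff on either end turns the silent downgrade into a visible handshake failure.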

By supporting older browsers Facebook and CloudFlare are giving users another excuse to continue using vulnerable software instead of finally upgrading to something safe. In addition to not supporting effective cryptographic algorithms, out of date browsers also contain numerous unpatched security holes that are actively exploited. Using out of date browsers is unsafe and shouldn’t be encouraged in my opinion.

Why Centralization Fails

While the politicians discuss ways to further centralize security here let’s take a moment to review why centralization, specifically as it relates to security, fails. Imagine a society where private firearm ownership is illegal. In this society the only people who have access to firearms are the military, the police, and the attackers. It’s not hard to imagine since I’ve just described a good percentage of countries.

Under such circumstances society consists mostly of soft targets with a few hard targets scattered about. The hard targets consist of military bases, police stations, and any place where a soldier or police officer may be at a particular point in time. Everywhere else is a soft target. There are two major and very apparent weaknesses with this setup. First, the soft targets are all known. Second, the response time of somebody capable of thwarting your attack can be reasonably determined.

Attackers can cause a great deal of damage by finding a high value target far away from either a military base or a police station (and in societies, such as the United States, where the military is legally prohibited from operating in civilian spaces without approval you can focus primarily on police stations). For example, a school, museum, or sports stadium 10 to 15 minutes away from a police station will give attackers a lot of time in a target-rich environment, which will allow them to cause a great deal of damage.

Centralization fails precisely because the central points of failure can be identified and worked around. Decentralized systems tend to be more difficult to exploit because central points of failure either don’t exist or additional layers exist to support the centralized ones.

We can illustrate this by making a single alteration to our above model. In addition to soldiers and police we will allow licensed armed security agents to own firearms. Assuming any place can hire a security agent, identifying soft targets becomes more difficult. Selecting a target now requires determining how far it is from a military base or police station and whether it employs armed security agents. Another layer of security has been added and the complexity of pulling off an attack has increased.

Let’s take things a step further. In addition to soldiers, police officers, and licensed security agents we are now going to allow any adult who wants to own and carry a gun to do so. How do you identify the soft targets now? While a school, museum, or sports stadium may be 10 or 15 minutes away from a police station and doesn’t employ armed security agents anybody within the facility could be armed. While there is no guarantee that an armed individual will be at any specific target the possibility of one or more armed individuals being there always exists. Another layer of security has been added and the complexity of pulling off an attack has greatly increased.

What I’ve just described is a concept known as defense in depth. The idea is to have multiple layers of overlapping security so any single layer failing doesn’t result in total failure. As the politicians continue to argue that security must be further centralized under the State remember that the more centralized security becomes the more fragile it becomes.