Security Is A Growing Threat To Security

Where a person stands on the subject of effective cryptography is a good litmus test for how technically knowledgeable they are. Although any litmus test is limited, you can tell immediately that an individual doesn’t understand cryptography if they in any way support state mandated weaknesses. Mike Rogers, a former Michigan politician, expressed his ignorance of cryptography in an editorial that should demonstrate to everybody why his opinion on this matter can be safely discarded:

Back in the 1970s and ’80s, Americans asked private companies to divest from business dealings with the apartheid government of South Africa. In more recent years, federal and state law enforcement officials have asked — and required — Internet service providers to crack down on the production and distribution of child pornography.

You know where it is going when the magical words “child pornography” are being mentioned in the first paragraph.

Take another example: Many communities implement landlord responsibility ordinances to hold them liable for criminal activity on their properties. This means that landlords have certain obligations to protect nearby property owners and renters to ensure there isn’t illicit activity occurring on their property. Property management companies are typically required to screen prospective tenants.

Because of the title of the editorial I know this is supposed to be about encryption. By using the words “child pornography” I know this article is meant to argue against effective cryptography. However, I have no bloody clue how landlords play into this mess.

The point of all these examples?

There’s a point?

That state and federal laws routinely act in the interest of public safety at home and abroad. Yet now, an emerging technology poses a serious threat to Americans — and Congress and our government have failed to address it.

Oh boy, this exercise in mental gymnastics is going to be good. Rogers could be going for the gold!

Technology companies are creating encrypted communication that protects their users’ privacy in a way that prevents law enforcement, or even the companies themselves, from accessing the content. With this technology, a known ISIS bomb maker would be able to send an email from a tracked computer to a suspected radicalized individual under investigation in New York, and U.S. federal law enforcement agencies would not be able to see ISIS’s attack plans.

Child pornography and terrorism in the same editorial? He’s pulling out all the stops! Do note, however, that he was unable to cite a single instance where a terrorist attack would have been thwarted if only effective encryption hadn’t been in the picture. If you’re going to opt for fear mongering it’s best to not create hypothetical scenarios that can be shot down. Just drop the boogeyman’s name and move on otherwise you look like an even bigger fool than you would.

What could a solution look like? The most obvious one is that U.S. tech companies keep a key to that encrypted communication for legitimate law enforcement purposes. In fact, they should feel a responsibility and a moral obligation to do so, or else they risk upending the balance between privacy and safety that we have so carefully cultivated in this country.

Here is where his entire argument falls apart. First he claims “state and federal laws routinely act in the interest of public safety” and now he’s claiming that state and federal laws should work against public safety.

Let’s analyze what a hypothetical golden key would do. According to Rogers it would allow law enforcement agents to gain access to a suspect’s encrypted data. This is true. In fact it would allow anybody with a copy of that key to gain access to the encrypted data of anybody using that company’s products. Remember when Target and Home Depot’s networks were breached and all of their customers’ credit card data was compromised? Or that time Sony’s PlayStation Network was breached and its customers’ credit card data was compromised? How about the recent case of that affair website getting breached and its customers’ personal information ending up in unknown hands? And then there was the breach that exposed all of Hacking Team’s dirty secrets and many of its private keys to the Internet. These are not hypothetical scenarios cooked up by somebody trying to scare you into submission but real world examples of company networks being breached and customer data being compromised.

Imagine the same thing happening to a company that held a golden key that could decrypt any customer’s encrypted data. Suddenly a single breach would not only compromise personal information but also every device every one of the company’s customers possessed. If Apple, for example, were to implement Rogers’ proposed plan and its golden key was compromised every iOS user, which includes government employees I might add, would be vulnerable to having their encrypted data decrypted by anybody who acquired a copy of the key (and let’s not lie to ourselves, in the case of such a compromise the key would be posted publicly on the Internet).

Network breaches aren’t the only risk. Any employee with access to the golden key would be able to decrypt any customer’s device. Even if you trust law enforcement do you trust one or more random employees at a company to protect your data? A key with that sort of power would be worth a lot of money to a foreign government. Do you trust somebody to not hand a copy of the key over to the Chinese government for a few billion dollars?

There is no way a scenario involving a golden key can end well, which brings us to our next point.

Unfortunately, the tech industry argues that Americans have an absolute right to absolute privacy.

How is that unfortunate? More to the point, based on what I wrote above, we can see that the reason companies don’t implement cryptographic backdoors isn’t because they believe in some absolute right to privacy but because the risks of doing so are too great of a liability.

The only thing Rogers argued in his editorial was his complete ignorance on the subject of cryptography. Generally the opinions of people who are entirely ignorant on a topic are discarded and this should be no exception.

The Future Of Warfare

There are two common predictions regarding the future of warfare. First, the arms race between military powers necessitates a continuous adoption of improving technologies. Second, the focus will increasingly be on attacking your opponent’s technology as opposed to their soldiers.

TrackingPoint, an optical system that automates almost all of the previously specialized knowledge usually required to accurately hit a target at long distances with a rifle, is an example of this. Such a system could greatly increase the accuracy of the average soldier while cutting training costs. Militaries that adopt such technology would have a distinct advantage over those that didn’t. The tradeoff is that the technology can be attacked and potentially rendered useless:

At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.

I’m sure somebody is going to claim this as a reason why merging firearms and technology is stupid. Such criticisms can be dismissed entirely because any military that fails to take advantage of this type of technology will be at a tremendous disadvantage. Merging technology and firearms is inevitable so we need to address the weaknesses.

TrackingPoint has stated that it will work with the researchers to fix the vulnerabilities and that’s the proper response. This should also serve as a lesson to any organization creating military technology that software security, which will eventually become the primary target of enemy forces, must be a primary consideration.

As an aside it will be interesting to see if the death tolls in future wars decrease as focus on attacking technology increases. If one side can disable the other side’s ability to wage war it could lead to a bloodless surrender or an immediate retreat.

It’ll also be interesting to see how this plays out in the ancient battle of the state versus the people. Traditionally states, being centralized bureaucracies, have responded poorly to change whereas humanity as a whole has responded very well to change. In the future states will be entirely dependent on technology to both wage war and exploit their people. That could give the people a strong advantage since you could have the creativity of the entire world focused on rendering the technology and these centralized exploiters impotent. Imagine a world where a police cruiser pursuing a nonviolent drug dealer could be turned off with the push of a button. Suddenly the dangerous high-speed chase initiated by the officer could be made into a very safe getaway for the dealer. Family pets could be saved from police kicking in a door at oh dark thirty by merely using an exploit that would cause the officer’s identification friend or foe (IFF) to identify all of the house’s inhabitants as friendly and therefore prevent their weapons from discharging at them. Admittedly that is a farfetched vision but not one outside of the realm of possibility.

CryptoPartyMN Meeting Next Tuesday

As some of you may be aware I’ve been working with a group of individuals on an initiative we call CryptoPartyMN. The idea is to have an organization that meets regularly to help people learn how to use secure communication tools. So far we’ve held two CryptoParties and have been trying to regularly hold meetings every other week. Next Tuesday we’ll be having a meeting at the Wedge Table (it’s kind of like the Wedge Co-op but with sit down space, you still have to dodge hipsters on fixies to get there though).

During the meeting we’ll be discussing our upcoming CryptoParty slated for the second or third weekend in August (depending on venue availability and such). If you’re interested in helping with the event feel free to stop by. The meeting starts at 18:30 and we’re usually there until the place closes down.

Why You Should Be Concerned About Wi-Fi Sense

Windows 10 has a feature, dubbed Wi-Fi Sense, that allows you to share any Wi-Fi pre-shared keys with your friends. Needless to say the security community hasn’t received this feature with open arms. Just because you trust a friend to connect to your wireless network doesn’t mean you trust all of their friends. But a lot of people have been trying to argue that this feature isn’t a big deal and people should stop being so worried about it. Some are even claiming that this feature is beneficial to security because it makes it easier for people to find encrypted Wi-Fi networks to join.

My focus when it comes to security is the individual. From my vantage point I see this feature as a risk to individuals who want to control who has access to their wireless networks. Ars Technica, while trying to argue that Wi-Fi Sense isn’t that big of a deal, inadvertently made the best case against it:

For a start, when a Wi-Fi passkey is shared with your PC via Wi-Fi Sense, you never actually see the password: it comes down from a Microsoft server in encrypted form, and is decrypted behind the scenes. There might be a way to see the decrypted passkeys if you go hunting through the registry, or something along those lines, but it’s certainly not something that most people are likely to do.

Emphasis mine. You can’t base your security model on the assumption that so long as something isn’t easy to do it won’t be done. Although Wi-Fi Sense encrypts pre-shared keys before transmitting them they have to be decrypted before they can be used. Once they’re decrypted they’re fair game for anybody who knows where to look. To make matters worse once somebody finds where the unencrypted keys are stored it will be trivial to write an automated tool for extracting and displaying them.

The biggest problem with Wi-Fi Sense is that it makes it extremely easy to lose any control over who has access to your pre-shared key. While it’s true that you potentially lose control over who has your pre-shared key the second you share it with somebody else, this makes the problem worse because even a trustworthy person may inadvertently share the key with all of their friends.

As with anything there are pros and cons. I’m not saying Wi-Fi Sense doesn’t offer any benefits. But I think a lot of people are sweeping major security concerns about the feature under the rug. You should be fully aware of the risks involved in using the feature and you especially can’t assume just because something is potentially difficult nobody is going to do it.

The Real Android Security Issue

A new text message vulnerability has been discovered. By sending a maliciously formed video through multimedia messaging service (MMS), an attacker can compromise a device running Android. This shouldn’t be a notable problem because Google has already pushed out a fix. But it is a notable problem because there’s no guarantee device manufacturers will push the fix to their users:

If you’re an Android user, you’d better hope that a stranger doesn’t send you a video message in the near future — it might compromise your phone. Security researchers at Zimperium have discovered an exploit that lets attackers take control if they send a malware-laden MMS video. The kicker is that you may not even need to do anything to trigger the payload, depending on your text messaging app of choice. While the stock Messenger app won’t do anything until you see the message, Hangouts’ pre-processing for media attachments could put you at risk before you’re even aware that there’s a message waiting.

Google is already on top of the flaw, and has pushed out a fix to its hardware partners. However, whether or not you’ll get that fix will depend on your phone’s manufacturer. Zimperium tells Forbes that the Nexus 6 and Blackphone are already safe against some of the related flaws (other Nexus devices are likely in a similar boat), but more common third-party phones from Samsung, HTC and others are typically still vulnerable.

There is a lot of heated debate over whether iOS or Android is more secure. Overall I think both operating systems have decent reputations for security but Android gets a bad rap because Google doesn’t control the update channel for all Android devices. Google has already pushed the fix out to its devices and some manufacturers have pushed the fixes to their users. But each manufacturer gets a great deal of leeway over what they can do with Android and many have opted to make their devices rely on their update channel instead of Google’s. This means updates may not arrive in a timely manner or at all.

iOS has an advantage when it comes to security because Apple controls the hardware and software. When a vulnerability is fixed Apple can guarantee everybody using a currently supported version of iOS gets the update.

Google would do well to require device manufacturers to use its official Android update channel in order to use its proprietary apps (which is the only real pull Google has since Android is an open source operating system). Since most Android users rely on Google’s proprietary apps that would be a powerful incentive for handset manufacturers to utilize the official Android update channel instead of rolling their own. Until that is done I fear a lot of Android users will continue being vulnerable to exploits that have already been discovered and patched.

Verification Is The Reason Why Random People Standing In Front Of Recruitment Centers Isn’t A Viable Security Model

Yesterday I noted that even an imbecile with a sightless AR-pattern pistol is an effective response to an active shooter situation. Lest somebody mistake that statement as a blanket approval of armed individuals taking it upon themselves to stand guard uninvited over military recruitment centers, let me discuss why such a security model isn’t viable. The Army has been telling its recruiters to treat random armed watchmen as potential threats and it’s right to do so:

WASHINGTON — The Army has warned its recruiters to treat the gun-toting civilians gathering at centers across the country in the wake of the Chattanooga, Tenn., shooting as a security threat.

Soldiers should avoid anyone standing outside the recruiting centers attempting to offer protection and report them to local law enforcement and the command if they feel threatened, according to a U.S. Army Recruiting Command policy letter issued Monday.

Effective security relies on effective threat modeling. When the threat model is an active shooter the most effective response is an armed individual able to provide resistance. Before an active shooting begins the threat model is different because the potential attacker still isn’t known. Under that model you must assume everybody who isn’t trusted is a potential attacker (trusted individuals could be potential attackers as well, which is why you need redundancies). How do the recruiters know that the person who took it upon themselves to stand watch isn’t actually planning to shoot the place up? They don’t.

This is why nobody, whether they be tasked with securing a top secret military facility or a bar, puts any random schmuck who volunteers on guard duty. Verification is required before somebody can be trusted to provide security services. Bars need to know that their bouncers are going to verify patrons’ ages instead of take payouts to let high school students in. Businesses need to know the person at the front desk isn’t a member of a gang of thieves planning to rob the place. Military recruiters need to know that the person at the front isn’t a copycat wanting to take out some military personnel.

The most effective defense against a potential shooter is arming the individuals you trust to be on your property. As I stated in yesterday’s article, responding to an active shooter doesn’t require training beyond being able to send rounds towards the shooter. Response time is the critical factor so the more armed individuals on site the faster the situation will likely be resolved. But the armed individuals must be trusted to be a viable part of your security model otherwise you can’t know if they’re going to be a defender or aggressor until the attack is underway.

Stopping Active Shooters Is About Armed Resistance, Not Special Training

The Trace, an anti-self-defense rag masquerading as a news source, posted what may be one of the dumbest arguments against arming, well, anybody but soldiers at recruitment centers specifically:

Most armed service members are not trained to neutralize active shooters, and putting more loaded guns in their hands creates its own risks.

[…]

Most service members — 99 percent of airmen, 88 percent of sailors, and about two-thirds of soldiers and Marines — are not in direct combat roles, but instead are technical workers whose specialties support those “tip of the spear” troops. These include navigators, supply clerks, water purification specialists, and camera crews. Roughly the same breakdown applies to the backgrounds of recruiters and reservists. Practically speaking, this means that your average military member’s firearms experience may only go as far as some boot camp familiarization with a service rifle on a “static range,” plinking at paper targets to qualify for a marksmanship ribbon.

I’ll be sure to tell my friend who was a helicopter mechanic in the Marines that his firearms training amounted to little more than plinking at paper on a range. Lest I digress further into the firearm training military personnel receive let me make my point. Stopping an active shooter, in most cases, doesn’t require any special training. All that’s required are bullets moving towards the shooter. As it turns out most active shooters commit suicide upon meeting armed resistance:

But as much as we would like to confront the active shooter with multiple officers, the reality is that we are almost always in a reactive posture, and time is working in favor of the shooter. More often than not, we must wait for the incident to unfold before we are able to interject ourselves into the fray. Depending on the venue, whether it occurs in a big city or an isolated rural community, that response with well-trained responders may be a while in arriving.

Therefore, the individual officer becomes our best asset. Ideally, we’d like to have a response in which we send in several similarly trained officers, but that may not always be possible. Thus, the responsibility rests with the first car on the scene, and in these types of incidents it’s important to get inside and act quickly. By doing this, we interrupt the killer’s plan and his activity. This rapid interdiction is critical to saving lives.

However, quickly inserting oneself into the active shooter situation does not mean running blindly into a gun battle. Rather, it simply means stopping the shooter as fast as possible, either by lethal means or by the mere fact that he knows law enforcement is present. That knowledge alone, that cops are on scene, has ended the carnage in many instances and caused the gunman to commit suicide.

Therefore, the key to reacting to an active shooter situation is rapid response – get on scene and inside as quickly as possible.

Police “training” for active shooter responses is for the first officer on the scene to move in and start sending bullets at the shooter. That’s because response time is the key factor for how long an active shooter scenario will play out. The sooner somebody is able to provide armed resistance to an active shooter the sooner the situation stops in a vast majority of cases. The “training” that is supposedly absent from boot camp is having a gun and using it to shoot at the active shooter. Anybody who has gone through basic training in any branch of the military can handle that. Hell, I can handle that.

There isn’t a good argument against armed individuals at the scene being the most effective way to resolve active shootings. An active shooting is a scenario where, in the vast majority of cases, accuracy and tactics aren’t the primary deciding factors in how quickly it stops. Even a man at the scene wearing a stylish tactical neon shirt and camouflage Crocs armed with a potentially felonious foregrip equipped sightless AR-pattern pistol would be more effective against an active shooter than waiting for police to respond.

Still more effective than waiting for police to respond.

Situational Awareness Is Equally Important Offline And Online

Defending yourself online isn’t dissimilar to defending yourself offline. The tools do change. Instead of relying on tools such as physical fitness, weapons, and martial arts, online defense relies on encryption, anonymity, and credential management. Even though online and offline self-defense utilize different tools both rely first and foremost on situational awareness. For example, in regards to offline defense it’s wise to avoid going down dark alleys that have reputations for being places of violence at night by yourself. Situational awareness should lead you to recognize that putting yourself in that situation greatly increases your risk of being the target of a violent crime. Likewise, when you’re online it’s wise not to submit personally identifiable information to websites that offer services that are either illegal or could be used to blackmail users.

37 million people failed the online situational awareness test and are now facing the very real prospect of being blackmailed:

Hackers claim to have personal details of more than 37 million cheating spouses on dating website Ashley Madison and have threatened to release nude photos and sexual fantasies of the site’s clients unless it is shut down, blog KrebsOnSecurity reported.

Ashley Madison’s Canadian parent, Avid Life Media, confirmed the breach on its systems and said it had since secured its site and was working with law enforcement agencies to try to trace those behind the attack.

Let’s consider the situation. The Ashley Madison website specializes in helping married individuals have an affair. Since knowledge of affairs is often used for blackmail, signing up for this website has pretty notable risks. The first risk is that the owners of the site will use the existence of your account to blackmail you. Another risk is exactly what happened: malicious hackers breaching the network and acquiring your personal information.

The latter risk is one faced whenever you sign up for any website. But the risks involved in your personal information from, say, Reddit being leaked are likely far lower than those involved in a website that specifically advertises services to help married individuals commit adultery. That’s an important part of the situation to consider.

Another part of the situation that’s important to note is the site didn’t put any measures in place to protect your privacy in the event a breach occurred. Had the website been a hidden service that used Bitcoin as payment the ability to anonymize yourself, or at least offer plausible deniability by claiming somebody else created and maintained the account to sully your reputation, would exist. That’s exactly why Silk Road, which offered illegal services, opted for the hidden service using Bitcoin route. This website wasn’t a hidden service and, as far as I know, used credit cards, which are strongly tied to your real-life identity, for payments.

Be aware of the situation before you involve yourself in it. Failing to do so could put you in a bad situation that you could have otherwise avoided.

Use WPA-AES To Secure Your Wireless Network

Wired Equivalent Privacy (WEP) was the first standard implemented for securing wireless networks. As the weakness of the RC4 algorithm, which WEP relied on, became better known Wi-Fi Protected Access (WPA) was created as a successor. WPA has two modes: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).

TKIP was a bandage created for devices that couldn’t implement AES. It used WEP but with four rotating keys that raised the challenge of attacking the network significantly. But it was never meant to be a long-term replacement. Nowadays everything has support for AES, which was a good enough reason to move away from TKIP. In addition to that the weaknesses in RC4 are now bad enough that breaking TKIP is easy:

Almost a third of the world’s encrypted Web connections can be cracked using an exploit that’s growing increasingly practical, computer scientists warned Wednesday. They said the attack technique on a cryptographic cipher known as RC4 can also be used to break into wireless networks protected by the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Researchers have long known statistical biases in RC4 make it possible for attackers to predict some of the pseudo-random bytes the cipher uses to encode messages. In 2013, a team of scientists devised an attack exploiting the weakness that required about 2,000 hours to correctly guess the characters contained in a typical authentication cookie. Using refinements, a separate team of researchers is now able to carry out the same feat in about 75 hours with a 94 percent accuracy. A similar attack against WPA-TKIP networks takes about an hour to succeed. The researchers said the only reliable countermeasure is to stop using RC4 altogether.

A wireless network secured with TKIP can now be broken in an hour. If you haven’t already set up your access point to exclusively use AES it’s time to do so. If you’re administering a web server and haven’t already disabled RC4 you’ve failed. But there’s no reason you can’t redeem yourself by disabling it now.
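One way to check an access point against the advice above, as an added example that is not from the original post: it audits a hostapd-style configuration for WPA version 1 and TKIP. The choice of hostapd, both sample configurations and the function names are assumptions made for illustration.

```python
# Added example: audit hostapd-style settings for WPA version 1 and TKIP.
# Both sample configurations are constructed for illustration.

WEAK_CONF = """\
interface=wlan0
ssid=ExampleNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=constructed-sample-passphrase
"""

HARDENED_CONF = """\
interface=wlan0
ssid=ExampleNet
# WPA2 (RSN) only, AES-CCMP as the only pairwise cipher
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-passphrase
"""


def parse_conf(text):
    """Return {key: value} from key=value lines, skipping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_hostapd(text):
    """Return a list of findings; an empty list means AES-CCMP only."""
    conf = parse_conf(text)
    try:
        wpa = int(conf.get("wpa", "0"))
    except ValueError:
        return ["wpa= is not a number"]
    if wpa == 0:
        return ["WPA is disabled (open or WEP network)"]

    # Assumption from hostapd's documented defaults: wpa_pairwise defaults
    # to TKIP, and rsn_pairwise falls back to the wpa_pairwise value.
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP").split()
    rsn_pairwise = conf.get("rsn_pairwise", " ".join(wpa_pairwise)).split()

    findings = []
    if wpa & 1:  # bit 0 enables WPA version 1
        findings.append("WPA version 1 is enabled; set wpa=2")
        if "TKIP" in wpa_pairwise:
            findings.append("TKIP offered to WPA version 1 clients")
    if wpa & 2 and "TKIP" in rsn_pairwise:  # bit 1 enables WPA2 (RSN)
        findings.append("TKIP offered to WPA2 clients; set rsn_pairwise=CCMP")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_hostapd(conf)
        print(name, "->", result if result else "AES-CCMP only")
```

A configuration that sets only `wpa=2` and no pairwise cipher is still flagged, because the fallback default leaves TKIP enabled.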

I spend a lot of time advocating for people to encrypt their data. One caveat I try to point out but sometimes forget is that not all encryption is made the same. Some encryption algorithms and implementations are far better than others. Even poor encryption is better than no encryption but usually not by a lot. Effective encryption is what you need if you want to keep your data private.
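The kind of statistical bias in RC4 mentioned in the quoted report can be measured directly. This added example (not from the original post or the cited research) implements RC4 and counts how often the second keystream byte is zero across random 128-bit keys, a bias published by Mantin and Shamir that shows up about twice as often as a uniform generator would produce. The function names, trial count and seed are illustrative choices.

```python
import random


def rc4_keystream(key, n):
    """Return the first n RC4 keystream bytes for key (a bytes object)."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key, data):
    """XOR data with the RC4 keystream (encryption equals decryption)."""
    stream = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def zero_byte_ratios(positions, trials=40000, seed=2015):
    """For each 1-indexed keystream position, return the observed frequency
    of a zero byte divided by the uniform expectation of 1/256."""
    rng = random.Random(seed)  # fixed seed so the measurement is repeatable
    need = max(positions)
    zeros = dict.fromkeys(positions, 0)
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        stream = rc4_keystream(key, need)
        for pos in positions:
            if stream[pos - 1] == 0:
                zeros[pos] += 1
    uniform = trials / 256
    return {pos: zeros[pos] / uniform for pos in positions}


if __name__ == "__main__":
    ratios = zero_byte_ratios((2, 8))
    # Position 2 carries the bias; position 8 serves as a near-uniform control.
    for pos, ratio in ratios.items():
        print(f"keystream byte {pos}: zero occurs {ratio:.2f}x as often as uniform")
```

A cipher whose output can be told apart from random noise this cheaply leaks information about every message encrypted in the same position, which is why the only fix is to stop using it.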