Without Government Who Would Expose Us to Malware

When the state confiscates a domain name, does it have to renew it until the investigation concludes? Apparently not. The Federal Bureau of Investigation (FBI) seized a series of domains related to Megaupload when it decided to go after Kim Dotcom. What were once legitimate sites serving the wants of users are now serving up malware and porn. This didn’t happen because somebody compromised the account used to register the domain names; it was only made possible because the FBI allowed the domains to expire:

Earlier this week, something suspicious started happening with Web addresses related to sites seized by the FBI from Megaupload and a number of online gambling sites. Instead of directing browsers to a page with an FBI banner, they started dropping Web surfers onto a malicious feed of Web advertisements—some of them laden with malware.

The hijacking of the Megaupload domains wasn’t the result of some sophisticated hack. Based on evidence collected by Ars, it appears someone at the FBI’s Cyber Division failed to renew the domain registration for CIRFU.NET, the domain which in turn hosted Web and name servers used to redirect traffic headed to seized domains. As soon as they expired, they were snatched up in a GoDaddy auction by a self-described “black hat SEO marketer,” a British ex-pat who calls himself “Earl Grey.”

As of Thursday afternoon, all of the server names associated with the domain no longer resolve to Internet addresses. GoDaddy has apparently suspended the domain registration, and Earl Grey has been ranting about it ever since on Twitter. The CIRFU.NET domain currently remains in limbo.

This raises a couple of concerns. First, is the FBI liable for allowing domains related to an investigation to expire? Since the FBI is seldom held accountable for its failures I doubt the answer to this question is yes. Related to this question is whether or not the FBI is liable for exposing visitors to Megaupload to malware. Even though the site wasn’t providing file hosting it was under investigation and therefore people believed they could safely visit the domain for laughs (who doesn’t enjoy laughing at the FBI). It was only due to the FBI’s incompetence that malware was being served by that domain. Finally, if the FBI isn’t held liable for this kind of failure does that mean it can effectively censor sites by seizing domains and letting them expire? Why go through the rigors of a trial when you can just make up an investigation, seize a domain, and sit on it until it expires and can be bought up by some spammer? Perhaps domain registrars would step in to prevent such shenanigans, but I’m not entirely sure, since they let expired domains get purchased by spammers all the time.

Had the FBI never targeted Kim Dotcom it’s almost certain that the Megaupload domains wouldn’t have expired because they were part of his business model. When you’re deriving income from something you tend to protect it. So we can just write this off as another example of the government exposing Internet users to dangers they wouldn’t have otherwise faced.
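The CIRFU.NET failure is a dependency problem: the seized domains were fine, but the domain that hosted their name servers was not on anyone's renewal list. As an added illustration (not part of the original post), the script below audits a constructed inventory of domains, extracts the registrable domain of every name server, and reports any that are missing from the renewal list, expired, or about to expire. The names, dates and the two-label domain rule are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed inventory for this example: domains an organisation is responsible
# for and the name servers each one delegates to (a CIRFU.NET-style dependency).
DELEGATIONS = {
    "seized-example-1.test": ["ns1.redirect-host.test", "ns2.redirect-host.test"],
    "seized-example-2.test": ["ns1.redirect-host.test", "ns2.redirect-host.test"],
    "corp-example.test": ["ns1.corp-example.test", "ns2.corp-example.test"],
}

# Constructed renewal inventory (ISO dates), as a registrar or WHOIS lookup would
# report them. redirect-host.test is deliberately missing: nobody owns its renewal.
EXPIRY = {
    "seized-example-1.test": "2016-01-15",
    "seized-example-2.test": "2016-01-15",
    "corp-example.test": "2016-06-01",
}


def registrable_domain(hostname):
    """Return the registrable part of a hostname.

    Assumption for the example: the last two labels. Production code should
    consult the Public Suffix List (e.g. 'example.co.uk' has three labels).
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_dangling_delegations(delegations, expiry, today, warn_days=30):
    """Report name-server domains that are unmanaged, expired or about to expire.

    `today` is an ISO date string. Returns a sorted list of
    (domain, ns_domain, reason) tuples.
    """
    today = date.fromisoformat(today)
    findings = []
    for domain, nameservers in delegations.items():
        for ns_domain in sorted({registrable_domain(ns) for ns in nameservers}):
            if ns_domain not in expiry:
                findings.append((domain, ns_domain, "not in renewal inventory"))
                continue
            exp = date.fromisoformat(expiry[ns_domain])
            if exp <= today:
                findings.append((domain, ns_domain, "expired on %s" % exp))
            elif exp - today <= timedelta(days=warn_days):
                findings.append((domain, ns_domain, "expires within %d days" % warn_days))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_dangling_delegations(DELEGATIONS, EXPIRY, "2015-05-28"):
        print("%s depends on %s: %s" % finding)
```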

Paying Taxes is Dangerous to Your Personal Information

The Internal Revenue Service (IRS) is one of the, if not the, best examples of government incompetence. Almost all of us are required to interact with the IRS. Our interactions, unfortunately, involve handing over a great deal of personal information. This is a major problem since the agency has a poor security track record. Recently it has admitted to losing control over the personal information of 100,000 tax victims:

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.

Perhaps I’m hypercritical but it seems to me that we shouldn’t have to submit any of this information to an agency that has demonstrated a complete disregard for keeping it safe. I mean, the IRS’s website doesn’t even have a valid means for users to securely connect to it. If the IRS doesn’t care enough to pull a valid Transport Layer Security (TLS) certificate to protect users then why are we supposed to trust it to store our personal information?

The worst part about this is that the 100,000 people who just had their personal information accessed have no recourse. Since the IRS is the government it is shielded from liability and accountability. That makes matters worse since an organization that is shielded from liability has little motivation to invest resources into fixing its mistakes.

Market Solutions Versus State Solutions: Google Edition

Xcel Energy demonstrated the difference between how markets and the state utilize drones. Now Google has unwittingly provided another demonstration. When Google created the Play Store it saw it as a service that would improve the lives of its customers by providing a method to easily download Android applications. When the National Security Agency (NSA) saw the Play Store it saw it as a method to infect Android phones so they could be surveilled:

The information about Irritant Horn comes from documents provided by Edward Snowden to The Intercept and CBC. The program, which appears to have been in its early stages in 2011-2012, had NSA analysts use a type of man-in-the-middle attack to implant spyware on Android devices connecting to the Android Market or Samsung’s apps store. Basically, besides the requested app, the targets were served malicious software that allowed spooks to eavesdrop on everything that happened on the device. The NSA even explored using the capability to modify the target device, for propaganda or disinformation purposes.

Google wants to provide Android users with Firefox so they can browse the web. The NSA wants to provide Android users with a modified version of Firefox that reports on their browsing habits and potentially feeds them disinformation.

Whether the NSA was successful in hijacking Google’s service is up in the air. I think the answer to that heavily depends on the security used by the Play Store. If the Play Store uses effective tools to encrypt communications between an Android device and the Play Store, as well as to digitally sign provided software, the likelihood of the NSA being successful is low. This is because a properly secured connection cannot be hijacked, and digitally signing the software will alert you if it has been altered. Even if Google cooperated with the NSA the user would be able to tell if the software was modified so long as the developer signed it (that still leaves the possibility of the NSA enlisting the developer, but then the problem isn’t the Play Store).

Two lessons should be taken away from this story. First, the market sees services as means to fulfill consumer wants whereas the state sees services as means to exploit them. Second, proper security is important and market actors should focus on it to protect consumers from the state (and other malicious entities).

Come See Me On a Panel Discussion with William Binney and Todd Pierce

On Wednesday, June 3rd, I will be participating in a panel discussion with National Security Agency (NSA) whistleblower William Binney and retired Judge Advocate General (JAG) Todd Pierce. The event will be focused on ending mass surveillance in our lifetime. Binney will likely be addressing the issue from a political activism viewpoint, Pierce will likely focus on legal matters, and I’ll be addressing the issue from a technical viewpoint.

The event will be held at the Bent Creek Golf Club in Eden Prairie. It’s scheduled to start at 19:00 and end at 20:30. There is no admission fee but drinks are going to cost you.

Another Vulnerability Caused by State Meddling

In March a security vulnerability, given the fancy marketing name FREAK, was discovered. FREAK was notable because it was caused by government meddling in computer security. Due to cryptography export restrictions, quality cryptographic algorithms were not allowed to be put into widespread use, at least legally, and many legacy systems were built around weak algorithms. FREAK may be behind us but a new vulnerability was just discovered:

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they’re communicating over an unsecured, public channel.

The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.

We’ll likely be dealing with the consequences of those export restrictions for some time to come. The only upside to this is that it is a reminder of what happens when the government meddles in security for its own purposes. Cryptography export restrictions were put in place because the United States government feared it would be unable to spy on foreign entities (and, as it turns out, domestic entities). Now the government, operating under similar concerns for its ability to spy, is discussing mandating the inclusion of back doors in systems that use strong cryptography. If this happens and developers actually comply we’ll have a repeat of what we’re dealing with today. Security vulnerabilities will arise from government mandated cryptography weaknesses that will put the masses at risk.
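Logjam's downgrade only pays off against the 512-bit export-grade group, so one check a server administrator can run is to measure the prime in the server's dhparam file. The following is an added example, not code from the quoted article: it parses the PKCS#3 DER structure inside a PEM "DH PARAMETERS" block using only the Python standard library and rejects any group shorter than 2048 bits. The parameters it builds for demonstration are constructed integers of the right size, not primes.

```python
import base64

# A PEM "DH PARAMETERS" block is DER: SEQUENCE { INTEGER p, INTEGER g } (PKCS#3).
# The encoder exists only to build constructed input for the demo; the integers
# used below are NOT primes and must never be used as real parameters.

def _der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # DER INTEGER is signed; pad so the value stays positive
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body

def make_dhparam_pem(p, g=2):
    """Build a PEM-encoded DH parameter block from integers p and g."""
    inner = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % lines

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Return the bit length of the prime p in a PEM DH parameter block."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("DH parameters must be a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of DH parameters must be INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def assess_dhparam(pem, minimum_bits=2048):
    """Return (bits, acceptable); 512 bits is the export-grade size Logjam abuses."""
    bits = dh_prime_bits(pem)
    return bits, bits >= minimum_bits

if __name__ == "__main__":
    for p in ((1 << 511) | 1, (1 << 2047) | 1):  # constructed sizes, not primes
        bits, ok = assess_dhparam(make_dhparam_pem(p))
        print("p is %d bits: %s" % (bits, "ok" if ok else "REJECT (below 2048)"))
```

The same parser works on a real file produced by `openssl dhparam`, since that tool writes the identical PEM/DER structure.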

Whenever the government wishes to involve itself in something, the only appropriate answer for the people to give is a loud “No!” This is especially true when it comes to security because the government has a direct interest in ensuring that each and every one of us is vulnerable to its surveillance apparatus.

Deprecating Non-Secure HTTP

One of the biggest weaknesses of the Internet, in my opinion, is the fact that secure connections aren’t the default. E-mail servers often don’t transmit messages to other e-mail servers over secure connections. Many Jabber servers don’t utilize secure connections to other servers they’re federated with. Even the protocol most of us deal with multiple times on a daily basis to interact with web servers, the Hypertext Transfer Protocol (HTTP), isn’t secure by default. This lack of security has been a boon for national spy agencies such as the National Security Agency (NSA) and the Government Communications Headquarters (GCHQ). Even private businesses have been exploiting the lack of secure HTTP connections so they can better spy on their customers for advertising purposes. At this point it’s clear that non-secure Internet connections need to die.

To this end Mozilla, the developer of Firefox, has announced its plan to deprecate non-secure HTTP:

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.

This could be a huge move in the right direction. If every major browser deprecated non-secure HTTP it would force web servers to make secure connections available by default or lose users. More importantly, in my opinion, getting rid of non-secure HTTP would also eliminate the “what’s encrypted?” guessing game. Many websites only utilize a secure connection for specific actions such as logging into an account or sending credit card data. Other interactions with the web server are done over a non-secure connection. That guessing game can make users believe that their connection is secure even though it isn’t.

Deprecating non-secure HTTP isn’t a straightforward move. Enabling transport layer security (TLS) isn’t as simple as flipping a switch. You need to obtain a certificate for your keypair signed by an authority that major browsers trust, load the certificate and private key on the web server, and ensure the private key isn’t compromised. Administrators also have to keep up with recent security news so they can reconfigure their server when new exploits are discovered. Managing certificates could become much easier if Let’s Encrypt gains traction. Ensuring broken TLS protocols and features aren’t being used is a more difficult task but one that will likely be made easier as more sites move towards TLS. With that said, deprecating non-secure HTTP must be done regardless of the challenges involved.
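The guessing game runs both ways: a page served over HTTPS can still submit its login form or load a script over plain HTTP, and the user has no easy way to know. As an added example (not from Mozilla or the original post), the script below scans a constructed HTML page for such plain-HTTP dependencies using only the Python standard library; the hostnames in the sample are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class InsecureReferenceFinder(HTMLParser):
    """Collect sub-resources and form targets that leave an HTTPS page over plain HTTP."""

    # tag -> attribute whose value the browser will fetch from or submit to
    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "form": "action"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are fetched; canonical/alternate links are not
        target = attrs.get(attr_name)
        if tag == "form" and not target:
            target = self.page_url  # a form without an action submits to the page itself
        if not target:
            return
        absolute = urljoin(self.page_url, target)  # resolves relative and "//host" forms
        if urlsplit(absolute).scheme == "http":
            kind = "form submits over HTTP" if tag == "form" else "%s loaded over HTTP" % tag
            self.findings.append((kind, absolute))

def find_insecure_references(page_url, html):
    """Return [(description, absolute_url)] for every plain-HTTP dependency of the page."""
    finder = InsecureReferenceFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: an account page served over HTTPS whose login form and one
# script still point at plain HTTP, alongside references that resolve to HTTPS.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="http://www.example.test/account">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
</head><body>
<img src="https://img.example.test/logo.png">
<form action="http://www.example.test/login" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in find_insecure_references("https://www.example.test/account", SAMPLE_PAGE):
        print("%s: %s" % (kind, url))
```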

CryptoParty in Minneapolis on May 9th

Do you want to learn how to communicate securely but don’t want to spend any money? Join CryptoPartyMN at The Hack Factory this Saturday between 13:00 and 17:00. We’ll teach you how to secure your stuff and won’t even hit you up for loose change!

This event will serve as a dry run before our main CryptoParty at Security B-Sides MSP on June 13th and 14th. Some mistakes will likely be made but I think we’ll be able to help you secure your life with a decent amount of competency.

If you’re interested in attending please RSVP here.

Stop Using Master Lock Combination Locks

In the world of padlocks there is the omnipresent Master Lock combination lock. It’s cheap, doesn’t require a key, and takes a bit of time to brute force. At least it used to take a bit of time to brute force. One rule in the security industry is once a flaw has been discovered in a product it’s only a matter of time until that flaw becomes more severe. A rather intelligent bloke came up with a way to open any Master Lock by trying only eight combinations and wrote a nice calculator for the site:

Master Lock combination padlocks have been known to be vulnerable to an attack that reduces their 64,000 possible combinations down to 100. I’ve devised a new attack for cracking any Master combo lock that simplifies the process and reduces the amount of work down to only 8 combinations.

Use this calculator in conjunction with the instructions below to find the 8 possible combinations for your Master combo lock.

People have been warning others away from Master Lock combination locks for years now, but this shows that you really, really need to replace them with something better.

Hillary Clinton Shows the Value of Hosting Your Own E-Mail

Republicans and statist libertarians have been losing their shit over the news that Hillary Clinton continued using her private e-mail address while acting as Secretary of State and hosted that e-mail address on a server in her home:

WASHINGTON (AP) — The computer server that transmitted and received Hillary Rodham Clinton’s emails — on a private account she used exclusively for official business when she was secretary of state — traced back to an Internet service registered to her family’s home in Chappaqua, New York, according to Internet records reviewed by The Associated Press.

[…]

Most Internet users rely on professional outside companies, such as Google Inc. or their own employers, for the behind-the-scenes complexities of managing their email communications. Government employees generally use servers run by federal agencies where they work.

In most cases, individuals who operate their own email servers are technical experts or users so concerned about issues of privacy and surveillance they take matters into their own hands. It was not immediately clear exactly where Clinton ran that computer system.

I highly doubt Hillary personally administered the server (although I would be impressed if she did). A person as influential and wealthy as she is can afford a dedicated system administrator. However, that isn’t relevant to this story. What is relevant is the reason her political opponents are losing their shit. It was a brilliant move that protected her privacy:

WASHINGTON — In 2012, congressional investigators asked the State Department for a wide range of documents related to the attack on the United States diplomatic compound in Benghazi, Libya. The department eventually responded, furnishing House committees with thousands of documents.

But it turns out that that was not everything.

The State Department had not searched the email account of former Secretary of State Hillary Rodham Clinton because she had maintained a private account, which shielded it from such searches, department officials acknowledged on Tuesday.

Everybody bitching about this needs to take a step back and understand the important lesson here. Hosting your e-mail on a server you personally control, one that is under your physical supervision, is a smart fucking move. By doing so she was able to avoid providing personal information to the State Department when it was investigating the Benghazi attack. If she could shield her personal information from a government investigation then you can as well!

The nice thing about hosting your own e-mail server is that you have complete control over it. You can delete all e-mails that are over six months old and verify that those deleted e-mails have been purged from all backups. Investigators can’t get what doesn’t exist no matter how many warrants and subpoenas are issued. If your e-mail is on a third-party host you cannot verify that data has been removed from both your system and the hosting provider’s backups. Another benefit is that it’s impossible for the state to use a National Security Letter (NSL) to secretly obtain a copy of your e-mails. The only way the state can get copies of your e-mails from a self-hosted server is to either break in and copy them or order you to provide the data. Either way you stand a very good chance of knowing when the state has copied your data.

So ignore the partisan politics because they’re meaningless. Even if those e-mails were obtained by investigators, Hillary would have been found innocent of all wrongdoing. That’s a privilege of being a member of the oligarchy. What is meaningful is that she did something very intelligent and there’s no reason you can’t do the same (even if you don’t have the knowledge necessary to host an e-mail server, you can learn).