When the Cloud is More Secure

I’ve annoyed a great many electrons explaining how to free yourself from “the cloud” (online services controlled by the likes of Microsoft, Yahoo!, and Google). The reason I advocate individuals use self-hosted services is because it’s more difficult for creepers like the National Security Agency (NSA) to collect all of your data. As an anarchist the state is one of the most common malicious attackers in my threat models. But after gaining some experience helping somebody deal with a surveillance happy significant other I’ve finally had to consider other threat models. Namely models involving local threats. This is where “the cloud” comes in.

Consider a domestic abuse situation. The threat is likely going to be somebody who lives with you and therefore has physical access to your devices. Physical access is the death knell of any security setup (although with encrypted data storage the difficulty of exploitation, assuming the threat isn’t using rubber hose cryptanalysis, has greatly increased) so what can you do? Move your data to “the cloud” and access it with anonymizing tools.

The last part is very important. If you access your “cloud” data from your normal machine using the standard tools there will be records left all over the place. However, if you use something like a Tails boot disk, which doesn’t write anything to any storage media by default and pumps all Internet traffic through Tor to render local network monitoring tools impotent, there will be very little evidence of you having created or accessed any data (although Tor doesn’t hide the fact that you’re using Tor, which is something to keep in mind if your network is being monitored locally).

In a situation where the data you create could agitate your threat it’s best to make sure that data is hidden. I haven’t really had time to go over the finer details of this threat model so what I’m writing here is simply a very brief introduction to something I’ve had to consider recently. Much more work is necessary on my part and I will try to post updates of what I come up with in the hopes it can help other people.

Encrypt Your Hard Drive

Modern versions of Windows, Linux, and Mac OS all have built-in utilities to completely encrypt the contents of your hard drives. Use these tools. Many people don’t encrypt their drives because they believe they have nothing to hide. But encrypting your drive also protects against individuals altering the contents of your drive. This can be very valuable.

While an operating system will attempt to prevent unauthorized users from altering files or installing software once it has been booted, it is rendered powerless if another method is used to boot the system, such as a boot disk. An encrypted hard drive, on the other hand, cannot be meaningfully written to (any alteration of the encrypted data will appear to be garbage when you attempt to decrypt the drive) unless it is decrypted with the appropriate key.

That means an encrypted disk will prevent an attacker with physical access from installing software keyloggers, rootkits, and other potentially troublesome forms of malicious software.

I spent a decent portion of last night helping somebody deal with this scenario. As a related side note if you suspect your jealous and/or abusive significant other of having installed surveillance software on your system feel free to contact me. I will provide what assistance I can and I won’t charge a dime.

If You’re Going to Run an Illegal Business Don’t Hire a Fed

The big news floating around the darknet community is that the Federal Bureau of Investigation (FBI) managed to shut down Silk Road 2.0. When the news first broke there was a lot of speculation about how the FBI managed to do this. Many people theorized that the FBI had managed to break Tor’s hidden service functionality in such a way that it could identify the location of servers. As it turns out the FBI’s method was much more mundane:

The complaint describes how federal agents infiltrated Silk Road 2.0 from the very start, after an undercover agent working for Homeland Security investigators managed to infiltrate the support staff involved in the administration of the Silk Road 2.0 website.

“On or about October 7, 2013, the HSI-UC [the Homeland Security Investigations undercover agent] was invited to join a newly created discussion forum on the Tor network, concerning the potential creation of a replacement for the Silk Road 1.0 website,” the complaint recounts. “The next day, on or about October 8, 2013, the persons operating the forum gave the HSI‐UC moderator privileges, enabling the HSI‐UC to access areas of the forum available only to forum staff. The forum would later become the discussion forum associated with the Silk Road 2.0 website.”

The complaint also explains how the feds located and copied data from the Silk Road 2.0 servers. “In May 2014, the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time. On or about May 30, 2014, law enforcement personnel from that country imaged the Silk Road 2.0 Server and conducted a forensic analysis of it. Based on posts made to the SR2 Forum, complaining of service outages at the time the imaging was conducted, I know that once the Silk Road 2.0 server was taken offline for imaging, the Silk Road 2.0 website went offline as well, thus confirming that the server was used to host the Silk Road 2.0 website.”

The FBI didn’t utilize anything fancy; it relied on old fashioned investigative work. First it infiltrated an agent into the Silk Road 2.0 team and then it obtained the cooperation of foreign law enforcers to image the server and checked whether complaints of downtime corresponded to the server being taken down for imaging.

The takeaway from this is that keeping a hidden service truly hidden is difficult, especially when your adversary has the resources of government law enforcers on its side. That doesn’t mean it’s impossible but you have to know exactly what you’re doing.

As an agorist I’m a huge fan of “black” market businesses so long as they don’t involve initiating force against people. Silk Road was a great business that not only managed to siphon funds away from the state and render its drug prohibition irrelevant but it also made the drug trade safer by separating customers from sellers with a nice barrier of anonymity. While Silk Road 2.0 shutting down is rather sad it’s not the end of the world since another hidden service will rise to replace it. Hopefully the new online drug markets will learn lessons from this case and make themselves even more difficult to shut down.

Another Reason to Implement HTTPS Everywhere

There is no reason for a website not to at least have an HTTPS connection available to users. When websites like StartSSL provide free certificates the old excuse of cost is no longer even applicable. Computer hardware has improved to the point where offering secure connections isn’t really that big of a drain on a server. And HTTP is just plain dangerous. Not only can any traffic sent over HTTP be viewed by anybody between the two communicating points but it can be altered without either point knowing. That is what Verizon is now doing to its customers’ HTTP traffic:

Over the past couple of days, there’s been an outpouring of concern about Verizon’s advertising practices. Verizon Wireless is injecting a unique identifier into web requests, as data transits the network. On my phone, for example, here’s the extra HTTP header.

X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw

After poring over Verizon’s related patents and marketing materials, here’s my rough understanding of how the header works.

[…]

In short, Verizon is packaging and selling subscriber information, acting as a data broker on real-time advertising exchanges. Questionable. By default, the information appears to consist of demographic and geographic segments. If a user has opted into “Verizon Selects,” then Verizon also shares behavioral profiles built by deep packet inspection.

This is a dirty trick only made possible over unsecured connections. Secure connections, in addition to preventing anybody between two communicating points from snooping on the communications, also provide mechanisms to verify that the data wasn’t altered while traversing between its start and end points. This is done with a wonderful algorithm called hash-based message authentication codes (HMAC). If the contents of the message are altered in any way the HMAC will not match and the receiver can tell that the message received doesn’t match the message that was sent. HTTP, unfortunately, has no way of providing this functionality so there is no way to know whether or not the data has been altered in transit.
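As an added example (not code from the original post or from any of the parties it quotes), here is the integrity check described above in Python: the receiver recomputes an HMAC-SHA256 tag over the bytes it received under a key only the two endpoints share, so a header inserted by a middlebox, or an ad appended to a page body, fails verification, and a middlebox without the key cannot forge an acceptable tag. TLS applies this per record rather than per HTTP message, but the principle is the same. The sample request, response, header value and function names are constructed here.

```python
import hashlib
import hmac
import secrets

# Constructed sample traffic, standing in for what a phone and a web server exchange
# over a carrier network. Not captured data.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ExamplePhone/1.0\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)


def mac_message(key: bytes, message: bytes) -> bytes:
    """Tag a message with HMAC-SHA256 under a key only the two endpoints hold."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time; any changed byte fails."""
    return hmac.compare_digest(mac_message(key, message), tag)


def inject_header(raw_request: bytes, header_line: bytes) -> bytes:
    """Model an in-path middlebox adding a header at the end of the header block."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    return head + b"\r\n" + header_line + sep + body


def inject_into_body(raw_response: bytes, snippet: bytes) -> bytes:
    """Model a middlebox appending a snippet (an ad, say) to the page body."""
    return raw_response + snippet


def demo() -> dict:
    """Run the sender/receiver exchange with and without in-path tampering."""
    key = secrets.token_bytes(32)  # in TLS this key comes out of the handshake

    # Sender tags the original request and response.
    request_tag = mac_message(key, SAMPLE_REQUEST)
    response_tag = mac_message(key, SAMPLE_RESPONSE)

    # Middlebox alters traffic in transit. The identifier value is constructed.
    tampered_request = inject_header(SAMPLE_REQUEST, b"X-UIDH: CONSTRUCTED-EXAMPLE-TOKEN")
    tampered_response = inject_into_body(SAMPLE_RESPONSE, b"<script>/* injected ad */</script>")

    # A middlebox without the key can only tag with a guess.
    forged_tag = mac_message(b"middlebox-guess", tampered_request)

    return {
        "original_accepted": verify_message(key, SAMPLE_REQUEST, request_tag),
        "injected_header_accepted": verify_message(key, tampered_request, request_tag),
        "injected_body_accepted": verify_message(key, tampered_response, response_tag),
        "forged_tag_accepted": verify_message(key, tampered_request, forged_tag),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```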

The bottom line is HTTP needs to die and HTTPS needs to replace it for every website.

A Stark Difference in Threat Model Responses

Anybody who has been following the Internet drama festival that is GamerGhazi/GamerGate knows that the Internet has been at operational level full retard for a few weeks now. One side of the debate, if you want to call it that, is trying its damnedest to preserve what it believes to be the gaming culture. The other side of the debate is trying to overturn what it believes to be deep seated misogyny within the gaming culture. There is also a third faction, the Internet trolls, that have been manipulating the other two sides like a masterful puppeteer for shits and giggles.

I find Internet drama entertaining so I’ve been watching this exchange since it first blew up. But nothing about this little debacle has really been worth writing about on this blog. Until now! Anita Sarkeesian, one of the feminists who has attracted the wrath of the GamerGhazi/GamerGate community, was scheduled to speak at Utah State University. She cancelled because she found out that the laws in Utah allow individuals to carry concealed firearms on campus:

The university consulted with federal and state law enforcement and had determined it was safe to go ahead with the presentation.

But Sarkeesian pulled out after learning from university officials that concealed weapons would be permitted, as long as attendees have a valid concealed firearm permit in accordance with Utah law.

This shows a stark difference in thinking that I find rather interesting. In her opinion the combination of a death threat and permitted individuals being allowed to carry a concealed firearm to her speaking event constitutes a danger to her person. Were I in her shoes I would feel the opposite.

Permit holders by and large are more law abiding than non-permit holders. Obtaining a carry permit requires passing a background check. Passing a background check requires one not have a history of violent crime. So we know that a permit holder, statistically speaking, is more law abiding and has no history of violent crime. Permit holders are also less likely to commit murder than police officers, which is why I’d prefer being surrounded by permit holders than having police officers providing security.

Another thing to consider is the importance of response time during active shootings. In many cases active shooters end up killing themselves upon running into armed resistance. Armed resistance, in the instances where the active shooter doesn’t commit suicide, forces the shooter to focus on somebody other than innocent bystanders. When individuals are allowed to carry concealed weapons to a venue the response time to an active shooting is potentially instantaneous.

Sarkeesian obviously has a different threat model than my own. She likely sees armed individuals, in any capacity other than police (judging by her desire to have somebody perform pat downs of individuals attending her talk), as a potential threat. Because of this she doesn’t want permit holders carrying firearms to her event. Our threat models also differ in how we treat Internet death threats. My threat model disregards Internet death threats (which I have received enough of in my life to paper a room in my dwelling if I printed them out) since they’re almost always sent by angry teenagers full of impotent rage. Her threat model obviously treats Internet death threats far more seriously.

In the end each person must create their own threat model and act accordingly. As an individual with an interest in security I find the criteria people use to develop threat models and the responses they create based on those models fascinating. I would love to know the criteria used by Sarkeesian after this GamerGhazi/GamerGate fiasco to develop her threat model and the responses she has created based on that model.

Internet Defensive Services

The dust is beginning to settle after the Fappening. For those who haven’t been following along, the Fappening involved individuals gaining unauthorized access to nude photos of celebrities stored on Apple’s iCloud service. Earlier this week the Fappening was looking to strike again as a website appeared with a countdown. The site claimed that when the countdown reached zero nude photos of Emma Watson would be released. As it turns out the site was a hoax and now there is a debate about whether it was a hoax created by 4chan itself or a marketing company aimed at taking down 4chan. But the mere existence of the site created a shitstorm that has fueled a lot of angry ranting. Most of the ranting can be summarized by the idea that women aren’t safe on the Internet.

First of all let me say that it’s good that people are in an uproar. Data breaches suck but all too often they raise little ire. When they do manage to piss a lot of people off resources get diverted to tighten security. But so long as people aren’t outraged companies are all too happy to let known security issues linger until somebody gets bit in the ass. While Apple has finally taken measures to fix the iCloud vulnerability the damage has been done. The images are out there and there’s no way to remove them since the Internet is forever.

But this situation got me thinking. Stunts like the Fappening are all too easy to pull off because the minor risks involved are seldom dissuasive. To prevent things like the Fappening from occurring again the risks need to be increased. Most people seem to be aware of this and they have been demanding stronger laws against unauthorized computer access and other state interventions. Let me say that demanding state intervention is pointless. The state doesn’t give a fuck about anybody but itself and its cronies. It will only exploit these situations to gain more power for itself over the Internet without actually addressing the issue.

What we really need are hackers. As an anarchist I’m a proponent of a compensatory justice system, social ostracization, and outlawry. Suffice to say when it is possible to compensate somebody for a wrong then they should be compensated. If an individual or individuals have a habit of shitty behavior then the community should ostracize them. And if somebody refuses to abide by the laws of society (the natural laws created through spontaneous order, not the decrees issued by the state) they should not receive the protection of the law. For any of this to be possible the identity of the bad actors must be uncovered.

My proposal is complex and revolutionary since it works outside of the state (in fact by the state’s very laws it is illegal as hell). But I put forth that hackers should form organizations with the purpose of identifying bad actors and seeking justice against them. This obviously requires a lot of investigative work and either cooperation from organizations that have suffered data breaches or gaining unauthorized access to their systems to collect forensic information. Once the bad actors have been uncovered justice can be sought. Depending on the severity of the offense justice may entail something as simple as compensation paid to the victim or as complex as attacking any system in that person’s possession with the express purpose of preventing them from gaining access to the Internet. In especially egregious circumstances destruction of their data, credit ratings, and identity may be called for.

In other words I propose we create our own justice system just as stateless societies have in the past. I subscribe to the ideas expressed in the Crypto Anarchist Manifesto. The Internet is the realm of those who use it, not the state. To borrow a page from agorism we need to create our own goods and services and utilize the market to determine where resources should be prioritized. Seeking justice against those who gain unauthorized access to other people’s personal data sounds like a good place to put some resources. And it’s something that people can do. Most of the electrons spilled over the Fappening have been in the form of impotent bitching. Take the article I linked to that claimed women aren’t safe on the Internet. A group of feminist hackers coming together to seek justice against those who wrong women online could create a safer Internet for women. It certainly would accomplish more than complaining has.

Shell Shock Exploit

Can you guess what I was doing last night? If you guessed upgrading my servers you’re correct. The hits just keep on coming this year. Earlier there was a nasty exploit in the OpenSSL library, which a huge amount of software relies on, that allowed attackers to read arbitrary chunks of memory from a targeted server. Now a vulnerability in the Bourne Again Shell (Bash) has tossed a monkey wrench into the works as it allows the remote execution of commands:

Let me start with the CVE from NIST vulnerability database because it gives a good sense of the severity (highlight mine):

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

They go on to rate it a “10 out of 10” for severity or in other words, as bad as it gets. This is compounded by the fact that it’s easy to execute the attack (access complexity is low) and perhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts. The summary above is a little convoluted though so let’s boil it down to the mechanics of the bug.

In the industry that is what we call bad news. So who’s vulnerable? Anybody using a system with a vulnerable version of Bash installed. Since Bash is an extremely popular shell amongst UNIX systems, including being the default shell in many Linux distributions and Apple OS X, there are a lot of exploitable systems out there. But Microsoft users get to sit this one out.

If you run Linux, update Bash immediately. Apple hasn’t released a fix for this exploit yet but if you have Xcode installed you can compile a patched version of Bash or you can use Homebrew or MacPorts to install a newer version of Bash. And if you run a UNIX server and haven’t upgraded your system yet you better get your ass in gear.
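As an added example (not from the original post), here is a local self-check in Python for the class of bug the CVE text describes: it launches your own copy of bash with an environment variable whose value is a function definition followed by a trailing command, and reports whether bash ran that trailing command while starting up. Run it on a host before and after updating Bash; a “patched” result covers only this probe, not every follow-up variant of the bug. The names PROBE_VALUE and shellshock_status are chosen here.

```python
import shutil
import subprocess
from typing import Optional

# The probe value starts with a function definition "() { :;}" and carries a trailing
# command after it. A vulnerable bash imports the function from the environment AND
# executes the trailing "echo vulnerable" during startup; a patched bash treats the
# whole value as an ordinary string and the trailing command never runs.
PROBE_VALUE = "() { :;}; echo vulnerable"


def shellshock_status(bash_path: Optional[str] = None) -> str:
    """Return 'vulnerable', 'patched', 'bash-not-found' or 'error' for a local bash."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "bash-not-found"

    # Minimal environment: only the probe variable plus a PATH. The command bash is asked
    # to run is harmless and only marks that the probe actually executed.
    env = {"PATH": "/usr/bin:/bin", "x": PROBE_VALUE}
    try:
        proc = subprocess.run(
            [bash, "-c", "echo probe-ran"],
            env=env,
            capture_output=True,
            text=True,
            timeout=10,
        )
    except (OSError, subprocess.TimeoutExpired):
        return "error"

    # Patched versions may warn on stderr about ignoring the function definition attempt;
    # only stdout decides the verdict.
    if "vulnerable" in proc.stdout:
        return "vulnerable"
    if "probe-ran" in proc.stdout:
        return "patched"
    return "error"


if __name__ == "__main__":
    print(f"local bash: {shellshock_status()}")
```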

Number One Reason to Upgrade to iOS 8

iOS 8 was released yesterday. I have it installed on my iPhone 5 and can say that it’s a decent upgrade (LastPass can now fill in my user names and passwords in Safari, which is the highlight of the upgrade for me). But the best feature of iOS 8 is one that doesn’t seem to be getting a lot of coverage:

On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

Security changes to iOS 8 seem to have made it technically impossible for Apple to fulfill warrants demanding it extract data from a customer device. I’m glad to see Apple taking security against government agents seriously. It also goes to show just how untrusting companies have become towards the government after Snowden released the National Security Agency’s (NSA) dirty laundry. Before then I doubt Apple would have invested resources in ensuring it couldn’t comply with government data requests and it almost certainly wouldn’t have advertised the fact so prominently.

However it is important to keep in mind that the scope of this protection is only on the device itself. If you upload data to iCloud Apple can still comply with any warrants demanding it turn over customer data. So if you value your privacy it’s a good idea to upgrade to iOS 8 and not upload your data to online storage services.

Comcast Continues Its Quest to be The Most Dickish Company Ever

Comcast has a mission. That mission is to be the single most dickish company in the world. Between its horrible customer service, attempts to convince people it supports net neutrality through shady marketing, and continued attempts to regulate competition out of existence Comcast has gotten far in realizing its goal. But all of this still isn’t enough to win the crown of dickishness so Comcast is now injecting advertisements into webpages served by its publicly accessible Wi-Fi access points:

Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast’s decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate.

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity’s publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they’re at home are not affected, he said.

Now that’s some dickish behavior! Injecting code into a page without the permission of the page owner is something mostly attributed to malicious software. Granted Comcast is pretty malicious so I believe calling its injected ads malware isn’t dishonest. But this story also makes another very important point:

One way to prevent this from happening, he said, is for websites to encrypt and serve over HTTPS. But many sites do not do that.

There’s no reason in this day and age for a website to have an unsecured connection available. Companies like StartSSL will provide free Transport Layer Security (TLS) certificates for personal use and charge a very reasonable fee for commercial use. Almost every (I’m not actually aware of any exceptions) personal computer, tablet, and smartphone made in the last decade is capable of communicating via secured connections. If you’re running a website get a TLS certificate, load it on your server, and force the unsecured connection to redirect to the secured connection (that’s what I do on this site). For those of you who are using a hosting service that doesn’t give you the option of enabling TLS, demand that they offer that capability or provide the certificates and enable TLS for you. Allowing only TLS connections not only prevents third parties from eavesdropping but it also prevents third parties from altering pages in transit. We’re at a point (and have been for a long time) where the benefits of TLS far outweigh the negatives.

There is a Difference Between Victim Blaming and Valid Criticism

There is a term that is quickly losing any value due to dilution: victim blaming. Victim blaming, once used to point out a valid criticism against those who blamed victims of crimes for said crimes happening, is becoming little more than a phrase uttered to put a person who has been victimized above any form of criticism. I am, of course, referring to the nude photos that were leaked of several celebrities (what can I say, it’s the hot topic of the week and intersects with my computer science profession). As a computer scientist who has a strong interest in security I have been using these leaks as a platform to explain both the risks of using online storage services and the measures individuals can take to mitigate those risks. Not surprisingly I’ve been getting accused of victim blaming.

A thin line exists between victim blaming and valid criticism but it’s an important line. To better understand this line let’s consider an all too common scenario. Most people, as far as I know, who live outside of rural communities make a habit of locking their vehicle doors when they are going to be away from it for a period of time. Locking your vehicle doors reduces the risk of a thief breaking into it. But many people also leave valuable stuff inside of their vehicle in plain sight. What this does is offset the risk of breaking into a vehicle for unknown gain with the knowledge that breaking into a vehicle will result in a sizable gain. In other words the risk/reward calculation changed from increased risk for no potential reward to increased risk with reward. The vehicle owner isn’t at fault for the thief breaking into his or her vehicle but leaving valuables in plain sight wasn’t smart.

iCloud-gate, or whatever snazzy fucking name with “-gate” postfixed to it that you want to use, is similar to the vehicle analogy. Uploading unencrypted data to an online storage service is similar to leaving valuables inside of your vehicle in plain sight. In both instances you’re advertising the reward so a potential thief can more accurately make a risk/reward calculation. That thief may be a malicious hacker or they may be a system administrator at Apple. Either way giving them more information is not a good idea. Pointing this out isn’t victim blaming, it’s valid criticism.

It’s the difference between blaming a woman for being raped and telling a woman “It’s dangerous to go alone! Take this.” and handing her a .45 pistol. The former is an accusation of fault and the latter is an attempt to help her mitigate risk. The difference is admittedly thin but also important.