Once Data Leaves Your System You No Longer Have Control

I try not to waste your time talking about celebrity news on this blog. But once in a great while celebrity news can act as a launching point for something that’s actually important. The recent breach of several celebrities’ iCloud accounts is one of those rare times:

Someone claiming to be the individual responsible for the breach has used 4Chan to offer explicit videos from Lawrence’s phone, as well as more than 60 nude “selfies” of the actress. In fact, it seems multiple “b-tards” claimed they had access to the images, with one providing a Hotmail address associated with a PayPal account, and another seeking contributions to a Bitcoin wallet. Word of the images launched a cascade of Google searches and set Twitter trending. As a result, 4Chan/b—the birthplace of Anonymous—has opened its characteristically hostile arms to a wave of curious onlookers hoping to catch a glimpse of their favorite starlets’ naked bodies. Happy Labor Day!

This breach appears different from other recent celebrity “hacks” in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or some low-tech research to gain control of the victims’ cloud accounts, the attacker basically bashed in the front door, and Apple didn’t find out until the attack was over. While an unusual, long, convoluted password may have prevented the attack from being successful, the only real defense against this assault was never to put photos in Apple’s cloud in the first place. Even Apple’s two-factor authentication would not have helped, if the attack was the one now being investigated: at the time Apple’s two-step verification gated Apple ID account changes and purchases, not access to iCloud backups.

There is a valuable lesson in this story. Once data leaves your system you no longer have control over it. With the skyrocketing popularity of online data storage services (often referred to as “the cloud”) this lesson is more important than ever.

Smartphones are pervasive in our society. Millions of people are walking around with an Android, iOS, or Windows Phone powered device in their pockets. These devices, by default, upload a lot of personal data to Google, Apple, and Microsoft’s online data storage services. While many conspiracy theorists will claim that these services are enabled by default for nefarious purposes, the truth of the matter is consumers demanded these services. Automatically uploading data to online storage services helps protect against data loss. Since most computer users are unwilling to take the time to manually back up their data, and bitch an awful lot when they lose data, manufacturers have begun doing backups automatically. But security and convenience seldom go hand in hand. By backing up data to online services users have begun to lose control of their data. Once the data has been uploaded to a third party service that third party now has control over that data.

There are ways to alleviate many of the risks involved with using online storage services. The most effective method of reducing the risks involved is to encrypt data with a strong key known only to you before uploading it. That way the third party only has access to an encrypted blob and not the means of decrypting it. Note that this has to happen on your own device, with a key the provider never sees; a provider advertising that your data is “encrypted at rest” is holding the key itself and can still hand over or lose your data. Using a strong password and two-factor authentication can also help protect your online accounts, but neither of those practices will offer much protection if there is a flaw in the service itself (as was the case with these iCloud breaches). Ultimately the most secure option is not to upload your data to begin with.

As a general rule I don’t upload anything to a third party service unless I’m OK with it becoming publicly accessible. While I don’t take selfies or record my sexual exploits, if I were to do so I wouldn’t upload them to iCloud, Dropbox, Azure Cloud, or any other third party online storage option. The iPhone is pretty good about giving you options to keep your data on your own services, and I utilize those options heavily. It’s been ages since I’ve used Android so I’m not sure if it has the same options (its options were sparse when I used it) and I have no idea what options are made available in Windows Phone as I’ve not used that platform. But I highly encourage people to utilize such options when available. Apps, on the other hand, are seldom as flexible since most seem geared towards getting people to utilize third party services. You may have the automatic upload features disabled in your phone’s operating system, but if an app automatically uploads that data then all of your efforts are for naught. So it’s important to be familiar not only with your operating system but also with the applications you utilize.

Keep your shit under your control. If you fail to do so there’s no way to regain it.

Protection Against Rockets Doesn’t Imply Protection Against Malicious Hackers

Israel’s Iron Dome has proven to be a very effective defensive system against rockets. But just because you can build an effective anti-rocket system doesn’t mean your network and computer security don’t suck:

Three Israeli defense contractors responsible for building the “Iron Dome” missile shield currently protecting Israel from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive documents pertaining to the shield technology, KrebsOnSecurity has learned.

The never-before publicized intrusions, which occurred between 2011 and 2012, illustrate the continued challenges that defense contractors and other companies face in deterring organized cyber adversaries and preventing the theft of proprietary information.

It always amazes me how a company that invests so much into physical security fails to properly secure its computers and networks. But it doesn’t surprise me, since physical security and computer and network security are usually quite different disciplines (although there is a lot of overlap). I would still think that a company whose task it is to build weapons for physical security would invest a great deal of money into hiring the best computer and network security people in existence.

iOS 8 Adds Interesting Privacy Features

If nothing else came of Edward Snowden’s leaks, at least they pushed companies to focus more on privacy and security features. Whether you acknowledge Snowden as a hero or a villain (in which case you’re wrong) you are benefitting from his actions. His actions destroyed the trust people had in both the government and major technology companies. Now companies are scrambling to rebuild that trust and they’re doing so by adding more security and privacy features to their products. Come fall, iOS users will be benefitting from this attempted rebuilding of trust in an interesting way as their devices will become harder to track via Wi-Fi:

It wasn’t touted onstage, but a new iOS 8 feature is set to cause havoc for location trackers, and score a major win for privacy. As spotted by Frederic Jacobs, the changes have to do with the MAC address used to identify devices within networks. When iOS 8 devices look for a connection, they randomize that address, effectively disguising any trace of the real device until it decides to connect to a network.

Every network interface has a media access control (MAC) address. In the case of Wi-Fi interfaces this address is sent in the clear in every frame, including the probe requests a phone broadcasts while it is merely looking for networks, so anybody with a radio in range can record it without the device ever connecting to anything. That makes tracking devices via Wi-Fi fairly trivial. If you see the same MAC address picked up by a cafe at one end of the street and a library at the other end of the street you know where the user is and the direction he or she is traveling. With enough sensors and enough data you can get a pretty good idea of the places a person frequents.

Randomizing this address until a connection has been made to an access point makes tracking a device over time difficult, as it doesn’t appear to be the same device every time it passes a sensor. The caveat is right there in the quote: once the device actually joins a network it uses its real address, so the protection covers the scanning your phone does as you walk past, not the networks you choose to connect to.
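To make the tracking side concrete, here is an added example (not code from the original post or from Apple) of what a Wi-Fi tracker does with captured probe requests, and why randomized addresses break it. A randomized MAC is a locally administered address, which means the universal/local bit (0x02 of the first octet) is set, whereas a burned-in address carries a vendor OUI with that bit clear. The program parses a constructed sensor log, builds per-device trajectories for globally unique addresses, and discards the locally administered ones because nothing ties consecutive probe bursts together. The log format and sensor names are assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Sighting is one probe request heard by a Wi-Fi sensor: when it was heard,
// which sensor heard it, and the source MAC the device put in the frame.
type Sighting struct {
	T      int    // seconds since an arbitrary epoch (constructed)
	Sensor string // sensor name, e.g. "cafe" or "library"
	MAC    string // source MAC as aa:bb:cc:dd:ee:ff
}

// IsLocallyAdministered reports whether the universal/local bit (0x02 of the
// first octet) is set. Randomized addresses set it; a vendor-assigned
// burned-in address does not, so only the latter can be linked to hardware.
func IsLocallyAdministered(mac string) (bool, error) {
	octets := strings.Split(mac, ":")
	if len(octets) != 6 {
		return false, fmt.Errorf("malformed MAC %q", mac)
	}
	first, err := strconv.ParseUint(octets[0], 16, 8)
	if err != nil {
		return false, fmt.Errorf("malformed MAC %q: %v", mac, err)
	}
	return first&0x02 != 0, nil
}

// ParseLog reads constructed sensor lines of the form "<seconds> <sensor> <mac>".
func ParseLog(log string) ([]Sighting, error) {
	var out []Sighting
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("bad line %q", sc.Text())
		}
		t, err := strconv.Atoi(fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q", sc.Text())
		}
		out = append(out, Sighting{T: t, Sensor: fields[1], MAC: strings.ToLower(fields[2])})
	}
	return out, sc.Err()
}

// Trajectories does what a tracker does: group sightings by source MAC and
// order each device's sensors by time. Locally administered (randomized)
// addresses are dropped, since each probe burst may carry a different one.
func Trajectories(ss []Sighting) (map[string][]string, error) {
	byMAC := map[string][]Sighting{}
	for _, s := range ss {
		local, err := IsLocallyAdministered(s.MAC)
		if err != nil {
			return nil, err
		}
		if local {
			continue
		}
		byMAC[s.MAC] = append(byMAC[s.MAC], s)
	}
	paths := map[string][]string{}
	for mac, list := range byMAC {
		sort.Slice(list, func(i, j int) bool { return list[i].T < list[j].T })
		for _, s := range list {
			paths[mac] = append(paths[mac], s.Sensor)
		}
	}
	return paths, nil
}

// sampleLog is constructed: one device probing with its real MAC at both
// sensors, plus three probe bursts that each carry a fresh randomized MAC.
const sampleLog = `
1000 cafe    00:11:22:33:44:55
1090 library 00:11:22:33:44:55
1200 cafe    da:1a:5e:01:02:03
1260 cafe    7e:22:9f:04:05:06
1290 library 4a:b0:11:07:08:09
`

func main() {
	ss, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	paths, err := Trajectories(ss)
	if err != nil {
		panic(err)
	}
	fmt.Println("linkable devices:", len(paths))
	for mac, p := range paths {
		fmt.Printf("%s moved %s\n", mac, strings.Join(p, " -> "))
	}
}
```

The randomized device is seen three times across both sensors yet never becomes a trajectory; the device that probed with its real address is trivially followed from the cafe to the library. That is the whole value of the feature, and also its limit: the moment a device associates and starts using its real MAC, it lands back in the first category.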

I believe this is a good feature and cannot wait until other manufacturers add it to their products.

Google Releases Chrome Extension for End-to-End E-Mail Encryption

As with most large corporations, I have a love/hate relationship with Google. The company’s practices as far as selling customer data disturb me, but it releases a large number of really good products. Last week Google announced an alpha release of a Chrome extension that is meant to make e-mail encryption easier:

Developers at Google have released an experimental tool—for Gmail and other Web-based services—that’s designed to streamline the highly cumbersome task of sending and receiving strongly encrypted e-mail.

On Tuesday, the company unveiled highly unstable “alpha” code that in theory allows people to use the Google Chrome browser to generate encryption keys, encrypt e-mails sent to others, and decrypt received e-mails. Dubbed End-to-End, the Chrome extension also allows Chrome users to digitally sign and verify digital signatures of e-mails sent through Gmail and other services. The code implements a fully compliant version of the OpenPGP standard, which is widely regarded as providing virtually uncrackable encryption when carried out correctly.

OpenPGP is a great tool for communicating securely over e-mail. However, using OpenPGP can be difficult for newcomers as it requires some technical knowledge. I haven’t had a chance to play with this extension yet, but if it makes using OpenPGP with popular webmail providers easier it could be significant. Key management has traditionally been the biggest hurdle for newcomers to OpenPGP, and if this extension can help make that easier it will really boost OpenPGP’s ease of use.

To Disclose or Not to Disclose

Should security vulnerabilities be disclosed? What if they could be used to kill somebody? That’s a question Robert Graham recently asked on his blog:

Historically, we’ve dealt with vendor unresponsiveness through the process of “full disclosure”. If a vendor was unresponsive after we gave them a chance to first fix the bug, we simply published the bug (“drop 0day”), either on a mailing list, or during a talk at a hacker convention like DefCon. Only after full disclosure does the company take the problem seriously and fix it.

[…]

So let’s say I’ve found a pacemaker with an obvious BlueTooth backdoor that allows me to kill a person, and a year after notifying the vendor, they still ignore the problem, continuing to ship vulnerable pacemakers to customers. What should I do? If I do nothing, more and more such pacemakers will ship, endangering more lives. If I disclose the bug, then hackers may use it to kill some people.

The problem is that dropping a pacemaker 0day is so horrific that most people would readily agree it should be outlawed. But, at the same time, without the threat of 0day, vendors will ignore the problem.

As the article explains, the lack of vendor responsiveness is a major problem in the computer security field. Vendors often have the attitude that if a vulnerability isn’t widely known then it’s not dangerous. Of course they never stop to consider the fact that the person reporting the vulnerability found it, so in all likelihood other people will find or have found it as well. And that lack of forethought will lead them to ignore the problem, which will ensure more people receive the vulnerable devices.

In this debate I’m a firm believer in what Graham refers to as coder’s rights. It’s unfortunate, but often the only way to get a company to address a major security vulnerability is to attack its bottom line. The fact is any vulnerability in a medical device that could lead to human death would absolutely destroy the manufacturer’s reputation. Impending lawsuits would also do some financial damage.

Additionally there is the fact that concealing the vulnerability will often lead to continued product sales. That means a continuously growing number of people at risk of being killed by an exploit. By going public with the vulnerability the amount of potential damage can be limited.

But regardless of the side you sit on this debate is an interesting one.

You Should Probably Stop Using TrueCrypt

One of my favorite security tools must now be added to my blacklist. Yesterday all hell broke loose as the TrueCrypt website had a rather dramatic update. It now redirects visitors to a SourceForge site that warns users not to use TrueCrypt anymore and to instead rely on the encryption features built into most operating systems. Needless to say this has caused quite a stir.

There are a lot of theories surrounding what really happened. Many people are claiming that the TrueCrypt website was hacked. If that is the case then the hack was really good. In addition to redirecting users to the SourceForge site, the hackers would have also obtained the private key used by the TrueCrypt team to sign their releases, as a new version of TrueCrypt, which was signed by the team’s key, was made available on the website. The hackers would have also had to write the newly released version of TrueCrypt, which removed all of the encryption capabilities (it’s basically a TrueCrypt partition decrypter now). While all of this isn’t outside the realm of possibility, it would require either a great deal of sophistication or an insider.

Others have theorized that this reaction was due to the TrueCrypt team receiving a National Security Letter (NSL) or being otherwise coerced by the state. This, in my opinion, is more likely than a hack. Lavabit shut down rather than comply with the state’s demand to provide a means to decrypt user e-mail. It’s possible the TrueCrypt team decided to abandon its product rather than compromise it.

I also have a theory that, like all of the other theories circulating, has no evidence to back it up. For a while the primary focus of TrueCrypt has been booting Windows from an encrypted partition. This feature is not really possible on systems that utilize UEFI Secure Boot, since TrueCrypt’s bootloader is a legacy BIOS one. Perhaps in a fit of frustration the TrueCrypt team decided to give up on future development because their pet feature was no longer viable. Or they may have decided the work to support other operating systems was no longer worth the effort since Windows, Linux, and OS X all have the ability to boot from an encrypted drive.

Regardless of the reason, it’s fairly safe to recommend that people stop using TrueCrypt. This could very well be a very good hack, but we don’t know, and since we don’t know we have to assume that what the site says is legitimate and that TrueCrypt may have some major security flaws in it. If you have data in TrueCrypt volumes, the practical step is to migrate it to one of the platform options the site recommends rather than to install the new decrypt-only release on a system that didn’t already have TrueCrypt.

Stupid Questions

The BBC has an article on so-called smart guns. Overall it’s not a bad article; it mostly covers what a smart gun is, how it works, and the political battle surrounding them. But one very stupid question is put forth:

Can it be hacked?

Yes. When the question is “Can it be hacked?” the answer is always yes. Granted the article does cover some of the ways in which radio-frequency identification (RFID) and biometric authentication systems have been hacked. But the conclusion by the BBC is that we don’t know if the iP1 authentication system can be hacked.

I’m here to tell you that it can be. We don’t know how, but we do know it can be. That’s because every authentication system we have developed has been hacked, because a security system can only buy time; it can’t entirely stop an unauthorized individual. Being that the RFID device used with the iP1 is new and, as the article explains, hasn’t seen much widespread use, there is likely to be a plethora of bugs waiting to be discovered.

It’s likely that there will be a presentation at an upcoming security conference by a guy who figured out how to remotely enable and disable an iP1 from 100 feet away with an off the shelf RFID emulator. Authentication systems rarely survive their initial encounter with the hacker community.

The Conspiracy Theory that Annoys Me the Most

Conspiracy theories are fun even when you don’t buy into them hook, line, and sinker. I enjoy reading about all of the wonky theories people have come up with, especially if that theory involves lizard people. But amongst the conspiracy theories out there the one that annoys me the most is that the government is omnipotent. This theory is very prevalent in libertarian circles, which is ironic considering that most libertarians view the government as being entirely incompetent. Whenever I try to discuss tools to secure one’s self against the National Security Agency’s (NSA) surveillance apparatus there are usually a few people who start making up bullshit and claiming that using such tools will either make you a target, are backdoored by the NSA (even if the project is open source and the code has been thoroughly reviewed for such shenanigans), or that the NSA has magical super computers that can instantly break all encryption protocols.

Unlike most conspiracy theories, which usually contain some kernel of factual information that wild theories are based on, the claim that the NSA can render all computer security tools impotent is entirely baseless. As Bruce Schneier pointed out in a recent blog entry, the NSA isn’t magic:

I am regularly asked what is the most surprising thing about the Snowden NSA documents. It’s this: the NSA is not made of magic. Its tools are no different from what we have in our world, it’s just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the backbone. The NSA breaks crypto not with super-secret cryptanalysis, but by using standard hacking tricks such as exploiting weak implementations and default keys. Its TAO implants are straightforward enhancements of attack tools developed by researchers, academics, and hackers; here’s a computer the size of a grain of rice, if you want to make your own such tools. The NSA’s collection and analysis tools are basically what you’d expect if you thought about it for a while.

The NSA is little more than the combination of well-known hacking tools, massive funding, and privileged positions on the main infrastructure. Edward Snowden has said numerous times that encryption works; what the documents show being defeated is implementations and key handling, not the mathematics. Anybody who claims that the NSA can render all known encryption protocols impotent is literally making shit up. It’s no different than the conspiracy theory that lizard people secretly control all of the governments of the world. Zero evidence exists supporting the claim.

My theory is that people who claim nobody should bother using encryption because it’s futile are simply too lazy to learn how to use the tools and don’t want to admit it. To make themselves feel better they justify their actions by claiming doing otherwise is pointless.

Stop Using Internet Explorer and Upgrade Your Flash Player

Are you one of those people who still uses Internet Explorer as your primary browser? If you are you really need to stop. Seriously. Right fucking now:

Attackers are actively exploiting a previously unknown vulnerability in all supported versions of Internet Explorer that allows them to surreptitiously hijack vulnerable computers, Microsoft warned Sunday.

The zero-day code-execution hole in IE versions 6 through 11 represents a significant threat to Internet security because there is currently no fix for the underlying bug, which affects an estimated 26 percent of the total browser market. It’s also the first severe vulnerability to affect Windows XP users since Microsoft withdrew support for that aging OS earlier this month. Users who have the option of using an alternate browser should avoid all use of IE for the time being. Those who remain dependent on the Microsoft browser should immediately install EMET, Microsoft’s freely available toolkit that greatly extends the security of Windows systems.

Internet Explorer has a pretty expansive history of major security flaws. As far as I’m concerned it’s not a safe browser to use in any context. This problem is worse for people still using Windows XP since Microsoft has finally dropped support for it. By the way, if you’re using Windows XP, stop it. Running an operating system that no longer receives security updates is asking for trouble.

Also, since I’m on the issue of security news, you also want to upgrade your Adobe Flash Player:

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well.

Flash is another dangerous plugin to have installed. Unfortunately there are still sites that necessitate the use of Flash. My tactic is to disable Flash in every browser except Firefox and use NoScript to block all Flash content I don’t expressly allow. This method does a good job of balancing usability and security in my opinion: a drive-by page like the one Kaspersky describes can’t load the plugin unless I click to allow it. Hopefully we will someday live in a world where Flash is no longer used.

National Association for Gun Rights Leaking Personal Information

The National Association for Gun Rights (NAGR) is an organization that I’ve heard nothing good about and that hasn’t changed with the most recent news I came across via Shall Not Be Questioned. It turns out that the NAGR has been leaking information submitted to their contact page:

On Friday evening we were contacted by Jeff Hulsey, a retired gunsmith from the Gulf Coast region of Texas. Jeff had a problem. Starting back in August of 2013 he began receiving emails at his personal email inbox, which is through the popular Gmail domain, that it did not appear were intended for him.

[…]

What concerns Jeff is the fact that even though he is trying to point out the fairly obvious error that they are making that they are leaking personal information to an unknown source. We asked Jeff if these emails were truly unsolicited. He replied, “Absolutely unsolicited. The only dealings I’ve ever had with the NAGR were to score a couple of stickers for the side of my toolbox. I’m not even a member.”

When asked if the rest of the emails looked like the email he provided to us he stated, “Yes. It’s random questions from people who visited their “Contact Us” page, then forwarded by someone within their organization for follow-up or review. Some of them contain some very specific personal information, like the USPS worker who details which facility he works at in pursuit of an answer to a legal question.”

If you’re advertising yourself as a gun rights organization you need to realize some accepted practices within the gun rights arena. What may be the most important practice is privacy. Gun ownership is under constant attack by politicians and gun control activists. Because of this gun owners tend to desire privacy. Unless you’re willing to respect the privacy of gun owners you’re unlikely to gain much ground as a gun rights organization. But what makes this apparent misconfiguration or mishandling worse is the NAGR’s (lack of) response:

To Jeff, this looked like a simple mistake. It looked like someone had the wrong email address and was forwarding him email incorrectly. He tried to contact NAGR and got no response. He has since received about one email a month from them following the same pattern.

Misconfiguring an e-mail forwarder or mishandling data, although bad, are mistakes that any system administrator in a hurry can make. Failing to acknowledge and correct the problem after it has been pointed out, repeatedly, by the very person receiving the misdirected mail, is unacceptable.

Handling personal information isn’t trivial. There are a lot of mistakes that can lead to such information being leaked to unauthorized individuals. We see this even with well reputed organizations such as Target. What I find most telling about an organization is how it responds to its mistakes. The lack of response from the NAGR shows me that the organization is either disorganized or unconcerned. If it’s too disorganized to fix a simple mistake how can it expect anybody to trust it with fighting for gun rights? Political fights require a great deal of organization. On the other hand the NAGR may be unconcerned about its users’ privacy. If that’s the case how can anybody trust the organization to be seriously concerned with gun rights?

I haven’t supported the NAGR because I’ve never heard anything positive about the organization. But news like this leaves me urging people not to support or interact with the organization. Any information you give the NAGR, including payment information for all we know, could end up in unauthorized hands.