Tag: Security

Google May Be Looking at Prioritizing Encrypted Sites in Search Results

One of the things that I believe to be unnecessary this day and age are unencrypted sites. When certificate authorities offer free certificates for personal use there are no real barriers left preventing the adoption of HTTPS on every website. Google may agree as it appears that it is looking into prioritizing websites that use HTTPS in its search results:

In a move that experts say could make it harder to spy on Web users, Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference.

The executive, Matt Cutts, is well known in the search world as the liaison between Google’s search team and website designers who track every tweak to its search algorithms.

Cutts also has spoken in private conversations of Google’s interest in making the change, according to a person familiar with the matter. The person says Google’s internal discussions about encryption are still at an early stage and any change wouldn’t happen soon.

I hope that the person familiar with the matter is correct. The information leaked by Edward Snowden demonstrated to all of us that an insecure Internet is no longer a viable option. We need to move to an Internet where all information is encrypted. Doing so wouldn’t just make it harder for organizations like the NSA to spy on our communications but it would also make it more difficult for malicious hackers to intercept user authentication information. By prioritizing encrypted sites Google could help convince more site administrators to use HTTPS for their sites.

When Different Government Departments Have Mutually Exclusive Missions

Trying to unwrap every mission the federal government has tasked itself with is practically impossible. The beast as grown so large that no single individual can fully grasp it. There are many dangers inherit in such a massive system. One of those dangers is different departments holding mutually exclusive mission. Take the Department of Homeland Security (DHS) for instance. One of its missions [Warning: link is operated by a dangerous gang of violent criminals] is to defend the nation’s communication infrastructure. This would imply discovering and notifying the public about potential security exploits. Now consider the National Security Agency (NSA). Its mission is to exploit vulnerable system of both domestic and foreign entities in order to spy on them. This mission is mutually exclusive to DHS’s:

WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

It is impossible for the government to both protect the nation’s communication infrastructure and not inform the public about major security flaws. When you discover a security flaw you cannot know for certain that you’re the only one who knows about it. Any number of people could have discovered it beforehand. That being the case you cannot assume that the flaw isn’t being actively exploited by nefarious individuals or organizations. Therefore the only way to protect the general public is to disclose information regarding the exploit so it can be fixed.

This is one of the reasons why any mission statement given by a government agency is meaningless. While one government agency may be tasked with a certain mission another agency is likely tasked with the exact opposite mission.

If You’re Reading This Then You’re On the NSA’s Watch List

Good news readers, you’re officially on the National Security Agency’s (NSA) watch list! I know what you’re thinking, how can I be on the agency’s watch list when I haven’t done anything. It turns out that the NSA assumes anybody using encryption is a suspect and this very website employes encryption. Some time ago I switched this site over to using Secure Sockets Layer (SSL) and forced any attempt to access the insecure version of this site to the secure version. It’s bad news for government spies trying to snoop on your web traffic but good news for the NSA when it comes time to point out how many suspected terrorists it’s tracking:

AUSTIN, Texas — Glenn Greenwald, editor of the newly launched digital publication The Intercept, told attendees at SXSWi that the National Security Agency is wary of anyone who takes steps to protect their online activity from being hacked, such as using encryption tools.

“In [the NSA’s] mind, if you want to hide what you’re saying from them, it must mean that what you’re saying is a bad thing,” Greenwald said via a Skype video call. “They view the use of encryption… as evidence that you’re suspicious and can actually target you if you use it.”

Why stop at using encryption for just websites? Since you’re already on the watch list you might as well start encrypting your e-mail and other forms of communication. Those agents at the NSA get paid good money so we might as well make them work hard for it.

Cryptocat for iOS

I’ve been experimenting with Cryptocat with a few friends for several months now. For those of you who haven’t heard of it, Cryptocat is an Off-the-Record (OTR) messaging client that runs as a browser plugin. I’m a fan. Cryptocat has undergone and passed at least one security audit, which makes the developers’ claims of security far greater than many other clients. More importantly, as somebody who is trying to convince people to use secure communication systems, Cryptocat is easy to use. After spending some time trying to convince people to use security methods of communication I’ve learned that the primary barrier is effort; the more effort a system requires the less apt people are to use it. Of course there are downsides to everything that the biggest downside to Cryptocat has been it’s lack of a mobile client.

Fortunately that issue has been partially resolved with the introduction of Cryptocat for iOS. I’ve been playing with it for roughly one week now and am impressed. The interface is straight forward, the client has no issue logging into Cryptocat conversations, and you receive iOS notifications when a new messages appears in a conversation. Unfortunately, due to Apple’s restrictions, Cryptocat is only able to run in the background for a few minutes before it’s unceremoniously killed. Since Cryptocat rooms don’t maintain a history of posted messages (by design) you can’t catch up on any message sent between the time your client is killed and you log back in. But when you’re working on Apple’s system you have to play by Apple’s rules.

I’m hoping an Android client will be released soon. Once that’s done a vast majority of smartphones will be able to access Cryptocat rooms, which will make the system more viable. Who knows, someday OTR may become commonly used for text communications.

A New Telephone Scam

Usually when word spreads of a new telephone, mail, or online scam I’m skeptical. Most of the time these scams end up being fear mongering. But I actually know a friend who was cheated by a recent telephone scam so I believe it’s legitimate and therefore worth bringing up:

One of my Facebook followers let me know about an old scam that has roared back to life. Years ago, crooks found a way to exploit a handful of international area codes that don’t require a foreign code to dial up.

Now that scam has resurfaced as what’s being called the “one ring scam.” Crooks are using robocalling technology to place Internet calls that only ring once to cell phones.

If you pick up, the robocaller just drops the line. But the bigger danger is if you miss the call. Like so many people, you might think it’s an important call and dial that number right back.

Bad move.

Turns out the area codes are in the Caribbean. That call will cost you between $15 and $30! And to add insult to injury, the criminals behind these calls will sign you up (through your cell provider) for bogus services that will be crammed on your phone bill if you return their call.

I have a policy of never answering the phone when I don’t recognize the number. If it’s important I know the person will leave a voice mail, which I can use to identify the caller. If I’m unable to identify the caller via their voice mail message or don’t recognize the individual or organization that left the message I don’t bother calling back. My primary reason for this is sheer laziness but it turns out that it also guards against several scams.

Scamming people out of resources is probably the second oldest profession in the world. Unless you want to regularly be separated from your money you need to be extremely skeptical of, well, everything. If you can’t identify the person you’re communicating with then you should assume that it’s a scam or a waste of your time (or both). Even being able to identify the person you’re communicating with isn’t always an effective defense since many so-called friends turn out to be scam artists themselves.

Applied Crypto Hardening

I spend a lot of time urging people to utilize available cryptographic tools to secure their data. While I also admit that using cryptographic tools is less convenient that not and involves a learning curve, I believe that everybody has a duty to take their online self-defense into their own hands. To this end a group of people have gotten together and written a white paper that helps individuals utilized cryptographic features in popular software packages:

This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.

Initiated by Aaron Kaplan (CERT.at) and Adi Kriegisch (VRVis), a group of specialists, cryptographers and sysadmins from CERTs, academia and the private sector joined forces to write such a concise, short guide.

This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.). It is completely open sourced, every step in the creation of this guide is public, discussed on a public mailing list and any changes to the text are documented in a publicly readable version control system.

The document itself can be downloaded here [PDF]. I haven’t read through the entire guide but it is obviously still being written as there are quite a few omissions. But what is there is good information albeit information devoid of theory, which is OK, you have to start somewhere and enabling these features without fully understanding them is still better than not enabling them at all.

A Promising Steganography Tool

Encryption is a wonderful tool that grants us information control. But there is one thing that encryption generally fails to do, conceal the fact that you’re using encryption. This is where steganography comes in. Steganography is the art of concealing hidden messages in plain sight. There are numerous tools that allow you to do this, most of which conceal data inside of image files. The creator of BitTorrent is developing a new steganography tool can conceal data inside of any file type:

For the last year Cohen, who created the breakthrough file-sharing protocol BitTorrent a decade ago, has been working on a new piece of software he calls DissidentX. The program, which he released over the summer in a barebones prototype and is now working to develop with the help of a group of researchers at Stanford, goes beyond encryption to offer users what cryptographers call “steganography,” the ability to conceal a message inside another message. Instead of merely enciphering users’ communications in a scramble of nonsensical characters, DissidentX can camouflage their secrets in an inconspicuous website, a corporate document, or any other, pre-existing file from a Rick Astley video to a digital copy of Crime and Punishment.

“What you really want is to be as unsuspicious as possible,” says Cohen, who spoke with me about DissidentX at the Real World Crypto conference in New York Tuesday. “We don’t want an interloper to be able to tell that this communication is happening at all.”

As world governments become more tyrannical I believe it will become critical to have means of communicating securely in a way that doesn’t reveal the use of secure communications. Embedding an encrypted message inside of a picture of a cat, for example, is likely to go undetected on the Internet. Communications could be setup in such a way that uses embed a message in an image, upload it to a specific image sharing site, and decrypted by the recipient without anybody else knowing the image contains a message.

Even Your Automobile is Snitching on You

I enjoy the fact that we’re seeing some innovation in the long stagnant automobile market. But said innovation comes at a price. Every new feature that is capable of collecting data about your driving habits is a potential set of loose lips that can get you into trouble. The Vice President of Marketing and Sales at Ford let the cat out of the bag when he publicly announced that his company knows when you’re doing something illegal with your automobile:

Farley was trying to describe how much data Ford has on its customers, and illustrate the fact that the company uses very little of it in order to avoid raising privacy concerns: “We know everyone who breaks the law, we know when you’re doing it. We have GPS in your car, so we know what you’re doing. By the way, we don’t supply that data to anyone,” he told attendees.

His claim that that data isn’t given to anybody is a lie. If somebody holds data the government can issue a subpoena to take it or use the National Security Agency’s (NSA) surveillance apparatus to secretly take it. Furthermore, if Ford ever declares bankruptcy the data that it has collected on its customers will be sold at its asset auction.

The obvious solutions to this problem are to either forgo a new automobile or disable any new vehicle’s tracking and reporting capabilities. If the data is being collected it can be acquired by unauthorized parties. This fact is especially worrisome as the state continues its slow death spiral and beings desperately grasping at any opportunity to expropriate wealth from the people.

NSA Intercepts Electronics in Transit to Install Malware

Today is one of those days that ends in a “y”. That must mean the National Security Agency (NSA) is doing something dickish again. The NSA has been intercepting electronic devices during delivery to install malware on them:

Take, for example, when they intercept shipping deliveries. If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called “load stations,” agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.

These minor disruptions in the parcel shipping business rank among the “most productive operations” conducted by the NSA hackers, one top secret document relates in enthusiastic terms. This method, the presentation continues, allows TAO to obtain access to networks “around the world.”

Even in the Internet Age, some traditional spying methods continue to live on.

There are no words to describe the absolute insanity that is the NSA. What’s even worse is that many people are perfectly fine with the surveillance apparatus it has established. A lot of people have actually fallen for the “If you’ve got nothing to hide, you’ve got nothing to fear” line. Fortunately the NSA’s actions have garnered more disapproval overseas. But that disapproval is unlikely to accomplish much.

At this point it’s pretty obvious that proprietary platforms are a liability. With a completely open platform one has the ability to verify if any additional hardware has been added to a device or if the software has been modified in any way. That’s not to say open platforms are a magic bullet, but they do offer the ability to more closely scrutinize the hardware and software while adding a way to verify if alternations have been made. Without our reliance on closed platforms we lack this ability entirely.

Private Keys Must Remain Private

Public key cryptography is great. By handing people a public key they can encrypt message that only you, the holder of the private key, can decrypt. However, there is one consideration that should be obvious. The private key must remain private. Once put publish your private key for others to see anybody can decrypt messages encrypted with your public key. Sometimes the consequences of such a breach are minor but sometimes they result in money being stolen:

On Friday, Miller learned an important lesson. It was an experience that everyone should remember before they start moving their money into the digital currency.

While on air, Miller surprised Bloomberg anchors Adam Johnson and Trish Regan each with $20 worth of Bitcoin.

But as Johnson received the paper gift, he briefly exposed the QR code (see above). This act was effectively like sharing a bank account and PIN number.

Immediately, someone lifted the QR code and stole the $20.

Bitcoin utilizes public key cryptography. Public keys allow other people to send money to other users. Private keys allow people to withdraw Bitcoin from a wallet. If somebody else nabs your Bitcoin private key they have full access to your funds. So don’t do something stupid like hand your private key to somebody else or who it on television.