When Malware Does Some Unintentional Good

There aren’t many good things to be said about malware but once in a while it can accomplish some unintentional good:

Acting Deputy Commissioner Ross Guenther told reporters on Friday that 55 cameras had been exposed to the ransomware virus, but they’ve now determined 280 cameras had been exposed. The cameras are not connected to the internet, but a maintenance worker unwittingly connected a USB stick with the virus on it to the camera system on June 6.

Fryer said that about 1643 tickets would be withdrawn – up from the 590 that police had announced on Friday – and another five and a half thousand tickets pending in the system would be embargoed.

It sounds like the police department is planning on reissuing many of the tickets after it has [pre]determined that the malware didn’t actually alter anything. But it’s nice to see malware actually attacking a legitimate target even if it wasn’t intentional.

Now You Can Vote Harder

The security of voting has always been a joke. The people counting the votes could always manipulate the results, boxes of ballots could disappear, voters could vote more than once pretty easily, etc. Electronic voting machines could have solved many of these issues. Instead they are merely continuing the tradition of terrible security:

A 29-year-old former cybersecurity researcher with the federal government’s Oak Ridge National Laboratory in Tennessee, Lamb, who now works for a private internet security firm in Georgia, wanted to assess the security of the state’s voting systems. When he learned that Kennesaw State University’s Center for Election Systems tests and programs voting machines for the entire state of Georgia, he searched the center’s website.

“I was just looking for PDFs or documents,” he recalls, hoping to find anything that might give him a little more sense of the center’s work. But his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election. Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data.

[…]

Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.

The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.

Login passwords posted where they’re publicly accessible? That sounds like fun. Oh, and the site is running an old version of Drupal, which means it has plenty of vulnerabilities for malicious individuals to exploit. With this information in hand it might be possible for a malicious hacker to actually vote hard enough to change the results of an election.

What lessons can be taken away from this? The most obvious lesson is that the Georgia government doesn’t give a shit about security. With how important statists claim voting is you would think that hiring a few security researchers to verify the security of purchased voting machines and the systems they rely on would have been at the top of Georgia’s list. Apparently it wasn’t on the list at all. The second lesson that one could take away from this is that voting is meaningless. Not only are you more likely to die on your way to your polling place than to change the election with your vote but the security of the voting process is so terrible that there’s every reason to believe that your vote won’t be counted or will be counted incorrectly.

The Dangers of Insecure Internal Networks

It’s fairly well known that, internally, telephone networks operate on an insecure protocol called Signaling System 7 (SS7). How insecure is SS7? It has no authentication mechanism, so anybody able to access a network using SS7 can manipulate it. As you can imagine, gaining access to a global network that has no real authentication mechanism isn’t terribly difficult.

Security researchers have been warning about the dangers of SS7 for ages now but the telecom industry has shown little motivation to transition away from the insecure protocol. Now there is a Tor hidden service that claims to sell the ability to track individual phones using the SS7 protocol:

For years, experts have warned of vulnerabilities in the network that routes phone calls and cellular service — but those attacks may be more widespread than anyone realized. For more than a year, a Tor Hidden Service has been offering ongoing access to telecom’s private SS7 network for as little as $500 a month. Combined with known vulnerabilities, that access could be used to intercept texts, track the location of an individual phone, or cut off cellular service entirely.

Accessible on Tor at zkkc7e5rwvs4bpxm.onion, the “Interconnector” service offers a variety of services charged as monthly fees, including $250 to intercept calls or texts, $500 for full access, or $150 for cellphone reports (including location data and IMSI numbers). Well-heeled users can even pay $5,500 for direct access to the SS7 port, billed as “everything you need to start your own service.”

I checked the hidden service address and it appears that the site either went darker or never had much in the way of public information. Now it only lists an XMPP address to contact. However, while the service may or may not actually provide what it claims, the fact that it technically could offer such services should give people cause for concern.

SS7 is another example of an insecure legacy protocol that operates critical infrastructure. Considering the number of these legacy protocols being used to operate critical infrastructure, it’s a wonder that there aren’t more stories like this one.

It’s Not Your Data When It’s in The Cloud

I’ve annoyed a great many electrons writing about the dangers of using other people’s computers (i.e. “the cloud”) to store personal information. Most of the time I’ve focused on the threat of government surveillance. If your data is stored on somebody else’s computer, a subpoena is all that is needed for law enforcers to obtain your data. However, law enforcers aren’t the only threat when it comes to “the cloud.” Whoever is storing your data, unless you’ve encrypted it in a way that makes it inaccessible to others before you uploaded it, has access to it, which means that their employees could steal it:

Chinese authorities say they have uncovered a massive underground operation involving the sale of Apple users’ personal data.

Twenty-two people have been detained on suspicion of infringing individuals’ privacy and illegally obtaining their digital personal information, according to a statement Wednesday from police in southern Zhejiang province.

Of the 22 suspects, 20 were employees of an Apple “domestic direct sales company and outsourcing company”.

This story is a valuable lesson and warning. Apple has spent a great deal of time developing a reputation for guarding the privacy of its users. But data uploaded to its iCloud service is normally stored unencrypted, so while a third party may not be able to intercept it en route, at least some of Apple’s employees have access to it.

The only way you can guard your data from becoming public is to either keep it exclusively on your machines or encrypt it in such a way that third parties cannot access it before uploading it to “the cloud.”
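As an added example (not code from the original post, and not any particular cloud provider’s client), this is what “encrypt it before uploading it” looks like in practice: a small Go program that seals a file under a 256-bit key that exists only on your own machine, using AES-256-GCM from the standard library. The file name, the contents and the key are constructed for the demonstration; a real tool would read the key from a local key file that is never uploaded. Binding the object name as associated data is a design choice of this example, so that a stored blob cannot quietly be handed back under a different name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a random 256-bit key. In real use it would be written to a
// key file that stays on your own machine; the provider never sees it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps AES-256 in GCM mode (authenticated encryption).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key before it is uploaded. The output layout
// is nonce || ciphertext || tag. The object name is bound as associated data,
// so a blob stored under one name cannot later be served back under another.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open verifies and decrypts a blob produced by Seal. A wrong key, a changed
// name, or any modified byte of the blob makes the GCM tag check fail.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file; in practice this is the file you are about to upload.
	name, contents := "notes-2017.txt", []byte("things I would rather a provider's contractors not read")

	blob, err := Seal(key, name, contents)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes; the provider stores only ciphertext\n", len(blob))

	plain, err := Open(key, name, blob)
	fmt.Printf("owner decrypts: %q (err=%v)\n", plain, err)

	// Anyone with access to the stored copy but not the key gets nothing useful,
	// and tampering with the stored copy is detected rather than silently accepted.
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, name, blob)
	fmt.Println("tampered blob rejected:", err)
}
```

The provider (and any of its employees) ends up holding only the nonce, the ciphertext and the tag; without the key that is noise, and a modified copy fails to decrypt instead of silently returning altered contents. The one thing this does not protect is the metadata you hand over around the blob (file sizes, upload times, the name if you keep it in the clear), so keep that in mind when deciding what to call things.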

Keybase Client

Keybase.io started off as a service people could use to prove their identity using Pretty Good Privacy (PGP). I use it to prove that I own various public accounts online as well as this domain. Back in February the Keybase team announced a chat client. I hadn’t gotten around to playing with it until very recently but I’ve been impressed enough by it that I feel the need to post about it.

Keybase’s chat service has a lot of similarities to Signal. Both services provide end-to-end encrypted communications, although in slightly different ways (Keybase, for example, doesn’t utilize forward secrecy except on “self-destructing” messages). However, one issue with Signal is that it relies on your phone number. If you want to chat on Signal with somebody you have to give them your phone number and they have to give you theirs. This reliance on phone numbers makes Signal undesirable in many cases (such as communicating with people you know online but not offline).

Keybase relies on your proven online identities. If you want to securely talk to me using Keybase you can search for me by using the URL for this website since I’ve proven my ownership of it on Keybase. Likewise, if you want to securely talk to somebody on Reddit or Github you can search for their user names on those sites in Keybase.

Another nice feature Keybase offers is a way to securely share files. Each user of the Keybase client gets 10GB of storage for free. Any data added to your private folder is encrypted in such a way that only you can access the files. If you want to share files amongst a few friends the files can be encrypted in a way that only you and those designated friends can access them.

On the other hand, if you’re into voice and video calls, you’re out of luck. Keybase, unlike Signal, currently supports neither and I have no idea if there are plans to implement them in the future. I feel that it’s also important to note that Keybase, due to how new it is, hasn’t undergone the same level of rigorous testing as Signal has so you probably don’t want to put the same level of trust in it yet.

You are Responsible for Your Own Anonymity

Reality Leigh Winner (who, despite her name, was not a winner in reality) is currently sitting in a cage for the crime of leaking classified National Security Agency (NSA) documents. Unlike Edward Snowden, Reality didn’t purposely go public. But she made a series of major mistakes that allowed the NSA to identify her after she leaked the documents. Her first mistake was using a work computer to communicate with The Intercept:

Investigators then determined that Ms Winner was one of only six people to have printed the document. Examination of her email on her desk computer further revealed that she had exchanged emails with the news outlet, the indictment said.

By using a work computer to communicate with The Intercept, she made hard evidence against her easily available to her employer.

Her second mistake was physically printing the documents:

When reporters at The Intercept approached the National Security Agency on June 1 to confirm a document that had been anonymously leaked to the publication in May, they handed over a copy of the document to the NSA to verify its authenticity. When they did so, the Intercept team inadvertently exposed its source because the copy showed fold marks that indicated it had been printed—and it included encoded watermarking that revealed exactly when it had been printed and on what printer.

Most major printer manufacturers watermark any pages printed by their printers. The watermarks identify which printer printed the document. In addition to the physical printer, the watermark on the document posted by The Intercept also included a timestamp of when the document was printed.

Reality’s third mistake was trusting a third-party to guard her anonymity. Because of The Intercept’s history of working with leakers it’s easy to assume that the organization takes precautions to guard the identities of its sources. However, a single mistake, posting the printed document without editing out the watermark, gave the NSA enough evidence to narrow down who the leaker could be.

The lesson to be learned from this is that you alone are responsible for maintaining your anonymity. If you’re leaking classified materials you need to do so in a way that even the individual or organization you’re leaking them to is unable to identify you.

CryptoPartyMN Meeting Tonight

For those of you who don’t know, CryptoPartyMN is a group that focuses on teaching individuals how to utilize secure communication tools. We meet every other week and host a few hands-on workshops each year. With the sudden concern about privacy as it relates to Internet Service Providers (ISP), tonight’s meeting will discuss Virtual Private Networks (VPN).

If you’re interested in learning about defending your privacy against your ISP please feel free to join us.

Political Solutions Don’t Work

A lot of people here in the United States are flipping out because the rulers are voting to allow Internet Service Providers (ISP) to sell customer usage data:

A US House committee is set to vote today on whether to kill privacy rules that would prevent internet service providers (ISPs) from selling users’ web browsing histories and app usage histories to advertisers. Planned protections, proposed by the Federal Communications Commission (FCC) that would have forced ISPs to get people’s consent before hawking their data – are now at risk. Here’s why it matters.

It amazes me that more people seem to be upset about private companies selling their usage information for profit than providing their usage data to law enforcers so the wrath of the State’s judicial system can be brought upon them. Personally, I’m far more concerned about the latter than the former. But I digress.

This vote demonstrates the futility of political solutions. At one point the privacy laws were put into place by the State. The process of getting those laws put into place probably involved a lot of begging and kowtowing from the serfs. But Congress and the presidency have been shuffled around and the new masters disagree with what the former masters did so all of that begging and kowtowing was for nothing.

The problem with political solutions is that they’re temporary. Even if you can get the current Congress and president to pass laws that will solve your particular problems, it’s only a matter of time until Congress and the presidency changes hands and undoes the laws you begged so hard to have passed.

If you want a problem solved you have to solve it yourself. In the case of Internet privacy, the best defense against snoopy ISPs is to utilize a foreign Virtual Private Network (VPN) provider that respects your privacy and is in a country that is difficult for domestic law enforcement to coerce. Using a VPN will deprive your ISP, and by extension domestic law enforcement, of your usage data.

Living Under a Criminal Enterprise

Will you look at that, it’s a day ending in “y.” You know what that means, right? It means another Internet scam is afoot! This time the scam involves a flaw in Mobile Safari that was just patched yesterday:

The flaw involved the way that Safari displayed JavaScript pop-up windows. In a blog post published Monday afternoon, researchers from mobile-security provider Lookout described how exploit code surreptitiously planted on multiple websites caused an endless loop of windows to be displayed in a way that prevented the browser from being used. The attacker websites posed as law-enforcement actions and falsely claimed that the only way users could regain use of their browser was to pay a fine in the form of an iTunes gift card code to be delivered by text message. In fact, recovering from the pop-up loop was as easy as going into the device settings and clearing the browser cache. This simple fix was possibly lost on some uninformed targets who were too uncomfortable to ask for outside help.

Patch your shit, folks.

I had a friend comment that he couldn’t believe that anybody would be stupid enough to fall for this since law enforcement would never hijack a phone and demand payment in iTunes gift cards. Although demanding payment in iTunes gift cards would be unusual for law enforcement, the actions being taken by the scammers aren’t that different from many actions taken by law enforcement. The scammers used a threat in order to extort wealth from their victim just as law enforcement agents do. When people have lived their entire lives worrying about being pulled over and threatened with violence if they don’t pay a fine for driving too fast or, worse yet, having their vehicle and cash confiscated under civil forfeiture laws, the idea that police officers would hijack your browser and demand payment probably doesn’t seem that odd.

We all live under a massive criminal enterprise known as the State. It has taught us that being extorted is just a way of life. With that in mind, it’s not too surprising to me that there are people who fall for these kinds of scams.

Let’s Encrypt

Most of you probably didn’t notice but over the weekend I changed this blog over to Let’s Encrypt. There really aren’t any changes for you but this is a project that I’ve been planning to do for a while now.

Since I changed this site over to HTTPS only, I’ve been using StartSSL certificates. However, when it was announced that StartCom, the owner of StartSSL, was bought by WoSign I was wary to renew my certificates through them. When it was later announced that StartCom and WoSign were backdating certificates to get around the SHA-1 deprecation deadline I knew it was time to move on. The good news is that Let’s Encrypt is far easier than StartSSL was. Setting it up took a bit of time because Nginx support in Let’s Encrypt is still experimental and the other options for pulling certificates without shutting down the server required some server customizations. But once everything was set up it was simple to pull certificates.

While I was changing over my certificates I also took the opportunity to implement a Content Security Policy (CSP). Now when you load my page your browser is given a whitelist of locations content can come from. This reduces the threat of potential code injection attacks. Unfortunately, due to WordPress, I had to enable some unsafe options such as executing inline JavaScript and eval() statements. I’ll be looking for ways to get rid of those in the future though.
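As an added example (not part of the original post, and not this site’s actual header), here is a small Go program that does two things the paragraph above talks around: it parses a Content-Security-Policy header and flags the settings that give back most of the injection protection (`'unsafe-inline'`, `'unsafe-eval'`, wildcard script sources, a missing `default-src`), and it builds the usual replacement, a per-response nonce policy, so the weak policy and the corrected one can be compared side by side. The weak policy string is constructed to mirror the options described above; the CDN host is a placeholder. The nonce approach assumes the page template can put the nonce on every `<script>` tag it emits, which a stock WordPress theme will not do on its own.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Finding describes one weakness found in a policy.
type Finding struct {
	Directive string
	Problem   string
}

// ParseCSP splits a Content-Security-Policy header value into directives.
// Keys are lower-cased directive names; values are their source lists.
func ParseCSP(header string) map[string][]string {
	policy := map[string][]string{}
	for _, directive := range strings.Split(header, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		if _, dup := policy[name]; dup {
			continue // browsers keep the first occurrence and ignore repeats
		}
		policy[name] = fields[1:]
	}
	return policy
}

// scriptSources returns the source list that actually governs scripts:
// script-src if present, otherwise the default-src fallback.
func scriptSources(policy map[string][]string) (string, []string) {
	if srcs, ok := policy["script-src"]; ok {
		return "script-src", srcs
	}
	return "default-src", policy["default-src"]
}

// Audit flags the settings that undo most of CSP's protection against injected script.
func Audit(policy map[string][]string) []Finding {
	var findings []Finding
	if _, ok := policy["default-src"]; !ok {
		findings = append(findings, Finding{"default-src", "missing; any fetch directive not listed is unrestricted"})
	}
	directive, srcs := scriptSources(policy)
	for _, src := range srcs {
		switch strings.ToLower(src) {
		case "'unsafe-inline'":
			findings = append(findings, Finding{directive, "'unsafe-inline' lets injected inline script run"})
		case "'unsafe-eval'":
			findings = append(findings, Finding{directive, "'unsafe-eval' lets eval() run attacker-controlled strings"})
		case "*", "http:", "https:":
			findings = append(findings, Finding{directive, src + " allows script from any origin"})
		}
	}
	return findings
}

// NoncePolicy builds a per-response policy that only runs scripts carrying this
// response's nonce (plus any explicitly listed hosts). Injected inline script
// does not know the nonce, so it is blocked without needing 'unsafe-inline'.
// It returns the header value and the nonce to place on each <script> tag.
func NoncePolicy(extraHosts ...string) (string, string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	nonce := base64.StdEncoding.EncodeToString(raw)
	srcs := append([]string{"'self'", "'nonce-" + nonce + "'"}, extraHosts...)
	header := "default-src 'self'; script-src " + strings.Join(srcs, " ") +
		"; object-src 'none'; base-uri 'self'"
	return header, nonce, nil
}

func main() {
	// Constructed example mirroring a policy that still carries the unsafe options.
	weak := "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:"
	for _, f := range Audit(ParseCSP(weak)) {
		fmt.Printf("weak policy, %s: %s\n", f.Directive, f.Problem)
	}

	// Placeholder CDN host; substitute whatever third-party script origin the site really uses.
	header, nonce, err := NoncePolicy("https://cdn.example.invalid")
	if err != nil {
		panic(err)
	}
	fmt.Println("Content-Security-Policy:", header)
	fmt.Printf("each <script> the page itself emits gets nonce=%q\n", nonce)
	fmt.Println("findings in nonce policy:", len(Audit(ParseCSP(header))))
}
```

The nonce must be freshly generated for every response and never cached, otherwise it is just a static password that an attacker can read out of one page and reuse. The trade-off the audit makes visible is the one described above: until the page’s own inline scripts can carry a nonce, removing `'unsafe-inline'` breaks them, which is exactly why it is still switched on.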

So you can breathe easy knowing that your browsing experience is even safer now than it was before.