The Deplorable State Of The Government’s Network Security

“I’ve got nothing to hide,” is a phrase commonly spoken by supporters of government surveillance and those too apathetic to protect themselves against it. It’s a phrase only spoken by the ignorant. With each working professional committing an average of three felonies a day there are no grounds for anybody to claim they have nothing to hide from the government. But even those who don’t believe they have anything to hide from the government likely feel as though they have something to hide from the general public. With the breach of the Office of Personnel Management’s (OPM) network we were shown another important fact: the government’s network security is in such a poor state that any data it collects could be leaked to the general public.

Now we’re learning that the OPM wasn’t the only government agency with deplorable network security. It’s a chronic problem within the government:

Under a 2002 law, federal agencies are supposed to meet a minimum set of information security standards and have annual audits of their cybersecurity practices. OPM’s reviews showed years of problems.

But the issue is far more widespread than with just one agency. According to the Government Accountability Office, 19 of 24 major agencies have declared cybersecurity a “significant deficiency” or a “material weakness.” Problems range from a need for better oversight of information technology contractors to improving how agencies respond to breaches of personal information, according to GAO.

“Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information will be at an increased risk of compromise from cyber-based attacks and other threats,” the watchdog agency said in a report earlier this month.

A large majority of major agencies have declared their network security to be unfit. In addition to general network security there are also concerns about overseeing contractors (pretty legitimate after Edward Snowden, a contractor at the time, walked off with a lot of National Security Agency (NSA) secrets) and about agencies’ ability to respond to breaches.

Many mass surveillance apologists have pointed out that the OPM isn’t exactly the NSA because they assume the latter has far better security. As I mentioned above, Edward Snowden proved otherwise. And even if some agencies do have effective network security the problem of inter-agency sharing is a real concern. Assume the Internal Revenue Service (IRS) actually has adequate network security but it shares information with the OPM. In the end the data held by the IRS is still acquired by malicious hackers because they were able to compromise an agency that also held the data. Security is only as strong as the weakest link.

The next time somebody claims they have nothing to hide from the government ask them to post all of their personal information to Pastebin. If they’re not willing to do that then they should be concerned about government surveillance considering the state of its networks.

Hacking Team Changes Its Tune In Desperate Attempt To Remain Relevant

Last week Hacking Team made a big deal about terrorists having access to its advanced technology. This week everything is different. Hacking Team wants the world to know that the technology that was obtained from its internal network is old and crappy and no big deal:

On Monday, Hacking Team released a statement saying that while some of its surveillance-related source code was released to the public, the firm still retains an edge. “Important elements of our source code were not compromised in this attack and remain undisclosed and protected,” the release said. “We have already isolated our internal systems so that additional data cannot be exfiltrated outside Hacking Team. A totally new internal infrastructure is being build [sic] at this moment to keep our data safe.”

Hacking Team must work very fast if it was able to discover all new exploits between last week and today that allow it to regain its edge as a top purveyor of surveillance software to countries that regularly commit atrocities. At best the company is literally making up bullshit, which wouldn’t be the first time considering how often it denied doing business with many of the countries it was doing business with, or at worst it has been able to buy a slew of new zero-day exploits. Either way I doubt the damage to Hacking Team’s brand can be undone. Being a malware seller that was breached is one thing but being a malware seller that has demonstrably shitty internal security practices isn’t likely to put its customers’ minds at ease.

My highest hope is that Hacking Team goes bankrupt and its top brass are raked over the coals.

Another Reason To Run An Ad Blocker

Ad blockers are marvelous web browser plugins. In addition to saving users from dealing with ceaseless pop-ups, audio that plays automatically, and other annoyances ad blockers also protect users from malware. A recent study [PDF] published by the Simon Fraser University shows another reason to run an ad blocker: they can significantly reduce the data usage of your network:

A Canadian university claims to have saved between 25 and 40 percent of its network bandwidth by deploying Adblock Plus across its internal network.

The study tested the ability of the Adblock Plus browser extension in reducing IP traffic when installed in a large enterprise network environment, and found that huge amounts of bandwidth was saved by blocking web-based advertisements and video trailers.

This is especially important when you’re dealing with a service that requires you to pay by usage, such as most modern cellular data plans, or building a network that will see heavy usage from numerous individuals, such as university networks.

Ad blockers are not well received by website operators who rely on advertising revenue. It’s understandable because ad blockers directly cut into their profits. But it’s also unwise to rely on a revenue source that requires users to put themselves at risk of being infected with malware and to pay more for bandwidth usage. If ad blockers are a threat to your revenue model then you should consider looking into other avenues to make profits.

I mention Feedbin periodically when the issue of website revenue comes up because it’s a great example of how a website can make money without relying on advertisements. Feedbin charges customers $3.00 per month or $30.00 per year to use its service. People are more than willing to pay money for a quality online service as demonstrated by Feedbin, Netflix, and Spotify. The advantage of a subscription model is that it’s a predictable cost, unlike the potential bandwidth costs incurred by serving advertisements, and it greatly reduces the risk of malware infection.

Finding alternative revenue sources is going to become increasingly important as more people utilize ad blockers for security, reducing network congestion, and lowering bandwidth costs. Instead of expecting customers to face more risks and costs website operators need to begin researching ways to stay afloat without ads. As with any market, online services are constantly evolving and those who want to continue participating in it need to evolve as well.

Hacking Team Demonstrates It Doesn’t Know What Words Mean

Hacking Team has finally released a response to the attack it incurred. Much like the company’s internal network security the response it posted should have people concerned. In addition to not following basic security practices, such as not storing login credentials in plaintext files, the company also doesn’t have a strong grasp of the English language:

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies.

If Hacking Team could control who had access to the technology before the attack the attack wouldn’t have been successful. The fact the attack was successful proves that Hacking Team didn’t have control over its technology. Apparently whoever is doing public relations for the company doesn’t know what the meaning of control is.

The next two sentences, especially combined with the above sentence, are especially laughable to me:

Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

Instead of governments and government agencies having exclusive use of Hacking Team’s technology now terrorists, extortionists, and others have access to its technology? What exactly is the difference between a government and an extortionist? None. Governments by their very nature are extortionists. They do tend to use nice sounding euphemisms like taxes, license fees, and citations but in reality governments are in the business of forcefully taking wealth from the populace.

Looking a bit deeper we must ask how some of the governments and agencies Hacking Team sold to (such as Sudan, Ethiopia, and the Drug Enforcement Agency) differ in any notable way from other terrorist organizations. With the exception that Hacking Team has accepted money from them there is no notable difference. Simply calling something by a different name doesn’t change what it is. Admittedly this is a problem many people have with the English language.

Outside of the failure to utilize the English language the Hacking Team response contains this gem:

HackingTeam is evaluating if it is possibile to mitigate the danger.

How could a company that discovers previously unknown vulnerabilities help mitigate danger to people? For actual security companies the answer is to work with developers to fix the vulnerabilities before they can be actively exploited. Hacking Team, on the other hand, sat on those vulnerabilities so it could sell tools for the sole purpose of exploiting them. Its entire business model relied on people being in danger. Had it actually cared about helping mitigate danger it wouldn’t have sold the tools it did, especially to the customers it did.

This Hacking Team breach just gets better by the day. Between the company’s scummy practices, source code getting open sourced, and complete failure at handling public relations this breach is the gift that keeps on giving.

Company That Provides Spyware To Oppressive Regimes Gets Hacked; LULZ Follow

Yesterday might as well have been Christmas for the information security industry. Hacking Team, a company known for selling surveillance malware to oppressive regimes, was hacked and 400GB of its data was released to the Internet. A hacker going by the name PhineasFisher, who made a reputation for themselves when they hacked the spyware provider Gamma International, has supposedly claimed responsibility. If that’s true then we all owe them a beer.

Remember what I said about Hacking Team having a reputation for selling software to oppressive regimes? Documents in the leaked data reveal some of the company’s customers. From that information it appears that the company will deal with anybody willing to throw cash at it:

One document pulled from the breached files, for instance, appears to be a list of Hacking Team customers along with the length of their contracts. These customers include Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, and several United States agencies including the DEA, FBI and Department of Defense. Other documents show that Hacking Team issued an invoice to Ethiopia’s Information Network Security Agency (the spy agency of a country known to surveil and censor its journalists and political dissidents) for licensing its Remote Control System, a spyware tool. For Sudan, a country that’s the subject of a UN embargo, the documents show a $480,000 invoice to its National Intelligence and Security Services for the same software.

Nigeria, Saudi Arabia, Sudan, and the Drug Enforcement Agency (DEA)? Talk about some nasty buyers. If I owned a company that had entities like these as customers I would shut my doors and label myself as the biggest failure in business. But Hacking Team apparently has no moral issues with selling to such scum and is even willing to bypass a United Nations embargo for $480,000! The bottom line is if you have the cash Hacking Team will sell to you.

Another interesting revelation that has come from this breach is just how terrible Hacking Team’s own internal security was. When you think of shady surveillance software providers you probably imagine some of the tightest network security in the business, right? As it turns out not so much:

The data released Sunday night and through to today not only contains a large number of emails, none of which have proven too embarrassing so far, but also a number of the firms’ internal passwords, which appear to be worryingly insecure for a company that deals in exposing others’ security. These include credentials belonging to Christian Pozzi, security engineer at Hacking Team, stored in a file called login.txt. His chosen logins include easily-crackable variations on the word “password” and the name of an X-Men character all in lower-case and with no numbers or symbols.

A file directly linked to Pozzi also included images believed to show RCS grabbing screenshots.

Apparently the head of a malware provider isn’t aware of password managers. Had he been he wouldn’t have needed to use insecure passwords stored in plain text files. This just goes to show that being smart enough to write exploits doesn’t mean you’re skilled enough to defend against even the most basic of them.

Now that I’ve had a little fun at Hacking Team’s expense let’s get down to the nitty gritty. What does this hack mean? Since the company’s exploitation software was just open sourced (not by its choice) a lot more good than simply revealing the immoral actions of a scummy company can come of this. The software security holes Hacking Team’s malware relied on can now be discovered and fixed. Malware producers, like government surveillance agencies, cause a lot of damage simply by keeping the exploits they discover secret. Instead of being helpful members of the security community by assisting companies in fixing their security flaws they write software that exploits them and sell it to anybody willing to pay. Ironically breaking into these companies’ networks and releasing their source code to the world makes everybody safer.

I’ll post more interesting information as it is revealed. But if you want real-time updates of what is being discovered I urge you to follow #HackingTeam on Twitter. There you’ll find such entertaining tidbits as the supposed Transport Layer Security (TLS) private key for support.hackingteam.com and the Hacking Team’s owner’s really shitty passwords.

CryptoPartyMN Website is Up Again

You probably noticed that posting has been sparse this week. That’s because I’ve been focusing my efforts on setting up the new website for CryptoPartyMN. For those of you who haven’t heard of CryptoPartyMN, it’s a group of us in the Twin Cities region that are organizing periodic meetups with the intention of teaching people how to utilize strong crypto to protect online anonymity and secure their communications. We hosted a CryptoParty at The Hack Factory on May 9th and at B-Sides MSP and are planning more in the future.

Admittedly the website is pretty bland right now. Unfortunately the theme we were using was on the other server that I don’t have access to. It’ll be improved in time. Likewise now that the site is up and will remain up regularly we’ll make sure to post meetup notifications on it (we usually meet every other Tuesday). Add it to your RSS feed if you want to know when the next CryptoParty event is.

VPN Isn’t A Magic Bullet

I really like virtual private networks (VPN) and a lot of people utilize them for various reasons including protecting anonymity, thwarting region locks on services, and bypassing filters put in place by Internet service providers (ISP). However it’s important to note that there are no magic bullets and VPNs are no exception.

We’re in the midst of a transition from IPv4 to IPv6. A lot of software still either doesn’t support or isn’t properly configured to handle IPv6 yet. In fact my ISP, Comcast, still doesn’t give business customers IPv6 addresses so I can’t set up my services to properly work with the newfangled Internet addressing scheme (and Comcast happens to be the only option in my area, good thing for Comcast the government exists to protect monopolies). That means my VPN server, like many others, may very well leak personal information through IPv6:

The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as ‘IPv6 leakage’. The leaked information ranged from the websites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked.

The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect user’s IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.

This is why I recommend doing things that absolutely need to remain private through a dedicated anonymity tool such as the Tor Browser. VPNs aren’t great for preserving anonymity anyways since the server administrator knows the IP address of connected clients whereas Tor exit nodes only know the IP address of the relays directly connected to them. The Tor developers also focus on anonymity first, which means they’re far more likely to find and fix leaks that could reveal personally identifiable information. However VPNs still work well for establishing connections to remote networks in a secure manner and will still do a good job of bypassing filters and region locks.

It’s also worth noting that as we continue to transition to IPv6 we’re going to keep running into issues like this. Change is never completely smooth, especially when some ISPs, such as Comcast, still don’t provide customers the tools needed to utilize IPv6.

OpenVPN

After getting my business Internet account the first thing I did was set up a virtual private network (VPN) server. VPN servers have a million and one uses but the most important feature they offer me is the ability to have a secure tunnel when connected to networks that aren’t mine. I settled on L2TP/IPSec since that was the more secure of the two options offered by OS X Server (as you can tell the running theme with my network has been migrating away from OS X Server).

L2TP/IPSec served its purpose, it gave me a secure tunnel to my home network, but there were several notable downsides. The biggest of which was the way it was handled by iOS. iOS disconnects from an L2TP/IPSec VPN server when the device is turned off and doesn’t automatically reconnect when it is turned on again. That means I had to go into the settings and manually turn it on whenever I wanted to use it (which is often). I know, first world problems.

Last week I began setting up a replacement VPN server, this one using OpenVPN. This ended up being a phenomenal leap forward. OpenVPN uses OpenSSL for encryption and authentication. That gives you a lot of options. For my purposes I restricted my OpenVPN server to only use TLSv1.2 (the latest), forward secrecy, and known strong encryption and authentication algorithms. Instead of using a pre-shared key, which is an option, I’m using certificates. Using certificates offers several advantages but the most important one to me is that iOS will automatically reconnect to a VPN server if authentication is performed with certificates. OpenVPN has a great, albeit ugly as sin, client for iOS that can import OpenVPN profiles. Best of all the app doesn’t need to be running for the VPN connection to remain connected (so you don’t have to worry about the tunnel closing after 10 minutes since that’s the longest amount of time an app can run in the background on iOS). Now when I turn my phone on it automatically connects to my VPN server.

Since OpenVPN utilizes TLS it’s supposedly difficult to distinguish from HTTPS traffic, which means it’s less likely a network filter will block you from connecting to your VPN server. I don’t have access to a network that hostile so I can’t speak to the effectiveness of this but it’s something to keep in mind if you regularly find yourself connecting devices to a heavily filtered network.

If you’re interested in setting up a VPN server I highly recommend OpenVPN. It’s fairly simple to setup and clients are available for most operating systems.
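As an added example (not the author’s server.conf and not OpenVPN project code), here is a small Python audit that checks an OpenVPN server config for the hardening described above (TLS 1.2 minimum, forward-secrecy suites, AES-GCM, certificate authentication) and for the IPv6 leak the previous post quotes. The directive names are real OpenVPN 2.4+ options (`block-ipv6` needs 2.5+); the two sample configs are constructed for illustration.

```python
"""Audit an OpenVPN server.conf for the settings the VPN posts above call for.
Constructed example, not the author's config or OpenVPN project code; directive
names are real OpenVPN 2.4+ options ("block-ipv6" needs 2.5+); configs are made up."""
import shlex


def parse_config(text):
    """Map each directive to a list of its argument lists (directives may repeat)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = shlex.split(line)  # keeps push "..." as one argument
        cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    first = lambda name: cfg.get(name, [[]])[0]  # args of the first occurrence
    findings = []
    # 1. Control channel floor: TLS 1.2 or newer only.
    tls_min = first("tls-version-min")
    if not tls_min or tls_min[0] not in ("1.2", "1.3"):
        findings.append("tls-version-min: not set to 1.2 or higher")
    # 2. Forward secrecy: only ephemeral (ECDHE/DHE) key exchange suites.
    suites = first("tls-cipher")
    if not suites:
        findings.append("tls-cipher: unrestricted; OpenSSL defaults may allow non-PFS suites")
    for suite in (suites[0].split(":") if suites else []):
        if not suite.upper().startswith(("TLS-ECDHE-", "TLS-DHE-")):
            findings.append(f"tls-cipher: {suite} has no forward secrecy")
    # 3. Data channel: AEAD cipher; SHA-2 HMAC (with GCM, auth only covers tls-auth/tls-crypt).
    cipher = first("cipher")
    if not cipher or not cipher[0].upper().endswith("-GCM"):
        findings.append("cipher: use an AEAD mode such as AES-256-GCM")
    auth = first("auth")
    if not auth or auth[0].upper() not in ("SHA256", "SHA384", "SHA512"):
        findings.append("auth: HMAC should be SHA256 or stronger")
    # 4. Certificates rather than a static pre-shared key (the post's iOS reconnect reason).
    if "secret" in cfg:
        findings.append("secret: static pre-shared key instead of certificates")
    for needed in ("ca", "cert", "key"):
        if needed not in cfg:
            findings.append(f"{needed}: missing; certificate authentication incomplete")
    # 5. IPv6 leak: route IPv6 through the tunnel, or tell the client to drop it.
    pushed = [" ".join(a).split() for a in cfg.get("push", []) if a]
    routes_v6 = any(p[0] == "redirect-gateway" and "ipv6" in p for p in pushed)
    blocks_v6 = any(p[0] == "block-ipv6" for p in pushed)
    if not (routes_v6 or blocks_v6):
        findings.append("push: no 'redirect-gateway ... ipv6' or 'block-ipv6'; IPv6 bypasses the tunnel")
    return findings


# Constructed weak config: legacy cipher, SHA1, static-RSA suite, IPv4-only redirect.
WEAK_CONFIG = """\
ca ca.crt
cert server.crt
key server.key
cipher BF-CBC
auth SHA1
tls-cipher TLS-RSA-WITH-AES-128-CBC-SHA
push "redirect-gateway def1"
"""

# Constructed hardened config matching the post: TLS 1.2, PFS suites, AES-GCM, certificates.
HARDENED_CONFIG = """\
ca ca.crt
cert server.crt
key server.key
remote-cert-tls client
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA256
push "redirect-gateway def1"
push "block-ipv6"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(conf) or "OK")
```

If your server does have IPv6 connectivity, push `redirect-gateway def1 ipv6` instead of `block-ipv6` so IPv6 traffic rides the tunnel rather than being dropped.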

Why Everybody Should Use Encryption

Using encryption requires individuals to put forth the effort to learn. Because people tend to be lazy they usually spend more time coming up with excuses for not learning encryption than they do learning how to use it. Ultimately the excuse they end up settling on is that they have nothing to hide. This is bullshit, of course. If they truly didn’t have anything to hide they would put Internet accessible cameras and microphones in every room of their house and allow anybody to check in on what they’re doing at any time. But they don’t.

Besides the fact that we all have something to hide there is another reason why the “nothing to hide” excuse doesn’t work. To quote Bruce Schneier:

Encryption should be enabled for everything by default, not a feature you turn on only if you’re doing something you consider worth protecting.

This is important. If we only use encryption when we’re working with important data, then encryption signals that data’s importance. If only dissidents use encryption in a country, that country’s authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can’t tell the dissidents from the rest of the population. Every time you use encryption, you’re protecting someone who needs to use it to stay alive.

By not using encryption you are putting lives in danger. Specifically the lives of people who need encryption to stay alive. So long as a majority of people utilize unencrypted forms of communication the presence of encryption becomes a signal that indicates to a snoop that the captured data is important. If all data, from e-mails wishing grandma a happy birthday to plans for protesting the latest act of police brutality, is encrypted then the spies can’t use it to indicate what is and isn’t important. At that point their costs skyrocket because the only way for them to learn what is and isn’t important is to decrypt everything, which isn’t feasible for any organization.

So stop making excuses and learn how to encrypt your data. There are plenty of people out there, including myself, willing to help you. If you don’t then you’re contributing to a problem that puts real lives in danger.

The Seedier Side of the Internet isn’t as Seedy as You Think

Due to the popularity of Silk Road the mainstream media has been busily reporting about the “dark” web. If you take the news stories about the “dark” web literally it is a place where child pornography is readily available, hitmen can be hired for a handful of Bitcoin, and terrorists commonly hold secret meetings to discuss their plan to blow up the next elementary school. Reality, as is often the case with mainstream media portrayals, is quite different:

Read nearly any article about the dark web, and you’ll get the sense that its name connotes not just its secrecy but also the low-down dirty content of its shadowy realms. You’ll be told that it is home to several nefarious things: stolen data, terrorist sites, and child porn. Now while those things may be among what’s available on the dark web, all also are available on the normal web, and are easily accessible to anyone, right now, without the need for any fancy encryption software.

[…]

Despite reports, there are only shreds of evidence that the Islamic State is using the dark web. One apparent fund-raising site highlighted by the Washington Post had managed to garner exactly 0 bitcoins at the time of writing, and this was also the case with another I discovered recently. It’s worth pointing out that both of those sites simply claimed to be funneling the cash to the terrorist group, and could easily have been fakes. The one Islamic extremist dark web site to actually generate any revenue mustered only $1,200 earlier this year. Even it doesn’t explicitly mention the Islamic State.

And yes, child porn is accessible on the normal web. In fact, it is rampant when compared with what’s available from hidden sites. Last year, the Internet Watch Foundation, a charity that collates child sexual abuse websites and works with law enforcement and hosting providers to have the content removed, found 31,266 URLs that contained child porn images. Of those URLs, only 51 of them, or 0.2 percent, were hosted on the dark web.

In other words the big scary “dark” web is basically a smaller regular Internet. What you find on hidden sites, which is the correct term for the “dark” web, is also far more widely available on the regular Internet. Why do sites go through the hassle of requiring visitors to utilize something like the Tor browser then? Because maintaining anonymity for both themselves and their visitors is valuable.

In the case of Silk Road, for example, it was much easier to build user trust by using a hidden site since there was a barrier between the service and the identity of its users. Not only did that barrier protect users from potentially being revealed to law enforcement agents by the site’s administrators but it also prevented buyers and sellers from being able to identify each other. Silk Road was an example of anonymity making things safer for everybody involved.

If you’re of the opinion that buying and selling drugs should result in men with guns kicking down doors at oh dark thirty and therefore what I said above is not a valid justification for hidden sites, don’t worry, I have another. Journalists often find themselves in positions where sources demand anonymity before revealing important information. That is why services such as Onionshare were created:

That’s exactly the sort of ordeal Micah Lee, the staff technologist and resident crypto expert at Greenwald’s investigative news site The Intercept, hopes to render obsolete. On Tuesday he released Onionshare—simple, free software designed to let anyone send files securely and anonymously. After reading about Greenwald’s file transfer problem in Greenwald’s new book, Lee created the program as a way of sharing big data dumps via a direct channel encrypted and protected by the anonymity software Tor, making it far more difficult for eavesdroppers to determine who is sending what to whom.

Whistle blowers are an example of individuals who are less likely to talk to journalists, and therefore blow the whistle, unless their identity can be protected. This is especially true when the whistle blower is revealing unlawful government activities. With access to legal coercive powers it is possible for the state to compel a journalist to reveal a source of information damning to it. If the journalist doesn’t know the identity of the whistle blower, as would be the case if the data was sent via a hidden service, they cannot reveal it to the state no matter what court orders it issues or torture it performs. That protection makes it much more likely that a whistle blower will come forward.

The “dark” web is little more than a layer of anonymity bolted onto the existing Internet. Anything available on the former is available in far larger quantities on the latter. What the “dark” web offers is protection for people who often need it. Like any tool it can be used for both good and bad but that doesn’t justify attempting to wipe it out. And because much of the world is ruled by even more insane states than the ones that dominate the so-called first world I would argue the good of protecting people far outweighs the bad that was happening and still is happening on the regular Internet.