All posts by mitch tanenbaum

Sony Lesson: There Is No Such Thing As Private Email

One of the items that got leaked in the Sony hack was the mailbox of Amy Pascal, the Co-Chairman of Sony Pictures Entertainment.  Here are some excerpts from a Washington Times article.

Among the leaked conversations in the emails is an exchange between Pascal and producer Scott Rudin.  It goes something like this:

Rudin: Angelina Jolie is a “minimally talented spoiled brat” from “Crazyland, … YOU BETTER SHUT ANGIE DOWN” (referring to a project that Jolie wanted to do that would have impacted Rudin).

Pascal: “Do not [expletive] threaten me,”

Rudin: “What the hell are you talking about? Who’s threatening you? Let me remind you I brought this material to you and I can off her from it in a phone call,” Mr. Rudin writes of Ms. Jolie playing “Cleopatra,” the New York Post reported. “Don’t for one second even think about trying this [expletive] with me.”

There are other conversations – for example racist comments about President Obama.

Now here is the thing, and the I.T. folks have known this for years: if you write something in email that you DON’T want to become public, it sometimes does become public anyway.  You just can’t stop it.

Apparently, there are a bunch of other emails that are not terribly flattering as well.

There is talk on the street about Pascal losing her job.

I know that email is very convenient, and if you use the right kind of encryption you reduce the odds of it going public, but you don’t eliminate them.  Encryption on the wire does nothing once the message is sitting in plaintext in a mailbox on a server that gets compromised, and even end-to-end encryption only helps as long as both ends keep their keys and devices secure and nobody forwards or quotes the message.  It’s just not a good plan to put stuff like that in written form.  And if you do, you had better cross your fingers.



The Year Of The Crypto Bug

I am going to name 2014 as the Year Of The Crypto Bug.

Does it seem to you that the past year or so has revealed more than its share of cryptography oopsies?  It does to me.  So I started looking at what was found this year.  In one sense this is good news, but in another, how many more have not been found yet?

I haven’t looked at history, so maybe this is normal.  MAYBE, this is the year of the crypto bug.

Many of the bugs listed below are major, 10-out-of-10 kind of bugs, and many are also in things that you have no ability to patch yourself.

  • Microsoft SChannel – SChannel is Microsoft’s implementation of SSL and TLS, the protocols we all rely on for shopping and banking.  The patch was rated critical; Microsoft said that a remote, unauthenticated attacker could execute arbitrary code on a server just by sending it crafted packets.  The bug was nicknamed Winshock.  Reports at the time put its age at 19 years, a figure that actually belonged to a separate, equally old OLE bug patched on the same Patch Tuesday.
  • Heartbleed – The Heartbleed bug got a lot of attention in the press when it was first announced.  It is a missing bounds check in OpenSSL’s TLS heartbeat extension: a client can declare a heartbeat payload length far larger than the payload it actually sent, and the server dutifully echoes back that many bytes of whatever happens to be next in its memory, up to 64 KB per request, including session cookies, passwords and private keys.  That again hits the security we use for banking and shopping, but it also affects the “Internet of Things”: web cams, alarm systems, elevators and HVAC controllers.  Many of these use OpenSSL because it is free.  Worse yet, when was the last time you patched your refrigerator?  So it is likely that this bug will persist for years, if not decades.  Some people rated it an 11 on a 1-to-10 scale.
  • POODLE – POODLE is another attack on SSL, that old staple, and in this case, really old.  An attacker in the middle can force a browser to fall back to SSL 3.0, an 18-year-old version of the protocol, and then exploit a weakness in how SSL 3.0 pads CBC-encrypted records (the padding bytes are not covered by the integrity check) to decrypt secrets such as session cookies one byte at a time.  The solution is to get rid of SSL 3.0 altogether, which Firefox did several weeks ago, Google will do this month and Microsoft will do in a couple of months.
  • Son of POODLE – This new variant of the POODLE attack is more effective than the original.  It does not require forcing the browser or web site down to an obsolete version of SSL; it works against TLS too, because some TLS implementations (notably on certain load balancers) never actually check the padding bytes, so the same byte-at-a-time decryption works without any downgrade, and it is far simpler to accomplish.  A number of high profile web sites were found to be vulnerable.  Qualys’ free SSL Labs test will tell you whether your site is.
  • Whatsapp – This is really more of a design flaw than a bug, but it still puts content at risk.  According to some researchers in Utrecht, Netherlands, the Whatsapp development team made some decisions that weaken the protections offered by the encryption they provide.  They said that you should assume all messages are compromised (which is a bit strong in my opinion).  On the other hand, the CEO of Whatsapp said the story is overblown and don’t worry your pretty little heads.  One might conclude that they knew their crypto was weak and chose not to fix it, or weakened it on purpose for nefarious reasons.
  • Mozilla NSS Crypto Library – This bug allows a hacker to forge SSL certificates, so an attacker can put up a website that looks real right down to the SSL padlock.  NSS is the crypto library behind Firefox, among other software.  Intel called this the BERserk attack because the flaw is in how NSS parses the Basic Encoding Rules (BER) data inside an RSA signature: a lax parser lets an attacker craft a signature that verifies without knowing the private key.  Cute.
  • Apple Triple Handshake – This bug, affecting iOS 7.1 and earlier on phones and OS X 10.8 and 10.9 on Macs, lets an attacker reuse credentials that you have already used to authenticate yourself to, say, your bank.  It requires that the attacker be able to sit in the middle of your connection, as on a public WiFi network.  Doing anything sensitive on public WiFi is not a good idea anyway, so this just reinforces it.
  • Apple GoTo Fail bug – This bug, which affected a range of OS X and iOS versions, caused Apple’s TLS code to skip the signature check on the server’s key exchange, so a man in the middle could present his own key and the Apple OSes would accept it.  That would let the attacker decrypt ALL the traffic on that connection.  Apple took a lot of heat over the way it handled this particular bug.  It got its name because it was caused by a single duplicated “goto fail;” line in one function, which made the signature check that followed it unreachable.  This points out that while some bugs are very difficult to detect, a simple code review by someone other than the developer (or a compiler warning about unreachable code) would likely have caught this one before it was released.
  • GnuTLS bug – This bug, like the OpenSSL one, is found on millions of computers (GnuTLS ships with several Linux distributions, including Ubuntu, Red Hat and Debian).  It allows an attacker with a specially crafted certificate to get past GnuTLS’s certificate verification, and so to impersonate an SSL- or TLS-protected web site.  Again, this software is used in lots of “Internet of Things” devices like web cams and alarm systems.
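Two of the bugs in the list above, Heartbleed and Apple’s goto fail, each come down to a few lines of C, so here they are side by side with their fixes.  This is an added example written for this page, not OpenSSL’s or Apple’s source: the simulated heap buffer, the record builder, the stand-in hashing and signature functions and all the names are inventions for the demonstration.  The first part models the heartbeat handler trusting the 16-bit length the peer supplied instead of the length of the record it actually received; the fixed handler applies the same arithmetic check OpenSSL 1.0.1g added.  The second part shows why a duplicated unconditional jump turned a signature failure into a success.

```c
/* Added example for this page (not OpenSSL's or Apple's code): two of the 2014
 * bugs above reduced to a few lines of C.  The heap buffer, record builder and
 * function names are inventions for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Part 1: Heartbleed.  Simulated process memory: the heartbeat record sits
 * at the start of `heap` and an unrelated secret lives a little further on.  The
 * buffer is large enough that any 16-bit payload length stays inside it, so the
 * demo itself is memory-safe even though it models an over-read. */
#define HEAP_SIZE   70000
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* a TLS heartbeat carries at least 16 bytes of padding */
static unsigned char heap[HEAP_SIZE];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Write a heartbeat request at heap[0]: type(1) | payload_len(2, big endian) |
 * payload | padding.  `claimed_len` is what the attacker puts in the length
 * field; `payload` is what he really sent.  Returns the true record length. */
static size_t build_record(const char *payload, uint16_t claimed_len)
{
    size_t actual = strlen(payload);
    size_t rec_len = 1 + 2 + actual + HB_PADDING;
    memset(heap, 0, HEAP_SIZE);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, actual);
    memcpy(heap + rec_len + 64, secret, sizeof secret);  /* neighbouring allocation */
    return rec_len;
}

/* Vulnerable handler (pre-1.0.1g logic): the number of bytes copied back comes
 * from the peer and is never compared with the size of the record received. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                     /* ignored: that is the bug */
    if ((size_t)payload_len + 1 > out_cap) return -1;  /* demo harness check only */
    out[0] = HB_RESPONSE;
    memcpy(out + 1, rec + 3, payload_len);             /* reads past the record */
    return 1 + payload_len;
}

/* Fixed handler: header plus declared payload plus minimum padding must fit
 * inside the record actually received, otherwise the message is dropped. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    if ((size_t)payload_len + 1 > out_cap) return -1;
    out[0] = HB_RESPONSE;
    memcpy(out + 1, rec + 3, payload_len);
    return 1 + payload_len;
}

/* Does a heartbeat response contain the secret?  (what the attacker greps for) */
static int response_leaks_secret(const unsigned char *out, int out_len)
{
    size_t n = strlen(secret);
    for (size_t i = 0; out_len > 0 && i + n <= (size_t)out_len; i++)
        if (memcmp(out + i, secret, n) == 0) return 1;
    return 0;
}

/* ---- Part 2: "goto fail".  Stand-ins for the hashing and signature steps of
 * SSLVerifySignedServerKeyExchange; 0 means success, as in Apple's code. */
static int hash_step(void)           { return 0; }
static int check_signature(int good) { return good ? 0 : -1; }

static int verify_buggy(int signature_is_good)
{
    int err;
    if ((err = hash_step()) != 0)
        goto fail;
    goto fail;  /* the duplicated line (indented under the if in Apple's source) */
    if ((err = check_signature(signature_is_good)) != 0)  /* now unreachable */
        goto fail;
fail:
    return err; /* still 0 from hash_step(): "verified" without ever checking */
}

static int verify_fixed(int signature_is_good)
{
    int err;
    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = check_signature(signature_is_good)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    static unsigned char resp[65536 + 1];
    size_t n = build_record("hi", 65535);  /* 2-byte payload, 65535 claimed */
    int len = heartbeat_vulnerable(heap, n, resp, sizeof resp);
    printf("vulnerable: echoed %d bytes, secret leaked: %s\n", len,
           response_leaks_secret(resp, len) ? "yes" : "no");
    printf("fixed: returned %d (record dropped)\n",
           heartbeat_fixed(heap, n, resp, sizeof resp));
    printf("bad signature accepted: buggy=%d fixed=%d\n",
           verify_buggy(0) == 0, verify_fixed(0) == 0);
    return 0;
}
```

Compile with any C99 compiler and run it: the vulnerable handler echoes 65,536 bytes that include the “private key” string sitting well beyond the 21-byte record, the fixed handler drops the same request, and the buggy verifier reports success for a signature that the stand-in check rejects.  The lesson both bugs share is that the check that matters was a single line, which is exactly what a second pair of eyes (or a compiler warning about unreachable code) catches.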

Analysis Of The Sony Breach

Risk Based Security is doing a play by play of the Sony breach.  Visit their website for a detailed analysis of what was stolen.

I am going to pick just one little part of it, which is scary in and of itself.  The fact that they found over a million unredacted Social Security numbers is a business process problem, and one that will likely lead to a number of lawsuits.

Utilizing the enterprise solution, Sensitive Data Manager, Identity Finder discovered:
  • 601 files containing SSNs
    – 75 Acrobat PDFs
    – 523 Excel spreadsheets
    – 3 Word documents
  • 47,426 unique SSNs
    – 15,232 SSNs belonged to current or former Sony employees
    – 3,253 SSNs appeared more than 100 times
    – 18 files contained between 10,860 and 22,533 SSNs each.
  • 1,123,798 copies of compromised SSNs
“The most concerning finding in our analysis is the sheer number of duplicate copies of Social Security numbers that existed inside the files. In this instance, some SSNs appeared in more than 400 different locations, giving hackers more opportunities to wreak havoc,” said Todd Feinman, President and CEO, Identity Finder. “As we have seen from the myriad data breaches this year, every organization is vulnerable to an attack. Security technologies are an important shield, but minimizing the target and reducing the footprint of sensitive data is more critical than ever.”


Charge Anywhere Hackers Were Inside For Almost 5 Years

Charge Anywhere is a provider of credit card payment services for merchants.  This week they announced that they had found hackers inside their network.

The sad thing is that they admitted the bad guys had been inside their network since November 2009.  That is almost 5 years.

They said that they only found evidence of the bad guys actually capturing card data between August 17, 2014 and September 24, 2014.  That doesn’t mean these guys hadn’t been stealing data for years; it only means that is the window for which evidence survived.

Now here is the hard part.  Unlike the Target or Home Depot breaches, as a consumer you have no way to know whether some store you shopped at used Charge Anywhere as its payment processor.

What they say is to watch your credit card and bank statements for unauthorized transactions, which makes their poor security hygiene your problem.  Given everything going on, you should be doing this anyway, but still….

Assuming your card is misused, you are likely going to blame the merchant you shopped with and not its payment processor, so Charge Anywhere kind of gets a get-out-of-jail-free card.

Using cash is looking better all the time.


Sony – How Do You Deal With The Personal Threat

The Sony attack is breaking new ground (unfortunately).  Part of what the hacker group GOP is doing is creating fear, uncertainty and doubt.  They sent out an email to all Sony employees that read, in part (from The Verge):

I am the head of GOP who made you worry.
Removing Sony Pictures on earth is a very tiny work for our group which is a worldwide organization. And what we have done so far is only a small part of our further plan. It’s your false if you if you think this crisis will be over after some time. All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures. Sony Pictures is responsible for whatever the result is. Sony Pictures clings to what is good to nobody from the beginning. It’s silly to expect in Sony Pictures to take off us. Sony Pictures makes only useless efforts. One beside you can be our member.
Many things beyond imagination will happen at many places of the world. Our agents find themselves act in necessary places. Please sign your name to object the false of the company at the email address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.

Sony is working with the FBI on this, but if I were an employee I would be concerned about what these hackers will do to make Sony employees suffer.

Michael Lynton, the CEO of Sony Pictures, sent out an email to employees saying that they are working with the FBI.  But given that neither Sony nor the FBI were able to stop the attack in the first place or find the attackers afterwards, and given that the attackers gave no clue how they intend to make employees suffer, Mr. Lynton’s email does not give me the warm fuzzies that I should feel safe.

This is a whole new level of attack: if you can panic a company’s employees, some will leave and many will be distracted.  That kind of situation can put a company into a downward spiral.

Also, there have been reports that Sony executives received threatening emails prior to the attack starting.

Given that for many executives their assistants read their email, this situation raises the question of how well trained the executive team (and the staff who handle its mail) is to deal with this type of threat.  I have no idea what happened at Sony.  The response could be anywhere from printing it out and putting it on the executive’s reading stack to mashing the big red 911 button and rolling down the steel storm shutters.  How a company deals with this situation is up to the company, but there should be a plan in place that everyone, from the executive team to legal to security to whoever else needs to be in the loop, knows about in advance.  No different from having a plan for dealing with someone phoning in a bomb threat in the physical world.

For all we know, the initial threat could have come in with a link that someone clicked on, and that click launched the attack.  Scary, but possible, and one more reason the people who open executive mail need to know to report a threat rather than click on it.

The company also needs to have a plan for how it is going to deal with employee concerns.  I don’t know if Sony had a plan (remember, this is somewhat old hat to them, what with previous attacks and bomb threats), but what became public (the CEO saying that they are working with the FBI and thanking people for sticking it out) is kind of weak.

The longer this goes on, the more stressful it becomes for employees – which is how the attackers wear down the company.


Factory Reset On Your Android Phone – What Does It Really Do?

I suspect that many of you have performed a factory reset on your phone thinking that all your data was gone and then either gave away or sold your phone.  I have.

Tech Times wrote an interesting article on the subject and it is not all sunshine in Android land.

Avast, the computer security software firm, purchased 20 second-hand Android phones on eBay and ran a standard forensics tool (FTK Imager) against these 20 supposedly factory-reset phones.

The results?  They recovered more than 40,000 pictures, some with kids in them, some “personal” selfies, along with a bunch of other things like a loan application.  Remember, these 40,000 pictures came from only 20 phones.

The issue is that, just as with deleting a file in DOS (or Windows), the factory reset only removes the file system’s references to the files so they are no longer visible.  The data blocks themselves are still there until something happens to overwrite them, and a forensic imaging tool reads the raw storage, not the file system.

Before you panic too much (sorry, you can’t change history – that phone you sold last year – just forget it), there is an answer.

Google says that if you enable encryption before you do the factory reset, you should be in good shape.  Remember that you have to enable encryption on the external SD card separately from the built-in storage (or remove the card from the phone and keep it).

Once you have turned on encryption, THEN perform the factory reset.

It still does not delete any of the files, but it DOES discard the encryption key, so when someone recovers the deleted files they won’t have the key and therefore won’t be able to decrypt what they recovered.  One caveat: this only protects data that was actually encrypted, so anything you deleted before turning encryption on may still be sitting in free space in the clear, depending on how the phone converted the storage.  Not perfect, but a whole lot better than before.

Avast (of course) does offer a freemium product called Avast Anti-Theft that they claim will overwrite deleted files, but unless you are very paranoid, you should not need to do that.

I guess it is what you DON’T know that can bite you.