Justice Department Continues Push To Get Rid Of Encryption

The Justice Department continues to push for the ability to bypass encryption (see here). Leslie Caldwell, one of the assistant AGs, said that the DoJ is very concerned that Apple and Google have turned on encryption by default. I guess that must point to the fact that if people have to do something to turn it on, they won’t, which makes eavesdropping that much easier for them.

FBI Director Comey has said before that he wants to push Congress to make automatic encryption illegal – again pointing to the fact that many people won’t bother to encrypt if it requires an extra click or two.

On the other hand, the government is saying that we have to be more concerned about cyber security – it seems like they are trying to have it both ways.  Encryption is one of the easiest and simplest ways to make it harder for the bad guys to do you in.  It also makes it harder for the FBI and NSA to vacuum up massive amounts of data to look for the needle that they want to find in the data haystack.

Caldwell actually said that encryption makes data too safe.  Really?  Too safe?  Isn’t that kind of like being too rich?  Or too happy?  Seems a bit self-serving.

Caldwell also said that she hopes that companies will build a back door (‘cuz if they do, certainly the Chinese won’t figure that out) so that the FBI can mail the phone to Apple or Google to decrypt.  Really.  MAIL THE PHONE.  I think she is a bit out of touch with the digital age.

Some people have gotten hung up on the term back door, meaning an intentionally introduced mechanism that allows someone who knows about it to compromise the encryption.  Let’s assume that what they really mean is that they want a copy of your encryption keys and they promise to keep them safe.  Is that really possible for them to keep safe?  And what about the data vacuuming that the agencies are doing – doesn’t that require them to use those keys every time you get online?  How, exactly, do you keep that secure?

If I have the key and they want it, then they have to go to a judge and get a warrant and I can disagree and try to convince the judge that they shouldn’t get it.  And, I can change the key so that sharing that key won’t compromise my future conversations.  Key escrow or back doors don’t allow any of that to occur.

The DoJ is also not happy with the TOR network.  They say they are making some progress at hacking it, but I *think* mostly they are taking advantage of people’s poor personal security hygiene (people make mistakes and the feds capitalize on that).

Clearly, encryption and TOR and similar tools can be used for bad purposes, but so can hammers and I don’t see a demand to outlaw hammers.

I am quite sure that encryption makes it harder for the government to do massive data collection and correlation, but we managed to track down criminals before and we can continue to track down criminals after.

Three thoughts and I will allow you to draw your own conclusion –

1. Are bad guys likely to use encryption software that has a back door vs. software that is available for free on the black market that does not have a back door?  Or software that is created by developers in any other country that doesn’t require them to add a back door?  Surely the dumb ones will and you may therefore catch them, but what about the really dangerous ones?

2. What is the financial impact on the U.S. economy if the rest of the world (RoW) knows that the U.S. government can look at their stuff without them knowing about it?  eWeek reported that U.S. Cloud providers said their business could shrink by 25 percent as a result of the NSA data collection. That could be a direct loss to the U.S. economy of $25-$100 billion over three years depending on who you believe.  That doesn’t include secondary effects (if the providers sell fewer services, they will buy fewer computers and hire fewer people, for example).  If the RoW thinks that the U.S. has a crypto back door, how many U.S. jobs will that cost and how many billions in business will we lose?

3. A lot of the crypto is controlled by service providers (like SSL and Facebook), but much more of it is controlled by the end users.  If Joe and I are talking to each other, we share a secret that only we know and that is used as the key.  The fact that the key is secret is what makes it secure.  If that key gets out, then all traffic past, present and future, that was protected with that key, is compromised.  And the feds would like businesses to give that to them freely.  I don’t think that is going to happen.  I have been known to be wrong before.  I think I was once in 1997.  Or maybe 1998.

The government has been trying to build back doors into encryption since at least 1993 when they came out with the idea of the Clipper chip.  It didn’t sell then and it is not likely to sell now.  My two cents.

Mitch


Baby Monitor Hacked – Sorta

The news is reporting that a nanny in Houston said that she heard voices coming from the baby monitor while she was changing her baby’s diaper last week.

Apparently, someone was watching them and talking to them over the built in speaker in the baby monitor.  That speaker is designed so that the parents, using a smart phone, can talk to the baby if they are not there (I assume that they are not leaving the baby alone – that there is someone watching the baby – just not them).

Here is the rub and I have certainly spoken about this before.  I know that security is a pain, but if you don’t want someone watching you while you are having “mommy and daddy time” then (a) don’t have a camera where you are doing it and (b) follow decent security practices.

So what else does the article say?

  1. The camera was not password protected – I have never heard of a home security camera that does not allow for a password.  This one, from the pictures in the news, looked like a relatively high end consumer camera, so I am sure that it supported a password.
  2. The camera, from the pictures on the news, was wireless, so the combination of wireless access and no password is probably not a great parenting choice.  Whether the mother was breastfeeding while the perp was watching was not disclosed.
  3. The family had wifi in the house.  That connection was password protected; however, if the perp was within range of the camera’s wifi, the fact that the house wifi was password protected would be irrelevant.  The news did not disclose what the password on the home wifi was, but given the camera had no password, maybe the house wifi had the default password.  These are usually difficult to guess – like admin or password or possibly Password.  For any given manufacturer, you can find the manual on the Internet and in the manual is the default password.

There are search engines like Shodan (www.shodan.io) that will allow you to search for web cams.  You can even specify which brand of camera you are interested in.  It will give you a list.  No password and poof, you are on the list.

Or the perp could be driving around the neighborhood looking for open wifi cams.  Sounds like if he did that, he would have no problem here.

So, if you are going to use wireless technology, whether it is a camera or an access point, you MUST do some basic stuff.  Make sure that it is patched.  Make sure that it is password protected. And don’t make your password 123456.  If you are making the device available on the internet through one of the many camera sharing web sites, make sure your credentials for that site are not easy to guess.

This is no different from any other password situation.

You, the user, have to make good choices.  There is nothing that the manufacturer or Internet service provider can do other than suggest you  make good choices.  You bought the camera;  now make good choices.

One other thing I want to point out.  Maybe you are an exhibitionist and are ok with some creeper watching you and your kids.  Remember, that camera is on the same network as all the other devices that you have in your house (unless you are like me and that is a whole other blog post).  If the camera is compromised then, potentially, every other device in the house can be compromised.  That is how both the Target and Home Depot attacks started.

Mitch

 


In Honor Of Super Bowl Week – NFL Mobile App Is Like Swiss Cheese

Dark Reading is reporting that the NFL mobile app has a few problems in it – not so much different than NFL officiating.

Wandera performed a scan of the app and discovered that after a successful login, the app leaks your credentials in an unencrypted API call.  In addition, it leaks your login name and email address too (which is probably enough to do a password reset).

That is enough, they say, to get the hacker into the user’s NFL web page, which is also unencrypted, which would allow the hacker to siphon off your address, phone number, occupation, date of birth, gender, if the user entered that in their profile.
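A check for this class of leak, as an added example that is not from Wandera, Dark Reading or the NFL: it walks a list of requests captured from an app (for instance, exported from an intercepting proxy on your own test device) and reports sensitive fields sent over plain HTTP. The host names, field list and sample traffic are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Field names treated as credentials or identifiers (assumed list; adjust per app).
SENSITIVE = {"username", "user", "login", "email", "password", "passwd", "token"}

def _body_fields(content_type, body):
    """Return the top-level field names of a JSON or form-encoded body."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return list(data) if isinstance(data, dict) else []
    if "x-www-form-urlencoded" in content_type:
        return [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return []

def find_cleartext_leaks(requests):
    """List (endpoint, field, location) for sensitive fields sent over plain HTTP.

    Values are deliberately not returned, so the report itself holds no secrets.
    """
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        if url.scheme.lower() != "http":
            continue  # only unencrypted requests are of interest here
        endpoint = url.netloc + url.path
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        for name, _ in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in SENSITIVE:
                findings.append((endpoint, name, "query"))
        ctype = headers.get("content-type", "").lower()
        for name in _body_fields(ctype, req.get("body", "")):
            if name.lower() in SENSITIVE:
                findings.append((endpoint, name, "body"))
        # Basic auth is only base64-encoded, so over HTTP it is readable on the wire.
        if headers.get("authorization", "").lower().startswith("basic "):
            findings.append((endpoint, "authorization", "header"))
    return findings

# Constructed capture: a TLS login followed by unencrypted follow-up calls.
SAMPLE = [
    {"url": "https://api.example.test/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"username": "fan1", "password": "x"}'},
    {"url": "http://api.example.test/profile?username=fan1&email=fan1%40example.test",
     "headers": {}, "body": ""},
    {"url": "http://api.example.test/session",
     "headers": {"Content-Type": "application/json"},
     "body": '{"user": "fan1", "password": "x", "team": "DEN"}'},
    {"url": "http://api.example.test/scores",
     "headers": {"Authorization": "Basic ZmFuMTp4"}, "body": ""},
]

if __name__ == "__main__":
    for finding in find_cleartext_leaks(SAMPLE):
        print(finding)
```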

As a side note, all they use that for is to push ads to you, so if possible, I recommend NOT entering that data and if they require you to do so, then enter bogus data. You may have to enter an occupation, but who says that you are not a mortician or clean septic tanks for a living.  There is no data validation.  And, as you go from site to site, enter different information – just to mess with the ad data people.

Anyway, back to the NFL.  Wandera did not try making a purchase, but given the above information, the security there is pretty suspect as well.

Since many users reuse passwords, getting their NFL.com password may give the hacker access to someone’s email or Amazon account too.

I recommend that if you are going to reuse passwords, break them into categories.  One category I call trash sites are sites that have the lowest possible security needs and least sensitive data (at least as long as you told them that you were 92, female, lived in Paris, France and were a jockey).  The NFL.com site would fall into that category.  At least that way, if that password was compromised, nothing else important would be compromised.

But here is the best part.  The NFL, like politicians, loves to spin things.  Their answer to this issue was:

According to an NFL spokesman, the league is aware of the vulnerability and has made fixes to protect users on the back-end of the app, so no updates are necessary.

Obviously, this answer is total bulls&*t, but they probably figure most fans will trust them implicitly – like they trust the referee’s calls.  There is NOTHING they can do, technically, on the back end to fix this problem.  Can’t be done.  Total lie.

My suggestion is don’t fill out your profile and don’t purchase anything from their web site – buy stuff somewhere else.

Mitch


How Does Your Anti Virus Software Stack Up?

Redmond Mag is reporting that AV-Test has ranked 28 Anti Virus software products against 153 pieces of zero day (meaning previously unknown) and 12,000+ pieces of known malware.

AV-Test, based in Germany, has gotten sideways with Microsoft before.  Microsoft has come in ranked very low on their tests several times.

Microsoft says that the firm ranks anti virus software based on how well it detects malware.  Microsoft says they prioritize “real world malware uses”.  I guess that means that they only worry about the major pieces of malware.

Microsoft’s product is free and unfortunately, this may be one case where you get what you pay for.  In 2013, Microsoft said that most of the malware that they didn’t stop either didn’t hurt users or wasn’t out there in the wild.

Anti virus software is pretty cheap.  Trend Micro, one of the vendors that scored 100 percent on the test, is available today on Amazon for $25 for 3 PCs (per year).  That would work out to $8 and change per PC at home if your family has several computers.

What I don’t know is whether the reason that Microsoft says that their users don’t see the malware that they don’t detect is because that malware is not common or because they don’t detect it, hence Microsoft does report it as being found on users’ computers.

In any case, to me, if I could get something that detects all 12,000+ samples for $8 per computer per year – the cost of 1 or 2 Starbucks –  that sounds like a reasonable expense.

The three anti virus products that scored 100 percent in their tests are:

  • Avira’s Antivirus Pro 2015,
  • F-Secure Internet Security 2015 and
  • Trend Micro Internet Security 2015

The complete test is available here.

Mitch


Sony Still Trying To Recover From Attack

In the latest bit of news dribbling out of Sony Pictures, Reuters is reporting that Sony has requested an extension of the required financial filings from mid February to the end of March.

Sony is saying that their financial and accounting applications will not be working until early February.

For those of you keeping track, the attack started on November 24th of last year.  Early February will put the recovery at 10 or 11 weeks just to get the systems back online.  Then comes the task of catching up on 10+ weeks of lost work for thousands of employees.

Sony did say, according to Reuters, that they will hold a news conference on February 4th.  It will be interesting to see if they announce a charge against earnings for the cost of the breach at that time or if they wait until March 31st when they will file their financials.

The impact on a company of not having any financial systems – and likely many other systems – to manage their business for 2-3 months is significant and we will have to watch to see what the longer term effect is on Sony.

Mitch


Defensive Best Practices For Destructive Malware

The NSA released a 5 page document last week on keeping malware out of your network.  5 pages with links to hundreds of pages of other NSA documents.  It would probably take a year just to read and absorb them.  Then you have to deal with implementing the suggestions.  Some are simple, some are hard.  As I always say, it is a matter of business risk management to decide what you want to do.  Then implementing it.  Then maintaining it.  Simple, huh?  Not quite, but with the right resources, it is possible.

Here is the condensed version of what the NSA is recommending.  Since they control their workforce completely, they can do all of this.  You, probably, will have to pick and choose.

Prevent, Detect and Contain

  • Segregate your network so that when an attacker does get in, he or she cannot roam your entire universe.  An example would be at Target – getting in to the vendor management network should not allow you access to the point of sale system.  In Target’s case, this was way too easy.  This can be a lot of work, but it has slight impact on your users once it is set up and almost no performance impact.
  • Protect and restrict administrative privileges.  Unfortunately, the NSA is the poster child for this one.  When Edward Snowden went rogue, he had way too much access.  This is transparent to your users and a pain in the rear for your administrators.  Still, they have the keys to the cookie jar, so you decide.
  • Deploy application whitelisting.  Whitelisting means that only approved versions of approved applications can be installed anywhere on your network.  This mostly impacts your users and I would rate the impact high.  If users cannot run downloaded software or infected versions of approved software, it makes the hacker’s job very hard.
  • Limit workstation to workstation communication.  This makes it harder for malware to spread.  I rate the impact low on users and medium on administrators.  I rate it difficult to implement.
  • Implement robust network boundary defenses such as firewalls.  This takes some effort to implement but when it is done, for the most part, the users won’t notice.  The US Government is working on this – they had thousands of connections to the outside world.  How do you protect that many connections?  How many connections do you have?  What about the ones you don’t know about like that wifi connection between someone’s laptop and their personal wifi hotspot that they bought from Verizon for $49?
  • Maintain and monitor host and network logging.  This one is completely transparent to the users but takes a lot of work and likely some money.  Every device on your network – from a server to the refrigerator – needs to send its logs to a central server.  Then, those logs have to be crunched for unusual events.  Then people have to act on the alerts.  That is what really killed Target.  Their logging and alerting system generated an alert, IT reviewed it and bounced it up the food chain and management decided not to take any action.
  • Implement Pass-the-Hash mitigations and the Microsoft Enhanced Mitigation Experience Toolkit (EMET).  I rate these high pain levels for both the users and administrators.
  • Implement Host Intrusion Prevention Systems (HIPS) to detect anomalous behavior.  I rate this low for the user; higher for the admins (to setup and monitor) and some cost depending on the solution chosen.
  • Finally, patch software in a timely manner so that known bugs cannot be easily exploited.  There is some pain to the user, although a lot of this can be automated with some work.  There is a lot of work for IT to find all the patches, figure out where they need to go, test all the affected systems and deploy the patches.

Prepare for incident response and recovery

  • Backup, backup, backup.  Then test.  If you cannot restore the backup to a bare metal box, it doesn’t solve the problem.  If new systems are added and not included in the backups, you have a problem.  I know of a company whose backups hadn’t been successful for a year, but no one was checking.  When they had a problem, it suddenly became a huge problem.
  • Establish an incident response and recovery plan.  Then test it at least once a quarter.  When I was a kid, the regional hospital was affected by a big blackout that covered the whole east coast.  The hospital had generators to provide power.  Unfortunately, no one knew how to get them up and running.  That was embarrassing.  Luckily, no patients died before they did get the generators running.
  • At the conclusion of an incident, conduct a lessons learned exercise and actually learn from the experience.
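The backup failure modes described in this list (systems never added to the backups, jobs failing silently for a year, restores never tested) can be caught by comparing the asset inventory against the backup job history. The following is an added example, not taken from the NSA document; the record layout, host names, the 2-day freshness window and the 90-day restore-test window are assumptions, and the data is constructed.

```python
from datetime import datetime, timedelta

def audit_backups(inventory, catalog, now,
                  max_age=timedelta(days=2),
                  max_restore_age=timedelta(days=90)):
    """Return {host: [problems]} for hosts whose backups cannot be relied on."""
    latest_backup = {}   # host -> time of most recent successful backup
    latest_restore = {}  # host -> time of most recent successful restore test
    for rec in catalog:
        if rec["status"] != "success":
            continue  # failed jobs never count as protection
        table = latest_backup if rec["kind"] == "backup" else latest_restore
        if rec["host"] not in table or rec["time"] > table[rec["host"]]:
            table[rec["host"]] = rec["time"]

    report = {}
    for host in inventory:  # driven by inventory so unprotected hosts surface
        problems = []
        if host not in latest_backup:
            problems.append("no successful backup on record")
        elif now - latest_backup[host] > max_age:
            problems.append("last successful backup is stale")
        if host not in latest_restore:
            problems.append("restore never tested")
        elif now - latest_restore[host] > max_restore_age:
            problems.append("restore test overdue")
        if problems:
            report[host] = problems
    return report

# Constructed sample data.
NOW = datetime(2015, 2, 1)
INVENTORY = ["fin-db01", "web01", "file01", "new-app01"]
CATALOG = [
    {"host": "fin-db01", "kind": "backup", "status": "success", "time": datetime(2015, 1, 31, 23)},
    {"host": "fin-db01", "kind": "restore", "status": "success", "time": datetime(2015, 1, 10)},
    {"host": "web01", "kind": "backup", "status": "success", "time": datetime(2015, 1, 31, 2)},
    {"host": "file01", "kind": "backup", "status": "success", "time": datetime(2014, 1, 15)},
    {"host": "file01", "kind": "backup", "status": "failed", "time": datetime(2015, 1, 31)},
    {"host": "file01", "kind": "restore", "status": "success", "time": datetime(2013, 12, 1)},
]

if __name__ == "__main__":
    for host, problems in audit_backups(INVENTORY, CATALOG, NOW).items():
        print(host, "->", "; ".join(problems))
```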

I managed to reduce this to about one printed page.  Actually doing this requires person years of effort, including planning, implementing, testing, monitoring, training and documentation.  Your goal is to make it harder for the bad guys to attack your system than the one next door.  You don’t need to be perfect.  Just harder to attack than your neighbor.

This is a good checklist to review as part of your business risk mitigation efforts.

Mitch
