Tag Archives: Encryption

Over 90 Percent of IoT Data Transactions Are Not Encrypted

According to a report released by cloud security vendor Zscaler, 91% of the traffic that they saw coming through their network security devices from IoT “things” was NOT encrypted.

This is on enterprise networks where one might think that security is more important, so maybe the number is even higher on home networks, although it would be hard to beat that 91% by very much.

The data covered 56 million IoT device transactions from 1,051 enterprise networks, so it seems like a reasonable sample.

These devices include cameras, watches, printers, TVs, set-top boxes, digital assistants, DVRs, media players, IP phones and a host of other stuff.

Given that, what should you do?

First of all, you should be scanning your corporate network to look for these IoT devices since according to the survey, many of the IoT devices found on corporate networks are, not surprisingly, consumer grade.

Next you need to create a policy regarding what devices you are going to allow.  There is no right or wrong answer, but it should be a conscious decision.

Finally, you should isolate all of those devices onto the anything-but network.  Meaning, anything but your trusted internal company networks.  You probably want to group these into multiple anything-but networks.  For example, one network for phones, another for printers, another for smart devices (TVs, coffee pots, water coolers), etc.

While you are in the middle of this, it is probably a good idea to figure out which of these devices patch themselves and which ones vendors even offer patches for.  Then you have to figure out how the heck you can patch them.

And, if you CAN turn on encryption, you should probably do so.

Doesn’t this sound like fun?  Source: Zscaler.




Security News for the Week Ending April 19, 2019

Microsoft Pulls Patches AGAIN After Some Computers Become Super Secure

Users of Sophos and Avast, especially those running Windows 7 or Windows 8 – but not Windows 10 – got their computers bricked after this month’s update.  Microsoft has had multiple update failures over the last 6 months, causing admins to wait a week or two before installing patches.  In general, this is probably an acceptable risk.  In this case, users had to boot the computer in safe mode, disable their AV, reboot and uninstall the patch.  Then they can re-enable the AV software.  A bit of a pain for companies with a lot of PCs.  Microsoft has now blocked the patch if it sees a problem machine.

NOTE:  If you need a reason to update to Windows 10, Microsoft is releasing an update to back out these failed updates automatically, but, of course, only in Windows 10.

Source: The Register.

Facebook is, Apparently, in the Black Market Business

Many people who do not love Facebook would have said this even before this revelation, but now it is official.

Facebook really does not have the ability to police billions of accounts.  You just can’t get there from here.

This time, researchers at Cisco’s Talos group found 74 groups selling criminal wares, very publicly, on Facebook.  Everything from stolen credit cards to spamming tools.

The groups, which had close to 400,000 members, have been removed.  No doubt, immediately replaced with new ones.  Source: Info Security Magazine.

Genesee County Michigan Joins Many Other Municipalities in Falling to Ransomware

Genesee County was hit by a ransomware attack last week.  Initially, they said no biggie, they would be back the next day.  A week later, they are still wrestling with it, although, it appears, they have a lot of services back online and seem to be making progress towards the rest.

While they are keeping mum about the details, it certainly appears that they had a good backup and disaster recovery strategy, unlike a lot of cities and towns (remember Atlanta last year?).  Source: SC Magazine.


China Is Following in US Lead – US Upset

Huawei Marine Networks is currently constructing or improving nearly 100 submarine cables.

Similar to the Huawei 5G controversy, western intelligence is concerned that they might eavesdrop on the data, since just one cable with multiple fibers might carry 100 gigabits of traffic or more – a very nice prize.

Until recently, the United States and its friends in the Five Eyes countries have had somewhat of a monopoly in spying on Internet traffic.

Now China and other not so friendly countries have the ability also and want in on the action.  The United States would prefer to keep the capability to itself.

The U.S. has repeatedly preferred a less secure Internet to make it easier for it to spy on others (consider the NSA’s successful efforts to modify encryption standards to make them easier to crack, as has been revealed over the last few years, as just one example).  Now that others have the ability to spy on us as well, the lack of security works both ways.  According to Bruce Schneier, the U.S. is going to have to make a decision – a secure Internet which is harder for everyone to hack or a weak Internet which is easy for our adversaries to crack.  Source: Bruce Schneier.

Hacker Publishes Personal Information on Thousands of Law Enforcement Agents

Hackers believed to be based in Ukraine claim to have hacked more than 1,000 sites and have published the personal information (names, phone numbers and street addresses) of about 4,000 federal agents, such as FBI Academy graduates.

When a reporter asked if the hacker was concerned that putting this information out would put federal agents at risk, he responded “Probably, yes”.  The hacker also demonstrated being able to deface an FBI Academy Alumni Site.  His motivation, he said, is money.

The hacker claims to have data on over 1 million people and is working on formatting it to sell.

The FBI Academy Alumni Association only said that it was investigating.  Techcrunch is NOT publishing the name of the hacker’s website.  Source: Tech Crunch.


Expensive IoT Hack

Car2Go, recently renamed Share Now, has suspended its service in Chicago out of “an abundance of caution”.

That caution comes from the fact that 100 of their cars were stolen and some of them used in crimes.  Half of the cars were Mercedes.

Some people have been arrested and a few cars have been recovered.

If we assume that the average cost of one of these vehicles is $50,000, then the loss of 100 cars and the brand damage from news reports like “Robbing a bank?  Steal a Car2Go to make your getaway” or whatever, is significant.  While the hard cost could be covered by insurance, likely the bigger issue is that they don’t understand how the Car2Go app was hacked to allow the thieves to steal a large number of expensive luxury cars.  They likely won’t restart the service until they figure that out.

One more time, Internet of Things security is a challenge (I assume that you use the app to unlock and start the car).  In this case, they probably spent a bit on security, but apparently not enough.

This is one case where APPLICATION PENETRATION TESTING and RED TEAM EXERCISES become very important.  Luckily the hackers weren’t terrorists and didn’t use the cars to kill people.  That would have been a real challenge to do damage control over.

We need to work diligently on IoT security before it becomes more than a financial issue.  Source: NY Daily News.


Does Quantum Computing Mean the End of Encryption

If you believe all of the news reports, quantum computers are here and can break all of the encryption that we have ever used.

A bit hyperbolic.

Dorothy Denning, a very well-known security researcher who has written 4 books and over 200 articles while teaching at Purdue, Georgetown and the Naval Postgraduate School, wrote a very readable article on the subject.

She explains what is and what is not real and why.  In English.

She makes a distinction between symmetric key encryption like AES and public key encryption.  For AES, there are reasonable solutions to the problem.

For public key encryption, one algorithm is based on the supposedly hard problem of factoring numbers.  So far the largest number that they have factored is 15 (4 bits).  Given that most public key encryption is 1,024 or 2,048 bits, they are not quite there yet.

One study said that quantum computers would need to be 100,000 times faster and 100 times less error prone.

But they will get there.

However, the National Institute of Standards and Technology (NIST) is evaluating 69 new potential post-quantum encryption algorithms.  They plan a draft standard by 2024 if not sooner.

So as long as quantum computers don’t get 100,000 times faster and 100 times more reliable in the next 5 years or so, we are probably OK.

Read Dr. Denning’s article here.  Put your mind at ease.




Security or Convenience – Manafort May Have Picked the Wrong Option

Paul Manafort, President Trump’s former campaign manager, is in trouble with the Feds.  Again.

Federal prosecutors say that Manafort attempted to tamper with witnesses to make sure that their testimony coordinated with his.

The feds found out by getting a warrant for his iCloud account.  WhatsApp and Telegram messages backed up to iCloud are not encrypted.

Poof, his cover was blown.

Manafort has been charged with money laundering, tax evasion and failing to register as a foreign agent.  Now the feds may add witness tampering to that.

Since he is currently out on bond, and possible witness tampering probably was not on the court’s approved list of things to do while you are out on bond, they could possibly revoke his bond and send him to jail.  My guess is they will more likely use these new allegations to squeeze him some more.

So what should you do to avoid this situation?

Number one is don’t commit crimes.

Number two is if you are being prosecuted for possibly committing crimes, don’t commit even more crimes.

Number three is to remember that even if your end is secure, there is nothing to stop the recipients from giving you up.  The feds, for example, could say that they are going to charge the other person with a crime unless they cooperate.  Even if the charges are flimsy and don’t eventually hold up, they will still spend a lot of money and have their life turned upside down, so someone might decide to cooperate.

If you are creating records for yourself and you encrypt them, that makes it much harder for anyone to read them.  But you have to make sure that the software is well written and the keys are securely managed.  This is true whether you are planning a crime spree or just trying to protect your business.  Leaving the key in the locked door is not very secure.  It happens to businesses all the time: they think they are protecting their data by encrypting it, but in reality the keys are stored with the data.  If you do it right, they (meaning the feds or hackers from China) might be able to get the data, but the data will still be encrypted.  Could they crack the encryption?  Maybe.  All that takes is time and money.  Possibly a lot of both.  OR, they could hack your phone/computer and steal the encryption keys.

Bottom line – encryption is not a silver bullet, even if you are not a crook.  It is hard to do right and easy to do wrong.

Information for this post came from Gizmodo.



FBI Says Tech Industry Should Follow Financial Services in Saving Messages

FBI Director Christopher Wray suggested that the tech industry follow the model of the financial services industry.  Some of the big banks have created a messaging app with delete capability, so to keep the regulators happy, they agreed to save a copy of each message for 7 years.

Let’s apply that to the tech industry.

WhatsApp currently serves up 55 billion messages plus 4.5 billion photos plus 1 billion videos a day.

iMessage serves up 40 billion messages a day.

Let’s assume a message, with overhead, is 1,000 bytes, a photo is 3 megabytes and a video is 20 megabytes, AND let’s ignore every other secure messaging platform.  The math is:

(95 billion x 1 kB + 4.5 billion x 3 MB + 1 billion x 20 MB) x 365 x 7

That equals 33,595,000 billion bytes per day, or

12,262,175,000 billion bytes per year, or

85,835,225,000 billion bytes in 7 years.

That would be 85,000,000,000,000,000,000 characters, if I did the math right.  Let’s ignore compression for the moment, since videos and photos don’t compress and they are the bulk of the disk space.

Assuming a 5 TB disk drive, that would only require 17,167,045 disk drives to hold the data.

Double that if you would like just one backup copy.

That assumes zero growth during that time, which is unrealistic since, as we know, growth is in the double digits per year.

That is a lot of disk drives for someone to buy.  And maintain.  And pay for the electric and people to keep them running.  Roughly the size and cost of the NSA’s Utah data center, which cost about $4 billion to build, estimates say and probably, a hundred million dollars a year to run.

Scale IS a problem here.  A big problem.

Let’s say you scale that back and say that you only keep messages for a year.  Now you only need two and a half million disk drives, assuming zero growth.
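As an added example (not code from the original post), here is the storage estimate above carried through in Python so the assumptions can be varied: retention period, annual growth, drive size and number of copies.  The daily volumes and per-item sizes are the post’s own figures; the compound-growth model is an assumption added here, since the post’s figures assume zero growth.

```python
# Added example: the post's message-retention storage estimate as a function.
# Daily volumes and item sizes are the post's figures; the growth model is an
# assumption added here (the post's own numbers assume zero growth).

KB = 1_000
MB = 1_000_000
TB = 1_000_000_000_000

# Per-day item counts from the post: WhatsApp 55B messages + iMessage 40B
# messages = 95B messages; 4.5B photos; 1B videos.
DAILY_ITEMS = {"message": 95_000_000_000, "photo": 4_500_000_000, "video": 1_000_000_000}
# Per-item sizes from the post: 1 kB message (with overhead), 3 MB photo, 20 MB video.
ITEM_BYTES = {"message": 1 * KB, "photo": 3 * MB, "video": 20 * MB}


def bytes_per_day(items=DAILY_ITEMS, sizes=ITEM_BYTES):
    """Raw bytes generated per day across all item types (no compression)."""
    return sum(items[kind] * sizes[kind] for kind in items)


def retained_bytes(years, annual_growth=0.0):
    """Bytes retained after keeping every item for `years` years.

    annual_growth=0.0 reproduces the post's zero-growth totals. A non-zero
    rate compounds the daily volume once per year (added assumption).
    """
    total = 0
    daily = bytes_per_day()
    for _ in range(years):
        total += daily * 365
        if annual_growth:
            daily = round(daily * (1 + annual_growth))
    return total


def drives_needed(total_bytes, drive_bytes=5 * TB, copies=1):
    """Whole drives needed (rounded up) to hold `copies` copies of the data."""
    needed = total_bytes * copies
    return (needed + drive_bytes - 1) // drive_bytes


if __name__ == "__main__":
    for years, growth in ((7, 0.0), (1, 0.0), (7, 0.10)):
        total = retained_bytes(years, growth)
        print(f"{years} yr, {growth:.0%} growth: {total:.3e} bytes, "
              f"{drives_needed(total):,} drives, "
              f"{drives_needed(total, copies=2):,} with one backup copy")
```

Running it reproduces the post’s 17,167,045 drives for 7 years and roughly 2.5 million for 1 year, and shows how much a 10% annual growth assumption adds on top.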

If we assume that people don’t keep all their messages, someone else is going to have to and that will be VERY expensive.  Even if you build a back door into phones, if people delete their messages, that back door doesn’t help you.

I’m not saying there is no answer, but there is no simple or inexpensive or privacy protecting way.

And, of course, if you force Apple to build a back door into iMessage, some dude in Pakistan will build his own app that doesn’t have a back door.  Now you have to police every phone on the planet for a long list of apps that changes daily.  Again, possible, but not cheap or simple.

NOTE: These numbers are only for examples.  They could be off by a factor of 10 in either direction – or more.

Information for this post came from The Washington Post.



More Data is Better – Or Is It?

Talk to Google or Facebook and they will tell you that they never met a piece of information that they did not want to add to their databases.  More information means better profiles;  better profiles mean that they can charge more for ads.

But some Silicon Valley firms are rethinking that idea.

Silicon Valley startup Envoy, for example, has made a decision to keep as little customer information as possible.  That way, if the government asks them for the data, they can say they don’t have it.

Some large tech firms are beginning to offer services that rely far less on collecting user data.

Even early stage startups are beginning to realize that between government demands for data and hackers, that holding more data is a liability rather than an asset.

Startups are beginning to invest scarce resources to reduce the amount of data that they collect, even if it slows short term growth.

Even Marc Andreessen, the prominent venture capitalist and cofounder of Netscape, said “Engineers are not inherently anti-government, but they are becoming radicalized, because they believe that the FBI, in particular, and the U.S. government, more broadly, wants to outlaw encryption”.

Andreessen says that startups are “particularly wary” of Burr-Feinstein, the proposed legislation that would force vendors to add back doors to their encryption software.

For some tech vendors, it is not possible to follow this data minimization strategy since they are dependent on selling that data to make money.  For other vendors, they need to have access in order to deliver their service – web based email is an example of this.

Other vendors – Apple’s iMessage, WhatsApp, Signal and others – have added end-to-end encryption where the vendors do not have the keys.  If the FBI comes to them, they can say that they do not have access to the data.

Whatever the outcome, the government has certainly changed the conversation in Silicon Valley and that will influence the design of systems for a long time.  We will have to wait and see how this all plays out.

Information for this post came from the Washington Post.
