Archive for the ‘Security’ tag
I’m always on the lookout for good guides on privacy and security for beginners. Ars Technica posted an excellent beginner’s guide yesterday. It covers basics that even less computer savvy users can follow to improve their security, such as installing operating system and browser updates, enabling two-factor authentication, and using a password manager so that you can use strong and unique passwords for your accounts.
If you’re not sure where to begin when it comes to security and privacy, take a look at Ars’ guide.
Whenever there is an attack on a school or college campus most people tend to focus on the tool used by the attacker. So far we’ve been fortunate that a majority of these attackers have preferred firearms to explosives, which have the potential to cause far more damage and are only addressed in a limited capacity by current security measures. Unfortunately, yesterday an attacker decided to utilize an automobile and knife to attack the Ohio State University:
Police are investigating whether an attack at Ohio State University which left 11 injured was an act of terror.
Abdul Razak Ali Artan, 18, rammed his car into a group of pedestrians at the college and then began stabbing people before police shot him dead on Monday.
This is the second major incident where a knife was one of the weapons used by the attacker. A few months ago a guy went on a rampage with a knife in St. Cloud (and the police were good enough to lock down the mall so people were trapped inside with the attacker). But this is the first time, at least in recent history, that this type of attack was perpetrated in part with one of the most dangerous commonly available weapons, an automobile.
The amount of energy something has is based on its mass and velocity. A 230 grain .45 bullet traveling at 900 feet per second will give you 414 foot pounds of energy. A 124 grain 9mm bullet traveling at 1,200 feet per second will give you 384 foot pounds of energy. A 1.5 ton vehicle moving at 30 miles per hour will give you 90,259 foot pounds of energy. As you can see, a vehicle can deliver a tremendous amount of energy and therefore can deliver a tremendous amount of damage. On top of that a vehicle provides the driver with some amount of protection against police weapons (in part because it’s capable of moving fast, in part because part of the driver is concealed, and in part because the engine block can protect the driver from a lot of types of commonly used ammunition). And then there’s the fact that an automobile contains combustible fuel.
So far people have been fortunate that most of these attackers have opted for firearms on foot rather than using a vehicle. Even in this case the amount of damage the attacker could have caused was reduced because he opted to exit the vehicle and continue his rampage on foot with a knife.
Fortunately, it doesn’t appear as though the attacker had much success. He did manage to injure 11 people but so far it appears that he didn’t kill anybody. However, if the next attacker decides to study previous attacks to learn from them they could leave a body count in their wake. So the big question is, what can be done?
Of course colleges can try to hinder automobiles from entering the campus by erecting concrete pillars akin to those in front of many stores. But maintenance and delivery people often need to get vehicles on campus so some means of access has to remain. And blocking vehicle traffic will only cause an attacker to seek another tool. The only real defense against these kinds of attacks is a decentralized response system. One of the biggest weaknesses that allows these attacks to meet a high degree of success is the highly centralized security measures currently in place. When one of these attacks starts an alert is sent to the police. The police then need to get to the location of the attack, find the attacker, and engage them. This usually means that the attacker has several minutes of free rein. The faster the attacker can be engaged the less time they have to perpetrate their indiscriminate attack. Any further centralized security measures will meet with limited success. At most they will force an attacker to change their strategy to something not addressed by the centralized system.
Obviously legalizing the carrying of firearms on campus is a good start. Permit holders add a great deal of uncertainty for attackers because anybody could potentially engage them. Since permit holders don’t wear obvious uniforms an attacker also can’t know which individuals to take out first (and by surprise so the uniformed security person doesn’t have a chance to respond). Another thing that can be done to make these attacks more difficult is getting rid of the shelter in place concept. Sheltering in place can be an effective defensive strategy if the people sheltering have a means of defending themselves. If they don’t then they’re basically fish in a barrel if the attacker finds them and gains entry to their shelter (although in the case of a vehicle sheltering in place can be effective, especially in a relatively hardened building like those on many college campuses).
My hatred of using advertisements to fund “free” services is pretty well known at this point. However, it seems that a lot of people prefer the business model where they’re the product instead of the customer. Knowing that, and knowing that password reuse is still a significant security problem for most people, I feel the need to inform you that LastPass, which still remains a solid password manager despite being bought by LogMeIn, now has an ad supported “free” version:
I’m thrilled to announce that, starting today, you can use LastPass on any device, anywhere, for free. No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.
Anything that may convince more people to start using password managers is a win in my book. People who don’t utilize password managers tend to reuse the same credentials on multiple sites, which significantly increases the damage that a password database leak can cause. Furthermore, using a password manager lowers the hurdle for using strong passwords. Instead of having to use passwords that are memorizable a password manager also allows users to use long strings of pseudorandom characters, which means if a password database is breached the time it takes to unveil their password from its stored hash is significantly increased (because the attacker has to rely on brute force instead of a time saving method such as rainbow tables).
If money has been the only thing that has held you back from using a password manager you should take a look at LastPass’s “free” version. While ads are a potential vector for malware they can be blocked with an ad blocker and the risk of being infected through ads is significantly less than the risks involved in not using a password manager.
My biggest gripe with the advertisement based model most Internet services have opted to use is that ads can easily be used to spread malware. Because of that I view ad blockers as security software more than anything. And the Internet seems to enjoy proving my point every few weeks:
As a security researcher, it’s always exciting to discover new vulnerabilities and techniques used by malicious actors to deliver malware to unsuspecting users. These moments are actually quite rare, and it’s increasingly frustrating from a researcher’s perspective to watch the bad guys continue to use the same previously exposed methods to conduct their malicious operations.
Today’s example is no different. We discovered a malvertising campaign on Google AdWords for the search term “Google Chrome”, where unsuspecting MacOS users were being tricked into downloading a malicious installer identified as ‘OSX/InstallMiez’ (or ‘OSX/InstallCore’).
In this case the malware didn’t spread through a browser exploit. Instead it exploited the weakest component of any security system: the human. The malware developers bought ads from Google so that their link, which was cleverly titled “Get Google Chrome”, would appear at the very top of the page. This malware was targeted at macOS users so if you were a Windows user and clicked on the link you’d be redirected to a nonexistent page but macOS users would be taken to a page to download the malware installer. After running the installer the malware opens a browser page to a scareware site urging you to “clean your Mac” and then downloads more malware that opens automatically and urges the user to copy it to their Applications folder.
As operating systems have become more secure malware producers have begun relying on exploiting the human component. Unfortunately, it’s difficult to train mom, dad, grandpa, and grandma on proper computer security practices. Explaining the difference between Google advertisement links and Google search result links to your grandparents is often a hopeless cause. The easiest way of dealing with that situation is to hide the ads, and therefore any malware that tries to spread via ads, from their view and ad blockers are the best tools for that job.
Unfortunately, the advertisement based model isn’t going away anytime soon. Too many people think that web services are free because, as Bastiat explained way back when, they’re not seeing the unseen factors. Since they’re not paying money to access a service they think that the service is free. What remains unseen are the other costs such as being surveilled for the benefit of advertisers, increased bandwidth and battery usage for sending and displaying advertisements, the risk of malware infecting their system via advertisements, etc. So long as the advertisement based model continues to thrive you should run ad blockers on all of your devices to protect yourself.
No matter how secure you make your network you will always have one significant weakness: the users. Humans are terrible at risk management and if somebody doesn’t understand the risks involved in specific actions it is almost impossible to train them not to do those actions. Consider phishing scams. They often rely on e-mails that look like they’re from a specific site, say Gmail, that include a scary message about your account being unlawfully accessed and a link to a site where you can log in to change your password. Of course that link actually goes to a site controlled by the phisher and exists solely to steal your password so they can log into your account. But most people don’t understand the risks of trusting any official looking e-mail and visiting whatever link it provides and entering their password so training people not to fall for phishing scams is a significant challenge.
Even people who are in positions where they should expect to be targets of hackers fall for phishing scams:
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.
The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government. At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account.
While the United States government and some security researchers point the finger at Russia it should be noted that this kind of scam is trivial to execute. So trivial that anybody could do it. For all we know the e-mail could have been sent by a 13-year-old in Romania who wanted to cause a bunch of chaos for shits and giggles.
But speculating about who did this at this point is unimportant. What is important is the lesson that can be taught, which is that even people in high positions, people who should expect to be targets for malicious hackers, screw up very basic security practices.
If you want to make waves in the security field I suggest investing your time into researching ways to deal with the human component of a security system. Anybody who finds a more effective way to either train people or reduce the damage they can do to themselves (and by extension whatever organizations they’re involved in) while still being able to do their jobs will almost certainly gain respect, fame, and fortune.
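One way to limit the damage of the phishing e-mails described above is to check where a link really points before the user ever sees it. The following Python check is an added example, not part of the original post: it flags links in an HTML e-mail whose real destination is not a domain of the claimed sender. The TRUSTED table, the reason labels, the sample message and its placeholder hosts are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the claimed sender really uses for account links.
TRUSTED = {"google": ("google.com",)}

# Constructed sample message; the .example/.net hosts are placeholders.
SAMPLE_EMAIL = """
<p>Your account was accessed from a new device. Change your password now.</p>
<a href="http://accounts.google.com.security-check.example/reset">CHANGE PASSWORD</a>
<a href="https://login.example.net/signin">https://accounts.google.com/signin</a>
<a href="https://accounts.google.com@mail-alert.example/">Review activity</a>
<a href="https://myaccount.google.com/security">Security settings</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname the browser would connect to, or '' if unparseable."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def is_under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(href, text, brand):
    host = host_of(href)
    if not host:
        return ["no-host"]
    parts, reasons = urlsplit(href.strip()), []
    if not any(is_under(host, d) for d in TRUSTED[brand]):
        reasons.append("untrusted-host")
        if brand in host:  # brand name used as a decoy label
            reasons.append("brand-in-untrusted-host")
    if "@" in parts.netloc:  # text before '@' is userinfo, not the host
        reasons.append("userinfo-in-url")
    if parts.scheme != "https":
        reasons.append("not-https")
    # Visible text that is itself a URL must name the same host as the href.
    if text and " " not in text and "." in text:
        shown = host_of(text if "://" in text else "//" + text)
        if shown and shown != host:
            reasons.append("text-href-mismatch")
    return reasons


def analyze(html, brand):
    """Return [(href, reasons)] for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        reasons = check_link(href, text, brand)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze(SAMPLE_EMAIL, "google"):
        print(href, "->", ", ".join(reasons))
```

A mail gateway or mail client could run a check like this and rewrite or quarantine flagged links, which does not depend on the recipient spotting the difference.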
Anybody who has more than two brain cells to rub together and even a modest knowledge of economic history knows that you can’t trust the State for your retirement. The government issued funny money is in a constant state of devaluation, which means every slip of its paper you save will be worth much less when you retire. Because of that, smart people find alternative ways to preserve their wealth for retirement. Some people invest a portion of their wealth in the hopes they can grow it faster than the rate of inflation while others prefer to rely on time proven precious metals.
If you look at historical trends the latter is a pretty solid choice if your goal is to preserve your purchasing power. However, if you’re going to opt for precious metals you need a secure method of storage, to spread out your assets, and probably a decent insurance policy because physical assets can be stolen:
ST. PAUL, Minn. – St. Paul Police are looking into a reported burglary that stripped a female resident of her entire life savings.
Police spokesman Steve Linders confirms that the alleged victim, a 57-year-old who lives on the 1600 block of Abell Street, had her valuables stashed in her bedroom because she does not trust banks. The thieves got away with 100 gold bars valued at more than $1,200 apiece, $60,000 cash and a diamond ring valued at $36,000.
I’ve seen quite a few comments making fun of the fact that her lack of trust in banks caused her to lose her life savings. But if your money is in a bank account its purchasing power is constantly being stolen in the form of inflation so acting high and mighty because you keep your government funny money in a bank is just as stupid as keeping all of your gold in one location and not properly securing it.
By the description of her storage method (stashing it in her bedroom) I’m left to assume she didn’t have her gold in a quality safe. If you’re going to have a lot of gold on hand you should invest in a decent safe that can be bolted to the ground (i.e. a decent gun safe). Bonus points can be had if you can also conceal the safe. But a quality safe offers two advantages. First, it greatly increases the time it takes for a burglar to get to your valuable assets. Burglaries are often smash and grab affairs where the burglars want to minimize the amount of time that they’re in a house. The more secure your assets are the less attractive they will be to a petty thief looking to get in and out. The second advantage a quality safe offers is fire protection. You don’t want to lose your retirement if your house burns down.
In addition to a quality safe you also want to spread your assets around. Keeping all of your eggs in one basket is not a wise idea. I would personally recommend against a safety deposit box at a bank because the State can and has seized them. And since the United States government has confiscated gold in the past it’s not unreasonable to think another gold confiscation might occur. You’re better off relying on trustworthy family members or close friends or having a second piece of property where you can install a quality safe and store some of your assets.
The third thing, which can be tricky if you’re concerned about another possible government gold confiscation, is having an insurance policy. Precious metals are valuable and valuable assets should be insured against loss. However, insuring your precious metals also means records of the metals’ existence will exist. If the government decided to do another gold confiscation they very well may require insurance companies to surrender information on customers who have insured precious metals. Then again, an insurance policy is a nice thing to have if burglars break into your home and get into your safe. It’s one of those risk-reward formulas that you have to figure out for yourself.
Storing your retirement savings in government funny money in a bank is not a good idea but if you’re going to do something else you need to be smart about it. Simply buying gold isn’t a solid plan if you don’t have a way of securing that gold long term.
E-mail should be a dead standard in this day and age. By default it offers no confidentiality or anonymity. Even when you use something like GPG to encrypt the contents of your e-mail the metadata, such as who you communicated with, remains unencrypted. But legacy products like to stick around past their welcome and almost all of us have to deal with e-mail on a daily basis.
This dependency on a legacy product has also been a boon for the State. The snoops working for the State such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) love e-mail because it’s easy to surveil. Not only are the messages unencrypted by default but many providers are more than happy to assist federal agencies in their quest to spy on the general population. It was recently revealed that Yahoo has been one of the e-mail providers in the State’s pocket:
Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.
The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.
Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
Stories like this make me happy that Yahoo has been suffering financially. Most technology companies have at least halfheartedly pushed back when the State has demanded all-encompassing surveillance powers. But Yahoo was more than willing to roll up its sleeves and provide the State with everything it asked for. Fortunately, there was at least one decent person in Yahoo during this fiasco. Unfortunately, that person was powerless to stop Yahoo from going through with its dastardly deed:
According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.
I’d say he was well rewarded for standing up for what he believed in. Facebook is raking in cash so he’s almost certainly being paid far better. And while Facebook is a major player in the State’s surveillance apparatus the company has at least shown a willingness to provide customers with secure means of communications by allowing WhatsApp, one of its acquisitions, to implement the Signal protocol and even implementing optional end-to-end encryption in its Messenger app.
This is the point where I’d recommend Yahoo’s users to abandon its e-mail service for a more reputable one. But I doubt anybody reading this is actually using Yahoo’s e-mail service. But if you are a statistical anomaly and still using it you should stop. Yahoo has zero interest in protecting your privacy.
The Intercept has started a bit of a shit storm by pointing out that iMessage doesn’t encrypt metadata:
APPLE PROMISES THAT your iMessage conversations are safe and out of reach from anyone other than you and your friends. But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and shares this (and other potentially sensitive metadata) with law enforcement when compelled by court order.
Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.
Is this an affront to privacy? Is Apple showing bad faith in its promise to deliver a more secure communication system? No and no. The issue at hand here is that Apple has promised confidentiality but hasn’t promised anonymity, which are two different things.
Confidentiality means that a communication isn’t accessible to unauthorized parties. In other words what was communicated is secret. Anonymity means that the parties communicating are secret. A confidential message isn’t necessarily anonymous and an anonymous message isn’t necessarily confidential.
iMessage and other secure communication applications such as WhatsApp and Signal use an identifier that is tied to your real-life persona, your phone number. Using phone numbers as identifiers allows these apps to easily scan your contacts list to see who does and doesn’t have the application. While they do keep what is being communicated secret they make no attempt to keep who is communicating secret.
Tor, on the other hand, attempts to provide anonymity but doesn’t necessarily provide confidentiality. With the exception of hidden services, every website you access through Tor goes through an exit node. Unless the site you’re accessing utilizes Transport Layer Security (TLS) the contents of the site are accessible to the exit node operator. On Tor the content being communicated isn’t necessarily confidential but the parties communicating are.
Applications such as Ricochet attempt (I use this qualifier because Ricochet is still experimental) to provide both confidentiality and anonymity. Not only are the communications themselves kept secret but the parties who are communicating are also kept secret. But since Ricochet users are anonymous by default the application can’t go through your contacts list and automatically inform you who does and doesn’t have the application.
There’s nothing sinister afoot here. Apple, WhatsApp, and Signal never claimed to deliver anonymity. Even if they didn’t use phone numbers as identifiers they still wouldn’t deliver anonymity since they make no attempt to conceal your IP address. Everybody that is freaking out about this is freaking out about the fact that Apple isn’t providing something it never claimed to provide.
There are no magic bullets. Before choosing the right tool for the job you need to develop a threat model. Unless you know what you are guarding against you can’t effectively guard against it. Confidentiality works well to protect against certain types of snoops. Law enforcers wanting to dig through the contents of messages to find evidence of illegal activities and advertisers wanting the same but to acquire information to better sell you products are threats where confidentiality is important but anonymity may not be required. Law enforcers wanting to create a social graph so they can target friends of specific individuals and censors wanting to learn who is putting out unapproved material are threats where anonymity is important but confidentiality may not be required. On the other hand, depending on your threat model, all of the above may be threats where confidentiality and anonymity are required.
Know your threats and know your tools. Make sure your tools address your threats. But don’t get upset because a tool doesn’t address your threat when it never claimed to do so.
The developers behind Signal, an application that allows you to send secure text messages and make secure phone calls, released a Chrome app some time ago. The Chrome app allowed you to link your Android device with the app so you could use Signal on a desktop or laptop computer. iOS users were left out in the cold, which annoyed me because I spend more time on my laptop than on my phone (also, because I hate typing on my phone). Fortunately, Signal for iOS now supports linking with the Chrome app.
It’s simple to set up and works well. If you, like me, don’t use Chrome as your primary browser and don’t want to open it just to use Signal you can right-click on the Signal App in Chrome and create a shortcut. On macOS the shortcut will be created in your ~/Applications/Chrome Apps/ folder (I have no idea where it puts it on Windows or Linux). Once created you can drag the Signal shortcut to the dock.
Saturday evening there was a multiple stabbing incident at the St. Cloud Center here in Minnesota. Although tragic there are some lessons that can be learned from these kinds of situations and this incident is no different:
In a media briefing after midnight Sunday, St. Cloud police chief William Blair Anderson said an off-duty officer from another jurisdiction confronted and killed the suspect. He said the suspect — who was dressed in a private security uniform — reportedly asked at least one victim whether they were Muslim before assaulting them, and referred to Allah during the attacks.
Here lies our most important lesson. The attacker was dressed in a security uniform. This probably allowed him to get close to his victims without raising any red flags, which is important if you’re relying on a knife. So the lesson here is that not everybody is exactly as they appear. Just because somebody is dressed like a cop or a security guard doesn’t mean they actually are one. Don’t let your guard down just because somebody is in a specific uniform.
One of my friends pointed out another lesson to be learned from this:
The mall remained on lockdown after the incident, but authorities expected those remaining inside to be released early Sunday. Photos and video of the mall taken hours after the incident showed groups of shoppers waiting to be released, including some huddled together near a food court entrance.
The officers trapped people inside the mall with the attacker. When the police arrived it wasn’t yet known if there were multiple attackers so the mall goers were potentially locked in a building with multiple people meaning to cause them harm. Being confined in an area with an unknown number of assailants is not a good place to be. If you hear that there’s an attacker in the building find the nearest fire exit and go through it. If you’re lucky the police won’t see you leave. If you’re unlucky they’ll catch you but in that case you’ll likely be held in the back of a squad car, which is still a safer place than being confined in an area with an unknown number of potential assailants.
Keep your guard up when you’re out and about. Listen to your gut instinct. If that little voice in the back of your head is telling you something is wrong then you should listen to it. We’ve all been doing this human thing for our entire lives so we’re pretty good at subconsciously reading very subtle signs from one another. Anybody can put on any uniform they please but a uniform isn’t going to conceal all those subtle signs we use to judge one another’s intentions. If that voice is telling you the approaching security guard means you harm take heed and book it.
Be aware of all the potential exits. Fire exits are especially good in these kinds of situations because they usually trip a fire alarm. If it’s an audible alarm it will alert other people in the building to get out. If it’s a silent alarm it will still involve a response from the local authorities.
Finally, have a plan to defend yourself if escape isn’t an option. I recommend that people carry a firearm because they give you the best fighting chance. But even if you’re not willing or are unable to carry a firearm you should have some defensive response that you’ve trained thoroughly enough to be instinctual. Be it martial arts, mace, a baton, or even a knife. While you might not win a violent encounter even if you have a means of self-defense, you will certainly lose one if your response is to freeze up.