Wednesday, September 3, 2014

Justification for Your Paranoia

I have noticed an interesting paradox lately. Somehow, having a job that requires me to regularly share and indulge in my native paranoia has actually made me substantially more open in talking about and sharing information about myself on the internet. Maybe it's that I have another outlet now...

Anyways, it's the time of the month when I have to tell my co-workers about the state of the insecurity of their data, so here is another dose of random things from the world of IT security.

1. Reportedly, 1.2 billion usernames and passwords were obtained by some Russian hackers.
This tops most of the data leaks that have happened over the years, though it looks smaller when you consider that those credentials are aggregated from some 400K websites. The attackers also purchased previously stolen credentials, used them to find sites that were vulnerable to SQL injection, and then stole more credentials from those sites' databases. Given the number of sites affected and the number of credentials stolen, it is hard to tell whether any given user has been compromised. Simple answer: change your passwords. If you are still worried, you can sign up for an identity protection service that can let you know if your specific e-mail address has turned up in a breach.

2. Here is another option in the search for a more secure phone.
Thin, lightweight, unlimited battery life. Revives your social and sex life. This might be your ideal phone!
“A technology-free alternative to constant hand-to-phone contact. The noPhone acts as a surrogate to any smart mobile device, enabling you to always have a rectangle of smooth, cold plastic to clutch without forgoing any potential engagement with your direct environment.”
I think they've got the right idea.

3. I've previously mentioned how insecure cloud-based sharing apps are...
BitTorrent has come out with an alternative that might just be worth your while. There are dozens of sync and backup services available on the Internet, but most have a major drawback: they require people to store data on external cloud-based servers that are not under their control.
BitTorrent Sync is a lightweight backup tool that eliminates this drawback, and it’s much faster too. The functionality of the Sync application is comparable to most cloud-based sync tools, except that there’s no cloud involved. Users simply share their files across their own devices, or the devices of the people they share files with. All traffic between devices is encrypted with AES-128 using a unique session key and is sent over the µTP peer-to-peer protocol.
The latest version also lets you share over HTTPS with a unique URL (which can be given an expiration date and other specific access controls if you want).

4. In case it wasn't easy enough to steal encryption keys, now you can do it by touch!
Researchers from Tel Aviv University have demonstrated an attack against the GnuPG encryption software that enables them to retrieve decryption keys by touching exposed metal parts of laptop computers. This is a side-channel attack. The metal parts of a laptop, such as the shielding around USB ports and the heatsink fins, are notionally all at a common ground level. However, that level undergoes tiny fluctuations caused by the electric fields within the laptop, and those variations can be measured and used to leak information about encryption keys.
The measurements can be made by directly attaching a digitizer to a metal part of the laptop, but they don't have to be this obvious. The researchers showed that they could retrieve information from connections at the far end of shielded USB, VGA, and Ethernet cables. They also used human touch: a person in contact with metal parts of the laptop can in turn be connected to a digitizer, and the voltage fluctuations measured through them. The researchers note that this works better in hot weather, due to the lower resistance of sweaty fingers.
A PDF of the long version of their report is available here.

5. If you have time to watch a bunch of videos, all of the presentations from Black Hat are up on YouTube.