Tuesday, November 25, 2014

Justification for Your Paranoia

Here is your weekly dose of security tech thoughts...



1) The Cyber-War in Real-Time:
Sometimes a job in security can be very boring. No signs of hackers, nothing to break into, no one really doing anything malicious on the network you are protecting.
Well, if it seems like nothing is happening, you can always open up Kaspersky's Real-Time Cyberthreat Map on a spare screen and watch all kinds of intrusions and malware all over the world as they happen.
It's also a very impressive thing for any non-security people walking by to see on your screen...
Yep [random dude standing behind me] Jordan is having a bad day...
And yes...someone in Antarctica has some spyware on their machine... 
2) Encrypt all the things...
"Just make everything encrypted" is not bad advice for securing the global web, but it has always had certain limits of practicality. That encrypted communication has to have a key to allow the end-client to decrypt it, which is currently handled through PKI certificates, which need a certificate authority to issue them...
While some companies (like Microsoft) issue their own certificates, most developers rely on public certificate authorities (such as Entrust), which usually cost $$. Even if a site does claim to have one of these "trusted certificates", you cannot always trust it. The certificate may be fake, or the issuing authority may be compromised or insecure (such as India's National Informatics Centre earlier this year).
So, in order to actually follow through with the "Encrypt Everything" idea, the world needs a trusted certificate authority that can somehow manage to be well policed (and therefore trustworthy) AND cheap enough that every last kid running a website out of his mom's basement can afford to have a root certificate.
Thankfully, that may be coming soon. The Electronic Frontier Foundation, along with the likes of Akamai, Mozilla, and Cisco, has released Let's Encrypt, a non-profit CA with a free, open-source certificate manager (that will, among other things, auto-install the certificate for you and update/renew the certificate when needed).
"No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment."
So get out there and ENCRYPT EVERYTHING! Because now we can.
3) Password Managers? Yep, they can hack those too...
One common piece of advice from security experts is to use a password manager (like KeePass or Password Safe) to store all of your passwords. This is good because...
  1. It lets you have a unique password for every site you visit while only remembering one password (for the safe).
  2. The software will usually test the strength of your passwords or even create random passwords for all your sites.
Don't take the rest of this note to mean that you should not use a password manager, because it is still a good idea if you are not the kind of person who can remember twenty or more long, randomized passwords. But password managers, even those with strong encryption, are not foolproof.
Password managers are, in fact, the new favorite target of malware such as the Citadel Trojan (which specifically targets both KeePass and Password Safe). Then you've got vulnerabilities in other PM tools like LastPass which could let malicious code on one site steal your credentials for all of them.
This paper, presented at USENIX Security back in August, points out all kinds of vulnerabilities in at least five different password managers. Then you've got things like ClipCaster (an Android app that specifically sniffs the clipboard feature so that you can see that LastPass and similar apps transmit your password in plaintext between the app and your browser when you use autofill features).
So...lessons learned? Don't use LastPass (for anything). Do use a password safe. BUT make sure to get good intel on the password safe you are using and always keep in mind that even these tools are vulnerable.
4) Robocop!
Yes, robot security patrols are no longer a thing of the future. The five-foot-tall "Knightscope K5" comes equipped with four cameras spread at 90-degree angles from each other, along with a weather sensor, a microphone array, a separate "license plate camera," a GPS sensor, LIDAR, and a Wi-Fi-enabled system to transmit live video and keep track of other nearby K5s. Cute, huh?
Knightscope (the company that makes the robots) claims that its mission is to "cut crime by 50%". While this is an admirable ideal, keep in mind that these things are not equipped with weapons of any kind, weigh 300 pounds, and have a max speed of about 5 mph....
So...yeah. If you are doing anything nefarious, just walk away briskly...
Anyone who plays video games has had years of training at avoiding exactly this kind of slow, awkward crime-deterrent AI.