Friday, November 7, 2014

Justification for Your Paranoia

So, about a week ago my company got hacked by Russians. No evidence of them doing anything (like the Chinese, I doubt it took them long to realize that there was nothing of real value on our networks), but they did get in by forging a contractor's VPN credentials, which makes my job a pain.

Let's start this week's issue with an amusing Apple-bashing photograph...because that always makes me feel better (the use of this metaphor should in no way be construed as endorsement of the Latin apple=evil malapropism, even though Apple® is definitely evil).

1) I previously mentioned that the newest Android release would support encryption by default...
Android 5 "Lollipop" is now out and available (for certain devices). If you want to upgrade, here is a handy list of which Android devices say they are getting Lollipop and when.
New OS or not, remember that Android already supports encryption, just make sure you turn it on.
2) There is an odd myth of infallibility/virus-immunity among Apple-lovers...
If recent leaks from iCloud, backdoors on the iPhone, botnet worms on OS X, and other breaches are not sufficient to convince you that you are delusional, maybe this week's news will.
First, there is "WireLurker", malware targeting both OS X and iOS devices, spread by "trojanizing" every app uploaded to a popular Chinese app store between April and June (as of Oct 16, researchers had found more than 467 infected apps, including popular titles like "Sims 3" and "Angry Birds"). Once it finds itself on a computer, WireLurker drops malicious executables, dynamic libraries and configuration files. The downloaded apps work normally to avoid raising any suspicion. It can spread itself via USB connections to any other Apple device by exploiting iTunes protocols, affecting both jailbroken and non-jailbroken devices. In short--it's just as effective and malicious as any virus ever put out for PCs. Given the price of Apple devices and the general profile of Apple customers (let's just say they are compelling targets), you can bet you will see more like this in the future.
Secondly, there is "rootpipe", a privilege escalation vulnerability in OS X. Basically if an attacker can execute code on a Mac using an administrator account, they can give themselves "root" access--letting them access everything and do pretty much anything they want. Of course, it would probably need to be combined with some other method of getting access to the machine (for which a virus like the one above might be perfect).
3) Google is taking 2-step identification to the next logical step.
I've mentioned before that the kind of two-factor authentication that involves a code sent to your phone can be spoofed by intercepting the SMS message used in the verification. Many enterprise 2FA systems get around this potential problem by using a "hard key" (a separate physical device that stores the RSA keys for the authentication). Google has decided to make this approach available to consumers using Chrome logins in the form of their new Security Key.
The Security Key, which only works with Google Chrome for now, plugs into a USB port. It will first verify that the site you’re trying to access is actually a Google site, not some third-party spoof. Then you simply type in your Google account password, tap the small button on the Security Key when prompted and — assuming you do have the proper account credentials entered — you’re into your Google account.
Of course, steps like this just mean that you need to keep even better track of your keys (the physical kind that you might occasionally leave sitting on a table). If you're not the kind who regularly loses small objects like this, you can read more about using Security Key here and can find FIDO U2F compatible keys on Amazon (or other retailers).
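The "verify the site first" step is what makes a Security Key resistant to the spoofing that defeats SMS codes: the browser records the page's real origin in the data the key signs, and the site only accepts a signature made for its own origin with a challenge it issued once. The toy below is an added example, not Google's or the FIDO project's code. It uses HMAC over a per-site secret as a stand-in for the device's per-site ECDSA signature (so the relying party holds a copy of that secret where it would really hold a public key); the site names are constructed placeholders. The origin-binding and replay behaviour it shows does not depend on that substitution.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    """The USB security key: one per-site secret per registered appId."""
    keys: dict = field(default_factory=dict)

    def register(self, app_id: str) -> bytes:
        # Real U2F generates an ECDSA key pair here and hands back the public key;
        # this toy hands back the shared secret for the relying party to keep instead.
        self.keys[app_id] = secrets.token_bytes(32)
        return self.keys[app_id]

    def sign(self, app_id: str, client_data: bytes) -> bytes:
        if app_id not in self.keys:
            raise KeyError("no credential registered for this appId")
        # U2F signs over sha256(appId) || sha256(clientData); counter and flags omitted here
        message = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self.keys[app_id], message, hashlib.sha256).digest()


def browser_sign(token: Token, origin: str, app_id: str, challenge: str):
    """Browser side: a page may only use an appId that matches its own origin."""
    if origin != app_id:
        raise PermissionError(f"origin {origin} may not use appId {app_id}")
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    return client_data, token.sign(app_id, client_data)


class RelyingParty:
    """Server side: issues one-time challenges and verifies origin-bound assertions."""

    def __init__(self, app_id: str, verifier: bytes):
        self.app_id = app_id
        self.verifier = verifier  # would be the registered public key in real U2F
        self.pending = set()

    def issue_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        # The origin the browser recorded must be this site, not a look-alike.
        if data.get("origin") != self.app_id:
            return False
        # Each challenge is accepted once, which defeats replay of a captured assertion.
        if data.get("challenge") not in self.pending:
            return False
        self.pending.discard(data["challenge"])
        message = hashlib.sha256(self.app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.verifier, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """One genuine login, two look-alike-site attempts, and one replay."""
    real_site = "https://login.example-rp.test"   # constructed placeholder
    lookalike = "https://login.examp1e-rp.test"   # constructed placeholder
    token = Token()
    rp = RelyingParty(real_site, token.register(real_site))
    results = {}

    # 1. Genuine site: browser origin matches the appId, signature verifies.
    challenge = rp.issue_challenge()
    client_data, sig = browser_sign(token, real_site, real_site, challenge)
    results["genuine"] = rp.verify(client_data, sig)

    # 2. Look-alike page relays the real site's challenge under the real appId:
    #    the browser refuses because the page's origin is not that appId.
    challenge = rp.issue_challenge()
    try:
        browser_sign(token, lookalike, real_site, challenge)
        results["relay_real_appid"] = "signed"
    except PermissionError:
        results["relay_real_appid"] = "browser refused"

    # 3. Look-alike page uses its own origin as appId: the key has nothing registered for it.
    try:
        browser_sign(token, lookalike, lookalike, challenge)
        results["relay_own_appid"] = "signed"
    except KeyError:
        results["relay_own_appid"] = "no credential"

    # 4. Replaying the assertion from step 1: its challenge was already consumed.
    results["replay"] = rp.verify(client_data, sig)
    return results
```

Running demo() returns True for the genuine login and a failure for each of the other three paths. The SMS scheme has no equivalent of steps 2 and 3: a six-digit code carries no origin, so whoever obtains it can type it into the real site.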
4) The FBI rigs the game again...
When traffic-cameras became a thing, my father-in-law referred to it as the police "not playing fair" or "cheating". While my wife is annoyed by the idea that he considers breaking the law a "game", he does make a good point: We expect our law-enforcement agents to behave in a certain way, give citizens the benefit of the doubt, and be open to reasonable negotiation when no one has been hurt. Obviously cops these days have ceased being reasonable and traffic cameras are only the tip of this iceberg.
Recent reports have brought to light numerous practices by the Federal Bureau of Investigation that even people like my wife would consider unreasonable. First, in investigating potential illegal gambling activities in Las Vegas, they cut a hotel's internet and posed as repairmen to enter a "home" and videotaped the inhabitants without a search warrant.
In the second, the FBI created a fake Seattle Times web page and news story, and used that site to plant spyware on the computer of a suspect. Needless to say, the newspapers involved are pissed.
If that doesn't qualify as "cheating", I don't know what does.