Tuesday, December 30, 2014

Justification for Your Paranoia

December is prime season for getting hacked or infected, for people around the world. Whether from increased shopping activity, more online browsing looking for the right gift, decreased vigilance due to holiday cheer, end-of-year quotas for professional cyber-criminals, or whatever other crazy theory you may have, the simple fact is that December is a sucky month to be "The Security Guy"...

Thanks to the obsessions of my son, my family celebrates the lunar new year, so don't expect any kind of year-in-review posts on this blog. That said, here are a few of the things lighting up the security world this past couple of weeks.

1) Merry Christmas from the NSA!
On Dec 24th, the NSA responded to a FOIA lawsuit from the ACLU by (very quietly) releasing 12 years worth of internal reports from the President's Intelligence Oversight Board. Though heavy portions of the documents are redacted, this particular set of revelations leans more towards human mistakes than intentional law sidestepping. The oversight reports include such gems as U.S. data being e-mailed to unauthorized recipients, data being kept on unsecured computers, and sensitive information being sent to the wrong printer.
Around the same time, the German news magazine Der Spiegel published this great article (based on the Snowden leaks) on the NSA's various efforts to break through all manner of cryptography used in internet-based communications, including, just in case you somehow didn't already know this, full real-time access to voice, video, text messaging, and file sharing from targeted individuals over Microsoft's Skype service.
The full capture of voice traffic began in Feb 2011 for “Skype in” and “Skype out” calls—calls between a Skype user and a land line or cellphone—captured through taps into Microsoft’s gateways. But in July of 2011, the NSA added the capability of capturing peer-to-peer Skype communications—meaning that the NSA gained the ability to capture peer-to-peer traffic and decrypt it using keys provided by Microsoft.
Also out of this latest batch, we get a good view of just how useless VPNs are when dealing with groups like the NSA (thanks to some slides from their dedicated VPN Exploitation Team). Not just PPTP, which everyone knew to be insecure, but also SSH, SSL, and IPSec VPNs.
As an aside, I really wish I worked for whatever team in the NSA gets to name their various tools and databases. For example: "according to the presentation, a “full take” of its traffic is stored in VULCANDEATHGRIP, a VPN data repository" and "successfully cracked VPNs are then processed by a system called TURTLEPOWER".
On the plus side, the new release indicates that the NSA has trouble decrypting certain kinds of traffic—TOR, PGP, and ZRTP for example. Perhaps most heartening from all of this is the NSA's relative ineptitude at deanonymizing TOR users. The evidence from the documents is circumstantial, but it looks like liberal use of these open-source technologies might help keep your communications private (and substantially better than any of the commercial options).
2) The Great Firewall of China just got a little taller...
Since June 2014, Google services have been significantly disrupted in China. As of the day after Christmas, Gmail users in China now have no way to access their accounts (including blocking of gmail use through IMAP, SMTP, and POP3). You can see the results on Google's own traffic report.
For further reading...If you are interested in China's ongoing censorship campaign, Greatfire.org is a great resource.
3) Your fingerprints can be stolen...with a camera.
For any of you out there thinking that biometrics are a thing that will keep you safe from would-be identity thieves, think again. Sure, sci-fi movies and shows (from Spaceballs to Firefly) regularly show fingerprint and handprint scanners being spoofed by hauling around the unconscious body of a recently-knocked-out security guard, and modern crime dramas show fingerprints being lifted from coffee mugs with scotch tape, but it's actually possible to spoof fingerprint readers without ever coming in contact with the person, or even an object they touched.
A German hacker by the name of "Starbug" managed to reproduce the fingerprints of German Defense Minister Ursula von der Leyen using a couple of high-resolution photos of her hands taken at a press conference (from a distance of about 10 feet) and some commercially available software. This comes on the heels of his cracking of Apple's Touch ID feature last year, only 48 hours after it was released, using a camera and a laser printer.
Note: video is in German.
For another good reason not to bother with fingerprint ID: in October a Virginia Circuit Court judge ruled that a criminal defendant can be compelled to give up his fingerprint to unlock a cell phone, but not a password, PIN, or other code. The judge noted in his written opinion that “giving police a fingerprint is akin to providing a DNA or handwriting sample or an actual key, which the law permits. A passcode, though, requires the defendant to divulge knowledge, which the law protects against.”
4) Woe to network console gamers...
While video games are not really my bailiwick, I do have to feel sorry for anyone who got a game for Christmas that required a connection to the Playstation Network (PSN) or Xbox Live to play (though I always feel sorry for people who would waste time on networked video-games when they could be playing a tabletop RPG instead). 
Both networks were hit with a six-hour-long DDoS attack, which started Christmas day. The attack ended when Kim Dotcom offered the attackers, a group calling itself the Lizard Squad, vouchers for one year of 500GB storage on his "Mega" service. The Lizard Squad then followed up with an attack targeting the TOR network, taking over or setting up some 3000 Tor relays in an effort to deanonymize users, though the relay vetting process kept this from having any real effect, and the attack on TOR incurred the wrath of Anonymous.
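The point that the relay vetting process is what blunted the Lizard Squad's relay flood deserves a closer look. The toy model below is an added example written for this post; it is not the author's code and not Tor's own path-selection code. It models two properties of the Tor consensus: a freshly added relay that the bandwidth authorities have not measured gets only a small consensus weight, and a relay that has not been around long enough does not receive the Guard flag, so it can never sit at the client end of a circuit. The numbers (6000 honest relays, 3000 flooded relays, an unmeasured weight of 20 versus a measured weight of 5000, the guard and exit ratios) are assumptions chosen for illustration, not values from any real consensus.

```python
"""Toy model of why Tor's relay vetting blunts a flood of new relays.

Constructed example; the weights, relay counts and flag ratios are assumptions
for illustration and do not come from a real Tor consensus.
"""
import random
from dataclasses import dataclass

UNMEASURED_WEIGHT = 20   # assumed weight for a relay without a bandwidth measurement
MEASURED_WEIGHT = 5000   # assumed weight for an established, measured relay


@dataclass
class Relay:
    name: str
    weight: int        # consensus weight used for path selection
    has_guard: bool    # Guard flag: only granted after the relay has been vetted
    has_exit: bool     # Exit flag
    adversary: bool    # True for the flooded relays


def build_consensus(n_honest: int, n_flood: int, vetting: bool = True, seed: int = 1):
    """Build a synthetic consensus with n_honest established relays and n_flood
    newly added relays. With vetting=True the new relays are unmeasured and
    unflagged; with vetting=False they are treated like established relays,
    which shows what the vetting process prevents."""
    rng = random.Random(seed)
    relays = []
    for i in range(n_honest):
        relays.append(Relay(f"honest{i}", MEASURED_WEIGHT,
                            has_guard=rng.random() < 0.4,
                            has_exit=rng.random() < 0.3,
                            adversary=False))
    for i in range(n_flood):
        if vetting:
            relays.append(Relay(f"new{i}", UNMEASURED_WEIGHT,
                                has_guard=False, has_exit=True, adversary=True))
        else:
            relays.append(Relay(f"new{i}", MEASURED_WEIGHT,
                                has_guard=True, has_exit=True, adversary=True))
    return relays


def weighted_pick(candidates, rng):
    """Pick one relay with probability proportional to its consensus weight."""
    total = sum(r.weight for r in candidates)
    x = rng.uniform(0, total)
    for r in candidates:
        x -= r.weight
        if x <= 0:
            return r
    return candidates[-1]


def adversary_share(relays, role: str) -> float:
    """Fraction of the selection weight the adversary holds for a role
    ('has_guard' or 'has_exit')."""
    pool = [r for r in relays if getattr(r, role)]
    total = sum(r.weight for r in pool)
    adv = sum(r.weight for r in pool if r.adversary)
    return adv / total if total else 0.0


def end_to_end_compromise_rate(relays, circuits: int = 20000, seed: int = 2) -> float:
    """Estimate how often a random circuit has an adversary relay at both the
    guard and the exit position, the condition an observer needs to match
    traffic entering and leaving the network."""
    rng = random.Random(seed)
    guards = [r for r in relays if r.has_guard]
    exits = [r for r in relays if r.has_exit]
    hits = 0
    for _ in range(circuits):
        g = weighted_pick(guards, rng)
        e = weighted_pick(exits, rng)
        if g.adversary and e.adversary:
            hits += 1
    return hits / circuits


if __name__ == "__main__":
    for vetting in (True, False):
        c = build_consensus(6000, 3000, vetting=vetting)
        print(f"vetting={vetting}: guard share={adversary_share(c, 'has_guard'):.3f}, "
              f"exit share={adversary_share(c, 'has_exit'):.3f}, "
              f"both ends={end_to_end_compromise_rate(c):.3f}")
```

With vetting in place the flooded relays hold no guard weight at all and well under two percent of exit weight, so the simulated rate of circuits with an adversary at both ends is zero; with the same relay count and vetting switched off, the adversary would hold a majority of guard weight and roughly a third of circuits would be exposed at both ends. That gap is the "real effect" the vetting process removed.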