Thursday, June 18, 2015

Justification for Your Paranoia

May was a dead month for me writing things, and June is not looking much better so far. I'm not feeling particularly inspired, but, after beating my head against a wall for four days on a problem with my vulnerability scanner at work, I need a break. So I might as well use it to indulge in the less professional side of my paranoia...

1) LastPass
I mentioned months ago that password managers were rife with vulnerabilities, even going so far as to say "Don't use LastPass for anything". Well, I hate to be proven right, but I was...
Monday, LastPass announced "suspicious activity" which included compromises of account email addresses, password reminders, salts, and authentication hashes (i.e. hashed passwords). The good part, the vaults themselves were not compromised...yet.
Attackers having those authentication hashes (and the other key bits of information mentioned) means that it is really only a matter of time before they decrypt the hashes, at which time they can easily get in to your account and get ALL OF YOUR PASSWORDS.
The good news: LastPass master passwords are salted, hashed, and stretched...which should significantly slow down someone trying to decrypt the passwords. But it doesn't mean that they cannot be decrypted, especially if the original password is weak. Rememebr, a high-end GPU can make as many as 10,000 guesses per second.
What should you do: go change your LastPass password, which makes that hash that was stolen useless. 
Also, to be fair to the people at LastPass, they are trying really hard to do things right, and did pretty well with this one. 
  • They quickly identified, contained, and evaluated the scope of the breach
  • They promptly notified users about the breach (within 72 hours)
  • They are certainly doing proper password hashing (100,000+ rounds of PBKDF2-HMAC-SHA256 hashing and stretching is no joke)
  • Vault data obviously isn’t stored on the same system as authentication data, evidence of good segmentation 

2) Encryption as a Human Right
Back in 2011, the UN declared internet access to be a human right, the latest report by UN special rapporteur David Kaye takes that a step further. The report states that:
"Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age. Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity."
Kaye also includes appropriate calls to action:
"The Special Rapporteur, recognizing that the value of encryption and anonymity tools depends on their widespread adoption, encourages States, civil society organizations and corporations to engage in a campaign to bring encryption by design and default to users around the world and, where necessary, to ensure that users at risk be provided the tools to exercise their right to freedom of opinion and expression securely.
The report doesn't take quite as hard a line against encryption back doors as some of the big tech companies did recently, but it is nice to hear this coming from someone (anyone) in an official position. In the US, the fourth amendment protects citizens and their property from unreasonable and unwarranted searches, in the digital age, strong encryption is the one and only way to enforce that right to privacy.

3) Astoria
If encryption and anonymity are a human right, then we need better tools for such, eh?
Enter "Astoria".
Researchers in Israel and the US have developed a new Tor client aimed at thwarting the kind of traffic analysis and timing attacks used by intelligence agencies to de-anonymize of the Tor network. Dubbed Astoria, the tool's relay-selection algorithm decimates the percentage of vulnerable Tor connections from 58 percent of users to just 5.8 percent of users.
Tor Astoria uses an algorithm which is designed to more accurately predict attacks and then accordingly chooses the best and secure route to make a connection that mitigate timing attack opportunities.
"In addition to providing high-levels of security against [timing] attacks, Astoria also has performance that is within a reasonable distance from the current available Tor client," the researchers wrote. "Unlike other AS-aware [autonomous system aware] Tor clients, Astoria also considers how circuits should be built in the worst case, when no safe relays are available. Further, Astoria is a good network citizen and works to ensure that all the circuits created by it are load-balanced across the volunteer-driven Tor network."
 You can read the complete research paper here.
 The source-code for the Astoria client can be obtained from: Stony Brook University.

4) Because you've always wanted to do this, right?

I've talked previously about both cars being hackable to the point that one could control the braking and acceleration remotely. Well, now someone is working on making that flaw into a feature! Jaguar/Land Rover R&D have developed a prototype phone app that allows a driver to control their car remotely: start the car, steer, throttle (sadly to a maximum of only 4mph), and brake. Also, it apparently only works to a range of about 10 meters...
Of course...having made this kind of communication so deliberately possible, it is only a matter of time before someone figures out how to hack it and take complete control of your car from the comfort of their own living room...