Tuesday, December 8, 2015

Justification for Your Paranoia

So [again, "So" seems to be my favorite word for starting posts], it's been a long while since I've posted one of these... life has been complicated, and I might get into details in a future unrelated post. Even when not posting these, I am constantly reading and constantly setting aside potential material for these updates. Rather than bog you down with ALL of the security nonsense from the last few months, I've thrown out a pile and jumped to the last couple of weeks. Here is a pile of recent weird stuff from the world of information security... Enjoy!

1) VTech
Several years ago, my wife and I both worked in the "Edutainment" industry, making supposedly educational computer software. As people who used to get paid to do research into the efficacy of such things, we made a strong commitment to never expose our children to such scams (and really, almost all educational software is a scam). Discussions of efficacy aside, during Thanksgiving week of this year, the world learned another big reason not to put their trust in educational software and gadgets: they have just as little security as everything else out there...
While not on the scale of many previous breaches (not that 6 million users is small, but relative to hundreds of millions, it certainly is), the breach of educational toy maker VTech made headline news for a much different reason: the breached users were children and families. Also, the information obtained was not just usernames and passwords. The hacker who pulled this one got the names, addresses, and photographs of children, along with logs of chats between parents and children, and even audio samples and recordings of the kids' voices.
Analysis of the VTech breach done by various groups has turned up the typical issues: SQL errors, lack of data retention boundaries, bad or missing encryption, passwords stored as a simple MD5 hash (i.e. not encrypted at all), etc. etc. etc. Troy Hunt's analysis on Ars Technica goes into a lot of useful detail about how horrendous VTech's security really was. If these problems were isolated, you might be fine, but these are problems industry wide. And I don't mean just edutainment. All tech companies (including the ones I work for) have these problems. Also, kids are not just getting their hands on kid-specific products like VTech (how many of you have handed your kid an iPad to distract them for a bit?).
Since the hack, every site and news source from ABC News, to NPR, to Sophos (the antivirus vendor) has made recommendations about how parents should respond, or 'how to keep your kids safe', or the like. Let me make it very simple for you, as someone with expertise in both educational gadgets and security, who is also a parent...
Just Don't.
Don't buy them. Don't use them.
Give your kids a book. You can't hack a book. And they'll learn so much more...
The one redeeming grace in this story is that the hacker was a relatively ethical one. In an interview with Motherboard (who originally broke the story), said hacker revealed the existence of forums broadly dedicated to hacking the VTech InnoTab tablet ("for the lulz"). So far as is known, the hacker has not sold or otherwise profited from the data dumps and claims that, "I just want issues made aware of and fixed."

2) Fun Android Games...
No, not the kind where you click and launch birds, the kind where you easily spoof your email name and address and Google doesn't do anything about it. Thanks to the very slow turnaround and release cycle for fixing Android bugs (and the nature of the response to the researcher's bug report), this is something you can try from home very easily and probably will be able to do for a fairly long time.

If you are using Gmail and want to mess with your friends who have Android devices, just click on the gear icon in the top right of Gmail. Select "Settings", then "Accounts and Import". Scroll down to "Send Mail As" and click "edit info" on the far right. Input the name you want displayed followed by a quotation mark, then the email address you want to display in quotes (Security Guy ""security@security.com"). Note the double quotes between the name and the address; that's the part that triggers the bug.
The next time you send an email to an Android user, they will see only the name and email address you entered, and your actual information will be completely obscured (even if the user clicks 'show details').
Have fun phishing!
Note: If they open the email on anything other than an Android device, they will be able to see your actual sender information. Until this is fixed, you probably want to check your Gmail using a browser rather than your phone.
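The bug above comes down to a client trusting an address-looking string inside the display name instead of the real addr-spec in angle brackets. The following is an added example (not from the original post, and not Google's or Android's code) of a mail-filter check that catches that pattern; it assumes the spoofed display name reaches the wire as a quoted RFC 5322 display name with escaped inner quotes, and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Matches anything that looks like an addr-spec (user@host) inside free text.
EMAIL_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def naive_sender(from_value: str) -> str:
    """Mimic a client that shows the first address-looking token it sees.
    This shortcut is exactly what a decoy address in the display name fools."""
    match = EMAIL_LIKE.search(from_value)
    return match.group(0) if match else ""


def real_sender(from_value: str) -> tuple:
    """RFC 5322-aware split into (display name, addr-spec)."""
    return parseaddr(from_value)


def check_display_name_spoof(from_value: str) -> dict:
    """Flag a From: value whose display name carries an address that does not
    match the actual addr-spec; this is the pattern described in the post."""
    name, addr = real_sender(from_value)
    decoys = [d for d in EMAIL_LIKE.findall(name) if d.lower() != addr.lower()]
    return {
        "display_name": name,
        "addr_spec": addr,
        "decoy_addresses": decoys,
        "suspicious": bool(decoys),
    }


def strip_field_name(header: str) -> str:
    """Drop the 'From:' field name and return the header value."""
    return header.split(":", 1)[1].strip()


# Constructed sample headers (assumption about how the trick would be encoded
# on the wire; not captured mail). The first carries a decoy address in the
# quoted display name, the second is an ordinary header.
SPOOFED = 'From: "Security Guy \\"security@security.com\\"" <real.sender@gmail.com>'
NORMAL = "From: Alice Example <alice@example.org>"

if __name__ == "__main__":
    for header in (SPOOFED, NORMAL):
        value = strip_field_name(header)
        print("naive client shows :", naive_sender(value))
        print("real addr-spec     :", real_sender(value)[1])
        print("verdict            :", check_display_name_spoof(value))
```

A receiving filter can quarantine or annotate messages where `suspicious` is true, which also catches the older "name@otherdomain.com via real-address" display-name tricks, not only the quote-triggered Android case.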

3) Keep your phone in the other room when watching TV...
High-frequency sounds are being used to track people's behavior across multiple devices (TVs, tablets, phones, and computers). The ultrasonic pitches are embedded into TV commercials or internet ads. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can pair a single user to multiple devices and keep track of which TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a web search or buying a product.
A letter to the FTC from the Center for Democracy and Technology detailed that this ultrasonic cross-device tracking is already being used by more than a dozen marketing companies. The use of ultrasonics also has some similarity to "badBIOS", a piece of theoretical malware that uses ultrasonic transmissions to jump between air-gapped (non-networked) computers.
On the plus side, it looks like the FTC is working on the issue. On Nov 16th, they hosted a Cross-Device Tracking Workshop to discuss both the benefits and the privacy and security concerns associated with this technology. Of course, it could be years before any regulations or software or hardware mitigations are made to curb this activity.

For now, just remember to stash your phone in a sound-proof drawer when you want to watch something in private...

4) Yahoo! wants its money...
...and will hold your emails ransom to get it.
If you are like me (which I never really presume, but you're reading this so we must have something in common), you probably have several free email addresses (for whatever reason). Between the various big-name options (Google, Yahoo, Hotmail, etc.), Yahoo Mail has long been popular with many privacy-minded folks who don't want all of their info being shared with Google (who are pretty open about using the content of your emails to drive targeted advertisements). Of course, Yahoo! also gets its money from ads (if slightly less targeted). Well, now Yahoo! is trying to make sure they recoup that revenue one way or another, and they'll stop you from reading your mail to get it.
Yahoo has acknowledged that it is testing a "product experience" that prevents some users from viewing their email messages. The problem can be fixed if those users turn off their ad blockers. Some users reported receiving pop-up messages asking them to disable their ad blockers before being permitted to view the contents of their inbox. If you are using Yahoo email and you didn't pay for it, you are the product... if you want privacy, or if you don't like ads, you need to pay for it (or so say the folks at Yahoo).
Of course, in many cases ad blockers are being used to prevent malicious adverts from infecting the user's computer. In 2014, Yahoo admitted that adverts on its homepage had been serving malware for several days before they addressed the issue.
In the real world, part of the cost to a retailer of attracting customers to their store is ensuring that those customers will be safe in the store and not robbed or molested by criminals. Likewise, website owners and advertising network companies need to review how they can guarantee the privacy and security of the visitors to their websites. It's high time that sites that depend on ad revenue realize that ad-blocking isn't just an "experience" issue for consumers - it's a security issue.