Archive for October, 2013

Oct 27 2013

Battling for Power

Published by under General

“The Battle for Power on the Internet” is long, but it’s a worthwhile read.  I’m not going to try to sum it up in a few lines or even a few hundred words, but it’s a well thought out piece by Bruce Schneier.  I think I’ve seen him speak too many times, because I can hear his voice in my head as I read it.

One point he makes is worth calling out though: the ‘security gap’.  Basically, this is the space between new technologies being created and exploited, and law enforcement’s ability to police and enforce societal rules on the technology.  And because our technology is changing faster than it has ever changed before, that gap is growing wider and wider.

The mirror of the security gap should probably be called the ‘surveillance gap’: the space between government and corporations’ ability to monitor the activities of citizens and citizens’ ability to maintain some sort of privacy and anonymity.  This gap is widening even faster than the security gap, because governments are using terrorism and criminal behaviour as a reason, or excuse, to spend enormous amounts of money on surveillance.  And as Bruce points out, the criminals and those who have specific reasons to avoid being watched can find ways around the eyes and ears in the network while the average person is always under the microscope.

There are no easy answers to this problem, but the article raises a number of interesting points.  Go, read it, form your own opinions.  And think about how this affects our future.



Oct 27 2013

Making the right mouth noises, but…

Published by under General

The security team at LinkedIn is stating they’ve done a spanking awesome job of securing Intro and that we should trust in them.  This came out on Saturday in the form of a blog post from LinkedIn’s Cory Scott.  Cory has an impressive background, with time spent at Matasano Security and Symantec.  You can check out his LinkedIn profile for yourself if you want.  And it sounds like they’ve got a pretty good setup.  But he’s missing the main point: LinkedIn has painted a huge target on themselves by asking for access to data they should never be asking for in the first place.

I could pick apart every single claim he has made in the blog post; I have to explain and defend similar statements every day in my own role, and what he’s said is almost meaningless at the level of detail he’s actually providing.  What does it mean to have a ‘tight security perimeter’ or ‘the right monitoring in place’?  A tight perimeter only lasts until the marketing team decides they need direct access to data or an admin makes a mistake on a network configuration.  What is ‘the right monitoring’ in this case?  How closely is LinkedIn looking at the data coming into, and more importantly, leaving their network?  LinkedIn has had several high profile compromises in the last few years and I’m willing to bet that they thought they had the proper level of monitoring in each of those cases too.

What’s really the problem is what LinkedIn had to do in order to create Intro.  This isn’t actually much of a program; it’s really a configuration file that you install to give LinkedIn permission to insert itself into the traffic between iOS Mail.app and the IMAP server you’re connecting to.  They’re breaking the communication channel and any security surrounding it in order to be able to insert their own content.  Even if they don’t monitor the email’s content itself, the metadata about the emails you send is invaluable when it comes to understanding your network of contacts and friends.  Just look at how closely this mirrors the current international debate about the NSA.  I can’t see why anyone would be more willing to trust LinkedIn than they’d trust a shadowy government agency.  At least the NSA supposedly has our best interest at heart and won’t sell our data in order to meet Wall Street earnings numbers.

Then there’s the issue of being able to inject HTML code and a user interface (UI) into your email, one that allows them to push HTML and CSS to your desktop.  How much testing has that really undergone?  How is the system protected from malicious code being injected into the stream?  If these systems are somehow compromised, then the entire user base of LinkedIn could easily be compromised.  Or an attacker could wait until a specific target uses the service, vastly increasing the chances to remain undetected.

I maintain that LinkedIn has made a huge mistake with Intro.  If I were a well funded, adaptive attacker, I’d be quickly sniffing around the edges of Intro, looking at how I can compromise the profiles, whether I can intercept the communication between the devices and LinkedIn, and how I can compromise the servers and services LinkedIn is offering.  They’ve made themselves the center man in a circle of communication, a role I have a hard time believing they’re ready for and that they have the ability to properly secure.  This isn’t the type of activity and network that standard security practices, even done right 100% of the time, are ready and able to handle.  LinkedIn’s history doesn’t leave me feeling they’ve done even standard security practices to industry leading standards, so why should I feel they’ve done it right this time?

If Intro lasts a year without some sort of class break or system compromise, I’ll be surprised.  I wish them luck, but I maintain this was a bad idea any security professional should have called a halt to early in the planning process.  And I won’t be surprised if Apple calls a halt to this either.


Oct 24 2013

LinkedIn Outro

“I know!  Let’s build a man in the middle (MITM) attack into our iPhone app so that we can inject small bits of information into their email that show how useful our site and service are.  At the same time we’ll now have access to every piece of email our users send, and even if we only have the metadata, well, that’s good enough for the NSA and other national spying agencies, isn’t it?  Let’s do it!”

I have to imagine the thinking was nothing like that when LinkedIn decided to create Intro, but that’s basically what they decided to do anyway.  If you read the LinkedIn blog post, you can see that they knew that what they were doing is a MITM attack against your email, even if they are calling it a proxy.  They’ve broken the trusted, or semi-trusted, link between you and your IMAP provider in order to get access to your email so they could insert a piece of HTML code into each and every email you receive.  Additionally, they’ve figured out how to make it so that this code is executable directly in your email.

Basically, what LinkedIn is asking you to do is create a new profile that makes them the proxy for all your email.  This is similar to what you do for your corporate email when setting it up on a new phone, but rather than having something that’s finely tuned for that corporation, LinkedIn makes the new profile on the fly by probing your phone’s configuration and basing it on the settings it finds.  

I have a hard time believing that someone at LinkedIn didn’t wave a red flag when this was brought up.  You’re asking users to install a new profile making you their new trusted source for all email, you’re asking that they trust you with their configuration and you’re capturing, or at least having access to the stream of all authentication data for their email.  Didn’t anyone at LinkedIn see a problem with that?  I have to imagine there are plenty of corporate email administrators who’ll have a problem with it.
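The profile mechanism the two Intro posts on this page describe is a standard iOS configuration profile (a .mobileconfig property list) carrying an email account payload. What a corporate mail administrator, or a suspicious user, would want is a way to look inside such a profile before installing it and see whether it points Mail.app at a server other than the real provider, turns off TLS, or carries the mailbox password. The script below is an added example, not code from the original post and not LinkedIn’s actual Intro profile; the embedded profile is constructed for illustration, and every hostname, identifier and address in it is hypothetical. The payload keys (`com.apple.mail.managed`, `IncomingMailServerHostName`, `IncomingMailServerUseSSL`, `IncomingMailServerPassword`, and so on) are the ones Apple documents for the Email payload.

```python
"""Audit an iOS .mobileconfig for mail payloads that reroute IMAP/SMTP
traffic through a third party, disable TLS, or embed the mail password."""
import plistlib

# Constructed sample profile for illustration only. Hostnames, identifiers
# and the address are hypothetical; this is not a real vendor's profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mailproxy</string>
  <key>PayloadUUID</key><string>0F1E2D3C-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Example Mail Enhancer</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mailproxy.account</string>
      <key>PayloadUUID</key><string>0F1E2D3C-0000-4000-8000-000000000002</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAddress</key><string>alice@example.org</string>
      <key>IncomingMailServerHostName</key><string>imap-proxy.example.com</string>
      <key>IncomingMailServerPortNumber</key><integer>993</integer>
      <key>IncomingMailServerUseSSL</key><true/>
      <key>IncomingMailServerUsername</key><string>alice@example.org</string>
      <key>IncomingMailServerPassword</key><string>hunter2</string>
      <key>OutgoingMailServerHostName</key><string>smtp-proxy.example.com</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
      <key>OutgoingMailServerUseSSL</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

MAIL_PAYLOAD_TYPE = "com.apple.mail.managed"


def mail_payloads(profile_bytes):
    """Return the mail account payload dicts contained in a profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == MAIL_PAYLOAD_TYPE]


def host_allowed(host, allowed_suffixes):
    """True if host is one of, or a subdomain of, the allowed domains."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def audit_profile(profile_bytes, allowed_suffixes):
    """Return (payload_identifier, finding) tuples for each mail payload.

    allowed_suffixes: the domains your real mail provider uses, e.g.
    ("example.org",).  A mail server outside that set means some third party
    sits between Mail.app and the provider: the proxy/MITM arrangement the
    post describes.  Disabled TLS and an embedded password are flagged too,
    because a profile that carries the password has already captured it."""
    findings = []
    for p in mail_payloads(profile_bytes):
        ident = p.get("PayloadIdentifier", "<unknown>")
        for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
            host = p.get(key)
            if host and not host_allowed(host, allowed_suffixes):
                findings.append((ident, f"{key} points at a third party: {host}"))
        for key in ("IncomingMailServerUseSSL", "OutgoingMailServerUseSSL"):
            if not p.get(key, False):
                findings.append((ident, f"{key} is off: plaintext mail traffic"))
        if "IncomingMailServerPassword" in p:
            findings.append((ident, "profile embeds the mail password"))
    return findings


if __name__ == "__main__":
    # Alice's real provider is example.org, so both proxy hosts are flagged.
    for ident, finding in audit_profile(SAMPLE_PROFILE, ("example.org",)):
        print(f"{ident}: {finding}")
```

Run it against a real profile by replacing `SAMPLE_PROFILE` with the file’s bytes; if the allowed domain list is your own provider and any finding comes back, the profile is doing exactly what the post warns about. Note that a profile can also be a signed, CMS-wrapped blob rather than bare XML; this example only handles the unsigned XML form.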

Given recent history and the revelations about how much the metadata of a person’s communications reveals, LinkedIn is audacious to say the least.  They know what they have, or at least want to have: information similar to what Google and Facebook have about your daily contacts and habits.  This is a huge data mining operation for them, aimed at learning everything they can about their users and applying that to advertising.  But I think they have overreached in their desire to have this information and are going to get shut down hard by Apple.  And this doesn’t even take into account the fact that they’ve already had data breaches and are being sued for reaching into consumers’ calendars and contact information.

I don’t think LinkedIn has been a good steward of the information they’ve had before, and there’s no way I’d install Intro onto one of my iDevices if I was a heavy user.  The fact is, I have an account that I mostly keep open out of habit and this is nearly enough to make me shut it down for good.  If I wanted my every move tracked, I’d just keep open a Facebook tab in my browser. And while they may not be much of an example when it comes to privacy, I guess Facebook is a great example when it comes to profitability.  Way to go LI.



Oct 23 2013

Why bother?

Published by under Personal,Privacy

I woke up this morning with a rant running through my mind.  Which is nothing unusual, by any stretch of the imagination.  I often rant, in person, on the blog, and on the podcast.  People almost expect it of me.

The difference this morning is I asked myself, “Why bother?”

Ranting isn’t going to change anyone’s mind.  The people who hold views similar to mine will nod and agree or, rarely, comment on the blog.  But it won’t change anything.  The people who hold opposing views will shake their heads and discount my opinions, or, rarely, comment on the blog.  But it won’t change anything in their minds either.

I’m currently suffering a crisis of faith; in our corporations, in our governments and in humanity.  We’re rapidly approaching an inflection point where we have to decide if we’re going to accept a world where our corporations and our governments monitor our every movement and action, or not.  Or perhaps we’ve already passed the inflection point and we just haven’t realized the implications yet.  In either case, the vast majority of people don’t even know there’s a decision being made that affects their future, as well as the future of their descendants.  Of course, such decisions are being made every day that most of us will never be aware of.

Part of me wants to lead a charge on the governments and corporations of the world in an attempt to recover some of the concepts of privacy we’ve lost in the last two decades.  But another part of me realizes the idea of privacy as we used to know it is dead and gone, its bones picked clean for the sake of social media and by the excuse of ‘national security’.  So how do we adjust our thinking to a new world and create a new type of privacy that limits the power of corporations and governments while still enabling social media and national security?  Especially when we live in a world where the vast majority of people don’t even understand there is a battle going on, or the dangers that opening up our lives to these forces poses.

I don’t know the answer, I don’t have a victory condition to fight for in this battle, or at least not one that’s realistic and achievable.  And quite frankly I don’t think anyone else does either, other than the short term goal of ‘gather everything’ that our governments and corporations have.  And I doubt even they have more than a vague idea where this will lead.

So that’s my ‘not quite a rant, but really a rant’ for today.  Scott McNealy was right, way back in 1999, when he said “You have zero privacy.  Get over it.”  It’s dead, so how do we change ourselves and the world to deal with this not so new reality?  I don’t know, which frustrates me and makes me want to rant.  Which leads to being marginalized as just another crazy talking about privacy.  So why bother?

Update:  A very timely article, at least for me:  The Real Privacy Problem at the MIT Technology review.  Long, but well worth the read.


Oct 22 2013

Renting isn’t an excuse for spying

Published by under General

I know Rich, Zach and I talked about Aaron’s before on the podcast.  This is a company that rents out many items to customers, including laptops.  A few years ago they thought it was a good idea for some of their franchises to install software on the laptops which allowed administrators at the stores to take screenshots, capture keystrokes and generally spy on the activities of the users of the computer without their knowledge.  And apparently some administrators were using this capability to take pictures of people in ‘intimate moments’.  Yeah, I think we all know what that really means.

I’ve always said this level of monitoring of another human being, by anyone, including the owner of the computer, is a horrendous invasion of privacy.  We have so little privacy left right now; to have the computer you rented taking pictures of you is inexcusable.  I fully admit there are legitimate uses of this sort of technology, such as finding a stolen laptop or tracking a deadbeat renter, but this type of usage has to be very narrowly defined and the administrators of the system have to be trained in the allowable uses and ethics of the technology.

This highlights the problem of enabling spying capabilities in a microcosm.  If we don’t very carefully lay out what is and isn’t acceptable usage, the systems are going to be abused.  Some of it will be innocent testing of the limits and finding edge cases.  But a lot of what will happen is that people will do things they know are wrong, simply because it feeds their darker desires.  

Aaron’s took a running leap over the line with their spyware and never even understood that there was a line.  I’m sure the legal battle with their customers and the FTC has made them painfully aware of that line and they’ll be a lot more careful in the future.  But I’m waiting for a car dealership to install something similar in all their rentals.  Oh, wait, they’ve already done that and been slapped down.  Maybe furniture rental places will put motion sensors in their sofas to determine when people are having sex on the couch and charge them extra at the end of the contract next.  It could happen.


Oct 21 2013

RSA EU is all too soon

Published by under General,Public Speaking

Next week is the RSA Europe conference in Amsterdam.  I’m speaking three times at the conference, once as a sponsor, once with my own topic and once in a lightning talk, aka a Pecha Kucha talk.   And at just 6’40″, it’s the PK talk that scares me the most.

The PK talk scares me because it’s such a rigid format.  20 slides set to forward automatically every 20 seconds means you have to have your patter down.  I don’t usually speak in public like that.  I generally use my slides as a template that I can hang talking points off of, but I don’t have a rigid script I’m talking to.  This lets me control the pace and the timing as I want to, rather than needing to go at a set pace.  So, yeah, it scares me.

The other part of giving the lightning talk is that some of the best speakers in security have given them, and I can’t help but compare myself and be found wanting.  Katie Moussouris, Josh Corman, and Rich Mogull, all friends, have given the talks and rave about how much fun it is, but they also talk about how hard the format is.  Any one of them probably has a dozen times the speaking experience I do, and if they found it hard, how is it going to be for me?

So, if you’re in Amsterdam next week at RSA Europe, whatever you do, don’t come to the lightning talks!  Don’t come see me embarrass myself!  I already feel like an idiot abroad, don’t make it any worse.



Oct 20 2013

Yandex selling Cocaine?

Published by under Cloud,Humor

Talk about subtle marketing, Russian search engine Yandex has started a new cloud offering called Cocaine.  “Grab some cocaine in containers” is one of their taglines.  I’m sure someone is buying, but I wonder how they expect to get this delivered for their late night parties.

I want to say something about hosting your app engine in Russia, but right now I’m not certain that having it based there is any worse to many people than having it based in the US.  I would strongly suggest anyone considering building a new application to review the laws in Russia as well as the contract they’re signing.  Of course I’d suggest the same to anyone building upon a service based in the US as well.  In any case, encrypt your storage as securely as you can, no matter where you’re storing the application data!

I wonder how developers are going to explain that their applications are built using Cocaine?  This isn’t the 80s and such things aren’t as acceptable as they once were.


Oct 17 2013

What’s a micromort?

Published by under Family,Humor,Risk

One of the cool things we’ve found on TV since moving to the UK is QI XL.  It’s a BBC show hosted by Stephen Fry where they take a rather comedic romp through a bunch of facts that may or may not have anything to do with one another.  Last night’s show was about Killers and a term that was completely new to me came up, a unit of measure called the ‘micromort’.  It’s basically a measurement equal to a one in a million chance of dying because of a specific event.  Really, it’s a scientifically valid measurement of risk.  And yes, our family has a strange idea of ‘cool’.

Why is the micromort important and relevant to security?  Because humans, and security professionals are included in that category, have a horrible sense of the risks involved in any action.  For example, you are 11 times more likely to die from a 1 mile bike ride, .22 micromorts, than you are from a shark attack, .02 micromorts.  Yet the same people who greatly fear sharks are willing to go on a bike ride on a daily basis.  And many of those people smoke, which is a single micromort for each 1.4 cigarettes smoked.  People suck at risk analysis.

So could we come up with a similar unit of measurement, a one in a million chance that a single action leads to a breach?  Someone needs to find a better name for it, but for the sake of argument, let’s call it a microbreach.  Every day you go without patching a system inside your perimeter is worth a microbreach.  Deploying a SQL server directly into the DMZ is 1000 microbreaches.  And deploying any Windows system directly onto the Internet is 10 million microbreaches, because you know that it’ll be scanned and found by randomly scanning botnets within minutes, if not seconds.

The problem is that the actuarial tables the micromort measurements are drawn from contain millions of daily events.  People die every day, it’s an inevitability, and we have a very black and white way of measuring when a person is dead.  We can’t even really agree on what constitutes a breach in security at this point in time, we don’t have millions of events to draw our data from (I hope), and even if we do, we’re not reporting them in a way that could be used to create statistical data about the cause of these events.

Some day we might be able to define a microbreach and the cost of any action in scientific terms.  There are small sections of the security community that argue endlessly about the term ‘risk’ and I have to believe they’re inching slowly towards a more accurate way to measure said risks.  I don’t expect those arguments to be settled any time soon, and perhaps not even in my lifetime.  So instead I’ll leave you with an entertaining video on the micromort to watch.  Thanks to David Szpunar (@dszp on twitter) for pointing me to it.


Oct 16 2013

Sometimes it’s just about doing it

Published by under Personal

One of the things I promised myself recently is that I’d write every day when I’m home.  I’d gone so long without writing much that I felt the skills start to atrophy.  It’s not important what I write about or how much I write, it’s the act of writing that I want to force myself to do.  As always with the blog, I assume 90% of what I write is useless dreck, but that last 10% is what makes it all worth it.

In a lot of ways, that’s a good analogy for my life: It’s more important to do, even if I fail, than to not do because I might fail or be embarrassed.  If I let failure stand in my way, I’d never have tried many of the things I’ve become good at over time.  So instead I force myself to do things that are uncomfortable in the expectation they’ll become more comfortable over time.

It’s not much, but at least I got something written today.  Now off to do something else that makes me uncomfortable: writing a presentation.


Oct 15 2013

Don’t ask for my password or PIN, United!

I’ve been a United Airlines customer for years.  I’ve been very loyal to United and the Star Alliance.  I’ve flown over 300k miles with them, and I’ll have flown over 100k miles this year alone as of my next trip.  I’m in the top tier of their frequent flyer program and they generally treat me very well, with the kinds of exceptions that plague every airline, like maintenance and weather delays.  But they do one thing that really, really bugs me and they need to change it: When I call in to use my mileage or alter a ticket, their customer service representative asks for my PIN!

When you log into the United site, you have two choices; you can use your password or a four digit PIN to log in.  The same PIN or password can be used to log in to the mobile application as well.  This login allows access to all aspects of the account’s capabilities, allowing the user to change flights, get updates and spend frequent flyer miles.  In other words, total control of the account.  And the customer service reps need this PIN in order to make changes to my account.

This is why I’m extremely annoyed by the way United treats my PIN.  In effect, every time I call in to United, I have to give up total control of my account to a complete stranger.  I have to either trust that they are well vetted by the airline, something I’m not entirely sure is true, or go through the hoops of changing my PIN every time I call in to United’s customer care services.  Alternatively, I can ignore both of those options and simply hope that nothing happens when I give up my password.  I’ve done all three at various times, but it still makes me angry that I have to choose one of these options.

I’ve complained to United several times when calling in.  I’ve talked to the agent on the phone, I’ve asked to speak to a manager, but as recently as last week they show no sign of understanding that this is a problem or making any changes.  The requirement to give up my password seemed to coincide with the merger of United and Continental and the adoption of the Continental computer systems.  The impression I’ve received from sources inside of United and out is that the Continental system was developed in the mid-70s and has been largely unchanged since then.  Yes, they slapped some lipstick on the pig in the form of a web interface, but the back end is still a mainframe of some sort with a security model that hasn’t changed since its inception.

I have to appeal to United’s security teams:  Please, please, please find some way of changing your system so that I don’t get asked for a sensitive piece of information like my password or PIN every time I need to talk to your agents for a change to my flight!  I realize there is no credit card data directly available from my account, but my flight information is and it opens up the ability to change my flights or spend my mileage.  This really is something that shouldn’t be allowed in the modern age, from a multi-national corporation that really should know something about security and securing customer data.  Between moving to the UK and your poor security, I’m seriously thinking it’s time for a different airline.

