CAT | Computer Security
A reader of this blog recently emailed me to ask:
What s/w do you recommend to keep anonymous while using Gmail, IE, Outlook, and Facebook on a laptop?
This is actually a very tricky question because the nature of all of these tools, except Internet Explorer (IE), is to be associated with a visible and discoverable account and identity in the “cloud”. I will discuss IE last and separately.
Gmail ties to your gmail and other Google accounts. Outlook ties to some existing email account at some email provider. Facebook is tied to your Facebook account and is explicitly designed for making your information public.
The profound question here is, what do we even mean by being anonymous using these services? I would argue that the best one can manage is to be pseudonymous; that is to maintain a persistent and visible pseudonym / alias which, while discoverable, is not associated with your true identity.
Fortunately Gmail and Facebook are free and typically do not require any real credentials to set up an account, and many of the free email providers work similarly. Using Anonymizer Universal (AU), and a browser with no history or cache to set up the accounts would ensure they were not connected to your real identity. It is important that the accounts never be accessed in any way except through AU, or they will be forever after associated with your real IP address. Furthermore, it is critical that the browser used is never used for any activity connected to your real identity, or the cookies and other digital detritus in your browser may allow these sites (or other folks) to tie the pseudonym to your other real name accounts.
IE is in many ways the easiest because there is no underlying account, but all the same rules apply. You need to ensure that you isolate your anonymous or pseudonymous activity from your real name activity.
For all of this activity a virtual machine can be a very effective tool. For example, if you use a Mac you can use a virtual machine running Windows or Linux for all of your alias activities and use the normal operating system for your real name activities. Similar tools exist for other operating systems.
3 Comments · Posted by lance in Computer Security, Cryptography, First Amendment, Innovation, Internet, legal, Legislation, National Security, Online Privacy, Personal Privacy, Security Breaches, Surveillance
The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea.
The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the big brother surveillance and constitutional issues).
Today we are releasing the results of a survey on how people understand the risks of going on-line, and what does and does not work to protect against various threats.
One of the most interesting results was that a significant majority of respondents thought that firewalls provided identity protection on line. While important, they are addressing a very different threat.
More information on our results can be found here.
1 Comment · Posted by lance in Computer Security, Cryptography, Email Security, Internet, legal, Legislation, National Security, Online Privacy, Personal Privacy, Security Breaches, Stupidity, Surveillance
This NYTimes article discusses a bill which the Obama administration is proposing to submit to congress. The general background of the bill is that evolving technology has made it more difficult for law enforcement to conduct effective wiretaps and other intercepts because much of the targeted communication now takes place on the Internet and is often encrypted.
The actual text of the proposed bill does not appear to be available, but the article lists the following likely requirements.
- Communications services that encrypt messages must have a way to unscramble them.
- Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
- Developers of software that enables peer-to-peer communication must redesign their service to allow interception.
The first of these is similar to the CALEA law which requires telecommunications carriers to design their services to enable automated real time intercepts. While this generally sounds reasonable when “we” say it, the idea is more ominous when coming from some other governments.
The third proposal is completely outrageous. In effect it says that I may not speak in a way which is unintelligible to the wire tappers. As a colleague quipped “I am hiring Navajo code talkers.” This would require a back door be inserted in to cryptography tools. Experience shows that any crypto system with such a back door will be breached and then left vulnerable to the enormous number of criminal hackers on the Internet today.
In 1993 the US Government proposed a system called the “Clipper Chip” which would provide all encryption for personal computers, but to which the US Government would have back door access. This was a terrible idea then, it was widely ridiculed, and suffered a well justified death by 1996. This third proposal would be much worse. It is asking huge numbers of non-crypto experts to build back doors in to their systems. Frankly, the cryptography in most software is already badly broken in many cases. Something as subtle and complex as a secure and effective law enforcement back door would be far beyond their abilities and render currently poor security completely untrustworthy.
All this is not to mention the potential abuse by oppressive regimes, who will pounce on the capability to further crush dissent within their countries. Finally, it will be largely ineffective against serious threats. Very strong and easy to use cryptography is already available world wide, for free (GPG, ZPhone, TrueCrypt, etc.). This is a classic case of damaging the innocent while leaving the guilty and dangerous unaffected.
It seems to me that there is a pendulum swing to these things. Technology cuts both ways. Some times it favors the interceptor and some times it favors the communicator. In most ways the Internet has been a fantastic boon to law enforcement. Cloud computing, email hosts, social networking, open WiFi, and huge hard drive that encourage people to save everything all provide law enforcement with enormous amounts of information they could never have collected in the past.
It may not be shocking to anyone that there is no federal push to make that more difficult to access while pushing to enhance their ability to intercept encrypted communications.
All this is argument about a bill we have not seen yet. Let us hope that the furor that has swirled around it will cause it to be retraced or modified significantly before it is actually delivered to congress.
I have been reading about this “Haystack” anti-censorship tool for a while, but have withheld comment up to now. The above linked article seems to justify my reticence.
This tool has been a media darling, hyped in many different publications, but try as I might I have never been able to find out any solid information about what it actually does. Just a lot of marketing hype.
It now looks like the system was well intentioned snake oil. I still have not seen it, so this is all hearsay. Unfortunately it can be very difficult for the average person to tell the difference. One thing to look for is transparency in security systems. No security system should rely on assuming the enemy will not work out how it operates. It absolutely must be secure even if the opponent knows everything.
Other good signs are the experience and reputation of the author, the length of time the tool has been in use, and published analysis by other independent security experts.
As it turns out, media hype has a very poor correlation with real security.
In a recent post on Privacy Digest, and an article in the NYTimes, there is a discussion of some major and well known vulnerabilities in the global public key infrastructure (PKI) and some examples of exploitations of that vulnerability.
The issue is with the proliferation of certificate authorities on the Internet, and the low level of oversight on their policies.
Using the web as an example, here is how it works. Embedded in every browser is a list of “certificate authorities”. These are companies that are deemed trustworthy to issue and sign website certificates. Website certificates are what allows websites to be authenticated by your browser and enables SSL based secure connections (e.g. to your bank).
These certificate authorities may also be able to delegate their certificate signing authorities to other secondary certificate authority organizations. The list of primary certificate authorities in your browser is long (I count 43 in my copy of Firefox), and who knows how many secondary certificate authorities may be out there. These certificate authorities exist all over the world, and any of them can issue a certificate that your browser will accept as valid.
A malevolent certificate authority could issue certificates to allow them to impersonate any secure website.
The articles talk specifically about a secondary certificate authority called Etisalat, located in the UAE. They created a certificate which allowed them to sign code which would be accepted as valid and authorized by BlackBerry cell phones. They then created and distributed software to about 100,000 users which enabled government surveillance of the devices. RIM, the maker of BlackBerry, was able to detect and patch this introduced back door.
Etisalat could create certificates to allow the UAE to intercept and read all secure web traffic traveling over networks within that country.
It is likely that there are many other certificate authorities that are similarly willing to compromise the security of the PKI for various ends. To date, no action has been taken against Etisalat. The EFF is calling for Verizon to revoke Etisalat’s ability to issue certificates (Verizon is the primary authority that delegated to Etisalat as the secondary).
This very short article describes a really simple attack that enables someone to discover your physical location with a very high degree of reliability and accuracy.
Given that information, it is easy to pass this information to a Location Services API which returns a location good to a few hundred feet, sometimes much closer. Here is a website that does this for you.
We discovered a major security hole in Facebook almost by accident. The exploit is so trivial I can’t justify calling it hacking. Any time you are on an open WiFi and accessing Facebook, anyone else on the same network can easily grab your credential and access Facebook as you with full access to your account.
Much of the chatter I have seen about this issue talks about targeted advertising and user tracking. While I have no doubt that both companies are very interested in doing that I don’t think this particular disclosure is about that. Message targeting is more likely to happen within applications where the user has granted explicit permission to push location based advertising and alerts.
I think this is all about improving Enhanced GPS services. My guess (and it is just a guess at this point) is that the phones are reporting back GPS location, Cell tower IDs and signal strength, and all visible WiFi base stations and signal strengths. Given enough of these sets of measurements, they can provide extremely accurate location information given only WiFi information (which takes much less power than GPS and also works indoors). It has been well established that multiple companies, including Google, are building such databases from trucks driving around the world (see my last post).
One purely anecdotal data point I have is from my WiFi only iPad. For background, I live on a fairly large lot and the only WiFi I can detect is my own. One of the first things I did with the new iPad was to open up the map application. It almost instantly centered the location reticule on my house. The only available location information was from the WiFi. I know that the Street View truck has never been through my neighborhood, and doubt that any others have been. My suspicion is that phones used within my house have been providing the correlating data between my physical location and my personal WiFi base station hardware ID.
Cnet (among others) reports on Google’s interception of personal information from open WiFi nodes, including passwords and e-mail.
Clearly it was poor practice for Google to be capturing and recording such information as they drove around, but the real news should be that the information was there to be captured. The intent of the monitoring of WiFi seems to be collecting the locations of WiFi base stations to improve enhanced GPS location services. This works by having your device upload a list of all the WiFi base stations it can see (along with signal strength) which the service then looks up in a database to determine your location. This requires the service to have a database of the physical location of an enormous number of WiFi base stations.
To do this, all Google would have needed to capture was the hardware address of each device. Instead they captured some of the actual data being sent back and forth as well.
It turns out that this is incredibly easy. With many of the WiFi chipsets built in to personal computers, laptops and USB adapters, one can easily download free software that will start intercepting open WiFi traffic with a single click.
The shocking news should not be that Google accidentally got this information but that anyone with bad intent could do it to you. Anonymizer will soon be releasing a video we did a few weeks back showing how someone could take control of your Facebook account using an open WiFi and almost no technical expertise at all.
If the connection between you and a website, email server, or other service is un-encrypted, then anyone near you can intercept it if you are using an open WiFi.
To be clear, open WiFi means that the underlying connection is un-encrypted. Many public WiFi sites have a login page. This is to manage usage, and provides no security to you at all.
If you get a connection before you type in a password, especially if you see a web page before you type a password, then you should assume you are on an insecure connection and therefor vulnerable.