Seriously Tinder, cleartext in 2018?

When I think about security and privacy, I often focus on sophisticated attacks and exotic exploits, or on user error and social engineering. A recent report about the security design of Tinder reminds me that we also need to keep an eye out for someone simply leaving the door unlocked and wide open.

Tinder does not encrypt the connection between your phone and its servers when sending photos back and forth. Anyone in a position to see your network traffic, for example on a public WiFi, could see and potentially modify those photos. Additionally, even the encrypted communications leave patterns that an attacker can recognize. The messages for "left swipes" and "right swipes" differ in size, so the observer not only knows which profile you viewed, but also what you thought about it.
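The size leak described above, as an added example that is not part of the original post: an on-path observer cannot read TLS ciphertext, but its length tracks the plaintext length, so two actions with different message sizes are distinguishable. Padding every message to a fixed bucket on the application side (not a VPN, which tunnels the same sizes) removes that signal. The JSON bodies are constructed stand-ins, not Tinder's real API format.

```python
import secrets

# Constructed sample bodies standing in for the two swipe requests.
# They differ in length, which is all the observer needs.
SWIPE_MESSAGES = {
    "left": b'{"action":"pass","id":"p-01"}',
    "right": b'{"action":"like","id":"p-01","superlike":false}',
}


def observed_length(plaintext: bytes, tag_len: int = 16) -> int:
    """Length an observer sees for an AEAD record: plaintext + auth tag.
    Encryption hides content, not size."""
    return len(plaintext) + tag_len


def length_leaks(messages: dict) -> bool:
    """True if the actions can be told apart purely by ciphertext length."""
    return len({observed_length(b) for b in messages.values()}) > 1


def fingerprint_lengths(messages: dict) -> dict:
    """Table (length -> action) an observer learns by watching known swipes."""
    return {observed_length(body): action for action, body in messages.items()}


def classify_by_length(length: int, table: dict) -> str:
    """What a passive observer infers from one observed record length."""
    return table.get(length, "unknown")


def pad_to_bucket(plaintext: bytes, bucket: int = 64) -> bytes:
    """Mitigation: pad to a multiple of `bucket` bytes before encrypting.
    Trailer byte stores the pad length (1..bucket) so it can be stripped;
    filler is random so padding is not itself a recognizable pattern."""
    if not 1 <= bucket <= 255:
        raise ValueError("bucket must fit in a single trailer byte")
    pad_len = bucket - (len(plaintext) % bucket)  # always 1..bucket
    return plaintext + secrets.token_bytes(pad_len - 1) + bytes([pad_len])


def unpad(padded: bytes) -> bytes:
    """Reverse pad_to_bucket on the receiving side."""
    pad_len = padded[-1] if padded else 0
    if pad_len == 0 or pad_len > len(padded):
        raise ValueError("bad padding")
    return padded[:-pad_len]


if __name__ == "__main__":
    table = fingerprint_lengths(SWIPE_MESSAGES)
    for action, body in SWIPE_MESSAGES.items():
        print(action, "->", classify_by_length(observed_length(body), table))
    padded = {a: pad_to_bucket(b) for a, b in SWIPE_MESSAGES.items()}
    print("leaks before padding:", length_leaks(SWIPE_MESSAGES))
    print("leaks after padding: ", length_leaks(padded))
```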

The company that discovered the attack, Checkmarx, has even created a fully functional demonstration of it.

Doubtless there are many other apps with similar vulnerabilities that testers have not gotten around to examining. It is deeply frustrating that many developers put so little effort into protecting the privacy and security of their users, who are the whole reason the business has value.

Fortunately there is a way to defend against at least this particular vulnerability: a VPN. By encrypting all of your traffic before it leaves your device, you ensure that anyone sniffing on the local network or WiFi is prevented from reading any of the content. It also keeps them from knowing which services you are visiting, and mixes all of your different activities together over the same channel.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow him on Facebook, Twitter, and LinkedIn.

The Looming End of Network Neutrality and How to Protect Yourself

Let’s get this out right up front. I am a strong advocate for network neutrality. ISPs like Comcast say that these regulations strangle innovation, and that all the concerns about how they might abuse their position are just paranoia.

First a quick review. Network Neutrality is the principle that ISPs should not discriminate between the different sources of traffic on their network. My YouTube, your Facebook, his BitTorrent, her porn site, all should have the same access to, and performance on, the internet. In effect, the internet is like water or electricity, a utility delivered to your doorstep. Those utilities don’t get to control how I use those resources, or limit my ability to plug in certain brands of appliance. Similarly, the utilities should not be able to inject things into the water or send unwanted messages over your electric wires. They are just providing a simple service.

The big ISPs have a long history of abusing their near monopoly status. Way back in 2007, I wrote a blog on how Comcast was blocking BitTorrent traffic. Despite their repeated denials, the Associated Press was finally able to prove that they were.

In 2013, Comcast was called out for injecting code into the websites users were visiting. At that time the code was mostly notifying users that they were close to their data cap. To do this, Comcast was intercepting your connection to the website, reading the content, then modifying it to add their code before sending it on to you. They, and other ISPs, were still at it in 2015 despite all the backlash.

Now in late 2017, partly because of the Network Neutrality debate, we are seeing reports of this again. There is no way to opt out of this, and for most Americans, there is only one choice for a fast network connection where they live. Changing providers is simply not an option.

American ISPs have generally avoided obvious throttling of commercial content because of the threat of enforcement of Network Neutrality regulations, and the possibility of stronger ones to come if they did. They are claiming that if the regulations are removed, they will continue to act in good faith.

While the companies won't let you opt out, you do have a technical way of directly preventing them from messing with your traffic: a VPN. Services like Anonymizer create an encrypted path past your ISP out to the internet. There is no way for the ISP to see the contents of your communication, either to modify it or to throttle it.

If this is an issue that you feel is important too, you can make the issue more visible with some of the techniques and suggestions here.

Fighting cybercrime vs. protecting citizens

David Shedd, former director of the Defense Intelligence Agency, recently published an OpEd on the damage that an unrestricted focus on catching criminals can do to our general cyber security. It is great to see people with that kind of background speaking out on this critical issue.

"Americans want their cyber data to be safe from prying eyes. They also want the government to be able to catch criminals. Can they have both? It's an especially pertinent question to ask at a time when concerns over Russian hacking are prevalent. Can we expose lawbreakers without also putting law-abiders at greater risk? After all, the same iPhone that makes life easier for ordinary Americans also makes life easier for criminals."

You can read the whole essay here.

Do you use any of the worst passwords of 2016?

It is time to talk about passwords again. They are like the seatbelts of the security world. There are many more exciting security tools, but few are as important to keeping you safe from the risks you encounter day to day.

SplashData recently released their list of the most common passwords from 2016, based on over five million stolen and leaked credentials.

Clearly things have improved and password requirements have gotten more stringent, because the winner is no longer 1234, which has dropped to #11. It is now 123456! Second place goes to that perennial favorite "password", and we see 12345 in third place.

Rather than showing how stupid people are, I think this shows just how many passwords we are asked to create, keep track of, and change. I have over 1500 passwords right now. Asking humans to create, manage, and remember unguessable and unique passwords for all those sites is absurd. Humans tend to fall back on a couple of strategies. Some people have one good password that they use on all of their important websites, and a really simple one for all the other websites. Other people will create a simple pattern for generating passwords for each site, like adding a word to the name of the site. The password for Facebook might be "fluffy3Facebook!" and Wells Fargo might be "fluffy3WellsFargo!". Those would pass most tests for length, capitalization, numbers, and special characters, but if an attacker were able to discover one of them they could easily guess all the others. Random passwords are the gold standard, but long random passwords are very hard to remember. Pass phrases can make long passwords memorable, but it is still very hard to remember a thousand of them without resorting to a simple pattern.

My suggestion is to use a password manager (also called a password vault) like 1Password, Dashlane, or LastPass. Any of these will store all of your passwords, make them securely available across your devices, and automatically fill them in on web forms. They will also generate long random passwords for you, which you never need to bother trying to remember. For example, a typical password for me would be "kGAg2{MgHm8[cvrG7WE=", which is very strong.

I do still need to remember one password, the one that secures the passwords in the vault. That is where the pass phrase really shines. That one memorable phrase protects all the impossible to remember unique and strong passwords. That phrase could be something like “H8 it when Fluffy poops on the rug, but love him all the time!” which is easy to remember, very hard to guess, and you only need one.

If you do just one thing for your security this year, get a good password manager and start changing all of your passwords to be strong and unique every time you go to a site.

For the curious, here is the full list of the 25 most common passwords:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1
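The two habits described above (reusing a top-25 password, and deriving each site's password from a shared pattern) can be caught mechanically. This is an added example, not code from the original post: it audits a password against the list above, detects the "fluffy3SiteName!" pattern, shows that two such passwords share one template, and estimates the bits of a manager-generated random password. The class-based estimate deliberately overstates a pattern password, which is exactly why the pattern check is needed.

```python
import math
import re

# The 25 most common passwords of 2016 as listed in the post.
WORST_2016 = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome", "solo",
    "abc123", "admin", "121212", "flower", "passw0rd", "dragon", "sunshine",
    "master", "hottie", "loveme", "zaq1zaq1", "password1",
}


def _compact(text: str) -> str:
    """Lowercase and drop everything but letters and digits ('Wells Fargo' -> 'wellsfargo')."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_common(password: str) -> bool:
    return password.lower() in WORST_2016


def embeds_site_name(password: str, site: str) -> bool:
    """Flags the 'fluffy3Facebook!' habit: the site name appears inside the password."""
    return _compact(site) in _compact(password)


def strip_site(password: str, site: str) -> str:
    """Remove the site name (case-insensitive) to expose the reusable template."""
    return re.sub(re.escape(_compact(site)), "", password, flags=re.IGNORECASE)


def shared_template(pw_a: str, site_a: str, pw_b: str, site_b: str) -> bool:
    """True when one leaked password lets an attacker predict the other."""
    return strip_site(pw_a, site_a) == strip_site(pw_b, site_b)


def estimate_bits(password: str) -> float:
    """Naive entropy for a truly random password: length * log2(alphabet).
    Alphabet size is inferred from the character classes present
    (26 lower, 26 upper, 10 digits, 32 printable symbols)."""
    classes = [
        (r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
        (r"[^a-zA-Z0-9]", 32),
    ]
    alphabet = sum(size for pattern, size in classes if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit(password: str, site: str) -> list:
    """Findings a password manager or signup form could report."""
    findings = []
    if is_common(password):
        findings.append("on the 2016 worst-25 list")
    if embeds_site_name(password, site):
        findings.append("contains the site name (pattern password)")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for pw, site in [("123456", "Facebook"), ("fluffy3Facebook!", "Facebook"),
                     ("kGAg2{MgHm8[cvrG7WE=", "Facebook")]:
        print(f"{pw!r}: {audit(pw, site) or 'ok'}, ~{estimate_bits(pw):.0f} bits")
    print("one leak predicts the other:",
          shared_template("fluffy3Facebook!", "Facebook", "fluffy3WellsFargo!", "Wells Fargo"))
```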

Your Android phone may be passing your texts to China

Security firm Kryptowire discovered that at least hundreds of thousands of Android phones in the US are configured to automatically send all text messages, call logs, location information, contact lists and more to servers in China every 72 hours. This is all invisible to the end user.

In the US, the dangerous software, made by Adups, is known to be on 120,000 phones made by BLU Products. The software appears to have been designed primarily for the Chinese market and impacts in the US may have been unintentional. Adups provides the software to ZTE and Huawei, two of the largest phone makers in the world.

This is not a bug but an intentional feature of the software. It is not yet clear whether this is abusive data collection for marketing or usage data, or whether this is part of a major surveillance activity by the Chinese government. An attorney for Adups says that the software helped identify junk texts and calls and that the information (at least for BLU customers) was deleted.

Read more in this NYTimes article.

How was the Internet of Things able to take down the Internet with a DDoS?

On October 21st, a large number of websites, including some of the biggest names, were knocked off the Internet by a massive distributed denial-of-service (DDoS) attack. A DDoS attack occurs when thousands to millions of devices send traffic to a target, completely overloading its servers or Internet connection.

The recent attack targeted a company called Dyn, a DNS service provider for thousands of companies. DNS translates the name of an Internet host into an IP address, which your computer then uses to do the actual communicating. By disrupting Dyn, the attackers prevented this translation from happening for the companies Dyn supports, making them unreachable for many users.

To cause this disruption, the attackers sent a staggering 1.2 Tbps (trillion bits per second) of data. Typical home Internet might max out at 15 Mbps (million bits per second). Therefore, this would be equivalent to 80,000 home connections simultaneously sending everything they could to this one company. In fact, this attack utilized many more devices, sending only a smaller amount of data each to add up to that gigantic total.

Interestingly, the attack did not use compromised personal computers (typically the most common method), but rather compromised Internet of Things (IoT) devices. IoT devices include surveillance cameras, smart TVs, home routers, and smart thermostats. Most of these are designed with very weak security and often have built-in, hard to change default passwords. A malware tool called Mirai, recently released to the public as source code, was the technology behind exploiting these vulnerable devices. Anyone could have used Mirai to create an enormous swarm of compromised devices, which could be launched against any target they pleased.

Unfortunately, there is very little incentive for the makers of IoT devices to create them using real security. So far, they have not been held responsible for damages, and neither they nor their users typically experience any direct harm from the attacks. ISPs also have some ability to detect and block attacking traffic and vulnerable devices, but only at significant cost and annoyance to their legitimate customers.

Because these devices have a relatively long shelf life, it may take years after the makers are finally forced, in one way or another, to secure the devices before we see any real benefits from the change.

[Updated 10/27 to improve clarity]

So many reasons to never buy a D-Link router

If you care at all about security and privacy, a recent security analysis of the D-Link DWR-932 B LTE router will make your head explode.

Researcher Pierre Kim found an amazing set of security vulnerabilities that should embarrass a first year developer.

First, by default you can SSH and Telnet (yes, Telnet!) into the router using the root or admin accounts. These accounts have preset passwords of "admin" and "1234" respectively. People, you should never set up fixed accounts like this, and if you do, don't use trivial passwords!

Of course it gets worse. There is also a backdoor on the routers. If you send "HELODBG" to port 39889 it will start a telnet daemon which provides root access without any authentication at all. My head is starting to look like the guys at the end of Raiders of the Lost Ark.

Just for fun, they have a fixed PIN for WiFi Protected Setup, many vulnerabilities in the HTTP daemon, major weaknesses in their over-the-air firmware updating, and anyone on the LAN can also create any port forwarding rule on the router for any port.

It is amazing that one product could have such a comprehensive set of catastrophic security failures. It certainly raises the question of how well they secure any of their other products.

Macs are not safe from Bears

Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT group they call "Fancy Bear".

The malware is a trojan executable designed to look and act like a PDF file. It is being used in highly targeted attacks where the apparent content of the file is something that the recipient was expecting to receive.

These kinds of attacks typically start with the nation state level APT attackers and quickly make their way down to the street level cybercriminals. Everyone on every platform needs to pay attention to their security and take proper precautions.

Security lessons from Pokemon Go - Catch them all!

When anything big happens on the Internet, the criminals and snoops are not far behind. This time the event is Pokemon Go, and there are all kinds of different threats developing in its wake, from malware to tracking to physical danger. If you are not familiar with this game yet, just look around next time you step outside; it is everywhere.

Criminals have jumped quickly on the piecemeal global rollout of the game. Players unwilling to wait for the official release in their countries have been looking for the game on unofficial app stores. A version with the Android trojan DroidJack has been seen which allows the attacker to take complete control of the victim’s phone and access any files or information. The vast majority of users should absolutely avoid any third party app stores. Only get your software from known and reputable sources and don’t do anything to bypass the phone’s security. The best practice is to stick with the app store that came with your phone.

Even the official version of the game raises some troubling privacy concerns. By design the application tracks you when you are using it, and you are strongly encouraged to be using it all the time. This is hardly the only application tracking you, but the privacy policy on the game is not great. Also, it is likely to be disproportionately tracking children. Always think about who has access to your information and how it can be used for and against you. The tracking data might be ok in the hands of the current company but if it is sold or stolen, you might be less happy with the people who have it.

Conventional muggers have also discovered the power of Pokemon Go to lure their victims. In the game, players need to search out fixed locations called Poke Stops and Gyms. Criminals can add capabilities to these virtual constructs to make them even more interesting and attractive. If the location is dark and somewhat hidden, it becomes the perfect location for an ambush. The divide between virtual and physical keeps getting narrower. Physical attacks are launched from cyberspace, and cyber attacks can start with physical device access. We can't just focus on the digital risks of tools and attacks, but must also consider how they could impact us in the analog world.

Finally, this game is causing people to walk into the street, down dark alleys, and into rough neighborhoods without paying attention or taking appropriate care. Like distracted driving, this is another example of our immersion in the electronic realm causing us to neglect the basics of staying safe in the here and now.

I find it fascinating that one program, and a game at that, can have so many and varied security implications. Now, I am off to catch me some Pokemon, I think there are some down my driveway!

Downloading files is dangerous, these tips can keep you safe

When it comes to checking for hostile files coming in from the web, it is much more difficult than simply scanning an email. Communications are conducted in real time and are often encrypted. There are two ways to get malware when surfing the Internet: an exploited browser (which downloads malware automatically, without you clicking anything) and being tricked into downloading an infected file. To defend against both, you need a secure browser and some common sense.

Effectively protecting yourself against browser exploits doesn't take much; you just need to use a secure browser. Conventional browsers will always be vulnerable to attacks, while secure browsers like Passages provide complete protection against browser exploits. Regardless of where you go or what you click on, malicious files will never make it to your physical computer.

Read my whole article on the Ntrepid blog.

Why targeting is a trend and how to protect yourself

At the recent BSides security conference in San Francisco (just before the RSA conference) I had the opportunity to give a talk about targeted attacks and how they are changing the game of cyber defense. The talk was recorded, so you can listen to the whole thing, or read a brief summary below.

Sophisticated targeting is one of the most important trends in security right now. Although most of the malware and attacks we see are still un-targeted, the biggest and most damaging ones are highly targeted.

  1. Targeted attacks are harder to detect because they impact a much smaller population.
  2. Targeted attacks avoid attacking security researchers, bots, and honeypots making discovery and analysis more difficult and time consuming.
  3. Targeted attacks preserve expensive zero-day exploits from being added to detection signatures.
  4. Attackers know exactly what they want and what they want to do with it so they can get much more impact for a given effort (whether cash, political impact, revenge, or whatever).

A random attack like a ransomware incident should be no more than an annoyance to a reasonably prepared business. Employees can be trained to avoid clicking on links or attachments in suspicious emails. The same is not true of targeted attacks. A masterfully crafted spear phishing email will fool just about anyone, even the most savvy or expert users. Attack emails will come from people the victim knows and will be written in that person’s style and be completely appropriate to their topics of discussion. Attachments and links will appear normal and expected. Targeted watering hole attacks compromise marquee websites like Forbes and Yahoo, and then avoid detection by only launching attacks against the small handful of desired victims. Far from being in the dark back alleys of the Internet, these attacks happen in the cyber equivalent of noon in Times Square. Because targeted attacks are harder to detect, attackers are willing to deploy their most valuable zero-day or otherwise undetectable exploits and tools. They know that they are likely to remain effective long after the attack. These tools are also the most effective and reliable at penetrating the target company.

Once the attacker is in, they can move directly to getting what they came for. That could be credit card numbers, personal information, business secrets, or just embarrassing emails. The Sony hackers almost certainly knew what they wanted to do with their stolen emails before they started. Likewise, the OPM hackers doubtless had very specific plans for the detailed personal information they were able to take. Defending against targeted attacks is also much more difficult. The low volume makes it much less likely that anomaly detection systems will trigger. The use of unknown tools makes signature detection fail. And attacker research allows them to find a soft entry point to the enterprise and move strategically from there. Businesses need to move quickly towards security that is less reliant on detection for protection. Architectures must contain attacks, minimize damage, and automatically restore systems whether or not they are known to be compromised. Detection and training will always be valuable, but we cannot rely on them to be effective, especially against targeted attacks.

POS Breaches Threaten Holiday Shopping Season

The point of sale (POS) breaches at Hilton, and Starwood before that, suggest that a group of hackers is specifically targeting hotels, probably because most travelers have above average income. It should also make us brace for a likely wave of further POS breaches in many other businesses during the holiday shopping season. It really makes me wish that more merchants accepted secure payment tools like Apple Pay, or even that more than a small fraction accepted the new chip and signature cards.

Hilton Data Breach Focuses Attention On Growing POS Malware Threat

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.