The Privacy Blog Podcast – Ep.7: Blacklisted SSL Certificates, Social Media Hacking, and the “Right to be Forgotten” Online

in , , , , , ,

Welcome to episode 7 of The Privacy Blog Podcast. In April’s episode, we’ll be looking at the blacklisting of SSL certificate authorities by Mozilla Firefox - Specifically, what this complex issue means and why Mozilla chose to start doing this.

In more breaking online privacy news, I will be discussing the security implications of relying on social media following the hacking of the Associated Press Twitter account earlier this week.

Next, I’ll chat about the “right to be forgotten” on the Internet, which hinges on the struggle between online privacy and free speech rights. In a closely related topic and following Google’s release of the new “Inactive Account Manager,” I will discuss what happens to our social media presence and cloud data when we die. It’s a topic none of us likes to dwell on, but it’s worth taking the time to think about our digital afterlife.

The power we give to Social Media

in ,

Last week the Twitter account of the Associated Press was hacked, and a message posted saying that bombs had gone off in the white house, and the president was injured.

 

Obviously this was false. The Syrian Electronic army a pro regime hacker group has claimed responsibility, which does not prove that they did it.

There is talk about Twitter moving to two factor authentication to reduce similar hacking in the future. While this is all well and good, it will not eliminate the problem.

The bigger issue is that these poorly secured social media sites are used by people around the world as reliable sources of news.

Apparently much of the crash came from automated trading systems parsing the tweet, and generating immediate trades without any human intervention at all.

The DOW dropped 140 points in 5 minutes.

The creators of these trading algorithms feel that news from twitter is reliable enough to be the basis of equity trades without any confirmation, or time for reflection.

Certainly very large amounts of money were made and lost in that short period.

Why make the effort to hack into what we hope is a well defended nuclear power plant or other critical infrastructure, when you can get similar amounts of financial damage from subverting a nearly undefended twitter account.

Because individual twitter accounts are not considered critical infrastructure, they are hardly protected at all, and are not designed to be easy to protect.

Nevertheless we give it, and other social media, substantial power to influence us and our decisions, financial and otherwise.

Take for example the crowd sourced search for the Boston bombers on reddit. Despite the best of intentions, many false accusations were made that had major impact on the accused, and one can imagine scenarios which could have turned out much worse. What if the accused at committed suicide, been injured in a confrontation with authorities, or been the vicim of vigilante action? Now, what if there had been malicious players in that crowd intentionally subverting the process. Planting false information, introducing chaos and causing more damage.

 

This is an interesting problem. There are no technical or legislative solutions. It is a social problem with only social solutions. Those are often the hardest to address.

Blacklisting SSL Certificate Authorities

in , ,

The Register has an article on Firefox black listing an SSL Certificate authority.

Certificates and certificate authorities are the underpinnings of our secure web infrastructure.

When you see the lock on your browser, it means that the session is encrypted and the site has presented a valid site certificate (so it is who it claims to be).

That site certificate is signed by one of many certificate authorities.

I see 86 certificate issuing authorities in my Firefox now.

Many of those certificate authorities have multiple signing certificates.

Additionally the certificate authorities can delegate to subordinate certificate authorities to sign site certificates.

Any certificate signed by any of these authorities or subordinate authorities is recognized as valid.

These entities are located all over the world, many under the control of oppressive governments (however you define that).

Certificate authorities can create certificates to enable man in the middle attacks, by signing keys purporting to be for a given website, but actually created and held by some other entity.

There are plugins like certificate patrol for Firefox that will tell you when a site you have visited before changes certificates or certificate authorities. Unfortunately this happens fairly frequently for legitimate reasons, such as when renewing certificates every year or few years.

Some certificate authorities are known or suspected to be working with various law enforcement entities to create false certificate for surveillance.

Here is how it works:

The government has certificate authority create a new certificate for a website.

The government then intercepts all sessions to that site with a server (at national level routers for example).

The server uses real site certificate to communicate with the real website securely.

The server uses the new fake certificate to communicate with user securely.

The server then has access to everything in the clear as it shuttles data between the two secure connections..

It can read and/or modify anything in the data stream.

 

Firefox is removing TeliaSonera’s certificate authority from the list in Firefox for this reason. Going forward no certificate issued by them will be recognized as valid. This will impact a large number of legitimate websites that have contracted with TeliaSonera, as well as preventing the fake certificates.

There is a lot of controversy about this. What is appropriate cooperation with law enforcement vs. supporting and enabling dictators.

In any case, this is a failure of the protocol. If the browser shows a certificate as valid when it has not come from the real website, then there has been a security failure.

The SSL key infrastructure is showing its age. It was “good enough” when there were only one or two certificate authorities and the certificates were not actually protecting anything of great importance. Now everyone relies heavily on the security of the web. Unfortunately, while it is broken, it is very hard to replace.

In the short term, installing a certificate checker like certificate patrol is probably a good idea, despite the number of false positives you will see.

In the longer term, there is a really hard problem to solve.


No Porn on UK WiFi

in , ,

According to the Telegraph, the UK government is instituting a code of conduct for public WiFi which would require blocking of pornography to protect kids.

I see a couple of problems here.

1) Porn proliferates very quickly, so the blocking is likely to always be behind the curve, and kids are really good at getting around these kinds of blocks.

2) Some people will feel that things are allowed that should be blocked.

3) Inevitably legitimate websites will be blocked. A common example is breast feeding web sties, which frequently get caught in these kinds of nets.

4) Implementing this requires active monitoring of the activity on the WiFi which generally enables other kinds of surveillance.

Most home networks don't have filtering on the whole network, so kids at home would be exposed to raw Internet. The standard is generally to filter at the end device. It seems to me that would be the best option here.

Parents could choose exactly the blocking technology and philosophy they want to have applied, and it does not impact anyone else.

DEA can't break Apple iMessage encryption?

in , ,

Cnet reports that an internal DEA document reveals that the DEA are unable to intercept text messages sent over Apple's iMessage protocol.

The protocol provides end to end encryption for messages between iOS and Mac OS X devices.

This is not to suggest that the encryption in iMessages is particularly good, but to contrast with standard text messages and voice calls which are completely unprotected within the phone company's networks.

It appears that an active man in the middle attack would be able to thwart the encryption, but would be significantly more effort. The lack of any kind of out of band channel authentication suggests that such an attack should not be too difficult.

If you really need to protect your chat messages, I suggest using a tool like Silent Text. They take some steps that make man in the middle attacks almost impossible.

The Privacy Blog Podcast - Ep.6: Breaking Privacy News – Facebook “Likes” Predict Personality, Google's Wi-Fi Sniffing, and the Six Strikes Anti-Piracy Policy

in , ,

In the March episode of The Privacy Blog Podcast, I’ll run down some of the major privacy news events of the last month. Learn how Facebook “Likes” can paint an extremely detailed and eerie picture of your real-life character traits. I’ll provide my take on Google’s Street View Wi-Fi sniffing controversy along with how “Do Not Track” flags are affecting the everyday Internet user. We’ll then touch on the implementation of the “Six Strikes” copyright alert system that was recently adopted by all five major ISP providers. Stay tuned until the end of the episode to hear about Anonymizer’s exciting new beta program for Android and iOS devices. Thanks for listening!

Will a warrent be required to access your email.

in , ,

Email Privacy Hearing Set To Go Before The House On Tuesday | WebProNews

The House Judiciary Committee is going to be discussing the Electronic Communications Privacy Act. There is a chance that they will strengthen it.

This act was written decades ago, before there were any real cloud solutions. Email was downloaded by your email client, and immediately deleted from the server. They law assumed that any email left on a server more than 180 days had been abandoned, and so no warrant was required for law enforcement to obtain it.

These days, with services like gmail, we tend to keep our email on the servers for years, with no thought that it has been abandoned. Law enforcement is opposing reforms of this law because it would make their work more difficult. Doubtless it would, as does almost any civil liberty.

Earlier this month Zoe Lofgren introduced the Online Communications and Geolocation Protection act, amending ECPA. It would require a warrant to obtain cell phone location information. There is clearly some momentum for reform.

Did Anyone Get the Name of That Hacker Who PWNED Me?

in , ,

Since relatively few of you had a chance to hear my talk at RSA, here is a re-recording I did of the presentation I uploaded to YouTube.

It runs just under 30 minutes.

The talk is the flip side of my usual presentations. I typically talk about how to be stealthy on the Internet. This time I was talking to network defenders about how to identify people using privacy technologies, and to use that information to help them strengthen their network defenses.

Enjoy!

Devastatingly effective spear phishing

in , ,

The BBC has an article that powerfully reinforces what I have been saying for years about spear phishing. It is worth a read if just for the specific examples.

The short version is, if an attacker is going for you specifically, they can do enough research to craft an email and attachment that you are almost certain to open. The success rate against even very paranoid and sophisticated users is shockingly high.

In Bruce Schneier's blog post about this he quotes Brian Snow, former NSA Information Assurance Director. "Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents."

Sobering….

The Privacy Blog Podcast – Ep. 5: The Dark Alleys of the Internet & The High Stakes of Corporate Anonymity

in , , , , , ,

Welcome to the February edition of The Privacy Blog Podcast. In this episode, I’ll discuss a topic that caught me by surprise in the recent weeks – the dark alleys of the Internet aren’t as scary as we once thought. According to Cisco’s Annual Security Report, the most common, trusted websites we visit everyday have the highest overall incidents of web malware encounters. For example, Cisco reports that online advertisements are 182 times more likely to infect you with malware than porn sites. Secondly, I’ll be talking about corporate anonymity issues, where the stakes are often extremely high due to real dollar-losses corporations could face. A few examples I’ll hit on are: competitive pricing research, search engine only pages for spoofing search results, trademark infringement, and research and development activities.

Hope you enjoy the episode. Please leave feedback and questions in the comments section of this post.

Security by obscurity and personality shards

in , , ,

Adam Rifkin on TechCrunch has an interesting article about Tumblr and how it is actually used.The thesis of the article is that Tumblr is used more openly and for more sensitive things than Facebook because the privacy model is so much easier to understand and implement. If you have five interests and corresponding social circles, just set up five pseudonymous Tumblrs. Each then becomes its own independent social space with minimal risk of cross contamination. While all of those Tumblrs are public and discoverable, in practice they are not easy to find and unlikely to be stumbled upon by undesired individuals. This is classic security by obscurity. By contrast, Facebook wants you to put everything in one place, then use various settings to try to ensure that only the desired subset of friends, friends of friends, or the general public have access to it. This ties to the case I have been making for a while that people want to be able to separate their various personality shards among their various social circles. Even with access controls, using the same account for all of them may be too much connection and the odds of accidentally releasing information to the wrong people is too likely. I would like to see something like Tumblr provide stronger abilities to restrict discoverability, but it represents an interesting and growing alternative model to Facebook.

China launches MITM attack on GitHub

in , , , ,

It appears that China recently launched a poorly executed Man in the Middle (MITM) attack on GitHub.

Greatfire.org has all the details.

In short:

GitHub.com is an https only website, so the only way to monitor it is to use a MITM attack to decrypt the contents of the communications. There is evidence that GitHub is widely used in China for code sharing, so the backlash from blocking it completely was too large, and it was unblocked a few days later.

The attack happened on January 26. It was poorly executed in that the faked certificate did not match the real one in any of the meta-data and it was not signed by a recognized certificate authority. This caused most browsers to report a security error. The MITM attack only lasted about an hour.

Based on reports it only impacted users in China, which strongly suggests that it was government backed at some level. My work in censorship circumvention over the years has shown that China is far from monolithic. This could have been the work of a local government or regional ISP. I have not seen an analysis showing if this was country wide or not. It seems very ham fisted for the central government.

The speculated reason for the attack is to monitor access to a list of people who have been involved in creating the Great Firewall of China, which is hosted on GitHub, and is connected to a petition on Whitehouse.gov proposing that those people be denied entry to the US.

Dark alleys of the Internet not actually the dangerous parts.

in ,

For years I have been telling people to be especially careful when they venture into the dark back alleys of the Internet. My thinking was that these more "wild west" areas would be home to most of the malware and other attacks.

Dark Reading analyzes a Cisco report which says that online shopping sites and search engines are over 20 times more likely to deliver malware than counterfeit software sites. Advertisers are 182 times more dangerous than pornography sites.

So, I guess I need to change my tune. Be careful when you are going about your daily business, and have fun in those dark alleys!

Have you seen your digital footprint lately?

in , , ,

A Guest Post by Robin Wilton of the Internet Society  

We are the raw material of the new economy. Data about all of us is being prospected for, mined, refined, and traded...

 

. . . and most of us don’t even know about it.

 

Every time we go online, we add to a personal digital footprint that’s interconnected across multiple service providers, and enrich massive caches of personal data that identify us, whether we have explicitly authenticated or not.

 

That may make you feel somewhat uneasy. It's pretty hard to manage your digital footprint if you can't even see it.

 

Although none of us can control everything that’s known about us online, there are steps we can take to understand and regain some level of control over our online identities, and the Internet Society has developed three interactive tutorials to help educate and inform users who would like to find out more.

 

We set out to answer some basic questions about personal data and privacy:

 

  1. Who’s interested in our online identity? From advertisers to corporations, our online footprint is what many sales driven companies say helps them make more informed decisions about not only the products and services they provide - but also who to target, when and why.

 

  1. What's the real bargain we enter into when we sign up? The websites we visit may seem free - but there are always costs. More often than not, we pay by giving up information about ourselves – information that we have been encouraged to think has no value.

 

  1. What risk does this bargain involve? Often, the information in our digital footprint directly changes our online experience. This can range from the advertising we see right down to paying higher prices or being denied services altogether based on some piece of data about us that we may never even have seen. We need to improve our awareness of the risks associated with our digital footprint.

 

  1. The best thing we can do to protect our identity online is to learn more about it.

 

The aim of the three tutorials is to help everyone learn more about how data about us is collected and used. They also suggest things you need to look out for in order to make informed choices about what you share and when.

 

Each lasts about 5 minutes and will help empower all of us to not only about what we want to keep private, but also about what we want to share.

 

After all, if we are the raw material others are mining to make money in the information economy, don't we deserve a say in how it happens?

 

Find out more about the Internet Society’s work on Privacy and Identity by visiting its website.

 

* Robin Wilton oversees technical outreach for Identity and Privacy at the Internet Society.

The Privacy Blog Podcast - Ep.4: Data Privacy Day – Privacy Legislation, Social Media, and Corporate Data Security

in

Welcome to first podcast of 2013. In honor of Data Privacy Day, which falls on January 28th, I’ll be discussing current data privacy and security issues facing both consumers and businesses by taking you through the pros and cons of privacy legislation, privacy in the context of social media, and corporate data security at the human level. Hope you enjoy January’s episode of The Privacy Blog Podcast. Please leave any feedback or questions you have in the comments section below.

A peek at the cybercrime economy

in , ,

The latest Java exploit has given another view into the workings of the cybercrime economy. Although I should not be, I am always startled at just how open and robustly capitalistic the whole enterprise has become. The business is conducted more or less in the open.

Krebs on Security has a nice piece on an auction selling source code to the Java exploit. You can see that there is a high level of service provided, and some warnings about now to ensure that the exploit you paid for stays valuable.

Looks like Java is STILL vulnerable / broken

in ,

I did not post on the recent Java vulnerability because the fixes came out so quickly, however, it looks like I relaxed too soon.

Apparently there was a second vulnerability that did not get fixed. At this point, you should probably just disable Java in your browser. Gizmodo has a short article on how to do that for the various browsers.

Very few websites actually require Java any more. If you absolutely need to visit one of them, I suggest enabling Java on just one of your browsers and using that browser exclusively for visiting that trusted site with Java.

Nokia does a man in the middle attack on your secure mobile browsing

in , , ,

Gigaom reports on a major security issue at Nokia, first announced in the "Treasure Hunt" blog.

Their Asha and Lumia phones come with something they call the "Xpress Browser". To improve the browser experience, the web traffic is proxies and cached. That is a fairly common and accepted practice.

Where Nokia has stepped into questionable territory is when it does this for secure web traffic (URLs starting with HTTPS://). Ordinarily it is impossible to cache secure web pages because the encryption key is unique and used only for a single session, and is negotiated directly between the browser and the target website. If it was cached no one would be able to read the cached data.

Nokia is doing a "man in the middle attack" on the user's secure browser traffic. Nokia does this by having all web traffic sent to their proxy servers. The proxy then impersonate the intended website to the phone, and set up a new secure connection between the proxy and the real website.

Ordinarily this would generate security alerts because the proxy would not have the real website's cryptographic Certificate. Nokia gets around this by creating new certificates which are signed by a certificate authority they control and which is pre-installed and automatically trusted by the phone.

So, you try to go to Gmail. The proxy intercepts that connection, and gives you a fake Gmail certificate signed by the Nokia certificate authority. Your phone trusts that so everything goes smoothly. The proxy then securely connects to Gmail using the real certificate. Nokia can cache the data, and the user gets a faster experience.

All good right?

The fly in the ointment is that Nokia now has access to all of your secure browser traffic in the clear, including email, banking, etc.

They claim that they don't look at this information, and I think that is probably true. The problem is that you can't really rely on that. What if Nokia gets a subpoena? What about hackers? What about accidental storage or logging?

This is a significant breaking of the HTTPS security model without any warning to end users.