Seriously Tinder, cleartext in 2018?

When I think about security and privacy, I often focus on sophisticated attacks and exotic exploits, or on user error and social engineering. A recent report about the security design of Tinder reminds me that we need to also keep an eye out for someone just leaving the door unlocked and wide open.

Tinder does not encrypt the connection between your phone and its servers when sending photos back and forth. Anyone in a position to see your network traffic, like on a public WiFi, could see and potentially modify those photos. Additionally, even the encrypted communications leave patterns that an attacker can recognize. The messages for "left swipes" and "right swipes" are different in size, so the observer not only knows which profile you viewed, but also what you thought about it.
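The size leak described above is easy to see in a small model, and so is the fix: the server (or client) pads every message of a given kind to a fixed bucket size before it is encrypted, so all swipes look the same length on the wire. The code below is an added example and is not Tinder's or Checkmarx's code; the two swipe bodies, the 16-byte AEAD overhead and the 256-byte bucket are all constructed assumptions for illustration.

```python
"""Size side channel: why encrypted messages of different lengths still leak, and how padding hides it."""
import struct
from typing import Dict, Optional

# Constructed stand-ins for the two swipe messages. The bodies are hypothetical;
# all that matters is that the "like" and "pass" bodies differ in length.
SWIPE_BODIES: Dict[str, bytes] = {
    "like": b'{"action":"like","target":"user_7f3a"}',
    "pass": b'{"action":"pass","target":"user_7f3a","hide":true}',
}

AEAD_OVERHEAD = 16   # a TLS AEAD record adds a fixed-size tag; the plaintext length still shows through
BUCKET = 256         # padding bucket size, an assumption for this example


def ciphertext_length(plaintext: bytes) -> int:
    """Model what a passive observer sees: encryption hides content, not length."""
    return len(plaintext) + AEAD_OVERHEAD


def pad_to_bucket(body: bytes, bucket: int = BUCKET) -> bytes:
    """Length-prefix the body and zero-pad up to a multiple of `bucket` bytes."""
    framed = struct.pack(">H", len(body)) + body
    pad_len = (-len(framed)) % bucket
    return framed + b"\x00" * pad_len


def unpad(padded: bytes) -> bytes:
    """Inverse of pad_to_bucket: read the 2-byte length prefix and slice out the body."""
    (n,) = struct.unpack(">H", padded[:2])
    return padded[2:2 + n]


def build_size_table(padded: bool) -> Dict[str, int]:
    """What an observer learns by first watching their own swipes: action -> wire length."""
    return {
        action: ciphertext_length(pad_to_bucket(body) if padded else body)
        for action, body in SWIPE_BODIES.items()
    }


def observer_guess(observed_len: int, size_table: Dict[str, int]) -> Optional[str]:
    """Return the single action whose wire length matches, or None when sizes are ambiguous."""
    matches = [action for action, size in size_table.items() if size == observed_len]
    return matches[0] if len(matches) == 1 else None


def simulate(action: str, padded: bool) -> Optional[str]:
    """Send one swipe and report what a passive observer concludes from its size alone."""
    body = SWIPE_BODIES[action]
    wire = pad_to_bucket(body) if padded else body
    return observer_guess(ciphertext_length(wire), build_size_table(padded))


if __name__ == "__main__":
    for action in SWIPE_BODIES:
        print("unpadded %s: observer guesses %s" % (action, simulate(action, padded=False)))
        print("padded   %s: observer guesses %s" % (action, simulate(action, padded=True)))
```

Without padding the observer recovers the swipe direction from length alone; with padding both actions arrive as 272-byte records and the guess collapses to "don't know". Padding costs bandwidth, so the bucket size is a trade-off, but it is the standard mitigation for this class of leak and is cheaper than the alternative of leaking user intent to anyone on the same WiFi.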

The company that discovered the attack, Checkmarx, has even created a fully functional demonstration of it.

Doubtless there are many other apps with similar vulnerabilities that testers have not gotten around to examining. It is deeply frustrating that many developers put so little effort into protecting the privacy and security of their users, who are the whole reason the business has value.

Fortunately there is a way to defend against at least this particular vulnerability, VPNs. By encrypting all of your traffic before it leaves your device you can ensure that anyone sniffing on the local network or WiFi is prevented from reading any of the content. It also keeps them from knowing what services you are visiting, and mixes together all of your different activities over the same channel.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow him on Facebook, Twitter, and LinkedIn

Do you use any of the worst passwords of 2016?

It is time to talk about passwords again. They are like the seatbelts of the security world. There are many more exciting security tools, but few are as important to keeping you safe from the risks you encounter day to day.

Splash Data recently released their list of the most common passwords from 2016 based on over five million stolen and leaked credentials.

Clearly things have improved and password requirements have gotten more stringent, because the winner is no longer 1234, which has dropped to #11. It is now 123456! Second place goes to that perennial favorite "password", and we see 12345 in third place.

Rather than showing how stupid people are, I think this shows just how many passwords we are asked to create, keep track of, and change. I have over 1500 passwords right now. Asking humans to create, manage, and remember unguessable and unique passwords for all those sites is absurd. Humans tend to fall back on a couple of strategies. Some people have one good password that they use on all of their important websites, and a really simple one for all the other websites. Other people will create a simple pattern for generating passwords for each site, like adding a word to the name of the site. The password for Facebook might be "fluffy3Facebook!" and Wells Fargo might be "fluffy3WellsFargo!". Those would pass most tests for length, capitalization, numbers, and special characters, but if an attacker were able to discover one of them they could easily guess all the others. Random passwords are the gold standard, but long random passwords are very hard to remember. Pass phrases can make long passwords memorable, but it is still very hard to remember a thousand of them without resorting to a simple pattern.

My suggestion is to use a password manager (also called a password vault) like 1Password, Dashlane, or LastPass. Any of these will store all of your passwords, make them securely available across your devices, and automatically fill them in on web forms. They will also generate long random passwords for you, which you never need to bother trying to remember. For example, a typical password for me would be "kGAg2{MgHm8[cvrG7WE=", which is very strong.

I do still need to remember one password, the one that secures the passwords in the vault. That is where the pass phrase really shines. That one memorable phrase protects all the impossible-to-remember unique and strong passwords. That phrase could be something like "H8 it when Fluffy poops on the rug, but love him all the time!", which is easy to remember, very hard to guess, and you only need one.

If you do just one thing for your security this year, get a good password manager and start changing all of your passwords to be strong and unique every time you go to a site.

For the curious, here is the full list of the 25 most common passwords:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1
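To make the post's advice concrete, here is an added example (my code, not SplashData's or any password manager's) that checks a candidate password against the 2016 list above, flags the "word plus site name" pattern the post warns about, and generates the kind of long random password a manager would produce. The site names and the 12-character floor are assumptions for this example; the 25 entries are the ones on the page.

```python
"""Offline password hygiene checks plus a generator, illustrating the post's advice."""
import math
import re
import secrets
import string
from typing import List

# The 25 most common passwords from SplashData's 2016 list, as given in the post.
WORST_2016 = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome", "solo",
    "abc123", "admin", "121212", "flower", "passw0rd", "dragon", "sunshine",
    "master", "hottie", "loveme", "zaq1zaq1", "password1",
}

MIN_LENGTH = 12   # assumed policy floor for this example


def on_worst_list(pw: str) -> bool:
    """Exact match against the leaked-list entries (case-insensitive)."""
    return pw.lower() in WORST_2016


def looks_site_derived(pw: str, site: str) -> bool:
    """Flag the 'word + site name' pattern: the site's name embedded in its own password."""
    return site.lower().replace(" ", "") in pw.lower()


def shared_stem(pw_a: str, site_a: str, pw_b: str, site_b: str) -> bool:
    """True when two passwords for different sites collapse to the same string once the site name is removed,
    which is exactly what lets an attacker who learns one guess the other."""
    def strip(pw: str, site: str) -> str:
        return re.sub(re.escape(site), "", pw, flags=re.IGNORECASE)
    return strip(pw_a, site_a) == strip(pw_b, site_b)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a uniformly random string from a 94-symbol alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def assess(pw: str, site: str) -> List[str]:
    """Collect the reasons a password is weak for `site`; an empty list means nothing was flagged."""
    findings = []
    if on_worst_list(pw):
        findings.append("on 2016 worst list")
    if looks_site_derived(pw, site):
        findings.append("contains site name")
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d" % MIN_LENGTH)
    return findings


if __name__ == "__main__":
    print(assess("123456", "Facebook"))
    print(assess("fluffy3Facebook!", "Facebook"))
    print(shared_stem("fluffy3Facebook!", "Facebook", "fluffy3WellsFargo!", "WellsFargo"))
    pw = generate_password()
    print(pw, "%.1f bits" % entropy_bits(len(pw), 94))
```

The generator uses `secrets`, not `random`, because the latter is not suitable for security. A 20-character password from the 94 printable ASCII symbols carries about 131 bits of entropy, which is why the post can say a string like the one it quotes is "very strong" even though nobody could remember it.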

So many reasons to never buy a D-Link router

If you care at all about security and privacy, a recent security analysis of the D-Link DWR-932 B LTE router will make your head explode.

Researcher Pierre Kim found an amazing set of security vulnerabilities that should embarrass a first year developer.

First, by default you can SSH and Telnet (yes, Telnet!) into the router using the root or admin accounts. These accounts have preset passwords of "admin" and "1234" respectively. People, you should never set up fixed accounts like this, and if you do, don't use trivial passwords!

Of course it gets worse. There is also a backdoor on the routers. If you send "HELODBG" to port 39889 it will start a telnet daemon that provides root access without any authentication at all. My head is starting to look like the guys at the end of Raiders of the Lost Ark.

Just for fun, they have a fixed PIN for WiFi Protected Setup, many vulnerabilities in the HTTP daemon, major weaknesses in their over-the-air firmware updating, and anyone on the LAN can also create any port forwarding rule on the router for any port.
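If you already own one of these routers, the practical question is whether anyone is poking at it. Below is an added example (mine, not Pierre Kim's or D-Link's) that runs a few detection rules over connection-log lines: any connection to TCP 39889, the backdoor port named in the post, is flagged outright, management ports reached from outside the LAN are flagged, and telnet is flagged even from inside because its logins are cleartext. The log format, the LAN range and the sample lines are all constructed for this example.

```python
"""Flag traffic matching the D-Link DWR-932 issues from the post, over constructed log lines."""
import ipaddress
import re
from typing import List, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range for this example
BACKDOOR_PORT = 39889                          # from the post: "HELODBG" here starts an unauthenticated root telnet
BACKDOOR_TRIGGER = "HELODBG"
MGMT_PORTS = {22: "ssh", 23: "telnet"}

# Assumed log line shape: "<timestamp> src=IP:port dst=IP:port proto=tcp [payload=TOKEN]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=tcp(?: payload=(?P<payload>\S+))?$"
)

# Constructed sample log lines, not real captures. 198.51.100.9 plays the router's
# WAN address and 192.168.1.1 its LAN address; 203.0.113.5 is an outside host.
SAMPLE_LOG = """\
2018-01-20T10:00:01 src=192.168.1.20:50112 dst=192.168.1.1:80 proto=tcp
2018-01-20T10:00:07 src=203.0.113.5:44121 dst=198.51.100.9:39889 proto=tcp payload=HELODBG
2018-01-20T10:00:09 src=203.0.113.5:44130 dst=198.51.100.9:23 proto=tcp
2018-01-20T10:00:15 src=192.168.1.20:50120 dst=192.168.1.1:23 proto=tcp
"""


def classify(line: str) -> List[str]:
    """Return the findings for one log line; an empty list means nothing was flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []                              # unparseable lines are skipped, not guessed at
    src = ipaddress.ip_address(m.group("src"))
    dport = int(m.group("dport"))
    findings = []
    if dport == BACKDOOR_PORT:
        findings.append("backdoor-port")       # nothing legitimate should talk to this port
        if m.group("payload") == BACKDOOR_TRIGGER:
            findings.append("backdoor-trigger")
    elif dport in MGMT_PORTS:
        svc = MGMT_PORTS[dport]
        if src not in LAN:
            findings.append("wan-" + svc)      # management reachable from the Internet
        elif svc == "telnet":
            findings.append("lan-telnet")      # cleartext logins, even inside the LAN
    return findings


def scan(log: str) -> List[Tuple[str, List[str]]]:
    """Run classify() over a whole log and keep only the lines with findings."""
    out = []
    for line in log.splitlines():
        findings = classify(line)
        if findings:
            out.append((line.split()[0], findings))
    return out


if __name__ == "__main__":
    for ts, findings in scan(SAMPLE_LOG):
        print(ts, ", ".join(findings))
```

The rules are deliberately blunt: on this device there is no legitimate reason for port 39889 to see traffic at all, so a single hit is worth an alert rather than a threshold. Blocking the port at the WAN interface is the obvious complement, but detection matters because the post also notes that anyone on the LAN can add port forwarding rules, which can silently re-expose a service.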

It is amazing that one product could have such a comprehensive set of catastrophic security failures. It certainly raises the question of how well they secure any of their other products.

Macs are not safe from Bears

Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT group they call "Fancy Bear".

The malware is a trojan executable designed to look and act like a PDF file. It is being used in highly targeted attacks where the apparent content of the file is something that the recipient was expecting to receive.
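A file that looks like a PDF but is really an executable is detectable by content rather than by name: a PDF begins with the bytes `%PDF-`, while a Mac executable begins with one of the Mach-O magic numbers. The following is an added example of that check (my code, not Palo Alto Networks' analysis or tooling); the two sample headers are constructed, and the name-versus-content comparison is the whole point.

```python
"""Verify that a file presented as a PDF really is one and not a Mach-O executable."""
from typing import Tuple

PDF_MAGIC = b"%PDF-"
# Mach-O magic numbers as the bytes appear on disk, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # fat (universal) binaries
}


def sniff(header: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name or icon."""
    if header.startswith(PDF_MAGIC):
        return "pdf"
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def check_claimed_pdf(filename: str, header: bytes) -> Tuple[bool, str]:
    """Return (ok, reason); ok is False only when the name says PDF but the bytes say otherwise."""
    kind = sniff(header)
    if not filename.lower().endswith(".pdf"):
        return True, "not presented as a PDF (content: %s)" % kind
    if kind == "pdf":
        return True, "pdf"
    return False, "named .pdf but content is " + kind


def check_file(path: str) -> Tuple[bool, str]:
    """Same check against a real file on disk; only the first 8 bytes are needed."""
    with open(path, "rb") as f:
        return check_claimed_pdf(path, f.read(8))


# Constructed headers: a genuine PDF 1.7 header, and a 64-bit little-endian Mach-O header
REAL_PDF_HEADER = b"%PDF-1.7\n"
TROJAN_HEADER = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01"

if __name__ == "__main__":
    print(check_claimed_pdf("report.pdf", REAL_PDF_HEADER))
    print(check_claimed_pdf("report.pdf", TROJAN_HEADER))
```

Two caveats worth knowing: `CA FE BA BE` is also the magic of Java class files, so a hit on that value says "executable of some kind" rather than "Mach-O" specifically, and a malicious app bundle is a directory, not a single file, so this byte check is one layer of a mail or download filter, not a substitute for Gatekeeper and code-signing checks.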

These kinds of attacks typically start with the nation state level APT attackers and quickly make their way down to the street level cybercriminals. Everyone on every platform needs to pay attention to their security and take proper precautions.

Use VPN to avoid Gogo Man In The Middle vulnerability

Google engineer Adrienne Felt recently noticed that Gogo in-flight Wi-Fi was messing with the SSL certificates on secure Google web pages.

Her browser showed a problem with the HTTPS connection, and further investigation showed that the SSL certificate was self-signed by Gogo's own untrusted certificate authority.

This allows them to read all of the supposedly encrypted communications in the clear. That information could include personal, financial, corporate, or other confidential data. It also tends to train users to ignore security alerts, which leaves them vulnerable to any other attacker using the same kind of Man in the Middle attack.
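What the browser warning was reporting is that the certificate's issuer was not a CA the browser trusts. An application can make the same observation explicitly, as in this added example (my code, not Google's, Gogo's or Anonymizer's): the issuer organization is pulled out of the structure `ssl.SSLSocket.getpeercert()` returns and compared against an expected set. The expected issuer and the two sample certificate dictionaries are constructed assumptions for the example; the "example-proxy-ca" name is a hypothetical stand-in for an interception proxy's CA.

```python
"""Spot an unexpected certificate issuer, the symptom the Gogo incident surfaced."""
import socket
import ssl
from typing import Optional, Tuple

# Issuer organizations we would accept for the site in this example. This is an
# assumption for illustration, not a recommendation of any particular CA, and a real
# deployment has to keep such a list current as sites change CAs.
EXPECTED_ISSUER_ORGS = {"Google Trust Services LLC"}


def issuer_org(cert: dict) -> Optional[str]:
    """Extract organizationName from the issuer field of a getpeercert() dictionary."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_issuer(cert: dict, expected=EXPECTED_ISSUER_ORGS) -> Tuple[bool, Optional[str]]:
    """Return (ok, issuer_org); ok is False when the issuer is missing or not in the expected set."""
    org = issuer_org(cert)
    return org in expected, org


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): the default context verifies the chain against the system
    trust store and checks the hostname, so a self-signed proxy CA fails before we even look
    at the issuer; check_issuer() then catches a trusted-but-unexpected CA on top of that."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed dictionaries in the shape getpeercert() returns (issuer is a tuple of RDNs,
# each a tuple of (type, value) pairs). The second models an intercepting proxy's certificate.
GENUINE = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services LLC"),),
               (("commonName", "GTS CA 1C3"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("commonName", "example-proxy-ca"),),),   # hypothetical proxy CA, no organizationName
}

if __name__ == "__main__":
    print("genuine:", check_issuer(GENUINE))
    print("intercepted:", check_issuer(INTERCEPTED))
```

The point of keeping `check_issuer()` separate from the network code is that chain validation alone does not catch every proxy: a corporate or captive-portal device whose root has been installed on the machine validates fine, and only an explicit issuer or key check notices that the certificate for a well-known site is suddenly being issued by someone else.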

In their response, Gogo's EVP / CTO said:

"Gogo takes our customer's privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.

We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience."

I am not very reassured by this, particularly given their previous history of going above and beyond requirements to support law enforcement intercepts. Even if they are acting in good faith, this kind of action puts all users at risk. Any compromise of the proxy server would give full cleartext access to the communications of everyone on the plane.

To protect yourself, make sure you use a VPN service (like Anonymizer) to encrypt your traffic out to an endpoint beyond Gogo's reach.

Nokia did something similar a while back.

Even certificate authorities can’t always be trusted.

Thanks to the following articles:

Gogo Inflight Internet is intentionally issuing fake SSL certificates - Neowin

Gogo Inflight Wifi Service Goes Man-In-The-Middle, Issues Fake Google SSL Certificates | Techdirt

Gizmodo - Gogo Wi-Fi Is Using Man-in-the-Middle Malware Tactics on Its Own Users

GoGo in-flight WiFi creates man-in-the-middle diddle • The Register


Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.