A company with an SQL injection name

Finally, someone registered a company that is an SQL injection attack. We saw the license plates on cars doctored to execute SQL injection attacks but this is the first time, I think, that an attempt to crash all business SQL databases in a country is made.

The company name is: ; DROP TABLE “COMPANIES”;– LTD

The registration record: https://beta.companieshouse.gov.uk/company/10542519

XKCD cartoon “Exploits of a mom”

Don’t patch it, it’s fine?

I wrote back in 2013 about my shock at discovering that the companies are now publicly calling to stop the investment in security and avoid fixing security bugs in my article Brainwashing in security. There, we witnessed the head of Adobe security, Brad Arkin, tell us that the companies should not be wasting their precious resources on “fixing every little bug”, agreeing to the comment made by another participant, John Viega from SilverSky, that:

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens.”

All right, fast forward three years and Adobe becomes a showcase. Here is what Google senior security engineer Darren Bilby, speaking at the Kiwicon, has to tell us about the security of the contemporary software:

“We are giving people systems that are not safe for the internet and we are blaming the user,” Bilby says.

He illustrated his point by referring to the 314 remote code execution holes disclosed in Adobe Flash last year alone, saying the strategy to patch those holes is like a car yard which sells vehicles that catch on fire every other week.

The security strategy at Adobe is clearly paying its dividends. Way to go, Adobe, way to go…

 

Data breach at LinkedIn

linkedin-default-shareApparently, there was a serious data breach at LinkedIn and many customer records were stolen including “member email addresses, hashed passwords, and LinkedIn member IDs”. LinkedIn sent out a notification informing that the passwords were invalidated. What is interesting in the note is that they included a cryptic note that the break-in was “not new”. What could they mean by that?

On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.

I can take a wild guess that they passwords prior to 2012 were stored either unencrypted, without salt, or using some very weak algorithm. The security breach itself was, of  course, “new” but the only information at risk are those passwords in the database that were stored in this old-fashioned way.

So, according to my wild guess, there must be more information stolen than they tell us but LinkedIn judged that the only information that threatens themselves were those old passwords so they finally invalidated them (what they should have done back in 2012) and told us they are happy with it.Unfortunately, there is no way to know for sure.

You can make your own wild guess at what happened.

Backdoors in encryption products

padlock-security-protection-hacking-540x334After the recent terrorist attacks the governments are again pushing for more surveillance and the old debate on the necessity of the backdoors in encryption software raises its ugly head again. Leaving the surveillance question aside, let’s see, what does it mean to introduce backdoors to programs and how they can be harmful, especially when we are talking security and encryption?

Generally, a backdoor is an additional interface to a program that is not documented, its existence is kept secret and used for purposes other than the main function of the program. Quite often, a backdoor is simply a testing interface that the developers use to run special commands and perform tasks that normal users would not need to. Such testing backdoors are also often left in the production code, sometimes completely unprotected, sometimes protected with a fixed password stored in the code of the program where it is easy to find, i.e. also unprotected. Testing backdoors may or may not be useful to an attacker depending on the kind of functionality they provide.

Sometimes the backdoors are introduced with an explicit task of gaining access to the program surreptitiously. These are often very powerful tools that allow full access to all functionality of the program and sometimes add other functions that are not even available at the regular user interface. When talking about security and encryption products, such backdoors could allow unauthorized access, impersonation of other users, man-in-the-middle attacks, collection of keys, passwords and other useful information among other things.

The idea of the proponents of introducing backdoors into security and encryption software is that we could introduce such backdoors to the encryption and other tools used by general public. Then, the access to those backdoors would only be available to the police, justice department, secret services, immigration control and drug enforcement agencies… did I miss any? Maybe a few more agencies would be on the list but they are all well behaved, properly computer security trained and completely legal users. And that access would allow them to spy on the people using the tools in case those people turn out to be terrorists or something. Then the backdoors would come in really handy to collect the evidence against the bad guys and perhaps even prevent an explosion or two.

2015-07-19-image-5The problem with this reasoning is that it assumes too much. The assumptions include:

  1. The existence and the access to the backdoors will not be known to the “bad guys”. As the practice shows, the general public and the criminal society contain highly skilled people who can find those backdoors and publish (or sell) them for others to use. Throughout the computer history every single backdoor was eventually found and publicized. Why would it be different this time?
  2. The “bad guys” will actually use the software containing the backdoors. That’s a big assumption, isn’t it? If those guys are clever enough to use encryption and other security software, why would they use something suspicious? They would go for tools that are well known to contain no such loopholes, wouldn’t they?
  3. The surveillance of everyone is acceptable as long as sometimes one of the people under surveillance is correctly determined to be a criminal. This whole preceding sentence is by itself the subject of many a fiction story and movie, “Minority Report” as an example comes to mind. The book “Tactical Crime Analysis: Research and Investigation” might be a good discussion of problems of predicting crime in repeat offenders, now try applying that to first-time offenders – you get literally random results. Couple that with the potential for abuse of collected surveillance data… I don’t really even want to think about it.

So we would en up, among other things, with systems that can be abused by the very “bad guys” that we are trying to catch while they use other, trustworthy, software and the surveillance results on the general population are wide open to abuse as well. I hope this is sufficiently clear now.

Whenever you think of “backdoors”, your knee-jerk reaction should be “remove them”. Even for testing, they are too dangerous. If you introduce them in the software on purpose… pity the fool.

Windows 10: catching up to Google?

windows-10-is-spying-on-every-user-but-theres-a-way-outWindows 10 has turned out to be a very interesting update to the popular desktop operating system. Apparently, Microsoft envies Google for their success in spying on everyone and their dog through the Internet. Accordingly, Microsoft could not resist turning Windows into a mean spying machine. People were mightily surprised when all of the new spying features of Windows started to get uncovered.

To start with, the EULA, the license agreement, actually states clearly that Microsoft will collect the history of browsing, WiFi access point names and passwords, and website passwords. All of this information will be stored in the “user’s” Microsoft account, i.e. on the servers of Microsoft. Every user will receive a unique identification number that will be available to third parties for targeted advertisement.

When you use BitLocker for disk encryption, the key will be also stored at Microsoft! The license agreement states that the password will be copied automatically to OneDrive servers. I told you that going with BitLocker was not something a sane person would do, didn’t I?

And now all of that personal data can be used by Microsoft at will:

We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.

See, it’s not just in case that a court issues an order, but simply whenever Microsoft thinks that they need to.

Some observers report that the license also reserves the rights for Microsoft to disconnect “unlicensed hardware”. I did not find that part in the EULA though, I don’t know if it is true. I found something else though. Windows 10 will also remove your anti-virus or other anti-malware protection: “other antimalware software will be disabled or may have to be removed”.

That’s the part about EULA. There is also Cortana, the virtual assistant, and various parts of the OS that submit various information to Microsoft. Well, Cortana can be disabled. However, it turns out that even disabling every single thing that reports user information to Microsoft does not help – Windows 10 still reports a lot of things, now without even informing the user. Apparently, the user cannot switch off all of the monitoring.

One of the things that cannot be switched off is a built-in keylogger. The keystrokes are recorded in a temporary file and then submitted to Microsoft servers. Keylogger is active even when you are not logged into the Microsoft account.

Another thing is the microphone and camera. Whenever the microphone is on, it records the sound and transmits it to the servers of the company. The same happens to the video camera, the video is recorded automatically and the first 35 MB are sent over to Microsoft.

Microsoft explains that all of this is necessary to create a database of users, so that the targeted advertisement can be sold to third parties. However, these are obvious privacy violations and some of them are even performed without informing the user.

Microsoft has also announced that some of the features of the Windows 10 will be backported to the previous versions of Windows. So we can expect soon the updates for previous versions that will introduce these spying features across all of Windows computers.

Continue the TrueCrypt discussion: Windows 10

I already pointed out previously that I do not see any alternative to the TrueCrypt for encrypting data on disk. TrueCrypt is the only tool that we can more or less trust so far. You will probably remember that Bruce Schneier recommended to use Windows encryption, the BitLocker, instead of TrueCrypt and I called that idea nonsense. To prove me right, here comes the Windows 10 End User License Agreement (EULA) that states explicitly Microsoft will retain the keys to the encryption.

windows-10-is-spying-on-every-user-but-theres-a-way-outThis is rather amazing but, indeed, if you used the BitLocker to encrypt the data on disk, the key will be copied by Microsoft to the OneDrive servers. Of course, that makes the encryption quite pointless as the OneDrive servers are controlled by Microsoft and they will give the key to government authorities and intelligence agencies.

Moreover, Microsoft actually reserves the right to do anything they want with all your data, which by definition includes your keys and the data protected by the encryption:

We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.

So, really, all of your information is not only accessible to the government and intelligence agencies but even the company itself will access and manipulate your data whenever they believe it “necessary”.

Yes, TrueCrypt remains the only tool for disk encryption on Windows and you cannot, in good faith, claim that BitLocker is a good substitute for it. And, really, go Linux already.

TrueCrypt

truecryptSince the anonymous team behind TrueCrypt has left the building, security aware people were left wondering what’s next. I personally keep using TrueCrypt and as long as it works I will keep recommending it.

Recently, Bruce Schneier has raised a few red flags by his strange advice that seems to indicate that he is being paid now for his “services to the community” by parties not so interested in keeping the community secure. One more thing is his advice to switch from TrueCrypt to BitLocker.

The guys that “disappeared” from behind TrueCrypt recommended to switch to BitLocker and that makes BitLocker suspect right away. Moreover, anyone working in security would be right suspecting that BitLocker, coming from Microsoft, would be backdoor-ed. And now Bruce Schneier is coming out and saying that he recommends BitLocker now instead of TrueCrypt? Great. I am not going to trust either.

TrueCrypt for the moment remains the only trustworthy application for disk encryption. There is an effort to make TrueCrypt survive and support newer features of the file systems. I hope it works and we still have some tool to trust in five years from now.

I have also stored the recent versions of TrueCrypt.

GAO report on cybersecurity in Air Traffic Control is outright scary

aircraft-networksThe fact that the modern aircraft can be controlled from the ground is not widely publicized but known. There was though a lot of controversy, including among specialists, about how much of control could be intercepted by unauthorized 3rd parties. Well, now the extent of the problem is confirmed officially.

The U.S. Government Accountability Office (GAO), which is also called “watchdog of Congress”, usually oversees the federal government for the expenditure of public funds. However, the 56-page report “Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen» (copy) published on April 14  tells a very interesting but scary story. For a document that is not classified as “secret”, in any case.

Apparently, the computers on board of contemporary aircraft could be susceptible for break-in and take over by using the on-board WiFi network or even from the ground. The computer systems that control the airplane communicate with each other and the systems on the ground using IP networking technologies and connecting through the same networks that are used on board for entertainment. This opens the aircraft control networks to a wide range of security threats.

FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems.

The “solution” entertained by FAA includes setting up a firewall to separate the operations network from that of “visitors”. And we all know it’s not going to help, we are past that point long ago. General purpose IP firewalling does not really correspond to the level of threat sophistication of today. The GAO report tells as much: “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.” Which means that the access to the cabin could be obtained from the same network being used by the passengers or even from a remote location outside the aircraft.

These networked systems are present in all modern airplanes, including Boeing 787, Airbus А350 и Airbus А380. Currently, the FAA certification of the aircraft does not include any cybersecurity assessment, so the security of the airplane systems is left to the discretion of the manufacturer. Until now, other security measures generally prevented the malicious actors from doing any harm to the airplane but the new threats that arise from networking and software-driven operation are not taken into account.

According to the CNN, the government investigators that wrote the report concluded that it would be possible for someone equipped with only a laptop to:

  • Commandeer the aircraft
  • Put a virus into flight control computers
  • Jeopardize the safety of the flight by taking control of computers
  • Take over the warning systems or even navigation systems

Basically, it is as bad as it gets. The flight systems are not protected as they are all legacy from the previous non-networked age and developed by the same people that developed the previous generations of systems. The only protection is the firewall that separates the cockpit from the rest of the world but that is a slight consolation.

They should put a sign at the airport: “Fly at your own risk”.

It is also really strange that this information is published at all. The Federal Aviation Administration is a governmental body of USA. United States of America, at least officially, are in a state of so-called “war on terror”. At such a time, when an investigative authority finds out some possibility for terrorists to execute attacks, such information is, I assume, immediately classified and the problem is solved between the government and the company quietly.

But at the moment this looks as if the US government strongly suggests to the terrorists: “why do you expose yourself to unnecessary risks trying to smuggle explosives on board, while there is a proven method to achieve the same results by connecting to the airplane control system with a laptop?”

Typically, in such cases, even the noble task of warning the public about the dangers of the situation is not taken into account. What should the audience do with it, anyway? Panic and do the ticket office run trying to cancel all reserved flights? Stage a mutiny on board, requiring immediate emergency landing? Or just remember that from this point on the use of air transport is at your own risk?

Unfortunately, it feels more like if US has planned to stage a series of new terrorist attacks against international air traffic that must be attributed to whomever finds this information useful.

Anyway, the illusion of safety of international air traffic is now officially dispelled. Fly at your own risk. Oh, and you are still not allowed to carry that bottle of mineral water on board.

Security Forum Hagenberg 2015

sf_logoI will be talking about the philosophy in engineering or the human factor in the development of secure software at the Security Forum in Hagenberg im Mühlkreis, Austria on 22nd of April.

https://www.securityforum.at/en/

My talk will concentrate on the absence of a holistic, systemic approach in the current software development as a result of taking the scientific approach of “divide and conquer” a bit too far and applying it where it should not be.

It may seem at first that philosophy has nothing to do with software development or with security but that is not so. We, the human beings, operate on a particular philosophical basis, the basis of thinking, whether implied or explicit. Our technologies are fine, what needs change is the human that applies and develops technologies. And the change starts in the mind, with the philosophy that we apply to our understanding of the world.

Crypto Wars 2.0: Let the Trolling Commence (and don’t trust your phone)

android-devilAn excellent article by Sven Tuerpe argues that we pay excessive attention to the problems of encryption and insufficient – to the problems of system security. I wholeheartedly agree with that statement. Read the original article: Crypto Wars 2.0: Let the Trolling Commence (and don’t trust your phone).

Security cannot be based solely on the encryption and encryption only. The system must be built to withstand attacks from outside and from within to be secure. There is a lot of expertise in building secure devices and creating secure software but none of that is used at all in the mobile devices of today. Whether those smartphones and tablets provide encryption or not is simply besides the point in most attack scenarios and for most kinds of usage. We have to get the devices secured in the first place before the discussion of encryption on them would begin to make sense.

Posts navigation

1 2 3