Heartbleed? That’s nothing. Here comes Microsoft SChannel!

microsoft_securityThe lot of hype around the so-called “Heartbleed” vulnerability in open-source cryptographic library OpenSSL was not really justified. Yes, many servers were affected but the vulnerability was quickly patched and it was only an information disclosure vulnerability. It could not be used to break into the servers directly.

Now we have Microsoft Secure Channel library vulnerability (“SChannel attack”) that allows an attacker to easily own MS servers:

This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

This vulnerability in Microsoft TLS is much more serious as it allows to take over the control of any vulnerable server remotely by basically simply sending packets with commands. Microsoft admits that there are no mitigating factors and no workarounds, meaning if you did not install the patch, your server is defenseless against the attack. Windows Server 2012, Windows Server 2008 R2 and Windows Server 2003, as well as workstations running Vista, Windows 7 and Windows 8 are all vulnerable.

This is as critical as it gets.

Crypto Wars 2.0: Let the Trolling Commence (and don’t trust your phone)

android-devilAn excellent article by Sven Tuerpe argues that we pay excessive attention to the problems of encryption and insufficient – to the problems of system security. I wholeheartedly agree with that statement. Read the original article: Crypto Wars 2.0: Let the Trolling Commence (and don’t trust your phone).

Security cannot be based solely on the encryption and encryption only. The system must be built to withstand attacks from outside and from within to be secure. There is a lot of expertise in building secure devices and creating secure software but none of that is used at all in the mobile devices of today. Whether those smartphones and tablets provide encryption or not is simply besides the point in most attack scenarios and for most kinds of usage. We have to get the devices secured in the first place before the discussion of encryption on them would begin to make sense.

Facebook “joins” Tor – good-bye, privacy!

Multiple publications are touting the announcement by Facebook of a Tor-enabled version of the social networking website as nothing short of a breakthrough for anonymous access from “repressed nations”. They think that the people around the world who wish their identity and activity online to remain hidden will now have a great time of using Facebook through Tor.

In my point of view, the result is just the opposite. The users of Facebook sign in and are tracked across a multitude of collaborating sites. Using Facebook through Tor will actually disclose completely the identity and the activity of the person using it. This information will become available across several user-tracking websites. The user will completely lose the anonymity they so strongly desired.

Mozilla Firefox Lightroom-578-80
Lightbeam for Firefox shows tracking of the user through different websites and tracking networks and how they share information with each other.

Facebook previously denied access to its social network through the Tor network citing security concerns. Surely, you do not think they decided to provide Tor access because they decided to be nice to those few who use Tor? Facebook is a commercial company under control of United States government and don’t you forget it. The move to bring in a few thousand Tor users is unlikely to have any positive impact on their business but will require to provide additional infrastructure. Therefore, Facebook is acting selflessly and causing themselves trouble for no commercial gain. I view such a move as extremely suspicious. Most likely, the company’s network will be used in online operations to unmask the identity of Tor users.

Of course, the proper way to keep your privacy online is to never use any social networks of any kind and discard every session after a short period and when switching activities. Searching for movie tickets? Use a session and discard it when done. Looking up the hospital’s admission hours? Discard when done. In any other case, the network of tracking sites will connect the dots on you. If you are to use the Facebook in the same session, your identity is revealed instantly and all of that activity will be linked to the real you.

We released too much of our privacy to the Internet companies already. They are now slowly dismantling the last bastions, one of which is the Tor network, under the pretense of fighting online crime. Facebook, having a history of abusing its customers, should not be trusted on these matters. Their interest is not in protecting your privacy, they will betray you for money, rest assured.