Insecure IoT

Vulnerabilities in Brink’s Smart Safe
https://www.schneier.com/blog/archives/2015/08/vulnerabilities_4.html

This is far from shocking to anyone who has studied infosec. More of a total yawn, actually. Clueless people racing to claim market segments are naturally going to trip over complex things like security. Anything meant to be secure only has a chance of being such if the only way to change configuration is to properly authenticate. Customers hate that, though, because when they forget their password then they have an expensive brick on their hands. I experienced that myself: I bought a solid state computer I was intending at the time to use for hosting my web sites (my provider, at the time, was being incredibly unresponsive to my complaints). I chose a password that would be trivial to remember so naturally didn’t write it down. Over a year later I remember the thing is sitting in the basement and lo and behold, I have no idea what the damn password is. I believe I was eventually able to reset the box and get back onto it (I can’t remember, it was many months ago when I tried for a couple of days), but anyone else who had physical possession of the box could also do that. I quite doubt that the drive was encrypted such that it became a incomprehensible mess upon reset, I expect all the data would be there plain as day. Since I only paid a couple of hundred for the box I was frustrated, but it wasn’t a big deal. What if you had paid 100’s of thousands or millions? In that case you would demand that there be a back door (but only a ‘secure one’, whatever the hell that means!) so if the gewgaw was unable to be reached for some reason you could get around it and still get your money’s worth.

Real security is expensive and hard and is still steeped with vulnerabilities. Anything else is just window dressing advertising to a credulous customer designed to improve profit margins at the expense of ignorance.

Beware Pita!

TEMPEST Attack
https://www.schneier.com/blog/archives/2015/06/tempest_attack.html

As usual for Schneier’s blog, the comments are at least as interesting as the article.

I haven’t blogged on infosec in a while (true, I haven’t blogged in a while, but I was out all last week on ‘vacation’ sweating my ass off in preparation for our July 4th party (which went very well indeed!)), because of my job I have to be careful and decided it would be better to avoid the topic. However, this one appears safe. It is interesting that these sorts of emanations are detectable at even this distance, I would think there would be so much inadvertent shielding and noise that you would have to put a detector directly on the laptop to get the data. TEMPEST has always been interesting to me, though I only discovered it by accident when I was looking around for the Tempest video game (one of my favorites, by far; I have avoided trying to purchase a refurbished unit because I would probably spend all day playing and have other things I need to do). In the old CRT days you could have a van parked in a parking lot a goodly distance away and be able to recreate the screen image (with appropriate equipment, of course) and it was interesting when people created fonts that would defeat such attempts. I am sure TEMPEST is alive and well, but defense against these sorts of things is relatively easy: just put a bunch of distance between yourself and any potential adversaries. The inverse square law is unyielding in its power and, as the above article shows, inches matter.

Outlaw paper shredders!

Congressman Warns of Encrypted “Dark Spaces”; Another Says: “Ooooh It Sounds Really Scary”
https://firstlook.org/theintercept/2015/06/03/one-congressman-warns-encrypted-dark-spaces-another-says-ooooh-sounds-really-scary/

“The notion that encryption is somehow different than other forms of destroying and hiding things is simply not true,” Lieu told The Intercept. “Forty years ago, you could make the statement that paper shredders are one of the most damaging things to national security because they destroy documents that law enforcement might want to see.”

It is almost (almost) amusing to me how clueless these people who claim to represent us are (of course, they actually represent the elite 0.001%). I don’t recall the specifics, but fairly recently (couple of years ago) some idiot senator or representative endlessly championed our governments ‘need’ to read everyone’s mail, that is, until she found out that the govt was reading _her_ mail. Suddenly she was against it. What the hell did she think? Oh yeah, she didn’t…

And the idea that somehow the government can have a backdoor that only the government, under a court order (like that has been working so far!) can access. Even in the unbelievably unlikely situation where the backdoor created is unhackable (vanishingly small, so small it is unrealistic in a real world to consider possible, let alone probable), how long until corrupt members of our law enforcement start to use the access without going through proper channels (which, naturally, themselves are subject to abuse).

Diceware

Passphrases That You Can Memorize — But That Even the NSA Can’t Guess
https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

This is sort of a re-tweet, but having studied a bit of the science behind cryptography over the years (I once ‘invented’ an encryption algorithm and even presented it to a cryptography expert (being ignorant can have amazing payoffs if you are lucky); only later did I realize how cheeky I was and later still after doing some entropy analysis did I realize that my algorithm sucked massively) I have a very good feeling about this. Diceware is a very simple, yet elegant and effective way to produce passphrases that have a useful amount of entropy (the article does a decent job of explaining this) yet are feasible to remember. While unnecessary, throwing capitalization and/or punctuation adds a few more bits of entropy against those performing an attack.

A note to reinforce the comments regarding using this technique for websites/cloud authentication: it is not feasible to test a trillion passphrases a second across the Internet against a busy server so it isn’t necessary to have the same level of entropy. Also, there are plenty of attacks that make having the best passphrase irrelevant anyway. This Diceware approach is for securing things you have physical control over (though, a note to you paranoid types: physical control is not total control if the device can ever be accessed via a device that has ever been connected in any way to any network that has ever been connected to the Internet at any time).

Shhh! Your TV is listening…

Samsung Privacy Policy: Watch What You Say Around Your Smart TV
http://abcnews.go.com/Technology/samsung-privacy-policy-watch-smart-tv/story?id=28829387

Not terribly surprising to me given that with the proper malware installed on your phone anyone can listen to any nearby conversation and that people can also turn on your video camera on your computers to see what there is to see (increasingly, TVs are also coming with cameras!). ‘Tis the new world order, us paranoid people just have to adjust…

Wow! Email encryption relies on just ONE guy!

The World’s Email Encryption Software Relies on One Guy, Who is Going Broke
Werner Koch’s code powers the email encryption programs around the world. If only somebody would pay him for the work.
http://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke

Also interesting comments here.

It is amazing how many fundamental pieces of open source software are dependent on a handful (or just one) person. There are a few that are supported by large groups, for instance Linux, Apache, gcc, but so many are hanging by a thread. It would be nice to see some process whereby these people could be compensated, but I am not holding my breath.

Steadily chipping away…

The Most Important Trial in America
The federal government’s case against the proprietor of a ‘darknet’ website could forever alter how we all use the Internet.
http://www.thedailybeast.com/articles/2015/01/14/the-most-important-trial-in-america.html

This is something that deserves higher visibility, so I will do my small (tiny (infinitesimal)) part to widen the scope. I agree with this statement:

I have no idea if he is innocent or guilty of all or some of the charges against him, but the manner in which his prosecution is playing out should disturb anyone who cares about justice.

When the government is allowed to break laws willy nilly and the justice department stands idly by, we are no longer a nation of laws. Of course, this has been a reality for quite a while, but sometimes it is hard to convince the sheeple that these things are important. Perhaps one day the government will finally reach a point where they take on someone who isn’t successfully demonized and the sheeple will rally. Or perhaps not…

Where there is money, a will and a way will follow

I found this on Bruce Schneier’s blog:

Fingerprinting Computers By Making Them Draw Images

Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.

I glanced at the paper and it is a bit interesting. By getting your computer’s hardware to produce an image they can identify the machine with a high degree of accuracy. Of course, one would presume that that level of hardware access would be blocked by the browser sandbox, but they found a clever way to step around that limitation. This approach will, of course, be quickly blocked by many of the browser writers (I am sure that the Firefox developers are almost done with a patch), but there is a HUGE amount of money out there for products such as these and I have no doubt that variations on a theme will be blasting out soon. It is interesting to me, though, that the very success with tools such as these puts a hard lifetime on their success. There are quite a few groups out there that are ultra paranoid about every byte that traverses their networks and they work to identify the source for each and every one, so something that becomes successful will rapidly rise into the targeting aperture of these organizations and be stomped on. It is interesting to observe the cat and mouse game (where ‘cat’ and ‘mouse’ switch roles from time to time) from the sidelines, I am quite happy to not put in 36 hour days figuring out some of these things.

This is what happens when your business model says a certain amount of fraud is OK

Unless you have been living under a rock, you know that Target (and several others) have recently been hacked at their point of sale (POS) terminals to the tune of 10’s of millions of credit cards. Back in the ‘old days’ when it was a whole lot of work to take advantage of a stolen credit card it made a lot of sense for the credit card companies to simply bake in a percentage of fraud and just get the customers to deal with it (note that the real customers of the CC companies are the merchants, NOT the consumer). However, now that CCs can be stolen by the millions and monetized quickly and entirely remotely this strategy is now biting the CC companies on the ass. Sure, with data mining they can identify a lot of fraud and take steps to minimize it, but since they push this cost on to their customers at some point the customers are going to balk. The core of the problem is that when you use the CC at the POS the merchant (and by extension anyone who has hacked the merchant’s POS hardware) now has all the information to make any number of unauthorized purchases. If we had smart cards that produced a one-time encrypted, signed token, ‘stealing’ this information would be entirely pointless. While it is not trivial to make such a system bulletproof, even a naive implementation would immediately eliminate any value from stealing the CC information and likely make the cost of fraud orders of magnitude higher. Of course, in the real world it is very hard to get anyone to change AND there is a huge amount of money to be made in converting to a new system so none of the current actors actually want to have open standards. However, I predict that the current paradigm will end soon (decade or so) because the fraud costs are going up on nearly a daily basis and I am quite sure that merchants are about ready to switch to cash-only to avoid the increasing percentage the CC companies are charging them. Of course, the merchants simply pass this cost onto their customers (us), but because of the highly competitive nature of (true capitalistic (not that we really have a lot of that here in the good old USofA)) competition, if a merchant can give a consumer a 10% discount for paying with cash (and maintain the same or better margins) I bet that would attract a lot of attention.

I was motivated to write this post after reading this other blog post:

Dispute Resolution Systems for Security Protocols
https://www.schneier.com/blog/archives/2014/02/dispute_resolut.html

It is not totally relevant to my post, but here it is in case you are curious. I didn’t read the paper the post refers to, because, as mentioned in my post and a couple of the comments (as usual, the comments are very interesting (well, if you are interested in infosec, anyway)) the paper is addressing the wrong problem.

Bridging the air gap

badBIOS
https://www.schneier.com/blog/archives/2013/11/badbios.html

I got to say I was very skeptical when I started reading the post and kept checking my calendar to see if it was April 1st. As is usual for Schneier’s blog, the comments are also interesting reading; I suggest interested reader(s) scroll down and check them out. The general consensus I got was it was feasible to get a few kbps and the knee jerk response is that bandwidth at that rate is useless. Well, for surfing the ‘net today, that is certainly the case, but back in the ‘old days’ when you weren’t transmitting gigabyte Flash files it actually could be very useful. Back in the ‘old days’ you would transmit compressed code and then compile it (or run it as a script) on the remote host and actually move quite a bit of functionality around over such a low bandwidth connection. So, for well written malware (yes, I know that is generally an oxymoron) such a tiny soda straw would be very valuable.

The moral to this story: with modern computers with all sorts of wireless communication (intentional or otherwise) devices built-in it can take a great deal of effort to truly isolate them.