Burn Phones are the new black

It appears that the burn phone idea ‘is catching on’ in the celeb world.

The iCloud celebrity photo scandal, phone eavesdropping and the like are all catalysts for increased interest in privacy.

Note how the burn phones were used: the wedding details were sent directly to those phones, which reflects a ‘lack of trust’ in the guests’ own phones.

http://www.theregister.co.uk/2014/09/30/clooney_wedding_burner_phones/


Trusting the cloud (Part 2)

A few more observations.

Just to let you know where I stand on the issue:
People have a right to privacy. It is fine to embrace technology, take intimate photos of yourself and share them. However, you would expect those photos and personal content to remain secure and accessible only to the people you choose to allow.

If neither the app developer nor the user is responsible for the user’s privacy, then who is? One can’t simply assume that the application developer will provide security and privacy.

I still stand by the position that the application developer must build their products with privacy and security in mind.
Think about the automobile industry: if manufacturers don’t build cars with safety improvements, people die. While this is not as extreme, imagine holding information whose exposure causes major distress.

Let’s examine the core issues in detail.

1. If you are of value, you will be a target.

You might not be famous or successful, but to a determined adversary on the opposing team you may still be a target. Multiply that by popularity and you become a major target; it is a numbers game.

The Fox News article states the following:

Many high-traffic websites feast on showing every inch of female flesh, preferably belonging to famous females, than they can access.

There is obviously a market for this, so they were targets!

2. The distribution of data opens opportunities for your enemy

Online technology, not just cloud services, allows more of your information to be spread across different services. For an attacker it then becomes a case of gathering the pieces of the puzzle. The ArsTechnica article recounts how the reporter Mat Honan was targeted:

a “hacker” was able to get access to the last four digits of his credit card number from Amazon and, using that information, gained access to his Gmail account. The attacker then called Apple’s tech support and convinced Apple that he was Honan, getting the password on his account reset.

Little bits of information, matched together, complete the puzzle. As a potential target you need to be conscious of the information you allow to be public. Operational security (OpSec) is the practice of managing that information.

Samantha Stone sums up the first two points and directs her blame straight at the victims. Let’s put this into perspective: yes, there is some blame there, but technology is a tool. Like a car, you have to learn how to use it and be aware of the dangers and the safety measures. By the same token, the application developer must ensure that their product is safe to use, which segues into the third point.

3. Poor application security

It is extremely hard to implement new technologies, and it is just as hard to implement security safeguards around them. However, history repeats itself: the attacks we already know about will most likely happen again against the new technology.

We take things for granted; being aware and one step ahead helps stop attacks such as these. A combination of OpSec on the user’s side and security on the application vendor’s side reduces the chance of situations like this.

If there is a product out there that can break into your systems, wouldn’t you be on it like a rash to fix the hole?

The ArsTechnica article states:

Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts— so the attacker was able to keep hammering away at targeted accounts until access was granted.

Brute force attacks, and account lockout as the defence against them, are NOT new ideas!

It is an old concept; shouldn’t you avoid making the same mistake twice?
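To make the lockout point concrete, here is an added example (not code from the original post, and not Apple’s service) of a toy login service with the weakness the quote describes next to the same service with per-account lockout. The users, the victim’s password, the wordlist and the attacker loop are all constructed for the demo.

```python
"""Added example: an online guessing attack against a login endpoint with no
lockout (unlimited attempts) versus one that locks the account after a few
consecutive failures. Everything here (accounts, wordlist, attacker) is
constructed for illustration."""
import hashlib
import hmac
import os
import time
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Slow hash: each guess costs the attacker real CPU time, online or offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = _pbkdf2(password, self.salt)
        self.failures = 0          # consecutive failed logins
        self.locked_until = 0.0    # monotonic timestamp


class LoginService:
    MAX_FAILURES = 5
    LOCK_SECONDS = 15 * 60

    def __init__(self, lockout: bool, clock=time.monotonic):
        self.lockout = lockout     # False reproduces "no lockout after failed attempts"
        self.clock = clock
        self.accounts = {}
        self.checks = 0            # password comparisons actually performed

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = Account(password)

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"        # same answer as a bad password: no user enumeration
        if self.lockout and self.clock() < acct.locked_until:
            return "locked"        # refuse without even checking the password
        self.checks += 1
        if hmac.compare_digest(_pbkdf2(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.lockout and acct.failures >= self.MAX_FAILURES:
            acct.locked_until = self.clock() + self.LOCK_SECONDS
            acct.failures = 0
        return "denied"


def brute_force(service: LoginService, user: str, wordlist) -> Optional[str]:
    """Attacker: walk the wordlist until the service answers ok or locked."""
    for guess in wordlist:
        result = service.login(user, guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None
    return None


# Constructed wordlist; the victim's password is the kind of 'flimsy door'
# that appears in every leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "monkey",
            "dragon", "baseball", "football", "abc123", "welcome", "sunshine",
            "princess", "starwars", "trustno1", "superman"]
VICTIM, PASSWORD = "celeb@example.com", "sunshine"   # constructed victim


def run_demo() -> dict:
    """Run the same attack against both configurations and report the outcome."""
    results = {}
    for name, lockout in (("no_lockout", False), ("lockout", True)):
        svc = LoginService(lockout=lockout)
        svc.register(VICTIM, PASSWORD)
        found = brute_force(svc, VICTIM, WORDLIST)
        results[name] = {"found": found, "checks": svc.checks}
    return results


if __name__ == "__main__":
    print(run_demo())
```

Without lockout the attacker walks the list and recovers the password on the 12th check; with lockout the account closes after the 5th failure and the attack stops. Two caveats a practitioner would add: every endpoint that accepts the password must share the same lockout state (a single unthrottled endpoint undoes the rest), and hard lockout lets an attacker lock the real owner out, so production systems usually pair it with per-source rate limiting, progressive delays and a second factor.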

Importantly, from an OpSec point of view, celebrities’ personal information is no longer personal, which renders any security question based on personal information useless.

The Dark Reading article demonstrates how ‘easy’ it is to break into the accounts.

Further to this, Fort Knox does not have a broken wooden door between the outside world and the gold. Putting your entire life (your online backups) behind a ‘flimsy’ door (think weak password) is just asking for trouble.

There is more than one way to get at valuable information: the Wired article points out that if your Enemy can get hold of your backup, they have a fighting chance of obtaining your personal information.

4. Reducing your potential loss.

Well, this is a tricky one. Unless you are in the know, it is hard to keep up.

Quick thoughts:
1. Any real world threat can be carried out with efficiency and anonymity thanks to technology.
2. OpSec, Identity management is increasingly important in this age.
3. Evolution and rapid change makes it very difficult to keep up. Embrace new technology with a pinch of salt if you believe that you are a target.
4. There are specialists out there to help, go find one!

http://www.foxnews.com/politics/2014/09/04/nude-photo-hacking-why-mainstream-media-are-part-problem/
http://arstechnica.com/security/2014/09/what-jennifer-lawrence-can-teach-you-about-cloud-security/
http://www.reviewjournal.com/opinion/blame-technology-ignorant-victims-photo-hacking
http://www.washingtonpost.com/news/morning-mix/wp/2014/09/05/after-nude-celebrity-hacking-apples-tim-cook-says-company-will-improve-security/
http://www.darkreading.com/attacks-breaches/celeb-hack-is-apple-telling-all-it-knows/a/d-id/1306923
http://www.wired.com/2014/09/eppb-icloud/

Trusting the cloud

A recent incident is making the rounds involving private photos of celebrities, iCloud and a hacker.

The hacker ‘broke’ into a few celeb accounts, pillaged and published.

The celebs lost their private moments.

A number of points here:

  1. If you are of value, you will be a target. Pretty obvious here.
  2. There would be no way that the celeb would know that they were under attack. The attack was not done on their phone, the attack was done ‘on the cloud’.
  3. Poor application security allowed this to happen. To be precise, a combination of poor application security and poor passwords allowed this to happen.
  4. If you are a potential target, consider what your potential loss is or speak to a professional.
  5. Finally, if you want your pics to be private, don’t use a cloud service. Remember, anything on the net is considered to be public!

http://www.bbc.co.uk/newsbeat/29008876

Hotel (un)safe

Did someone mention that last week was hotel safety week? Do you think your hotel is safe?

Hotel Wifi is probably a bad idea but so are ‘free’ computers at hotel business centers.

What about your hotel safe? The reason hotels recommend that you put your valuables in the main hotel safe is that the room safe is…well, not as safe.

What are your options?

  • Obviously, don’t use any public computers…you don’t get something for nothing!
  • If you have to use Wifi, use an encrypted VPN
  • Hotel safes: yes, use the hotel’s main safe.
  • Credit card swipe safes: don’t use a credit card. If you have a store loyalty card, library card, etc. (something that is not of value), use that. Better still, use the hotel’s main safe if the item really is expensive or a pain to replace. Think what would happen if someone got your passport…

http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/

http://www.theregister.co.uk/2014/07/17/hotel_safe_unsafe/

Phone ‘Hacking’

Lots of news in the UK about phone ‘hacking’.

In short, it wasn’t ‘hacking’: the investigator was using the default PIN to get access to their voicemails.

How does it work?

It varies between providers but, in short, you can access a person’s voicemail even if you don’t have their phone. All you need is their number and their voicemail PIN (in this case it was the ‘default’ PIN).

Food for thought:

  1. Who still uses voicemail?
  2. If you have something important to say: call them or text them to get you to call back.

If you have a phone there are at least 3 passwords you need to change:

  1. Your SIM PIN so that no one but you can use that SIM
  2. Your phone password so that no one but you can use your phone
  3. Your voicemail password so that no one but you can access your voicemails.

More on phone hacking:
http://www.independent.co.uk/topic/PhoneHacking

Web of trust case study

A couple of blogs back we were on the subject of the Web of Trust and Tinder Hacking.

An article today has a good example of how both can be used and abused.

It is important to note that low-hanging fruit is fair game, and by leveraging trust any campaign becomes that much more effective.

Key steps:

  • assume a trusted identity
  • leverage that trust to target associations (friends)
  • Social engineering: use a time-limited situation (i.e. an emergency) for personal gain

Not everything is what it seems.

Countermeasures:

  • Out of band: call them, email them but don’t reply to the message (online dating, remember the burn phone)
  • Ignore: if it’s important, they will try again (use best judgement! If it is an emergency, get in touch with a next of kin, etc)

http://www.bbc.co.uk/news/technology-27922710

Free internet: it comes at a cost

It is a well known fact in security circles that if you were to do anything at all over an ‘untrusted network’ you must use some sort of countermeasure to ensure that you are not being watched.

Countermeasures usually mean encryption, that is, some sort of strong encoding that only you and the other party can decode.

Free internet can be set up by anyone, anywhere, and is very hard to verify unless you happen to be in the know.

Anything passing through it could be intercepted and analysed by the owner. It is giving your enemy a free lunch.

Using encryption only makes the analysis harder, not impossible (for a well-funded organisation it may not be that hard at all).
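As an added example of what the owner of a ‘free’ access point actually gets from your traffic (this is illustration code, not from the original post or from the ArsTechnica article), the block below constructs a plaintext HTTP login and a TLS ClientHello to the same hypothetical host and shows what an on-path observer can extract from each: everything from the HTTP request, and still the destination hostname (the SNI field, RFC 6066) from the encrypted connection.

```python
"""Added example: what a hostile access point sees in plaintext HTTP versus
TLS. The HTTP request and the TLS ClientHello are constructed inline for a
hypothetical host, dating.example; the ClientHello follows the real record
layout so the SNI parser is a genuine one."""
import os
import struct


def observe_http(payload: bytes) -> dict:
    """Plaintext HTTP: host, path, cookies and form fields are all readable."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"protocol": "http", "host": headers.get("host"), "path": path,
            "cookie": headers.get("cookie"), "body": body.decode("utf-8", "replace")}


def observe_tls(record: bytes) -> dict:
    """TLS ClientHello: the payload is opaque, but the server name (SNI) is not."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                       # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + hs[pos]                    # session id
    pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                    # compression methods
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    end, sni = pos + ext_len, None
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                    # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack(">H", hs[pos + 3:pos + 5])[0]
            sni = hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return {"protocol": "tls", "host": sni, "path": None, "cookie": None, "body": None}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    name = server_name.encode("ascii")
    sni_data = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack(">HH", 0, len(sni_data)) + sni_data
    body = (b"\x03\x03" + os.urandom(32)          # version, client random
            + b"\x00"                              # empty session id
            + struct.pack(">H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed sample traffic, as the access point would see it on the wire.
HTTP_SAMPLE = (b"POST /login HTTP/1.1\r\nHost: dating.example\r\n"
               b"Cookie: session=abc123\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 27\r\n\r\nuser=alice&password=hunter2")
TLS_SAMPLE = build_client_hello("dating.example")


def what_the_ap_sees(packet: bytes) -> dict:
    """Dispatch on the first byte: 0x16 is a TLS handshake record."""
    return observe_tls(packet) if packet[:1] == b"\x16" else observe_http(packet)


if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE):
        print(what_the_ap_sees(sample))
```

The point of the second result is the one the paragraph makes: encryption hides the credentials and the cookie, but the observer still learns which service you use, when, and roughly how much you send, and that metadata is often enough to profile you.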

The other, and more important, issue is our ‘trust’ in applications. Dave Porcello, CTO of Pwnie Express (a company that makes ‘interesting’ gear), said: “We just look for apps that work and trust them, because they help get work done.”

Applications are created by people, people are not perfect, applications are not perfect.

Application vendors are usually there to make money and do not always focus on privacy, yet we still place our trust in them by giving them sensitive information which may include:

  • Name
  • Address
  • Date of birth
  • Geo location
  • Pictures
  • etc.

If the application developer is not taking steps to secure this information, then The Enemy will have a field day.

In short, if you don’t need the application, don’t use it. If you ‘do’ need the application, don’t give personal information (or use aliases…remember aliases?)

This article is a good case study:
http://arstechnica.com/security/2014/06/what-the-nsa-or-anyone-can-learn-about-you-from-internet-traffic/

Takeaways:

  • Don’t use free internet!
  • Use line/network encryption (a VPN does not always use encryption)
  • Badger your application developer to make sure their applications are created with security and privacy in mind
  • Use the latest version of any application you use