Snapchat, your house was not ransacked…

NRK (Norway) recently reported on the Snapchat hack and they started off with the following line (Google translated):

If someone breaks into a young girl’s house, steals nude photos of her and hangs them up in the neighborhood, is it her own fault?

Taking the statement at face value: it’s not like that.

Using the analogy:

  • The house is the phone
  • The package where the photos are kept is the application
  • The delivery method (postal service) is the application sending the file to the cloud service
  • The warehouse is a ‘cloud’/online service (SnapSaved)
  • So… the photos are sent from the house to a warehouse and redistributed from there to other houses; nobody broke into the house.

So, the intruder is not breaking into the house, they are breaking into the warehouse.

You have very little control over the package once it leaves your house.

In theory, the house is safe as long as the photos are not sent to the warehouse.

As previously mentioned, the warehouse (application cloud/online service) and the delivery method (application) need to be secured. Whose responsibility is that?

  • No one broke into anyone’s phone!
  • It’s not the victim’s fault. Just as any delivery service has an ‘items may be lost in transit’ policy or an ‘insurance’ service for valuable items, the application owners must communicate the equivalent risks to the victims. (Snapchat was irresponsible for stating that their service is ‘safe’/‘secure’! How can you guarantee a service when other services can ‘access your service’?)
  • Yes, another application issue

It is important to get the analogies right to properly understand and appreciate the issue at hand. Lawmakers, speak to the professionals!

When app developers turn bad

Not going to say I told you so…

There is a lot of trust being placed in app developers, but the real question is: if they can see where you are, how many others can do the same?

Trusting the cloud

A recent incident is making the rounds involving private photos of celebrities, iCloud and a hacker.

The hacker ‘broke’ into a few celeb accounts, pillaged and published.

The celebs lost their private moments.

A number of points here:

  1. If you are of value, you will be a target. Pretty obvious here.
  2. There would be no way for the celeb to know that they were under attack. The attack was not done on their phone, the attack was done ‘on the cloud’.
  3. Poor application security allowed this to happen. To be precise, a combination of poor application security and poor passwords allowed this to happen.
  4. If you are a potential target, consider what your potential loss is, or speak to a professional.
  5. Finally, if you want your pics to be private, don’t use a cloud service. Remember, anything on the net is considered to be public!

Ok, one more on application security.

Application developers must take responsibility for ensuring their clients’ security.

Poorly coded software combined with growing network complexity has increased the attack surface at many organisations and it is taking its toll financially, said Spafford.

He called for an investment in computer programming education and a move by software manufacturers to embed software security concepts early into the development process.

Also: personal information + poorly coded software + exposed to the public = disaster waiting to happen.

Putting your passwords in the cloud is not a good idea… it’s like taking your cash out of the safe, putting it in a suitcase and leaving it in the middle of a busy road.

Free internet: it comes at a cost

It is a well known fact in security circles that if you do anything at all over an ‘untrusted network’ you must use some sort of countermeasure to ensure that you are not being watched.

Countermeasures usually mean encryption, that is, some form of strong encoding that only you and the other party can read.

Free internet can be set up by anyone, anywhere, and is very hard to verify unless you happen to be in the know.

Anything passing through it could be intercepted and analysed by the owner. It is giving your enemy a free lunch.

Using encryption only makes the analysis harder (if the owner is a well funded organisation, it may not be that much harder).

The other and more important issue is our ‘trust’ in applications. Dave Porcello, CTO of Pwnie Express (a company that makes ‘interesting’ gear), said, “We just look for apps that work and trust them, because they help get work done

Applications are created by people; people are not perfect; applications are not perfect.

Application vendors are usually there to make money and do not always focus on privacy, yet we place our trust in them by giving them sensitive information which may include:

  • Name
  • Address
  • Date of birth
  • Geo location
  • Pictures
  • etc.

If the application developer is not taking steps to secure this information, then The Enemy will have a field day.

In short: if you don’t need the application, don’t use it. If you ‘do’ need the application, don’t give it personal information (or use aliases… remember aliases?)

This article is a good case study:

  • Don’t use free internet!
  • Use line/network encryption (a VPN does not always use encryption)
  • Badger your application developer to make sure their applications are created with security and privacy in mind
  • Use the latest version of any application you use

Facebook, now with added privacy (for new users!)

A long time coming… 5 years!

Yay for OpSec.

Existing users, it’s time to review yours.

To see what the world sees (subject to change):

  • Look for ‘View as public’, or
  • Click on the padlock button near the notifications, then
  • Choose ‘What do other people see on my timeline?’ / ‘View As’