Burn Phones are the new black

It appears that the burn phone idea ‘is catching on’ in the celeb world.

The iPhone scandal, eavesdropping, etc. are all catalysts for increased interest in privacy.

Note the use of the burn phone: details are sent directly to the phone, reflecting a ‘lack of trust’ in the guests’ own phones.

http://www.theregister.co.uk/2014/09/30/clooney_wedding_burner_phones/


Trusting the cloud (Part 2)

A few more observations.

Just to let you know where I stand on the issue:
People have a right to privacy; it is fine to embrace technology, take intimate photos of yourself and distribute them. However, you would expect that photos and personal content remain secure and accessible only to those you choose to allow.

If the app developer and the user are not responsible for the user’s privacy, then who is? One can’t assume that the application developer will provide security and privacy.

I still stand by the fact that the application developer must develop their products with privacy and security in mind.
Think about the automobile industry: if manufacturers don’t build cars with safety improvements, people die. While this is not as extreme, imagine if you had information whose exposure would cause major distress.

Let’s examine the core issues in detail.

1. If you are of value, you will be a target.

You might not be famous or successful, but to a determined person on the opposing team you may still be a target. Multiply this if you are popular and you become a major target; it is a numbers game.

The Fox News article states the following:

Many high-traffic websites feast on showing every inch of female flesh, preferably belonging to famous females, that they can access.

It is quite obvious that there is a market for this, so they were targets!

2. The distribution of data opens opportunities for your enemy

Online technology, not just cloud services, allows more information to be distributed across different services. Now it is a case of gathering the pieces of the puzzle. The ArsTechnica article describes how a reporter, Mat Honan, was targeted:

a “hacker” was able to get access to the last four digits of his credit card number from Amazon and, using that information, gained access to his Gmail account. The attacker then called Apple’s tech support and convinced Apple that he was Honan, getting the password on his account reset.

Little bits of information, when matched together, help complete the puzzle. As a potential target, you need to be conscious of the information you allow to be public. Operations security (OpSec) is the practice of managing that information.

Samantha Stone sums up the first two points and directs her blame straight at the victims. Let’s put this into perspective: yes, there is some blame there, but technology is a tool. Like a car, you have to learn how to use it and be aware of the dangers and of safety. By the same token, the application developer must ensure that their product is safe to use, which segues into the third point.

3. Poor application security

It is extremely hard to implement new technologies, and it is also hard to implement security safeguards around new technology. However, history does repeat itself, so the attacks we already know about will most likely happen again.

We take things for granted; however, being aware and one step ahead will help stop attacks such as these. A combination of OpSec and application vendor security will reduce the chance of situations like this happening.

If there is a product out there that breaks into your systems, wouldn’t you be on it like a rash to fix the hole?

The ArsTechnica article states:

Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts— so the attacker was able to keep hammering away at targeted accounts until access was granted.

Brute force attacks and account lockout are NOT new ideas!

It is an old concept; shouldn’t you avoid making the same mistake twice?
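To show what the missing lockout looks like in code, here is an added example written for this post (not Apple’s or any vendor’s implementation): the same sequence of guesses is run against a service that never locks out and against one that does. The policy values, the toy credential store and the guess list are assumptions constructed for the demo.

```python
from collections import defaultdict

# Hypothetical policy values (constructed for this example, not any vendor's real settings).
MAX_FAILURES = 5           # failed attempts tolerated inside the window
WINDOW_SECONDS = 15 * 60   # sliding window in which failures are counted
LOCKOUT_SECONDS = 30 * 60  # how long the account stays locked

class LoginGuard:
    """Counts failed logins per account and locks it after MAX_FAILURES.
    check_password stands in for the real credential check; enforce_lockout=False
    reproduces the weakness described above (the service never locks anyone out)."""

    def __init__(self, check_password, enforce_lockout=True):
        self.check_password = check_password
        self.enforce_lockout = enforce_lockout
        self.failures = defaultdict(list)       # account -> timestamps of recent failures
        self.locked_until = defaultdict(float)  # account -> time the lock expires

    def attempt(self, account, password, now):
        if now < self.locked_until[account]:
            return "locked"
        # forget failures that fell out of the sliding window
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]
        if self.check_password(account, password):
            self.failures[account] = []
            return "ok"
        recent.append(now)
        self.failures[account] = recent
        if self.enforce_lockout and len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

def run_guesses(guard, account, guesses, start=0.0, interval=1.0):
    """Submit guesses at a fixed interval; return the outcome of each attempt."""
    return [guard.attempt(account, g, start + i * interval) for i, g in enumerate(guesses)]

# Constructed toy credential store; the guess list only hits after the threshold.
USERS = {"alice": "s3cret-demo"}
GUESSES = ["wrong-1", "wrong-2", "wrong-3", "wrong-4", "wrong-5", "s3cret-demo"]

def check_demo(account, password):
    return USERS.get(account) == password

if __name__ == "__main__":
    print("no lockout:", run_guesses(LoginGuard(check_demo, enforce_lockout=False), "alice", GUESSES))
    print("lockout:   ", run_guesses(LoginGuard(check_demo), "alice", GUESSES))
```

Without the lockout the sixth guess succeeds; with it, the account is locked on the fifth failure and the correct password is refused until the lock expires, which is the difference the article is describing.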

Importantly, from an OpSec point of view, the fact is that, as celebrities, their personal information is no longer personal, rendering any security challenge based on personal information useless.

The Dark Reading article demonstrates how ‘easy’ it is to break into the accounts.

Further to this, Fort Knox does not have a broken wooden door between the outside world and the gold. Having your entire life (online backups) behind a ‘flimsy’ door (think weak password) is just asking for trouble.

There is more than one way to get valuable information; the Wired article points out that if you have a backup and it is intercepted by your enemy, they have a fighting chance of obtaining your personal information.

4. Reducing your potential loss.

Well, this is a tricky one. Unless you are in the know, it is hard to keep up.

Quick thoughts:
1. Any real world threat can be carried out with efficiency and anonymity thanks to technology.
2. OpSec and identity management are increasingly important in this age.
3. Evolution and rapid change makes it very difficult to keep up. Embrace new technology with a pinch of salt if you believe that you are a target.
4. There are specialists out there to help, go find one!

http://www.foxnews.com/politics/2014/09/04/nude-photo-hacking-why-mainstream-media-are-part-problem/
http://arstechnica.com/security/2014/09/what-jennifer-lawrence-can-teach-you-about-cloud-security/
http://www.reviewjournal.com/opinion/blame-technology-ignorant-victims-photo-hacking
http://www.washingtonpost.com/news/morning-mix/wp/2014/09/05/after-nude-celebrity-hacking-apples-tim-cook-says-company-will-improve-security/
http://www.darkreading.com/attacks-breaches/celeb-hack-is-apple-telling-all-it-knows/a/d-id/1306923
http://www.wired.com/2014/09/eppb-icloud/

Trusting the cloud

A recent incident is making the rounds involving private photos of celebrities, iCloud and a hacker.

The hacker ‘broke’ into a few celeb accounts, pillaged and published.

The celebs lost their private moments.

A number of points here:

  1. If you are of value, you will be a target. Pretty obvious here.
  2. There would have been no way for the celebs to know they were under attack. The attack was not done on their phone; it was done ‘on the cloud’.
  3. Poor application security allowed this to happen. To be precise, a combination of poor application security and poor passwords allowed this to happen.
  4. If you are a potential target, consider what your potential loss is or speak to a professional.
  5. Finally, if you want your pics to be private, don’t use a cloud service. Remember, anything on the net is considered to be public!

http://www.bbc.co.uk/newsbeat/29008876

Hotel (un)safe

Did someone mention that last week was hotel safety week? Do you think your hotel is safe?

Hotel Wifi is probably a bad idea but so are ‘free’ computers at hotel business centers.

What about your hotel safe? The reason hotels recommend that you put your valuables in the main hotel safe is that the room safe is…well, not as safe.

What are your options?

  • Obviously, don’t use any public computers…you don’t get something for nothing!
  • If you have to use Wifi, use an encrypted VPN
  • Hotel safes, yes, use the hotel’s main safe.
  • Credit card swipe safes: don’t use a credit card…if you have a store loyalty card, library card, etc. (something that is not of value), use that. Better still, use the hotel’s main safe if the item really is expensive or a pain to replace. Think what would happen if someone got your passport, …

http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/

http://www.theregister.co.uk/2014/07/17/hotel_safe_unsafe/

Whatever you put on a site, it is no longer private

There are a number of reasons why:

  • Your security settings may allow the public access to your information (unless you lock them down and monitor them for changes by the hosting site)
  • The hosting site (e.g. Facebook) has access to your information (you read the EULA, didn’t you?)
  • Law enforcement has access to your information (depending on jurisdiction, with or without a warrant)
  • Hackers may break/steal/social engineer their way through to get access to your information (the last being the most likely)

What are your options:

  1. Never post anything that would get you expelled, fired or arrested
  2. Don’t post anything that would get you kicked out of your house, break up your relationship, start a fight.
  3. Don’t post anything that could be used against you

http://nakedsecurity.sophos.com/2014/06/30/facebooks-facing-a-losing-battle-to-protect-users-privacy/

Phone ‘Hacking’

Lots of news in the UK about phone ‘hacking’.

In short, it wasn’t ‘hacking’: the investigator was using the default password to get access to their voicemails.

How does it work?

It varies between providers, but in short, you can access a person’s voicemail even if you don’t have their phone; all you need is their number and their voicemail PIN (in this case it was the ‘default’ PIN).

Food for thought:

  1. Who still uses voicemail?
  2. If you have something important to say: call them, or text them asking them to call you back.

If you have a phone there are at least 3 passwords you need to change:

  1. Your SIM password so that no one but you can use that SIM
  2. Your phone password so that no one but you can use your phone
  3. Your voicemail password so that no one but you can access your voicemails.

More on phone hacking:
http://www.independent.co.uk/topic/PhoneHacking

Web of trust case study

A couple of blogs back we were on the subject of the Web of Trust and Tinder Hacking.

An article today has a good example of how both can be used and abused.

It is important to note that low-hanging fruit is fair game; by leveraging trust, any campaign becomes just as effective.

Key steps:

  • assume a trusted identity
  • leverage that trust to target associations (friends)
  • SocEng: use a time-limited situation (i.e. an emergency) for personal gain

Not everything is what it seems.

Countermeasures:

  • Out of band: call them, email them but don’t reply to the message (online dating, remember the burn phone)
  • Ignore: if it’s important, they will try again (use best judgement! If it is an emergency, get in touch with a next of kin, etc)

http://www.bbc.co.uk/news/technology-27922710