Snapchat, your house was not ransacked…

NRK (Norway) recently reported on the Snapchat hack and started off with the following line (Google translated):

If someone breaks into a young girl’s house, steals nude photos of her and hangs them up around the neighbourhood, is it her own fault?

Taking the statement at face value: it’s not like that.

Using the analogy:

  • The house is the phone
  • The package in which the photos are kept is the application
  • The delivery method (postal service) is the application sending the file to the cloud service
  • The warehouse is a ‘cloud’/online service (SnapSaved)
  • So the photos are sent from the house to a warehouse and redistributed to other houses; nobody broke into the house.

So, the intruder is not breaking into the house, they are breaking into the warehouse.

You have very little control over the package once it leaves your house.

In theory, the house is safe as long as the photos are not sent to the warehouse.

As previously mentioned, the warehouse (the application’s cloud/online service) and the delivery method (the application) need to be secured. Whose responsibility is that?

Note:

  • No one broke into anyone’s phone!
  • It’s not the victim’s fault, but just as any delivery service has an ‘items may be lost in transit’ policy or offers insurance for valuable items, the application owners must communicate the equivalent risks to their users. Snapchat was irresponsible in stating that its service is ‘safe’/‘secure’: how can you guarantee a service when other services (third-party apps) can access it?
  • Yes, another application security issue

It is important to get the analogies right to properly understand and appreciate the issue at hand. Lawmakers, speak to the professionals!

http://www.nrk.no/ytring/snapchat-i-steinalderen-1.11985369

http://www.theinquirer.net/inquirer/news/2375126/hackers-post-at-least-100-000-intercepted-snapchat-photos-on-4chan

Trusting the cloud (Part 2)

A few more observations.

Just to let you know where I stand on the issue:
People have a right to privacy; it is fine to embrace technology, take intimate photos of yourself and distribute them. However, you would expect those photos and personal content to remain secure and accessible only to the people you choose to allow.

If neither the app developer nor the user is responsible for the user’s privacy, then who is? One can’t simply assume that the application developer will provide security and privacy.

I still stand by the position that application developers must build their products with privacy and security in mind.
Think of the automobile industry: if manufacturers don’t build cars with safety improvements, people die. While this is not as extreme, imagine holding information whose exposure causes major distress.

Let’s examine the core issues in detail.

1. If you are of value, you will be a target.

You might not be famous or successful, but to a determined adversary you may still be a target. Multiply this if you are popular and you become a major target; it is a numbers game.

The Fox News article states the following:

Many high-traffic websites feast on showing every inch of female flesh, preferably belonging to famous females, that they can access.

It is quite obvious that there is a market for this so they were targets!

2. The distribution of data opens opportunities for your enemy

Online technology, not just cloud services, allows more information to be distributed across different services. It then becomes a case of gathering pieces of the puzzle. The ArsTechnica article states that a reporter, Mat Honan, was a target:

a “hacker” was able to get access to the last four digits of his credit card number from Amazon and, using that information, gained access to his Gmail account. The attacker then called Apple’s tech support and convinced Apple that he was Honan, getting the password on his account reset.

Little bits of information, when matched together, help complete the puzzle. As a potential target, you need to be conscious of the information you allow to be public. Operational security (OpSec) is the practice of managing that information.

Samantha Stone sums up the first two points and directs her blame straight at the victims. Let’s put this into perspective: yes, there is some blame there, but technology is a tool. Like a car, you have to learn how to use it and be aware of the dangers and of safety. By the same token, the application developer must ensure that their product is safe to use, which segues into the third point.

3. Poor application security

It is extremely hard to implement new technologies, and it is also hard to implement security safeguards around them. However, history repeats itself: the attacks we already know about will most likely happen again.

We take things for granted; being aware and one step ahead helps stop attacks such as these. A combination of OpSec and application vendor security will reduce the chance of situations like this.

If there is a tool out there that breaks into your systems, wouldn’t you be on it like a rash to fix the weakness it exploits?

The ArsTechnica article states:

Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts— so the attacker was able to keep hammering away at targeted accounts until access was granted.

Brute-force attacks and account lockout are NOT new ideas!

It is an old concept; shouldn’t you avoid making the same mistake twice?

Importantly, from an OpSec point of view, as celebrities their personal information is no longer personal, rendering any security challenge based on personal information (e.g. security questions) useless.

The Dark Reading article demonstrates how ‘easy’ it is to break into the accounts.

Further to this, Fort Knox does not have a broken wooden door between the outside world and the gold. Having your entire life (online backups) behind a ‘flimsy’ door (think weak password) is just asking for trouble.
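The lockout the article found missing, together with the weak-password half of the problem, as an added worked example (not code from the original post or from any vendor). It simulates an attacker hammering one account with a short constructed wordlist, first against a login with no lockout and then against one that locks the account after MAX_FAILURES consecutive failures; the account, wordlist, thresholds and the use of PBKDF2 for password storage are all assumptions made for the demo:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Thresholds are assumptions for the demo, not any vendor's real settings.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # timestamp until which logins are refused


def hash_pw(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the demo never compares plaintext; the low iteration
    # count keeps the demo fast and is not a production recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def make_account(name: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, hash_pw(password, salt))


def login(acct: Account, password: str, now: float, lockout: bool = True) -> bool:
    """Return True on a successful login.

    With lockout=False this behaves like the service in the article: every
    attempt is checked, however many have already failed. With lockout=True
    the account refuses all attempts for LOCKOUT_SECONDS once MAX_FAILURES
    consecutive attempts have failed.
    """
    if lockout and now < acct.locked_until:
        return False  # locked: refuse without even checking the password
    if hmac.compare_digest(acct.pw_hash, hash_pw(password, acct.salt)):
        acct.failures = 0
        return True
    acct.failures += 1
    if lockout and acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
    return False


# Constructed wordlist standing in for the kind of list an attacker hammers with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "monkey", "dragon", "sunshine", "princess", "football"]


def brute_force(acct: Account, wordlist, lockout: bool, start: float = 0.0):
    """Try each guess once, one attempt per second. Returns (password_or_None, attempts)."""
    for i, guess in enumerate(wordlist):
        if login(acct, guess, start + i, lockout):
            return guess, i + 1
    return None, len(wordlist)


def demo() -> dict:
    results = {}
    # 1. Weak password, no lockout: found on the 8th guess.
    a = make_account("victim", "sunshine")
    results["weak_no_lockout"] = brute_force(a, WORDLIST, lockout=False)
    # 2. Same weak password, lockout on: five failures lock the account, so
    #    guesses 6-10 (including the right one) are refused unchecked.
    b = make_account("victim", "sunshine")
    results["weak_lockout"] = brute_force(b, WORDLIST, lockout=True)
    # 3. The cost of lockout: the real owner is refused too until it expires.
    results["owner_while_locked"] = login(b, "sunshine", now=10.0)
    results["owner_after_lockout"] = login(b, "sunshine", now=10.0 + LOCKOUT_SECONDS)
    # 4. A password outside the list survives even without lockout.
    c = make_account("victim", "correct horse battery staple")
    results["strong_no_lockout"] = brute_force(c, WORDLIST, lockout=False)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the trade-off the demo exposes: a lockout an attacker can trigger is also a denial of service against the owner (case 3), and an attacker who spreads a few guesses across many accounts never trips a per-account counter. Per-account lockout needs per-source rate limiting and a sane password policy beside it; neither alone is enough, which is the point about poor passwords made below.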

There is more than one way to get valuable information: the Wired article points out that if you keep a backup and your enemy can obtain it, they have a fighting chance of getting at your personal information.

4. Reducing your potential loss.

Well, this is a tricky one. Unless you are in the know, it is hard to keep up.

Quick thoughts:
1. Any real-world threat can be carried out with efficiency and anonymity thanks to technology.
2. OpSec and identity management are increasingly important in this age.
3. Evolution and rapid change make it very difficult to keep up. Embrace new technology with a pinch of salt if you believe you are a target.
4. There are specialists out there to help; go find one!

http://www.foxnews.com/politics/2014/09/04/nude-photo-hacking-why-mainstream-media-are-part-problem/
http://arstechnica.com/security/2014/09/what-jennifer-lawrence-can-teach-you-about-cloud-security/
http://www.reviewjournal.com/opinion/blame-technology-ignorant-victims-photo-hacking
http://www.washingtonpost.com/news/morning-mix/wp/2014/09/05/after-nude-celebrity-hacking-apples-tim-cook-says-company-will-improve-security/
http://www.darkreading.com/attacks-breaches/celeb-hack-is-apple-telling-all-it-knows/a/d-id/1306923
http://www.wired.com/2014/09/eppb-icloud/

Trusting the cloud

A recent incident is making the rounds involving private photos of celebrities, iCloud and a hacker.

The hacker ‘broke’ into a few celeb accounts, pillaged and published.

The celebs lost their private moments.

A number of points here:

  1. If you are of value, you will be a target. Pretty obvious here.
  2. There would be no way for the celeb to know they were under attack. The attack was not done on their phone; it was done ‘on the cloud’.
  3. Poor application security allowed this to happen. To be precise, a combination of poor application security and poor passwords allowed this to happen.
  4. If you are a potential target, consider what your potential loss is, or speak to a professional.
  5. Finally, if you want your pics to be private, don’t use a cloud service. Remember, anything on the net should be considered public!

http://www.bbc.co.uk/newsbeat/29008876

Ok, one more on application security.

Application developers must take responsibility for ensuring their clients’ security.

Poorly coded software combined with growing network complexity has increased the attack surface at many organisations and it is taking its toll financially, said Spafford.

He called for an investment in computer programming education and a move by software manufacturers to embed software security concepts early into the development process.

http://news.techeye.net/business/security-industry-run-aground

Also: personal information + poorly coded software + exposure to the public = a disaster waiting to happen.

Putting your passwords in the cloud is not a good idea; it’s like putting your cash in a suitcase and leaving the suitcase in the middle of a busy road.

http://www.darkreading.com/cloud/hacking-password-managers/d/d-id/1297250

Hotel (un)safe

Did someone mention that last week was hotel safety week? Do you think your hotel is safe?

Hotel Wi-Fi is probably a bad idea, but so are ‘free’ computers in hotel business centres.

What about your hotel safe? The reason hotels recommend that you put your valuables in the main hotel safe is that the room safe is… well, not as safe.

What are your options?

  • Obviously, don’t use any public computers; you don’t get something for nothing!
  • If you have to use Wi-Fi, use an encrypted VPN
  • Hotel safes: yes, use the hotel’s main safe.
  • Credit-card-swipe safes: don’t use a credit card. If you have a store loyalty card, library card, etc. (something that is not of value), use that. Better still, use the hotel’s main safe if the item really is expensive or a pain to replace. Think what would happen if someone got your passport, …

http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/

http://www.theregister.co.uk/2014/07/17/hotel_safe_unsafe/

Whatever you put on a site is no longer private

There are a number of reasons why:

  • Your security settings may allow the public access to your information (unless you lock them down and monitor them for changes made by the hosting site)
  • The hosting site (eg: Facebook) has access to your information (you read the EULA, didn’t you?)
  • Law enforcement has access to your information (depending on jurisdiction, with or without a warrant)
  • Hackers may break in, steal, or social engineer their way to your information (the last option being the most likely)

What are your options:

  1. Never post anything that would get you expelled, fired or arrested
  2. Don’t post anything that would get you kicked out of your house, break up your relationship, start a fight.
  3. Don’t post anything that could be used against you

http://nakedsecurity.sophos.com/2014/06/30/facebooks-facing-a-losing-battle-to-protect-users-privacy/

The simple things in life are often the best.

It doesn’t matter how strong your defences are; if the operator/human is tricked, it is game over.

Targeting infrastructure (water, gas, electricity, telecommunications, etc.) with malicious attacks could lead to a massive loss of life. Transport and the airline industry are a big one.

Something as simple as a social engineering attempt shows that, as long as humans are in control of or have access to powerful systems, they will also be targets for attack.

The compromise started with a phishing attack in which email containing a malicious link was sent to people working in the aviation industry. The CIS said the attackers used a “public document” in selecting their victims, but did not identify the document.

The fact that the attackers were able to trick people into downloading malware that led to the compromise is “surprising, but not unexpected,” Murray said. “Simple attacks work.”

You’re a CxO of a company or a high-risk individual; you receive an e-mail and fall for the trap. Now, is your company, family, reputation, etc. at risk?

If you need further proof that social engineering affects everyone, just ask the head of Australia’s military. His pictures were lifted from a site and used for a lonely-hearts scam. This is the reverse scenario: someone’s position of power is leveraged to carry off a scam.

Remember the phishing pattern:

  • Addressed in a personal nature
    • Connected via Facebook, ‘direct’ relationship to you
  • Something to get you to react
    • He has been single and is looking to meet up
  • Consequence should you fail to act
    • Missing out on an opportunity to meet someone
  • The con: need to send €300 to ‘him’ to arrange for costs
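Those four ingredients can be turned into a crude triage check. The following is an added example, not code from the original post or from either linked article: one regex per ingredient, scored over three constructed messages (a lonely-hearts pitch, a newsletter, and an ordinary invoice that mentions money but has none of the other hooks). The patterns, the threshold and the sample text are all assumptions for the demo; a real mail filter needs far more than this.

```python
import re

# One pattern per ingredient of the con described above. All are assumptions
# for the demo; real scam wording varies far more than this.
SIGNALS = {
    "personal_connection": r"\b(connected on facebook|we'?re connected|mutual friend|saw your (profile|photos)|admired your)\b",
    "emotional_hook": r"\b(single|lonely|love to meet|meet (you|up))\b",
    "consequence_if_ignored": r"\b(lose (my|the|your) chance|miss(ing)? out|last chance|will be (closed|suspended))\b",
    "money_request": r"\b(send|wire|transfer)\b.{0,40}?\b(\d+\s*(euros?|eur|dollars?|usd)|western union|moneygram|gift cards?)\b",
}


def score(text: str) -> list:
    """Return the names of the ingredients present in the message, in SIGNALS order."""
    folded = " ".join(text.lower().split())  # fold newlines so phrases can span lines
    return [name for name, pattern in SIGNALS.items() if re.search(pattern, folded)]


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Flag a message only when most of the ingredients appear together."""
    return len(score(text)) >= threshold


# Constructed sample messages (not text from the linked articles).
SAMPLES = {
    "lonely_hearts": """Hi Anna, we're connected on Facebook and I've admired your photos.
I'm a senior officer, single now, and I would love to meet you when I'm on leave.
Please reply today or I'll lose my chance to get the travel papers in time.
I just need you to send 300 euros via Western Union for the visa costs.""",
    "newsletter": """Hi Anna, here is the monthly reading list from the security team.
Reply if you'd like to be removed from the list.""",
    "invoice": """Dear customer, your invoice for March is attached.
Please transfer 300 EUR to the account shown by the due date.""",
}


def demo() -> dict:
    """Score every sample; returns {name: (ingredients_found, flagged)}."""
    return {name: (score(text), is_suspicious(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hits, flagged) in demo().items():
        print(f"{name}: {'SUSPICIOUS' if flagged else 'ok'} {hits}")
```

The invoice trips the money pattern alone and stays below the threshold; it is the combination of a claimed relationship, an emotional hook, a consequence and a transfer request in one message that matches the con, which is the same judgement a person should be making before replying.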

Side note: with greater access to anonymous methods of money transfer, traditional financial-gain crimes (scams, extortion, etc.) will become increasingly prevalent and brazen, and harder to stop.

http://www.csoonline.com/article/2378585/data-protection/airport-breach-a-sign-for-it-industry-to-think-security-not-money.html

http://www.smh.com.au/national/defence-chiefs-identity-stolen-in-love-scam-20140628-3b0jk.html