Apple vs. the surveillance state

“I want you to think!”

“How will your gun make me do that, Mr. Thompson?”

      — Ayn Rand, Atlas Shrugged

At the FBI’s request, a federal court has ordered Apple to undertake what amounts to a spyware development program. Apple is saying no. I applaud Apple, and I hope that if the FBI gets its way, the developers charged with the task will quit.


St. Mary’s Bank’s gross negligence

If you’ve got an online banking account with St. Mary’s Bank, change your password now. Then come back to this article. It’ll still be there. Hopefully your money still is too, but I wouldn’t guarantee it.


Chrysler’s computer security disaster

Charlie Miller and Chris Valasek, working with Wired’s Andy Greenberg, demonstrated that they can remotely hijack a Jeep Cherokee, making it do things that could kill everyone in it. Fiat Chrysler is recalling 1.4 million vehicles as a result of this revelation. Greenberg doesn’t fully explain how they did it, for obvious reasons, but he tells us this:

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.

Every computer on the Internet has an IP address, so the address itself is no secret; the real issue is the “one vulnerable element” that lets anyone who can reach that address in. We can only guess about it, but this seems like serious negligence on Chrysler’s part. When a computer system can put people’s lives at risk, you have to pay serious attention to security. According to a Computerworld article, it’s the entertainment system which is open to remote access, but it “is commonly connected to various electronic control units (ECUs) located throughout a modern vehicle. There can be as many as 200 ECUs in a vehicle.”

A basic principle of secure design, least privilege, is that you grant only as much access as is necessary. It’s hard to imagine why an entertainment system would need access to life-critical components. If some access is necessary, perhaps so that a warning of a major malfunction can go to the speakers, then the path between the two needs a gateway that passes only the specific messages required and blocks everything else; a warning needs to flow from the critical side to the speakers, not commands in the other direction. Did Chrysler allow the entertainment system free run of its ECUs, or was the gateway defective? We don’t know yet, and maybe it will never be made public.

New article on FEE website

FEE is running my latest article, “The Ghosts of Spying Past,” at just the right moment. The FBI is demanding the sacrifice of computer security to “national security”; this would represent a return to the encryption restrictions of the Clinton years. We’re still feeling the consequences of those requirements, and the NSA and FBI are demanding that we give up strong security because ISIS will kill us all!

Please spread the word if you like the article. A good hit count makes me more attractive as a repeat contributor.


Clinton’s email server

I try to avoid addressing specifically political issues on this blog too often, since I could easily get carried away with them to no useful purpose. This post is an extended reply to a couple of Twitter responses from a friend; discussing anything complicated on Twitter just doesn’t work. Also, it relates to issues where I have a bit of knowledge.

While she was Secretary of State, Hillary Clinton used a private server for the large majority of her official email. According to the New York Times, she didn’t even have a .gov email address. This doesn’t appear to have violated any laws, but legal isn’t the same thing as reasonable and prudent.

An article on Gizmodo discusses the security risks that may come with a less than expert setup of an email server. She used the domain clintonemail.com, registered through Perfect Privacy, LLC, which is a WHOIS privacy service rather than a mail host. Perfect privacy sounds good, but names are easy, and a privacy-proxy registration says nothing about how the server itself was secured. It’s hardly likely that its security was as good as the State Department’s. (Although, perhaps … she had reasons to think that hostile spy agencies had completely compromised the State Department’s email and she escaped to a private server? These days you can’t be too paranoid, but it isn’t clear how her course would have helped much. Future news developments might yet surprise us.)

The problems with such a system include lack of credible authenticity (If you got a message from “clintonemail.com,” would you think it was from the Secretary of State?), easy confusion with other domains, an uncertain level of security, and a far too convenient ability to delete anything she didn’t want known. Whether President Obama knew she was using this server is unclear. A Guardian article says, “Barack Obama emailed Hillary Clinton several times at her personal email address, the White House said on Monday, while insisting the US president did not realise his secretary of state was operating an independent email system detached from government servers.” How is that even possible? Whatever Obama is, he isn’t stupid. Would he accept email from any old address that claimed to be his Secretary of State, without even wondering about it?

Maybe I’m just underestimating how tech-stupid most people, even intelligent ones, are. Some email clients, like the inexplicably popular Outlook, do their best to hide the address from which you got any email, showing only the name. When I had to use Outlook at a previous employer, even I found it hard to tell what address a message really came from. (Which isn’t to say that an email address authenticates anything. They’re trivial to forge. A forged From address can be caught only if the sending domain publishes SPF or DKIM records and the receiving system actually checks them, and even then it is the domain that is verified, not the person.) This affair has me wondering just how vulnerable high-level government email communications are. Maybe it isn’t so unreasonable that Obama would be oblivious to an unfamiliar address. There must be clever technical people in Washington constantly begging high-level officials not to do stupid things, and I don’t envy them; who’d want to tell someone at the White House or Cabinet level, “Don’t do that, you idiot” for a living?

When caught, Clinton blustered; that’s a normal politician’s reflex. It only made her look more stupid to me, but not that many people understand the technical issues. I know how to read email headers; most people don’t know anything more than “From” and “To.” I’m regularly surprised when people don’t know things I consider common knowledge, like that Linux is an operating system or that Lenovo shipped Superfish with many of its computers. There are as many things I don’t know that other people take for granted. But somebody, in all that time, should have noticed that Clinton was engaging in seriously bad security and accountability practices. I suppose no one dared raise the issue.

How Lenovo’s spyware works

If you’ve recently bought a Lenovo computer and you’ve been reading about “Superfish,” should you panic? Yes.

Well, no. Panic never produces useful results. But you should definitely act. If you can, return the computer and get a different brand. If you can’t, take prompt steps to remove the spyware.

The best approach is to install Windows (or Linux) from scratch, overwriting the existing operating system, and not using Lenovo’s installation package. The problem isn’t just the spyware; it’s that Lenovo has shown itself to be basically untrustworthy. Even if we assume it accepted Superfish stupidly rather than knowing it was committing a major security breach, Lenovo was notified on January 21 that Superfish used a self-signed root certificate to intercept SSL communications and didn’t respond until the publicity became overwhelming, almost a month later. Update: Superfish was reported for falsifying Google search results on Lenovo’s forums back in September 2014, though that report didn’t note the SSL hijacking.

The root certificate issue may need some explaining. The SSL certificate system, which is central to secure Web communications, relies on public/private key pairs. A server’s certificate contains its public key. When you connect with authenticated HTTPS, your browser makes the server prove during the handshake that it holds the private key matching that public key; only the holder of the private key can complete the handshake correctly.

But how do you know that the certificate is authentic, that is, that the public key really belongs to the site named in it? The answer is “digital signing.” A certificate authority (CA) signs the certificate with its own private key, and anyone who has the CA’s public key can verify that signature by the same public/private trick. Nobody needs the CA’s secret to check it.

But isn’t that begging the question? You still need to know whether the CA is authentic. A CA’s certificate can be signed by another CA, and such chains are necessary to handle the vast number of SSL certificates on the Internet. Ultimately it comes down to a trusted source, a “root certificate.” Browsers, or the operating system on their behalf, ship with a list of root certificates which they trust by default; anything that chains to one of them is accepted without further question. If a root certificate is compromised, or a rogue one gets into that list, the whole system comes crashing down. Whoever holds its private key can claim that fake certificates are genuine and impersonate websites that collect your credit card numbers and other personal data.

Lenovo’s Superfish installs a rogue root certificate. The certificate is “self-signed,” meaning it vouches for itself; self-signing by itself earns no trust, but Superfish’s installer adds the certificate to the system’s list of trusted roots, and from then on the browser trusts anything signed with its key. When you connect to a site, Superfish’s interception proxy generates a certificate for that site on the fly, signs it with the rogue root, and hands it to your browser, which sees a valid chain and shows the padlock. You think you have a secure, private channel to a site like Google, but Superfish is reading every bit you transfer. This is what’s known as a “man in the middle” attack. It decrypts your data, does things with it, and then re-encrypts the modified data and sends it on its way.
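The argument in the last few paragraphs, as an added example that is not part of the original post and is not Superfish’s or Komodia’s code: a toy model of certificate chains and trust stores in Python. It uses textbook RSA with no padding (real X.509 uses padded signatures and ASN.1 structures), keys far too small for real use, and hypothetical names (“Legit Root CA” as the real CA, “Superfish, Inc.” as the rogue root, www.google.com as the site being impersonated). It shows that a forged certificate for a site fails verification even when the self-signed rogue root is presented alongside it, and passes as soon as that root is added to the trust store.

```python
"""Toy chain-of-trust model (added example; not the post's or Superfish's code).
Textbook RSA, no padding, 512-bit keys: for illustration only, never for real use."""
import hashlib
import random

_rng = random.Random(20150219)  # fixed seed so the demo is deterministic and offline
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _probably_prime(n, rounds=24):
    """Miller-Rabin probable-prime test; fine for a demo key, not for a real one."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # right size and odd
        if _probably_prime(cand):
            return cand


def keygen(bits=512):
    """Return ((n, e), (n, d)). 512 bits keeps the demo fast; far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _tbs_digest(cert):
    """Hash of the 'to be signed' fields: subject name, subject public key, issuer name."""
    n, e = cert["pubkey"]
    tbs = f'{cert["subject"]}|{n}|{e}|{cert["issuer"]}'.encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big")  # 256 bits, always < the 512-bit n


def issue_cert(subject, subject_pub, issuer_name, issuer_priv):
    """The issuer signs the subject's name and public key with the issuer's PRIVATE key."""
    cert = {"subject": subject, "pubkey": subject_pub, "issuer": issuer_name}
    n, d = issuer_priv
    cert["sig"] = pow(_tbs_digest(cert), d, n)
    return cert


def signature_ok(cert, issuer_pub):
    """Anyone holding the issuer's PUBLIC key can check the signature; no secret is needed."""
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == _tbs_digest(cert)


def verify_chain(chain, trust_store):
    """chain[0] is the server's certificate; each later entry must have issued the one before it.
    Succeeds only when the walk reaches an issuer whose key is in trust_store."""
    for i, cert in enumerate(chain):
        if cert["issuer"] in trust_store:  # reached a trust anchor
            return signature_ok(cert, trust_store[cert["issuer"]])
        if i + 1 == len(chain) or chain[i + 1]["subject"] != cert["issuer"]:
            return False  # chain broken, or it never reaches a trusted root
        if not signature_ok(cert, chain[i + 1]["pubkey"]):
            return False
    return False


def demo():
    """Returns (legit_accepted, forgery_rejected_before_install, forgery_accepted_after_install)."""
    root_pub, root_priv = keygen()    # a legitimate CA the browser already trusts
    site_pub, _ = keygen()            # the real site's key (www.google.com is just a label here)
    rogue_pub, rogue_priv = keygen()  # the Superfish-style root shipped on the laptop
    proxy_pub, _ = keygen()           # key the interception proxy puts in each forged site cert

    trust_store = {"Legit Root CA": root_pub}
    legit = issue_cert("www.google.com", site_pub, "Legit Root CA", root_priv)
    rogue_root = issue_cert("Superfish, Inc.", rogue_pub, "Superfish, Inc.", rogue_priv)  # self-signed
    forged = issue_cert("www.google.com", proxy_pub, "Superfish, Inc.", rogue_priv)

    legit_accepted = verify_chain([legit], trust_store)
    # Presenting the self-signed root with the forgery earns nothing: it chains to no trusted key.
    forgery_rejected = not verify_chain([forged, rogue_root], trust_store)
    # Superfish's installer adds its root to the trust store; now every forgery verifies.
    trust_store["Superfish, Inc."] = rogue_pub
    forgery_accepted = verify_chain([forged, rogue_root], trust_store)
    return legit_accepted, forgery_rejected, forgery_accepted


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the three results. The point of the chain walk is that the signature check never uses any secret; trust comes entirely from which keys sit in the trust store, which is why a rogue entry there is a total compromise and why removing the software without removing the certificate leaves the hole open.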

Lenovo is intercepting secure communication by feeding users false data. I’m no lawyer, but shouldn’t that be grounds for criminal charges?

The private key is on every computer which runs Lenovo’s subverted version of Windows, and it is the same key on all of them. It’s password protected, but a little reverse engineering of the software has turned up the password, which is a rather weak one and is now all over the Internet. This means that others can impersonate the impersonator: anyone on the same network as an affected laptop can sign a certificate for any site with that key, doing far worse things than injecting ads into your browser.

The CA system is inherently fragile. Superfish isn’t the first to have thought of this scam. There are lots of opportunities for criminals and governments (pardon the redundancy) to steal information this way.

It appears that Lenovo’s removal package, introduced after intense public pressure, removes the Superfish software but not the bogus certificate. If you’ve used it, check for yourself: open the Windows certificate manager (certmgr.msc, as an administrator), look under Trusted Root Certification Authorities for an entry issued to “Superfish, Inc.,” and delete it.

Lenovo has been shamelessly lying, and Superfish with it (the first paragraph below is Lenovo’s statement; the second, which speaks of “our partnership with Lenovo,” is Superfish’s):

There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish’s software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly.

Where do we start? Lenovo makes unspecified claims about “false and misleading statements” without denying anything in particular. The issue isn’t merely a “security risk,” but an actual, willful breach. Whether it shares the intercepted data with a third party is irrelevant. The claim that a software bug “unintentionally” created the forged certificate and man-in-the-middle interception is ludicrous.

The “third party” in question is a company called Komodia, which devised the interception technology and used its own name as the password for the bogus certificate. According to Forbes, Komodia’s founder, Barak Weichselbaum, “was once a programmer in Israel’s IDF’s Intelligence Core.” Komodia used to offer an “SSL hijacker,” no longer on their website although the Internet Archive still has the page. Komodia explains that “the hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.” Purely unintentionally, of course.

Just by the way, here’s a filk on the subject:

Superphishin’

Words: Gary McGath, Copyright 2015

Music: “Superchicken”

When your data is in danger,
When it’s picked up by a stranger,
And they never asked for your permission,
There is someone you can blame
For putting spyware on your disk:
Lenoooooooooovo’s Superphishin’!
 
If it looks like you have well and truly caught it,
You should have known it was infected when you bought it.
 
Now you understand the risk
Of SSL faked on the disk;
A painful death for them is what you’re wishin’.
There is someone you can blame
For putting spyware on your disk:
Lenoooooooooovo’s Superphishin’!
Lenoooooooooovo’s Superphishin’!


Review: Swann Viewcam

Looking for something to augment my home security, I picked up a Swann Viewcam. It’s offered as a basic home security camera with local storage and Wi-Fi capabilities. The idea is good, and the camera itself doesn’t seem too bad, but the software makes it a disaster. First I downloaded the Mac application. It’s unintuitive, without text labels on its controls. It provides no reliable status indication for the device. Sometimes it would say the device was “off,” but at other times it would just show the last image received. If it’s monitoring an empty room, it can take a while to realize that nothing is being updated. The camera’s Wi-Fi range is poor, even in a relatively small home like mine.

The iOS application is even weaker, and it bombards you with ads. (Have they forgotten that the people using it have just paid them a fair amount of money for the device?) It doesn’t provide any status indication beyond showing incoming video or not. It required me to log in repeatedly; that isn’t even a security feature, since it pre-loaded the user and password fields and just made me tap “Log in” to continue.

All this wouldn’t be fatal if the device and software performed their basic function of storing video. Last night I noticed no files were being stored, but I let it run overnight just to be sure. This morning there were still no files stored in the folder I’d designated. I’d put a Micro SD card into the device to store video locally; that likewise had nothing on it.

Zero stars. This device will soon be going back to the store.


Online banking security

Banks still don’t get security for their online sites. A long time ago, I signed up for online banking with BANK_X (I’m not giving out any information that would help phishers here) and noticed some worrisome signs, including a sudden increase in directed phishing spam, so I cancelled the service. About a decade later I figured they might have improved things, so I tried again. It’s a little better, but there’s still at least one significant problem.

After getting my account initially working, I had to activate the bill payment feature separately. This involved a delay, and I got an email from “Bill Pay” this morning saying it had been activated. It’s a lucky thing the email from Mr. Pay didn’t get marked as spam.

I logged into my account in the usual way, from the bank’s website (never blindly click on email links!) and found that the page didn’t look the same as usual. Only my checking account was showing; and then I noticed I was in a different domain from the one that normally services my online banking. I was logged out in the middle of navigating it, and I went back to the BANK_X site and logged in again. This time things looked normal. This had me worried, so I sent an in-site message stating my concern. The response said that I should be seeing the image I had selected when setting up the account on each page, and if I wasn’t seeing it, there might be a security problem.

I discovered that by clicking on the bill payment tab I got taken to the same odd-looking page on a different domain as before, and confirmed my recollection that I wasn’t seeing the image in question. This was sounding seriously worrisome, so I called the bank. The person I talked with told me that behavior sounded wrong and asked me to try again from another computer. I booted up my laptop, found the same behavior there, and called back. The person who answered this time got the information from the one I’d talked to at first, and this time I was talking with someone who understood the system better. She said that bill payment is in fact handled by a different service, and that I won’t see the selected image there. I pointed out that this was contrary to the instructions on the BANK_X website; she agreed with me and suggested I send in feedback, which I’ll be doing shortly.

Most customers are oblivious to all suspicious behavior on a bank’s website and will just forge blindly ahead, which is why phishers are able to scam people so easily. This isn’t just my impression: a 2007 study by Schechter, Dhamija, Ozment and Fischer (“The Emperor’s New Security Indicators”) found that nearly all participants typed their passwords into a bank login page even when the site-authentication image had been removed.

I have serious doubts about using this bill payment service, even after my most pressing fears were assuaged.

Update: A representative of BANK_X replied to my feedback and said that once you’ve logged in and see the security image once, nothing can possibly go wrong, so you don’t need to see the security image again and you shouldn’t worry if you find yourself on a different domain. Idiots.


Philcon’s insecure online registration

While it’s the data breaches at big companies that make headlines, small operations are often the sloppiest. A few days ago I started to register for Philcon. The only option was online registration. I chose one adult full membership and was taken to the following URL:

http : //2014.philcon.org/index.php/component/hikashop/checkout?Itemid=131

(WordPress automatically turns anything that’s syntactically a URL into a link, so I’ve put spaces around the colon to prevent this.)

That page asks for either a login with an existing password or registration with a new password. Either way, the page is served over plain http, so the password will be sent as cleartext. This is seriously bad security for any site that’s handling money.

I wanted to see if it would do the same when asking for my credit card information. If it did, that would be egregiously bad security. Here, though, things just got weird. I entered clearly fake information, selected Visa for my payment method, and clicked to continue. This brought me to a page that had a message at the top, “You cannot access the private section of this site,” but was still allowing me to proceed. It claimed that I had chosen PayPal for my payment method. I tried going back but couldn’t find any way to change the payment method.

When I clicked on “Finish,” I was taken to a secure PayPal page, where I stopped. I went back to the Philcon site and found that my shopping cart had been cleared; at least that’s worth something as a security touch. I tried to log in again, and kept getting “You cannot access the private section of this site,” this time keeping me from going further. (If I entered the wrong password I got a different error message, so I had successfully registered and was using the right password.) As a further check, I tried logging in from two other browsers, first clearing all cookies, and got the same error message about the private section. I don’t know what the “private section” is or why the server thought I was trying to access it; maybe that’s where credit card payment happens if you can get there.

I would have been happy to register with a paper form, but the site didn’t provide one. A couple of days ago I learned from another person with the same problem that he was being told that no one else was complaining. I gave him permission to say I was complaining too, and now there’s an option to download the flyer. Philcon’s online registration is frighteningly buggy, so I recommend using the paper form.

See you at Philcon, if they don’t ban me for posting this.


Thumbtack, a security disaster

Thumbtack.com is a website where people can post requests for bids on jobs. I signed up for it last week, hoping to pick up some website creation jobs, but I’ve just deleted my account after discovering it has a horrendous security hole. Fortunately, I hadn’t given any sensitive information such as a credit card.

I discovered Thumbtack’s security disaster this morning, when I received my first email requesting bids. I clicked on the link — sent in cleartext — and found myself logged in to Thumbtack. I can assure you I was not logged in before. My browser settings delete all cookies when I quit. I verified this with a second browser. With that click, I had access to all my settings.

Bear in mind that cleartext email goes through any number of servers, with no end-to-end protection. Anyone with access to the server at any relay point, or to the traffic between relays, could run a filter for thumbtack.com and harvest accounts. Someone probably is doing it; I doubt that I’m the first person in the world to notice. On top of that, the link is http, not https, so it’s also vulnerable to interception when you click it, and a URL that logs you in is a credential that ends up in mail-server logs, web-server logs, and browser history.

I immediately tried to delete my account; it took about four tries, which isn’t a good sign either, but I finally got rid of it. I think. Let’s try that link again … Oh, good. I’m now getting “Account deactivated.”

I feel as if I’m walking rather dizzily back from a precipice. AVOID THUMBTACK.
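As an added example that is not Thumbtack’s code (the post doesn’t say how their link works, so the weak version below is a guess at the pattern it describes: a link that logs in anyone who presents it, indefinitely), here is a Python comparison of that pattern with a single-use, expiring login link that is only honoured over HTTPS. The host names, class names, and the 15-minute lifetime are assumptions.

```python
"""Added example: why a login link in e-mail is a bearer credential, and how to limit the damage.
WeakLinkIssuer is a guess at the pattern the post describes (not Thumbtack's code);
MagicLinkIssuer is the hardened form. Host names and class names are hypothetical."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse


def _query_param(url, name):
    return parse_qs(urlparse(url).query).get(name, [""])[0]


class WeakLinkIssuer:
    """A static link: same URL for the same user forever, works any number of times,
    sent and clicked over plain http. Whoever reads the mail or the wire owns the account."""

    def __init__(self, base_url, secret=b"server-side-secret"):
        self.base_url, self.secret = base_url, secret

    def _sig(self, user):
        return hmac.new(self.secret, user.encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        return f"{self.base_url}?user={user}&sig={self._sig(user)}"

    def redeem(self, url):
        user = _query_param(url, "user")
        ok = hmac.compare_digest(_query_param(url, "sig"), self._sig(user))
        return user if ok else None


class MagicLinkIssuer:
    """Random single-use token, stored only as a hash, expiring after ttl_seconds,
    honoured only over https. An intercepted link is worthless once used or expired."""

    def __init__(self, base_url, ttl_seconds=900, now=time.time):
        if urlparse(base_url).scheme != "https":
            raise ValueError("login links must be https")
        self.base_url, self.ttl, self.now = base_url, ttl_seconds, now
        self._pending = {}  # sha256(token) -> (user, expires_at); hashed so a DB leak isn't a token leak

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._pending[self._digest(token)] = (user, self.now() + self.ttl)
        return f"{self.base_url}?token={token}"

    def redeem(self, url):
        if urlparse(url).scheme != "https":
            return None  # refuse a downgraded link outright
        entry = self._pending.pop(self._digest(_query_param(url, "token")), None)  # single use
        if entry is None:
            return None  # unknown token, or already consumed (a replay)
        user, expires_at = entry
        return user if self.now() <= expires_at else None


def demo():
    """Returns ((weak: first use, replay), (strong: first use, replay, expired, http downgrade))."""
    weak = WeakLinkIssuer("http://thumbtack.example/login")  # hypothetical host
    weak_link = weak.issue("alice")
    weak_results = (weak.redeem(weak_link), weak.redeem(weak_link))  # ("alice", "alice")

    clock = [1_700_000_000.0]  # controllable clock so the expiry case is reproducible offline
    strong = MagicLinkIssuer("https://thumbtack.example/login", ttl_seconds=900, now=lambda: clock[0])
    link = strong.issue("alice")
    first = strong.redeem(link)   # "alice"
    replay = strong.redeem(link)  # None: token consumed on first use
    link2 = strong.issue("alice")
    clock[0] += 901
    expired = strong.redeem(link2)  # None: past its 15-minute lifetime
    downgraded = strong.redeem(strong.issue("alice").replace("https://", "http://", 1))  # None
    return weak_results, (first, replay, expired, downgraded)


if __name__ == "__main__":
    print(demo())
```

The weak issuer isn’t broken cryptographically; the HMAC is fine. The problem is that the URL is the credential, it never changes, and it travels in the clear, so the security of the account equals the security of the least careful mail relay. Storing only the token’s hash, consuming it on first use, and expiring it bound what an eavesdropper can do with a copy.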
