We pride ourselves on our approach to security here at RJS and have been keenly interested in the goings-on with the NSA and the PRISM program and all the third parties that seem to have no problem coughing up your personal info: corporate giants such as Google, Facebook, Microsoft, etc.
Here’s a new one to add to the list: Motorola.
Ben Lincoln posted on his blog today some interesting facts he happened to stumble upon when troubleshooting an Exchange ActiveSync setup with his Motorola Droid X2 cell phone. Turns out that Motorola is gathering ALL his logon credentials for third-party sites/services and photos he’s taken with his phone, and passing quite a bit of that data unencrypted over HTTP.
In layman’s terms: all that data is interceptable by third parties; in fact, that’s how Lincoln initially discovered it.
We talked quite a bit about a similar issue with HTC and “Carrier IQ” being pushed to all their phones through an over-the-air update. Fortunately, Trevor Eckhart discovered that little gem and put a lot of valuable time and effort into making it known: Eckhart pointed it out to the XDA ROM modding community and swift steps were taken to purge it from all custom ROMs. The resulting backlash against HTC was huge, to the point that their stock and market share tumbled during 2012 and in 2013.
When you break the trust of your customers, it is really hard to recover.
HTC licked their wounds and released the HTC One, which has been aptly named since it’s their one last effort to salvage the company. I picked up the One this spring on vacation, rooted it a day later and installed a custom ROM that I know has been stripped of any carrier and manufacturer bloat and spyware.
Do I feel any more secure? Not really, since the NSA is digging through all my email and phone traffic regardless of the personal security steps I take.
Maybe it’s time to take a Jack Reacher approach and just unplug from everything and step entirely off of the grid …
Iterative Improvement and Data Leaks
Over the weekend, social media sites lit up with news about Edward J. Snowden’s travel plans. Leaving aside the questionable “wisdom” of keeping the government tracking you informed as to which countries you plan to flee to and which flights you plan to take, the practice of “stay one step ahead of your trackers” is a time-tested technique. Though it results in some rather humorous jokes, fundamentally, it works.
What also works is learning from the mistakes of others.
In this story, we have two individuals, Edward J. Snowden and Bradley Manning. We also have a fairly large organization that first trusted, then persecuted them. We can call this “the U.S. Military,” “the U.S. Government,” “the Obama Administration” or “the Intelligence Community.” However, all of these terms, I think, suggest a level of uniformity that doesn’t really exist. The various departments involved seem to operate more as fiefdoms than as cogs in a massive and efficient machine. Why?
Let’s look at the Manning story: In May 2010, he was arrested for providing data to WikiLeaks about the way the U.S. behaved during the conflicts in Iraq and Afghanistan. After his arrest, he was jailed and, according to some, treated quite poorly. While military treatment during detention differs significantly from that of private individuals, it seems as though he:
- Was kept in a small cell with no window.
- Was forced into a regimented sleep schedule.
- Was required to remain visible at all times (no sheets, etc.).
Later, he was classified as a suicide risk and, according to the rumors, had his clothing and glasses taken away and was forced to remain in his cell 24 hours a day. This classification was later lifted, and he was moved to a lower security prison.
Now, if you saw evidence of what you believed to be unethical behavior and felt obligated to report it, how would those consequences affect you? For many of us, it may well be enough to prevent us from leaking the information — but as Snowden shows, that’s not the case for everyone. Snowden’s flight to Russia and, if he ever gets there, to Cuba and then to points beyond, indicates that he saw the risks of his choice and is taking steps to mitigate them. He may not be doing it very well, but it is important to note that he has learned from Manning and is trying to do a little bit better. Odds are high that the next person in this position will do even better.
This is because attackers gravitate towards open communication and learn quite quickly.
In contrast, we have a defense side that was taken twice by the same attack — three years apart. Sure, the details vary a bit, but all in all, sensitive data was taken off a system and the identity of the person that stole it was only made public because of their own action. In other words, three years after the first attack, the distributed departments that make up the U.S. government and military have NOT learned how to protect their data and identify the individuals that have access to it.
Granted, it’s a big problem. However, it’s also a big problem to not address this problem, as illustrated by the political risks being faced by the administration today. In general, attackers learn faster than defenders and then, during an event like this, the defenders have to expend even more resources attempting to either contain or respond to successful attacks.
What will things look like in three more years? Will we have a data leaker who is better at keeping anonymous? Will the data released be even more damaging to the government?
Who do you think will learn the Snowden lesson better? The next leaker or every department of the government?
History is not on the side of the defense.
Internet Theft and the Holidays
As many of you know, when I am not protecting people and their businesses, I’m often out taking pictures. My camera of choice has been the Nikon d300, which is over five years old now. As with all technology, when cameras age, they become increasingly unreliable and it became apparent over a year ago that my camera was experiencing legacy issues. The weather protection was weakening, the sensor was starting to fail and the batteries were draining faster and faster. If I am going to practice what I preach, it was time to ruthlessly eradicate legacy.
“Ruthlessly eradicate legacy” is one of my mantras when it comes to infrastructure management. Older systems take a surprising amount of resources to maintain and use. Modern technology is easier to update, cheaper to operate and easier for people to use. It also has modern features that can drastically improve capabilities. With servers, this means killing all those that no longer get updates (Windows 2000, for example). With cameras, it means time to say goodbye to my old friend and look at other options.
This is not a camera post, however, so I’ll cut short the decision process and say that I settled on a d800 or d800E. For my purposes, there are no differences, so I went out looking for a good deal. After all, Black Friday is coming and now is the time to look for electronics. This, however, is where the story gets interesting.
In doing my research, there were indications that while camera accessories go on sale periodically, the high-end camera bodies and lenses I like only drop in price when a successor comes out. This means I’m stuck at the high end unless I buy used. Moreover, in the Nikon world, warranty is a huge factor and is significantly reduced when you buy used, so it only makes sense to look at that option if you are going to save over 20% off the purchase price.
Which is why, when I found a d800E on Amazon, I got a little excited. In fact, I got a little too excited. I almost got scammed.
The list price on a new d800E is $3,299.99 (which is why my d300 got to be five years old before I considered a replacement), but this camera listed on Amazon.com was just $1,836.73. 56% off is clearly a better deal than 20% … but the deal is a little too good. In fact, it’s so good that a lot of people are going to leap on the deal, so I had to move fast.
Or did I?
See, the deal was too good. I got suspicious. Luckily, the seller had a note in their little logo icon that said to email with questions, so I did… not before I did a bit of research, though.
In the News
Here are three security articles we found rather interesting this week.
Researcher Wows Black Hat with NFC-based Smartphone Hacking Demo (CIO)
Accuvant Labs researcher Charlie Miller has figured out how to break into the Google/Samsung Nexus S and the Nokia 9 smartphones by using Near Field Communication (NFC).
“I can read all the files,” said Miller about how he managed to break into the Nokia 9 when his home-made NFC-based device is in very close proximity to the targeted smartphone. “I can make phone calls, too.” Vulnerabilities he identified in the Android-powered Nexus S were located in the browser surface, he said.
The truth behind those Nigerian 419 scammers (TechRepublic)
419 Advanced Fee Fraud (also known as the Nigerian 419 scam) is still being used quite frequently to steal money from gullible victims via fraudulent emails. But are these emails really coming from Nigeria, or are they perpetrated by attackers from other countries?
Researchers from the University of Ibadan found the following IP locations within 400 scam emails tested:
The Wisconsin Department of Revenue: A Bargain for the Identity Theft Collective (The Huffington Post)
Adam Levin of Credit.com wrote an interesting story documenting Wisconsin’s complete inability to secure public information.
Last week, the Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department’s website for almost three months before being removed.
This is the fourth time since 2006 that Wisconsin state agencies have been involved in the public release of Social Security numbers.
A Simple Lesson in Protecting yourself against Malware
We see the stories in the news each and every day.
Malware hit Android. Malware took advantage of known flaws in Windows. Source code was released for a new family of malware. The thing is … none of this is really news.
I’ll make it simple for you. You can ignore all the rest of the malware stories that come out this year if you remember the following points:
- Attackers get better day by day. After all, if they didn’t, they’d lose.
- As defenders, you must also get better day by day. If you don’t, you’ll lose.
- Since we can’t control what the attackers do, the best you can do is play to not lose. This means:
1) Harden your systems (patch them, check users/passwords, remove unneeded software).
2) If you can’t harden your systems, get rid of them.
3) If you can’t harden your systems or get rid of them, implement compensating controls and understand where the gaps leave you exposed.
4) If you can’t do any of these three, get help. Sorry to toot my own horn here, but this is what we specialize in. You don’t need to be perfect, you just have to be getting better a bit faster than the attackers do.
5) If you can’t get help, give up. Just post your banking credentials, customer list and passwords on your website. The attackers are going to get them anyway. If you’re not going to protect yourself, just give up and enjoy the ride down as best you can.