Tag Archives: password

Apple-Google-FBI Phone Encryption Spat or Public Image Campaign?

Apple and Google announced encryption programs for their smartphones that supposedly increase their customers’ privacy. As a result we’ve just seen a very public privacy vs. security debate with Apple, Google, and the FBI making statements worthy of desperate pre-election politicians. An interesting aspect is that the debate rages around the technical issue of encryption, even though practically no technical information has been released. So no technical evaluation of the claims is feasible, but a closer look at the underlying issues seems in order.

First of all, the very basis of encryption as we know it is that every party privy to encrypted data has to have the key. Simply put, this means that there are always at least two keys involved. Even if you encrypt your files within your own computer with a password that you remember, there has to be a reciprocal key somewhere in you computer for validation. Otherwise, there is no encryption.

Apple and Google announced that they would no longer have a “master key,” or possibly a database of the passwords of all users on their servers. (A very interesting question pops up: how are they going to update software in your phone or computer? That wasn’t mentioned.) That sounds like they’re transferring your privacy destiny into you own hands. It’s just not so. Suppose they really aren’t going to have your password. What they’re really saying is that somebody else will have your password, presumably your mobile phone carrier. So the whole hoopla is really about them saying that they don’t want to deal with Government demands for massive amounts of our private data. They’re just saying that the Government has to deal with someone else.

The best case scenario here would be for Apple and Google encryption to be arranged in a way that your personal data such as your rolodex, your pictures and notes, etc. would be stored in your phone encrypted with your personal password, and your carrier would not have a copy of it.

Either way, the FBI has a difficult case to complain about. Their statement that encryption will hinder criminal investigation is clearly disingenuous. It’s not a matter of technical difficulty, it’s a matter of convenience and constitutionality. The only problem this would make for the FBI is that they couldn’t come to a company with a vague sweeping order for a vast amount of private data of a lot of their customers. They’d have to hack every suspect’s phone individually. This is certainly not difficult, and if they don’t know how to do it they can consult the NSA. They’d also have to go to court to obtain a search warrant for every individual suspect. Inconvenient, but that’s the way the Constitution meant it to be.

Cyber Guns for Hire

Dawn of a New Era of Hacking

Last week I was trying to log on to the control panel of my blog and an annoying message came back. It announced that the host company was under a massive cyber attack by a botnet of some 90,000 infected slave computers trying to break into its customers’ blogging accounts by a brute force attack that was guessing its customers’ user IDs and passwords. Success would enable the attacker to take control over some blogs. So a login was not available.

My first reaction was mild annoyance at this déjà vu event of Internet daily life. Then something occurred to me: this was not business as usual, it was a sign of a new hacking era.

There are two important points to be made here. One is the type of the attack. Botnet attacks have been around for decades, but usually they are crude flooding-type DDoS attacks, with tons of cyber junk thrown at some entity’s servers, clogging up their communications channels and thus denying normal cyber services. This was dramatically different: the botnet was performing a crypto attack by a vastly distributed but coordinated force. And there was a fundamental qualitative difference here: instead of a dumb flooding the botnet performed an intelligent task by utilizing the vast computing power of the combined slave machines.

This is just the beginning of a trend, with the performance of more sophisticated tasks to come. It represents a frightening increase of the cyber powers of hackers not backed by a state, who by themselves possess limited computing power.

The second point here is that the attack was directed at the blogs’ controls server, which does not itself contain any of its clients’ financial information. Typically, hackers go after financial data or target a specific entity they don’t like. In this case the site attacked contains multiple blogs, so it was not itself the target. This, in turn, means that somebody – a hacker’s customer who does not possess the level of expertise necessary for such a major operation — was after a specific blog or two they didn’t like for some reason. So the entity behind the attack was not a typical hacker.

What does this tell us? That it likely was a hacking job for hire performed by a competent hacker for some customer motivated by unknown considerations. This means that a paying customer can hire the services of skilled but unscrupulous hackers with their powers vastly amplified by potentially millions of computers around the world.

This aspect of the event seems to signal the dawn of an alarming new era in cyberspace, when someone can actually use cyber guns for hire to mount sophisticated attacks far more devastating than just silencing a blog they dislike.

I addressed the theoretical potential of this dimension of hacking in my book (Cyberspace and Security), and it now looks like an upcoming reality.

A Hack Is Forever

Announcements by major companies and Government organizations that they’ve been hacked and have lost millions of private records that we entrusted to them are now as routine as the morning weather forecast on TV news. These announcements are usually followed by an assurance that from now on everything will be just fine, along with an urgent request that everyone change their passwords. Requirements for the passwords are getting more sophisticated – instead of a plain four-letter word they are supposed to be a little longer and include some characters requiring the shift key.

This is totally useless advice for two reasons: one is that these “sophisticated” passwords are in practice just as easy prey for a modern computer as the proverbial four-letter word, and the second is that no real hacker is going after your individual account unless he happens to be your curious next-door teenager or your nosy grandmother. In the real world hackers aren’t dumb. Why would they go after a few million accounts one-by-one if they can simply hack the organization’s server at the root or Administrator level and get all the data in every account with just a single hack? Any hacker worth his salt knows this, and this is exactly what hackers do – they hack the server, and  that makes our individual passwords irrelevant.

These “change-your-password-for-a better-one” announcements likely have some other subliminal agenda. It looks like the real reason for asking you to change your password is to make you feel responsible for your data security. In other words, to blame the victim.

Furthermore, victims are majorly misled in a couple of other ways too. First of all, after a hack all your private personal data are gone, and they’re available to any criminal is cyberspace for a nominal fee. You cannot take them back. You can change your password, but you cannot change your name, date of birth, social security number, address, phone number; even changing your mother’s maiden name is difficult. All these are available to identity thieves.

And there’s another aspect that your favorite bank won’t tell you about: every competent hacker will leave a dormant cyber mole deep inside the hacked system. These are practically impossible to detect despite all political and marketing claims to the contrary. So even if the entire security program of a system is changed the cyber mole will report all the changes to its master. Including your new sophisticated password.

So a hack is forever.

Dawn of Cyber Reality

It’s being presented as mainstream media shockers that a Russian cyber gang stole 1.2 billion cyber identities, including user names and passwords, or that somebody stole 4.5 million hospital records including including addresses, birth dates and social security numbers. How awful!

Now, a good reality check is clearly in order. The alleged Russian criminal gang of less than a dozen members comes from a small town in the middle of Russia that most people never heard of. By any measure this gang is nowhere close to the top of Russian cyber criminal outfits, never mind the government spooks of many countries. If they managed to get all the data reported, there’s absolutely no doubt that higher-level cyber attackers have much more — they just prevent others from finding out about it. Actually, it’s usually wisest to hide your success in any intelligence operation or theft.

The current cyber reality is that practically all user data is stolen. One of the qualities of cyberspace is that the same cyber asset can be stolen multiple times by multiple perpetrators. In other words, in the physical world a burglar can steal your asset only once; in cyberspace it can be stolen many times by multiple cyber burglars. So understand: whether you like it or not, all user data is stolen by many attackers, including multiple cyber gangs and, of course, by several countries’ spooks.

The real question isn’t whether user data is stolen, nor who stole it—it’s what to do about it. And, in another reality check, it’s being recognized by more and more “experts” that nothing can be done about it beyond fuming until we finally get to develop a real cyber security. Indeed, what difference does it make who stole your assets? There is none, unless you have a preferred burglar for your house.

So, it looks like all this hype about stolen identities is no more than a lot of hot air until we develop a cybersecurity technology that actually works. Then we can seriously discuss the issues now hotly and fruitlessly debated in apparent perpetuity.

 

Real Target of eBay Hack

Inasmuch as the recently announced hacking of eBay sounded like déjà vu, some aspects of it do warrant further inquiry. The company’s standard “we are dedicated to the security of our customers and are transparent” approach is plausible, but its customers may in fact be in less danger than is automatically assumed.

A common retail hacking usually ends up with a large number of customers’ accounts charged small amounts that go unnoticed for some time, allowing the hacker to accumulate significant amounts and, hopefully, cover their tracks. The relative stealthiness of this approach usually works well with credit card charges that don’t attract the attention of the customers. With this approach the major distinction between hacking of a bank, VISA, or MasterCard and eBay is that eBay customers are usually very involved in every transaction, and are likely to detect any discrepancy faster than during a  casual use of a credit card. This makes eBay a less attractive target for a hacker – the probability of quick detection is a lot higher and the yield per transaction is still small.

Hackers clearly understand that, which raises the question of why they chose to hack eBay. Something other than the retail accounts must have attracted them to eBay, and eBay’s announcement that they had no indication of a significant spike in fraudulent activity on their site corroborates that. The answer probably lies with the huge overall amounts of money passing through eBay every day. I suspect that the hackers went after large corporate transactions with banks and vendors. There are very effective methods of hiding electronic theft from companies that are well beyond the scope of this post. Such methods can deal with large amounts and are assured a very low probability of detection for a significant time, enabling the thieves to cover their tracks. The key here is that with the high level of automation and the large number of transactions via eBay’s corporate network, hackers can reasonably hope for significant time before the transactions are scrutinized manually. The fact that “cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” and that the hack occurred “between late February and early March” and was detected only in early May supports this scenario. Furthermore, the accuracy of the attack detection and the time range cited suggest that eBay has only a vague idea of what actually happened and when.

All this tells us that eBay customers’ accounts are in less danger than may appear. Moreover, if someone gets your address, birthday, and telephone number, you cannot – you can’t take back and secure that information by changing your password — which does not offer much protection in the first place. However, eBay should take a very close look at its corporate finances from February through May of this year – they may be missing a few million.

Utilities Hacking Paradigm Shift

 

With the pleasant long weekend over, now is a good time to check up on recent cyber history. It’s a common Government practice to release potential “hot potatoes” just before a holiday in the hope that they will pass generally unnoticed. So it’s useful to review the pre-holiday week’s releases right after the holiday. There is something there that caught my eye that I would like to address.

Interesting questions were raised by the following article, oddly published by an Australian publication on May 22: http://www.gizmodo.com.au/2014/05/hackers-broke-into-a-public-utility-control-room-by-guessing-a-password   (“Hackers Broke Into A Public Utility Control Room By Guessing A Password.”) In short, the story is commenting on the DHS announcement of the discovery and fixing of a hackers’ break-in into an unspecified public utility’s controls. This raises at least two questions.The first question is why the announcement was made at all. Everybody who is anybody in cybersecurity knows that within the US-Russia-China triangle practically all internet-connected utilities have been penetrated for decades. Malware representing electronic bombs have been mutually installed by these countries and have gone through several generations of upgrades; they are ready to use, and extremely difficult to detect. Obviously, the most vulnerable side of the triangle is the US, since it has the most advanced and most connected network of utilities. The existing status quo in the triangle is somewhat similar to the famous MAD – Mutually Assure Destruction– of the Cold War, and the situation is pretty stable. So, if it’s not news, why announce it? This question can probably be answered by the second question.

The second question is: what has been left unsaid in the announcement? This is probably the key to the whole thing. The announcement mentioned “hackers,” with no hints as to their identity. But the interesting detail is that the attack was performed by a very unsophisticated “brute force” approach, which any hacker with a  modern computer can do that easily. So, the only plausible explanation for the whole announcement is to tacitly acknowledge that some rogue hackers were able to penetrate a public utility, and to suggest that more such attacks may be coming. Obviously, rogue hackers of many denominations do not have the mutual restraints of the US-Russia-China triangle, and without such restraints they can do real damage.

Overall, it looks like the DHS is laying down the proposition that when some real damage is done, they can say that now anybody can take control of our utilities, as we warned you.

Don’t Bother Changing Your Password

The news of the day is the Heartbleed bug. The mainstream media is full of the headline “Change your password. Hurry”.

Don’t. Just don’t bother. This is one of the daily occurrences of “major” cybersecurity breaches. The reality is that with this bug or the next one, the issue is not the bug, the issue is the password, as a concept. Any password can be hacked by a serious hacker with a decent computer in minutes if not seconds. How many times do we have to be hacked to get the message across  that we need to develop an effective cybersecurity technology instead of stitching patches on the constantly punctured bubble of the firewall?

Doing the same thing and hoping for a different result is not exactly the definition of intelligence. We’ve been doing that every day for a quarter century and calling ourselves cybersecurity experts. It doesn’t  seem that qualification is deserved.