Sunday, February 28, 2016

Encryption (week 11)

Image courtesy of plus.maths.org
Ever since written communication was developed, humans have tried to hide, conceal, or scramble sensitive information from prying eyes. Julius Caesar had a scheme in which characters were shifted a fixed number of positions to scramble the message; this was dubbed the Caesar cipher. For it to work, the recipients had to know the shift count. This method is of course very easy to break with current technology. During World War 2, the Germans had the famous (or infamous, depending on which side you were on) encryption device named Enigma. The Germans used this machine to encrypt their messages; it worked by substituting other characters for the letters entered by the operator. The only way such a message could be decrypted was by possessing an Enigma machine. When speaking about the Enigma, the name Alan Turing also has to be mentioned, as he pioneered the cracking of the Enigma, which changed the course of the war and perhaps the future of the world.

On February 20th of this year, Linux Mint was breached and hackers were able to point users to a compromised ISO (drive image), a modified version of the 17.3 Cinnamon edition of Linux Mint. According to a post by Linux Mint project leader Clement Lefebvre on the Linux Mint Blog, this version allegedly contains a backdoor. This is a classic case for awareness and for using the available tools to ensure that you are downloading safe versions of software. By verifying hashes, we can tell whether a software version has been tampered with.

From real-world affairs to the digital landscape, encryption touches 2 of the 3 aspects of the CIA (Confidentiality, Integrity, and Availability) triad: confidentiality and integrity. Confidentiality is the process of ensuring that information is only exposed to individuals who are authorized to view it. Different methods can be employed to bring this to fruition: policies such as training and awareness for users, classifying information based on the level of risk to the business were it to be exposed, and technical controls such as encrypting the information. Integrity, on the other hand, is the process of ensuring that data is not tampered with; it involves maintaining the consistency, accuracy, and trustworthiness of the data over its entire life cycle.

For both confidentiality and integrity, the data may be at rest (for example stored on hard drives, on tapes, or in databases), in transit (traversing the network, for example emails being sent or files being transferred), or in use (data in memory that is being processed). All three data states need to be secured, and encryption is one method that can be used to achieve this security control.

Other elements of security that encryption provides are authentication, meaning that the origin and originator of a message can be verified, and non-repudiation, meaning that the sender of a message cannot deny having sent it. Encryption achieves these controls through digital signatures. Before technology, official seals were one way of authenticating letters sent from, for example, a business or government agency. In the Internet world, digital signatures perform this task. One key area where digital signatures are common is software signing. When you download software over the Internet, how do you verify that it is legitimate software from the true publisher, for example Microsoft? Digital signatures. Software publishers provide the public with a hash, which is a representation of the entire contents of the software posted on their site. If any modifications are made to the software, the hash value changes, and end users can know that there has been tampering and therefore that the integrity of the software has been compromised.
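As an added example (not code from the original post or from Linux Mint), this Python script performs the hash check described for the ISO breach above and for software publishing in this paragraph: it parses a sha256sum-style line, hashes the download in chunks, compares in constant time, and shows that a single altered byte breaks the match. The ISO bytes and file name are constructed stand-ins; the published digest must itself come from a source the attacker cannot edit (such as a signed checksum file), since the hash alone only proves that the download matches what was published.

```python
import hashlib
import hmac
from typing import Tuple

HEX_DIGITS = set("0123456789abcdef")

def sha256_hex(data: bytes, chunk_size: int = 65536) -> str:
    """SHA-256 hex digest, fed in chunks as when streaming a multi-GB image."""
    h = hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        h.update(view[offset:offset + chunk_size])
    return h.hexdigest()

def parse_sha256sum_line(line: str) -> Tuple[str, str]:
    """Parse a sha256sum-format line '<hex>  <filename>' into (digest, name).
    A leading '*' on the name means binary mode and is not part of the name."""
    digest, sep, name = line.strip().partition("  ")
    digest = digest.lower()
    if not sep or len(digest) != 64 or not set(digest) <= HEX_DIGITS:
        raise ValueError(f"malformed sha256sum line: {line!r}")
    return digest, name.lstrip("*")

def verify_download(data: bytes, published_hex: str) -> bool:
    """True only if the computed digest matches the published one; the
    comparison is constant-time so the check itself leaks nothing by timing."""
    return hmac.compare_digest(sha256_hex(data), published_hex.lower())

def check(data: bytes, sha256sum_line: str) -> dict:
    """Compare a downloaded blob against the publisher's checksum line."""
    published, name = parse_sha256sum_line(sha256sum_line)
    actual = sha256_hex(data)
    return {"file": name, "expected": published, "actual": actual,
            "ok": verify_download(data, published)}

# Constructed sample standing in for the ISO bytes (a real run would read the
# file with open(path, "rb")); the file name is made up for this example.
GENUINE_ISO = b"constructed stand-in for a 17.3 Cinnamon ISO image\n" * 2000
# The checksum line a publisher would post for it. That line must be fetched
# from a source the attacker cannot also edit (e.g. a GPG-signed checksum file),
# or a tampered ISO can simply ship with a matching tampered hash.
SHA256SUM_LINE = f"{sha256_hex(GENUINE_ISO)}  sample-17.3-cinnamon.iso"
# The same image with one byte changed, as a backdoored download would be.
TAMPERED_ISO = GENUINE_ISO[:-1] + b"\x00"

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_ISO), ("tampered", TAMPERED_ISO)):
        result = check(blob, SHA256SUM_LINE)
        print(f"{label:8s} {'OK' if result['ok'] else 'MISMATCH'} {result['actual']}")
```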

Although enforcing encryption controls may be cumbersome for the business or even for our home systems, it adds an extra layer of protection for our data. Encryption also helps protect data against physical threats: if we lose our devices, it is hard for the adversary to read our sensitive information if the files or hard disks are encrypted.

References:
https://plus.maths.org/issue34/features/ellis/enigma_in_use.jpg



Sunday, February 21, 2016

Privacy Over Security (week 10)

Image courtesy of www.pewinternet.org
After September 11, 2001, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (aka the USA PATRIOT Act) was passed by the legislative branch of the government. What this act did was provide a significant increase in the surveillance and investigative capabilities of law enforcement agencies within the United States, with the intention of ensuring that there could never be a repeat of 9/11 on American soil. This act had the right intentions, and at the time it was passed the whole nation was speaking in unison; “we must get them” and “never forget” were some of the themes.

According to the epic.org article titled USA Patriot Act, under surveillance and privacy, there are three major laws that do not provide many of the protections that were associated with the federal wiretap statute (in place before the Patriot Act).

Title III, which requires probable cause and approval from a judge before conducting real-time interceptions.

Electronic Communications Privacy Act (ECPA). This act governs how law enforcement can access stored email and other electronic communications. The act states that the use of interception tools requires a court order but no probable cause, and that the court must authorize the surveillance upon government request. That statement shows just how vague the controls, or checks and balances, are when it comes to electronic surveillance: the court order is just a formality.

Foreign Intelligence Surveillance Act (FISA). This act authorizes the government to carry out electronic surveillance after obtaining a court order that authorizes it, and the only probable cause they need to provide is that the person of interest is acting as a foreign agent; this applies even to American citizens.

There are many other provisions within the Patriot Act that give law enforcement even more authority to intercept, collect, and even store private information obtained through the use of advanced surveillance tools in the name of national security. The extent of these surveillance programs within the United States was made public by Edward Snowden, who leaked information about how the National Security Agency collected electronic information. Snowden received both support and criticism. His revelations did, however, lead to more debate on how much privacy we are willing to give up in order to stay secure. The civil liberties and privacy protections that have been part of America and that the constitution dictates are slowly eroding. If you are a proponent of security, your opinion is that security will always trump privacy and that we should be willing to lose some of these liberties, and expect to, if we expect to be safe.

The biggest privacy issue this week is of course Apple vs. the FBI. The FBI is trying to get Apple to create a backdoor that will enable them to crack the deceased gunman Syed Rizwan Farook’s iPhone, which they want to access for information that may help their investigation. Farook was involved in a terrorist attack that killed 14 people in California late last year. As a security feature, Apple iPhones are built to wipe all data after the password is entered incorrectly too many times, which makes them popular with companies, as they can protect their intellectual property in cases where employees lose their phones. The FBI’s brute-forcing attempts must have hit a roadblock, and now they are asking Apple to intervene (through a court order). Apple’s argument for non-compliance is that they are not comfortable sharing how to bypass the security feature with law enforcement, as they do not know what its reach will be once they gain the know-how.

“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals… The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices.”
– Andrea Noble, The Washington Times, quoting Apple CEO Mr. Cook

The courts already ordered Apple to comply but they are still resisting and have appealed to a higher court. I would not be surprised if Apple took this all the way to the highest court in the land; they certainly have the means. Protests are already planned with anti-surveillance groups planning to let the FBI know how they feel about their request. This is a contentious issue given that the phone that needs to be back-doored belongs to a confirmed terrorist and not a suspect. In my opinion I think Apple will be forced to give in. They may have a condition in place like not being required to share how they did it but you never know, the FBI might get that too. I am curious if Apple’s decision is truly based on its support of privacy or this is just a marketing ploy to rally the masses to their products as they come out of this fight as ‘champions of their customers’.

Whatever side of this topic you may be on, the fact is that times are changing, and this issue will hover over us as long as electronic communication is still around. You try to install an app and you are presented with terms of agreement. For the application to function, you need to allow it to access different things on your device. When browsing the web, you have cookies that track your every move, and if you were to turn these features off, you would probably not be able to experience the web the way we do today. It seems like everything we do on the web requires some loss of privacy.

The debate still rages on: are we willing to sacrifice one for the other? Because we cannot get both at the same time.


Sunday, February 14, 2016

Wireless Communication (Week 9 Blog)

This week in my Ethical Hacking and Response class we will be presenting a group project, and the topic of discussion is Wireless Hacking. I thought it would be a good topic for my blog post this week. First off, I would like to throw in a breach that happened back in 2006.

“TJX Companies: 2006. 94 million credit cards exposed. Hackers took advantage of a weak data encryption system and stole credit card data during a wireless transfer between two Marshall's stores in Miami, Fla.
After the TJX breach came to light, one of the questions posed by security experts was: Why are businesses still using WEP?” (Schwartz, 2011, Dark Reading)

Let’s briefly touch on a few areas where wireless technology is used:
Voice Communications – cellphones
Remote Control and Monitoring – TV remotes, garage openers, wireless dog fences (cruel), infrared sensors, surveillance video, heart rate monitors
Remote Measurement and Wireless Sensing – utility companies can now remotely read your meter
Item Tracking – think Radio Frequency Identification (RFID) tags
Entertainment – wireless speakers, headphones, microphones, home theatres
Navigation and Location – Global Positioning System (GPS)
Quality Control and Risk Management
Networking – PAN, LAN, WAN, cellular networks
Energy Management and Wireless Power Transfer – charging docks

Wireless technology has come a long way; it is freeing existing good ideas from the constraint of wires and, at the same time, enabling new ideas and applications that weren't possible before. The list above shows that wireless has played a major role in advancing technologies that are now part and parcel of our day-to-day lives, but just like with every good thing, there always seem to be some cons.

“The wireless security market has matured significantly in the past several years, but still many organizations remain vulnerable to attacks, either through legacy protocols with well-published deficiencies, or through new threats that are not adequately addressed”
– Joshua Wright, SANS

With wireless networks, the biggest flaw is the hardware that is used: the routers, modems, etc. A common attack vector for wireless communication is the wireless driver attack. In this type of attack, rather than going after the wireless networks themselves, an attacker chooses the path of least resistance by going after the hardware. Exploitable vulnerabilities in wireless drivers have been discovered for all major wireless card manufacturers. When I looked up the word “wireless” in the NVD (National Vulnerability Database), it returned 359 matching records.

So how do we secure wireless communication?

The answer is the combination of a strong encryption method and a strong key/password.

Image courtesy of howtogeek.com

The key encryption methods are as follows:

WEP (Wired Equivalent Privacy) – in this system, the same shared key is used for both authentication and encryption. With the shared key, an attacker can decrypt frames or pose as a legitimate user. WEP can be easily broken and is no longer recommended.

WPA + TKIP: Wi-Fi Protected Access + Temporal Key Integrity Protocol
WPA with TKIP was meant to replace WEP, but it is now considered insecure. TKIP uses the RC4 stream cipher as its basis; it encrypts each data packet with a unique encryption key, and the keys are much stronger than those of WEP.

WPA + TKIP/AES: Wi-Fi Protected Access + Temporal Key Integrity Protocol / Advanced Encryption Standard.
AES is a symmetric-key algorithm (the same key is used for encryption and decryption). AES is considered secure and is used by many government agencies. In this mode, TKIP enables compatibility with legacy devices that don’t support AES, but this also opens the network up to attacks, since the low-hanging fruit always gets hit first.

WPA + AES – this one just removes the TKIP portion, so it’s safer than the previous option.

WPA2 + AES – this is the most secure and should be used in wireless communication setups. It utilizes keys that are 64 hexadecimal digits long. Note that this method can be cracked too, but it would take too long for any attacker, so the incentive to actually commit resources to this ‘mission’ may not be there for most wireless networks. There are other, less time-consuming avenues for breaching your network, like sending a phishing email.
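As an added example (not from the original post), this Python code shows where the 64 hexadecimal digits come from: a WPA/WPA2-PSK network derives a 256-bit key from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, and a router will also accept that 64-digit key typed directly. Only the standard library is used; the SSID names are constructed for the example.

```python
import hashlib
import os

HEX_DIGITS = set("0123456789abcdefABCDEF")

def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit pre-shared key a WPA/WPA2-PSK network actually uses
    from the human passphrase: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096
    iterations, 32-byte output, returned in its 64-hex-digit form."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()

def is_raw_psk(value: str) -> bool:
    """A 64-hex-digit value is used as the key directly, with no derivation."""
    return len(value) == 64 and set(value) <= HEX_DIGITS

def key_to_install(value: str, ssid: str) -> str:
    """Resolve what an admin typed (passphrase or raw hex) to the PSK the
    access point and clients will actually use."""
    return value.lower() if is_raw_psk(value) else wpa2_psk(value, ssid)

def random_raw_psk() -> str:
    """A full-strength 256-bit key from the OS CSPRNG: there is no short
    passphrase behind it to guess, only the 64 hex digits themselves."""
    return os.urandom(32).hex()

if __name__ == "__main__":
    # Same passphrase, two SSIDs: the SSID salts the derivation, so a table
    # precomputed for a common default SSID is useless once the SSID is changed.
    for ssid in ("IEEE", "HomeNet-7f3a"):          # constructed SSIDs
        print(f"{ssid:14s} {key_to_install('password', ssid)}")
    print(f"{'raw key':14s} {key_to_install(random_raw_psk(), 'IEEE')}")
```

A weak passphrase stays weak after derivation (the attacker just runs the same PBKDF2), so the strength the post calls for has to be in the passphrase or in a randomly generated raw key.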

Summary
Wireless communication has benefited a lot of people and is helping make life easier, and with the growing trend of the Internet of Things, despite some of the weaknesses associated with it, it is not going anywhere. As users we should always be vigilant of our surroundings (beware of ‘free/open’ networks), and when setting up wireless networks we should adhere to security best practices by using the most secure encryption method (WPA2/AES) and making sure that the key/password is strong enough. Also make sure that defaults are changed. Leaving a device’s default settings in place makes it as simple as opening a browser and typing ‘router passwords’ to be presented with a list of the default user names and passwords for all kinds of router makes and models.

Stay safe while you connect!

Sunday, February 7, 2016

The Internet of Things (IoT) and Botnets (week 8)

In 2008, Microsoft released security bulletin MS08-067, which concerned a vulnerability that could allow remote code execution if an affected system received a specially crafted RPC request. The bulletin further indicated that the vulnerability could be used in crafting a wormable exploit.
(Hotbots, n.d.)

This post is about botnets and their impact on the economy. When we talk about botnets, Conficker comes to mind. This infamous worm was discovered in 2008, and by mid-2009 over ten million infected computers were participating in its botnet. Conficker's logic includes mechanisms to generate lists of new domain names on a daily basis, which infected machines use to seek out the Internet rendezvous points that the authors use for updates and for command and control.
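As an added example (not from the original post), this Python script shows the defender's view of the daily domain generation just described: a bot hunting for its rendezvous point resolves many random-looking names that mostly do not exist, so a resolver log shows one client with a burst of high-entropy NXDOMAIN answers. The log lines, client addresses and thresholds are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic): "<time> <client> <qname> <rcode>".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:03 10.0.0.9 qwmxhpszb.org NXDOMAIN
10:00:03 10.0.0.9 hvdnxuplqe.net NXDOMAIN
10:00:04 10.0.0.9 zkcptyvlw.com NXDOMAIN
10:00:04 10.0.0.9 ybrtqkmjsc.info NXDOMAIN
10:00:05 10.0.0.9 lpwvsgfrx.biz NXDOMAIN
10:00:05 10.0.0.9 mqazkdnryw.org NXDOMAIN
10:00:06 10.0.0.5 cdn.example.net NOERROR
10:00:07 10.0.0.9 news.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; random labels score higher than dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def second_level_label(qname: str) -> str:
    """Label left of the TLD (naive: assumes a one-label public suffix)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def parse_log(text: str):
    """Yield (client, qname, rcode) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qname, rcode = m.groups()
            yield client, qname, rcode

def flag_dga_clients(text: str, min_random_nx: int = 5,
                     min_entropy: float = 3.0, min_ratio: float = 0.5) -> dict:
    """Return {client: stats} for clients whose queries are dominated by
    NXDOMAIN answers for high-entropy names. Thresholds are assumptions for
    this sample; tune them against a real baseline before alerting on them."""
    totals = Counter()
    random_nx = defaultdict(list)
    for client, qname, rcode in parse_log(text):
        totals[client] += 1
        if rcode == "NXDOMAIN" and shannon_entropy(second_level_label(qname)) >= min_entropy:
            random_nx[client].append(qname)
    flagged = {}
    for client, names in random_nx.items():
        ratio = len(names) / totals[client]
        if len(names) >= min_random_nx and ratio >= min_ratio:
            flagged[client] = {"random_nxdomain": len(names), "total": totals[client],
                               "ratio": round(ratio, 2), "examples": names[:3]}
    return flagged

if __name__ == "__main__":
    for client, stats in flag_dga_clients(SAMPLE_LOG).items():
        print(client, stats)
```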

Within a few months of Conficker’s appearance, some 7 million computers became linked into one of the largest botnets in the world (Singer, 2011).

So what is a botnet?

Botnets are groups of computers that have been ‘captured’ and made to run unauthorized software under the control of what is termed a bot herder or bot master. To understand the potential impact that botnets have, we should first review the Internet. The Internet’s growth is unprecedented, and its impact on human progress is potentially unequalled. The Internet has made it possible for the world to be closer and for collaboration to take place in ways never seen before. A class can be conducted in the United States and a student can attend it live from the comfort of their home in Australia. The Internet has made a ‘global village’ possible. With this fast growth, however, come challenges: innovators don’t always have the time or resources to address potential security issues. The market rewards and encourages low-cost, high-volume, short-time-to-market products, and the ‘norm’ sadly appears to be go to market and ‘patch it later’.

On the other side of the story, just as the pace of innovation and adoption on the Internet increases, so do the criminals and their ‘tools of the trade’. The greater the connectivity, the faster an exploit can spread. Botnets are successful because of the many software flaws (vulnerabilities) in Internet-connected devices, and the presence of botnets further propagates Internet crime. Now we are heading toward a time when most things will be connected, the Internet of Things (IoT), which means the attack surface has just increased.

“With the advent of high speed “always on” connections, these PCs add up to either an enormous global threat, or a bonanza of freely retarget-able resources, depending upon one’s point of view” (Vixie, 2002).

As more devices are connected and less emphasis is placed on security, these devices can be used not only to propagate attacks but also to attack our privacy. We have Internet-connected cameras, cars with WiFi, and home appliances that can be accessed from the Internet, just to mention a few. Most of these devices are not secure by default, and it takes some effort on the end user’s part to make them a little more secure. Most end users do not bother to check these settings, and the bad guys are aware of this. A simple Google search for default passwords for WiFi cameras brings back a significant list that can be used to attack those cameras. As mentioned previously, most manufacturers are simply trying to break into the IoT market, and their focus is interoperability as opposed to building secure systems. Attackers take advantage of this fact, and now the spread of bots is worse than it was when Conficker first hit the Internet scene.

Conclusion
Due to the threat that botnets pose, every Internet user should be aware of how they may be assisting in the propagation of this exploit vector. Users should know that if their Internet-connected device is out of date and/or running unpatched software, it may get infected and be used to participate in illegal activity like DDoS attacks, spam delivery, or even identity theft.

References:
Singer, P. W. (2011, October 21). Mark Bowden’s “Worm: The First Digital World War”. Retrieved February 7, 2016, from https://www.washingtonpost.com/entertainment/books/mark-bowdens-worm-the-first-digital-world-war/2011/08/30/gIQAwcKO4L_story.html
Microsoft Security Bulletin MS08-067 - Critical. (2008, October 23). Retrieved February 7, 2016, from https://technet.microsoft.com/library/security/ms08-067
Vixie, P. (2002, October 17). Securing the Edge. Retrieved February 7, 2016, from https://archive.icann.org/en/committees/security/sac004.txt
hotbots [Photograph]. (n.d.). Retrieved from https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/wang/wang_html/figure1.png