Marketing and Internet Surveillance

The blog post “The Internet of Things that Talk About You Behind Your Back” by Bruce Schneier is really creepy. But it isn’t new, it is just getting worse.

In IT Security, the problem of undetected communication covert channels is old and well known. Also the fact that internet marketing adopts approaches and technologies that some times are close to it, is well known.

What it is worrisome is the extent to which we are getting. There are various aspects to it.

One is the legal aspect, that is what the legislations allow and how much they protect citicizens from excesses: it would be interesting to compare current legislations between different countries, from the USA to EU, Canada, Brazil, Russia, India, China, Japan etc.

On the technical side, devices like PCs and some tablets allow the user some choices like use different browsers (even Tor), manage cookies (in particular 3rd party cookies) etc., even if it is usually difficult to really be anonymous on internet unless extra precautions are taken (and many users will not be able to adopt similar precautions).

On smaller devices, like smartphones and “smart” objects like watches etc., choices are much more limited but with a little bit of effort the user can do something to protect him/herself from this kind of surveillance.

On IoT devices at the moment there seems to be nothing that the user can do, it is either use it and be traced, or do not use / buy it at all. For these devices, legislation could be the only way of giving the user some choices.

Finally, how many users are even aware of this kind of Internet Surveillance? How many would object if they knew?

IT Security, Human Behaviour and Normalization of Deviance

Bruce Schneier has a quite interesting blog posting (read here) on “Normalization of Deviance”, that is the human behaviour for which errors, warnings and the violation of rules or acceptable actions, becomes the norm.

We all know that in IT Security, people are usually the weakest link. We should also be careful that IT security professionals do not fall into the “Normalization of Deviance” syndrome. I try to summarize it in the extreme as follows: the approach that if something bad has happened, like an intrusion in an IT system, but it did not have real consequences and did not cause real damage, then such kind of events can be ignored from now on.

This is a pretty dangerous human behaviour, but unfortunately, as discussed by Schneier and the sociologists who study this field, quite common.

Cryptography is too risky: should we use something else to secure IT systems?

Obviously the title of this post is provocative, but reading some recent news it is evident that us, IT professionals and IT industry, are not good in managing cryptography. The consequence is that we deploy cryptography in IT products and give a false sense of security to the users. This actually can have worse consequences than if we would not use cryptography at all. I will give just a couple of examples.

This research paper shows how a well-known brand of hard disks has implemented disk encryption in totally faulty ways, to the point that for some disk models hardly any security is provided by the built-in disk encryption functionalities. This is just another of many similar cases, where cryptographic protocols and algorithms are incorrectly implemented so to cancel all or most of the security that they should provide.

Another research paper shows how a well-funded agency or corporation can in practice break the encryption of any data encrypted with the Diffie-Hellmann (DH) key exchange algorithm using keys up to 1024 bits included. Should we be shocked by this news? Not really since already 10 years ago it was known that a key of 1024 bits is too short for DH. Indeed, as per RFC 7525, a 1024 bit DH key offers a security less than a conventional bit security of 80 bits, but again RFC 7525 states that the absolute (legacy) minimum required conventional bit security must be 112 bits, and the current minimum required conventional bit security is 128 bits, that would practically correspond to a 2048 bits DH key. Even if we, IT professionals and IT industry, have known for at least 10 years that 1024 bits DH keys are too short to offer security to the data that they should protect, as of today a too large number of HTTPS websites, VPNs and SSH servers use DH keys of 1024 bits or less (see again the research paper mentioned above).

Unfortunately these are not two isolated examples, recent news are full of similar facts. So I start to wonder if we are good enough to manage cryptography or if we should look into something else to protect IT systems.

Game Over Zeus and Banking Malware

This announcement by US-CERT made me think about the current status of the war (I think that at the moment this is actually the correct word) between attackers / thieves / fraudsters and ICT Security practitioners, Banks, FInancial Institutes etc.

Recently we have seen banking malware using Tor hidden services to hide C2C (Command-and-Control) servers, or as described in the US-CERT announcement, P2P (peer-to-peer) networks. The purpose is the same, to hide the controlling master of the malware, that is the attacker / thief / fraudster her/himself. This also means that recently security practitioners, law enforcement and bank personnel got very good in finding and at least disrupting the C2C servers, otherwise there would be no need to find new ways of hiding them.

But how is this war going, that is, who is winning? Let’s be clear, we, the good guys, are losing.

At first sight the reason for this is simple: there are just too many bugs in today’s software (and possibly in hardware, or at least in embedded software in hardware) and new bugs are added at such a rate that our efforts to ‘secure’ the software are improving the situation a little but not much. It is just a never-ending chase: find a bug, exploit the bug, fix the bug – repeat… It is true that bugs are getting more difficult to find, that software developers are getting better in writing software and fixing bugs, that Bugs-Bounties are awarded to bugs discoverers from software houses etc., but the same happens on the other side and a real market of exploits (to which even secret services and the like participate) of unknown (also called 0-day) bugs exists and flourishes.

In this situation the approach that it is often adopted to protect financial transactions online (web-based) is to balance the costs of defensive measures with the losses to attackers. In the losses one should consider both those direct and those indirect, like bad publicity and loss of customers. Investing too much in some defensive measures could work but could also be a waste of money since the next attack can just avoid the expensive defensive measure and exploit some other bugs or flow in the process or, even worse, human weakness.

This really looks like a never ending cat-and-mouse game.

Hacking ATMs

It is always interesting, almost amusing, to follow what thieves can come up to steal money from ATMs, POS etc. Here one of the latest stunts described by Krebs. How is it possible that the physical security of these devices is so weak? We should be good at least in physical security, since has been around for thousands of years. It is more understandable that we have difficulty in dealing with ICT security, which is a relatively new discipline, and quite complex at that.

Human Factor is Always the Weakest Point

The take-over of the RSA Conference website(see Krebs here for a nice summary) reminds us (as if it was needed) that is not the technology the weakest link (and even less cryptography as such), but us, humans. Two points should be stressed:

  • if system are too complex (like in this case, the relations between content providers of online information) we are not up to the task of managing their complexity and we fail to adopt the needed security measures
  • technology and technical security is best and most easily circumvented and avoided by exploiting the human factor: why deploy expensive and technologically complex malware when you can send an email (well-formed) to ask employees to provide their usernames and passwords to access even mission critical systems? Much easier, faster, less expensive and you are sure to get an obliging answer!

Side Channel Cryptanalysis

In line with the previous post, it is of interest, albeit only at the research level and we should not really worry about it right now, the paper published by Adi Shamir, Daniel Genkin and Eran Tromer (download here and here for a comment) in which they describe how they have been able to extract an RSA private key managed by GnuPG 1.4.x  (current version is 2.x) by listening to the noises of the PC.

Yes, an acoustic attack on cryptographic private keys seems very unlikely, even if the idea has been discussed for long time. It is very interesting that it has been shown possible in practice, and this means that also other side channel attacks, like listening on the power cord, should be considered seriously at least when your security requirements are really high.

Device fingerprinting and user tracking

A recent study by KU Leuven-iMinds researchers points out that device and web-browser fingerprinting is on the raise, in spite of all efforts to limit it like the introduction of the “Do Not Track” HTTP Header.

This does not surprise me since advertisment and marketing are usually at odds with privacy and it is not well understood by most what is the real meaning and breath of the information that it is possible to collect by tracking users on internet.

On the other side, device fingerprinting is a very useful tool for ICT security of web transactions: knowing which device is making the transaction and to which user is (usually) associated, added to the geolocalization of IP addresses and other information, can make the difference between a valid transaction and an attempted fraud.

At the end the most important issue is by whom and how a tool is used, and this holds true in particular for security tools: a gun in the hand of a policeman should be used to a good end, but the same gun in the hand of a thief should be illegal.