The Weak Link In Cyber Security: Humans

It’s no surprise that we humans are our own worst enemy when it comes to security.  We tend to be lazy, complacent, and far too confident in our defenses. We don’t keep our software patched, our curiosity causes us to open dangerous attachments or click on dangerous links, we use poor passwords and we’re often too eager to be helpful to the social engineer on the other end of the phone.  Here is the link to a great write-up on how human nature helps the cyber criminal.  One of the important takeaways from the story is that the vast majority of exploits target security holes in software that have been around for months or years. According to the article, “the top 10 known vulnerabilities accounted for 85 percent of successful exploits.”  The vulnerabilities are well known yet nothing has been done to patch them for whatever reason.  63% of data breaches involve weak or stolen passwords.  Phishing attacks are also on the rise and are succeeding because of the things people do – like click on attachments or links in suspicious emails.  Many of these phishing emails are well crafted and thought out.  They can convince employees that a manager within their organization is requesting data when it is really a spoofed email from an attacker outside the organization.  In one case a community college employee was tricked into emailing sensitive employee data to a criminal.  The data was gone as soon as the email was sent.  When these attacks are successful the compromise happens quickly (93% within minutes of the breach).  However, detection is much slower – 83% of breaches weren’t discovered for weeks or months afterward.  In cases where network penetration occurs the data is gone within minutes in 28% of the cases.  There are often three prongs to the modern attack:

1. Send phishing email with malware or link to malicious website

2. Install malware on target computer

3. Elevate privileges and access more data or use the site as a jumping off point for attacks on yet more sites.

The defenses are basically the same as they have always been – train your employees not to do dumb things (good luck with that), use two factor authentication, keep your software patched and up to date, back up your data, monitor your network and look for users who don’t belong or exceed their authorized access levels, and encrypt your important data.  Whether at work or at home be vigilant.  Good security practices pay for themselves.
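The spoofed "manager" email described above usually leaves marks in the message headers that a mail gateway can check before an employee ever sees the request. The following is an added example, not code from this post or the report it cites; the domain `example.edu`, the staff name, and the three sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.edu"   # assumption: the organization's mail domain
STAFF_NAMES = {"pat morgan"}      # assumption: display names of real managers

def auth_verdicts(msg):
    """Read spf/dkim/dmarc results from Authentication-Results headers.
    Only trust this header when your own mail gateway wrote it."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest.split():
                verdicts[method] = rest.split()[0].lower()
    return verdicts

def spoof_indicators(raw_message):
    """Return the reasons a message looks like a spoofed internal request."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    if from_domain == INTERNAL_DOMAIN:
        # An internal sender address should always authenticate.
        if auth_verdicts(msg).get("dmarc") != "pass":
            reasons.append("internal From address without a DMARC pass")
    elif name.strip().lower() in STAFF_NAMES:
        # A known manager's name attached to an outside mailbox.
        reasons.append("staff display name on an external address")
    claims_internal = from_domain == INTERNAL_DOMAIN or bool(reasons)
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if claims_internal and reply_domain and reply_domain != INTERNAL_DOMAIN:
        reasons.append("Reply-To points outside the organization")
    return reasons

# Constructed sample messages (not real mail).
SPOOFED = """\
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mailer.invalid; dmarc=fail header.from=example.edu
From: Pat Morgan <pat.morgan@example.edu>
Reply-To: pat.morgan@mail-example.invalid
Subject: Need the employee records today

Please send the file as soon as you can.
"""
LOOKALIKE = """\
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=freemail.invalid; dmarc=pass header.from=freemail.invalid
From: Pat Morgan <pmorgan@freemail.invalid>
Subject: Quick request

Are you at your desk?
"""
LEGIT = """\
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dmarc=pass header.from=example.edu
From: Pat Morgan <pat.morgan@example.edu>
Subject: Staff meeting moved

See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, spoof_indicators(raw))
```

The lookalike message passes DMARC for its own domain, which is why the display-name check is needed alongside the authentication check.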

Malware Threat Is Getting Worse

Keeping your computer, smart phone, and home network safe isn’t getting any easier. Unless you’ve been living under a rock the past few years you probably already know the malware to exploit your digital life is getting easier to obtain and more effective all the time.   Ransomware is becoming big business and much more common.  Criminals who aren’t technical or command line proficient can now launch malware they don’t understand from a GUI. This article gives a good description of how these exploits work. Simply visiting an infected website can allow malware to attack your computer or smart phone. Cyber criminals are also going after smart phones with exploits designed just for them. People often use their phones to browse the web and check email even though the phones don’t have the security features likely to be found on a well secured desktop.  One nasty exploit is called “Angler” and it will inject malicious URLs into website ads redirecting the victim to another website where malware is installed.  In response to such attacks this article recommends a layered defense to protect your computer.  It offers some insights into various ways malware infects a system, hides itself, and does its dirty work.  Malware can disguise itself quite well and hide from your antivirus. If you want to stay safe online the same old rules apply – keep your system updated and patched regularly, don’t let Adobe Flash run automatically (Flash accounts for some 80% of the exploited software vulnerabilities), don’t click on attachments in emails if you aren’t 100% sure about them, and don’t say “yes” to enabling macros unless you know what you are doing.  If you’re concerned about the safety of your system I suggest reviewing my simple tips for securing your computer. After that you can explore more advanced means of protection.

Tor Needs Exit Nodes – Help Them Out!

It is no surprise that Tor needs more exit nodes. It is also not surprising that few people volunteer to host one. When you hear stories of people getting raided by the police for hosting a Tor exit you are bound to think twice. I’ve been wondering if there was a way to help facilitate more exit nodes without having to host one myself. I thought it would be nice if those of us who support Tor could make donations to help those that are willing and able to run the nodes. It turns out that we can do that very thing. The Tor Project refers people to four charities that run nodes. They need donations to keep going. The four are:

torservers.net (Germany)

Noisebridge (San Francisco)

Nos-Oignons  (France)

DFRI  (Sweden)

Check them out and make a donation if you can. I did. Remember, every little bit helps.  If you have other ideas on good ways to help please leave a comment.

Thanks!

 

Government Case Blurs Line Between National Security Investigation and Ordinary Crime

The Washington Post has run a good story showing how easy it can be to blur the lines between national security and ordinary criminal investigations. It seems the FBI obtained a secret search warrant on national security grounds to search the home of Keith Gartenlaub, a Boeing employee. The FBI suspected him of spying for the Chinese in an effort to get China information on the C-17 military transport plane. In the process of searching for evidence of spying the agents found child pornography on four hard drives. Spying charges were never brought, but the pornography charges were used instead. The net result is that Mr. Gartenlaub has been convicted of a crime without proper due process as afforded by the fourth amendment to the Constitution. He was not allowed to see the warrant against him and challenge its validity. Any other defendant would have had that right. What makes this even more disturbing is the apparent weakness of the government’s case. A forensic expert said there was no credible evidence the pornography was ever viewed by anyone using the computer. Another forensic expert said there was no evidence of the illegal material ever being downloaded to the computer leading to speculation it was copied there – but no one can say for sure by whom. Two of the four drives in question had been at a beach house where numerous people had access to them. Another disturbing aspect of the case is the fact that the FBI obtained the warrant to search his personal email because he was the “nationwide Unix military administrator for Boeing.” Two other Boeing employees said there was no such position. When the case is viewed in its totality it really seems that the FBI was on a fishing expedition looking for any evidence of spying no matter how unlikely they were to find it. It even agreed to drop the pornography charges if he would talk about the C-17. 
When he denied the espionage charges (and everyone knew there was no evidence of spying) the government went with the next best thing. If they had not found the pornography they would have left the house and the defendant would never have known they were there. The bottom line is that the government went fishing on national security grounds but caught a common criminal. It may be legal, but it is not in keeping with the spirit of the Constitution or the Bill of Rights.

Majority Think “Dark Net” Should Be Shut Down

According to a new poll a majority of people think the “dark net” should be shut down.  Given the non-stop negative press it receives and the constant whining from governments about the “dark net” this is no surprise.  What people in Western countries don’t appreciate is just how important the “dark net” is to those living under repressive regimes.  It is also an important place for journalists and whistle blowers.  I’ll go even further and say that anonymous speech is a human right we all should be able to enjoy regardless of where we live.  It seems to be a natural human instinct to fear and attack what we cannot control and do not understand. I suspect most people do not understand the so-called dark net or Tor hidden services.  They fear it because of the negative publicity and sensational news reporting on the subject. They fear it because it is not under some kind of “control.”  In my opinion, this is exactly why we should value it – because it is not controlled.  Because government oppression and public opinion cannot shut it down.  The spirit of the age seems to be working against freedom right now – calls to ban end to end encryption, ban so-called “burner” phones, ban hate speech, ban Tor, and ban anonymous speech.  If we don’t fight back hard now we will lose our free speech rights and once lost those freedoms may never be recovered.  I recently read 1984 for the first time and it was terrifying.  But the most terrifying thing is that I can see such a state actually existing and many people would be just fine with it.  Freedom doesn’t belong to the left wing or the right wing, it belongs to every human being.  Don’t give it up for a little perceived safety.  You won’t be safer in a police state, but you will be well on your way to living in hell.

Good Encryption is Hard Enough Without Government Back Doors

One thing I’ve found recently is that it can be hard to explain to people who don’t understand the nature of encryption on the Internet exactly why we can’t have a system of encryption that keeps the bad guys out but can let the good guys in. It sounds so simple in the abstract, our government should not be denied the ability to get to important data just because it is encrypted. What is wrong with key escrow or back doors? No matter what I say about encryption keys being stolen, governments being corrupt, etc. I just can’t seem to make my point the way I want to.

Fortunately Bruce Schneier has posted a blog piece that makes the case for us. It is called “Encryption is Harder Than It Looks.” This piece does a great job of explaining just why good encryption cannot and should not be undermined.  He points out two truths in cryptography:

  1. Cryptography is harder than it looks.
  2. Complexity is the worst enemy of security.

And gets right to the point:

“Cryptography is harder than it looks, primarily because it looks like math. Both algorithms and protocols can be precisely defined and analyzed. This isn’t easy, and there’s a lot of insecure crypto out there, but we cryptographers have gotten pretty good at getting this part right. However, math has no agency; it can’t actually secure anything. For cryptography to work, it needs to be written in software, embedded in a larger software system, managed by an operating system, run on hardware, connected to a network, and configured and operated by users. Each of these steps brings with it difficulties and vulnerabilities.”

“Although cryptography gives an inherent mathematical advantage to the defender, computer and network security are much more balanced. Again and again, we find vulnerabilities not in the underlying mathematics, but in all this other stuff. It’s far easier for an attacker to bypass cryptography by exploiting a vulnerability in the system than it is to break the mathematics. This has been true for decades, and it’s one of the lessons that Edward Snowden reiterated.”

“The second truism is that complexity is still the worst enemy of security. The more complex a system is, the more lines of code, interactions with other systems, configuration options, and vulnerabilities there are. Implementing cryptography involves getting everything right, and the more complexity there is, the more there is to get wrong.”

“Vulnerabilities come from options within a system, interactions between systems, interfaces between users and systems– everywhere.”

A security researcher told him:

“If anyone tells you that [the vendor] can just ‘tweak’ the system a little bit to add key escrow or to man-in-the-middle specific users, they need to spend a few days watching the authentication dance between [the client device/software] and the umpteen servers it talks to just to log into the network. I’m frankly amazed that any of it works at all, and you couldn’t pay me enough to tamper with any of it.”

Says Schneier – “The designers of this system aren’t novices. They’re an experienced team with some of the best security engineers in the field. If these guys can’t get the security right, just imagine how much worse it is for smaller companies without this team’s level of expertise and resources. Now imagine how much worse it would be if you added a government-mandated back door.”

Please take a moment to read his post. I think every business leader, politician, and anyone else with an opinion on the encryption debate should read his post and the references he provides. If we don’t stand strong on encryption now, we will never gain back the ground that is lost.

 

EFF Starts the Electronic Frontier Alliance

The Electronic Frontier Foundation announced that they are launching the Electronic Frontier Alliance to bring together diverse groups of activists and organizations.  The idea is for the Alliance to be a central “hub” of information and activity in the fight for digital rights and civil liberties.  It is encouraging to see that they are reaching out to a broad range of ideologically diverse groups – from BLM to the Tea Party.  Any organization that champions free speech and digital rights must do so for all groups regardless of political affiliation.

“The Alliance will bring together groups pursuing a range of strategies and tactics—from hacker spaces crowdsourcing the open source development of software tools, to student groups hosting teach-ins and documentary screenings.”

To join the group an organization must affirm 5 fundamental principles:

  1. free expression: people should be able to speak their minds to whomever will listen.

  2. security: technology should be trustworthy and answer to its users.

  3. privacy: technology should allow private and anonymous speech, and allow users to set their own parameters about what to share with whom.

  4. creativity: technology should promote progress by allowing people to build on the ideas, creations, and inventions of others.

  5. access to knowledge: curiosity should be rewarded, not stifled

These principles are the bedrock of a free and open internet and society. Give the EFF whatever support you can.  They deserve it.

New Push for Encryption Backdoors After Latest Terrorist Attacks

Congress is once again getting worked up about the need to pass legislation that will effectively make strong encryption the enemy.  The International Business Times is reporting that Congress is “discussing various pieces of legislation that would address the use of encryption and could potentially require that tech companies build backdoors into their products for law enforcement officials.”  The attacks on encryption are all too predictable after terrorist attacks occur.  Unfortunately, the general public does not understand encryption technology or the need for it.  It is an abstract concept in most people’s minds that quickly gets pushed aside when they become frightened.  Indeed, most members of Congress do not understand how encryption makes the internet a safer place than it would otherwise be.  They also don’t understand why you can’t just “break it a little bit” and still have good security.  Encryption helps secure people’s privacy in a concrete and meaningful way.  It is precisely at times like this that there needs to be a strong push to protect privacy and resist knee jerk reactions.  Members of Congress must be made aware of how requiring tech companies to backdoor their products would devastate their international sales and ruin their credibility.  They should also know how those backdoors would open the doors to hackers and criminals.  Look for more attacks on anonymity and anonymizing tools like no contract cell phones.  This is only the beginning.  Big government wants unlimited control of everything – the Internet and you as well.

Tor Engineers Would Rather Quit Than Backdoor Tor

It was reassuring to hear Apple engineers threaten to quit their jobs rather than hack the iPhone.  Now comes another encouraging post from the engineers who work at the Tor Project.  In a statement issued on Mike Perry’s Tor Blog it is reported that Tor Engineers would rather resign than compromise the integrity of the Tor network.  Fortunately, Tor is open source and its code can be reviewed and verified by outside experts.  This makes malicious code hard to hide.  Tor is used by people all over the world to communicate sensitive information in a secure way.  Without it, those fighting for freedom in very dangerous countries would have one less tool with which to accomplish their work of bringing the truth to light.  We should all salute the integrity and determination of those working on and sustaining the Tor network.

Obama (and government in general): No Friend of Encryption and Privacy

Well, it’s official now. President Obama is all for a key escrow concept that undermines privacy and security.  He may not have used that term but that is exactly what he wants. At the same time, the FBI is also proving to the world that it is not content with just that one Apple iPhone in the San Bernardino case.  A leaker has revealed that it is now going after WhatsApp.  WhatsApp offers an instant messaging application with end to end encryption.  This gives WhatsApp the ability to ensure customer privacy and inadvertently evade court ordered wiretaps. There are very few details of the WhatsApp situation because the whole case is under seal. The only thing they will say is that it isn’t a terrorism case.  Which goes to show, this isn’t just about terrorism, it’s about the government’s insatiable appetite to get whatever the hell it wants.

Specifically, President Obama said:

     “You cannot take an absolutist view on this,” Obama said at the South by Southwest festival in Austin, Texas. “If your argument is strong encryption no matter what, and we can and should create black boxes, that I think does not strike the kind of balance we have lived with for 200, 300 years, and it’s fetishizing our phones above every other value.”

     “The question we now have to ask is, if technologically it is possible to make an impenetrable device or system, where the encryption is so strong there’s no key, there’s no door at all, then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot?” Obama said. “If in fact you can’t crack that at all, government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket.”

The Obama Administration’s schizophrenic position on encryption stems from its desire to be all things to all people: strong on encryption on the one hand while wanting some kind of key escrow program on the other.  I don’t see how anything other than a key escrow program will satisfy the government at this point.  The FBI position in the WhatsApp case illustrates the same points.  Only a key escrow program will give the government what they want while pretending to promote strong encryption and safe communications and data storage.  In fact, a requirement that companies be able to provide all customer data to the government could end up outlawing Tor and all encryption with perfect forward secrecy.  Make no mistake, key escrow undermines strong encryption and violates people’s fundamental right to privacy.  Some things are so private and personal that they should be beyond the government’s reach – one of those things is our computer hard drives.  In this day and age computer storage is an extension of the person – people pour their lives and souls into their computers. Whether that is a smart thing to do or not is irrelevant – it is a reality we must live with.  If, in the future, there is technology that can hack your brain, do you want a court order to be the only thing standing between you and a machine that can rape your brain and lay all your private thoughts and emotions bare for all the world to see?  I don’t, but that is where this is headed.  I hate to say it, but maybe it’s time for big US Tech companies to consider moving their operations offshore (and taking their jobs with them) to locations that are more privacy friendly. In the future I plan to add some pages to this site detailing easy steps anyone can take to safeguard their privacy – Tor, VPNs, encryption applications, disk cleaners, etc.

Here are the relevant links:

http://www.theverge.com/2016/3/11/11207480/obama-sxsw-2016-fbi-apple-encryption

http://techcrunch.com/2016/03/11/obama-sxsw/

http://www.bloomberg.com/politics/articles/2016-03-11/obama-confronts-a-skeptical-silicon-valley-at-south-by-southwest

http://www.nytimes.com/2016/03/13/us/politics/whatsapp-encryption-said-to-stymie-wiretap-order.html?_r=0