Romanticizing Bugs Will Lead to Death of Information Security

Too much focus on vulnerabilities and their impact is leading information security into a slow death.

Romanticizing Bugs Will Lead to Death of Information Security

Speaking in the keynote address at 44CON in London, security researcher Don A. Bailey said that while “we’re getting good at reducing problems and addressing problems, information security is dying a death it has earned.”

Focusing on bugs and vulnerabilities, Bailey said that his initial perception of information security was about reducing risk for consumers, but that perception was “so off base as all we do is talk about bugs but we are blind to what they mean and are composed of.

“We see new technology coming out, the punditry reel starts spinning with a cool new ‘whatever’ and we ignore technology and where it comes from and how it is sold and what manufacturing looks like, and we ignore the engineers that put effort into building the technology.”

Calling the concept “bug fetishizing’, Bailey pointed at the Blueborne vulnerability, which has received fresh attention this week after Microsoft issued a patch for it. Bailey argued that while the bug is massive, it has been around for a while and it is super easy to remediate it.

“People use it to raise money and we see it in the community all the time and not only by start-ups, but to raise money creating an environment in how cool a vulnerability is,” he said.

“I get a bit tired of hearing about these issues over and over as there is nothing new about Bluetooth vulnerabilities, it is the same old crap as we found a couple of years ago. This is nothing new and not pushing things forward.”

Bailey highlighted what he called the “romantic nature of bugs” and their “reproduction”, saying that we “see vulnerabilities in the wild and they are reproduced a million times” which is not reducing vulnerabilities in any way.

He also said that we are taking extremely small issues and blowing them up, and also focus more on intricate vulnerabilities than the defenses against them.

“Finding bugs that are useful is a great thing, but doing something with it is another thing; we want real models in information security and IoT that we can resolve.”

Bailey concluded by saying that information security is in a worse state than 10 years ago, and 10 years ago there were probably 10 consultancies and now, only a few organizations are doing groundbreaking research.

“Companies say specialize in information security but outsource for skills and don’t feel like paying someone for expertise when they can hire, with reputable universities pumping out graduates with information security degrees. It is true we need more people but who needs them: consultancies who break ground, or companies who need more people – a fraction of a % are doing groundbreaking research and that is why information security is dying.”

Four Things Businesses Should be Doing to Protect from Cyber-Attacks

It’s a fact that every business needs to accept: everyone is at risk of a cyber-attack. What’s unfortunate is how many companies aren’t taking this seriously.

There are a host of basic best practices that a majority of corporate networks are failing to implement, and it’s leaving them critically vulnerable.

At the very minimum, there are four things every business should be doing to protect their online presence and to protect their customers from the fallout from a cyber-attack: instituting employee password policies; encrypting and hashing sensitive information; hosting their whole site over HTTPS; and keeping their software up-to-date.

Password Policies
If anything in the cybersecurity industry can be called an epidemic, it has to be bad password habits. It’s a serious problem, and one that has been poorly addressed. People are using poorly designed passwords, and they’re using them for a multitude of online profiles, meaning that if their login is cracked once, it’s cracked everywhere.

Part of the problem is how we’ve addressed it so far. Some websites and systems take it upon themselves to enforce password requirements mechanically, rejecting passwords for new profiles unless they meet certain criteria. This is problematic for two reasons: first, when faced with the prospect of having to generate yet another complicated “P@s5w0rd!” the user either comes up with something painfully simple and easy to guess with a dictionary attack, or they reuse a password that has worked in the past. Neither is a safe practice.

The other problem is on the hacker’s side. If they know that a website requires a number, a capital, and a special character, then they can trim their dictionary attack, removing all options that don’t include those values. So rather than making the passwords harder to crack, it actually makes it a lot easier.

The matter has been discussed by a number of very smart people, who have all commented on how flawed the system is. While the issue is hard to address with the general public (who tend to use paths of least resistance), something can definitely be done with regards to employees of a company. Good password habits (including the optional use of a password manager) can and should be taught, and a password policy instituted. It won’t fix every case, but a majority of people can get on board, it will significantly reduce the risk of intrusion.

Encryption and Hashing
For reasons that are hard to fathom, many businesses are still keeping sensitive information stored in cleartext. Everything from customer information to login passwords are left vulnerable and unguarded, just waiting for someone to guess the manager’s “justinbieber4eva” password and gain root privileges.

This is a basic practice that so many have neglected; hash what you can, encrypt everything else. Even in smaller businesses that don’t always have access to the same level of cyber talent, it’s not that hard to get in touch with experts who can help with that sort of thing.

HTTPS Hosting
HTTPS came out in all the way back in 2000. Nearly 20 years later, and data transfer protocols are still a serious issue. The sooner each business gets on the bandwagon and hosts their whole website over HTTPS, the sooner we can migrate the majority of the internet to more secure protocols.

The reason it’s important to host the whole website on HTTPS is that leaving portions of the site unencrypted leaves a backdoor access to more sensitive areas for hackers. We’re past the point where just encrypting the page where you enter credit card information is good enough. If you have an online presence, it should be hosted on HTTPS. What’s more, keeping keys and certificates in order is also important. The whole system is essentially useless if unscrupulous individuals gain access to valid certificates.

Software Updates
The uninitiated think software updates are annoying. The rest of us, though, are well aware that, in many cases, the updates are all that stand between you and the hacker. If you’re one of the enlightened, be sure you’re spreading the word at your company, so that those with administrator privileges are keeping things up-to-date.

If you aren’t aware, here’s your infosec crash course. Software updates do three things: fix bugs, add features, and plug security holes. Without software patches, when a hacker learns to exploit a flaw in the software, there’s nothing stopping them, or any of their friends they talk to about the hole. When developers find these gaps in security, they patch them. You shouldn’t be frustrated that Microsoft or Apple just pushed out another update for the OS. You should be thanking them.

If we, and the businesses we work for, could catch up in these four areas, it would go a long way towards defending against incursion. It’s true that no system is 100% secure. Let’s be honest though; the ones we’ve got now could do a lot better.

Why You Need Private Browsing

If you thought browsing securely (and privately) was as easy as opening a new incognito window, think again.

Private browsing is all the rage now that it’s necessary in order to access certain websites in some countries. Luckily, there are lots of ways to access the web that doesn’t require Safari, Firefox, or Chrome. There are also ways to surf the internet that aren’t actually secure at all — even if they’re advertised as such. The first step to tapping into a safe connection is understanding what a safe connection is — and what it’s not.

This is not what private browsing looks like.

Google Chrome’s Incognito mode may cover your tracks online locally, but it doesn’t erase them entirely. When you choose to browse privately using a major web browser, the places you visit online will not accumulate in your computer’s history. This way, no one else who accesses your device will be able to see the websites you used during your private browsing session. (In fact, you won’t even be able to see them yourself.)

Except…you can. In fact, anyone can; That is, anyone who has access to your internet bill. All it takes is calling up your internet service provider and requesting a log of the websites you visited at any given time and day. (Yes, this can include times and days when you were browsing “privately.”)

Yet you and anyone with access to your internet bill aren’t the only ones with access to your browsing history! All of the websites you’re visiting can also see you, even if you’re not logged into an account associated with their services. This is because your path to that website isn’t protected. Online, who you are is defined by how you arrived there.

Encryption is the Key

Truly private browsing requires an encrypted connection through a browser that has Virtual Private Network (VPN) capabilities. This isn’t your typical browser, but rather a special kind that you may have to do a bit of Googling to find (that is, unless you’re lucky enough to find yourself reading this article).

When you connect to the internet through a VPN, where your connection originates is indistinguishable. This is because your connection is made possible through a web of devices and a remote server (some private browsers allow users to choose from a number of remote servers, but most don’t). Unlike when you connect to the web using a standard connection, when you browse through a VPN, your device’s point of origin is unidentifiable.

The only thing that is visible when you’re browsing utilizing a VPN, is the location you choose to be visible. Private browsers with VPN capabilities allow you to choose from connections around the world to display as your point of origin. (If you connect through a VPN location in Switzerland, it will appear as though you are browsing the web via Switzerland, even if your physical location is Palo Alto, California.)

Encrypted Browsing in the Work Place

In the workplace, things get a bit more complicated. Although a VPN connection will encrypt your traffic, your employer’s IT department may be able to still tell if you are using an encrypted connection especially if you’re on the company network. This may be against your company’s policy, so be aware of the consequences.

Also if you’re on a company machine, then it may already be controlled by corporate and your activities are already being monitored regardless if a VPN is on or not. The safest bet is use to a VPN on your own personal device over data and not on your company network to keep your browsing private from your employer.

How to Choose a Private Browser

There are many private browsers out there that are completely free, which is why choosing the right one to do the job can be a daunting task. Ever since the rise in popularity of private browsing in recent months, some have even adopted questionable means of serving their users (including feigning VPN capabilities and selling data).

The first thing to note when shopping for a private browser is what makes it private. If the only thing advertised is an ability to delete your local history, then you’re being pushed a glorified incognito window. Almost all today’s browser’s incognito mode does not encrypt your traffic.

The first thing that should be advertised is what VPN options the browser offers. A user friendly private encrypted browser will have different servers to connect to the web through, easy ways to switch between servers, as well as an intuitive interface for connecting, and disconnecting from the web.

Encryption is crucial for truly private browsing because it masks information about your surfing habits such as how long you stayed on a site, how many times you visited, and what your activity log looked like for any particular website. Someone snooping on your online activity may be able to see how much data you’re using in a browsing session, but they won’t be able to see how it’s used if your connection is encrypted.

There are a number of quality private browsers out there that can be downloaded for free, but it’s important to lookout for any hidden catch. When a web product or service is offered for free, sometimes the reason for that is because you’re paying for it with your data.

Other Ways to Stay Safe Online

Browsing privately isn’t the only way to protect your data on the internet. You can start using these tools even without a private browser to enhance your traditional web experience and make it harder to be tracked.

Start by switching up your default search engine. Google’s AdSense makes a private browsing experience impossible using Google. A private search engine such as DuckDuckGo and StartPage don’t creep on your habits for the sake of targeting advertisements to you.

If you browse the web primarily from your phone, be sure to turn off Geotagging to prevent the public caching of your physical location each time you take a photo. (If you’re using a private browser but still have this feature turned on, your browsing location with conflate with your physical location.)

There are many free password managers available that will help you generate passwords that are difficult to be compromised, and will remind you when it’s time to change up your passwords.

Last but not least, you can use browser security tools such as HTTPS Everywhere and Privacy Badger to protect your data even when you’re not browsing privately.

French official begins anti-encryption campaign

French official begins anti-encryption campaign

This story was delivered to BI Intelligence Apps and Platforms Briefing subscribers. To learn more and subscribe, please click here.

A French official plans to begin mobilizing a global effort — starting with Germany — against tech companies encrypting their messaging apps, according to Reuters.

Messaging apps, such as Telegram and WhatsApp, that promote end-to-end encryption, are used by terrorists to organize attacks in Europe, the minister said. Although individual governments have previously explored seeking mandatory backdoors from tech companies, this is the first attempt to unify the case across countries. If successful, it could make it more difficult for these companies to resist the requests.

The debate over the use of end-to-end encryption in chat apps recently made headlines after it was revealed that terrorists might have used secure chat apps to coordinate a slew of attacks in France. Law-enforcement officials argue that the highly secure tech impedes their ability to carry out investigations relating to crimes that use the chat apps.

Tech companies argue that providing backdoor access to their apps, even to governments, creates a potential vulnerability that can be targeted by malicious players seeking access to users’ personal data. To add weight to this argument, it was revealed last week that a “golden key” built by Microsoft for developers was accidentally leaked. And while the company has sent out patches for a majority of its devices, it’s unlikely to reach those potentially affected.

BI Intelligence, Business Insider’s premium research service, has compiled a detailed report on messaging apps that takes a close look at the size of the messaging app market, how these apps are changing, and the types of opportunities for monetization that have emerged from the growing audience that uses messaging services daily.

Here are some of the key takeaways from the report:

  • Mobile messaging apps are massive. The largest services have hundreds of millions of monthly active users (MAU). Falling data prices, cheaper devices, and improved features are helping propel their growth.
  • Messaging apps are about more than messaging. The first stage of the chat app revolution was focused on growth. In the next phase, companies will focus on building out services and monetizing chat apps’ massive user base.
  • Popular Asian messaging apps like WeChat, KakaoTalk, and LINE have taken the lead in finding innovative ways to keep users engaged. They’ve also built successful strategies for monetizing their services.
  • Media companies, and marketers are still investing more time and resources into social networks like Facebook and Twitter than they are into messaging services. That will change as messaging companies build out their services and provide more avenues for connecting brands, publishers, and advertisers with users.

In full, this report:

  • Gives a high-level overview of the messaging market in the US by comparing total monthly active users for the top chat apps.
  • Examines the user behavior of chat app users, specifically what makes them so attractive to brands, publishers, and advertisers.
  • Identifies what distinguishes chat apps in the West from their counterparts in the East.
  • Discusses the potentially lucrative avenues companies are pursuing to monetize their services.
  • Offers key insights and implications for marketers as they consider interacting with users through these new platforms.

FBI Chief Calls for National Talk Over Encryption vs. Safety

SAN FRANCISCO — The FBI’s director says the agency is collecting data that he will present next year in hopes of sparking a national conversation about law enforcement’s increasing inability to access encrypted electronic devices.

Speaking on Friday at the American Bar Association conference in San Francisco, James Comey says the agency was unable to access 650 of 5,000 electronic devices investigators attempted to search over the last 10 months.

FBI Chief Calls for National Talk Over Encryption vs. Safety

Comey says encryption technology makes it impossible in a growing number of cases to search electronic devices. He says it’s up to U.S. citizens to decide whether to modify the technology.

The FBI earlier this year engaged in a high-profile fight with Apple to access data from a locked iPhone used by a shooter in the San Bernardino, California, terrorist attack.

Google finally adds HSTS encryption to google.com

Google finally adds HSTS encryption to google.com

Google, known for its security practices, has finally brought HTTP Strict Transport Security (HSTS) to google.com to strengthen its data encryption. HSTS helps protect against eavesdroppers, man-in-the-middle attacks, and hijackers who attempt to spoof a trusted website. Chrome, Safari, and Internet Explorer all support HSTS.

“HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs,” said Jay Brown, a senior technical program manager for security at Google, in a blog post. “Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.”

Typically, implementing HSTS is a fairly simple process, Brown said. But, due to Google’s complex algorithms, the company had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access the core domain.

Brown also noted that the team accidentally broke Google’s Santa Tracker just before Christmas last year during testing.

According to Google, about 80% of requests to its servers today use encrypted connections. The use of HSTS goes a step further by preventing users from mistakenly visiting unsafe URLs.

Certain domains, including Paypal and Twitter, will be automatically configured with HSTS to keep users safe, according to Google’s HSTS Preload List.

Google is now focused on increasing the “max-age,” or the duration that the header is active. The max-age is currently set to one day to help mitigate the risk of any potential problems with the rollout. “By increasing the max-age, however, we reduce the likelihood that an initial request to www.google.com happens over HTTP,” Brown said. “Over the next few months, we will ramp up the max-age of the header to at least one year.”

Increasing encryption

Google is currently working to implement HTTPS across all of its products. In March 2014, the company announced the use of HTTPS-only for Gmail.

Increasing encryption and security around its core products will be key for Google to remain in good standing with enterprise and consumer customers as concerns over cybersecurity ramp up across verticals.

Encryption remains at the forefront of many cybersecurity discussions, especially after last year’s terrorist attack in San Bernardino, CA, and the FBI’s dispute with Apple over access to the shooter’s iPhone.

In March, Google joined Facebook, Microsoft, and others who filed in support of Apple in its refusal of a court order forcing it to unlock the shooter’s iPhone for authorities.

The Federal Bureau of Investigations is holding ongoing talks with technology companies about a range of privacy and encryption issues, according to FBI director James Comey. The agency is also collecting statistics on the effect of encryption on its investigations.

“Encrypting data in transit helps keep our users and their data secure,” Brown said. “We’re excited to be implementing HSTS and will continue to extend it to more domains and Google products in the coming months.”

Hacker finds breach in WhatsApp’s encryption system

A security expert has found a breach in WhatsApp’s supposed ‘end-to-end’ encryption system. On earlier 2016, the Facebook-owned company proudly announced that messages would feature end-to-end encryption, thus giving users the tranquility that their private conversations would remain untouched.

Jonathan Zdziarski, a digital forensic specialist and digital security expert, published an article on Thursday with bold declarations. He stated that WhatsApp does not really delete users’ messages. Zdziarski started several conversations on his WhatsApp account, using an iPhone. After a bit of chit-chat, he deleted, cleared and archived some of the conversations. Finally, he clicked the “Clear All Chats” feature.

Hacker finds breach in WhatsApp’s encryption system

The “deleted records” were not actually deleted since the messages still appeared in SQLite, a relational database management system. According to Zdziarski, the chat’s database gets copied every time an iPhone users does a backup, saving it in a desktop backup and iCloud (Zdziarski states that this is “irrelevant to whether or not you use WhatsApp’s built-in iCloud sync”).

Which are the risks?

Zdziarski stated that the “leftover” evidence in SQLite poses some risks. For example, if somebody has physical access to a smartphone, he or she could hack it and create a backup of that information. In the same way, if a hacker has physical access to a computer, he or she could enter an “unencrypted backup” and access messages.

Law enforcement could obtain clear records of conversations by giving Apple a court order. Zdziarski has been very clear in stating that he doesn’t believe WhatsApp is keeping information on purpose. He even offers some advice in the article about how the company could make the service better and safer.

Hacker finds breach in WhatsApp’s encryption system

Alternatives

For Zdziarski, the only way to truly delete WhatsApp messages is to remove the app entirely. However, he offered some tips to “minimize” risks. For example, using iTunes to set a very complex backup password could help. Using Configurator to lock the smartphone is also a good idea since it makes harder for someone else to steal the phone’s passwords.

Finally, users would have to disable iCloud backup. If the user still feels uneasy, there are still a few safer alternatives. Telegram, an app available for Android and iOS, promises to have end-to-end encryption. The app is very popular in NGOs for even having a “self-destruct” modality for messages.

Telegram’s founder, Pavel Durov, founded the social networking site VK. He had an argument with Russian authorities and left his country in a self-imposed exile. VK is now owned by Mail.Ru Group, which has the monopoly of social networking market in Russia and is a Putin ally.

After this, he decided to create the instant messaging service with the aim of giving Russians a secure messaging app that would be unbreakable by Russian intelligence services. The BlackBerry Messenger service is also secure since the PIN-to-PIN service uses “Triple Data Encryption Standard”.

Do anti-encryption Democrats see the importance of encryption now?

Do anti-encryption Democrats see the importance of encryption now?

One would certainly hope so after the turmoil that has followed the release of thousands of DNC emails by Wikileaks. But Democratic lawmakers in the past have worked to weaken encryption standards, demanding backdoors that they say can be used by law enforcement authorities to track terrorists, but also leave computers vulnerable to hackers.
Consider CISA, a bill introduced to the Senate by California Democrat Dianne Feinstein. Despite near-unanimous expert testimony opposing the bill, along with a vocal public outcry, 30 Democratic senators voted in favor of passing the bill last year. This year, Feinstein coauthored the “Compliance with Court Orders Act of 2016” with Republican Senator Richard Burr, in the name of protecting America from terrorism following the FBI’s battle with Apple over decrypting the San Bernardino shooter’s iPhone.

As encryption expert Jonathan Zdziarski wrote following the announcement of the Feinstein-Burr bill, “The reality is that there is no possible way to comply with it without intentionally backdooring the encryption in every product that may be used in the United States.” While it’s still unclear how, exactly, hackers got into the DNC’s servers, Democrats now know, in the most personal way, the kinds of embarrassments that can result from encryption vulnerabilities.

The Democrats can blame Russia all they want. The fact of the matter is that stronger encryption, like the end-to-end encryption now standard in everything from iMessage to Whatsapp, continues to be the best defense against hackers.

Facebook to add end-to-end encryption to Messenger app

Facebook to add end-to-end encryption to Messenger app

Facebook has started to introduce a setting to its “Messenger” app that provides users with end-to-end encryption, meaning messages can only be read on the device to which they were sent.

The encrypted feature is currently only available in a beta form to a small number of users for testing, but it will become available to all of its estimated 900-million users by late summer or in the fall, the social media giant said.

The feature will be called “secret conversations”.

“That means the messages are intended just for you and the other person – not anyone else, including us,” Facebook announced in a blog post.

The feature will also allow users to set a timer, causing messages to expire after the allotted amount of time passes.

Facebook is the latest to join an ongoing trend of encryption among apps.

Back in April, Whatsapp, which is owned by Facebook and has more than a billion users, strengthened encryption settings so that messages were only visible on the sending and recipient devices.

Whatsapp had been providing limited encryption services since 2014.

The company says it is now using a powerful form of encryption to protect the security of photos, videos, group chats and voice calls in addition to the text messages sent by more than a billion users around the globe.

Controversy

Encryption has become a hotly debated subject, with some US authorities warning that criminals and armed groups can use it to hide their tracks.

“WhatsApp has always prioritised making your data and communication as secure as possible,” a blog post by WhatsApp co-founders Jan Koum and Brian Acton said, announcing the change at the time.

Like Facebook has until now, Google and Yahoo use less extensive encryption to protect emails and messages while they are in transit, to prevent outsiders from eavesdropping.

Apple uses end-to-end encryption for its iMessage service, but some experts say WhatsApp’s method may be more secure because it provides a security code that senders and recipients can use to verify a message came from someone they know – and not from a hacker posing as a friend.

Full disk encryption flaw could affect millions of Android users

Full disk encryption flaw could affect millions of Android users

When it comes to vulnerabilities and security, Google’s Android has never been in the good books of security experts or even its users to a great extent. Now, another vulnerability has surfaced that claims to leave millions of devices affected. Security expert Gal Beniamini has now revealed another flaw in Android encryption.

According to the DailyMail, the security researcher has said that Android devices with full disk encryption and powered by Qualcomm processors are at risk of brute force attacks wherein hackers can use persistent trial and error approach. Full disk encryption is on all devices running Android 5.0 onwards. It generates a 128-bit master key for a user’s password. The report adds that the key is stored in the device and can be cracked by malicious minds.

“Android FDE is only as strong as the TrustZone kernel or KeyMaster. Finding a TrustZone kernel vulnerability or a vulnerability in the KeyMaster trustlet, directly leads to the disclosure of the KeyMaster keys, thus enabling off-device attacks on Android FDE,” Beniamini explains.

A combination of things like Qualcomm processors verifying security and Android kernels are causing the vulnerability. Google along with Qualcomm is working at releasing security patches, but Beniamini said hat fixing the issue may require hardware upgrade.

“Full disk encryption is used world-wide, and can sometimes be instrumental to ensuring the privacy of people’s most intimate pieces of information. As such, I believe the encryption scheme should be designed to be as “bullet-proof” as possible, against all types of adversaries. As we’ve seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement),” he adds.

Lately, encryption debate had taken centre stage when Apple refused to unlock an iPhone belonging to a terrorist involved in San Bernardino shooting. The FBI reportedly managed to break into the device without Apple’s help and is believed to have paid a whopping $13 million to do so.