Categories
Links

Tracking by GSM

From Ars Technica:

The attack works by exploiting features in GSM, or Global System for Mobile Communications, cellular networks that transmit data sent between base stations and phones in clear text. By simply calling the target’s mobile number and monitoring the network’s radio signals as it locates the phone, the attacker can quickly confirm if the person is located in what’s known as the LAC, or Location Area Code. Attackers can use the same technique to determine if the target is within close proximity to a given base station within the LAC.

This is helpful for figuring out where, in a specific geographic area, a person is or (in case you’re interested) where they aren’t. This latter use – clarifying that a person isn’t in a specific LAC – is particularly useful if you are launching some action that is made easier by a person’s non-presence. (Hint: Think burglary).

This new GSM attack builds on other research around monitoring a person’s location by exploiting mobile phones. For a good overview of the information used in similar kinds of surveillance, see Claudio A. Ardagna et al.’s chapter in Digital Privacy: Theory, Technologies, and Practices.
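What the attacker has to do with the radio traffic once the call goes out, as an added example that is mine and not from the Ars piece or the research it reports: each call makes the network page the target’s phone on the paging channel of the LAC it is in, but that channel also carries pages for everyone else in the LAC, so the identifier that belongs to the target is the one that turns up after every call, and if nothing survives a handful of calls the phone is not in this LAC at all. The paging log, the call times and the TMSI values below are constructed; that the decoder emits plain “timestamp TMSI” pairs, that the attacker hangs up before the phone rings, and the five-second correlation window are assumptions of the example, not details from the article.

```shell
#!/bin/sh
# Added example: correlating paging-channel traffic with calls placed to the
# target. The log, the call times and the TMSI values are constructed for the
# example; real paging channels carry far more traffic and pages may repeat.
set -eu

# Constructed decoder output, one "epoch_seconds TMSI" pair per page observed
# on this LAC's paging channel. 0x1a2b3c4d is the (unknown to the attacker)
# identity of the target; the others belong to other subscribers in the LAC.
PAGING_LOG='1000 0x1a2b3c4d
1001 0x7777aaaa
1002 0xdeadbeef
1060 0x1a2b3c4d
1061 0x5555ffff
1062 0xdeadbeef
1121 0x1a2b3c4d
1123 0x9999bbbb
1130 0xdeadbeef'

# Seconds at which the attacker dialled the target and hung up before ringing.
CALLS='1000 1060 1120'

# Print, one per line, every TMSI paged within $3 seconds after each of the
# calls in $2. Paging is per LAC, so a survivor means the phone is in this LAC;
# an empty result after several calls means it is not.
candidates() {
  printf '%s\n' "$1" | awk -v calls="$2" -v window="$3" '
    BEGIN {
      n = split(calls, c, " ")
      for (i = 1; i <= n; i++) c[i] += 0
      window += 0
    }
    {
      for (i = 1; i <= n; i++)
        if ($1 + 0 >= c[i] && $1 + 0 <= c[i] + window) seen[$2, i] = 1
    }
    END {
      for (key in seen) { split(key, part, SUBSEP); tmsi[part[1]] = 1 }
      for (t in tmsi) {
        hits = 0
        for (i = 1; i <= n; i++) if ((t, i) in seen) hits++
        if (hits == n) print t
      }
    }' | sort
}

# Exit 0 when at least one TMSI survives every call, i.e. the target is here.
present_in_lac() {
  [ -n "$(candidates "$1" "$2" "$3")" ]
}

echo "survivors after calls at $CALLS: $(candidates "$PAGING_LOG" "$CALLS" 5)"
if present_in_lac "$PAGING_LOG" "1000 1200" 5; then
  echo "present in LAC"
else
  echo "no TMSI paged after every call: target is not in this LAC"
fi
```

After the first call three identifiers are in play; by the third only the target’s remains. The second run, with a call at a time after which the log shows no pages at all, is the absence case the post cares about: no identifier survives, so the phone is not in this LAC. Narrowing from the LAC to a single base station is the same intersection run against pages decoded from that cell alone.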

Categories
Links Writing

SSL Skeleton Keys

From the Ars lede:

Critics are calling for the ouster of Trustwave as a trusted issuer of secure sockets layer certificates after it admitted minting a credential it knew would be used by a customer to impersonate websites it didn’t own.

The so-called subordinate root certificate allowed the customer to issue SSL credentials that Internet Explorer and other major browsers would accept as valid for any server on the Internet. The unnamed buyer of this skeleton key used it to perform what amounted to man-in-the-middle attacks that monitored users of its internal network as they accessed SSL-encrypted websites and services. The data-loss-prevention system used a hardware security module to ensure the private key at the heart of the root certificate wasn’t accidentally leaked or retrieved by hackers.

It’s not new that these keys are issued – and, in fact, governments are strongly believed to compel such keys from authorities in their jurisdiction – but the significance of these keys cannot be overstated. SSL is intended to encourage trust: if you see that a site is using SSL then that site is supposed to be ‘safe’. This is the lesson that the Internet industry has been pounding into end-users/consumers for ages. eCommerce largely depends on consumers ‘getting’ this message.

The problem is that the lesson is increasingly untrue.

Given the sale of ‘skeleton key’ certs, the hacking of authorities to generate (illegitimate) certs for major websites (e.g. addons.mozilla.com, hotmail.com, gmail.com, etc), and widespread backend problems with SSL implementation, it is practically impossible to claim that SSL makes things ‘safe’. While SSL isn’t in the domain of security theatre, it can only be seen as marginally increasing protection instead of making individuals, and their online transactions, safe.

This is significant for the end-user/consumer, because they psychologically respond to the difference between ‘safe’ and ‘safer’. Ideally a next-generation, peer-reviewable, trust-agile system will be formally adopted by the major players in the near future. Only after the existing problems around SSL are worked out – through trust agility, certificate pinning, and so forth – will the user experience be moved back towards the ‘safe’ position in the ‘safe/unsafe’ continuum.
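To make the ‘skeleton key’ concrete, here is an added example (my own, not from Ars, Trustwave or the customer’s product): a subordinate CA with no name constraints, chained to a root the client trusts, signs a certificate for gmail.com; ordinary chain validation accepts it, and only a public-key pin, the SPKI SHA-256 digest that HPKP-style pinning uses, rejects it. The root, the subordinate, the ‘genuine’ gmail.com key and every name in it are made up for the demonstration, and it needs the openssl command-line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example: an unconstrained subordinate CA ("skeleton key") versus a
# public-key pin. All names, keys and certificates are generated on the fly
# and are made up; nothing here is Trustwave's or the customer's material.
set -eu

# Key and CSR for $1/$2.{key,csr} with subject CN=$3.
newreq() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Build root -> subordinate -> mitm leaf, plus the genuine site's key, in $1.
make_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gmail.com\n' >"$dir/leaf.ext"

  # A root the client trusts (self-signed).
  newreq "$dir" root "Example Trusted Root"
  openssl x509 -req -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

  # The skeleton key: a subordinate CA with no name constraints, so it can
  # sign for any hostname the root's trust covers.
  newreq "$dir" sub "Customer DLP Subordinate"
  openssl x509 -req -days 30 -in "$dir/sub.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
    -out "$dir/sub.crt" 2>/dev/null

  # A leaf for a site the customer does not own, issued by the subordinate.
  newreq "$dir" mitm gmail.com
  openssl x509 -req -days 30 -in "$dir/mitm.csr" -CA "$dir/sub.crt" \
    -CAkey "$dir/sub.key" -CAcreateserial -extfile "$dir/leaf.ext" \
    -out "$dir/mitm.crt" 2>/dev/null

  # The key the genuine site really uses; only its public key matters here.
  newreq "$dir" real gmail.com
  openssl x509 -req -days 30 -in "$dir/real.csr" -signkey "$dir/real.key" \
    -extfile "$dir/leaf.ext" -out "$dir/real.crt" 2>/dev/null
}

# Path validation as a browser does it: leaf, untrusted intermediate, trusted root.
chain_ok() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" \
    "$1/mitm.crt" >/dev/null 2>&1
}

# SPKI pin: base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP (RFC 7469) form.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# True when the certificate's public key matches the pin the client shipped with.
pin_matches() {
  [ "$(spki_pin "$1")" = "$2" ]
}

main() {
  dir=$(mktemp -d)
  make_chain "$dir"
  pin=$(spki_pin "$dir/real.crt")   # the value a client would have pinned
  if chain_ok "$dir"; then
    echo "chain validation: mitm.crt for gmail.com is accepted"
  fi
  if pin_matches "$dir/mitm.crt" "$pin"; then
    echo "pin check: match"
  else
    echo "pin check: public key does not match pin $pin; refuse the connection"
  fi
  rm -rf "$dir"
}
main
```

The point of pinning the SubjectPublicKeyInfo rather than the whole certificate is that the genuine site can renew its certificate under the same key without breaking the pin, while no certificate signed by the subordinate can ever carry the genuine key. It is also why the post’s “browser pinning that can’t be compromised by corporate admins” matters: a pin honoured only for roots the browser ships, and not for locally installed ones, is exactly the hole that an enterprise interception box walks through.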

Categories
Writing

Stupid Problem with BlackBerry Data

I use my mobile phones a lot and most batteries just barely last me through a day on a single charge. With my iPhone and Windows Phone, when the batteries are almost exhausted, various functions (including radios) are disabled to make the last bit of juice last as long as possible. My BlackBerry does the same thing.

I’m fine with this.

What I’m not fine with is the following: once I charge the BlackBerry and the radios are re-activated, I have to pull the battery and fully reboot the device to get access to the various services that course through the BIS. If I don’t pull the battery, I get a warning that my plan doesn’t cover data services and thus I cannot access the phone’s various Internet-related functions. On the face of things, it seems that after charging the device, RIM’s software fails to indicate to their network infrastructure that I have a data plan and thus can access the BIS.

Needless to say, this is absurd.

I cannot believe that I’m the only person running into this and regardless of whether the problem is with my particular carrier, or the device, it isn’t something that I should ever experience. These are the kinds of problems that should be sorted out well before a device is put in the consumer’s hands.

Categories
Aside Links

Self-Mutating Trojans Come to Android

Symantec is warning that the next generation of smartphone viruses has come:

Researchers from security vendor Symantec Corp. have identified a new premium-rate SMS Android Trojan horse that modifies its code every time it gets downloaded in order to bypass antivirus detection.

This technique is known as server-side polymorphism and has already existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it.

A special mechanism that runs on the distribution server modifies certain parts of the Trojan in order to ensure that every malicious app that gets downloaded is unique. This is different from local polymorphism where the malware modifies its own code every time it gets executed.

This is a clever means to avoid the rudimentary analysis systems that the major vendors use to ID malware. It’s also (another) indication of how important antivirus is going to become for the mobile marketplaces. I suspect that, by the end of the year, a lot of users (on iOS, Android, and the rest) are going to wish that the post-Steve Jobs smartphones on the market today met Jobs’ initial thoughts regarding smartphones when Apple released the iPhone. Specifically, he held that:

He didn’t want outsiders to create applications for the iPhone that could mess it up, infect it with viruses, or pollute its integrity

While our pocket computers are better now that apps are available, I can’t help but think that Jobs’ earliest worries are now looming as today’s potential nightmares.

Categories
Videos

Fixing SSL, Moxie-Style

A follow up to my last post; if you want insight into how to fix the cruft that is SSL, take the time to watch Moxie’s presentation on SSL and The Future of Authenticity.

Categories
Links

Chrome Kills CA Revocation Checks

From Ars:

“While the benefits of online revocation checking are hard to find, the costs are clear: online revocation checks are slow and compromise privacy,” Langley added. That’s because the checks add a median time of 300 milliseconds and a mean of almost 1 second to page loads, making many websites reluctant to use SSL. Marlinspike and others have also complained that the services allow certificate authorities to compile logs of user IP addresses and the sites they visit over time.

Chrome will instead rely on its automatic update mechanism to maintain a list of certificates that have been revoked for security reasons. Langley called on certificate authorities to provide a list of revoked certificates that Google bots can automatically fetch. The time frame for the Chrome changes to go into effect are “on the order of months,” a Google spokesman said.

The problems with CA revocation checks have been particularly prominent over the past 12 months, given the large number of serious CA breaches. While even the Google fetch mechanism isn’t ideal – really, we need to move to an agile trust framework combined (ideally) with browser pinning that can’t be compromised by corporate admins – it’s better. Still, there’s a long way to go until SSL and the CA system are reformed to the point of being actual ‘trusted’ facets of the Internet.

Categories
Quotations

The most important detail to focus on, is (per comment 12 by Brian Trzupek above) that Trustwave knew when it issued the certificate that it would be used to sign certificates for websites not owned by Trustwave’s corporate customer.

That is, Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic.

This is very very different than the usual argument that is used to justify “legitimate” intermediate certificates: the corporate customer wants to generate lots of certs for internal servers that it owns.

Regardless of the fact that Trustwave has since realized that this is not a good business practice to be engaged in, the damage is done.

With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate).

~Christopher Soghoian, in comment about Trustwave

Categories
Links

Wind on a Leaf: Dear startups and other relevant parties: It’s 2012. It is no longer ok to

chartier:

  • Not offer a way to download our data in some sort of a standard, transparent, and at least somewhat human-siftable format
  • Hide or otherwise be opaque about precisely what personal data you smuggle out of our devices
  • Not offer a one-to-two-click process for deleting our accounts
  • Fail to actually remove our data from your servers after we delete our accounts (while complying with applicable regional laws governing data retention)
  • Believe that taking VC and selling your customers’ private information is the only way to get a company off the ground, let alone run a successful business
  • Not use SSL for passing even the slightest bit of private information

Did I miss anything?

One thing: use rhetoric and spin to try and convince users that rabidly anti-consumer practices (such as those noted above) are good for society and that this kind of ‘radical transparency’ (i.e. screwing the customer for the benefit of the bottom line) is somehow going to make the world a better and happier place.

Categories
Videos

OK GO and Advertise to Me

I had no idea that OK GO’s recent video was largely a sponsored ad for the car they’re driving.

I also don’t care, because:

  1. I had no idea what the car was until I read an analysis of the video;
  2. It’s just (to my mind) another ridiculously awesome music video from this band.

I’m willing to sit through the ‘ad’ on the basis that the ‘brand’ of the car is non-obtrusive: it’s just a particular vehicle (pardon the pun) to deliver a really cool cultural experience.

Categories
Quotations

Phone hacking, for the most part, depends on remote access. Hackers obtain unprotected phone numbers from a variety of sources – Facebook must be a favorite – or by social engineering. PINs, for the most part, are easy to guess. Hacking typically takes place in the legitimate user’s absence.

Unless Apple or Google plans to bar remote access to devices, facial recognition security surely only solves a small part of the problem. Back to the drawing board.

~Kim Davis, from Internet Evolution