Tag: Hacking

Categories
Quotations

2012.7.30

You hereby grant Ninja Tel permission to listen to, read, view and/or record any and all communications sent via the network to which you are a party,“ one section stated. “Before you get all upset about this, you already know full well that AT&T does this for the NSA. You understand that you have no reasonable expectation of privacy as to any on the Ninja Tel network. You grant Ninja Tel a worldwide, perpetual, assignable, royalty-free license to use any and all recorded or real-time communications sent via the Ninja Tel network to which you are a party. Don’t worry, most of this is for the lulz.

Ninja Tel Terms of Service (read more at Ars)
Categories
Links Writing

The Problems With Smartphone Password Managers

In today’s era of hyperbolic security warnings one of the easiest things that people can do to ‘protect’ themselves online is select super hard passwords to crack, stuff them in a centralized password manager, and then only have to remember a single password to access the rest in the manager. I’ve used a password manager for some time and there are real security benefits: specifically, if a single service that I’ve registered with is hacked then my entire online life isn’t compromised, just that one service.

Password manager companies recognize the first concern that most people have surrounding their services: how do the managers protect the sensitive information they’re entrusted with? The standard response from vendors tends to reference ‘strong security models and usage of cryptography. Perhaps unsurprisingly, it is now quite apparent that the standard responses really can’t be trusted.

In a recent paper (.pdf), researchers interrogated the security status of password managers. What they found is, quite frankly, shocking and shameful. They also demonstrate the incredible need for third-party vetting of stated security capabilities.

The abstract for the paper is below but you should really just go read the whole paper (.pdf). It’s worth your time and if you’re not a math person you can largely skim over the hard math: the authors have provided a convenient series of tables and special notes that indicate the core deficiencies in various managers’ security stance. Don’t use a password manager that is clearly incompetently designed and, perhaps in the future, you will be more skeptical of the claims companies make around security.

Abstract:

In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection

Access the paper (.pdf)

The Problems With Smartphone Password Managers

Categories
Videos

On the inherent (in)security of the software-driven devices

A quick TEDx talk about the inherent (in)security of the software-driven devices that are increasingly embedded throughout our lives.

Categories
Links

Fallout from Comodo and DigiNotar Hacks Continues

The hacking of major certificate authorities, Comodo and DigiNotar, has been somewhat addressed by certificate blacklists and revocations. Despite these measures, however, the fallout of the hacks continues. As picked up by PC Magazine,

This week Kaspersky has discovered malicious droppers – programs that install malware – bearing stolen VeriSign certificates originally issued to a Swiss company called Conpavi AG.

One of the droppers carries a 32-bit driver containing a malicious DLL, which gets injected into your Internet browser process. A malicious 64-bit dropper injects the DLL directly.

From there, the DLL reroutes all your search queries in Google, Yahoo!, and Bing, to a pay-per-click search engine called Search 123. Search 123 makes money off people who search and click on their results.

As a colleague of mine commented, this is just another nail in X.509’s coffin. Let’s just hope that not too many innocents are buried along with it.

Categories
Links Writing

On Hiring Hackers

Kevin McArthur has a response to firms who are demanding highly credentialed security staff: stop it!

Much of his argument surrounds problems with the credentialing process. He focuses on the fact that the time spent achieving an undergrad, MA, and set of professional certifications leaves prospective hires woefully out-of-date and unprepared to address existing security threats.

I recognize the argument but think that it’s somewhat of a strawman: there is nothing in a credentialing process forcing individuals to solely focus on building and achieving their credentials. Indeed, many of the larger companies that I’m familiar with hire hackers as employees and then offer them opportunities to pursue credentials on their own time, on the company dime, over the course of their employment. Many take advantage of this opportunity. This serves two purposes: adds ‘book smarts’ to a repertoire of critical thinking habits and makes the company ‘stickier’ to the employee because of the educational benefits of working for the company.

Under the rubric of enabling education opportunities for staff you can get security talent that is very good and also happens to be well educated. It’s a false dichotomy to suggest that you can have either ‘book smarts’ or ‘real world smarts’: there are lots of people with both. They don’t tend to be right out of university or high school, but they are out there.

What’s more important, and what I think the real focus of the article is meant to be, is that relying on credentials instead of work accomplished is the wrong way of evaluating prospective security staff hires. On that point, we entirely agree.

Categories
Quotations

Phone hacking, for the most part, depends on remote access. Hackers obtain unprotected phone numbers from a variety of sources – Facebook must be a favorite – or by social engineering. PINs, for the most part, are easy to guess. Hacking typically takes place in the legitimate user’s absence.

Unless Apple or Google plans to bar remote access to devices, facial recognition security surely only solves a small part of the problem. Back to the drawing board.

~Kim Davis, from Internet Evolution