The internet is growing darker day-by-day

In the deepest corners of the dark web, anything goes. These are sites that cannot be found using typical search engines like Google and Yahoo and are usually not accessed via a standard operating system from Microsoft or Apple. Instead, individuals access these sites using The Onion Router (TOR) browser and a hidden operating system (e.g. Tails) booted from a USB or CD.

TOR isn’t secret. In fact, TOR is widely used by a diverse range of groups, including criminals, non-criminals, NGOs, journalists, security researchers and government authorities, who need to browse anonymously for a number of reasons. It is the security in numbers that can protect a TOR user’s anonymity and freedom from censorship.

For those interested in using TOR though, beware. TOR is not banned, which means that authorities, like the NSA, may be gaining good intelligence on TOR users. For users who are not security savvy, the government may even know what they are visiting.

TOR is a free utility that anyone can download and configure. The TOR website offers clear instructions on how to do this. Once set up, the user connects to a series of encrypted TOR servers (which are also physically located in a secure location) before they connect to the destination site. As the connection is encrypted at each node, it is not possible to detect where the original request came from through traffic packet analysis alone. However, it is possible for Internet Service Providers (ISPs) to distinguish TOR traffic from regular traffic; they just won’t know what you are accessing. Even if authorities took over a hidden dark web server or set up a dark web honeypot to lure users, it would be difficult for them to identify the users (but not impossible*).

Despite the risks of being caught, the use of TOR in accessing the dark web is increasing. On the dark web, users can purchase personal credentials, illegal drugs and weapons. They can also hire hitmen, order DDoS or other attacks and plan criminal/terrorist activities. The dark web is also full of some of the most terrifying web content shared by disturbed minds. Silk Road may have been closed down but it can easily be replaced. It is a continual struggle of power between criminals and authorities.

UK close to banning the use of WhatsApp, iMessage and SnapChat to protect National Security.

Applications that provide an encrypted messaging platform, like WhatsApp, are under threat from countries that are increasingly reliant on snooping as part of their National Security strategy. The UK is proposing a new law as part of its “Snoopers Charter”, also known as the Draft Communication Bill, to enforce a ban on applications like WhatsApp, iMessage and SnapChat that use encrypted messages. Under this new proposed bill, Internet Service Providers must monitor the online activity of customers and keep logs of their activities for 12 months.

This isn’t a surprise though, as the use of mass surveillance to protect national security and counter terrorism is widely used and increasing around the world. The five most controversial ones include:

China – 1998 the Great Firewall of China

This is a censorship and surveillance program designed by the Chinese government to filter and control the content that is accessed by the public. This program also prohibits individuals from using the internet to harm national security, spread false rumors or encourage socially undesirable behavior like gambling, violence or murder. This is an extremely controversial program that China has been widely criticized for by human rights and civil liberties groups.

USA – 2001 Patriot Act

This was introduced following the September 11 and anthrax attacks. This was an extremely controversial bill which many felt was an over-extension of the US government’s surveillance powers. Some of the most controversial parts allowed government agencies to:
  • Confiscate the property of foreigners who are believed to have aided in a war or an attack on the USA.
  • Authorize the roving surveillance of any individuals under investigation (using any means available to intercept a person’s communications. An extension of wire-tapping)
  • Authorize the use of National Security Letters to demand a release of information about individuals without them knowing.
  • Detain terrorism suspects without providing them with access to lawyers and without hearings or formal charges

This law was controversial as it reversed many of the civil liberties that were guaranteed under the US Constitution e.g. right to privacy and freedom from unreasonable searches and seizures.

Originally introduced by the Bush administration, subsequent US administrations have tried to remove it but the US has grown too reliant on this as an Anti-Terrorism measure. The original bill which expired in 2011, has been renewed two times since (including in 2015) and will be up for renewal again in 2019.

France – 2015 Patriot Act

Following the Charlie Hebdo attacks, France passed their own version of the Patriot Act in June this year. Despite opposition from civil liberties groups, the bill was passed by the Senate on June 9 2015 with overwhelming support. This gives French government agencies the authorization to conduct mass surveillance over all communications without judicial approval and deploy new infrastructure to sniff all electronic communications. The new law also requires Internet Service Providers to be able to crawl through internet traffic to identify terrorist activities.

Australia – 2015 Data Retention laws

Australia has been wire-tapping phones for years and this has increased year-on-year. The government has also requested ISPs and search engines (like Google) to provide private information on web browsing histories and private user information, and transparency reports have shown that this activity is increasing. As of August 2014, government agencies can obtain this information without a warrant or user disclosure. Recently, the government has passed a data retention bill that mandates ISPs to store data on user activities for two years. Australia is also part of the Five Eyes alliance.

Russia – SORM (System of Operative Measures)

Russia is a surveillance state and their powers are extensive. This has even led to the US issuing this travel warning ahead of tourists travelling to Sochi for the 2013 Winter Olympics.
“Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary” http://www.worldpolicy.org/journal/fall2013/Russia-surveillance

Cracking the Enigma: How Alan Turing was destroyed by the people he saved

During WW2, Germany coordinated their war strategy through a series of encrypted messages, passed from central command to their armed forces. German cryptologists used an Enigma machine to do this. Enigma used Symmetric Cryptography, meaning that the same key was used for both encryption and decryption. Each letter was sent through a series of circuits (consisting of a plug board and 3 rotating wheels) to create a highly randomized output. The key is the Enigma set-up itself, which is the choice/order of the wheels, the ring setting and plug connections. Enigma configurations were changed daily. Every month, the Germans distributed a key sheet to Enigma operators. This contained a list of different configurations for each day of the month. This key sheet was critical to be able to decrypt the codes. As there were 159 million possible Enigma settings, the time taken to go through all the possible Enigma configurations to decrypt a message would not have been worth the effort.

The British needed a fast method to decrypt the codes. German troops were advancing fast and the Allied troops needed an advantage. They hired a team of mathematicians and problem solvers to create a decryption machine. Alan Turing led efforts at Bletchley Park to create one he called The Bombe (not to be confused with another Polish machine of the same name). Exploiting a critical flaw in Enigma, the Bombe was able to decrypt Enigma messages in under 20 minutes. As the Enigma has a rule that a letter could not become itself, the Bombe worked backwards to deduce all the impossible rotor and plug board configurations that violated this rule. It was able to do this very quickly via electrical circuits.
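
The rule that a letter can never become itself, shown as an added example that is not part of the original post. It assumes a simplified machine with constructed wirings (not the historical rotors, no plug board, plain odometer stepping) and a guessed plaintext word, which the post does not mention; all function names are hypothetical.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def make_machine(seed):
    """Constructed wiring (not the historical rotors): three random rotor
    permutations and a reflector that swaps letters in 13 pairs."""
    rng = random.Random(seed)
    rotors = []
    for _ in range(3):
        wiring = list(range(26))
        rng.shuffle(wiring)
        rotors.append(wiring)
    letters = list(range(26))
    rng.shuffle(letters)
    reflector = [0] * 26
    for a, b in zip(letters[::2], letters[1::2]):
        reflector[a], reflector[b] = b, a   # pairs only, so no letter maps to itself
    return rotors, reflector


def encipher(machine, text, start=(0, 0, 0)):
    """Encrypt or decrypt: from the same start position the machine is its own inverse."""
    rotors, reflector = machine
    inverses = [[wiring.index(i) for i in range(26)] for wiring in rotors]
    pos = list(start)
    out = []
    for ch in text:
        # Simplified odometer stepping before each key press.
        for i in range(3):
            pos[i] = (pos[i] + 1) % 26
            if pos[i] != 0:
                break
        x = ALPHABET.index(ch)
        for wiring, p in zip(rotors, pos):                     # forward through the wheels
            x = (wiring[(x + p) % 26] - p) % 26
        x = reflector[x]                                       # turn around at the reflector
        for inv, p in zip(reversed(inverses), reversed(pos)):  # back through the wheels
            x = (inv[(x + p) % 26] - p) % 26
        out.append(ALPHABET[x])
    return "".join(out)


def possible_crib_offsets(ciphertext, crib):
    """Offsets where a guessed plaintext word could sit: any alignment in which
    a letter would have to encrypt to itself is impossible and is discarded."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(c != p for c, p in zip(ciphertext[i:], crib))]


if __name__ == "__main__":
    machine = make_machine(1940)                  # constructed key
    plain = "WETTERBERICHTFUERDIENACHT"           # constructed message
    cipher = encipher(machine, plain)
    print(cipher, possible_crib_offsets(cipher, "WETTER"))
```

Because the signal turns around at a reflector that only swaps pairs, every key press maps a letter to a different letter, so a guessed word can be ruled out at every offset where it shares a letter with the ciphertext.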

As the British wanted to continue to spy on the German forces, the operation continued in secret. This action resulted in the saving of countless lives and the Allied success in key battles, including D-Day. After the war, Alan Turing went on to work for the National Physical Laboratory and published a paper on Artificial Intelligence in 1950 called “The Turing Test”.

Despite all his achievements, Alan Turing’s contributions to the Allied war victory went mostly unnoticed. He was disgraced and arrested for homosexuality in 1952. He was given a choice of imprisonment or hormone treatments to “cure” his homosexuality. He chose hormone treatments. This didn’t “cure” his homosexuality; instead, it left him with emotional and physical scars from the ordeal, eventually culminating in his death at the young age of 41. It wasn’t until 2009 that Britain issued an official apology to Turing.

Gordon Brown: “He truly was one of those individuals we can point to whose unique contribution helped to turn the tide of war,” said Brown. “The debt of gratitude he is owed makes it all the more horrifying, therefore, that he was treated so inhumanely. … Alan and the many thousands of other gay men who were convicted as he was convicted, under homophobic laws, were treated terribly.”

http://www.findingdulcinea.com/news/on-this-day/March-April-08/On-this-Day–British-WWII-Code-Breaker-Goes-on-Trial-for-Homosexuality.html

Alan Turing is now regarded as a father of Cryptography, Artificial Intelligence and the modern computer. In 2014, Benedict Cumberbatch starred as Alan Turing in The Imitation Game, which became the highest grossing independent film of the year. It was nominated in eight categories at the 87th Academy Awards and won the People’s Choice Award at the 39th Toronto International Film Festival. This film was also honored for bringing Turing’s legacy to the public. Alan Turing was also honored at the 2015 London Pride march as a Pride Hero for his contributions. His family represented him in the march. This also happened to coincide with a landmark USA Supreme Court ruling that gay marriage would be recognized under the US Constitution, making all marriages legal across America.

Is cloud ever secure enough?

The simplest way to define cloud is to describe it as a shared service. Instead of individuals and businesses setting up their own software/platforms or infrastructure to manage their data, they can outsource this to a cloud provider. Cloud is seen as a cost effective and environmentally friendly solution. There are now many providers offering different cloud solutions including SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). But is cloud secure enough?

This is a big question to tackle and there is no right or wrong answer that can be applied en masse. Instead, deciding on whether adopting cloud will fulfil your business/individual requirements will need to be assessed on a case-by-case basis. To make this assessment, here are some of the key questions that may be considered.

1. How good is my local storage?

How good are you currently at protecting the availability, confidentiality, integrity and authenticity of your data?
If your data is stored on a hard-drive on a networked computer then chances are, you may not be applying best practice. However, if your data is stored encrypted and backed up on two or more file-servers, with good physical/logical access control and logging, then there may not be much to improve on. These are two extremes and most likely, you will be sitting somewhere in between.

2. How much am I willing to invest?
To avoid spending too much on protecting data that is not really critical or too little where data needs to be secured, you should assess the availability, confidentiality, authentication and integrity of your data against current local storage protections to see how it stacks up. This should help you identify whether you have been investing adequately in protecting your data or if it needs to be adjusted. Then, you will be able to determine whether going to a cloud provider will be a cost effective and secure solution for you.

3. How important is availability?
Despite whatever assurances cloud providers give about providing a highly-available solution, end-users will still need an active internet connection to access the data, which is not always guaranteed. This also makes it harder and more time consuming to detect connection problems should they arise. Additionally, there is also the added problem of network latency which can result in additional delay/drop-outs when connecting to the cloud provider. This will only get worse over the next few years with ever more connections choking up bandwidth and causing congestion/more drop-outs.

4. How important is confidentiality and trust?
Cloud offers new challenges for data confidentiality as the data needs to travel over the internet, is stored remotely and is administered by somebody else. Even with cloud providers providing assurances that they apply best practices to secure your data at rest and in transit, there is still the danger that, even given best intentions, their security controls may not be up to the mark, e.g. Adobe’s security breach leading to stolen logins and IDs. Additionally, transport layer encryption may not always be that secure. I have described in previous blog posts the security defects affecting SSL and weak TLS encryption.
The best way to guarantee confidentiality is to encrypt the data before sending it to the cloud and to keep the keys yourself!

What do you think of these questions and should there be more? Please add to the discussion below.

How hackable are you really?

As long as we are online, we are vulnerable to malware, viruses etc. that can steal sensitive information, hijack web sessions/webcams or spy on our keystrokes. This is especially true in cases where individuals are specifically targeted by those who have the persistence, time and skills to profile and craft an attack.

There are some things you can do now to minimize your risk and reduce the impact, should you get hacked. This is by no means a comprehensive list but a good start. Please share any additional tips in the comment section below. This information is applicable for home personal use.

1. Backup personal/sensitive files frequently. Encrypt, store & backup personal/sensitive information in a detachable hardware device (e.g. USB/hard disk). Any sensitive information should at least be encrypted and stored separately from a network-attached device. VeraCrypt and CipherShed are two free open-source encryption software solutions that are readily available for download. Just make sure you store your private keys in a safe location.

2. Optimize your firewall. You can use a free utility like ShieldsUP! to check if you have any open ports that can be exploited. The utility also provides a detailed explanation of the results you see and some advice about how to proceed. While enabling a firewall is certainly better than having none, default firewall configurations are often not restrictive enough (e.g. allowing connections to never-used applications installed during setup). Although you can configure your firewall to disable most outbound traffic, this requires some knowledge of firewall rules to set up without stuffing up your internet connection. This is why it is important to…

3. Invest in a good Anti-Virus solution and keep your OS patched. Don’t skimp on anti-virus. The paid ones are often better at keeping up-to-date with the newest virus signatures. It is also important to ensure that you keep up-to-date with OS updates too. With Microsoft, you can also turn on automatic updates so you get the latest patches. If your OS is too old to be patched (e.g. Windows XP) – time to upgrade!

4. Switch to using Chrome. Chrome is considered the safest browser while Microsoft Internet Explorer has been plagued by malware and security defects. Another great thing about Chrome is that you can download an extension to use HTTPS Everywhere to encrypt non-encrypted HTTP traffic for added security.

5. Go Green. Before submitting login/password details or inputting any sensitive information online (e.g. credit card information), make sure you are connecting via an encrypted https session. Furthermore, you can also check the organization that owns the certificate. In Chrome, you can do this by clicking the green lock on the address bar and viewing the Security Certificate.

More tips: http://www.techrepublic.com/blog/10-things/10-ways-to-avoid-viruses-and-spyware/

Breaking https:// with POODLE. How does it work?

This is an introduction to some basic concepts around how POODLE (Padding Oracle On Downgraded Legacy Encryption) works. There are plenty of other blogs/videos that go into greater detail about how it works but the basics can help to provide a framework to navigate through the detail.

Basically, POODLE showed that it is possible to decrypt some parts of encrypted SSL sessions via a man-in-the-middle. A victim can be vulnerable when using public Wi-Fi or if they have some nasty malware on their computers.

1. Basics of Cipher Block Chaining 

During the SSL handshake, symmetric keys are exchanged to encrypt sessions. Sessions encrypted via the Cipher Block Chaining (CBC) method are susceptible to what is known as a padding oracle attack. CBC is a method of symmetric block cipher cryptography. In CBC, a message is broken into 3 blocks of equal size (e.g. 8 bit blocks). Each plaintext block is encrypted sequentially until you end up with 3 blocks of ciphertext. Before each block is encrypted, it is XOR’ed with the previous ciphertext block (the first block is XOR’ed with a block of random bytes known as the IV). To decrypt, this operation is reversed, e.g. the encrypted block is XOR’ed with the previous ciphertext block and then decrypted. This operation results in a very random block of ciphertext being produced every time. It is almost impossible to break, however…

2. Padding in CBC

Most messages are not perfect block sizes of x bytes. Actually, messages may be of varying length. As block ciphers require the blocks to be of exact x bytes, extra padding (a string of random bytes) is added to fill up any unused bytes. The length of the padding is also stored as the last byte of the encrypted block. 

3. How padding checks can weaken security

Once the message is decrypted, servers perform two checks. The first is to validate the padding length. If the padding length doesn’t match the actual padding, this will result in an error. The second check is a MAC on the encrypted block. This check verifies that the encrypted block hasn’t been altered during transmission.

This poses a problem. As the padding is checked before the MAC checks, a man-in-the-middle can intercept the message and try to guess what the padding length is. In only 255 guesses, he/she will be able to decrypt the last byte. 

4. Chosen ciphertext attack

If you recall, encrypted blocks are XOR’ed with the previous ciphertext block before it is decrypted. Therefore, you can substitute the last byte of the previous ciphertext block as many times as needed until the padding length is valid. Once that happens, you know you successfully guessed the padding length and cracked the last byte. You can also continue to decrypt more bytes using similar methods. 

5. What next? 

To stop padding oracle attacks, the server can provide more validation around the padding and also ensure that error messages don’t specify whether a failed session is caused by bad padding or a bad MAC. Unfortunately, SSLv3 implementations don’t do this, which is why users should disable SSLv3. Whilst TLS does, on certain TLS implementations (e.g. TLSv1.0-TLSv1.1) a padding oracle may still be possible if there is a significant time difference between sessions failing due to bad padding vs a bad MAC. This can occur in certain server setups (e.g. when load balancing is used).
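
The two checks from section 3 and the fix from section 5, as an added example that is not part of the original post. It assumes a toy 8-byte Feistel cipher in place of the real SSL cipher, a truncated HMAC as the MAC, and hypothetical function names; a receiver that reports padding and MAC failures separately is compared with one that always runs both checks and reports a single error.

```python
import collections
import hashlib
import hmac
import os

BLOCK = 8     # toy block size in bytes
TAG_LEN = 8   # truncated HMAC-SHA256 tag


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def enc_block(key, block):
    # Toy 4-round Feistel permutation standing in for the real block cipher.
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def dec_block(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right


def _tag(mac_key, msg):
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def seal(enc_key, mac_key, msg):
    """MAC, then pad (random filler plus a length byte), then CBC-encrypt."""
    body = msg + _tag(mac_key, msg)
    pad = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad) + bytes([pad])
    out = [os.urandom(BLOCK)]                       # IV
    for i in range(0, len(body), BLOCK):
        out.append(enc_block(enc_key, xor(body[i:i + BLOCK], out[-1])))
    return b"".join(out)


def open_record(enc_key, mac_key, record, uniform_errors):
    """Decrypt and check one record; return "ok" or an error name."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    # CBC decryption: decrypt each block, then XOR with the previous ciphertext block.
    plain = b"".join(xor(dec_block(enc_key, c), p) for p, c in zip(blocks, blocks[1:]))
    pad = plain[-1]
    pad_ok = pad < BLOCK and pad + 1 + TAG_LEN <= len(plain)
    if not pad_ok and not uniform_errors:
        return "bad_padding"                 # check 1 exits early with its own error
    strip = pad + 1 if pad_ok else 1         # hardened path still runs the MAC check
    body = plain[:len(plain) - strip]
    mac_ok = hmac.compare_digest(body[-TAG_LEN:], _tag(mac_key, body[:-TAG_LEN]))
    if pad_ok and mac_ok:
        return "ok"
    return "bad_record" if uniform_errors else "bad_mac"


def probe(enc_key, mac_key, record, uniform_errors):
    """Alter the last byte of the second-to-last ciphertext block with every
    non-zero XOR mask and tally what the receiver answers."""
    pos = len(record) - BLOCK - 1
    tally = collections.Counter()
    for mask in range(1, 256):
        forged = bytearray(record)
        forged[pos] ^= mask
        tally[open_record(enc_key, mac_key, bytes(forged), uniform_errors)] += 1
    return dict(tally)


if __name__ == "__main__":
    ek, mk = os.urandom(16), os.urandom(16)          # constructed keys
    rec = seal(ek, mk, b"Cookie: session=constructed-sample")
    print("distinct errors:", probe(ek, mk, rec, uniform_errors=False))
    print("uniform errors: ", probe(ek, mk, rec, uniform_errors=True))
```

With distinct errors, 7 of the 255 altered records come back as `bad_mac` instead of `bad_padding`, which tells an observer when the decrypted length byte fell in the valid range; the uniform receiver answers `bad_record` for all 255.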

Want more information?

https://blog.skullsecurity.org/2013/padding-oracle-attacks-in-depth

http://www.limited-entropy.com/padding-oracle-attacks/

3 PR disasters caused by innocent mistakes

What the Hillary Clinton email scandal proves is that you don’t even need a proven data leak to brew a public relations storm. The media will punish you nevertheless. It was recently discovered that Hillary Clinton ran a private email server from home for all emails, including work-related ones. This makes it easy for eavesdroppers to obtain state secrets (which they can do without her knowing). Given that she is Secretary of State and in regular contact with the President, this is bad news for US national security. How bad? The backlash is severe and may affect her chances of securing the Presidency at the next election. She is not alone though. History is littered with many examples of how disastrous even a potential data leak may be.

1. Bank of America

In 2005, the Bank of America lost unencrypted backup tapes containing the banking and credit card details of 1.2 million federal employees (including senators). This was embarrassing. Technology executives were forced to issue public statements about the loss and regulators made fresh inquiries into whether new regulations were needed. 

2. NARA

In 2009, the National Archives and Records Administration lost two unencrypted hard drives. One contained the names and social security numbers of 76 million US military veterans. The other contained the private information and social security numbers of 250,000 White House employees (including the daughter of Al Gore). They were thrashed by the media and had to compensate the victims. A $50,000 bounty was also offered for the missing hard drives. Not sure if that offer still stands.

3. Emory Healthcare

In 2012, Emory Healthcare misplaced 10 unencrypted backup discs containing 315,000 patient file records and social security numbers. These were misplaced or stolen after being placed in an unlocked cabinet. They were never found. The CEO of the company had to publicly apologise for the data breach.

This may seem extreme but this is more commonplace than you would think, even in companies with solid IT Security controls. Voltage Security found that 85% of employees bypass security controls to get access to more data and 46% of companies have breached security controls to avoid the possibility of a sales loss. The worst offenders are senior managers. Stroz Friedberg found that senior executives are the guiltiest culprits when it comes to sending work emails to their personal email and taking intellectual property with them when they leave the job.

To defend against this, classify information, encrypt your data and increase security awareness across all levels. 

5 Lessons from the SHA-1 deprecation

When Microsoft announced that they will no longer accept SHA1 certificates from 1 January 2017, and Google said that they will start showing warnings as early as 2015, a cold sweat ran down the backs of IT operators across the world. This was a ticking time bomb, one that would require many wires to be carefully cut before services dropped dead come 2017. For those working in environments which may be infested with hundreds of these SHA1 instances (possibly hidden in legacy servers, clients and applications), this was going to be one messy clean-up exercise.

Even as you are busily working through all your SHA-1 dramas, know that you are not alone! We can get through this together. In fact, the greatest thing is that there is tons of support out there. So let us grab a drink (non-alcoholic if you are on-call) and recap what we have learnt over the past couple of months.

  1. Cuz Microsoft hurts too…

The fact that the active deprecation of SHA1 is Microsoft-led and that even the Certification Authorities were ill-prepared for this change brought a lot of questions to mind. Was this a joke just to show us how powerful they are? Will Microsoft take it back in time? Unfortunately, this isn’t a joke and Microsoft are deadly serious.

What may have contributed to this is the Flame virus, discovered by Russian antivirus firm Kaspersky in 2012. Attackers performed a hash-collision on a weak MD5 certificate to create a fake certificate. In doing so, they were able to impersonate Microsoft and distribute malware through their Update Service. This was used for spying and espionage on infected targeted systems in Iran, Lebanon, Syria, Sudan and the Israeli Occupied Territories for an unknown period (2-5 years potentially). Although this was a rare and highly sophisticated attack requiring massive amounts of computing power and one that is difficult for the standard attacker to replicate, it is fair to say that this is probably something Microsoft doesn’t want a repeat of.

  2. Microsoft and Google ARE almighty.

When Google announced that they were going to begin showing warnings as early as 2015, from the “Secure, but with minor errors” to the flat-out “Insecure” warnings, many of us wanted to boycott Google Chrome and tell our users to use another browser. However, after additional thought (30 seconds), this was replaced by a sigh of resignation. After all, Google Chrome does own a huge slice of the pie when it comes to market share. In Australia, they own the majority of market share and they ARE trying to do the right thing.

Their view is that, as long as SHA-1 continues to be supported, there will be little work to deprecate SHA1. Even though the CA/Browser Forum’s Baseline Requirements recommended an upgrade to SHA-2 in 2011, CAs were reluctant to stop issuing SHA-1 certificates due to market pressure. The transition from MD5 to SHA-1 took ages and caused many headaches for Google when they finally removed support for the algorithm. Therefore, the only way to give this the push it requires is a browser-led initiative.

  3. When it rains, it storms

As if SHA-1 deprecation wasn’t enough for IT operators to deal with, some versions of OpenSSL were bleeding with Heartbleed while POODLE killed SSLv3. Then after some reprieve, FREAK came along to remind us that the rain never really stops. It was like being in the middle of a heart transplant, when fluid starts leaking into the lungs and then the liver fails. I will explore some of these attacks in more detail in my next post.

  4. Migrating to SHA-2 is painful

In complex environments, it may be difficult to discover all the SHA1 certificates out there, especially if there are certificates issued by multiple External and Internal Certification Authorities. It can also take a long time to identify the support teams and businesses that own the domains. There are some certificate discovery tools that can be purchased from your CA (e.g. Symantec and Digicert both issue them). These scan the network for any SSL certificates (issued by any CA). A good discovery tool should be fast to implement and easy to set up (they may also be able to detect misconfigured certificates or other vulnerabilities, e.g. BEAST).

While most modern and commonly used clients, devices and servers support SHA-2, there are legacy clients, devices, applications and servers that do not support SHA-2 and may require additional patching before the migration can occur. For example, Windows Server 2003 will require further patching. Windows XP running on anything less than Service Pack 3 will require an upgrade (even though XP should no longer be used). Some applications running on supported systems may not be able to validate SHA2 certificates (e.g. Outlook 2003). The true impact will not be known until you begin testing.
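
The discovery step described above, sketched as an added example; it is not code from the original post or from any CA's tool. It reads the signature algorithm straight out of each PEM certificate's DER structure and flags MD5 and SHA-1 signatures for reissue. The host names and certificates are constructed DER skeletons, not real certificates, and the function names are hypothetical.

```python
import ssl

# signatureAlgorithm OID -> (name, signed with a deprecated hash?)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(data, offset):
    """Return (tag, content_start, content_end) of the DER element at offset."""
    tag, length, start = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[start:start + n], "big")
        start += n
    if start + length > len(data):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def decode_oid(content):
    first = min(content[0] // 40, 2)
    arcs, value = [first, content[0] - 40 * first], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_oid(pem):
    """OID of the outer signatureAlgorithm field of one PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    tag, start, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected certificate layout")
    return decode_oid(der[oid_start:oid_end])

def audit(pem_by_name):
    """Return [(name, algorithm, needs_reissue)] sorted by name; an unknown OID
    is reported by number with needs_reissue=None for manual review."""
    report = []
    for name in sorted(pem_by_name):
        oid = signature_oid(pem_by_name[name])
        alg, weak = SIG_ALGS.get(oid, (oid, None))
        report.append((name, alg, weak))
    return report

# --- constructed sample input: DER skeletons, not real certificates ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def skeleton_pem(sig_oid):
    tbs = tlv(0x30, tlv(0x04, bytes(200)))           # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    sig = tlv(0x03, b"\x00" + bytes(16))             # placeholder signature bits
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tbs + alg + sig))

SAMPLE = {
    "intranet.example": skeleton_pem("1.2.840.113549.1.1.5"),
    "legacy-vpn.example": skeleton_pem("1.2.840.113549.1.1.4"),
    "www.example": skeleton_pem("1.2.840.113549.1.1.11"),
}

if __name__ == "__main__":
    for name, alg, weak in audit(SAMPLE):
        print(f"{name:20} {alg:26} {'REISSUE' if weak else 'ok'}")
```

In a real inventory the dictionary would be filled with PEM text from certificate files or from `ssl.get_server_certificate((host, port))`.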

  5. Getting support and prioritization from the business is hard

Let’s be honest here, nobody really cares about the insecurities of SHA-1, not really. Especially since the attacks are still practically infeasible and will take huge amounts of computing power to achieve. The CA browser community didn’t care enough to do anything about it until Microsoft and Google posed their challenge, so why would businesses care? In a large organization, where change is slow and budgets are spliced, coordinating an effort as big as this one, in a short timeline, is, suffice to say, difficult. Success will require IT Support, customer support, business application owners, managers and security to collaborate effectively. To get all these teams on board and motivated to take action, there needs to be strong buy-in. It is all in or nothing. Therefore, Microsoft setting a review of this sometime in July this year, to “assess” whether to go ahead or not, sets us in limbo and makes it hard to gather appropriate prioritization and support. There can be no “yes this may happen but maybe it won’t” scenarios to play out. Teams are busy enough. What helps is to have a clear deadline. What doesn’t help is any ambiguity. Meanwhile, time is ticking…