Impossible Dream

Moderately private, moderately secure, browsing

Thu, 29 Mar 2012 08:00:05 +0100

It’s a common assertion that you have no privacy on the web.

You have zero privacy anyway. Get over it

- Scott McNealy, then Sun CEO

Most people don’t care. After all, their supermarket loyalty card lets the store track and store all their purchases.

In the other corner, we have the tin-foil hat world where the Illuminati/Goldman Sachs/Lizards are following your every move.

The middle of an argument isn’t always right (evolution is 100% real, creationism is 100% wrong) but here it has relevance. We are tracked: ad cookies, flash cookies and targetted advertising driven by databases of behaviour do exist and contain a lot of information.

Coming at it from another direction, ad networks are a common source of malware and flash is, to be kind, not the most secure part of the browser tool chain.

So, what do we do? Well, let’s start by looking at what it takes to be really private or really secure

Really private browsing

How do you do really private browsing? Easy. Always use Tor and browse EVERYTHING in ‘Private Browsing’/’Incognito’ mode.

Great. Until you get a trojan from downloading a “codec to view this content”. Then all your privacy is subverted at source. Which is why governments like this approach

Doing this is also slow. Slow enough that for most people, the trade off is too high. Even for those for whom the privacy matters, it’s fragile. One mistake exposes your misdeads

A moderately practical solution is to leave out Tor, but still use Private Browsing mode for everything. This leaves logs at the ISP, but none on the local device. However, both Firefox and Chrome share cookies within a private browsing session, so website A and website B will still see the tracking cookie from ad broker C. This means that avoiding tracking means always starting new sessions in addition to doing much of the things I discuss below. For my use, the extra privacy is far outweighed by the impracticality.

This method also doesn’t improve security much. Flash is still enabled, ditto javascript so the attack surface is not reduced.

So, to get really, really private browsing, we’ve going to have to combine this with really secure browsing

Really Secure Browsing

This is possible, but it’s not going to catch on.

For a good idea of what is needed, and the software needed to make it happen, see the Invisble Things/Qubes blog

The basic idea is that we run a large number of virtual machines, and are very, very carefully about how data flows between them. Then if one VM gets compromised, no other data is lost. By limiting ‘dangerous’ browsing to an untrusted VM we get security, and byusing Tor in every VM where we need privacy, we get privacy as well

All in all, it’s not going to catch on for the same reasons we’re not all running Trusted Solaris. It’s too much of a pain for most users. If I was working on Top Secret Nuclear Explosions then this would be the way to go. But I don’t

The Middle Way

So here’s what I actually do. I start from these asumptions:

I’m not trying to hide anything illegal, or worried about hiding from our ISP’s logs
I wish to avoid advertising cookies and targeted advertising as much as possible
For security, I want to control flash
I want security against random ‘drive-by’ attacks, but am not trying to defend against a sophisticated, well resourced attacker such as a nation state security service.

So what do

Choose your browser and base OS carefully. I currently use Linux on Chrome
Don’t run flash at all
Use extensions to control tracking cookies, advertising etc.

Most of the security comes from point 1 and 2. Most ‘drive-by’ malware is targeted where it’ll make money. That means Windows, with some recent excursions into OS X. By running Linux I gain a good deal of security for free. I also use OS X for dealing with my digital photos, but by avoiding doing general web browsing within OS X, there’s no extra risk.

For the browser, Chrome is my choice but Firefox would work just as well. Both of the other major browsers (IE9 and Safari) have reasonable basic security (we’ll pass lightly over IE < 9), but don’t meet my needs as they have no eco-system of extensions around them.

Now, to get control over where our data goes, we need a set of browser add-ons.

First up, the indispensable Adblock (Chrome, Firefox). When used with one of the auto-updating block lists, this will stop most ads from ever being shown. Even better, since the ads are never loaded, a malware infected ad broker can no longer attack us.

Next up, Ghostery (Chrome, Firefox) . Cookies aren’t the only way of tracking. One pixel images, beacons and more are used to track visitors across sites. Ghostery, set to auto-update it’s block list, works in a similar way to adblock and blocks all of these.

Now we get into belt-and-braces territory: Many ad networks allow users to opt out of tracking by setting a cookie. The problem with this is that any time cookies are cleared, the opt-out has to be set manually, and there’s a lot of ad brokers to go and do this for. Keep My Opt Outs (Chrome, Firefox) ensures that these cookies remain set at all times.

I mentioned that I don’t run Flash. This isn’t always practical. If you need it, a good solution is to use FlashBlock (Chrome,Firefox) to create a white list of sites which are allowed to run flash, blocking it everywhere else

Finally, something I don’t do, but can be worth it for some people. NoScript (Chrome, Firefox) works like FlashBlock but for Javascript. Using FlashBlock and NoScript along with the extension above gives a major increase in security, but, for me, the pain is to much. Nearly every website needs Javascript so the blocking becomes a pain very fast.

So is it worth it?

Like many things, it depends. For me, it’s worth it just to get a nicer web browsing experience with a reasonable increase in security. The lack of tracking is just a bonus.

Doing Passwords Right

Thu, 01 Sep 2011 15:07:00 +0100

A student once told me, in all seriousness, that his password of “password” was secure because:

It’s a double bluff. No-one would believe I’m stupid enough to use that as a password

Yeah, right.

The trouble is that passwords are hard. One password is easy, two ok but most of us need tens, if not hundreds, of passwords for all our different services. Work password, personal email, facebook, Google, ebay, three banks, that random quiz site, phishme.com….

Then each of these sites will have a different password complexity/strength checker, work insists your password is changed every 30 days and on it goes.

In attempting to deal with this, most people work their way down this sequence:

I’ve thought of a good password. It’s “fred”.
Oh dear. It’s rejected as too short. Let’s try “fredfred”
Now it needs numbers. Try “fr3dfr3d”.
Accepted

And we’re all good to go until….

The next site comes along. Now we have to have a special character as well. So let’s use ‘fr3dfr3d!’.
Now sign up to internet banking. Best use a different password. Ok. ‘G30rge!’. Done
Now what about the credit card? ebills? Oh dear.

The only way to deal with this and keep everything in a human brain is to have two or three basic passwords (say one for banking, one for login and one for other websites) and reuse them everywhere, with random variations to deal with different sites password policies. This way madness lies. The small variations cause endless problems and the sharing of password across sites means that one compromised site is a disaster.

The solution: write your passwords down. As prohibited in every security policy ever.

Use the paper, Luke

By ‘write it down’ I don’t suggest you physically write it down in any way, but rather than you stop trying to remember passwords and use a password manager to store them.

Password mangement (or “Password Safe”) software encrypts away all your passwords with one master password so that you now only have one password to remember, but your passwords are still safe from prying eyes. Unlike the ‘post-it-note under the keyboard’ approach.

Once you stop trying to remember passwords, all sorts of good things happen:

You can (and should) have a unique password for every single site or application. Even the silly ‘joke’ websites. Everything
You can stop trying to think up passwords. Just let the password manager generate a random one for you. It’ll be impossible to remember (e.g. mine has just generated ‘eRxz%b3gtV’ for me) but it doesn’t matter. You never need to remember it

And that’s it. Now you can have complex, unique passwords everywhere and also have less stuff cluttering up your brain and making you stupid. What’s not to like? Just do it.

The Details

That’s the basic principle, but like everything, the details matter.

You’ll still have to remember your login password and a master password for your password safe. That’s only two passwords. Not so bad
You may also want to remember your internet banking passwords.
Remember that the strength of this whole system depends on the strength of the master password you set for your password safe. Since you don’t have to type it very often I suggest just going for a very long phrase (30-50 characters).
Don’t use any random piece of software. Writing secure cryptographic products is hard and you want to be very sure that if you are putting all your passwords in one place that you haven’t just made it easy for them to be all stolen at once.

Finally, most of us use many different computers over the course of a day so need these passwords everywhere. There’s two basic approaches:

Let the software itself store the data in the cloud, or,
Store the encrypted file on a sync service like Dropbox

Either works. You’ll also want to have a copy of the program and your passwords on your phone for those times when you want to login into a site on a different computer/internet cafe etc.

All of the recommended products below can be integrated into your web browser as well to allow for seemless logins to everything web based (which is going to be 95% of everything for most of us).

Sophos

Sun, 07 Aug 2011 19:32:00 +0100

I’ve finally read the details in Travis Ormandy’s Sophail report. Oh dear.

Sophos’ response is a classic.

Tavis has questioned the performance of Sophos buffer overflow protection and made other statements questioning the quality of Sophos protection. Naturally Sophos is committed to continually improving performance and protection and regularly participates in independent third party tests. In fact, we consistently rank well in these tests.

Or, to translate:

We’re not going to comment on the details as they are too embarrassing and we don’t even come top compared to other a/v products

I highly recommend the full report. It’s a little less dry than the average security paper. e.g.

This guarantees that any attacker will simply give up writing their ret2libc payload, as they will be unable to concentrate due to uncontrollable laughter

Other gems include the packer protection being so out of date that it was hard to find an old enough version of the packer to test it and the pre-execution analysis that hard codes constants so it only really works on Windows Server 2003 SP1.

So what’s a defender to do? We knew already a targeted attack was likely to succeed. Sophos just makes it easier by allowing direct exploitation of the out-of-date embedded JavaScript engine.

Are other a/v engines better than Sophos? If so, which? And how could the average (enterprise) purchaser do a serious evaluation?

"Wicked Problems"

Tue, 02 Aug 2011 18:00:02 +0100

Over on Charlie Stross’ blog guest author Karl Schroeder introduces the concept of “wicked problems”. I recommend spending the time to read the whole article and the links in its first paragraph.

It’s not a concept I’d come across before:

But often, in the human sphere, there are what’re called “wicked” problems. In 1973, Horst Rittel and Melvin Webber defined a wicked problem this way:
There is no definitive formulation of a wicked problem (defining wicked problems is itself a wicked problem).

Wicked problems have no stopping rule.

Solutions to wicked problems are not true-or-false, but better or worse.

There is no immediate and no ultimate test of a solution to a wicked problem.

Every solution to a wicked problem is a “one-shot operation”; because there is no opportunity to learn by trial and error, every attempt counts significantly.

Wicked problems do not have an enumerable (or an exhaustively describable) set of potential solutions, nor is there a well-described set of permissible operations that may be incorporated into the plan.

Every wicked problem is essentially unique.

Every wicked problem can be considered to be a symptom of another problem.

The existence of a discrepancy representing a wicked problem can be explained in numerous ways. The choice of explanation determines the nature of the problem’s resolution.

The social planner who tackles a wicked problem has no right to be wrong (planners are liable for the consequences of the actions they generate).

The examples given are the obvious ones: fiscal policy, climate change etc, but it’s also a useful insight to bring to security problems. We can divide security issues into two groups (if not cleanly, then in a way that gains insight):

Non-wicked problems: does this patch crash my server? Does this exploit work? What’s the patch level of my server estate?
Wicked problems: how should we trade off privacy online for physical security?

Between these two, these a set of semi-wicked problems where much of the day-to-day difficulties in security policy come from e.g.

if we lock down all our client machines really hard, is that worth the trade off in innovation?

Problems in this class might not fit all the requirements above but will fit many of them E.g. 3, 9 and 10 seem very relevant here: often the person writing the security policy has no motivation other than to be as restrictive as possible, while the person doing the work wants to do the least possible.

A good counter when confronted with the more technological end of things.

Installing Big Apps on Galaxy S Froyo

Mon, 04 Jul 2011 21:56:06 +0100

Just in case anyone else gets this issue. The Samsung Galaxy S with Froyo can’t download apps bigger than 30Mb from the Market as /cache is only 30Mb.

Here’s the fix: get z4root, root phone, then use z4mod to change type of /data from rfs to ext2 (aka Lag Fix). You’ll want to do these anyway if you haven’t already lag fixed the phone.

Then in a terminal window:

mkdir /data/cache
umount /cache
mount -o rw,remount /
rmdir /cache
ln -s /cache /data/cache

Now install away from the Market.

To Undo

rm /cache
mkdir /cache
chmod 770 /cache

and reboot.

Important This fix will not persist across reboots and you will want revert this before rebooting. Once the app is installed it’ll run fine with /cache set back to normal

So, this here wedding thingy

Tue, 03 May 2011 15:58:56 +0100

There was a wedding last week and it seems that lots and lots and lots of our users wanted to watch it…..

The graph below shows streaming video traffic for the last week. The time scale is a little confusing, but the low point of the traffic corresponds to the small hours of the morning.

Remember, this is on a 1Gb link. Since there is other traffic on the link, it’s fair to say that we’d have generated even more streaming traffic with a bigger link.

Links for 2011-03-21

Tue, 22 Mar 2011 03:23:03 +0000

iostat on Linux

Debian/Ubuntu two factor auth with Google

Tue, 22 Feb 2011 13:57:44 +0000

Following the excellent guide from MNX Solution I’ve got two-factor auth working on my desktop.

There’s a couple of things I thought worth noting that aren’t mentioned there.

1) You’ll need the pam headers installed and they aren’t by default.

$ sudo apt-get install libpam0g-dev

Then follow the instructions as given.

2) When you edit /etc/ssh/sshd_config you’ll need to set

RSAAuthentication no
PubkeyAuthentication no

to disable pub-key auth (at least for testing), since that will be tried before ChallengeResponse. For production use, enabling pub-key with a fallback to ChallengeResponse might be ideal.

Through a glass, darkly

Mon, 21 Feb 2011 08:30:07 +0000

There’s been plenty written on t’interwebs about the HBGary/Anonymous hack: ArsTechnica have the best write up on how it was done plus, using the hacked emails for details, some of the gory details on how HBGary wrote custom rootkits/backdoors for various US three-letter orgs. If you haven’t read the details of how it was done, do so. It’s both sophisticated (rainbow tables), cunning (social engineering) and aiming at low hanging fruit (a SQL injection on an externally facing website).

So what does this have do with with organisations in more mainstream fields? Well, after the UEA hack I was asked “Could this happen here?”. I’m sure the questioner was hoping for a reassuring “Of course not: we have a/v, firewalls, polices, procedures, dogs AND ponies. Nope, definately not”. But of course it could.

HBGary brings that lesson into even sharper relief. This was a IT Security company, working on classified projects for the NSA. And they still got owned.

Now compare this to the situation in the average University:

Q: Do we have any sql injection vulnerabilities? A: Not that I know of.

So far, so good. Now let’s keep going

Q: Do you know which versions of applications are running for all externally facing servers? A: No

No, since in most older Universities, IT is decentralised and the centre doesn’t know exactly what the edges are doing or have any control over it except the big hammer marked “Firewall”. So…

Q: How do you know you don’t have any SQL injection vulnerabilities in all the masses of custom code out there? A: Errrrr.

There’s no easy answer. It gets even worse in Universities where departmental IT can run up externally facing services with no oversight (*). Then we get to this situation:

Q: Do we know how many webservers we have? A: Yes, Definitely. They all have to have holes in the firewall. Oh, except for those departments that have worked out mod_proxy. Oh.

Still, like HBGary, we can rely on our security cleared, Infosec expert users. Can’t we? Did anyone mention students? Oh.

So what can we do?

One option is to lock down everything: remove autonomy from Departments, lock down the desktop, ban personal equipment etc. Which all seems good (and it’s what most auditors want) but it has the minor disadvantage for a research-led University of destroying research productivity, especially in fields where software is commonly written/modified/mashed together (e.g. most sciences, maths etc.)

This leaves us with plan B. Segregate, firewall, least access. Don’t regard inside the outside as bad and the inside as good. It’s de-perimeterisation (as promoted by the Jericho group). It’s sometimes a hard sell, but it’s seems a very good match for the University environment. Which is ironic, since most of the founders of the Jericho group are banks :)

And if we’d reached this nirvana, would that make us immune to this type of attack? I know my answer.

(*) Of course, the centre never fecks up. Nope. Never.

Links for 2011-02-16

Thu, 17 Feb 2011 03:23:03 +0000

How debuggers work: Interesting series from Eli Bendersky on how debuggers work on Linux

Google User Group write-up

Wed, 16 Feb 2011 14:09:42 +0000

Yesterday I went to Google User Group 2011 meetup in Loughborough. I was just about to start copying my notes in a more coherent form from yesterday, but Chris Sexton beat me to it

Instead, here’s a dump of my notes in a pretty unstructed format. I’ve removed anything that Chris has already covered so you’ll want to read that blog as well.

General

Google CloudConnect for MS Office to be released next week. Looks very nice. Allows storage of docs in Google Docs complete with versioning etc.
Google Apps can do OCR on pdfs. I had no idea.
There was a very nice demo of the translation facilities - live real-time translation in chat and demos of Google Sites being made available in any language via translation. They stressed it was machine translation so not perfect but good enough for people to understand.
Nice ideas about using templates with Sites to give easy setups for projects etc
Google also demoed the Chrome laptop. If we went with Apps this would be ideal for use as lending devices. Cheap, no local data, usable by anyone with a Google account. They are aiming for 99.99% uptime next year (including all downtime - any duration, planned + unplanned). No price or release date given.

The OU

The OU are moving students to Google, but are still working through contractual issues with Google. In contrast, Sheffield ‘just signed it’ and didn’t get any legal look over at all. The OU reported a very low load on their help desk (~120 calls from first 10,000 users moved) almost all about privacy etc not the user experience. 270,000 students in total.
Thinking about using Apps to store eportfolios via mashups. They mentioned that they found the google groups API not rich enough for their needs. No details were given, but they are working with Google to resolve this. Be good to have a chat with them about exactly what they had issues with.
Looking at a Google Marketplace app called ( Aprigo Cloudlock ) to allow students to share files with examiners etc in a controlled way. Mentioned it might be a bit too pricy from them however.
They are also looking at igoogle as a student homepage (the ‘P’ word wasn’t mentioned).

Misc

bboogle looks interesting. It’s a open source Blackboard building block for Google integration http://projects.oscelot.org/gf/project/bboogle/

Links for 2011-01-13

Thu, 13 Jan 2011 23:23:07 +0000

Graph viz in the browser

Links for 2010-09-29

Wed, 29 Sep 2010 23:23:03 +0100

Forgot administrator password? The Sticky Keys trick - 4sysops

Links for 2010-09-22

Wed, 22 Sep 2010 23:23:06 +0100

SCADA worm a ‘nation state search-and-destroy weapon’ The Register: Now this is interesting. Possibly the first use of a worm in this way? I’m sure there’s been other direct hacking done, but not worms. At least, not that have been noticed :)

Links for 2010-09-21

Tue, 21 Sep 2010 23:23:04 +0100

Twitter Mouseover Security Flaw Affecting Thousands of Users [WARNING]: Mouse over attacks are cool

Links for 2010-09-17

Fri, 17 Sep 2010 23:23:05 +0100

Akamai: Why our IPv6 upgrade is harder than Google’s: Some very interesting quotes in there. “Address exhaustation is real”

Protecting Yourself from Facebook Places

Fri, 17 Sep 2010 20:19:23 +0100

Protecting Yourself from Facebook Places:

I’m shocked, shocked I tell you, by how hard Facebook make it to find all the options. Ok, no I’m not. It’s just par for the course, but I was surprised to find that I’d missed the option that lets friend’s applications read your location. Graham Cluley has an excellent step-by-step guide to getting it right.

Links for 2010-09-16

Thu, 16 Sep 2010 23:23:06 +0100

How Can the Large Hadron Collider Withstand One Petabyte of Data aSecond?: Interesting article from High Scalability on the data management issues of the LHC
Understanding the HDCP Master Key Leak | Freedom to Tinker: Ed Felten with a clear write-up of the implications of the HDCP key leak

Links for 2010-09-14

Tue, 14 Sep 2010 23:23:06 +0100

Claimed HDCP master key leak could be fatal to DRM scheme: Now this is interesting. Is it the real master key? If it is, that’s a really bad leak

Disk encryption attacks explained

Tue, 14 Sep 2010 08:30:00 +0100

Following on from my last rant about the TechMesh event I went to recently, I’m finally getting round to writing up an explanation of the BitLocker decryption attack demoed there as “scary software from Russia that can decrypt your drive and an attack which Microsoft needs to fix RIGHT NOW” (I paraphrase).

The demo is a good one, and really impressive to see in action. Given physical access to a machine with an encrypted disk, powered on but with the screen locked, the software retrieves the encryption key and provides a decrypted copy of the disk.

To explain how this works let’s go back an few stages and look at how disk encryption itself works at the highest of high level views.

After a machine boots, the OS uses the decryption key to decrypt the hard drive on the fly and present it to applications as an un-encrypted disk. The important point to remember here is that the OS must have a copy of the decryption key in memory once it’s booted so that it can decrypt the disk (or sectors thereof) as required.

There is no way round this. The only alternative would be for the OS to request the passphrase every time it needed to read the disk. This might impact somewhat negatively on performance :) The problem with this is that if the key is in memory, it can be read by an attacker as well.

So, we need a thinking hat:

to come up with some attacks.

I place a virus on your machine somehow (“Click here to see to install the codec to see this video”) and run it as an administrator (either because the user already is an administrator or via a privilege escalation attack). Now I can read the encryption key from memory……except that I don’t need to. Since the OS presents the drive as unencrypted to applications, my virus can just read your data without worrying about disk encryption at all.
I have physical access to the device, but it’s powered off. We’ll come to this later.
I have physical access to the device and it’s powered on. It doesn’t matter if it’s screen locked or not.

Attack 1 is something often forgotten - if I can run code on your machine while you are using it, it doesn’t matter if the disk is encrypted. You need it decrypted to use and if you can read it so can my code.

Attack 3 is the subject of this post and the TechMesh talk. The demo’d attack uses a firewire connection to a locked machine. Why Firewire? Because the Firewire spec requires Direct Memory Access (DMA) for performance. Even better, it doesn’t matter if the laptop targeted doesn’t have a firewire port since PCMCIA or ExpressCard slots can be used to add a Firewire adaptor and the Windows will helpfully load the relevant drivers even if the screen is locked.

The original explanation of the attack, “0wned by an ipod” was presented at PacSec in 2004. The observation is a simple one - DMA means the Firewire attached device can read or write any area of memory, and because it’s required in the spec, all firewire implementations must allow this. The original attack re-wrote the Windows screen lock code to accept any password. The variant used here just reads out the Bitlocker key directly from memory, while also taking a copy of the disk itself via Firewire. Combine the two and you get a copy of the disk that the attacker can read, all with no need to login to the target machine.

As I said at the start, it makes for an impressive demo.

The sotware used in this demo looked remarkably similar to Passware’s product. I didn’t get a good enough look to see if it was just a hacked copy resold or a genuine re-implementation of the attack. Russian software developers are capable of either. Eitherway, the take-away here is that this isn’t a flaw in Bitlocker. It’s inherent in how Firewire works and how disk encryption works. The same attack works against encryption on a Mac as well.

I’ll leave the final word to Microsoft (via PCMag.com):

The claims being made by Passware that they are able “to break Microsoft BitLocker hard drive encryption” must be taken in context of the needs of data recovery and forensics tools. The Passware Kit Forensic product, like others used legitimately for digital forensics analysis, requires “a physical memory image file of the target computer and extracts all the encryption keys for a BitLocker disk.” We have always been up front in our discussions of Windows BitLocker and that it is intended to help protect data at rest (e.g. when the machine is powered off). If a forensics analyst or thief/adversary has physical access to a running system, it is possible to take advantage of the fact that the contents that are in a computer’s memory are accessible through users with administrative privilege and/or specific direct memory access hardware methods (if available.

BitLocker is an effective solution to help safe guard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like most full volume encryption products on the market, BitLocker utilizes a key in memory when the system is running in order to encrypt/decrypt data on the fly for the drives in use. We recognize users want advice with regards to BitLocker and have published best practice guidance in The Data Encryption Toolkit for Mobile PCs. In the toolkit, we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication. Using this method, a machine that is powered off or in hibernate mode would protect users from the ability to extract a physical memory image of the computer.

That’s the end of this post. It’s nearly 10.30pm and time for bed. Next time, I’ll look at attacks that work when the machine is powered off, and at the role of Trusted Computing Modules (TPM chips), and try and explain why disk encryption is still a good thing even if it’s not quite the magic bullet it’s often assumed to be.