CAT | Podcast
Two new attacks on Tor were recently announced.
The first involves using an exit node to automatically modify software patches to include malware. This one is being seen in the wild already.
The second uses Tor and some quirks in the security model of Bitcoin to allow attackers to create double spending and even create an alternative shadow hash chain visible only to the victims.
Recently a colleague was reading a blog post by a Russian based VPN provider which talked about their privacy stance. He was incredulous. “Why would anyone trust a Russian VPN company?!?!”
It is a reasonable question about many locations. Russia, China, Iran, and many other companies are justifiably known for Internet monitoring and censorship. Of course, in the post Snowden era, a lot of attention has been focused on US surveillance as well.
I think that many people have the feeling that they should trust anyone but their own governments. After all, foreign intelligence services are unlikely to do anything about any intercepts unless they see some kind of global doomsday scenario. You might worry that your local intelligence agency could pass along information to local law enforcement, but that too seems generally unlikely. Exposing such intercepts would also expose sources and methods, which are some of the most highly protected secrets out there.
To me the question is what the VPN / Privacy provider is ALLOWED to keep private. It is clear that many governments put a huge amount of pressure, or actually pass laws, on companies to keep all kinds of user activity records. Interestingly that is not the case in the United States.
Anonymizer has no requirement to keep any records about what our users do through our service, or any way to identify associate any activity with a given user. Our systems are architected so that we don’t need to refuse to provide any of that information, we are simply incapable of doing so.
The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.
GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.
If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.
The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.
The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.
A couple of months ago researcher Karsten Nohl demonstrated a security vulnerability that he called BadUSB. Basically it was a demonstration that an attacker could alter the firmware in a USB device to automatically attack anything it was plugged in to. At the recent DerbyCon, researchers Adam Caudill and Brandon Wilson demonstrated their version of the attack and released sample code for how to implement it. This really opens pandora’s box.
The problem here is that this is not actually a bug in USB. It is exactly how USB is designed to work (as insecure as that might be), and changing that behavior is likely to break a lot of other things. A good and effective fix for this vulnerability is probably years away.
In the mean time, take great care with USB devices. My suggestion is to never use another person’s USB device. Don’t use USB to transfer files, and make sure that any USB devices you do use are obtained directly in unopened packaging. There could still be exploits introduced in manufacturing, but at least you are as safe as reasonably possible.
Apple is getting taken to task for a couple of security issues.
First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to a WiFi network. This allows your phone to identify known networks and to use WiFi for enhanced location information without revealing your identity or allowing you to be tracked. Unfortunately the MAC only changes when the phone is sleeping, which is really rare with all the push notifications happening all the time. The effect is that the “random” MAC addresses are changed relatively infrequently. The feature is still good, but needs some work to be actually very useful.
Second, people are noticing their passwords showing up in Apples iOS 8 predictive keyboard. The keyboard is designed to recognize phrases you type frequently so it can propose them to you as you type, thus speeding message entry. The problem is that passwords often follow user names, and may be typed frequently. Research is suggesting that the problem is from websites that fail to mark their password fields. Apple is smart enough to ignore text in known password fields, but if it does not know that it is a password, then the learning happens. It is not clear that this is Apple’s fault, but it is still a problem for users. Auto-fill using the latest version of 1Password should protect against this.