Category Archives: Encryption

Clean out your contact lists

I recently watched Rob Braxman on the security of encrypted messaging apps like Signal and WhatsApp. In his video, Rob pointed out that many apps access our contact lists and build webs of associations. Even though the cryptography protecting message contents is generally effective, it may be possible for law enforcement and intelligence agencies to know the identity of a person’s connections.

Let’s dig deeper.

If a law enforcement agency considers you a person of interest, they may discover that you use encrypted messaging apps like Signal. While law enforcement will not be able to easily view the contents of your conversations, they will be able to see with whom you are conversing.


Also, the appearance of using an encrypted messaging app could suggest that you have something to hide.

Let’s look at this from a different perspective. Consider an active law enforcement investigation focusing on a particular person. If you are in the person’s contact list, and if that person is known to be communicating with you on an encrypted service, then you may become another person of interest in the investigation.

I watched Rob’s video twice, and then I recalled something I see in Signal often: when someone in my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I frequently do not recognize the contact’s name, and I dismiss the notification. I’ve had this occur dozens of times this year.

Then it hit me: I have been collecting contacts for decades, and they’re stored in multiple services (primarily, Yahoo and Google). In previous jobs, I’ve had associations with numerous clients, partners, vendors, co-workers, and other associates, resulting in an accumulation of thousands of contacts, most of whom I barely know.

Last week, I found it difficult to rationalize keeping all of these contacts and purged them. In Google alone, I had well over one-thousand contacts. After spending time last weekend deleting extraneous contacts, I’m down to about three hundred, and I might go back through them and remove many more.

Encrypted apps and your association with contacts are not the only risks related to maintaining a long contact list. Another issue is this: if someone breaks into any of the services where I keep many contacts, I don’t want the people in those lists subjected to Joe Job and other attacks made possible through contact harvesting.

Until recently, I didn’t consider my accumulated contacts a liability, but I do now.

In my day job, I lead numerous programs, including data governance, which covers data classification and data retention. And, having been a QSA for many years, the concepts of data-as-asset and data-as-liability are clear to me. For instance, retaining credit card data after a transaction has been completed may provide value to an organization. Still, it also presents itself as a liability: if that stored card data is compromised, the consequences may significantly outweigh its benefit. Somehow, I didn’t apply this concept to personal contact data. Thanks again to Rob Braxman for nudging me to realize that contact data can be just as toxic as other forms of sensitive information.

Postscript: think about this in another way: would you want others you worked with in the past to remove you from their contact lists?

Why encryption is important in communications

Communications between devices often pass over public networks that have varying risks of eavesdropping and interference by adversaries. While the endpoints involved in a communications session may be protected, the communications themselves might not be. For this reason, cryptography is often employed to make communications unreadable by anyone (or any thing) that may be able to intercept them. Like the courier running an encrypted message through a battlefield in ancient times, an encrypted message in the modern context of computers and the Internet cannot be read by others.

– excerpt from a book in progress

The security breaches continue

As of Tuesday, September 2, 2014, Home Depot was the latest merchant to announce a potential security breach.

These days, this means intruders have stolen credit card numbers from its POS (point of sale) systems. The details have yet to be revealed.

If there is any silver lining for Home Depot, it’s the likelihood that another large merchant will probably soon announce its own breach.  But one thing that’s going to be interesting with Home Depot is how they handle the breach, and whether their CEO, CIO, and CISO/CSO (if they have a CISO/CSO) manage to keep their jobs. Recall that Target’s CEO and CIO lost their jobs over the late 2013 Target breach.

Merchants are in trouble. Aging technologies, some related to the continued use of magnetic stripe credit cards, are making it easier for intruders to steal credit card numbers from merchant POS systems. Chip-and-PIN cards are coming (they’ve been in Europe for years), but they will not make breaches like this a thing of the past; rather, organized criminal groups, which have made a lot of money from recent break-ins, are developing more advanced technologies like the memory scraping malware that was allegedly used in the Target breach. You can be sure that there will be further improvements on the part of criminal organizations and their advanced malware.

A promising development is the practice of encrypting card numbers in the hardware of the card reader, instead of in the POS system software.  But even this is not wholly secure: companies that manufacture this hardware will themselves be attacked, in the hopes that intruders will be able to steal the secrets of this encryption and exploit it. In case this sounds like science fiction, remember the RSA breach that was very similar.

The cat-and-mouse game continues.

Trusting Cryptography

The information security profession, and cryptography in particular, has passed into a new era where credible evidence has surfaced revealing that several world governments have played a role in the deliberate weakening of cryptosystems, to facilitate domestic and international espionage. Prior to these revelations, information security professionals could place their trust in national standards bodies, major encryption product vendors, and government organizations. This trust has been broken and will not be easily mended.

A significant challenge in both public and private sectors will be the establishment of new ways to measure the validity and integrity of cryptosystems. Or, perhaps a new approach will involve novel uses of cryptography that make the compromise of a cryptosystem more difficult than before. The collective discussion on this topic will run its course over several years, resulting in the development of new validation platforms as well as improved application of cryptosystems.

– excerpt from the cryptography chapter of a college textbook still in development

Disk encryption vulnerable to attack


A recently released demonstration from Princeton University shows that most disk encryption systems, including Microsoft Vista BitLocker, Apple FileVault, Linux dm-crypt, and TrueCrypt, are vulnerable to a simple attack that will result in the attacker being able to read the entire contents of an encrypted hard drive.

Lessons learned:

  • It is still highly important to prevent physical theft of a laptop computer
  • It is preferable to shut down a system as opposed to leaving it in sleep mode

Articles:

Wired Magazine

News.com

Princeton University

Electronic Frontier Foundation

The Register

New York Times

AP

Network World

Law enforcement unable to perform lawful wiretaps of Skype calls


Skype uses robust encryption that protects its Internet-based phone calls from eavesdroppers. The problem is, if you’re law enforcement and need to conduct a lawful wiretap on a Skype account, you’re out of luck.

Skype’s encryption is end-to-end, and its design includes no provision for a lawful wiretap such as those that are routinely conducted over cellular and landline based phones.

There is no question in my mind that Skype’s encryption is robust. Here is an excellent cryptanalysis (PDF) of the Skype service that was performed by Tom Berson of Anagram Laboratories.

Recent article: Internet Telephone Encryption Stumps German Police

Cryptanalysis of the Skype service


I am a big fan of Skype, particularly because it utilizes full session encryption. I use Skype on a daily basis, both for text messaging as well as for voice communications.

I recently became aware of an excellent cryptanalysis (PDF) of the Skype service that was performed by Tom Berson of Anagram Laboratories.

Don’t want to pay for PGP? Use compatible GPG


PGP is pricey these days – starting at $83/yr, single quantity. Yikes.

If you only need to encrypt files and e-mail in Windows, consider using GPG. It is compatible with PGP, and it’s free.

GPG has an Outlook plug-in, and tools to manage keys (including importing your PGP keys).

One thing GPG won’t do is create self-decrypting archives.

Get GPG here:

http://www.gnupg.org/

Simple analogy for a cryptosystem


An analogy of a cryptosystem is a deadbolt lock. A deadbolt lock can be easily identified, and its inner working mechanisms aren’t closely guarded state secrets. What makes a deadbolt lock effective is the individual key that controls a specific lock on a specific door. However, if the key is weak (imagine only one or two notches on a flat key) or not well protected (left under your doormat), the lock won’t protect your belongings. Similarly, if an attacker is able to determine what cryptographic algorithm (lock) was used to encrypt a message, it should still be protected because you’re using a strong key (128 bit) that you have kept secret rather than a 6-character password written on a scrap of paper left under your mousepad.

From CISSP for Dummies, 2nd edition

How to upgrade your WiFi to WPA


Read this advisory if you are not sure why you would want to move from WEP to WPA.

To do this, you’ll need to change the configuration on your wireless access point (which may be the same device as your broadband router), as well as on every computer that accesses the Internet wirelessly through that access point.

Find your brand of wireless access point below:

DLink

Linksys

NetGear

ActionTec

If you have a link or a procedure and you want it listed here, contact me. I’ll even give you credit! Or, put your link/procedure in the comment fields below.

Find your version of Windows below:

Microsoft Windows XP

Microsoft Windows Vista (sorry, I can’t find a decent page on Microsoft.com)

WEP cracked, time to move to WPA


Last week, some German researchers promised to demonstrate how they could crack WEP in under a minute.

They did it.

Using a 1.7GHz laptop, they cracked WEP in under a minute, 95 percent of the time.

Wow. And we thought WEPCrack was good.

By summer, I’m sure that there will be a nice selection of new WEP cracking tools available that can harvest WEP keys almost as fast as we can drive by them. Heck, there might even be a PDA version.

It’s time to switch to WPA. Now. Most newer access points support it. It’s not hard. Go to this page for links on popular access points and Windows.

Don’t wait.

(Update: the TJX intrusion was through WEP. Still not convinced?)

Sources:

http://www.darkreading.com/document.asp?doc_id=121412

http://www.darkreading.com/blog.asp?blog_sectionid=415

http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1250687,00.html

http://www.theregister.co.uk/2007/04/04/wireless_code_cracking/

Use TrueCrypt to encrypt stored data on your laptop computer


Laptops are stolen. Data is compromised. Tens of thousands of individuals are notified of a breach of their private information.

We see this in the news every week.

There is a good product that you can use to safely and effectively encrypt your data; it’s called TrueCrypt.

I have used TrueCrypt for several months and have found it to be solid and reliable. Previously, I used PGP Desktop version 8.1, which is costly and was not reliable for me.

With TrueCrypt you can:

  • Create and mount NTFS volumes as drive letters
  • Encrypt an entire hard disk partition or portable (e.g. USB) drive
  • Create hidden volumes whose very existence is impossible to prove
  • Encryption algorithms supported: AES-256, Serpent, and Twofish

TrueCrypt supports Microsoft Vista UAC (User Account Control) (requires version 4.3 released in March 2007).

TrueCrypt is very popular – to date it has been downloaded well over two million times.

(Disclaimer: I have no affiliation with TrueCrypt other than being a satisfied customer)

More information here: http://www.truecrypt.org/

Use WinZip 9+ to safely encrypt files


If you are using a version of WinZip that is older than version 9, I urge you to upgrade to version 9 or better. Why? Beginning with version 9, WinZip includes AES encryption. Prior to version 9, WinZip’s encryption algorithm was weak and prone to attack.

With WinZip 9 or better, you can safely encrypt individual files, or entire directories, for transit over e-mail or other means, without fear that anyone else will be able to read the protected data. This, however, is predicated on two important facts:

1. You need to use a strong password when encrypting the archive. Use a password or pass phrase with at least 8, or more ideally, 10, characters.

2. Anyone who can read the WinZip file can see all of the names of the files and directories in the archive. If your file and directory names give away vital information (for instance, a directory named “Merger Companies” containing files such as “General Motors.doc”, “Daimler Chrysler” and “Volkswagen”), then anyone who intercepts your WinZip archive will be able to discern what you or your organization are up to. If your archive contains sensitive file names, then I suggest you “double Zip” your archive to protect your secrets.
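The file-name exposure in point 2 and the “double Zip” workaround, shown as an added example that is not part of the original post. It uses Python’s standard `zipfile` module; the function names and the wrapper name `archive.zip` are assumptions, and because `zipfile` cannot write encrypted archives the sample is unencrypted: the listing call needs no password either way, since names sit in the clear in the ZIP central directory.

```python
import io
import zipfile

# Constructed sample: names follow the post's example, contents are dummy text.
SAMPLE_FILES = {
    "Merger Companies/General Motors.doc": b"draft terms",
    "Merger Companies/Daimler Chrysler.doc": b"draft terms",
}

def build_zip(files, method=zipfile.ZIP_DEFLATED):
    """Return the bytes of a ZIP archive holding {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def visible_entries(archive_bytes):
    """List what anyone holding the archive can read without a password.

    Returns (name, is_encrypted) pairs from the central directory. Bit 0 of
    the general-purpose flags marks an entry whose data is encrypted; the
    entry name is readable whether or not that bit is set.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]

def double_zip(files, wrapper_name="archive.zip"):
    """Put the real archive inside an outer archive with a neutral name.

    The outer archive is the one to encrypt (in WinZip, with AES). Left
    unencrypted, its raw bytes still contain the inner names.
    """
    inner = build_zip(files)
    # Stored, not deflated: the inner archive is already compressed.
    return build_zip({wrapper_name: inner}, method=zipfile.ZIP_STORED)

def leaked_names(archive_bytes, neutral=("archive.zip",)):
    """Names an interceptor learns from the listing, minus neutral wrappers."""
    return [n for n, _ in visible_entries(archive_bytes) if n not in neutral]

if __name__ == "__main__":
    print("single zip listing exposes:", leaked_names(build_zip(SAMPLE_FILES)))
    print("double zip listing exposes:", leaked_names(double_zip(SAMPLE_FILES)))
```

Running `leaked_names` on an archive before sending it is a quick pre-send check: an empty list means the listing shows only the wrapper.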

Get WinZip here: http://www.winzip.com/

Use Password Safe to manage passwords


If you have several online services accounts (e-mail, banking, etc.), then you are probably challenged with the task of remembering all of your different userids and passwords.

  • Surely you are NOT using the SAME password on all of these sites (God forbid!)
  • I hope that you are NOT storing them in an Excel worksheet (even if it’s password protected)
  • Maybe you have them written down, but NOT somewhere that is easily found by others

I recommend you use the Password Safe tool to store and manage your passwords. Password Safe, originally developed at Counterpane, is now open source at Sourceforge.

Some of the features and advantages of Password Safe are:

  • Password vault encrypted with AES, making it impervious to attack, even by determined individuals.
  • Comes with a good password generator that you can use when starting a new account or changing a password on an existing one.
  • Once in place, you need not ever see your password, which is handy if you are logging in when others are watching (“shoulder surfing” will no longer be a useful attack).
  • Password Safe also remembers your URL, so you can also go to the site with a single click.
  • It copies your userid and password into your clipboard for easy pasting into your login screen (whether for a web browser or client application). You can also clear your clipboard easily if you’re concerned about that.
  • Permits you to arrange your accounts by category, making them easier to find if you have a lot of them (like me).


Download Password Safe here:

http://sourceforge.net/projects/passwordsafe