The niner noteworthy stories of 2017 (week 15)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

PGP public key and self-service postal kiosk expose online drug dealers


Yes, we leave digital prints everywhere, but if you want to do something that is illegal according to the law, then you probably need to be a lot smarter than these people to avoid being caught.
Using the same e-mail address to register your personal social media account as well as the public key-pair (PGP in this case) you are using for your criminal activities is not a very good idea. Especially if you then also post that public key to a key server, where it is accessible to everybody who is looking for it.
Interesting though that pictures are being taken at the self-service kiosk where the postage stamps were obtained. Although even in the Netherlands camera surveillance is present at all self-service outlets, including self-payment terminals in supermarkets, the regulations probably differ on how long that data can be stored before it has to be deleted.
One last bit that is interesting in this article is the fact that the FBI apparently was able to image 3 different types of iPhones. It would be interesting to know under what circumstances they were able to do so as this will help to understand one more piece of the puzzle in which the FBI, and others, are crying foul over the increasingly difficult to “hack” Apple devices.
source: Ars Technica (external link)

Password analysis shows employees still aren’t getting the message


The problem also is that the longer and the more complex the password strings need to be, the more difficult it is to really remember them. No level of security awareness training, password policies or even password rules enforced by the system will change this. People, employees, will always find a way to “cheat” the password system. Their reason? Doing so makes their work easier, it’s as simple as that.
Although passwords won’t go away overnight, we need to think of other systems that are more secure but have access methods that are easier for employees to use. Biometrics is often suggested in this discussion, but that poses an entirely different risk: once biometric data is compromised, it can never be reused anywhere for anything again.
This is a difficult topic and solutions will depend on environment and the level of security required for certain data sets and/or systems. There is no silver bullet solution here.
A good risk management strategy, aligned with business requirements, is a good starting point. I can help your company in changing your security posture as well as train your employees in not only their security awareness but also why it is important. Interested to see where I can strengthen your organisation? Contact me for an initial conversation.
source: IT World Canada News (external link)

Windows bug used to spread Stuxnet remains world’s most exploited


So why is a vulnerability that was published in 2010 and patched that same year still the most exploited one in 2015 and 2016 alike? Interesting question, and there can obviously be multiple reasons for this. The one I find the most likely is as simple and elegant as it is disturbing: lack of patching.
Apparently there are still enough computer systems around that are vulnerable to this 2010 USB stick worm for it to be very effective even in the last two years, some 5 or 6 years after it was patched.
Another contributing factor is the very human response of wanting to see what’s on a USB drive that was found in the parking lot, similar to one of the ways the Iranians got infected as well. If you go the more devious route, then you could also hand out infected USB drives as marketing materials or make sure they are sold with the infection already present from the factory, as HP did many years ago.
It is interesting yet worrying to see that these kinds of worms, which use vulnerabilities that were patched a long time ago, are still this effective in spreading and causing damage. Are we really learning nothing?
source: Ars Technica (external link)

What we’re doing to prevent account takeovers


Okay, so account take-overs are on the rise, really? Or has the AirBnB staff finally realised these are on the rise, probably because of some high-value and/or media-covered cases?
So they are now taking two additional steps:

  • Multi-factor authentication. We’re requiring additional verification whenever a user logs in from a new device, such as a computer, phone, or tablet — as is often the case for other services such as online banking. When you sign up for Airbnb, we’ll remember the device you used and allow you to log in from that device, as long as you have the password. Any new device you use, however, will require an additional verification even if you have the password. This defense is typically referred to as multi-factor authentication. We’ll confirm that you are the true account owner by sending a one-time unique confirmation code to your account phone number or email. Once you’ve entered that code on our site through your new device, you won’t have to do it again on that machine.
  • Improving account alerts. We’ve added SMS in addition to email to the ways in which we alert you, as well as expanded the range of changes we’ll proactively notify you about. We do this in order to let you know these changes have taken place — and so that you can take action to recover your account in the event you were not the one who made those changes.

Whilst the second measure is only useful for recovery and for detecting the fact that something went wrong in the first place, the first method seems reasonable. However, since more and more users will have the app on their mobile phone, next to their e-mail accounts and incoming text messages, this may not always be the case. Next to that, a lot of people use the same password for multiple services too; if that’s your AirBnB account as well as the e-mail address associated with that account, then this measure will obviously not work.
Oh, and yes, if you are annoying enough, a social media account login or a 30-second video will get you your badge for offline credential verification instead of having to hand over your passport copy to an American firm and a second one doing the identity document “verification”.
source: Airbnb Citizen (external link)

Alert: Using a web ad blocker may identify you – to advertisers


You probably already knew that logging out of sites, especially social media, is a good idea, and blocking 3rd party cookies too. But did you know that deleting all those unused or no longer required plugins will help you be less visible on the web as well?
I have tried the test and, as I expected, I will probably be trackable to some extent on the web, just like anybody else. Although I didn’t activate the 3rd party cookies as they asked in order to get a good result. As such, some of my plugins weren’t detected.
But be careful with those cookie settings. Restricting them too much may break unexpected things. I have had it set to “sites I visit” for a while. However, I found out it completely breaks the DigiD (the way we need to log in to government websites in this country) login procedure, as apparently it uses cookies to store session information that do not match the site you are actually visiting; because I blocked these, I was redirected to pages other than the login screen. It took me a while to realise the cookie setting was the issue, as no clear error message was provided either.
source: The Register (external link)

How Apple, Google, and other tech titans aim to shake up the way we treat disease


With massive databases of personally identifiable information being required for any of these projects to really succeed, and at least a significant number of the companies funding this research (Google, Microsoft) not particularly known for spotless privacy records or even for being breach-free, the question is not if but when one of these databases gets compromised and leaked. Or maybe even worse: the data being sold to health insurance companies because, with changing regulations, the advertising revenues are drying up and hey, we still have that big database, let’s sell its contents to the companies who can benefit the most from it, aka insurance firms.
Although on the surface it may seem a good idea and even very ethical towards society, do note that for all these American firms only one thing is more important than you as a customer (or product, in the case of Google and, to a varying but alarmingly increasing degree, Microsoft as well), and that’s their stock value.
source: STAT (external link)

Honesty is not the best privacy policy


(Originally posted on Computerworld) This is unfortunately the way we need to go: lie about what we are doing online, create fake web histories, create fake social media accounts, pollute our chat history and hope that tracking companies don’t find even more ways to track us across browsers and platforms. You may even need to use multiple browsers, use secure browsing windows, clear history, caches and cookies, and combine this with multiple changing VPN endpoints to really screw up the algorithms.
There are, however, already technologies out there that will identify your machine by using audio and video fingerprinting methods. So how effective all of this really is may be debatable.
This is a worrying trend, not only because of what governments are doing and demanding but also the constant level of tracking and profiling by the advertising industry. See the next article for a prime example.
source: CIO (external link)

Sydney Buses: Privacy concerns at APN Outdoors’ Catch free Wi-Fi service


If there is any good example needed of why so-called “free” services are actually paid for with your privacy, it’s certainly this one. This is a very nice example of how most of the internet works these days, namely on a business model thriving on your privacy, personal data, automatically generated profiles, auctions for advertising space and the ad revenues themselves.
The article starts with a question: “Can You Take Back Your Online Privacy?” The answer is complicated and would involve us as users being willing to pay for online services with hard cash instead of with our private data and the profiles inferred from that data by obscure algorithms. If the masses decide they would rather lose their privacy to multi-billion dollar tech firms who are worse at spying on us than the intelligence community (who know this and make greedy use of that fact), then privacy is really close to non-existent. The European General Data Protection Regulation and the upcoming ePrivacy Regulation aim to limit this trend, but may fail in that objective.
source: News LTD. Australia (external link)

Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack


The highest promoted comment in this article is probably the one that is closest to the truth: the signal was recorded and simply replayed over and over and over again. It doesn’t take a genius to do that, just somebody with enough radio knowledge and the ability to build a small transmitter tuned to the correct frequency.
It is interesting to see that for these kinds of applications the local government is still using unencrypted signals that are prone to a replay attack in this manner.
However, they have learned and seem to have bolstered the security with additional cryptographic measures, according to CSO Online (external link).
Although the article states that it could have been a brute-force attack on cryptographic signals, I propose it could have been one key used for all transmissions (symmetric) without any changes. If that’s correct, then replaying the cryptographically encoded signal would work just as well as if the signal wasn’t encoded in the first place.
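To illustrate the point about a static key, here is an added example (not code from the article or from any siren vendor) that models two authenticated activation frames under the same shared key: one with no freshness element and one with a monotonically increasing counter bound into the authenticated body. A recorded frame of the first kind is byte-identical to a genuine one and is accepted on every replay, while the counter-checking receiver rejects it. The key, command bytes and frame layout are all constructed for this demonstration.

```python
import hmac
import struct

KEY = b"constructed-demo-key-not-for-real-use"  # constructed shared symmetric key
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, "sha256").digest()
def static_frame(key: bytes, command: bytes) -> bytes:
    """No freshness: the same command under the same key is byte-identical every time."""
    return command + tag(key, command)
def fresh_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Freshness: a monotonically increasing counter is bound into the authenticated body."""
    body = struct.pack(">Q", counter) + command
    return body + tag(key, body)
def tag_ok(key: bytes, frame: bytes) -> bool:
    body, mac = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(mac, tag(key, body))

class StaticReceiver:
    """Verifies the tag only; a recorded frame looks exactly like a genuine one."""
    def __init__(self, key: bytes):
        self.key = key
    def accept(self, frame: bytes) -> bool:
        return tag_ok(self.key, frame)

class FreshReceiver:
    """Verifies the tag and rejects any counter not above the highest one already seen."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, -1
    def accept(self, frame: bytes) -> bool:
        if not tag_ok(self.key, frame):
            return False
        counter = struct.unpack(">Q", frame[:8])[0]
        if counter <= self.last_counter:
            return False  # replayed or duplicated frame
        self.last_counter = counter
        return True

def replay_test(replays: int = 5) -> dict:
    """Record one genuine activation, then feed it back `replays` times to each receiver."""
    cmd = b"SIREN_ON"
    static_rx, fresh_rx = StaticReceiver(KEY), FreshReceiver(KEY)
    rec_static, rec_fresh = static_frame(KEY, cmd), fresh_frame(KEY, 1, cmd)
    return {
        "static_first": static_rx.accept(rec_static),
        "static_replays_accepted": sum(static_rx.accept(rec_static) for _ in range(replays)),
        "fresh_first": fresh_rx.accept(rec_fresh),
        "fresh_replays_accepted": sum(fresh_rx.accept(rec_fresh) for _ in range(replays)),
        "tampered_rejected": not fresh_rx.accept(rec_fresh[:-1] + bytes([rec_fresh[-1] ^ 1])),
    }
```

A timestamp with an acceptance window works in place of the counter for receivers that cannot persist state, at the cost of needing a reasonably synchronised clock.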
source: Ars Technica (external link)