Posts Tagged ‘personal safety’

It’s not just WannaCry: Thieves are opportunists

Posted: May 19, 2017 by IntentionalPrivacy in Financial vulnerabilities, Personal safety, Ransomeware, Vulnerabilities, WannaCry
Tags: , , , ,

WannaCry has effectively died down according to Wikipedia < https://en.wikipedia.org/wiki/WannaCry_ransomware_attack&gt;. However, if you do not WannaCry about some other malware, take some preventive actions now to make your systems less vulnerable to future attacks. If it is not easy to attack you or your computer systems, in most cases a thief will look for an easier target.

Organizations

  • Keep system and application versions up to date and patched, especially critical patches
    • If the organization still has to run computers running XP (or older operating systems), get them off the network
  • Keep antivirus software current and scan daily
  • Make regular, consistent backups (and test them to ensure files are recoverable)
  • Create network zones
  • Place public-facing web servers in DMZs
  • Restrict administrator rights
  • Change default passwords and enforce password rules on users
  • Train users in security awareness, especially how to avoid clicking harmful links
  • Take infected machines off the network and clean them up as soon as possible, so that the infection does not spread to other machines on the network

These actions alone will stop a considerable amount of malware and other attacks. They do not require expensive equipment or software, just the time to set them up. And these practices will help any organization better comply with regulatory requirements.

For instance, Microsoft came out with a critically rated security patch for Microsoft Windows SMB Server on March 14, 2017. This patch would have made Windows systems resistant to WannaCry. The WannaCry attack started on Friday, May 12, 2017, almost two months later. While I understand the need to test patches to ensure they will work in an environment, testing for a couple of weeks should be adequate, especially for critical updates.

Individual systems

Many of the same actions will keep your systems safe:

  • Keep system and application versions up to date and patched; in fact, set updates to run automatically and schedule them for  a convenient time frame
    • If you are running an older operating system such as XP, take it off the Internet
    • Uninstall applications that you no longer use from both your phones and computers
  • Keep antivirus software current and scan daily
  • Make regular, consistent backups (and test them to make sure files are recoverable)
  • Do not run with administrator rights
  • Change default passwords on routers and modems, and choose long, strong passwords for all your accounts
  • Do not click harmful links in email, on Facebook, or other websites

Prevention is the key for physical theft also.

Our neighborhood has been experiencing a recent rash of car break-ins and theft of items on porches. Many of these thefts happened when someone forgot to lock their car.

Be a little paranoid! Assume that someone is always watching you. For instance, you might not realize the dog walker walking by your house was watching you put a computer case in the trunk or that the 16 year old who lives next to you tries car doors at one am because he is bored or has a drug problem. Leaving a laptop in the car is not ever a good idea, but if you have to leave valuables in your car, put them in your trunk before you get to your destination. Lock your house and car as soon as you shut the door. Do not leave extra keys on your property or stashed on the car. Do not leave the garage door opener in the car. When you are working on that report in a coffeehouse, take your laptop, phone, keys, and wallet with you when you go to the restroom. Do not leave your purse or phone in a grocery cart when you turn around to pick out items for dinner.

Passwords

Posted: January 29, 2016 by uszik11 in Identity theft, Password need-to-knows, Personal safety, Uncategorized, Vulnerabilities
Tags: , , ,

Are your passwords strong enough to resist a brute force attack?

Passwords are just about dead. Many systems now offer “two factor identification.” You give them your cell phone number and you have to use both a password and a code number sent to  the phone for your log in.  But passwords continue. They are easy for administrators. They are part of the common culture.

Steve Gibson has the engineer’s “knack.” (See the Dilbert video here.) His company, Gibson Research Corporation (here), sells a wide range of computer security products and services. He also offers many for free. Among the freebies is Haystack: How Big is Your Haystack – and how well is your needle hidden? (here)  This utility provides a metric for measuring password security.

It is pretty easy to do yourself, if you like arithmetic. 26 upper case letters, 26 lower case, 10 digits, 33 characters (with the space) for 95 printable ASCII characters in the common set.  So, if you have an 8-character password that is 95 to the 8th power possible combinations: 6.634 times 10 to the 15th power or over 6-and-a-half quadrillion. If you could try a million guesses a second, it would take 6.5 billion seconds or just over 200 years. (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365.25 days / year* 200 years =6.3 billion .)

Gibson Research makes all of that automatic. Just key in your password, and it tells you how long it would take to crack.

Cracking passwords is a “routine activity” for a hacker. They have tools.  At one meet-up for hackers, the speaker told us, “If you have to use brute force, you are not thinking.”  They do not type in a million guesses per second, of course. They have programs to do that. Also, most websites just do not allow that kind of traffic: you cannot do a million guesses per second. What the hackers do is break in to a site, such as Target, Home Depot, LinkedIn, or eHarmony, download all of the log files, and then, on their own time, let their software attack the data offline.

Also, hackers do not use the same computers that you and I do. They start with gaming machines because the processors in those are built for high-speed calculation. They then gang those multiple processors to create massively parallel computers.  The calculators from GRC show the likely outcome for brute force by both a “regular” computer and a “massive cracking array.”

If someone got hired today at a typical midrange American corporation, their password might just be January2016. If, like most of us, they think that are really clever, it ends with an exclamation point: January2016! Hackers have databases of these. They start with standard dictionaries, and add to them all of the known passwords that they discover.

One common recommendation is to take the first letters of a phrase known only to you and personal only to you. My mother had naturally red hair for most of her life. She was born in 1929 and passed in 2012. So, “My mother’s red hair came from a bottle” becomes mmrhcfab19292012. According to Gibson Research, brute force guessing with a massive cracking array would take over 26 centuries.

Gioachino Rossini premiered his opera, William Tell, in 1829. “William & Tell = 1829” would take a massive parallel cracking machine about 1 million trillion centuries to guess. On the other hand, a “false phrase” such as Five + One = 27 could not be done in under 1.5 million centuries.

TMAR Four 3c3c

Texas State Guard Maritime Regiment non-commissioned officers at leadership training.  Only the one on your far right is a real Marine.

Remember, however, that a dictionary attack will crack any common phrase.  With over 1.7 million veterans of the United States Marine Corp, someone—probably several hundred someones—has “Semper Fi” for a password. Don’t let that be you. A brute force attack would need only 39 minutes, but that is not necessary: a cracker’s dictionary should have “Semper Fi” in it already.

(Above, I said that cracking passwords is a “routine activity” for a hacker. “Routine activities” is the name of theory of crime.  Attributed to sociologists Marcus Felson and Lawrence E. Cohen, routine activities theory says that crime is what criminals do, independent of such “social causes” as poverty. (See Routine Activity Theory on Wikipedia here.) That certainly applies to password crackers. Like other white collar criminals, they are socially-advantaged sociopaths.  They are planfully competent, calculating their efforts against a selfish return.)

Got secure messaging? Part 2

Posted: February 28, 2015 by IntentionalPrivacy in Cell phone, First Steps, free speech, Historical and future use of technology, Identity theft, Privacy, Security or Privacy Initiatives, Tips
Tags: , , , , , , , , ,

Part 1 explains why you might decide to use secure messaging.

If you decide you want to use a secure messaging app, here are some factors you might consider:

  • How secure is the program? Does it send your messages in plaintext or does it encrypt your communications?
  • How user friendly is it?
  • How many people overall use it? A good rule for security and privacy: do not be an early adapter! Let somebody else work the bugs out. The number of users should be at least several thousand.
  • What do users say about using it? Make sure you read both positive and negative comments. Test drive it before you trust it.
  • How many people do you know who use it? Could you persuade your family and friends to use it?
  • How much does it cost?
  • What happens to the message if the receiver is not using the same program as the sender?
    • Does it notify you first and offer other message delivery options or does the message encryption fail?
    • For those cases where the encryption fails, does the message not get sent or is it sent and stored unencrypted on the other end?
  • Will it work on other platforms besides yours? Android, iOS, Blackberry, Windows, etc.
  • Does the app include an anonymizer, such as Tor?
  • While the app itself may not cost, consider whether the messages will be sent using data or SMS? Will it cost you money from that standpoint?

The Electronic Freedom Foundation recently published an article called “The Secure Messaging Scorecard” that might help you find an app that meets your needs. Here are a few of the protocols used by the applications listed in the article:

I picked out a few apps that met all of their parameters, and put together some notes on cost, protocols, and platforms. While I have not used any of them, I am looking forward to testing them, and will let you know how it goes.

 

App Name Cost Platforms Protocol Notes
ChatSecure + Orbot Free; open source; GitHub iOS, Android OTR, XMPP, Tor, SQLCipher
CryptoCat Free; open source; GitHub Firefox, Chrome, Safari, Opera, OS X, iPhone; Facebook Messsenger OTR – single conversations; XMPP – group conversations Group chat, file sharing; not anonymous
Off-The-Record Messaging for Windows (Pidgin) Free Windows, GNOME2, KDE 3, KDE 4 OTR, XMPP, file transfer protocols
Off-The-Record Messaging for Mac (Adium) Free Adium 1.5 or later runs on Mac OS X 10.6.8 or newer OTR, XMPP, file transfer protocols No recent code audit
Signal (iPhone) / RedPhone (Android) Free iPhone, Android, and the browser ZTRP
Silent Phone / Silent Text https://silentcircle.com/pricing Desktop: Windows ZRTP, SCIMP Used for calling, texting, video chatting, or sending files
Telegram (secret chats) Free Android, iPhone / iPad, Windows Phone, Web- version, OS X (10.7 up), Windows/Mac/Linux Mproto Cloud-based; runs a cracking contest periodically
TextSecure Free Android Curve25519, AES-256, HMAC-SHA256.

Sources
http://en.flossmanuals.net/basic-internet-security/ch048_tools-secure-textmessaging/
http://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication
http://www.bbc.co.uk/news/technology-16812064
http://www.practiceunite.com/notifications-the-3-factor-in-choosing-a-secure-texting-solution/
http://www.tomsguide.com/us/iphone-jailbreak-risks,news-18850.html

Got Secure Messaging? Part 1 …

Posted: February 25, 2015 by IntentionalPrivacy in Cell phone, First Steps, free speech, Identity theft, Personal safety, Privacy, Security or Privacy Initiatives, Tips
Tags: , , , , , , , , , , ,

When you send a message, who controls your messages? You write them and you get them, but what happens in the middle? Where are they stored? Who can read them? Email, texts, instant messaging and Internet relay chat (IRC), videos, photos, and (of course) phone calls all require software. Those programs are loaded on your phone or your tablet by the device manufacturer and the service provider. However, you can choose to use other – more secure – programs.

In the old days of the 20th century, a landline telephone call (or a fax) was an example of point-to-point service. Except for wiretaps or party lines, or situations where you might be overheard or the fax intercepted, that type of messaging was reasonably secure. Today, messaging does not usually go from your device—whether it is a cell phone, laptop, computer, or tablet—directly to the receiver’s device. Landlines are becoming scarcer, as digital phones using Voice over IP (VoIP) are becoming more prevalent. Messages are just like any other Internet activities: something (or someone) is in the middle.

It’s a lot like the days when an operator was necessary to connect your call. You are never really sure if someone is listening to your message.

What that means is that a digital message is not be secure without taking extra precautions. It may go directly from your device to your provider’s network or it may be forwarded from another network; it often depends on where you are located in relation to a cell phone tower and how busy it is. Once the message has reached your provider’s network, it may bounce to a couple of locations on their network, and then—depending on whether your friend is a subscriber of the same provider—the message may stay on the same network or it may hop to another provider’s network, where it will be stored on their servers, and then finally be delivered to the recipient.

Understand that data has different states and how the data is treated may be different depending on the state. Data can be encrypted when it is transmitted and it can be encrypted when it is stored, or it can remain unencrypted in either state.

Everywhere it stops on the path from your device to the destination, the message is stored. The length of time it is kept in storage depends on the provider’s procedures, and it could be kept for weeks or even years. It gets backed up and it may be sent to offsite storage. At any time along its travels, it can be lost, stolen, intercepted or subpoenaed. If the message itself is encrypted, it cannot be read without access to the key. If the application is your provider’s, they may have access to the message even if it is encrypted if they have access to the key.

Is the message sent over an encrypted channel or is it sent in plain text? If you are sending pictures of LOLZ cats, who cares? But if you are discussing, say, a work-related topic, or a medical or any other confidential issue, you might not want your messages available on the open air. In fact, it’s better for you and your employer if you keep your work and personal information separated on your devices. This can happen by carrying a device strictly for work or maybe through a Mobile Device Management application your employer installed that is a container for your employer’s information. If you do not keep your information separate and your job suddenly comes to an end, they may have the right to wipe your personal device or you may not be able to retrieve any personal information stored on a work phone. Those policies you barely glanced at before you signed them when you started working at XYZ Corporation? It is a good idea to review them at least once a year and have a contingency plan! I have heard horror stories about baby pictures and novels that were lost forever after a job change.

Are you paranoid yet? If not, I have not explained this very well!

A messaging app that uses encryption can protect your communications with the following disclaimers. These apps cannot protect you against a key logger or malware designed to intercept your communications. They cannot protect you if someone has physical or root access to your phone. That is one of the reasons that jail-breaking your phone is such a bad idea—you are breaking your phone’s built-in security protections.

An app also cannot protect you against leaks by someone you trusted with your information. Remember: If you do not want the files or the texts you send to be leaked by someone else, do not send the information.

If you decide that you want to try one or more messaging applications, it is really important to read the documentation thoroughly so you understand what the app does and what it does not do and how to use it correctly. And, finally: Do not forget your passphrase!! Using a password manager such as KeePass or LastPass is a necessity today. Also back up your passwords regularly and put a copy—digital and/or paper—of any passwords you cannot afford to lose in a safe deposit box or cloud storage. If you decide to use cloud storage, make sure you encrypt the file before you upload it. Cloud storage is a term that means you are storing your stuff on someone else’s computer.

Part 2

Who is Watching Through Your Cell Phone?

Posted: January 25, 2015 by uszik11 in Cell phone, Personal safety, Privacy, Tips
Tags: ,

Your cell phone can be taken over by hackers who will view through your camera and watch you enter your passwords and other information.  Here in Austin at the IEEE “Globecom” conference on global communication last December, I attended a presentation from Temple University researchers who compromised an Android cell phone. 

Doctoral candidate Longfei Wu and five colleagues from Temple University, the University of Massachusetts, and Beijing University exploited vulnerabilities in the Android cell phone to seize control of the camera.

Having done that – and having reduced their footprint to one pixel – they then watched finger touches to the keyboard in order to guess passwords.  Some sequences were more secure than others.  1459 and 1479 were easy to identify.  1359 and 1471 were harder to guess.  The fundamental fact remains: They took control of the camera without the cell phone owner being aware of it.

Moreover, the Android operating system does not provide you with a log file of usage.  There is no way for you to review what your phone has been doing. However, the researchers fixed that. 

“We make changes to the CheckPermission() function ofActicityManagerService, and write a lightweight defense app such that whenever the camera is being called by apps with CAMERA permission, the defense app will be informed along with the caller’s Application Package Name.

[…]

There are three parts of warnings in our defense scheme. First, an alert dialog including the name of the suspicious app is displayed. In case the warning message cannot be seen immediately by the user (e.g., the user is not using the phone), the defense app will also make sound and vibration to warn the user of spy camera attacks. Besides, the detailed activity pattern of suspected apps are logged so that the user can check back.” — from “Security Threats to Mobile Multimedia Applications: Camera-based Attacks on Mobile Phones”,IEEE Communications Magazine, March 2014.”

If you want to protect your phone, you have to figure out how for yourself.  Very few ready-made defense apps exist for Android, or iPhone.  You could join a local hacker club such as DefCon.  (For Ann Arbor, it is DefCon 734; for Minneapolis it is DC612.)  That brings up the problem of trust.  When I go to computer security conferences, I never take a computer; and I do not answer my phone.  I do trust the organizers of our local groups, LASCON, ISSA, OWASP,  and B-Sides; but I do not trust everyone who comes to every meeting.  If you want someone to “jailbreak” your phone, and program something on it for you, then you really need strong trust.  It is best to do it for yourself.

“Unfortunately, it’s not uploaded online. To support the defense scheme, I modified the Android system and generate new image files. This means if someone want to use the defense function, he/she must flash the phone. As a result, all the installed stuff may get lost. I think people wouldn’t like that to happen. Besides, the Android version I used for testing is 4.1-4.3, while the most recent release is 5.0.” – Longfei Wu, reply to email.

As “the Internet of Things” connects your washing machine and your car to your home thermostat and puts them all online along with your coffee-maker and alarm clock, all of them connected to the television box that never shuts off and always listens, you will be increasingly exposed to harm.

Protect Your Personal Information Cheat Sheet

Posted: January 2, 2015 by IntentionalPrivacy in Security or Privacy Initiatives, Tips
Tags: , , , , , ,

The amount of information collected on each of us is growing astronomically every day. What can you do to help protect your—as well as your family’s—information?

Note: This information is meant to be a starting place.Technology is constantly changing, so you must consider whether the information provided is timely and applicable to your situation. In order to adequately protect yourself and your family, you also might need to consult with your attorney or accountant or obtain other professional advice.

What information do you want to protect? Here are some categories you might want to consider:

Ad/cookie tracking Identity information Reputation
Digital identity Intellectual property Social media
Electronic devices Location Trash
E-mail Mailbox Travel
Family Medical information Voting
Financial information Personal safety Work information

Where are the threats to your information? Here are some common threats:

Data loss or theft

  • Backup media
  • Mail/trash
  • Organization w/ your info goes bankrupt
  • Paper
  • Website
 Types of Malware

  • DNS Changer
  • Drive-by downloads
  • Keyloggers
  • Phishing email
  • Rootkits
  • Search engine poisoning
  • Social media malware
  • Torrents
  • Spyware, Trojan horse, virus, worms
  • Zombies/botnets
  • Etc.
Device loss or theft

  • Computer
  • DVD/CD
  • Backup media
  • USB drives
  • Portable electronic devices
  • Laptop, iPad, smart phones, tablets
Natural or man-made disasters

  • Fires
  • Floods
  • Tornadoes
  • Earthquakes
 Personal safety

  • Craig’s List
  • Data leakage
  • Identity theft
  • Social media
ID theft Social engineering / Pretexting

Who do you trust with your information? Here are some organizations that you probably trust:

Accountant, lawyer, other professionals Religious & charity organizations
Employers Schools & Libraries
Financial institutions—banks, credit unions, loans & credit cards, brokerages Retailers & e-commerce sites
Government agencies Social sites
Health care—doctor, dentist, hospital, labs Websites
Insurance companies And …?

Why do you trust people or organizations?

  • Do they have a legitimate need for your information?
  • Do they have policies and procedures to tell you what they do with your confidential information?

When do you trust people or organizations?

  • Do you give confidential information on the phone, in email, texting, or in person?
  • Did you initiate the information exchange?
  • If you don’t feel comfortable, don’t do it.

How do you give people or organizations your confidential information? Think about advantages and disadvantages to giving out your information in person, over the phone, in email or in text messages, on a secure website. If you’re uncomfortable giving out information in a particular situation: don’t do it! Find another way to give the information.

General Tips

  • Don’t leave your electronic devices—cell phones, laptops, tablets, iPads, etc.—unattended in public, including hotel rooms.
  • Don’t ask strangers to watch your things while you go to the restroom or load up on more coffee.
  • Don’t leave your purse or briefcase unattended in public: including shopping carts, restaurants, and coffee shops.
  • Don’t use easy-to-guess passwords: http://www.dailymail.co.uk/sciencetech/article-2063203/This-years-easiest-guess-passwords–discovered-hackers-worked-out.html
  • Don’t post private information on social websites. Remember you have no expectation of privacy on social websites.
  • Data leakage:
    • Be careful about the information you throw in your trash.
    • Collect your mail as soon as possible.
    • Use vacation holds or have a friend collect your mail if you will be gone for more than a couple of days.
    • Do not announce on Facebook or other social media that you are going on vacation. Wait until you get back to share those fabulous pictures!
    • Keep your electronic devices and other valuables out of sight in your vehicle.
    • Read software and services licenses.
    • Use a password or a pin to protect your smart phone.

Spam Nation!

Posted: December 1, 2014 by IntentionalPrivacy in Books
Tags: , , , , ,

Krebs.2jpgI recently had the pleasure of attending a presentation put on by Brian Krebs, where he also signed his new book, Spam Nation.

I have been reading his blog, KrebsOnSecurity.com, since I did a paper on the Russian Business Network in 2008 for a class I was taking.

His blog is fascinating, and the book is also! The book has everything you’d look for in a thriller—spies, counterspies, theft, drugs, murder, hackers—and it’s all true. Even if you’re not a techie, I highly recommend this book.

And, if you’re buying pharmaceuticals from an online pharmacy that doesn’t ask for a doctor’s prescription, I hope this book will convince you to stop. It’s a really dangerous practice because you don’t know what you’re ingesting.

Public Key Cryptography Protects Your Information

Posted: October 26, 2014 by uszik11 in First Steps, Security or Privacy Initiatives
Tags: , , ,

The methods of securing data are robust. Your financial transactions, health records and other sensitive information are safeguarded by strong mathematical processes. You can use these same tools yourself to keep your emails private. It is not much harder than learning a new phone and installing an app.

Usually, when your personal data is exposed by organized gangs of Russian “businessmen” or the Chinese People’s Liberation Army, it because of failures in computer security allowed by weaknesses in the programs. The cell phone companies deliver records to the NSA. The NSA does not break your ciphers. As far as we know, no one has ever cracked one of the public key methods developed since 1975. Some theoretical weaknesses have been suggested. Brute force attacks by the NSA have been hinted at, but never demonstrated. The mathematics is as immutable as the Law of Identity: A is A.  It is absolutely true that 1 + 1 = 2, always and forever.

A Crazy Idea

In the early to mid-1970s, independent researchers Whitfield Diffie and Martin Hellman at Stanford, Ralph Merkle at Berkeley, and Ronald Rivest at MIT, along with his doctoral candidates Adi Shamir and Lenard Adelman, all sought and found ways to encrypt information that were not based on any of the historically known methods. As a result, when Ralph Merkle submitted his papers to the Communications of the Association for Computing Machinery, they were rejected for denying the established wisdom of 2000 years. Working on his doctorate at Berkeley, he was told by his professors that he obviously did not know the basics of cryptography.

Codes and Ciphers

A code is a secret translation of one set of symbols for another. If we let
Handkerchief = Train
Scarf = Bus
Blouse = Plane
Red = 2:00PM
Blue = 3:00PM
Green = 3:45 PM
Then, “Thank you for the red scarf “ or “Thank you for the green blouse” could be sent via email or on a post card and the real meaning would be hidden. The weakness is in exchanging the key. Someone has to pass the translation table. However, given the security of the key table, the code is unbreakable.

A cipher is an orderly substitution. Taking the alphabet backwards, A=Z, B=Y, C=X,… turns BARACK OBAMA into YZIZCP LYZNZ. Another kind of cipher just takes the letters in turn say, every third in rotation so that HILLARY CLINTON becomes LRLTHLYIOIACNN.

Ciphers often can be broken with applied arithmetic. In English, e is the most common letter, followed by t a o i n s h r d l u… Among the complicated ciphers was the Vigenere in which a table of letter keys allowed shifting substitutions. During World War II, the Germans employed their “Engima” machine with its shifting and changeable wheels. It fell to the first of the computers, the “Bombe” of Bletchley Park and “Ultra” Project. In The Jefferson Key by Steve Berry (Ballantine Books, 2011), a supposedly unbreakable cipher finally falls to a modern-day sleuth. As constructed, it involved writing the letters vertically, then inserting random letters, then writing the letters horizontally. However, again, common arithmetic allows you to use the fact that any English word with a Q must have that letter followed by a U; and no English words have DK as a digraph. (Until DKNY, of course.) So, the cipher was broken.

Speaking to LASCON in Austin, October 23, 2014, Martin Hellman said that he and his co-workers were considered “insane” for suggesting that an encryption method could be devised in which the formulas were public. In fact, this idea had old roots.

The 19th century founder of mathematical economics, William Stanley Jevons, suggested that certain mathematical functions that were “asymmetric” could be the basis for a new kind of cryptography. Just because A=Z does not mean that Z=A. His idea did not bear fruit. However, Martin Hellman asked his colleagues in the mathematics department if they knew of any such asymmetric functions. Indeed, many exist.  They can be called “trapdoor functions” because they are easy to do in one direction, but computationally difficult in the other.  In other words, they are are unlike the four common arithmetic operations.

The Diffie-Hellman system employs modulo arithmetic.  RSA (Rivest-Shamir-Adleman) uses the totient function discovered by Leonhard Euler in 1763. In 1974, Ralph Merkle, then at Berkeley, thought of using a set of puzzles, where each one is moderately hard, but the full set of 15 becomes computationally difficult. Working together, Merkel and Hellman created a “knapsack” function in which the challenge is to put the “most important objects” (numbers) with the smallest weights (numbers) into a bag (solution set).

You can get the papers online. If you loved high school algebra, and get a kick out of crossword puzzles (especially acrostics) this will be fun. If not, just accept the fact that they work.

The salient facts remain: the cipher system is clearly described, yet stands cryptographically secure.   That is a mandate called “Kerckhoffs Law” named for Auguste Kerckhoffs, a 19th century Dutch linguist. A cryptographic system should remain secure, even if everything about it is known, except the key. Thus, in our time, you can find the mathematical theorems and computer code for public key systems. You can download almost instantly clickable applications to secure your email.

Pretty Good Privacy
A hundred years ago, codes and ciphers and the study of cryptography all were controlled by the secret services of governments. In our time, academic theoreticians publish papers. To be patented, a device must be published. And so, Phil Zimmermann took the mathematical theorems and processes of the RSA encryption algorithm and recoded them from scratch to create a new system, just as powerful, but available to anyone without need for a license. Zimmermann was threatened with lawsuits and such, but he prevailed. Today, PGP is a free product offered by software sales giant Symantec on their website here. It is something a “loss leader” for Symantec. You can get PGP from other places as well, see here.

With it, you can encrypt your emails. Know, however, that (1) you would need to be “approved” by another PGP user (easy enough) and that (2) anyone you send emails to with this also needs it to read your emails to them. Be that as it may, it is no harder than setting up a really cool Facebook page, just a bit of work and some close focus.

Someone Could Control Your Car from the Outside

Posted: October 18, 2014 by uszik11 in Historical and future use of technology, Personal safety, Security Breach
Tags: , , , ,

If you have a late model car, someone could disable the brakes, command the steering wheel, set the speed, open the doors, disable the airbags, or explode them, all from a Wi-Fi hotspot.

Perhaps the modern icon is the General Motors OnStar system. Everyone knows it; it shows up in movies and TV as commonly as orange juice or dogs. OnStar was launched in 1995 and went from analog to completely digital in 2006. (Wikipedia here.)  Now, such radio systems are a standard feature on common makes and models. The radios are called “transceivers” for “transmitter and receiver”, that is, a “walkie-talkie” or two-way radio, in other words, a cell phone that is always on. With that link someone can take control of your car.

Computers in cars go back to the 1978 Cadillac Seville. The chip was a Motorola 6800, used also in early personal computers. It ran the car’s onboard display that provided eleven outputs such as fuel economy, estimated time of arrival, and engine speed. By the turn of the Millennium, upscale BMWs and Mercedes boasted 100 processors. Even the low-tech Volvo now has 50. (Automotive Mileposts website here and Embedded website here. Note that “embedded” systems are computer controllers that built into other machines for control or diagnostics. Embedded systems is a branch of computing.)

However, the older your car, the safer you are. A vehicle from the 1980s or 1990s will have electronic controls, but they will be less open to attack from the outside.  Without a radio link such as OnStar, there is no way to control the car from the outside. Also, the older processors were more often dedicated to reporting things such as gas mileage or fuel economy. Electronic fuel ignition replaced carburetors, but, again, was a simple, stand-alone controller that could not be compromised from the outside.

Over the past few years, two different security projects have been reported in which “white hat hackers” (good guys) investigated ways to take control of different models of automobile.

models-panelbg-001

The little antenna on the Prius is not just for the FM radio.

 In 2011, Car and Driver told about the work of the Center for Automotive Embedded Systems Security, a collaboration between academics from the University of Washington and California State University at San Diego. First, they plugged their own device under the dashboard to compromise the on-board diagnostic computer. (Anyone who can get to your car could do that the next time you take in for an oil change or other routine service.) In the second phase, they figured out how to do that remotely.

According to Car and Driver: “Such breaches are possible because the dozens of  independently operating computers on modern vehicles are all connected through an in-car communications network known as a controller-area-network bus, or CAN bus.  Even though vital systems such as the throttle, brakes, and steering are on a separate part of the network that’s not directly connected to less secure infotainment and diagnostic systems, the two networks are so entwined that an entire car can be hacked if any single component is breached.”  (“Hack to the Future” Car and Driver July 2011 by Keith Barry here.)  The original research from the academics is posted online as PDFs.  (See below).

In the words of the researchers:  “We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input—including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.”  (Published as “Experimental Security Analysis of a Modern Automobile” by

Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.
 IEEE Symposium on Security andPrivacy, Oakland, CA, May 16–19, 2010. Available as a PDF from the authors here.)

Then, having figured out how to install their own controller into a car under the dashboard, they turned to the problem of remote control.

“Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack. However, while previous research has shown that the internal networks within some modern cars are insecure, the associated threat model—requiring prior physical access—has justifiably been viewed as unrealistic. Thus, it remains an open question if automobiles can also be susceptible to remote compromise. Our work seeks to put this question to rest by systematically analyzing the external attack surface of a modern automobile. We discover that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft. Finally, we discuss the structural characteristics of the automotive ecosystem that give rise to such problems and highlight the practical challenges in mitigating them.”  (Published as “Comprehensive Experimental Analyses of Automotive Attack Surfaces” by Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage (University of California, San Diego) and Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno (University of Washington). Available as a PDF from the authors here.)

Two years later, Andy Greenberg, who reports on technology for Forbes, filed a story about Charlie Miller and Chris Valasek who carried out their own car hacking research with a government grant.

“Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles.” (Forbes, August 12, 2013 here. This story includes a video of the event. They took Greenberg for a ride that ended in a crash despite everything he could do to fight for control of the car. The 5 mph roll out finally stopped in some high grass. )

 

 

Why does a town of 8,300 people need an armored vehicle and a SWAT team?

Posted: July 24, 2013 by IntentionalPrivacy in Personal safety, Privacy, Vulnerabilities
Tags: , , , ,

I recently read an article called the “Rise of the Warrior Cop” in the Wall Street Journal. Ordinarily, I would tend to blow off an article such as this.

Except there are too many articles like these:

Reasonable search and seizure? It’s supposed to be a right guaranteed by the Fourth Amendment of the Bill of Rights.

Older Entries