Disclaimer: The opinions expressed here are my own, and are not representative of any employer, employee, or anyone, anywhere, at any time. Oh, and I’m NOT a lawyer.
As most everyone knows, Apple and the Courts are engaged in a standoff over the request that Apple assist in building an update, to be sent to a specific phone, that removes the phone’s auto-clean function, which deletes the cryptographic keys after 10 failed passcodes are entered.
I’ve spent some time reviewing the Motion to Compel, (https://assets.documentcloud.org/documents/2715997/Apple-iPhone-Access-MOTION-to-COMPEL.pdf) from the US District Court in CA, and the assertions that are being made by the FBI and the court present several interesting legal arguments. Regardless of how this issue is resolved, I think that we’re going to see some interesting decisions that will affect electronic privacy and personal security for everyone.
Points that I’m watching:
- Argument that Apple is not “far removed” from this matter – pg 10 of the linked pdf
- tl;dr – Apple, being the only holder of the signing key for updates, is the only one suitable to assist, and since they keep their software and code under strict control, they are the only ones who CAN do it.
- Apple has not directly stated that it is “impossible”, therefore it is possible
- The Government is allowing Apple to destroy any/all updated code after the investigation is completed.
If you have a few minutes, take a read through the Motion to Compel; there are some very valid points of law being used to make some valid arguments. While I was formerly applauding the public statement from Apple, I am now in doubt of Apple’s ability to refuse this motion.
What do you think is going to happen?
- Apple’s Security Can be Bypassed?(lifelibertytech.com)
- Judge orders Apple to unlock San Bernardino gunman’s phone(pcauthority.com.au)
- Apple’s next move in its privacy fight against the FBI(oddonion.com)
Apparently, someone at a university took umbrage at a joke that Adrian Crenshaw (AKA IronGeek, http://www.irongeek.com/) put up on his personal website on April Fools’ Day 2015, and began trolling Adrian and his site because the joke was “sexist” or “misogynistic”.
Well, you know what happened next… a shitstorm of people pointing fingers, the “Social Justice Warriors” (herein as #sjw) took up arms against Adrian, and the fallout is still happening. Adrian was politely asked to NOT come to bsidesLV and perform the videography that he had been doing for some time. Basically this problem began to spill out of the internet, and into REAL LIFE.
Let me back up… I met Adrian over 15 years ago, when I was living in the Southeast US. I found him to be a very intelligent person with a great sense of humor, and an amazing sense of purpose, specifically focused around educating people about the risks of not securing data, systems, and networks. He began hosting videos of smaller conferences, mostly those that don’t have the budget of the larger conferences and their ability to purchase and maintain those costs. Adrian has never laid claim to any of the data that he hosts on behalf of any conference, nor has he modified any data to make himself look better. He’s a consummate professional with a solid passion for Information Security.
Now, back to the present… this person who trolled Adrian, someone in academia, made the claim that Adrian’s April Fools’ joke was sexist or misogynistic. Now, I don’t know this person… and I don’t care to, but the first rule of dealing with people is to take the problem to the person, not to the internet. (Unless you’re a troll or a drama loving idiot)
First off, most academics aren’t in touch with the world at large. They have a cursory view of the world and they have the luxury of not actually doing any of the things that they teach. They also have the eyes and ears of our nations’ student population, a vast majority of which are highly suggestible. Now, couple that with this person’s view of what is ‘sexist/misogynistic’, and you have someone who is going to go off ‘half-cocked’. <- not a sexist term, look it up.
Then, someone else I know, from bsidesLV, whom I respect, sent a letter to Adrian, telling him that his professional services are no longer desired at bsidesLV, because of this person in academia stirring the pot.
Now, I don’t know if you’ve even read this far… but here’s my take on the ENTIRE THING.
1) Don’t take the bait. I don’t care what I post, and to whom, and where. These are MY PERSONAL FEELINGS and my PERSONAL VIEWS and not the views of any company, organization, volunteer effort or any other charitable things that I do. You (the global you), shouldn’t take anything that I say as any indication of how professional I can be at work, and what I can do with my brain. My views, beliefs, and actions, are my own. IF YOU HAVE A PROBLEM WITH THAT. STOP READING, You’re done.
For the rest of you, thanks for staying with me.
My synopsis on one thread was simple… and It’s paraphrased here:
1) Someone made a joke on their website.
2) some troll called it “misogynist” and the internet freedom winners stayed flaming
3) 1st guy blocks source ip’s on personal website.
4) bsidesLV cuts ties with 1st guy, and shoots itself in the foot.
5) drama unfolds
6) you read this.
The best thing about all of this? It’s only going to polarize the community into two camps… Those who think that everyone should be included in everything… (#derpDicon?) Or the information security professionals should have their conferences… Oh, wait, we have those… except that they’re being taken over by the #derpDicon folks…. So.. enjoy…
This will get FAR WORSE before it gets better.
Oh, and Adrian Crenshaw? You are STILL the man…
That’s my 2¢, YMMV.
How do you want YOUR data protected?
I have been asked to put together some of my thoughts around information security to share with a wider audience. While I could lead off with complicated or technical topics, I won’t. Instead, I’m going to talk to each and every reader, on the most basic of levels. Hopefully this change of view will resonate with some of the readers, and if it does, then I’ve achieved my goals.
How do you want yourself to be protected?
Let’s get started then. Ok, most of you have automobiles, homes, apartments, perhaps children. Let’s talk about the basic security you perform without thinking every day. Most of you lock your cars, homes, and work very hard to keep your children safe. This unconscious process is not something you were born with, it’s a habit that you’ve taught yourself. While there are some genetic things that make you want to survive, we don’t normally operate in a constant state of fight-or-flight. We simply do what we do, because we have taught ourselves, directly or indirectly, to perform those tasks to lower our risk of theft and harm. So what are some of these tasks?
We take for granted our remote controls for our cars, our door locks, the thought process around where to drive, and where not to go after dark. These are all learned behaviors. If you take a different route to avoid a high crime area, that doesn’t make you a bad person. That makes you risk aware. Your re-routing may take longer, but it is clearly safer, for a myriad of reasons.
When we talk about securing applications, data, and people, we are also asking that you take a slightly different route. We’re asking you to take the extra time to lock the doors, check the windows and ensure that you, and everything / everyone you are responsible for, is safe and secure. This is a very minor ask in the grand scheme of things. To take the time to think about how someone might try to gain access to internal systems to take business data is something that should be in the forefront of everyone’s mind. If you don’t do this today, you need to add it to your routine. Just like you added locking your home when you moved in.
In some businesses, there are also requirements around protecting customer data. This is a higher level of security that is needed, as your business is trusted with protecting that customer data. Privacy laws already exist in Europe and other parts of the world, and are coming to the United States. Wouldn’t it be wise to get ahead of those laws? Also, if your customer data is held within the company you are employed by, ask yourself this:
How do you want YOUR data protected?
Let’s take the analogy of a submarine. Any submarine has at least one hatch, and the vast majority of them have several hatches, valves and other areas where water can infiltrate the areas that humans are occupying. When a submarine is on the surface, many of these hatches are open. On older diesel submarines, there is/was a Hull Opening Status Panel (sometimes called the “Christmas Tree” or “Green Board”) that shows red and green lights for every hull opening that could allow sea water to enter the submarine. Before the submarine can dive, all of the lights on the board need to be green (showing closed/safe hull openings). It is not enough to secure all but one of the hull openings, all of them must be closed.
This equates to covering ALL of the information security requirements, not just to satisfy an audit, but to go beyond that, and secure things to the SPIRIT of the requirements, not the LETTER. Sadly most companies don’t see a value proposition (read immediate return on investment or money) in doing so. This is one of the major reasons that data breaches exist today. It is not because security is difficult, or that the “hackers” have better skills, it’s that companies aren’t willing to go to the extra steps needed to properly secure their computers, data, and people. Believing that it is difficult is simply a delusion, perpetrated by people that don’t want to do the extra work, or pay the extra money to secure themselves. This would be like someone living in a cardboard box complaining that someone stole their belongings, while they left it unattended. When you leave things out in the open, people are curious by nature, and will look through it. Be sensible.
There are several types of audits that should be accomplished, and the results of these must be shared with business partners, trading partners, and some regulatory agencies. While a company may pass an audit, it does not mean that the company is actually protecting the information properly, or even securely. For example, of every company that has been breached while subject to PCI DSS audit requirements, NOT ONE OF THEM HAD FAILED A PCI Audit! So, don’t be complacent with a “passed” audit. It only means that you’ve convinced an auditor who has taken a 2 day class and an open book test that you are compliant. Is this the type of “security” you want to rely upon for your data?
In an even smaller business arena, there are businesses that hold highly sensitive data about every person in the United States, the United Kingdom, and other countries. This data is highly regulated, and there are strict laws around the use, distribution, dissemination, storage and security of said customer data. You already know this from your annual training, however, most people only think about it once a year when they have to go through the training. Let’s talk about this data.
For any company working with Personal Identifying Information, or PII, there are significant responsibilities around this information. In each of the areas of the world mentioned above, there are laws around how the data is to be used, stored and secured. To put this type of information in perspective, think how it would feel for you to lose your wallet with all of your information in it, while you also know, that there are people who are willing to pay real money for all of the information that your wallet holds. (Because there are)
Now think of how you would feel if your credit report was left out on a table in a coffee shop, or posted to a bulletin board in your grocery store?
How do you want YOUR data protected?
What are some of the things that you do that add to risk?
- Those shortcuts that you try to take? Risky
- The ambivalence that is expressed when you discover a weakness in the security? Risky
- Allowing Sr. Managers to cover up or ignore deficiencies? Risky
- Allowing PII to sit unencrypted for everyone to see? Risky
- Requesting old and outdated methods of storage, transport or delivery of information? Risky
These are akin to these real life examples:
- Your home locks are breached, but you don’t call a locksmith for two weeks.
- You look at the broken window, shrug your shoulders and say, “It’s not that big of a deal, no one is going to climb through those shards of glass.”
- Your local police tell you that there is nothing to worry about after your home has been burgled, and that you really don’t need to replace the broken front door that now doesn’t close.
- All of your private and personal information is written on a huge billboard, for all of your close friends, family, strangers, and thieves to see.
- Instead of driving a car to work, you choose to ride a horse, where there are only highways.
The above sound ridiculous? That’s because they are…
If YOU don’t take a few minutes every day to think about what you are doing with the information you are working with, you are contributing to the PROBLEM of information security. It would be wise for C-Level staff to lead with this idea… to make all employees more aware that everything they do, is either aiding or detracting from securing information.
Ask yourself, What could you do to make your company more secure?
That’s my 2¢, YMMV.
- Target Data Breach Much Worse Than First Thought…(news.filehippo.com)
- Think you’re now untrackable? Think again. HTML5 is now tracking you.(dc0de.com)
I was in a chatroom this afternoon, and saw a conversation go by from FnC about a problem with ASUS Technical Support not understanding that the MD5 checksums do not match on the latest version of the RT-AC3200 Wireless Router Firmware. ASUS is pushing this firmware upgrade as a security fix, yet the download cannot be validated. When he called them to explain why the discrepancy exists, he was met with an uncaring and uncooperative technical support representative. In FnC’s view, the technical support personnel he spoke to didn’t even UNDERSTAND what the MD5 checksum was for, and why he was so concerned.
Taking the information regarding the firmware, I went out to do some validation on what he was saying.
He said to go to “http://www.asus.com/Networking/RTAC3200/HelpDesk_Download/”, select an OS, and download ASUS RT-AC3200 Firmware version 220.127.116.11.378.4145. I did this, and copied the checksum as provided on their website. (MD5 checksum: 3F4CED45895966E595FA454D24CFF8D9)
The download appears to be coming from http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC3200/FW_RT_AC3200_30043784145.zip, and when I downloaded it and checked the MD5 sum, I received:
dc0de@t61:~/Downloads$ md5sum FW_RT_AC3200_30043784145.zip
cd38a003f18c2302d469e6ae983e1cda  FW_RT_AC3200_30043784145.zip
Let me put this result together with the published result.
|Source of Data|md5sum|
|---|---|
|ASUS website (published MD5 checksum)|3F4CED45895966E595FA454D24CFF8D9|
|md5sum (GNU coreutils) 8.21|cd38a003f18c2302d469e6ae983e1cda|
Clearly something is wrong, and people should be looking at this very carefully.
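As an added example (this is not code from the post, from FnC, or from ASUS), here is how a practitioner would script the check the post performs by hand: compute the digest of the downloaded file, normalise the vendor’s published value (the ASUS page prints uppercase hex, md5sum prints lowercase, so a raw string compare would report a mismatch even on a good download), and compare the two in constant time. The “firmware” bytes and the published digest below are constructed stand-ins, not the real image or its checksum. The helper accepts any hashlib algorithm because a SHA-256 value or a detached signature is a far stronger integrity anchor than MD5 where the vendor offers one.

```python
import hashlib
import hmac
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample "firmware" bytes and the digest a vendor page might publish for
# them (uppercase, as on the ASUS download page). Not the real RT-AC3200 image.
SAMPLE_FIRMWARE = b"The quick brown fox jumps over the lazy dog"
SAMPLE_PUBLISHED_MD5 = "9E107D9D372BB6826BD81D3542A419D6"

HEX_DIGITS = set("0123456789abcdef")


def compute_digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of an in-memory blob with any hashlib algorithm (md5, sha256, ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def compute_file_digest(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Stream a file through the hash so a large firmware zip need not fit in memory."""
    h = hashlib.new(algorithm)
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_published(published: str, algorithm: str) -> Optional[str]:
    """Trim and lower-case a vendor-published digest.

    Returns None when the string is not a well-formed hex digest of the right
    length for the algorithm, so a copy/paste error is reported as such rather
    than silently treated as a mismatch.
    """
    candidate = published.strip().lower()
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(candidate) != expected_len or not set(candidate) <= HEX_DIGITS:
        return None
    return candidate


def verify_download(data: bytes, published: str, algorithm: str = "md5") -> Dict[str, object]:
    """Compare a downloaded blob against the vendor's published digest."""
    computed = compute_digest(data, algorithm)
    expected = normalize_published(published, algorithm)
    # compare_digest avoids leaking where the two strings first differ.
    match = expected is not None and hmac.compare_digest(computed, expected)
    return {"algorithm": algorithm, "computed": computed, "published": expected, "match": match}


def verify_file(path: str, published: str, algorithm: str = "md5") -> Dict[str, object]:
    """Same check for a file on disk, e.g. the zip the post downloaded."""
    computed = compute_file_digest(path, algorithm)
    expected = normalize_published(published, algorithm)
    match = expected is not None and hmac.compare_digest(computed, expected)
    return {"algorithm": algorithm, "computed": computed, "published": expected, "match": match}


def report(results: List[Dict[str, object]]) -> str:
    """Render results as a pipe table like the one in the post."""
    lines = ["|Source of Data|digest|match|", "|---|---|---|"]
    for r in results:
        lines.append(f"|computed ({r['algorithm']})|{r['computed']}|{r['match']}|")
        lines.append(f"|published|{r['published']}|{r['match']}|")
    return "\n".join(lines)


if __name__ == "__main__":
    good = verify_download(SAMPLE_FIRMWARE, SAMPLE_PUBLISHED_MD5)
    tampered = verify_download(SAMPLE_FIRMWARE + b"\x00", SAMPLE_PUBLISHED_MD5)
    print(report([good, tampered]))
```

A mismatch after normalisation, as in the post, means the bytes you received are not the bytes the vendor hashed: a stale mirror, a truncated transfer, or a substituted file. None of those can be told apart by the checksum alone, which is why the download should not be installed until the vendor explains the discrepancy.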
Wow, I’m happy to put last week behind me… however, over the weekend, my left kidney decided that it should try to pass a stone that has apparently grown there. Sadly, it only caused me pain, and didn’t pass… although, I tried…
Whee, now I have a Kidney Stone Timebomb in my left kidney waiting to move… Yum…
The good news? I’m ready for it, and I hope it decides to leave soon…
Tuesday started my week out poorly, with my elbow making a large cracking noise as I rolled my hand off of my mouse from left to right as normal. This crack was immediately followed by a sharp and severe pain in the joint, and a loss of 10° of extension. Any attempt to extend the elbow was met with painful resistance. I did what most people would do, I called my Dr’s office, set up an appointment, and got in to see her on Wednesday. For the rest of the day Tuesday, the pain level slowly rose, until it was a steady 6 (on a scale of 1-10, 10 being the worst), and I went home and took some pain relief. Wednesday morning, I saw my Dr, got some X-rays taken, and scheduled the referral with the surgeon who did my last elbow surgery in November of 2013, for Thursday the 23rd of Jan.
I go see the Orthopedic Surgeon on Thursday, who tells me the following: “Well, the sharp cracking sound was you breaking off a bone spur, and now it’s floating around in your elbow… I need to schedule an MRI so we can determine how best to remove the pieces, and possibly we’ll discuss removing the entire radial head of the radius.”
We spent a few minutes discussing next steps, and we parted, with the knowledge that someone will be calling me to setup the MRI, once Insurance approves.
In the mean time, I’m taking an extra heavy dose of Naproxen Sodium, and being very delicate with my elbow. Thankfully, typing doesn’t harm the elbow…
So, now I’m just in a holding pattern… waiting for the call to setup the MRI… or to hear what excuse United Healthcare will provide for denying it.
So, I get to spend the weekend resting, and keeping from using my right arm, until I hear back from the Ortho… Yippee!
Today has been an eventful day.
It ran from dealing with my elbow popping and causing me incredible pain, and organizing a return visit to my surgeon to see what is wrong, to dealing with people at the office that don’t understand why they have to encrypt PII being sent to a 3rd party.
As I drove home to get some pain meds for my elbow, less than a mile from home, I’m struck by another driver, who moved into my lane on North El Camino Real and made contact with the right rear of my vehicle. I contacted 911, who told me since there were no injuries, to share information with the other driver, and let the insurance companies deal with the issue.
The woman who was driving refused to provide her insurance information, and when I told her that I wasn’t going to give her any information if she wasn’t going to provide the information, she called the police.
So, when I finally got home, I wrote this up to memorialize the information from the accident.
I was driving a Blue Honda Accord (Vehicle A) in the left most lane on El Camino Real in Oceanside, approaching a slight left turn on to Douglas Drive. As I had passed the White Lexus (Vehicle B) in the middle lane, the driver of Vehicle B moved into the lane I was occupying, and struck my vehicle (A) on the right rear quarter panel, with their left front quarter panel. As seen in the images below, the damage to the Honda (Vehicle A) is on the left rear quarter panel, and the White Lexus (Vehicle B) front left quarter panel shows damage.
How this woman believes that this was not her fault, is beyond me.
Now to submit to insurance… groan…
Dear News Agencies – Please wake up.
Marc Rogers prepared a fantastic writeup on his blog entitled “Why the Sony hack is unlikely to be the work of North Korea.” I suggest that EVERY media outlet take a moment and review it. It is clear that there is far more research and digging to be done with regards to this security breach, and ANY future stories pertaining to Information Security breaches.
For the most part, (Brian Krebs being the primary exception), mainstream news has a significant knowledge gap when it comes to technology. They haven’t figured out how to report security breaches, without flogging the word “hack” or immediately blaming someone to gain headlines.
The most alarming part, IMHO, is that there is a chance that we will NEVER know the real root cause, however, Marc’s blog post does find some very insightful indicators that the North Korea angle is simply wrong.
Lastly, thank you Marc, for a well reasoned and thought out contribution to the current Sony issues.
Welcome to the December Holiday Season! With our busy December schedules, we need to be aware that data breaches also occur during the Holiday Season. Criminals understand that the holiday season is a very busy time, not just for individuals, but also for employers, companies, and all sectors of industry.
For those that may have missed it, 60 Minutes did a short 13-minute piece on Credit Card fraud, and for those that remember, there were several breaches this past year, and many of them were in place far before the 2013 Holiday Season. The main point of all of this is to create an environment where we can all be on the lookout for the risks, have open discussions, and to ensure that we are all doing our part to secure our personal information. Please take a moment to view the video.
Some Data Breach Presents for under your tree!
We have found a few infographics for you that show the number and sources of some of the largest breaches of 2013/2014. You can find them below.
As always, have a productive, safe and happy holiday season, from all of us here.
- 60 Minutes Video – As hacking of top retailers make headlines, Bill Whitaker discovers how insecure your credit card information is this holiday season(opensourcesinfo.org)
- More data breaches expected this holiday season(bizjournals.com)
- Avoiding credit card fraud in the holiday season(lexingtonlaw.com)
For those who have been following, there are some nuances of the latest Crypto Security flaws that may have been missed by most…
Adding to my previous post: you should not only completely disable SSL v3 and SSL v2, but also consider disabling TLS v1.0.
Another good site to test your browser / client for its security configuration is https://www.howsmyssl.com/
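An added example, not from the post or from any real deployment, that turns the advice above into a check you can run against a server configuration. The two nginx server blocks are constructed: the first offers every legacy protocol, the second is the hardened form. The audit flags SSLv2, SSLv3 and TLS 1.0 as the post recommends, and goes one step beyond the post by also flagging TLS 1.1, which has since been deprecated alongside TLS 1.0 in RFC 8996. The last function applies the same floor on the client side, which is the half of the picture howsmyssl.com tests.

```python
import re
import ssl
from typing import List

# Constructed nginx server blocks (not from any real host). The first is the kind
# of legacy configuration the post warns about; the second is the hardened form.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# Protocol versions that should no longer be offered, with the reason a reviewer would cite.
DEPRECATED_PROTOCOLS = {
    "SSLv2": "broken protocol design; no secure cipher negotiation",
    "SSLv3": "POODLE padding-oracle attack via protocol fallback",
    "TLSv1": "CBC weaknesses (BEAST) and deprecated by RFC 8996",
    "TLSv1.1": "deprecated by RFC 8996; no modern cipher suites",
}

# Matches each `ssl_protocols <names>;` directive in an nginx config.
_SSL_PROTOCOLS_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def enabled_protocols(conf: str) -> List[str]:
    """Collect every protocol named in ssl_protocols directives, in order of appearance."""
    names: List[str] = []
    for m in _SSL_PROTOCOLS_RE.finditer(conf):
        names.extend(m.group(1).split())
    return names


def audit_protocols(conf: str) -> List[str]:
    """One finding per deprecated protocol still offered; an empty list means clean."""
    return [
        f"{proto} is enabled: {DEPRECATED_PROTOCOLS[proto]}"
        for proto in enabled_protocols(conf)
        if proto in DEPRECATED_PROTOCOLS
    ]


def hardened_client_context() -> ssl.SSLContext:
    """Client side of the same policy: refuse to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_protocols(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
    print("client floor:", hardened_client_context().minimum_version.name)
```

The audit is a static review of what the server is configured to offer; it does not replace a live handshake test, because a server may also be built against a library that cannot speak the newer versions at all, which only a scan such as howsmyssl.com (for the client) or an equivalent server-side scanner reveals.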
- New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue(threatpost.com)
- Not So Fast on BEAST Attack Mitigations(threatpost.com)