Category: Network Security

Most of us who have used Facebook have found ourselves seeing a friend request for someone who is already our Facebook Friend. This is a form of account compromise where someone creates a doppleganger of our account as a way to impersonate our online personality.

Such “clone” accounts of our online presence can be used as a way to facilitate a “man-in-the-middle” attack especially when dealing with an encrypted communication setup. It is an issue that is becoming more real with state-sponsored cybercrime where authoritarian states are hacking computer and communications equipment belonging to journalists, human-rights activists or a democracy’s government officials and contractors.

Mutually-verified contacts

In most implementations, each contact has a code that is generated by the messaging or social media platform as a human-readable or machine-readable form. The former approach would be a series of letters and numbers while the latter would be a barcode or QR code that you scan with your computing device’s camera.

In a lot of cases, this code changes if the user installs the social-media app on a new device or reinstalls it on the same device. The latter situation can occur if your phone is playing up and you have to reinstall all of your apps from scratch.

Users are encouraged to verify each other using this authentication code either in person or through another, preferably secure, means of communication. In-person verification may take place in the form of one user scanning the other user’s machine-readable code with their phone.

This allows each user of the platform to be sure they are communicating with the user they intend to communicate with and there isn’t anything that is between each party of the conversation. It is similar to a classic contact-authentication approach of asking someone a question that both you and the contact know the answer to mutually like a common fact or simply using a nickname for example.

The feature is part of Signal but is being baked in to Apple iMessage as part of iOS/iPadOS 16.3 and MacOS Ventura 13.1. But I see this as a feature that will become part of various instant-messaging, social media and similar products as the market demands more secure conversation.

Zoom also implements this as part of its end-to-end encryption feature for videoconferences. Here, users can verify that they are in a secure videoconference by comparing a number sequence read out by the meeting host after they click on a “shield” icon that appears during an encrypted videoconference. Here, this feature could come in to play with Signal and similar apps that are used for group conversations.

Relevance

Primarily this feature is being pitched towards users who stand to lose a lot, including their lives because they engage in “high-stakes” activities. Such users are government officials, public servants and military in democratic states, vendors who sell goods and services to government or military in these states, journalists and media workers in states that value a free press along with human-rights activists and NGSs.

Here, these users become highly vulnerable due to them being of interest to authoritarian states and organisations or individuals that aid and abet these states.  It is also being applied to countries that have undergone a significant amount of democratic backsliding or are considered to be socially unstable.

Personally, I see this as being important for everyday use so you can be sure that whom you want as part of your social-media or online messaging circle is whom you actually want. Here, it can avoid you dealing with scams based on others impersonating you or others in your social circle such as the “relative in distress” scam. As well, it can also be seen as a way to be sure you are linking with the right person when you add a new person to your social-media list.

Conclusion

I would see an increasing number of communications, social media and similar platforms acquiring the “mutual contact verification” function as a security feature. This would be more so where the platform supports end-to-end encryption in any way or there is a reliance on some form of personal safety or business confidentiality.

Articles

UK mulls security warnings for smart home devices | Engadget

New UK Laws to Make Broadband Routers and IoT Kit More Secure | ISP Review

From the horse’s mouth

UK Government – Department of Digital, Culture, Media and Sport

Plans announced to introduce new laws for internet connected devices (Press Release}

My Comments

A common issue that is being continually raised through the IT security circles is the lack of security associated with network-infrastructure devices and dedicated-function devices. This is more so with devices that are targeted at households or small businesses.

Typical issues include use of simple default user credentials which are rarely changed by the end-user once the device is commissioned and the ability to slip malware on to this class of device. This led to situations like the Mirai botnet used for distributed denial-of-service attacks along with a recent Russia-sponsored malware attack involving home-network routers.

Various government bodies aren’t letting industry handle this issue themselves and are using secondary legislation or mandated standards to enforce the availability of devices that are “secure by design”. This is in addition to technology standards bodies like Z-Wave who stand behind logo-driven standards using their clout to enforce a secure-by-design approach.

Home-network routers will soon be required to have a cybersecurity-compliance label to be sold in the UK

The German federal government took a step towards having home-network routers “secure by design”. This is by having the BSI who are the country’s federal office for information security determine the TR-03148 secure-design standard for this class of device.  This addresses minimum standards for Wi-Fi network segments, the device management account and user experience, along with software quality control for the device’s firmware.

Similarly, the European Union have started on the legal framework for a “secure-by-design” certification approach, perhaps with what the press describe as an analogy to the “traffic-light” labelling on food and drink packaging to indicate nutritional value. It is based on their GDPR data-security and user-privacy efforts and both the German and European efforts are underscoring the European concern about data security and user privacy thanks to the existence of police states within Europe through the 20th century.

… as will smart-home devices like the Amazon Echo

But the UK government have taken their own steps towards mandating home-network devices be designed for security. It will use their consumer-protection and trading-standards laws to have a security-rating label on these devices, with a long-term view of making these labels mandatory. It is in a similar vein to various product-labelling requirements for other consumer goods to denote factors like energy or water consumption or functionality abilities.

Here, the device will be have requirements like proper credential management for user and management credentials; proper software quality and integrity control including update and end-of-support policies; simplified setup and maintenance procedures; and the ability to remove personal data from the device or reset it to a known state such as when the customer relinquishes the device.

Other countries may use their trading-standards laws in this same vein to enforce a secure-by-design approach for dedicated-function devices sold to consumers and small businesses. It may also be part of various data-security and user-privacy remits that various jurisdictions will be pursuing.

The emphasis on having proper software quality and integrity requirements as part of a secure-by-design approach for modem routers, smart TVs and “smart-home” devices is something I value. This is due to the fact that a bug in the device’s firmware could make it vulnerable to a security exploit. As well, it will also encourage the ability to have these devices work with highly-optimised firmware and implement newer requirements effectively.

At least more countries are taking a step towards proper cybersecurity requirements for devices sold to households and small businesses by using labels and trading-standards requirements for this purpose.

Articles

UK government tackles online abuse with anti-trolling website | We Live Security blog (ESET)

Cyberbullies: Anti-trolling website launched to help victims | The Independent

Government launches anti-trolling website to help victims of online abuse | The Guardian

Previous Coverage

What can you do about people who use the Social Web to menace

Dealing with Internet trolls

From the horse’s mouth

Stop Online Abuse (UK-based)

My Comments

The UK government have launched a Website focusing on online abuse and how to deal with it, including legal remedies and resources.

It is focused more towards women and the LGBT (gay/lesbian/bi/trans) community who are facing these issues because, from various surveys, these user groups are often copping it the most. This covers online abouse related to domestic violence, sexism and sexual harassment, along with homophobia and related anti-LGBT abuse. But there are other situations where people do suffer in silence such as general racism, issues-focused or business-level disputes.

I see the “Stop Online Abuse” website applying to all situations where the Internet is involved and a lot of the commentary is very generic. But I do see some limitations with the legal remedies because there may be difficulties with applying them when situations happen across jurisdictions as is the norm with the Internet.

For example, the crime of “sending messages using any public electronic communications network such as Twitter or Facebook, which are grossly offensive or of an indecent, obscene or menacing character” that is part of the UK’s Communications Act 2003 may have a legal equivalent in your jurisdiction. This may be in the form of one or more national communications statute that proscribes the use of a communications service or “common carriage service” to harass others. Similarly, there are court injunctions that were cited for the UK like the Family Law Act 1996 Non-Molestation Order or the Protection From Harassment Act 1997 restraining order that have equivalents under your jurisdiction’s criminal, civil or family law but with different names.

It is worth contacting your local citizen’s advice bureau or similar government or voluntary organisation for more resources. Infact, locating an organisation that specialises in your particular circumstances like a domestic-violence support organisation may provide you with better information suited to your exact needs.

Similarly, it is a wise move for these organisations to “bone up” on the issue of online abuse so they can provide the right advice to suit their clients’ situations and needs. National, regional and local governments along with the judiciary can also see this site as a chance to provide a Web-hosted “one-stop shop” for their constituents to know more about these issues. This is in addition to creating legislative remedies for online-abuse problems. As well, as each case is litigated in a family, criminal or civil context, the knowledge created from the legal action can be used to tackle this situation better in the courtroom.

Article (French language / Langue Française)

VeraCrypt, une alternative française à TrueCrypt | Le Monde Informatique

From the horse’s mouth

Idrix

VeraCrypt product page

My Comments

TrueCrypt is a source-available encryption engine used primarily in Windows 7 and 8 as part of the BitLocker volume encryption function that the operating systems offer. Lately, further maintenance of this encryption engine had ceased with accusations of the likes of NSA putting pressure on the developers to cease maintaining it.

A few other third-party encryption engines have surfaced from Europe such as the VeraCrypt engine from France and a fork of this engine constructed in Switzerland. This is in response to Europeans having a distrust for “big government” having access to personal data due to being burnt by the Hitler, Mussolini and Franco regimes in the West and the Communist governments in Russia and the East.

Idrix has worked on the French VeraCrypt project which is pitched as being easy to use for small business, non-profit organisations and individual users. Like all encryption software, it doesn’t support the ability to “trans-crypt” i.e. convert an encrypted volume over to another encryption mechanism.

It will be initially issued for the Windows regular-computer platform but a port is being expected soon for the MacOS X (Apple Macintosh) and Linux platforms. As well, it is being made available for free and as open-source software.

But what I see of this is an attempt for European companies to “break through” the US stranglehold that can accompany the computer software scene and for European culture and norms to be respected in this field.

Article (Broadcast transcript)

HACKED! – Four Corners (ABC) Video and transcript through this link

Previous coverage on HomeNetworking01.info

Interview and Presentation–Security Issues associated with cloud-based computing (Interview with Alastair MacGibbon and Brahman Thyagalingham )

Symantec Symposium 2012 – My Observations From This Event

My Comments

I had watched the Four Corners “Hacked” broadcast concerning data security and cyber espionage, which encompassed the issue of the cyber attacks affecting nations as a whole.

The show had touched on a few key points, some of which were raised in the previous events that I attended. Here, it underscored the factor of hacking being part of espionage by nation-states like China. The targets of this espionage were intellectual-property belonging to private-sector companies or government departments, especially where military information was involved.

Example incidents include the recent theft of blueprints for ASIO’s new offices along with a cyber attack against Codan who is an electronics supplier to Australian and allied defence forces. The tactics that were used against Codan included use of a public-access Wi-Fi network to install malware on a laptop belonging to a representative of that company when they visited China, along with a “spear-phishing” attack on their email. It also underscored the fact that it is not the entity’s computer networks that are at risk but the “crown jewels” i.e. the key intellectual property that belongs to the entity.

The same show also underscored the use of malware to target essential-services systems like a nuclear enrichment plant in Iran and an Indian telecommunications satellite. Here, they raised the spectre of electricity grids, telecommunications backbones and similar infrastructure being targeted by sophisticated cyber attacks. This becomes more real as most essential-services systems become computer-controlled and connected to the Internet and I would like to see the issue of these systems designed with fail-safe operation in mind such as working offline and providing the core services at known specifications if things go wrong online.

Later on in this show, Alastair MacGibbon had called for the Australian government to require businesses and other organisations to publicly disclose cyber attacks and wanted this across the board for all entities. This was previously underscored by him through the interview and presentation where he described Australia’s data protection laws as being careless as typical of the “She’ll Be Right” nation.

The Australian Government had improved their data-protection laws by tabling bills that require cyber-attack disclosure on the larger public companies rather than all companies.

As well, the issue of cyber espionage by nation-states was being considered as the equivalent of wartime activities like nuclear war and treatment of civillians and needed to be tackled on an international level in a similar way that other similar wartime activities have been dealt with. Personally, I see the latest cyber-attacks, especially those emanating from countries that were behind the Iron Curtain, as the makings of another “Cold War” and these have to be treated accordingly.

Articles

Locked Out Of Your Facebook Account? Trusted Contacts Will Save You | Gizmodo Australia

Facebook puts account security in the hands of your friends |CNet

My Comments

Commonly most of us leave a set of keys for our home with someone else that we trust like a close friend or neighbour. This is to allow us to get back in to our home if we lock ourselves out, which can be easily done if you can lock that front door without the need for a key typically by flicking a thumbturn or pressing a button.

Facebook has taken this practice to their account-security procedures by allowing us to work with a “trusted person” to gain access to our accounts. Here, you let Facebook know the contact details of the three to five trusted people and if a lockout occurs, Facebook would send the codes to these people and you contact these people preferably via phone or SMS for these codes. This can come in handy with older people who forget their Facebook credentials or if someone’s account was hacked and the password was changed.

Facebook are in a position to do this not just because of them being a highly-popular social network but users are using their Facebook parameters to sign in to a large number of consumer-oriented Websites and mobile apps. I wouldn’t put it past Microsoft or Google to implement this in to their account systems, especially more so with Microsoft using the Web-hosted credentials as the key to our Windows 8 computers.

Introduction

The recent security scare with the Apple Macintosh platform and its exposure to the Flashback malware was centered around the use of Java on this platform, rather than being targeted directly using native code. But there have been similar risks targeted at this platform but this time using the Adobe Flash runtime environment.

Previously the typical computer’s operating system, desktop-productivity software and default Web-browsing environment has been targeted by malware writers. This has been more so with software that is used by many people, like Microsoft’s Windows XP operating system and Internet Explorer Web browsers.

But Microsoft, Apple and the open-source community have been working lately on hardening their operating-system, desktop-productivity and Web-browsing software against malware. This has been done through releasing software patches that fix vulnerabilities as soon as they are discovered and having such patches delivered using automated software-maintenance systems like Windows Update.

So malware authors are now turning their arrows towards the multi-platform runtime environments like Oracle’s Java and Adobe’s Flash and Air environments. These typically have a runtime component that is user-installed on most computing platforms, or this component is rolled in to some computing platforms.

These runtime environments have appealed to mainstream software developers because they can create their software in a “write once, run anywhere” manner without needing to port the software to the different platforms they want to target. This situation also has appeal to malware authors due to the ability to target multiple platforms with little risk as well as finding that these runtime environments aren’t patched as rigorously as the operating systems.

One main problem – Java and how it is maintained on the Macintosh

The Java runtime environment used to be delivered with the Windows platform until 2004 due to a legal agreement between Sun and Microsoft regarding an anti-trust issue. Now Windows users pick up the runtime code from Oracle’s Java website now that Oracle have taken over the Java environment from Sun.

But Apple still delivers the Java runtime environment to their Macintosh users, either with the operating system until “Snow Leopard” or as a separate download from their Website for subsequent users.

For both platforms, the Java runtime survives operating-system updates, even major version upgrades. As well, it, like the Adobe Flash runtime, has to be updated separately.

Windows and Linux users still have the advantage of going to the Oracle Website to install and update the Java Website and they can set up the Java installer software to implement the latest version automatically or let them know of updated Java runtimes. But Apple don’t pass on new updates for the Java runtime to MacOS users as soon as Oracle release them.

What Apple should do is pass on the Java runtime updates as soon as Oracle releases these updates. This could be involving Apple ceding the management of the MacOS X Java runtime to Oracle and writing any necessary integration code to support co-ordinated maintenance of this runtime the the Macintosh platform.

What users can do with these runtime environments

Users can keep their runtime environments for Flash, Java, Adobe Air and other “write once, run-anywhere” platforms by looking for updates at the developer’s Website. They can also enable automatic deployment of critical updates to these environments through various options offered by the installer.

But do you need to keep any of these runtime environments on your regular computer? You could do without it but some vertical, enterprise and home software requires the use of these runtime environments. In some cases, some developers write parts of their software in native code for the platform the software is to run on while using “write once, run anywhere” code that works with these environments for other parts.

For example, YouTube,  most browser-hosted games or file-transfer interfaces for Websites implement Adobe Flash Player while programs like OpenOffice, Adobe’s Creative Suite and some enterprise / vertical software require Java.

If you are not likely to running any programs that depend on a runtime environment regularly or can avoid needing that particular environment, you could avoid installing the environment at all to keep your computer secure and stable.

What can the industry do

Use of computer security software to protect against runtime-environment attacks

A question that could be raised is whether it is feasible for a computer-security program to be written so that it can inspect the software that is intended to be run in these environments.

This is more so as these environments become ubiquitous for delivering software to multiple computing environments. In the case of Java, this environment is being implemented as a baseline for the Android platform and as the language for writing interactivity in to Blu-Ray Discs.

This could be achieved through the use of plug-in modules for current desktop and appliance-level security applications; or for modules that connect to the runtime environments, observing for abnormalities in the way they handle computer resources.

Development of enhanced runtime environments that work with the host operating system’s security logic

It can also be feasible for the runtime environments to work tightly with the operating-system’s user access management and prevent the programs that work behind them from using resources unless they are explicitly allowed to. This could involve use of sandboxes or privilege levels that mimic the operating system’s privilege levels thus working at the lowest level unless they have to work higher.

Consistent and responsive updating of the runtime environment across all platforms

Adobe, Oracle and others who develop “write-once, run-anywhere” platforms could implement a consistent and responsive update policy for these platforms in response to any discovered bug or exploitable software weakness. The developers of these platforms have to be sure that the updates are delivered as soon as possible and across all platforms that the runtime environment is targeted at.

This includes development of a strategy so that access to the targeted platforms is guaranteed by the runtime-environment developer. For example, it may include immediate propagation of firmware updates for devices or the use of the developer’s own installation routines for all regular computing environments.

Allow design-time native-binary compiling for desktop Java

Another improvement that I would like to see is for software that is written in the Java language to be able to be compiled to native binary (.EXE) code during development. Here, this could allow a desktop-software project that has routines written in Java as well as routines written in other languages like C++ and targeted to one platform to be able to run quickly and securely on that platform.

It will then avoid the need to require the installation of the Java runtime when a program like Adobe’s Creative Suite software is deployed to the end user. It can also allow the developer to deliver the software to many platforms in a binary form that is native to each target platform, thus allowing for efficient use of system resources.

Conclusion

Once we adopt proper standards concerning the management and maintenance of “write-once, run-anywhere” software-development platforms and make them to the same standard as regular-computer operating systems, this can reduce the chance of these platforms being exploited by malware authors.