Archives

All posts by cpw

If one good thing has come out of the recent Hacking Team hack (apart from a fairly scummy company getting their come-uppance and failing to initiate their own internal kill processes), it’s a salutary warning on the issues with mobile code. In particular, the issues with our old friend, Adobe Flash.

3 o-day vulnerabilities in Flash have been released in 2 weeks, and the frequent upgrade cycle can’t be helping with not introducing other issues. Yet we still see a huge number of sites (and even better, security tools) using it. Among the best was the US Senate debate on cybersecurity requiring you to load flash to watch it — while there were 0-day flash vulnerabilities in the wild).

Cisco, for all that I’ve spent a lot of time working with and promoting their products, requires flash for functions in the console of ISE. It’s time for this to stop; HTML5 is available, and we can use more secure (in fact, I’m not sure we can use less secure unless it’s Java) methods to present data. Flash WWW sites have been irritating for years — now they’re irritating and dangerous. Yet if industry leaders and vendors continue to REQUIRE Flash to effectively use their products, how fast can we actually get rid of it?

On a more personal note, I’ve been endorsing running a flash-blocker, click-to-flash, or some sort of browser plug-in for years.  It’s even more pressing these days — just do it. Once you’ve done it, think before you click on that flash video elf-bowling game!

.. and there’s nothing important in my e-mail.

I’ve heard this a lot more than I’m comfortable with when talking to people. It’s just their e-mail, they don’t use it for anything important really, there’s nothing confidential in there so why not just use (or, even BETTER, re-use) a nice simple password so it’s easy to access.

Or why worry when your school has an e-mail breach.

There’s a lot people aren’t considering here:

  • Password re-use. While I absolutely believe the password SHOULD be dead, there isn’t a suitably convenient and effective replacement. Mastercard is trying for selfie-based authentication, but we’ve seen most of the facial recognition systems can be fooled by a photo — and if it’s just the single-factor, then it’s PERMANENTLY compromised if it’s broken. Breach records and password analysis have repeatedly shown that people continue to re-use passwords, so once one is broken, what else is out there?
  • Password and account recovery. This one is, to me, scarier than the above. So you’ve practiced good password hygiene, used a different password and it’s a nice strong one. You’re even using a password manager and don’t type it in in case you get screen scraped. Now your e-mail is compromised, and you click the link to send the password to the recovery account. Ooops.
  • Last (and probably least) now people can use your account for whatever — spam, malware, phishing. While it’s relatively easy to fake this still, a real account will pass more checks.

E-mail remains the gateway to a lot of information, regardless of it’s various levels of insecurity (unencrypted SMTP across  untrusted networks with confidential data? WIN!). It needs protecting, and that’s why I’m so happy when I see services start to offer 2-factor authentication. It’s not as convenient, but having some kind of extra authentication whether via SMS, an application on your smart phone, or a token is one of the best defences you can have if and when someone gets the back end database for your system.

It’s probably, depressingly, when.

 

 

Well… maybe.

Unless the exit node isn’t safe. Tor only encrypts as you traverse their network, so if you want to see what someone is using, just set up an exit node and monitor it.

It appears this is going on. Can you trust a Tor node?

In short, look at what you’re trying to achieve and then pick a tool that meets it. Want end-to-end encryption? Make sure you’re using it in the application, or via some other mechanism. This same logic applies to VPN — the services that you use terminating in an Internet end point may not be secure, so just because you’re encrypted to them, don’t trust people aren’t seeing what you do.