Replied to Remote Desktop Access History: Pretty Cool, Until a Hacker Does It (Tedium: The Dull Side of the Internet.)

In the years to come, there will most assuredly be books and oral histories written about what happened in Florida, the sheer folly of leaving remote access open with so little focus on security. But it should not be a knock on remote access, which was a super-novel concept back in the mid-’80s and is still pretty awesome today as it has improved along with GUIs and network access.

Really, it’s a knock on the fact that, all these years later, we suck at security when we should be good at it.

Ernie, here I was thinking that email was our biggest point of concern; clearly remote desktop access is up there too. Maybe this explains why Apple makes you complete so many steps to connect?
Bookmarked Padlocks, Phishing and Privacy; The Value Proposition of a VPN by Troy Hunt

To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.

Troy Hunt explains that even with HTTPS, there is still a need for VPNs and the added security/privacy they provide.

As the old saying goes, privacy isn’t necessarily about having something to hide, it’s also about not having something you want to share; if you’re depressed and going to then you may not wish to share that with other people. If you’re having trouble with alcohol and visit then you may not want to share that either. If you’re pregnant and hopping over to then, again, you may expect to keep that information private (let us not forget the story of how Target managed to “data-mine its way into [a teenage girl’s] womb”). Just looking up those URLs I was imagining what sort of conclusions would be drawn about me if someone had access to my connection! (No, I’m not a depressed alcoholic teenager who’s expecting…)

Liked When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number

tl;dr

Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.

How it works

The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.

Bookmarked We Didn’t Encrypt Your Password, We Hashed It. Here’s What That Means: by Troy Hunt

A password hash is a representation of your password that can’t be reversed, but the original password may still be determined if someone hashes it again and gets the same result.

Troy Hunt discusses the difference between encryption and hashing when it comes to passwords.

Bookmarked Major Security Flaws Found in South Korea Quarantine App

The defects, which have been fixed, exposed private details of people in quarantine. The country has been hailed as a pioneer in digital public health.

Aaron Krolik, Choe Sang-Hun, Natasha Singer and Raymond Zhong report on flaws found in the South Korean quarantine app:

In May, Mr. Rechtenstein returned to his home in Seoul from a trip abroad. While self-isolating at home, he became curious about the government’s seemingly simple app and what extra features it might have. That prompted Mr. Rechtenstein to peek under the hood of the code, which is how he discovered several major security flaws.

He found that the software’s developers were assigning users ID numbers that were easily guessable. After guessing a person’s credentials, a hacker could have retrieved the information provided upon registration, including name, date of birth, sex, nationality, address, phone number, real-time location and medical symptoms.

It would seem that each country has had its sway.

The Times found this spring that a virus-tracing app in India could leak users’ precise locations, prompting the Indian government to fix the problem. Amnesty International discovered flaws in an exposure-alert app in Qatar, which the authorities there quickly updated. Other nations, including Norway and Britain, have had to change course on their virus apps after public outcry about privacy.

Although Australia’s issue seems to have been that it does not work.

RSVPed Interested in Attending Introduction to Cyber Security – Online Course – FutureLearn

Gain essential cyber security knowledge and skills, to help protect your digital life. Join this GCHQ Certified Training course from The Open University.

This looks like a worthy learning opportunity.

via Cory Doctorow

Liked Something you know, Something you have by Chris Betcher

The something you know is the password, and yes it’s still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember. But it’s not enough. It’s just one factor.

The second factor is something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they can’t access your data, even if they know your password. Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.

Bookmarked Rethinking Encryption (Lawfare)

We all need to deal with reality. And in my experience, that’s what the people who have dedicated their lives to protecting all of us—such as the employees of the FBI—usually do best. How else do you stop the bad guys but by living in reality and aggressively taking the fight to them based on an accurate assessment of the facts? I am most certainly not advocating surrender, but public safety officials need to take a different approach to encryption as a way to more effectively thwart our adversaries, protect the American people and uphold the Constitution in light of the existential cybersecurity threat that society faces. If law enforcement doesn’t want to embrace encryption as I have suggested here, then it needs to find other ways to protect the nation from existential cyber threats because, so far, it has failed to do so effectively.

Jim Baker takes a deep dive into the world of security, encryption and zero-trust networks. He touches on the current confusion over the law: the government can request access, but there is nothing to say that such access should not be encrypted:

Put differently, the legal problem for law enforcement is not the Fourth Amendment. Investigators and prosecutors can and do obtain warrants to authorize searches, seizures and surveillance of encrypted digital evidence. The problem is that there is no law that clearly empowers governmental actors to obtain court orders to compel third parties (such as equipment manufacturers and service providers) to configure their systems to allow the government to obtain the plain text (i.e., decrypted) contents of, for example, an Android or iPhone or messages sent via iMessage or WhatsApp. In other words, under current law, the most the government can do with respect to encrypted systems where the manufacturer or service provider does not hold the encryption keys is to demand that companies provide it with an encrypted blob for which they have no mechanism to decrypt.

One suggested workaround is better use of metadata to support crime enforcement:

If, in fact, governments more aggressively support encryption, they will have to focus even more on collecting and analyzing noncontent metadata, increasingly aided by advanced data analytics driven by machine learning and other artificial intelligence tools. I know full well that obtaining noncontent metadata, while useful, is not the same as collecting the full content of communications and documents. It is hard to use metadata, for example, to prove criminal intent or to understand exactly what a spy or a terrorist is plotting. But we are in a world where content is increasingly unavailable and there is a wealth of metadata. So, the government should focus on collecting the right data and developing or buying top-notch analytical tools. In doing so, of course, it needs to make sure that such metadata collection and analysis is consistent with the Fourth Amendment. Admittedly, that will be more complicated in light of the U.S. Supreme Court’s decision in Carpenter v. United States. And it will be harder to do all this in the face of efforts by some companies to further anonymize public internet metadata. Nevertheless, this is where law enforcement finds itself since it has not persuaded Congress to act.

However, what this all highlights is that every country has a different set of rules; therefore this is a debate that needs to be had in a number of places.

Listened Security vs privacy – who wins? Chips with Everything podcast from the Guardian

Ministers from several countries have written an open letter to the Facebook CEO, Mark Zuckerberg, asking him not to fully encrypt all of the company’s messaging services. This week, Jordan Erica Webber talks to The Guardian’s tech reporter Julia Carrie Wong and security expert Alan Woodward about the implications of restricting end-to-end encryption.

Jordan Erica Webber unpacks the push by some governments to limit end-to-end encryption and the impact this would have on privacy and security. Cory Doctorow also discusses this on the Bitcoin Podcast, while Edwina Stott explores this topic on the Future Tense Podcast.

Liked Your phone is a crimewave in your pocket, and it’s all the fault of greedy carriers and complicit regulators (Boing Boing)

Insider attacks, cell-site simulators, SIM-swap attacks, thriving markets in super-cheap, fine-grained location data, robocalls, fictitious coverage maps, and more: does the fact that all this terrible shit keeps happening, and only gets worse, mean that mobile companies and the FCC just don’t give a fuck if your mobile phone is a crime wave you carry around with you in your pocket?

Bookmarked #Domains19: Minority Report – One Nation Under CCTV (MASHe)

As the creator of TAGS, privacy and surveillance often sit at the back of my mind. From the beginning TAGS was designed to help show people the amount of data we personally share and how easy it is for anyone to access. We all know that technology is not neutral, and whilst there is a long list of people using TAGS for positive purposes, by its nature there are some who turn to the dark side.

In a keynote for Domains19, Martin Hawksey takes a look at privacy and security. He shares a number of experiments (Domain Invaders and They Live) designed to highlight what is possible. It is interesting to consider all this alongside Kin Lane’s sentinelization of APIs. I wonder if it is about being informed?

Bookmarked Do You Trust Your VPN? Are You Sure? by Will Oremus (Slate Magazine)

Virtual private networks are now a must-have privacy tool. But good luck figuring out which ones will actually make you safer.

Will Oremus explores the world of VPNs. He explains the differences between free and paid subscriptions, as well as who owns the company and why it is not always possible to know.

One of the only definitive takeaways, besides “steer clear of free VPNs,” is that your choice of VPN should depend on what you’re using it for. If you’re just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that’s clear about both who owns it and how it treats your data. If your goal is to torrent pirated files, view blocked content, assassinate an ambassador, or otherwise evade the long arm of your government (or the governments it shares intelligence with), one based offshore might be a better bet—provided you’re quite sure it doesn’t have secret ties to the government you’re trying to evade.

via Ian O’Byrne

Liked Phone Numbers Were Never Meant as ID. Now We’re All At Risk (WIRED)

So if you’re looking for an alternative to the phone number, start with something more easily replaceable. Hardjono suggests, for example, that smartphones could generate unique identifiers by combining a user’s phone number and the IMEI device ID number assigned to every smartphone. That number would be valid for the life of the device, and would naturally change whenever you got a new phone. If you needed to change it for whatever reason, you could do so with relative ease. Under that system, you could continue to give out your phone number without worrying about what else it might affect.

Replied to Too Long; Didn’t Read #163 (W. Ian O’Byrne)

I’ve talked about two-factor authentication (2FA) in the past. Basically when you log in to a site/service, you need to give another proof of identity. In this case, you would insert the USB stick, or click the Bluetooth sensor on your keychain.

This reminds me, I got given a YubiKey and never got around to setting everything up.

Bookmarked B-Tags, Photos, Technology & Surveillance by Ian O’Byrne (W. Ian O'Byrne)

These technologies provide amazing opportunities to provide real services to our lives. I experienced this first hand as we enjoyed our time in this road race, and will look forward to the next one together. I was impressed by the use of technology as I was interacting with these sources and signals. At the same time, I was still plagued by a number of questions as I was thinking about these tools, and other possible uses. In our current and future societies, we need to examine these uses and think about how or why we use these solutions.

Ian O’Byrne reflects on the use of ChronoTrack B-Tags, which consist of two stickers containing RFID antennas, to track participants in a fun run. They are used to monitor participants, but also to connect them with commercial opportunities. Along with facial recognition and smart badges, this is another example of the continual evolution of the surveillance state.