Preventing a DDOS is not going to be easy

As a follow-up to my previous post on DDOS attacks [1,2], I’ve seen a lot of so-called ‘solutions’ to the problem, which really aren’t solutions at all.

While it’s still not explicitly clear that the StarHub DDOS was executed by Mirai, a recently released malware built specifically for DDOS, the timing and similarity of it to other Mirai attacks leave little room for doubt–at least to me.

If StarHub was indeed a victim of a Mirai-based attack, it would seem extremely odd that their CTO would reference phishing emails as a vector for infection. So a few things don’t quite line up here, including the advice from the CTO to change the default username and password, when Brian Krebs has already reported that this doesn’t quite help:

Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” <IP address> to reach a username and password prompt at the target host).

The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

If you’re more technically inclined, I strongly suggest listening to the feature interview on last week’s Risky Business podcast.

But the last piece of advice that the StarHub CTO gave, which didn’t make sense to me at all, was this:

“If you were to buy a webcam from Sim Lim Square, try to get a reputable one”

Again, this may seem like good advice, but it doesn’t conform to the evidence. Brian Krebs has a list of devices that are hack-able, and they include the likes of Panasonic, RealTek, Samsung and Xerox, all of which regular consumers would consider ‘reputable’.

So StarHub claimed that you should change your passwords–but that doesn’t protect you from Mirai.

StarHub claim that you should buy equipment from ‘reputable’ suppliers, but even reputable suppliers produce hackable IOT devices that can’t be secured.

Finally, StarHub are going to be sending technicians out into the field to help subscribers, and while this is laudable, it’s not a sustainable solution. It only fixes a short-term problem, because as long as consumers continue to buy hack-able IOT devices, the threat isn’t going to go away.

And how often can StarHub afford to send technicians to make home visits before the costs start becoming unbearable?

The way to view this issue is from a legal, economic and technical perspective–and in that order.

Internet of shitty things!

Brian Krebs is the most reputable name in CyberSecurity reporting, his krebsonsecurity website is the best source of ‘real’ journalism on the subject.

But reputation works both ways: the same thing that makes him popular in some circles makes him unpopular in others. He’s had criminal hackers send him heroin in the mail and even have SWAT teams descend on his home with guns all blazing (in a phenomenon called swatting!). Reporting on and exposing underground cyber-criminals comes at a price; you don’t piss off darknet crime lords without taking a few hits along the way.

The problem though is when those ‘few’ hits turn into a hurricane of web traffic aimed at your server, because that’s exactly what descended on Krebs’ server late last week, when krebsonsecurity was hit by an epic DDOS attack.

DDOS is an acronym for Distributed-Denial-of-Service, which basically means forcing so much web traffic to a single website that it eventually collapses–making it unable to provide services to the ‘real’ visitors of the site. All websites run on servers with finite capacity; DDOS attacks are about sending enough traffic to those servers that they eventually exceed that capacity.

But this DDOS was different, and krebsonsecurity will go down in history as the Hiroshima of this type of DDOS. But where nuclear weapons only had Hiroshima and Nagasaki, krebsonsecurity will be the first in a Looooong line of DDOS attacks of this scale.

So what makes this attack so different as to merit its own class? Well, 3 things.

The safest place for your money is under the mattress


When I was in school, we joked about people who kept their money under the mattress, that somehow those who didn’t use banks were less intelligent than people who did. The general thinking was that smart people kept their money in the bank, where it was safe from theft, fire and flood, while still collecting interest.

In the 80’s this was a compelling argument, when interest rates were high and banks really did provide security, but is that thinking still applicable today?

In June of 2000, Maybank launched their ‘new’ internet banking platform, Maybank2u, which allowed their customers to do their banking online, outside of traditional branches or even ATMs. A few years later, it began offering online purchases, and soon after the mobile app was launched.

But while online banking platforms brought convenience, they also introduced new security threats — and it wasn’t clear whose job it was to secure against those new threats, and who would be liable for inevitable financial losses.

Was it going to be the bank who assumed liability, just like they did before, or would it be the account holder, or possibly a mixture of both?

The answer depends on who gets attacked, because not all attacks are equal.

Not all attacks are equal

There are two types of attack: one where the bank itself is attacked, and another where the account holder is targeted instead.

When someone walks into a bank with the threat of violence, and walks out with $30,000 of the bank’s cash, the bank absorbs all the losses. After all, that’s why your money is in their safe and not under the mattress.

But there exists another class of attack–customer impersonation, where the attacker isn’t threatening violence or even ‘attacking’, but trying to fool the bank into believing they are the rightful account holder. In other words, the attacker is trying to impersonate you, to get to your money.

And in the digital world, customer impersonation is far more common. Consider the case of ATM fraud.

ATMs identify a user by verifying their ATM card, and then prompting them for the PIN. More specifically, the ATM first authenticates the inserted ATM card (is this card real?) and then proceeds to ask the user for the PIN (is this person the account holder?). Once the ATM is satisfied, it grants the user access to the account.

Hence if an attacker managed to steal your card and knows your PIN, the ATM has no way to differentiate between you and the attacker. Anyone could take your money from your account, by just having your ATM card and PIN, in contrast robbers attacking a bank would simply be taking the bank’s cash…not yours.

Credit card fraud is another prime example, but at least in Malaysia end customers have their liability capped at RM250 provided they report their lost cards in a ‘reasonable’ amount of time. Debit cards and ATM cards are not protected in the same way, which is strange because the poorer sections of society who need more protection usually have debit instead of credit cards.

But even credit card users need to be wary, because changes in the liability model are bound to happen when we introduce Chip and Pin. (read more here)

To summarize, customer impersonation isn’t the same as a bank robbery: when the bank issues you credentials (like PINs, passwords or ATM cards), the responsibility to secure those credentials is yours–and if those credentials are compromised, then you’ll have to shoulder some of the financial losses as well.


Show notes for today


Some interesting links you might want to check out during my interview on BFM today; I will tidy up this list later in the week.

Office of Personnel Management Data Breach (Chinese hackers breaking into US Federal Employee Databases)

China arrested the hackers responsible for OPM breach

Turkey losing Personal Information on 50 Million Citizens

Philippines Data Breach, Troy Hunt’s perspective.

Check if your e-mail address has been part of a previous breach from the HaveIbeenPwned website.

24 year old IT grad behind Philippines Breach caught

Phineas Fisher explains how he hacked Hacking Team (in under 100 hours)

Hackers break into a Jeep connected to the internet

Hackers breaking into baby monitors, and shouting profanities at children

Baby monitors (and everything else) connected to the internet aren’t good ideas.

Why anti-viruses aren’t any good these days

My take on why people with Anti-Viruses end up with MORE malware

Why I don’t believe passwords should be changed constantly

Why GCHQ (the British equivalent of the NSA) share my thoughts

Great article on how hackers guess hashes

Some guy built a computer to guess 380+ Billion hashes a second

Enabling 2 Factor for your Google Account

Norton Dossier on Stuxnet (interesting, but VERY long read)

Countdown to Day Zero (more interesting, and even longer read on Stuxnet)

Or just watch the Ted Talk on Stuxnet

This is how Pedophiles get caught

This will easily be the most controversial blog post I have ever written, so consider yourself warned.

It’s controversial, because it touches on multiple taboos in our society, sex, child abuse and security theater. You see, there’s been a growing call for a national sex offender registry, especially in the wake of news that a British Pedophile had sexually abused up to 200 children in Malaysia.

The news is especially shocking for Malaysians, who are still coming to grips with the fact that a foreign ‘mat salleh’ abused our children, in our country, right under our fucking noses, and we’re only now learning about it...years after the abuse had taken place, and even then, the details are sketchy.

As I said, many have renewed the call for a Sex Offender registry. The idea being that if we start registering sex offenders, we could more easily monitor them, and be able to cut off their ability to further abuse children. It’s a great idea, but it wouldn’t have saved these 200 children, simply because Richard Huckle wasn’t convicted of any sexual abuse; he wouldn’t have been on the registry even if we had one.

Then we have calls for better screening procedures for people who work with children. Another great idea, but again it wouldn’t have stopped Richard Huckle. Maybe an extremely thorough and in-depth screening process that interviewed his parents, grandparents and fourth grade history teacher would have uncovered something about his psychology that may have triggered some alarms–but that level of screening is both unrealistic and a gross invasion of privacy.

Finally we have calls for better sex-education in schools, which I’m 100% in favor of. Proper sex education may have prompted one of Huckle’s victims to speak out and report the issue, which may have prompted his arrest at a much earlier time–but ultimately these were impoverished children who were not given access to proper education anyway, so sex education in public schools probably wouldn’t have helped them.

But are we forgetting something obvious?

The law shouldn’t rely on good behavior from Billionaires

Gawker is the internet’s most slimy news organization, an online outlet that has no qualms disclosing people’s sexual infidelities regardless of the cost such disclosures have on their personal lives.

So for most people, seeing WWF superstar Hulk Hogan win a lawsuit against Gawker to the tune of $140 million was a real sight for sore eyes. But when it was revealed that Hogan was funded by billionaire Peter Thiel, the internet suddenly lost its damn mind.

Peter Thiel is a giant of the Venture Capital industry, a co-founder of Paypal and an early investor in Facebook; he’s earned his VC hall of fame status, but despite all his successes he’s remained deeply private. His feud with Gawker started way back in 2007, when Gawker published an article (not linked to here) claiming he was ‘totally gay’.

Thiel didn’t earn his Billions sitting on his arse, and so he turned his laser intellect and vast resources to exacting revenge on Gawker for the personal grief and hurt the online publication caused him.

He launched a ‘proxy war’ against Gawker, using a wrestler (of all things), and going straight for the jugular. If Gawker loses the appeal, the hundreds of millions in damages it must pay to Hulk Hogan would bankrupt the company, so saying Gawker is literally fighting for its life is no exaggeration.

Essentially, Peter Thiel may have pushed Gawker to bankruptcy with nothing more than pocket change and a retired WWF superstar.

The fact that a Billionaire could potentially shut down a news outlet (even one as disgusting as Gawker) is appalling and goes against the grain of that most cherished of constitutional amendments. The first thing the founding fathers of that great country chose to amend in their constitution was a guarantee of Freedom of Speech, and while the law may be in effect–it isn’t effective–especially against someone with ridiculous wealth on their side.

To most non-Americans this seems a bit odd. After all, isn’t America the land where everyone sues everyone, and where the legal system is choked to the brim with cases of people suing McDonalds because the coffee was too hot?

So allow me to correct some misconceptions.

While America is chock full of libel and slander suits, a Supreme Court case in 1964 made a clear distinction for cases where the victim was a “Public Figure”, setting the bar to an almost impossibly high standard.

If you’re a Public Figure, suing someone for slander or libel is damn near impossible, because you have to prove the statements were made with ‘actual malice’—that is, with reckless disregard for whether they were false. Needless to say, trying to prove someone did something is easy; trying to prove they did it with ‘actual malice’ is not.

In fact, it’s ridiculously difficult: Hulk Hogan’s legal bills ran up to $10 million US dollars, and even a successful show person (yes folks, wrestling isn’t real) like Hulk Hogan can’t afford that sort of funding.

And not to get too political, but if our ‘beloved’ Prime Minister ever decided to sue the Wall Street Journal, he’ll have to prove the ‘actual malice’ component as well, something it seems only Hulk Hogan and $10 million dollars have succeeded in doing. Suing the Wall Street Journal may send a political message and signal confidence, but legally speaking it will end up nowhere, unless Najib has $10 million–oh wait, he does.

But for those defenders of the first amendment who are so adamantly opposing Peter Thiel’s proxy vendetta, aren’t you missing the point?

The law shouldn’t depend on Billionaires behaving well–it should be water-tight to the point where even Billions isn’t going to get anywhere. If your legal system is at the mercy of the top 1-percenters behaving, you’ve got a pretty shitty legal system.

Fortunately, Gawker would most likely succeed on appeal, and all should be well in the world, but shouldn’t this indicate that stronger and higher bars should be set for court cases regarding public figures?

In Malaysia of course, this bar is far lower, which explains why many politicians have already sued news outlets and succeeded. Shouldn’t this indicate to us as well, that our laws need to be strengthened to allow for freedom of expression?

Many don’t believe this of course, because few Malaysians believe in having a truly robust freedom of speech framework. We still would like a few ‘clauses’ here and there to prevent hate speech, and political speech and ‘sensitivities’.

But unless we open up the marketplace of ideas, the rich and powerful will always dictate the narrative.

~~~~~~~~~~~

Ben Thompson wrote a great piece in Stratechery that put this story in a fascinating perspective:

Thiel made the largest part of his fortune by investing in Facebook, where he still sits on the board. Facebook specifically and the Internet broadly has made it possible for sensationalistic rags like Gawker to exist, even as it has fundamentally weakened journalism by destroying the geographic monopolies that guaranteed the financial freedom to comfort the afflicted and afflict the comfortable. Thiel as the personification of the tech industry is very much the superhero looking to remedy a problem he created.

In the same vein, Jeff Bezos, a billionaire like Thiel, is single-handedly keeping the Washington Post alive. So it seems the media is now in the hands of billionaires, and only they can keep alive what only they can kill.

Interesting.

Passcodes should be protected

Some people are fans of medieval torture, and who can blame them. There’s just something about the sadistic treatment of people that makes us both want to watch with a bowl of popcorn in our hands, yet at the same time turn away in disgust and discomfort.

How else do you explain the popularity of shows like Saw?

I personally am a fan of the Iron Maiden, which before it became the name of a rock band was an evil torture device designed to impale its victims with spikes, but meticulously avoid crucial organs, thereby prolonging the agony, letting the victim slowly bleed to death rather than die from something boring like heart failure or liver damage.

There’s a list on Wikipedia that has all the gory details of medieval torture techniques, including keel-hauling (which I always thought was some pirate term) and Scaphism, which is a Persian specialty where the victim dies of diarrhea.

It’s a whole new level when the victim dies of Diarrhea—Diarrhea!! (and the smart-ass know it all types probably are thinking that Persia wasn’t in the medieval period–yes, I know and I don’t care)

[*Steve in the comments points out that victims of Scaphism didn’t really die from diarrhea but from insects feasting on them. Which doesn’t exactly make it sound any better.]

Fortunately, we live in a modern world, where such barbarism is consigned to history classes rather than current affair shows, and trust me while water boarding is torture, it’s probably a couple of rungs lower on the cruelty scale than an Iron Maiden or Scaphism.

It’s good to view our past just to figure out how far along we’ve come as a species, to take stock of the great progress we’ve made in civil liberties. Torture is a fine example of such progress, but take for example what the 16th century English had to deal with when they were sent to the Star Chamber!

Hate Speech is defined by private companies

You don’t have a right to freedom of speech.

Obviously true if you’re Malaysian, but even Americans only enjoy a liberty in freedom of speech and not an absolute right.

The difference is clear, liberties are protections you have from the government, while rights are something you have from everyone.

So if someone threatened your right to live, the government is obligated to intervene and protect that right, because your right to live is a protection you have from everyone, whether it be a common criminal, an abusive husband or Ayatollah Khomeini.

On the other hand you only have a liberty in freedom of speech (at least in an American context), which means that the government can’t prevent you from speaking, or penalize you for something you said.

However, the government is under no obligation to ensure your speech gets equal ‘air-time’, a newspaper may decline to publish your article, an auditorium may elect to deny you their roster, and online platforms like Facebook may choose to remove your post–all of which do not violate your freedom of speech, because freedom of speech is protection only from the government (state actors) and not from private entities.

And like all liberties and rights, freedom of speech is not absolute. Under strict conditions even the US government can impose limits on what their citizens can say, or penalize them for things they have said.

In the case of freedom of speech, a liberty defined in their first amendment, those strict conditions are very strict indeed. In order for the government to infringe on the freedom of speech, it must demonstrate an imminent danger that will result in a serious effect.

In other words, the government must be able to prove that if the speech were given freedom, there would be an imminent threat of something serious. Both the imminence and the seriousness must be proven, failing which the government cannot infringe on that speech. This is indeed a very tall hurdle to climb, and based on my cursory research no case has ever reached this limit.

FBI vs. Apple : Everything you need to know part 2


The Apple vs. FBI story has evolved so much in the past weeks that I thought I needed to write a separate post just on the updates. Admittedly, the story is far more complex and nuanced than I initially presumed, and everyone wants to be part of the conversation.

On one side, we have the Silicon Valley tech geeks, who seem to be unanimously in the corner of Tim Cook and Apple, while on the other we have the Washington D.C. policy makers, who are equally supportive of James Comey and the FBI he directs.

But to understand this issue from a fair and balanced perspective, we need to frame the correct question: not just what the issue is about, but who the issue is really focused on.

This isn’t just about the FBI or Apple

Framing this as the FBI vs. Apple or The Government vs. Apple is wrong. This is Law Enforcement vs. Tech Companies.

The FBI is just a part of The Government, specifically the part tasked with investigating federal crimes. James Comey, FBI director, is genuinely trying to do his job when he uses the All Writs Act to compel Apple to create a version of iOS that would allow them to brute-force the PIN code.

But there are other parts of The Government, like the NSA, who have the wholly different task of national security. To them, if a smartphone is genuinely secured from the FBI, then it’s secured from Russian cybercriminals and Chinese state-sponsored actors too (probably!).

And because so much data is on smartphones, including the smartphones of federal government employees, the national security interest of America is better protected by having phones that are completely unbreakable, rather than ones that provide exceptional access to law enforcement. Exceptional being defined as: no one has access except for law enforcement, and perhaps TSA agents, maybe border patrol and coast guard–you can see how slippery a slope ‘exceptional’ can be. Oh, and by the way, exceptional doesn’t exist in end-to-end encryption.

Former NSA director Michael Hayden has openly said “I disagree with Jim Comey. I actually think end-to-end encryption is good for America”. So it appears the NSA has an interest in national security that competes with the FBI’s interest in investigating crimes.

The Government isn’t a single entity with just one interest; rather it is a collection of agencies with sometimes competing objectives, even though they all ultimately serve their citizens. Experts believe the NSA has the capability to crack the iPhone encryption easily, but are refusing to indulge the FBI, because–well, it’s hard to guess why the NSA doesn’t like the FBI.

Susan Landau, a member of the Cybersecurity hall of fame (yes, it does exist), detailed two methods by which the FBI could hack the iPhone in her testimony to the House Judiciary Committee. Both methods involved complicated forensics tools, but would cost a few hundred thousand dollars (cheap!), and wouldn’t require Apple to write a weakened version of iOS. If the government can get into the phone for $100,000, that would mean it couldn’t compel Apple under the All Writs Act (AWA).

Remember, the FBI buy their spyware from the lowlifes at hacking team, which means they’re about as competent as the MACC and Malaysian PMO, but if Comey and Co. can afford $775,000 on shit from Hacking Team, I’m guessing $100,000 for a proper computer forensics expert isn’t a problem.

But maybe there’s an ulterior motive here. In the very recently concluded Brooklyn iPhone case, Magistrate Judge Orenstein noted that necessity was a pre-requisite for any request made under the AWA, and if the FBI have an alternative at a reasonable price, then Apple’s support is not necessary, and hence outside the ambit of the AWA. So maybe the NSA isn’t providing the support precisely so that Apple’s help remains ‘necessary’.

And this isn’t solely about the FBI either. The New York A-G is waiting for this case to set precedent before he makes requests for the 175 iPhones he’s hoping to unlock for cases that aren’t related to terrorism or ISIS. You can bet he’s not the only A-G waiting for the outcome, and it’s highly unlikely for the Judge to make her ruling so specific that nobody except the FBI could use it as precedent.

But it’s also not just about Apple. The legal precedent set by this case would apply not just to every other iPhone, but possibly every other smartphone, laptop, car or anything else we could squeeze into the definition of a computer. This is about more than Apple, and that’s why the tech companies are lining up in support of Mr. Cook, 32 such companies the last I checked.

But now that we’ve framed the ‘who’, let’s frame the ‘what’.

Apple vs. FBI: Everything you need to know

A judge in the US has ordered Apple to provide ‘technical assistance’ to the FBI in creating what some (but not all) cybersecurity experts call a backdoor. In the few years I’ve written about these issues, I’ve never seen anything as hotly debated as this one, with folks from digital security to foreign policy coming down on both sides of the debate.

On one hand it seems a bit snarky of the FBI to use this one particular case, which looks to have the highest possible chance of success, to set precedent, but on the other hand it seems mighty nasty of Apple to refuse to comply with a court order to crack into a terrorist’s phone.

So here are some facts of the case.

The phone in question belonged to Syed Rizwan Farook, a shooter in the San Bernardino shooting, which caused the deaths of 14 people. America has numerous mass shootings, but this one involved two Muslims aligned to ISIS–and hence was more easily labeled terrorism, without the need for adjectives like ‘domestic’.

As I blogged about last week, self-radicalized terrorists don’t get funding from headquarters, and without that glorious ISIS-oil money, all these guys could afford was an iPhone 5C, an entry-level phone with hardware identical to that of the iPhone 5, a phone launched waaaayy back in 2012 (you’ll remember that as the year Manchester United last won the Premier League). As an older phone, the security architecture of the 5C lagged behind the current generation iPhones, all of which have a secure enclave, but make no mistake, it’s still pretty secure.

By pretty secure, I mean that the phone has all of its contents encrypted, and unreadable to anyone without the encryption key. The key is derived from both the user passcode and a randomly generated hardware key that is unique to the specific iPhone. It is generally understood that Apple doesn’t keep track of the hardware key and is therefore unable to provide it; as you might expect, the hardware will also never give up its key under any circumstance. Without the hardware key, the encrypted data is unreadable, even with the passcode. Which explains why the FBI can’t suck the data out of the device for decryption on a more powerful computer, or load the data into 1000’s of iPhones for parallel cracking.
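To make concrete why copying the encrypted data off the phone doesn’t help, here is an added toy model (not Apple’s design and not code from this post) in which the data key is derived from both the passcode and a per-device secret, so the correct passcode alone is useless anywhere except on the hardware that holds that secret. The device UID, salt, passcode and contents are all constructed for the example, and HMAC stands in for the phone’s AES engine.

```python
"""Toy model of passcode + hardware-key entanglement (added illustration).

NOT Apple's real key hierarchy: the real design tangles the passcode with the
device UID inside the AES engine. Here the device secret is mixed in with HMAC
at every derivation round, so the data key can only be computed by hardware
holding that secret; a copy of the blob plus the right passcode is still
unreadable elsewhere.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ROUNDS = 2_000                                   # small so the demo is quick (assumption)
SALT = b"constructed-salt"                       # constructed; real devices use a random salt
DEVICE_UID = bytes.fromhex("f0e1d2c3" * 8)       # constructed stand-in for the burned-in UID


def derive_key(passcode: str, device_uid: bytes, rounds: int = ROUNDS) -> bytes:
    """Derive a 32-byte data key from the passcode AND the device secret.

    Every round is an HMAC keyed with the device UID, so there is no
    intermediate value that could be exported and iterated on faster
    hardware: each guess has to be computed by the device holding the UID.
    """
    state = hmac.new(device_uid, SALT + passcode.encode(), hashlib.sha256).digest()
    for _ in range(rounds):
        state = hmac.new(device_uid, state, hashlib.sha256).digest()
    return state


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream (stand-in for AES; the stdlib has no AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(passcode: str, device_uid: bytes, plaintext: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC the plaintext under the derived key.

    The returned blob is what a forensic image of the flash would contain."""
    key = derive_key(passcode, device_uid)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}


def open_blob(passcode: str, device_uid: bytes, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Return the plaintext, or None when the passcode/UID pair is wrong.

    The constant-time tag check fails for a wrong passcode OR a wrong UID,
    which is why the blob cannot be brute-forced off the original hardware."""
    key = derive_key(passcode, device_uid)
    expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def demo() -> Dict[str, Optional[bytes]]:
    """Walk through the three cases the post's argument rests on."""
    pin = "1234"                                  # constructed passcode
    data = b"contacts, messages, photos"          # constructed phone contents
    blob = seal(pin, DEVICE_UID, data)
    other_uid = bytes.fromhex("11" * 32)          # any UID other than the phone's own
    return {
        "on_device_correct_pin": open_blob(pin, DEVICE_UID, blob),   # plaintext
        "on_device_wrong_pin": open_blob("0000", DEVICE_UID, blob),  # None
        "off_device_correct_pin": open_blob(pin, other_uid, blob),   # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The third case is the one that matters for the post: even with the right passcode, the blob stays sealed on any machine that lacks the phone’s own secret.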