Security, Computer Philosophy, Cyberwar, Computer Crime, Malware, Passwords, Two Factor Authentication, 2FA, December 15, 2018
Rules
* New accounts should use a unique username, email address and password
* Passwords should be 16 characters; that is short enough that I could type one in if I had to.
* Change passwords every time I get to a site that is still using an old or standard password.
* Use two factor authentication where possible, but you have to make sure there is a backup mechanism, so that everything is not lost if your token breaks. Google Authenticator allows me to input the private key manually, and I can save that independently, preferably not online.
* I want to eliminate use of thumb drives. They are lost too easily for me, and it is too hard to know what is on them.
* If it's complicated, there is probably a hole in it. Security should be understandable.
* Never believe your internal network is secure.
* Never believe that your computer is secure.
* Never believe that a site you are visiting is secure.
Computer Philosophy
* I don’t want to buy new desktop computers. They are expensive, use too much power, and things like hard disks, fans and graphics cards fail.
* I want to have my disks online
* I want small disks in my laptops, iPads
* Intel NUCs are OK
* Mac Minis are OK.
* Laptops are OK.
* iPads are OK.
* I do want big monitors
* I do want my good trackballs and keyboards.
Observations, Thoughts
* It’s the wild west.
* Software vendors don't want to take any responsibility, certainly not in their licenses
* Hardware vendors, even Google (my example is the Nexus 6 on Google Fi), don’t want to be bothered with updating software or addressing cyber attacks; they just want to move on to building the next piece of hardware. Router vendors and IoT vendors are particularly bad at this point in time.
* Nation states are going to insert backdoors into hardware and software that they produce, especially ones not aligned with our interests. That is what spies do.
* Spies are going to spy on people, nations, etc. That’s what they do.
* State-sponsored cyber war, such as Flame and Stuxnet, destabilizes security.
* The wide diversity of new platforms, phones, tablets, pads, and applications (apps) make it much more complicated for a vendor to secure a system.
* The growth of everything interconnected makes securing systems more problematic.
* “Ken Thompson’s point was that we can’t guarantee the security of our systems unless we have a complete binary understanding of every program which we execute on them, something that has been impossible for a very long time. He meant that no matter what we do, we have to put our trust in someone else’s code.” From https://users.rust-lang.org/t/possible-to-build-rust-without-using-blobs-at-all/4797/7; the original paper is at http://www.cs.tufts.edu/comp/98/Ken_Thompson_84-Reflections_on_Trusting_Trust.pdf
* Spam, robocalls, fake pop-ups, state-sponsored malware, IRS scams.
* The scripts are continuously being refined; they aren’t very good, but they are getting better.
* Scammers’ intelligence gathering is getting better with all the public information available.
* They are distributing the scam among many people and building a hierarchy of scammer services.
* There are lots of companies who are willing to host content or provide services because they will make money at it, even big companies like Cloudflare and Google. YouTube especially seems to be schizophrenic about what it will tolerate; a lot of times I call this Corporate Cognitive Dissonance. Some of it is pure scam or illegal content, and then you see lots of cases of them taking down content that seems appropriate. And yet YouTube seems to get it sometimes, like the congratulation letter to Hoax Hotel.
* In DO-178 or similar certifications, we see where people want to speak the language of what should be done, but sometimes they just drop down to checking the boxes.
* Hunting down people is getting harder, because of proxies, encrypted networks, encryption in general, companies that will sell services to anyone, countries like India that just don’t seem to care. Things like VPNFilter really make it hard.
* You cannot verify the security of anything but the smallest of programs, so people just wave their hands and tell you it will be OK.
* When I evaluate my own programs, even certified ones, I see where they can be broken, where their security won’t hold up. I think I am one of the careful people: I like to compile everything with warning levels turned way up, and I religiously use PC-Lint, Understand Code Check, the Clang static analyzer, Cppcheck and others.
* It scares me to think about the unencrypted, unauthenticated protocols we deal with in the aviation world. It’s just a matter of time until someone looks at them and comes up with a system to spoof them.
* Technology breeds crime - Frank Abagnale - “Catch Me If You Can”
* The end of RSA and Diffie-Hellman is coming; we need to be ready.
* Nation states are going to spy on people, they are going to interfere in elections, interfere with important computers, spread false news, test their limits. That’s the kind of thing spy agencies do.
* Spies will spy on people, expect that.
* If I was going to spy on a company, I would be a janitor. I have worked as a janitor; janitors know everything. It’s amazing what you find out or hear as a janitor. I would probably hire a spy janitor that looked Mexican, or maybe someone who looked old and haggard, someone who looked like being a janitor was one of the few options open to them.
* If I was going to embed a back door into something, I would do it in VHDL or as an ASIC. It would be easy to hide. Although once you get to 8 million lines of code, there would be places to hide there too.
* There is a lot of talk about news leaks, like from the White House or the F-35 program. If I wanted to capture those people, I would probably set up an organization like POGO.org and publish information that was either public domain or already known and that was mildly critical of the White House or the F-35 or whatever. Then I would provide an anonymous tip drop, probably a secure one like Ricochet. I would wait for folks to drop news, then I would try to work on them to have confidence in our relationship and try to get them to open up more personal details.
* Be wary of things like the Electron software framework, where you take insecure JavaScript code and put it on the desktop. Think of how many third-party packages are included to render a web page. Now you don’t have sandboxing protection.
* I think all applications should be sandboxed or run in application VMs.
Two Factor Authentication, 2FA
* I like hardware tokens, since they are truly separate, “Something you have”.
* The problem with hardware tokens is that you can lose them, they can be damaged, or their batteries go dead.
* Hardware tokens have been breached. The RSA breach forced us at L3 to swap out ALL tokens. That is a vulnerability to worry about.
* I like Google Authenticator/OATH. While it is not a true second factor, I can recreate all the token generators if a computer is damaged.
* There is an additional risk with Google Authenticator/OATH: you have a copy of the private key that you have to keep secure.
The Cloud
* Anything going to or from the cloud needs to be encrypted
* Any data in the cloud needs to be encrypted at rest.
* Maybe more generally, any data needs to be encrypted at rest.
* All public protocols, web, aviation (TCAS, ACARS, ADS-B), telephony (SS7), banking (SWIFT), need to have strong authentication and encryption. I think there is a crisis coming on these protocols.
* Do I want a VPN provider, or my own OpenVPN server out on the Internet? Or are Opera’s desktop VPN and/or Tor sufficient as a VPN?
Networking
* I think everything that goes over networks, car CAN bus networks, airplane 1394, Fibre Channel, ARINC 429, 1553, anything over the Internet, has to be encrypted and signed. You just can’t prevent man-in-the-middle attacks if you don’t do that. The one that personally bothers me is TCAS resolution advisories. TCAS replies can be spoofed, and planes will maneuver based on TCAS replies.
Why it’s not going to get better soon
* Windows is a mess; there is no uniform way to know that all your installed programs are up to date and secure.
* Things that you don’t have good control over, like National Instruments libraries, are putting all sorts of directories in your path, DLLs into the system, opening ports, etc. You cannot practically know where all this stuff is.
* GSM is broken; Reddit found out the hard way that two factor via phone is not secure.
* The current wave of processor bugs, Meltdown, Spectre, PortSmash, Rowhammer, just keeps coming. How long will it be before we have a processor that is secure against these attacks? Remember they were able to weaponize Rowhammer and change page table entries so they could break out of a VPS and gain access to other VPS instances.
* The idea of FPGA malware, Intel or PowerPC or ARM microcode malware, ASIC malware, or graphics card shader malware is fascinating to me, and it’s just starting. Attacks only get stronger. I look back on my computer career, and there was a time we just blindly trusted the operating system we booted. There was no security, no administrator, no curator of applications. Even on the early Internet, I would just download programs from USENET and never thought about malware. I remember when people would put raw Windows disk shares on the Internet.
* The computers are so complex, the OSes are so complex, programs are so complex, that we can’t know that a computer doesn’t have malware on it.
* More and more hand waving in security and certification as time goes on, because nobody can stomach the amount of work it would take to validate even small programs.
* More and more system administrators lean on “We don’t see anything wrong” rather than knowing.
* Everyone wants to Bring Your Own Device (BYOD) to work. The idea of securing that is really troubling.
* The amount of personal devices is exploding.
* We are seeing waves of routers, IoT devices and old computers that just don’t get patched and are being used to create botnets.
* Companies have little incentive to fix or update potentially vulnerable routers, IoT devices or old computers. They just want to get on to selling you something new, even Google with my Nexus 6. This goes from cars to computers to cell phones to IoT devices. People want to sell you Internet-connected devices but have no intention of maintaining and updating them.
* Super Micro news article: can you hide a malicious chip on a board? I think it would be pretty likely you could, hidden as a filter chip or transformer or Pay chip.
* I find bugs in my own code all the time, how can you protect 8 million lines of code (JSF)?
* Criminals are making money and getting away with it: ransomware, fake Microsoft support, fake IRS, fake police, using technology like VoIP to hide their tracks. They have a lot of incentive to expand the use of malicious technology.
* An attacker needs one crack in the security. We, on the other hand, need to make sure every crack is protected. The complexity of protecting everything gives an advantage to the attacker.
Cryptography
* We want well understood algorithms; with proprietary or closed-source algorithms we have no way of knowing if they are easily vulnerable.
* It shouldn’t matter if the algorithm is publicly known.
* It shouldn’t matter if an attacker has both unencrypted text and the matching encrypted text.
* It shouldn’t matter if an attacker can see the entire encrypted conversation, including the first time key exchange.
* It shouldn’t matter if the same text, the same data, is sent over the channel multiple times.
* It would be ideal if I didn’t have to hold onto any secrets, like when GRC’s SQRL gives websites no secrets to keep.
* The governments will get back doors put in our encryption; get over it.
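Two of the properties listed above, that a known plaintext/ciphertext pair should not help an attacker and that sending the same data twice should not matter, are both about the same mechanism: every message must be encrypted under a fresh nonce (or IV). The added example below is my illustration, not code from the original post, and uses a deliberately toy stream cipher (keystream = HMAC-SHA256 over nonce and counter) so that it runs on the Python standard library alone. It shows the weak setting (one fixed nonce for every message) beside the corrected one (a fresh random nonce per message) and lets you check both properties against each. The key and messages are constructed for the demo; the cipher has no integrity protection and is not a substitute for AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

# Toy nonce-based stream cipher for illustration only: the keystream block i
# is HMAC-SHA256(key, nonce || i). No authentication tag, so never use it for real.
NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudorandom bytes, counter-mode style."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_nonce(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """The caller chooses the nonce. Reusing one makes the output deterministic."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def encrypt_fresh(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Corrected usage: a fresh random nonce per message, sent in the clear beside it."""
    nonce = os.urandom(NONCE_LEN)
    return nonce, encrypt_with_nonce(key, nonce, plaintext)


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return encrypt_with_nonce(key, nonce, ciphertext)  # XOR is its own inverse


def repeat_is_visible(c1: bytes, c2: bytes) -> bool:
    """What an eavesdropper learns when 'the same data is sent multiple times'."""
    return c1 == c2


def recover_from_known_pair(known_plain: bytes, known_cipher: bytes, other_cipher: bytes) -> bytes:
    """The 'attacker has plaintext and matching ciphertext' property, tested directly:
    plain XOR cipher yields the keystream, which only helps if that keystream was reused."""
    return xor_bytes(other_cipher, xor_bytes(known_plain, known_cipher))


def demo() -> Dict[str, bool]:
    """Run both properties against the weak and the corrected setting."""
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    fixed_nonce = bytes(NONCE_LEN)  # the mistake: one nonce for every message
    msg, other = b"ATTACK AT DAWN", b"RETREAT NOW!!!"  # constructed, same length

    bad_c1 = encrypt_with_nonce(key, fixed_nonce, msg)
    bad_c2 = encrypt_with_nonce(key, fixed_nonce, msg)
    bad_other = encrypt_with_nonce(key, fixed_nonce, other)

    n1, good_c1 = encrypt_fresh(key, msg)
    _, good_c2 = encrypt_fresh(key, msg)
    _, good_other = encrypt_fresh(key, other)

    return {
        "fixed_nonce_repeat_visible": repeat_is_visible(bad_c1, bad_c2),
        "fixed_nonce_known_plaintext_recovers": recover_from_known_pair(msg, bad_c1, bad_other) == other,
        "fresh_nonce_repeat_visible": repeat_is_visible(good_c1, good_c2),
        "fresh_nonce_known_plaintext_recovers": recover_from_known_pair(msg, good_c1, good_other) == other,
        "fresh_nonce_roundtrip": decrypt(key, n1, good_c1) == msg,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the fixed nonce both properties fail: identical messages produce identical ciphertexts, and one known pair decrypts every other message under that nonce. With a fresh nonce per message neither check succeeds, which is the behaviour the two rules above demand. The same reasoning is why "encrypt the same way twice" is a review finding in any real protocol, whatever the cipher.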
DNS
* I want DNS over HTTPS or TLS, since this is a point where man-in-the-middle is practical and we are seeing waves of DNS hijacking.
* Firefox supports DNS over HTTPS. See https://blog.usejournal.com/getting-started-with-dns-over-https-on-firefox-e9b5fc865a43
* It drives me nuts that Comcast rewrites my DNS queries to use their own servers.
My computers, Next Steps
* I think I want Back to My Mac turned off
* I think in general I want to avoid remoting back to my computers. I need to put anything I need out on a secure share on the Internet, protected by multiple factors, on a provider that has a great deal to lose if there is a security breach: Apple, Google, Dropbox.
* I want my Apples to disconnect the network when they go to sleep, I like how Qubes does this.
* I need to think about what to do about Apple discontinuing Time Capsule.
* I need to get a router in front of centosi
* I need to get Email certificates on cloneofcyrix and centosi
* I need to get the disks encrypted on cloneofcyrix and centosi
* I need to get better logs for centosi
* I need to work on cleaning up the log entries that are happening on cloneofcyrix
* Every piece of computer equipment I have is going to die. I need to plan for it.
* Every cloud service I use has the potential of going out of business. I need to plan for it.
* Most of these Internet services and cloud services will go out of business, like we’ve seen many times before. Data can end up exposed on the Internet when a company goes out of business.
* Turn on the iOS app offloading function. If an unused app is not loaded on the iPad, we know it’s not running code. This safeguards against old applications doing nefarious things.
* I should get a free subscription to ProtonVPN
* Try to buy services and computers from US based companies. Other nation states have an interest in spying on the US and its people.
* DNSCrypt or DNS over SSL or DNS over TLS.
* I need to get comfortable with ecryptfs
Advice for Friends and Relatives
* Make a password for every site
* Write it down in a book
* Be very skeptical on the Web and of anybody who calls you.
* Don’t open a link that you didn’t intentionally go looking for.