Xinophobia

We all knew this day would come. A (claimed) reliable and practical method for cracking WPA-TKIP has been discovered.

Erik Tews and Martin Beck will present their findings at PacSec net week but the message is clear: layered security is your best chance at actually achieving security.

I held out on posting this until the whitepaper was released. You can now find it here: http://dl.aircrack-ng.org/breakingwepandwpa.pdf

I don’t have time read the whole thing before class recommend that you do!

Why I care and why you should care, too

At the 2007 InformationWeek conference, the CEO of McAfee announced that the value of cybercrime reached $104B USD annually.  This surpassed the value of global wholesale illicit drug trade.

I have reservations about both of these numbers. However, even if we believe that these numbers are only correct to an order of magnitude, we still see an immense problem.

I can give a variety of statistics and theories and the-sky-is-falling rants but let’s think about a couple particular examples.

1) The Corporate Whistleblower

Alice wants to expose corporate wrongdoing but has a family to support. She can’t affort to lose her job.

Alice finds the data, plugs in a USB drive containing PGP, finds the public key for the Attorney General and encrypts the data using the AG’s key. Anyone searching her computer would only find gibberish. At this point, the original data remains untouched on the company server. The copy is only readable by the AG.

Alice launches Privoxy and Tor to disguise her connection to her gmail account. Corporate spies can see her outbound communication to the first proxy but can’t tell that she’s connecting to her email.

Alice sends the data to the AG, closes her net connections and wipes the file and free space on her hard drive.

Most corporate IT teams will not even register that anything unusual happened. Those that do would have a hard time figuring out exactly what. A few very paranoid and very skilled teams will be able to identify Alice as the source of the leak.

2) The Hungry Sales Agent

Bob is a life insurance agent for a nationwide firm. His client files including a lot of personal and sensitive information reside on his laptop. This makes it easy for Bob and saves him the trouble of logging into the corporate VPN.

Bob is at a corporate client’s site and finishes his morning session with management. He leaves his laptop and briefcase in the conference room. Fifteen minutes later, lunch in hand, Bob returns to find his laptop missing.

The thief, Eve, reboots to a custom operating system from her CD. She quickly downloads the client data and packages it to sell to identity thieves. Eve wipes the computer and sells it for a couple hundred bucks.

Three months later, customers of this firm receive a notice that their personal data may have been compromised and are advised to hire a credit monitoring service. In most cases, the damage will already have been done.

(This actually happened to me. Even large companies show remarkable apathy towards the danger that their clients face. I start getting notices when I’m 30 days late paying a $30 cable bill. A Fortune 500 has no excuse waiting three months when my personal credit and personal reputation are at stake.)

The bottom line is this: The proper implementation of information security allows people live their lives free of interference from those who do wrong. It is as basic as the latch on your window and the lock on your door.

Installing and Using PGP or
HOW TO DO THE STUFF I TALKED ABOUT IN THE LAST POST

This should be no more than a 15-minute process but as the disembodied voice says, your experience may vary.  It looks long but it’s not really that bad.

Part 1) Install PGP

1) The basic functionality of PGP (encryption/decryption/signing…) is available for free in perpetuity as part of PGP Corporation’s PGP Desktop software license. Go to www.pgp.com and click on the “Evaluation” link towards the bottom of the page.
2) Select “PGP Desktop Trial Software (Desktop Client Only)”.
3) Read the text and the license agreement at the bottom of the page. Check the box to accept the license and click “Accept”.
4) Fill out the required information and submit it. PGP Corp will email you a download link to the software. Open the link and click the white “Download” button on the left side of the page.
5) Unzip the downloaded package. There are two files inside and unzip the larger one. The small file is a signature package to verify that the files are legitimate.
6) Follow the install instructions. Reboot as necessary.

Part 2) Creating Your Keys

1) Open up the PGP Desktop and click on “File -> New PGP Key”
2) Follow the instructions and type in your name and email, etc. This will be one of the ways for people to find you. Don’t use aliases unless people can link you to your alias!
3) Enter your passphrase. You can type anything you want in here. Go ahead and use numbers and spaces and wierd symbols. Make it 1) long enough and varied enough to be secure (look at the little bar at the bottom) and 2) short and easy enough that you can type it all the time.
4) Click, click, click and finish.
5) Congratulations! You made a keypair! That’s right, in that little icon is a private key for you and a public key for the world. Don’t give out your private key. Give your public key to *everybody.*

Part 3) Upload your keys and Download others’ keys

1) Go to “Tools -> Edit Keyservers”
2) Add any servers you’d like. I recommend looking at this page (http://www.rossde.com/PGP/pgp_keyserv.html#pubserv) and adding the servers in bold. Be sure to select whether the server is LDAP or HTTP and enter the correct port number. For example, I would select Type:” PGP Keyserver HTTP”, Address: “cryptonomicon.mit.edu”, port: “11371″ and click “OK”.
3) Click on the “All Keys” tab at the top left of the window, find your key and right click to select “Send to -> cryptonomicon.mit.edu”. This will upload your key to the server so that others can find encrypt messages that only you can read.
4) Then click on “Search for keys” and from the dropdown box at the top of the screen select “Everywhere”. This will search all the servers for the key you want. You can also select particular servers if you know which one you want.
5) In the search box, type “xinophobia” and click search. Right click on the most likely-looking result and add it to “All keys”.
5a) My key is on my Contacts page.

Part 4) Excitement! Sending encrypted email

1) Log into your gmail. (The process is mostly the same for desktop email programs)
2) Write a message to someone (ex. xinophobia)
3) Place the cursor in the main body of the text. Find the PGP lock icon on the system tray (lower right side of the screen) and right click on it. Select “Current window -> Encrypt and Sign”
4) Select the recipient of the message and drag it to the “Recipients” box. Click “Ok” and then enter your passphrase to sign it with your key.
5) The plaintext message is automatically replaced with the a strange looking cyphertext block. If not, try pasting the cyphertext from the clipboard.
6) Send it!

Part 5) What to do when you get encrypted email

1) Place your cursor in the body of the cyphertext.
2) Right click on the PGP icon and select “Current Window -> Decrypt and Verify”
3) Enter your key and a box will pop up with the message. If you like, the message can be copied to the clipboard and pasted somewhere else.
4) Read your friend’s encrypted message about this weekend’s BBQ!

Part 6) Sharing your keys

1) Tell your friends where you uploaded your key.
2) Select your key in PGP desktop and click “email this key”.

—The End—

—Epilogue—
Please don’t forget your passphrase. Don’t write it down anywhere! Just don’t forget it. If you use your key everyday, you’ll be pretty safe. It is rumored that “The Government” (which one???) can crack PGP but it’s unlikely “The Government” will help you if you forget your key.

As case law stands now, you are not required to divulge your passphrase. There is still a great deal of controversy as to whether or not encryption is really protected under the 5th Amendment. Try to stay out of trouble.

Any tool which can be used for good can be used for evil and vice versa. (Generally speaking this is true. I’m struggling to come up with a “good” use for Puppy-kicking Boots. Whoever invented that needs to be shot.) Use PGP for good!

As a followup to my post from a few days ago, I posted my PGP public key block on the Contacts page.

Now you can send me secure email!

I will write a brief tutorial on how to install and use PGP shortly…

As the saying goes, “a secure system that an attacker can physically access is not a secure system.”

I keep an eye on the police blogs in my area just to get a feel for what kinds of incidents occur. Many of them relate to purses and laptops walking out of unsecured rooms. This kind of breach does not require a ton of commentary. If practical, lock the door to your offices. Lock your computer to a solid object. Encrypt your data and lock down your terminal when you step away. (There is software to do this for you!) Finally, don’t leave stuff unattended for prolonged periods.

As evidenced by the police blogs and personal experience, many restricted-access buildings depend on unauthorized persons voluntarily not attempting to enter. Despite the assertions of facilities administrators, these buildings and by extension the offices within should be considered public.

To end on a lighter note, I offer an excerpt from the daily police blog:

“Public Intoxication / Possession of a Fictitious Document: A Student, who was under the age of 21, was reported as leaping a tall fire hydrant in a single bound and staggering as he attempted to walk along the sidewalk…”

Students! If you are under 21 and drunk, do not leap tall fire hydrants in a single bound! You will attract unwanted attention. Next time, try a doublejump.

(credit: Penny Arcade)

I noticed something very strange that really should not be: official emails from UT are signed with PGP.

This is very strange because I have rarely come across anyone who used PGP, or any form of public key encryption, on a daily basis.

This shouldn’t be because it’s one of the easiest encryption methods to use. In addition, it is powerful and free.

So why don’t more people use it?

I actually have a keypair generated way back in the mid-90s. At that point, I was still using “edit README.txt” to get instructions. Of course, the passphrase for those keys are long lost. I can only hope that the keys have been revoked for staleness.

Even then, I thought it was terribly neat to be able to send encrypted emails. Besides PGP, there were entire mail services with security as a core component. I still remember my girlfriend and I getting HushMail accounts in all their garish purple glory.

Whatever happened?

GnuPG and PGP desktop are still free. The community, as far as I can tell, is larger than ever. After initial setup, the process is virtually transparent to the user if configured that way.

I don’t use it. Nobody else I know uses it. I wonder how many people who receive UT emails bother to verify the integrity of the message and signature.

I’d like to get your thoughts on why public key encryption isn’t more common especially with the high demand for privacy and security.

And for those of you interested:
GnuPG: http://www.gnupg.org/
PGP Desktop: http://www.pgp.com/downloads/desktoptrial2.php

PGP Desktop, despite the annoying “buy me” ads, has been really handy for local encryption needs on my Windows machines.

Now seems like a good time to create another keypair. Anybody want to join me and trade signatures?

Even though I am a big proponent of everyone using the strongest possible security, I also support open wireless networks. I propose the following: if you are going to secure an AP then use the highest level of security practical (WPA2) otherwise, run a completely open AP.

Open APs make life, especially in a densely populated city, just a little bit easier. The prevalence of 802.11x-capable devices creates a high demand for basic connectivity. Aside from laptops, think of the iPhones, N95s and even Wiis that rely on WiFi to fully exploit their functionality. When you need Internet access, you really need net access. Help out your neighbors, guests and random passerbys. If it doesn’t hurt you, setup an open AP.

Otherwise, please use strong security. From my apartment, I can receive signals from a dozen APs. Technically, these are SSIDs but I’m assuming that residential areas will typically have one AP per SSID.

Of these, three are open, six or seven use WEP and the remainder use WPA/WPA2.

I would have expected to see virtually all WPA/WPA2 networks except for the one or two that are 802.11b. I have three theories regarding this:
1) It might be that the “Easy Setup” software that comes with most routers defaults to WEP for the sake compatibility.
2) Possibly the wording on the setup instructions is such that users would be more inclined to choose WEP.
3) Or it could simply be that users have no incentive to choose their encryption scheme.

To support theory three: I believe that most residential users have no idea that WEP is almost useless for wireless encryption. Therefore, if there is some small benefit in compatibility and no preceptible increase in security, a reasonable user would have no incentive to choose WPA over WEP.

To give an analogy, I see WEP as the equivalent to closing your door. Most people won’t come in but it requires minimal effort to do so. WPA2 is like closing your door and locking it. An attacker must expend significant effort to break in. To extend the analogy, an open AP is like an open door. Thirsty people will come in and drink water from your kitchen faucet.

That middle road will both deny people a resource and provide a false sense of security. Go all the way either for security or openness.