Think of all we do to ensure that our authentication systems are not compromised. It really takes a fair amount of effort to extract someone’s password from a shadow file or to secretly install a keylogger.

A far simpler solution is to look over their shoulder while they type.* Take care when signing on in public places. The guy standing in line for a coffee may take an interest in your banking password. Admittedly, this kind of attack of opportunity may not happen often. However, this is an easy way to actively hunt prey.

The concern lies in more than just physically proximate attackers. Many public areas will also have security cameras. A good line of sight would reveal a string of credentials: local machine, webmail, banking, etc.

Some thieves are known to target victims at ATMs on the condition that they successfully observe the victim’s PIN. Similarly, a laptop theft is much more severe if the attacker can immediately access the system. This makes possible a number of attacks of which the victim is unaware.

For example, at the library Alice shoulder surfs Bob’s password. Bob locks his computer to the table and goes to the restroom. A couple minutes later, he returns to find his laptop in its original position apparently untouched. However, during that time Alice logged in and installed a backdoor. Bob would probably not find it until the damage had already been done.

As always, watch your back. In terms of information security, it is not unwarranted to assume that everyone, except a trusted few, is your enemy. And what do we know about turning our backs to our enemies?

A quick and easy mitigation is to type very quickly. Alternatively, moving both hands while typing can distract a casual shoulder surfer. As an added distraction, pad the beginning and end of each string, i.e. type “in air” without actually depressing keys.

And lest I forget this most valuable piece of advice: CHANGE YOUR PASSWORDS OFTEN. The more sensitive your password, the more often you should change it. If you even suspect it’s been compromised, change it!

*Actually, it’s also possible to listen to the sequence of keystrokes and identify the keys pressed. There’s a paper on this, I’ll link it later.

Links to those who have been fighting the good fight:

Internet Storm Center: isc.sans.org

And to those who watch:

Internet Health Report(US only): www.internetpulse.net
CERTStation: www.certstation.com

I would also recommend a basic home computer security suite:

Avast (www.avast.com) – Antivirus
Ad-Aware (www.lavasoft.com) – Antispyware
ZoneAlarm (www.zonealarm.com) – Firewall

These programs are all free for personal, non-commercial use. While it will certainly not stop all threats, it offers decent security with a minimal maintenance burden. Use this as a starting point and select better choices based on user experience level and personal preference. I would recommend declining any paid upgrades.

For more layers of defense:

Encryption:
PGP Desktop (www.pgp.com)
PGP allows you to encrypt files and also send encrypted email. This provides excellent security against casual eavesdroppers. The trial package has limited functionality after 30 days but remains sufficient for home use.

Software proxy and onion router:
Vidalia (www.vidalia-project.net)
Vidalia will allow you to anonymously access websites. It provides some limited ability to access sites that have been blocked locally (e.g. by government or corporate mandate).

Full disk encryption:
TrueCrypt (www.truecrypt.org)
TrueCrypt provides on-the-fly full disk encryption. I will be testing the latest version in the near future.

Network Security Operating System:
BackTrack (www.remote-exploit.org/backtrack.html)
BackTrack is filled with tools for those interested in testing their own network defenses.

You can quickly test your status using some internet-based scanners:

Symantec: security.symantec.com
Shields Up: https://www.grc.com/x/ne.dll?bh0bkyd2

For maximum effectiveness, remember to update and scan regularly!

I would also be happy to hear about any options/tools that are particularly good!

In the first story, a man is charged with hacking USC. He claims to have been trying to warn USC of a security vulnerability. http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=187201428

In the second story, an attacker potentially compromises data on 800,000 user accounts at UCLA. Presumably, UCLA received no warning. http://www.informationweek.com/news/security/showArticle.jhtml?articleID=196603485

Would USC have suffered the same fate if they were not warned? Would they have been better off if they were given the time and opportunity to fix the problem on their own?

In the next post, I am going to give out links to some of my favorite InfoSec sites and tools. Like any tool, it is not intrinsically Good or Bad. It is not the tool that has the intent but the wielder thereof.

Granted, the following links are likely to be well-known. Many of the people who use them will not be swayed by my words. But for those who are new to the field, I offer the following guidance:

The electronic world is just as real and as important as the physical one. In some ways, it is even more complicated than Real Life because there are few hard and fast rules that will apply to every situation.

1) Respect others. Any site or system or network you interact with was built by the effort and resources of a real person. Others you interact with online are real people.
2) Minimize your impact. Computing resources are finite and each user should take what they need and no more. For a specific example: do not crush a Tor relay with your BitTorrent traffic of stolen movies.
3) Be aware of applicable laws and regulations. Something that may be legal in your home country may not be while you are travelling.
4) Act in good faith. A server misconfiguration that allows you access to private files is not an invitation to do so. You may even want to inform the server admin.

When you encounter those ever-so-frequent grey areas, put yourself in the other person’s position. Think about what you would want and not just from a technical perspective.

Think about the first story. USC is not just another host with a vulnerability. It is an educational institution with a full-time mission. It is, in some aspects, a very large business. It is run by a group of people who wish to sleep soundly at night. It may have some very trigger happy executives or an overly protective legal team. These entities, regardless of whether you think they are doing the right thing or not, all have a say in what happens on their systems.

Think broadly and carefully the next time you find yourself in that no-man’s land of legal and technical ambiguity.

The strategy here is going to change a little bit. My original assumption about the Internet access control mechanisms was that the rules would be fairly static. This has proven to not be the case. Given the upcoming Olympic Games, I believe that access is going to be much less restrictive than usual and that changes will be made very quickly.

As of 7/12/08:

Domains not reachable:

- facebook.com (was reachable on 6/29/08)
- icanhascheezburger.com (was previously able to load site without pictures but now totally unreachable)
- uncyclopedia.com
- torproject.org
- dit-inc.us

Domains reachable:

- cnn.com
- bbc.co.uk
- xkcd.com
- wikipedia.org
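The reachable/not-reachable lists above were compiled by hand. The script below is an added example (not from the original post) that automates the same check and, unlike a bare “unreachable”, separates the three failure points a filter can sit at: the name does not resolve, the name resolves but no TCP/HTTP answer comes back (the “site without pictures” case usually shows up as a partial HTTP answer), or the site answers normally. The resolver and connector are injectable so the classification logic can be exercised offline; the `FAKE_*` tables and the 192.0.2.x addresses are constructed test data, and the domain names are only those the post lists.

```python
"""Reachability probe for a list of domains (added example, not from the original post).

Each domain is classified as one of:
  - dns_fail  : the name does not resolve
  - tcp_fail  : it resolves but a TCP connect to port 80 fails, times out or is reset
  - reachable : TCP connects and an HTTP status line comes back
"""
import datetime
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

Resolver = Callable[[str], Optional[str]]
Connector = Callable[[str, str, float], Optional[str]]

DNS_FAIL = "dns_fail"
TCP_FAIL = "tcp_fail"
REACHABLE = "reachable"


def resolve_a(domain: str) -> Optional[str]:
    """Return the first IPv4 address for domain, or None if resolution fails."""
    try:
        info = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return info[0][4][0] if info else None


def http_status_line(ip: str, host: str, timeout: float) -> Optional[str]:
    """Connect to ip:80, send a minimal HEAD request for host, return the status line.

    Returns None on connect failure, timeout or reset (all look alike to the user).
    """
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((ip, 80), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(256)
    except (OSError, socket.timeout):
        return None
    line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return line or None


def probe(domain: str, resolver: Resolver = resolve_a,
          connector: Connector = http_status_line, timeout: float = 5.0) -> Tuple[str, str]:
    """Classify one domain; returns (classification, detail)."""
    ip = resolver(domain)
    if ip is None:
        return DNS_FAIL, "no A record"
    status = connector(ip, domain, timeout)
    if status is None:
        return TCP_FAIL, f"{ip}: connect failed or no response"
    return REACHABLE, f"{ip}: {status}"


def probe_all(domains: Iterable[str], **kw) -> Dict[str, Tuple[str, str]]:
    """Probe every domain, passing resolver/connector/timeout overrides through."""
    return {d: probe(d, **kw) for d in domains}


def report(results: Dict[str, Tuple[str, str]], when: Optional[datetime.date] = None) -> str:
    """Render results in the same 'not reachable / reachable' layout the post uses."""
    when = when or datetime.date.today()
    blocked = sorted(d for d, (c, _) in results.items() if c != REACHABLE)
    open_ = sorted(d for d, (c, _) in results.items() if c == REACHABLE)
    lines = [f"As of {when.isoformat()}:", "", "Domains not reachable:", ""]
    lines += [f"- {d} ({results[d][0]}: {results[d][1]})" for d in blocked]
    lines += ["", "Domains reachable:", ""]
    lines += [f"- {d} ({results[d][1]})" for d in open_]
    return "\n".join(lines)


# Constructed stand-ins so the module can be exercised offline (TEST-NET-1 addresses).
# A real run passes no overrides and uses the live resolver and connector above.
FAKE_DNS = {"cnn.com": "192.0.2.10", "facebook.com": "192.0.2.20"}
FAKE_HTTP = {"192.0.2.10": "HTTP/1.1 200 OK"}  # 192.0.2.20 deliberately answers nothing


def fake_resolver(domain: str) -> Optional[str]:
    return FAKE_DNS.get(domain)


def fake_connector(ip: str, host: str, timeout: float) -> Optional[str]:
    return FAKE_HTTP.get(ip)


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["cnn.com", "facebook.com", "torproject.org"]
    print(report(probe_all(targets)))
```

Run it with a list of domains on the command line and keep the dated output; comparing reports over time is what turns “was reachable on 6/29/08” from a memory into a record, and the dns_fail/tcp_fail split tells you whether a newly blocked name is being filtered at the resolver or on the wire.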

The combination of Privoxy+Tor is again successful in accessing the blocked sites.
I chose to use this method because of its usability: free, well-integrated into popular browsers, and easy to set up.

However, there are several important caveats to using Tor:

- The network as it exists will not support connections requiring a lot of bandwidth (e.g. BitTorrent, massive file transfers, etc.). It will work but it will be extremely slow. I need to stress that such usage will also have a negative impact on other Tor users.
- The software is experimental and should not be relied upon for strong anonymity.
- The most reliable source for software and updates (torproject.org) is not reachable without a working copy of Tor.
- Very few entry nodes are reachable. This raises some serious questions about the immediate security and long-term viability of Tor.

In my 80 hours or so logged into a functional circuit, I have seen only three distinct entry nodes. From a security standpoint, it is easy to believe that these entry nodes are planted or otherwise compromised to allow monitoring. Even if the entries are legitimate, it wouldn’t be hard to shut down the network entirely. I leave this as an exercise to the reader.

There is an interesting paper on timing attacks for any onion router network:
Low-Resource Routing Attacks Against Anonymous Systems by Kevin Bauer, Damon McCoy, Dirk Grunwald, Tadayoshi Kohno, Douglas Sicker
http://www.cs.colorado.edu/department/publications/reports/docs/CU-CS-1025-07.pdf

There are many alternatives to Tor which I will decline to list here. One that I am investigating is FreeGate: dit-inc.us.

I encourage readers to have a plan of action in case Internet access is restricted in their area. What tools do you have immediately available to facilitate a breakout? If you don’t usually encrypt communications (i.e. pgp or some variant), will you want/need to? How many of your contacts will you be able to reach via other means (secure or not)?
