Tuesday, October 25, 2011

The New Skype "Vulnerability"

Recently, a privacy flaw has been discovered in Skype, as well as other P2P applications. Please see this link for more details.

What the privacy flaw does is allow another person to make a Skype call to you and before you answer, or even if you don't, the caller can acquire your public IP address. With the public IP address, it is possible through IP location technology to determine where you are--sometimes even down to the street level. By calling throughout the day, it is possible to trace your movements and this information is useful in a variety of ways.

The article mentions that a firewall will not protect you, and this is not surprising because on the Internet you communicate with your public IP address and not the one behind the firewall.

Now, while I believe this is a privacy issue, I think it is a bit overblown. For one thing, every time we visit a website our public IP address is logged somewhere. Indeed, any time we connect to another public IP address for any reason we should assume it is logged somewhere. What makes this Skype issue problematic is that people may assume that because they are not calling anyone, their Skype VOIP is "hung up", so they are pretty safe and unreachable unless they answer the call. Unfortunately, Skype and other P2P protocols do not work that way. When you log on to Skype, you connect to an outside server to advertise that you are online, so just like any other connection your public IP is now "known" on the Internet. Now, it is not known by everyone, but it is known by any system with which you are communicating. Skype and other P2P protocols by definition implicitly or explicitly share this information--if they did not, it would be difficult to establish the P2P connections necessary to make these protocols useful.

To find the other guy's IP address, it is only necessary to capture the packets as the call is trying to go through. This is something which is not too technically difficult to perform. And unfortunately, there is no way to hide your IP address given the way Skype and other P2P networks work.

So, what should we do?

First, we need to be aware, because awareness is power. If I know my IP address is knowable by others, I can take necessary action and change my behavior--for one, I can behave "as if" my location is known. How would that change my behavior if I was posting a venomous "anonymous" post somewhere? I would be more careful about what I say and do, just as I would do in any public place with people around.

Second, I could bring up P2P applications only when I need to use them. Unfortunately, if this practice becomes widespread it will lessen the utility of P2P applications. But if my location is so important, this may be the only option if I want to use P2P at all.

What we are seeing is the erosion of the assumption of anonymity, which is one reason the Internet has flourished. The day may soon arrive, and it may already be here, when we are no more anonymous on the Internet than we are in real life.

Wednesday, October 19, 2011

Why I side with the Government over Anonymous

In my update to the post regarding Anonymous and SCADA, I pointed out that Dan Kaplan disagrees with DOHS' characterization of Anonymous as targeting critical infrastructure.

Now, it does not seem to me that Mr. Kaplan carries a brief for Anonymous; he just thinks that:

1) The DOHS statement is at least partially motivated by a desire to paint Anonymous as a terrorist organization
2) Reliable Anonymous sources have not confirmed the SCADA story
3) Anonymous cares about the environment and sympathizes with the Occupy Wall Street movement, so they care about people and the planet

I cannot speak with authority about DOHS' motivation. Indeed, it is possible that DOHS is motivated by a desire to protect Americans. There is nothing in the press release itself which would lead me to believe that their motives are nefarious. However, Anonymous has already decided that the Alberta oil sands should be shut down, and Anonymous says, in its own words, "The continued development of the tar sands is a major step backward in the effort to curb global warming. Anonymous will not suffer this without a fight, and Operation Green Rights will always support the rights of the people to live in an unpolluted world, and aim to help safeguard it for the future. One way or another." (Operation Greenrights) That sounds pretty threatening to me. YMMV.

That some in Anonymous have different priorities, or that there is disagreement within Anonymous, is beside the point. As a distributed, non-hierarchical organization, no one individual or group of individuals can be said to represent "Anonymous" more than another. Nor does support for Occupy Wall Street make a difference.

It is possible to support Occupy Wall Street (whose ideas are difficult to pin down, honestly) and support "direct action" against the companies exploiting the tar sands. In other words, the organization of Anonymous, or its lack of organization, comes with benefits as well as disadvantages.

Basically, Anonymous comes across to me as a bunch of self-righteous individuals who, if given the chance, would love the fame of bringing down a big target like the "evil" oil companies so they can confirm themselves in their own alleged moral superiority. And while I don't think they are necessarily trying to kill people, if one messes with some types of SCADA controls that will more than likely be the effect.

And that IS terrorism.

Stuxnet breaks out of its Siemens box

It appears Stuxnet has been modified so that it no longer attacks SCADA, but is now a Remote Access Tool (RAT). It is unclear if the variant is from the same group which created Stuxnet, or if Stuxnet was simply reverse-engineered. Unlike the original Stuxnet, though, this variant does not seem to use a zero-day attack. This means we need to ensure our systems are fully patched, which is the one thing anyone can do to protect themselves from the vast majority of malware.

Monday, October 17, 2011

Anonymous to Target SCADA?

According to this link, Anonymous may be trying to target SCADA.

SCADA is the control software for environmental controls, such as AC and heating, factory machinery, dams, power plants and a host of other things we take for granted will operate correctly.

An attack on SCADA could mean more than a data breach; it could mean injury or death. It is not too difficult to envision a scenario where, for instance, a sewage treatment plant is compromised such that potable water is contaminated. Or where a generator is damaged through its controls.

In other words, if a SCADA system is compromised by Anonymous, the group will have graduated from being a nuisance to becoming life-threatening. What is worrisome is that Anonymous typically compromises systems through "low hanging fruit"--unpatched systems, default, shared or easily guessed passwords or other vectors which are not too difficult to use.

I am afraid we live in interesting times.

UPDATE: Dan Kaplan pushes back http://goo.gl/5slJj

Monday, September 26, 2011

Methinks he doth protest too much

Nir Zuk, the inventor of stateful packet inspection, an all-around firewall guru and founder of Palo Alto Networks, said that SourceFire's entry into the Next Generation Firewall market is "bull**it" because firewalls are so much more difficult to design than IPS. Now, I have evaluated Palo Alto's product and it is quite good, but I think that saying things like this about SourceFire's imminent offering shows a little bit of anxiety on his part. The NG firewall market is supposed to experience high growth, and it will probably take a while for things to settle down. Right now Palo Alto is the market leader, but that could change. Barracuda Networks (another product I evaluated) has an excellent offering, too. So yes, things could change--I think it is better to wait for the market to decide these things rather than engage in such talk, as it only makes the one screaming look desperate.

http://goo.gl/UP04G

Saturday, July 16, 2011

Password Koolaid Part II

So, there is some tension between the complexity of passwords and the tendency of users to make it easier to remember complex passwords. Since this is really just a numbers game--we are trying to make passwords change in a time frame which makes it unfeasible to guess--suppose we make passwords change more frequently but eliminate the features which make them more difficult to remember?

But now we are fiddling with passwords again and not really adding any more security.

We could add a second factor of authentication and make the whole system functionally impossible to crack. Two-factor authentication means that besides requiring something the user (or cracker) knows, she would have to supply either something she possesses or a biometric authentication mechanism. This is, in my opinion, a better way to allocate scarce security resources than making users create complex passwords (or not complex, if they are clever enough to put Fluffy!1 as their password) and relying on the false sense of security complex passwords give.
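
The "numbers game" above, worked through for Fluffy!1 as an added example that is not part of the original post. The complexity policy, the sample wordlist, the dictionary size, the guess rate and the rotation period are all assumptions chosen for illustration.

```python
import re

# Assumed complexity policy (hypothetical): at least 8 characters with
# lower case, upper case, a digit and a symbol.
def meets_complexity_policy(pw):
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

# Constructed sample wordlist; a real audit would load a large dictionary.
SAMPLE_WORDS = {"fluffy", "dragon", "summer", "monkey", "shadow"}
SYMBOLS = "!@#$%&*?"
# Capitalised word followed by symbol+digit or digit+symbol.
PATTERN = re.compile(r"([A-Z][a-z]+)(?:[!@#$%&*?]\d|\d[!@#$%&*?])")

def brute_force_space(pw):
    """Candidates when every position is any of 95 printable ASCII chars."""
    return 95 ** len(pw)

def pattern_space(pw, dictionary_size):
    """Candidates for 'Word + symbol + digit' in either order.

    Returns None when the password does not follow that habit."""
    m = PATTERN.fullmatch(pw)
    if m is None or m.group(1).lower() not in SAMPLE_WORDS:
        return None
    # words * symbols * digits * two possible orderings of the suffix
    return dictionary_size * len(SYMBOLS) * 10 * 2

def days_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / 86400

def survives_rotation(space, guesses_per_second, rotation_days):
    """True if the whole space cannot be tried before the password changes."""
    return days_to_exhaust(space, guesses_per_second) > rotation_days

if __name__ == "__main__":
    pw = "Fluffy!1"
    rate, rotation, words = 1000, 90, 100_000  # assumed values
    print("passes policy:", meets_complexity_policy(pw))
    for label, space in (("brute force", brute_force_space(pw)),
                         ("word+symbol+digit", pattern_space(pw, words))):
        print(f"{label}: {space} candidates, "
              f"{days_to_exhaust(space, rate):.2f} days, "
              f"outlasts rotation: {survives_rotation(space, rate, rotation)}")
```

Under these assumptions the policy-compliant password sits in a space that is exhausted well inside the rotation window, while the space the policy was meant to enforce would not be.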