Recently, a privacy flaw has been discovered in Skype, as well as other P2P applications. Please see this link for more details.
What the privacy flaw does is allow another person to make a Skype call to you and before you answer, or even if you don't, the caller can acquire your public IP address. With the public IP address, it is possible through IP location technology to determine where you are--sometimes even down to the street level. By calling throughout the day, it is possible to trace your movements and this information is useful in a variety of ways.
The article mentions that a firewall will not protect you, and this is not surprising because on the Internet you communicate with your public IP address and not the one behind the firewall.
Now, while I believe this is a privacy issue, I think it is a bit overblown. For one thing, every time we visit a website our public IP address is logged somewhere. Indeed, any time we connect to another public IP address for any reason we should assume it is logged somewhere. What makes this Skype issue problematic is that people may assume that because they are not calling anyone, their Skype VOIP is "hung up", so they are pretty safe and unreachable unless they answer the call. Unfortunately, Skype and other P2P protocols do not work that way. When you log on to Skype, you connect to an outside server to advertise that you are online, so just like any other connection your public IP is now "known" on the Internet. Now, it is not known by everyone, but it is known by any system with which you are communicating. Skype and other P2P protocols by definition implicitly or explicitly share this information--if they did not, it would be difficult to establish the P2P connections necessary to make these protocols useful.
To find the other guy's IP address, it is only necessary to capture the packets as the call is trying to go through. This is something which is not too technically difficult to perform. And unfortunately, there is no way to hide your IP address given the way Skype and other P2P networks work.
So, what should we do?
First, we need to be aware, because awareness is power. If I know my IP address is knowable by others, I can take necessary action and change my behavior--for one, I can behave "as if" my location is known. How would that change my behavior if I was posting a venomous "anonymous" post somewhere? I would be more careful about what I say and do, just as I would do in any public place with people around.
Second, I could only bring up P2P applications when I need to use them. Unfortunately, if this practice becomes widespread it will lessen the utility of P2P applications. But if my location is so important, this may be the only option if I want to use P2P at all.
What we are seeing is the erosion of the assumption of anonymity, which is one reason the Internet has flourished. The day may soon arrive, and it may already be here, when we are no more anonymous on the Internet than we are in real life.
Because most of an organization's associates are already on the front line, the wall has already been breached.
Tuesday, October 25, 2011
Wednesday, October 19, 2011
Why I side with the Government over Anonymous
In my update to the post regarding Anonymous and SCADA, I pointed out that Dan Kaplan disagrees with DOHS' characterization of Anonymous as targeting critical infrastructure.
Now, it does not seem to me that Mr. Kaplan carries a brief for Anonymous; he just thinks that:
1) The DOHS statement is at least partially motivated by a desire to paint Anonymous as a terrorist organization
2) That reliable Anonymous sources have not confirmed the SCADA story
3) Anonymous cares about the environment and sympathizes with the Occupy Wall Street movement, so they care about people and the planet
I cannot speak with authority about DOHS' motivation. Indeed, it is possible that DOHS is motivated by a desire to protect Americans. There is nothing in the press release itself which would lead me to believe that their motives are nefarious. However, Anonymous has already decided that the Alberta oil sands should be shut down. In its own words: "The continued development of the tar sands is a major step backward in the effort to curb global warming. Anonymous will not suffer this without a fight, and Operation Green Rights will always support the rights of the people to live in an unpolluted world, and aim to help safeguard it for the future. One way or another." (Operation Greenrights) That sounds pretty threatening to me. YMMV.
That some in Anonymous have different priorities, or that there is disagreement within Anonymous, is beside the point. As a distributed, non-hierarchical organization, no one individual or group of individuals can be said to represent "Anonymous" more than another. Nor does support for Occupy Wall Street make a difference.
It is possible to support Occupy Wall Street (whose ideas are difficult to pin down, honestly) and support "direct action" against the companies exploiting the tar sands. In other words, the organization of Anonymous, or its lack of organization, comes with benefits as well as disadvantages.
Basically, Anonymous comes across to me as a bunch of self-righteous individuals who, if given the chance, would love the fame of bringing down a big target like the "evil" oil companies so they can confirm themselves in their own alleged moral superiority. And while I don't think they are necessarily trying to kill people, if one messes with some types of SCADA controls that will more than likely be the effect.
And that IS terrorism.
Stuxnet breaks out of its Siemens box
It appears Stuxnet has been modified so that it no longer attacks SCADA, but is now a Remote Access Tool (RAT). It is unclear if the variant is from the same group which created Stuxnet, or if Stuxnet was simply reverse-engineered. Unlike the original Stuxnet, though, this variant does not seem to use a 0 Day attack. This means we need to ensure our systems are fully patched, which is the one thing which anyone can do to protect themselves from the vast majority of malware.
Monday, October 17, 2011
Anonymous to Target SCADA?
According to this link, Anonymous may be trying to target SCADA.
SCADA is the control software for environmental controls, such as AC and heating, factory machinery, dams, power plants and a host of other things we take for granted will operate correctly.
An attack on SCADA could mean more than a data breach, it could mean injury or death. It is not too difficult to envision a scenario where, for instance, a sewage treatment plant is compromised such that potable water is contaminated. Or where a generator is damaged through controls.
In other words, if a SCADA system is compromised by Anonymous, the group will have graduated from being a nuisance to becoming life-threatening. What is worrisome is that Anonymous typically compromises systems by "low hanging fruit"--unpatched systems, default, shared or easily guessed passwords or other vectors which are not too difficult to use.
I am afraid we live in interesting times.
UPDATE: Dan Kaplan pushes back http://goo.gl/5slJj