Another Hole in Internet Armor

Another hole in our Internet armor has been discovered. The hole is in the Diffie-Hellman key exchange, a popular cryptographic algorithm that lets two endpoints agree on a shared secret key over an untrusted network and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and any other protocol that relies on TLS.

Researchers from the University of Michigan, Inria, Microsoft Research, Johns Hopkins University and the University of Pennsylvania have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed. In what they call the Logjam attack, the flaw allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade Diffie-Hellman. Once the key exchange is that weak, the attacker can recover the session key and read or modify any data passed over the connection.

The problem, according to the researchers, is that millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as fresh key exchange values were generated for every connection. However, the first and by far most expensive step in the number field sieve, the most efficient known algorithm for computing the discrete logarithms that break a Diffie-Hellman connection, depends only on this prime. Once that precomputation has been done for a given prime, an attacker can quickly break every individual connection that uses it.
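
To make the structure of that argument concrete, here is an added example. It is mine, not the researchers' code, and it is not their algorithm: it replaces the number field sieve with an exhaustive discrete-log table over a constructed toy group (p = 65537, g = 3), which is only feasible because the group is tiny. What carries over is the shape of the attack: the expensive table depends only on (p, g), and every connection that reuses that group is then broken with a single lookup. The exponents and handshake values are constructed for the example.

```python
# Added example: "precompute once per prime, then break every connection cheaply",
# with an exhaustive log table standing in for the number field sieve.

# Constructed toy group: p is the 17-bit prime 2^16 + 1 and g = 3 generates Z_p^*.
# A real deployment uses a 512-, 1024- or 2048-bit prime, where this table is
# impossible and the precomputation is the sieve's first step instead.
TOY_P = 65537
TOY_G = 3


def precompute_logs(p, g):
    """Expensive step: depends only on (p, g), never on any connection.

    Returns a table mapping g^x mod p -> x for every x in [0, p-2]. In the
    number field sieve the analogous output is the factor-base logs; here it
    is the whole log table, so later lookups are O(1)."""
    table = {}
    value = 1
    for x in range(p - 1):
        table[value] = x
        value = (value * g) % p
    return table


def break_connection(table, p, A, B):
    """Cheap per-connection step: given the two public values A = g^a and
    B = g^b seen on the wire, recover a from the table and return the shared
    secret g^(ab) mod p, or None if A is not covered by the table."""
    a = table.get(A)
    if a is None:
        return None
    return pow(B, a, p)


def simulate_handshakes(p, g, exponent_pairs):
    """Constructed traffic: one (A, B) pair per connection, exactly what a
    passive observer sees. The secret exponents are not returned."""
    return [(pow(g, a, p), pow(g, b, p)) for a, b in exponent_pairs]


def break_all(p, g, wire_values):
    """Do the one-time work for the group, then walk every captured connection."""
    table = precompute_logs(p, g)            # once per (p, g)
    return [break_connection(table, p, A, B) for A, B in wire_values]


if __name__ == "__main__":
    # Three constructed connections that all share the same (p, g).
    secrets = [(12345, 54321), (777, 31337), (65000, 2)]
    wire = simulate_handshakes(TOY_P, TOY_G, secrets)
    recovered = break_all(TOY_P, TOY_G, wire)
    for (a, b), key in zip(secrets, recovered):
        assert key == pow(TOY_G, a * b, TOY_P)
    print("recovered %d session keys after one precomputation" % len(recovered))
```

The point of the split into `precompute_logs` and `break_connection` is the point of the paper: a shared group amortizes the hard work across every server and every connection that uses it, so fresh exponents per connection do not help once the group itself has been "broken".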

To prove this hypothesis, the researchers carried out this precomputation against the most common 512-bit prime used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. The downgrade is invisible to the client because the server's signed ServerKeyExchange message does not say which cipher suite it was generated for: the client sees a 512-bit group, and a client that accepts 512-bit groups has no way to tell it was meant for an export suite.

They also estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers.

There is speculation that this flaw was already being exploited by nation-state actors. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with its having achieved such a break of a widely shared 1024-bit group.

What should you do?

1 – Go to the researchers' website https://weakdh.org/ to see if your browser is secure from the Logjam flaw. (It reported that Google Chrome Version 43.0.2357.81 (64-bit) on OS X 10.10.3 was not secure.)

2 – Microsoft (MSFT) patched the Logjam flaw on May 12 with security bulletin MS15-055. A Microsoft spokesperson told eWEEK;

Customers who apply the update, or have automatic updates enabled, will be protected. We encourage all customers to apply the update to help stay protected.

3 – Google (GOOG) made a first change in the Chrome 42 update, which debuted on April 15. Google engineer Adam Langley wrote:

We disabled TLS False Start with Diffie-Hellman (DHE) in Chrome 42, which has been the stable version for many weeks now.

Note that disabling False Start with DHE closes one path but does not by itself make the browser reject a 512-bit group, which is why the weakdh.org check in item 1 still flagged Chrome 43. That requires a client-side minimum on the group size, the researchers' third recommendation below.

4 – Mozilla's patch for Firefox isn't out yet, but “we expect it to be published in the next few days,” Richard Barnes, cryptographic engineering manager at Mozilla, told eWEEK.

5 – DarkReading reports that on the server side, organizations such as Apache, Oracle (ORCL), IBM (IBM), Cisco (CSCO), and various hosting providers have been informed of the issue. There has been no response yet from these tech titans.

The researchers have also provided guidance:

  1. If you have a web or mail server, they recommend disabling support for export cipher suites and generating a unique 2048-bit Diffie-Hellman group. They have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions.
  2. If you use SSH, upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange.
  3. If you're a sysadmin or developer, make sure any TLS libraries you use are up to date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024 bits.
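
The following added example (written for this post; it is not the researchers' deployment guide and not any TLS library's code) turns recommendations 1 and 3 into checks you can run against captured handshakes. It parses the ServerDHParams structure at the front of a DHE ServerKeyExchange message (RFC 5246, section 7.4.3), reports the size of the group the server chose, applies a client-side minimum, and flags DHE export suites (IANA values 0x0011 and 0x0014) left in a cipher-suite list. The sample messages and placeholder primes are constructed for the example and are not real DH groups; the function names are my own.

```python
import struct

# IANA cipher-suite values of the two DHE export suites a Logjam downgrade
# targets. Other EXPORT suites exist, but only the DHE ones matter here.
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def _read_opaque16(buf, off):
    """Read one opaque<1..2^16-1> field: 2-byte big-endian length, then bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix at offset %d" % off)
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length %d at offset %d" % (n, off))
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the front of a DHE ServerKeyExchange body.
    The signature that follows ServerDHParams is not checked here."""
    p_bytes, off = _read_opaque16(body, 0)
    g_bytes, off = _read_opaque16(body, off)
    ys_bytes, off = _read_opaque16(body, off)
    p = int.from_bytes(p_bytes, "big")
    return {
        "p": p,
        "g": int.from_bytes(g_bytes, "big"),
        "Ys": int.from_bytes(ys_bytes, "big"),
        "p_bits": p.bit_length(),   # leading zero bytes, if any, do not count
    }


def classify_group(p_bits):
    """Map group size to the attacker class the researchers estimate can break it."""
    if p_bits <= 512:
        return "export-grade: breakable by anyone"
    if p_bits < 1024:
        return "weak: within reach of an academic team"
    if p_bits < 2048:
        return "1024-bit class: within reach of a nation-state"
    return "ok"


def client_accepts(p_bits, minimum_bits=1024):
    """Client-side policy from recommendation 3: reject primes below the minimum."""
    return p_bits >= minimum_bits


def server_offers_dhe_export(cipher_suites):
    """Server-side check for recommendation 1: names any DHE export suites
    still present in a configured or advertised cipher-suite list."""
    return [DHE_EXPORT_SUITES[c] for c in cipher_suites if c in DHE_EXPORT_SUITES]


def is_well_formed(body):
    """True if the three ServerDHParams vectors parse, False if truncated/malformed."""
    try:
        parse_server_dh_params(body)
        return True
    except ValueError:
        return False


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams blob; used only to construct the samples below."""
    def opaque16(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    return opaque16(p) + opaque16(g) + opaque16(ys)


# Constructed samples. These p values are arbitrary odd numbers with the top bit
# set, chosen only to have the right length; they are NOT the export prime
# shipped with Apache or any other real group.
PLACEHOLDER_P_512 = (1 << 511) | 0x3B1D
PLACEHOLDER_P_2048 = (1 << 2047) | 0x3B1D
SAMPLE_SKE_512 = encode_server_dh_params(PLACEHOLDER_P_512, 2, pow(2, 12345, PLACEHOLDER_P_512))
SAMPLE_SKE_2048 = encode_server_dh_params(PLACEHOLDER_P_2048, 2, pow(2, 12345, PLACEHOLDER_P_2048))


if __name__ == "__main__":
    for label, msg in (("downgraded", SAMPLE_SKE_512), ("hardened", SAMPLE_SKE_2048)):
        params = parse_server_dh_params(msg)
        print("%s server: %d-bit group, %s, client accepts: %s" % (
            label, params["p_bits"], classify_group(params["p_bits"]),
            client_accepts(params["p_bits"])))
    # 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA, 0x0033 = TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    print("export suites left enabled:", server_offers_dhe_export([0x002F, 0x0014, 0x0033]))
```

Against a live server, feed `parse_server_dh_params` the ServerKeyExchange body from a packet capture of a DHE handshake; a result below 2048 bits, or any name returned by `server_offers_dhe_export` for the server's configured suite list, means the server has not yet followed recommendation 1. Note that the parser deliberately ignores the signature: the point of Logjam is that a valid signature over weak parameters is still weak parameters.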

rb-

Finally, get involved. Write someone: your representative, your senator, your favorite bureaucrat, the president, your candidate, and tell them to get out of the way.

Ars Technica notes that Logjam is partly caused by export restrictions put in place by the US government in the 1990s, which capped the strength of exported cryptography so that government agencies could break encryption used in other countries. “Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” said Michigan's J. Alex Halderman. “Today that backdoor is wide open.”

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Mobile Malware FUD?

Just last week, I wondered out loud from my Bach Seat if all the hype around mobile malware was real or just more FUD. Looks like I am not alone; TechCo recently asked a similar question, “Are We Overstating the Threats from Mobile Devices?”

The author cites several recent reports that back up the claim that the threat mobile devices introduce into the enterprise is overstated. The data indicates that mobile malware is statistically rare and that infection rates have even decreased since 2012.

• A McAfee report shows that of all the malware samples it knows about, only 1.9% are mobile malware: roughly 4 million out of 195 million.
• Another report (PDF) from Verizon (VZ) shows even lower numbers, with only 0.03 percent of smartphones infected with what it calls “higher grade malicious code.”
• Some numbers go lower still. Damballa, a mobile security vendor that monitors roughly half of mobile data traffic, recently released a report claiming you have a better chance of getting hit by lightning than by mobile malware. Damballa found only 9,688 smartphones out of more than 150 million showed signs of malware infection. If you do the math, that comes out to an infection rate of 0.0064 percent.

Even more interesting is that despite the increase in mobile devices, Damballa found the infection rate had declined by half compared to 2012.

These reports may show mobile threats aren't as big a problem as previously thought, but the author asks why the numbers are so low at all. After all, cyber criminals like to target new platforms and exploit security weaknesses. Why do they seem to be avoiding mobile devices?

The truth of the matter is that mobile users tend to get their apps from high-quality app stores. The stores from Google (GOOG) and Apple (AAPL) work to filter out suspicious apps. If malware is found in an app after it has been on the market for a while, the app store can also execute a kill switch, which removes the app from the store and from the devices that downloaded it. This limits malware's ability to spread. (rb- I noted the advantages of Apple's Walled Garden here.)

The article concludes that companies that adopt BYOD shouldn't ignore security; they just don't have to go all-out as many businesses have. Most mobile security experts say a mobile device management (MDM) system remains a good investment to make sure mobile devices are handled appropriately. MDM systems also let an organization remotely wipe devices, keeping sensitive data safe if a device is lost or stolen. But malware isn't a factor in those cases, so the overall message from these reports is that getting worked up over mobile malware is not necessary. A company can still gain all the benefits of BYOD without worrying incessantly about how it protects every device that connects to its network.

rb-

What do you think?

Is mobile malware over-hyped FUD?


 


What Triggers Data Breaches?

Cyber-insurer ACE Group recently published data they say predicts a data breach. Based on their data (and the need to sell premiums), the insurer claims that all firms are at risk of a data breach. Matthew Prevost, vice president, ACE Professional Risk, recently claimed data breaches are inevitable:

When it comes to cyber risk, it is not a question of if or when, but how – how can an organization proactively prepare for and then quickly respond to cyber related breaches and interruptions?

ACE is in a unique position to speculate: according to ClaimsJournal, ACE has over 15 years of experience with cyber-risk and has cataloged a considerable amount of loss data. They recently shared several key insights from their proprietary data. FierceITSecurity explains that, based on ACE's data, the top triggers for data breaches are:

  1. Network security attacks – 25%
  2. Lost or stolen devices – 20%
  3. Human error -16%
  4. Rogue employees – 15%
  5. Faulty policies – 9%
  6. Use of paper – 6%
  7. Software error – 3%

The firm's data says the lost and stolen devices that led to data breaches were:

  1. Laptops – 70%
  2. Memory devices – 28%
  3. Smartphones – 2%

Former employees accounted for 25 percent of insider attacks, and financial incentive was the motive in 72 percent of insider attacks, according to ACE.

rb-

I have written about the cyber-insurance market here and here. The most surprising factoid to me is that lost or stolen smartphones lead to data breaches 2% of the time. Perhaps the ACE data is old, or the security marketers have spread FUD and hubbub about the need for MDM, EMM and remote wipes just to make a buck.

Do you agree with ACE’s stats? 


World’s First Hacker?

The story of the first hacker could be a 21st century tale. It includes a zero-day exploit, patent trolling, a live demo, egos and industrial espionage. New Scientist has identified its candidate for the world's first hacker, who found a security hole in Marconi's wireless telegraph technology and used it to publicly show the inventor up.

New Scientist's first hacker was Nevil Maskelyne, a stage magician who disrupted a public demo of Marconi's wireless telegraph in 1903. He disrupted the demo by wirelessly sending insults in Morse code into Marconi's supposedly confidential channel. Visitors to the Bach Seat should be sophisticated enough to know the risks of running a live demo, but 110+ years ago, they didn't.

According to the author, the first hack occurred at the Royal Institution in London. Marconi associate John A. Fleming (inventor of the vacuum tube) was preparing the Marconi equipment for a public demo of the long-range wireless communication system developed by his boss, the Italian radio pioneer Guglielmo Marconi, when something unplanned happened.

Before the demonstration was scheduled to begin, the demo gear began to receive a message that included a poem accusing Marconi of “diddling the public.” Then it started in with some Shakespeare.

Arthur Blok, Fleming's assistant, figured out that someone else was beaming powerful wireless pulses into the theater, strong enough to interfere with Marconi's equipment. Unfortunately for Marconi and Fleming, Nevil Maskelyne had figured out the hack first. Maskelyne's hack proved that Marconi's gear was insecure and that eavesdropping on supposedly private messages was likely possible too.

In response, Fleming fired off a complaint to The Times in which he dubbed the hack “scientific hooliganism” and asked the newspaper's readers to help him find the hacker.

However, Maskelyne, whose family had made a fortune making “spend-a-penny” locks for pay toilets, outed himself four days later and justified his actions on the grounds that he had revealed the security holes for the public good. (Sound familiar?)

Maskelyne, who had taught himself wireless technology, had a great deal of experience with it. According to the article, he would use Morse code in “mind-reading” magic tricks to secretly communicate with a partner. And in 1900, Maskelyne sent wireless messages between a ground station and a balloon 10 miles away. But his ambitions were frustrated by Marconi's broad patents, leaving him embittered towards the Italian. Maskelyne would soon find a way to get back at Marconi. It turned out that the Eastern Telegraph Company, worried that Marconi's wireless would kill its global wired communications business, hired Maskelyne as a spy.

Maskelyne built a 50-meter radio mast near the Marconi Wireless offices, from where the firm was beaming wireless messages to vessels as part of its highly successful “secure” ship-to-shore messaging business. From there, Maskelyne could easily eavesdrop on the “confidential channel” Marconi wireless messages.

Maskelyne gleefully revealed the lack of security by writing in the journal The Electrician in November 1902,

I received Marconi messages with a 25-foot collecting circuit [aerial] raised on a scaffold pole. When eventually the mast was erected the problem was not interception but how to deal with the enormous excess of energy.

To further publicize his results, and perhaps to exact some revenge on Marconi, Maskelyne staged his Royal Institution poetry broadcast.

The New Scientist concludes that Maskelyne’s name had been forgotten but now he is in the history books as the world’s patron saint of hackers.


iPads Stalled

Readers of Bach Seat know that I have been a skeptic of the iPad's role as the leader of the “post-PC” era. The Verge looks back nostalgically to 2010, when Apple (AAPL) first introduced the iPad and Steve Jobs heralded it as a “magical and revolutionary” device that would play a part in the “post-PC” era of devices. In the years since the launch of the iPad, many have debated whether the laptop is dead and the PC era over. That hasn't quite happened yet.

The latest financial figures from Apple seem to have turned this “post-PC” epoch upside down. Apple now earns more money from Macs than it does from iPads. According to the Verge, Apple made $5.6 billion in revenue from its Mac sales in the most recent quarter, and $5.4 billion in iPad revenue. The surprise revenue turnaround casts some doubt on Apple's “post-PC revolution” with the iPad. Apple's iPad sales have been decreasing consistently in recent quarters, and Apple doesn't have an answer to counter the trend.

Rumors of an iPad Pro with a stylus have surfaced over the past year, but Apple has only chosen to refresh its line with very few improvements. The decrease in iPad sales is likely related to consumers not refreshing tablets as often, a lack of big improvements to the iPad, and the fact that smartphones are still revolutionizing the industry more than tablets.

Apple CEO Tim Cook famously rejoiced at iPad sales beating rival manufacturers' PC sales at the peak of the iPad's popularity. It's no longer beating Apple's own PC sales revenue, and without a major change to the iPad this could be a trend that continues.

Apple is seeing impressive growth on the Mac side. A 10 percent year-over-year increase in Mac sales has helped push revenues past the iPad level, and Apple has been consistently bucking the trend of a PC market in decline. As for CEO Cook, he still believes in the iPad. “It is what it is. It will play out, and at some point it will stabilize,” Cook told analysts when asked about the lackluster iPad sales. “I am not sure precisely when, but I'm pretty confident it will.”

CEO Cook's confidence may be misplaced. As far back as March 2015 people were saying the iPad had no clothes. Business Insider pointed out that sales of the iPad had hit a wall. They cite Credit Suisse analyst Kulbinder Garcha, who believes, and has the data to prove it, that phablets are eating the iPad's lunch.


rb-

Credit Suisse's Garcha is right when he asks why you would buy an iPad when you can buy a big phone that does everything the tablet does, and more.
