Monday 28 January 2013

Cyber arms race begins... time to take your security seriously

Cyber war sounds like something from an Orson Wells radio program. Unfortunately, it’s a reality. In just the past couple of years we’ve seen everything from Stuxnet taking out refinement facilities in Iran to hackers bringing down 30,000 computers at a Saudi oil firm.
Image courtesy of U.S. Naval War College
What’s the world to do?
In the United States’ case, it’s hiring around 4,000 experts to quintuple the size of the US Cyber Command. That’s a pretty serious escalation. Granted, it’s certainly the right move.
For years now, security experts, including outgoing Defense Secretary Leon Panetta, have warned of impending cyber attacks targeting critical infrastructure in the United States like power grids. The right attack could be devastating.
"We've got good people that are involved in it, but, very frankly," he said in November speech at a defence (sic – silly Brits) think tank, "if we're going to stay on the cutting edge of what's happening with regards to the changes that are occurring, we have got to invest more in that area." [BBC]
But the offensive side of the US Cyber Command is talked about a little less. The fact is, a large portion of the revamped command will be responsible for designing and executing attacks overseas. Targets are expected to include Russia, China, and Iran, among others.
We have no idea how this digital arms race is going to play out, but you can be sure, that, globally, collateral damage will include civilians. Now, more than ever, is the time to beef up your digital security. Use strong passwords, download an antivirus program, and encrypt your digital data with a VPN.

Wednesday 23 January 2013

Mega awesome? or Mega insecure?

If you keep up with tech news at all, you’ve probably heard a lot about Kim Dotcom’s new cloud service, Mega.

Before the launch, Mega’s founders hailed the system as employing thorough encryption and security, but now, only a week after launch, analysts are coming out of the woodwork criticizing serious security flaws with the service.

Just a little bit of irony from ars technica

A lot has been written, but here’s the breakdown:

What is it?

If you’re unfamiliar, Mega is the successor to Dotcom’s government-seized MegaUpload. Basically, it’s a cloud storage service.

What makes Mega different from competitors like Google Drive, Dropbox, and Microsoft SkyDrive, is the fact that Mega encrypts files on the users’ side and stores the encrypted information rather than the actual files – the benefit being that nobody except the user knows what any of the files actually are.

This encryption format is a response to last year’s MegaUpload debacle where the U.S. government seized all stored content and has yet to return access to users. Furthermore, user-side encryption keeps everyone, except the subscriber, in the dark regarding what content is being stored. Dotcom said this allows Mega to use a larger number of server companies (who would otherwise have issues with hosting pirated content) and thus ensures the FBI won’t seize users’ data.

It should also be mentioned that this style of encryption covers Dotcom’s own butt. Were he to be charged – as he is currently in relation to MegaUpload – he could easily, and accurately, claim he had no idea what content was being stored by his service.

What’s with the security stuff?

Pre-launch, Mega’s super-tight security was the talk of the town. Given his company’s previous problems with authority, a tight grip on security made sense.

Unfortunately, it’s looking like more security was placed around the company than the users. Only a week into operations, several analysts have already located and begun exploiting some major holes.

Chief among the security sins, Marcan (a member of fail0verflow) said, is the hashing of files using the cryptographic technique known as cipher block chaining message authentication code -- better known as CBC-MAC – which, as the name implies, is meant to authenticate messages rather than be used as a hashing function. "A few people have asked what the correct approach would've been here," he said. "The straightforward choice would've been to use SHA1, though MD5 or SHA256 -- for the more paranoid -- would also have worked well." Basically, the content hosted on Mega, though encrypted, is using weak keys that could easily be intercepted and cracked. 
Thanks to using CBC-MAC, however, the Mega service is vulnerable to having uploaded files intercepted. "If you were hosting one of Mega's CDN [content delivery network] nodes (or you were a government official of the CDN hoster's jurisdiction), you could now take over Mega and steal users' encryption keys," Marcan said. "While Mega's sales pitch is impressive, and their ideas are interesting, the implementation suffers from fatal flaws. This casts serious doubts over their entire operation and the competence of those behind it." [InformationWeek]

But here’s the rub. From what we can see, the encryption isn’t about content security. After all, Mega is designed, unofficially, to host pirated content, not business and trade secrets. Even weak encryption gives the company a way out should they ever be charged as pirates.

And that’s not all. A security researcher named Steve “sc00bz” Thomas discovered that password confirmation emails from Mega include plain-text hashed copies of users’ passwords.

Hashing is a common technique for encrypting passwords. When looking at a hash, instead of seeing “password1234” you would see something like “qi8H8R7OM4xMUNMPuRAZxlY".

Since emails generally travel without encryption, anyone could snag the message off a network and simply use a brute-force attack (random guessing of common words) to crack the hash. If your password is something stupid like, “password”, or “mylittlepony”, a brute force attack can crack it in no time. If you’re smart and use something like “fd3kie?ba”, the brute force attack will likely take until the end of time.

In other words, Mega’s user security depends almost entirely on the strength of a user’s password… which, as of this writing, cannot be reset by the user should it become compromised. Splendid.

What now?

Good question, nobody’s really sure. U.S. authorities have already said they’re ready to come at Dotcom with more charges pertaining to Mega, but with the format of his new endeavor, those might be tough to serve.

For now, if you decide to use the service, just keep in mind that your information, while encrypted, could be vulnerable. And as always, use a strong password!

Friday 18 January 2013

Fraud and Identity Theft is on the Rise. Lock that info up!

Photo Credit: Adam Thomas
Blightly's Fraud Prevention Service said two out of three fraud cases in the UK involved identity theft.

I know, I know, we're all aware that identity theft happens. But most people don't think about how it happens.

Of known attacks, hacking is used in about 11%. But, and this is a big but, 65% of identity theft victims don't know how their identity was stolen. Experts believe a large portion of that 65% is a result of hacking. (Here's an interesting Wired piece on it.)

Here's some data on fraud from CIFAS, a fraud prevention organization in the UK:

·         Nearly 250,000 confirmed frauds were identified during 2012 by CIFAS Members, the highest number of frauds ever recorded by CIFAS Members and over 150,000 cases had an identifiable victim.
·         The continued blight of Identity Fraud accounts for over 50% of all frauds recorded in 2012.
·         The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.
·         Conversely, frauds committed by the genuine account holder or applicant have all declined: the most notable being the decrease in fraudulent misuse of an account (Misuse of Facility fraud) which fell in 2012 by over 15% from the record levels seen in 2011. There has also been a fall in proven false insurance claims and instances of individuals submitting false details or documents in support of an application.

So here’s the takeaway: Fraud and identity theft are on the rise and a lot of it is linked to your online activity.

This is just a friendly reminder to take your online security seriously. Get an antivirus program, be smart when you click on links, and use a VPN! If you haven’t heard us say it a thousand times, a VPN is one of the best ways to keep your online information safe! Remember, identity thieves won’t think twice to snoop on your Wi-Fi connection to snag your banking credentials, your credit card number, or even your home address. But if you lock that information up with 128-bit encryption and a VPN tunnel, even the most adept hackers won’t have a hope of stealing your data!