Insights For Success

Strategy, Innovation, Leadership and Security


Operational security tips to safeguard your privacy when crossing a border

General | Edward Kiledjian

Every week I read about another traveller who is hassled at the border to hand over a laptop, tablet or smartphone along with the associated passwords. Knowing that a stranger has gone through your personal “stuff” feels dirty (similar to being robbed).

A question I get asked often by readers, friends and colleagues is “How do I travel through international borders without worrying that my life will be put on show for some stranger with a badge?”. If you don’t believe this can happen, here are some interesting articles:

Operational Security 101

Physical security and digital (cyber) security are merging fast, and you cannot have one without the other. So what is a traveller to do?

  1. Identify your sensitive data. Before travelling, take an inventory of the data you will carry across the border. This is not just intellectual property or employee information: once authorities have access to your email without you present, they can enumerate the social media accounts tied to it, reset your password on any site that uses that mailbox for recovery, and build a social graph of all your contacts from your email, instant messages and address book.

  2. List the threats you are exposed to. Consider everything from device theft to authorities rifling through your personal data with no regard for privacy.

  3. Rate the risk of each threat. As long as your data is backed up and your device is encrypted, a theft costs you the price of a replacement and the scramble to buy one while in transit. The risk rises sharply once you add a border inspection, because there the inspector can compel the passwords that your encryption relies on.

  4. Design your countermeasures. For each threat, design a mitigation or risk-minimization plan. This is what the rest of the article covers.

Countermeasures

Like a broken record, I will now extol the virtues of Chromebooks and explain why many security professionals rely solely on these devices when security is essential. I know many of you will email me to explain why Google is evil and shouldn’t be trusted. I respect everyone’s opinion, and if you believe using Google products and services doesn’t meet your security requirements, then, by all means, choose something else.

A Chromebook is designed to be reinitialized at any time and to restore its state quickly. Log into a device on a reasonably fast network and within minutes you are back up and running with your apps, extensions, bookmarks and settings. Your data is stored in the cloud, and the local user storage on the device is encrypted.

Theft

If some numskull steals your device, you will have to buy a new one, but at least your data is safely stored in the cloud, and there is no unencrypted data locally to expose you. I have had my device stolen on a train in Europe (on my way to speak at a conference). At my destination, I bought a Chromebook, used the store's Wi-Fi to restore my device, and I was up and running within 30 minutes.

Border inspection

Border inspection is a different beast: in many jurisdictions, agents can demand your passwords and seize the device or deny you entry if you refuse, so encryption alone does not protect you. The only workable strategy is to make sure the device you present contains nothing worth finding.

For people crossing the border with sensitive information, I recommend using a Chromebook and syncing everything to the cloud. Before travelling, Powerwash the Chromebook (reset it to factory defaults) and log into it with a dummy Google account.

This Google account should have some emails, contacts, bookmarks, files in its Google Drive, etc., so that it looks like an authentic, lived-in account. When the device is inspected, it contains nothing of interest, and your “real” data is never at risk.

Once you are across the border, find a Wi-Fi network, Powerwash the device again and log in with your “real” account. Two caveats: Powerwash only wipes the device, so the real account itself must be protected with strong two-factor authentication in case its password is ever demanded, and a Chromebook enrolled in a corporate Google domain may re-enrol itself after a Powerwash, so this only works cleanly with an unmanaged device. This approach minimises what is on the device; being asked directly about other accounts is a legal question, not a technical one.

What about your smartphone?

I trust the Chromebook Powerwash process enough to reuse a Chromebook that was inspected by border security, but not a smartphone. Smartphones (iPhone or Android) do not have the excellent backup and recovery properties of the Chromebook. In most cases, I travel with a real, fully loaded smartphone and will destroy it if it is ever taken from me. I will immediately change all my passwords and implement honeypot-style detection tools to see if they attempt to exploit me.

What are these detection techniques? One example is the free Canarytokens service (canarytokens.org), which generates different kinds of honeypot tokens for your work environment.

As an example, you create an easy-to-find Word or PDF file (stored in your Google Drive) that carries a token: a reference to a remote resource that the viewer application fetches when the file is opened, which sends a beacon back to you with the time and source of the open. Think of these tools as motion sensors warning you that your digital life is at risk and that you need to take extraordinary measures to protect yourself.
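The beacon side of this, as an added example that is not Canarytokens code and does not use their service: each planted file carries a unique, unguessable URL, so any request for that URL is an alert, and because every document gets its own token you also learn which file was opened. The host name, the planted-file registry and the three access-log lines below (Combined Log Format, as Apache and nginx write by default) are all constructed for illustration.

```python
"""Canary-token beacon detection over web-server access logs.

Added example for this article; it is not Canarytokens code and does not
use their service. Every planted file carries a unique, unguessable URL,
and any request for that URL is an alert, because no legitimate process
ever fetches it. The host name, the planted-file registry and the log
lines are constructed.
"""
import re
import secrets
from datetime import datetime

BEACON_HOST = "canary.example.com"  # assumed: a web host you control


def new_token() -> str:
    """32 hex characters from the OS CSPRNG: nobody requests this path by accident."""
    return secrets.token_hex(16)


def beacon_url(token: str) -> str:
    """The URL to embed in the document as its remote image/resource reference."""
    return f"https://{BEACON_HOST}/t/{token}/logo.png"


# Registry of planted documents: token -> where it was planted (constructed).
PLANTED = {
    "0123456789abcdef0123456789abcdef": "Google Drive / 'Board deck Q3.docx' on the travel laptop",
    "fedcba9876543210fedcba9876543210": "dummy account / 'passwords.pdf'",
}

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TOKEN_PATH_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{32})/")


def find_hits(log_lines, planted=PLANTED):
    """Return one alert per request for a token path, with attribution.

    Unknown tokens are reported too: a 32-hex path under /t/ that is not in
    the registry means someone is probing the beacon host itself.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        t = TOKEN_PATH_RE.match(m["path"])
        if not t:
            continue  # ordinary traffic
        token = t["token"]
        hits.append({
            "token": token,
            "planted_in": planted.get(token, "UNKNOWN token: probe of the beacon host"),
            "source_ip": m["ip"],
            "user_agent": m["ua"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        })
    return hits


# Constructed sample: one open of the planted deck (Word fetching the remote
# image), one ordinary request, one probe of an unregistered token.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/May/2019:03:12:44 +0000] '
    '"GET /t/0123456789abcdef0123456789abcdef/logo.png HTTP/1.1" 200 120 '
    '"-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.11629; Pro)"',
    '203.0.113.9 - - [26/May/2019:03:13:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [26/May/2019:04:00:10 +0000] '
    '"GET /t/ffffffffffffffffffffffffffffffff/logo.png HTTP/1.1" 404 0 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"ALERT {hit['time']:%Y-%m-%d %H:%M} {hit['planted_in']} opened from "
              f"{hit['source_ip']} ({hit['user_agent']})")
```

Run it against your real access log instead of SAMPLE_LOG and page yourself on any hit; the user agent tells you which application opened the file, and the source address tells you from where.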

Conclusion

An article about traveller border-crossing security (OPSEC) could be very long, but I wanted to give you a gentle introduction. If you are a journalist, politician or senior executive at risk, hire a good security consultant to guide you. The most expensive advice is free advice.

If you are a journalist with a reputable organization working on high-risk reporting and need security advice, I am always available to provide free guidance. I believe free and open journalism is a pillar of our modern democracy.


Continuous authentication is the future

General | Edward Kiledjian

User authentication is one of the most important and fundamental building blocks of security. Authentication is built on a username, a password, a token, biometrics or any combination of these. Regardless of the model, authentication is performed once, when the user starts interacting with the target system.

What do you do if you require a higher level of assurance? What if you need to be sure the user interacting with your system is always who they say they are? This is where the concept of continuous authentication comes in. We started to see the concept reach the mass market with the Apple Watch and Apple Pay: you authenticate once and, as long as the watch stays on your wrist (confirmed by its wrist-detection sensor), you do not need to re-authenticate. Apple Pay can be reasonably sure that the person making a payment is the user who authenticated originally.

Continuous Authentication is a paradigm shift moving authentication from an event to a continuous risk management process.

Dynamic, risk-based authentication means the system continuously monitors changes to environmental parameters and re-evaluates the trustworthiness of the user throughout the session.

The shift to continuous authentication is inevitable. Not only will it make authentication more natural for the user but it will allow security administrators to implement much tighter security models.

As an example, if the user walks away from the computer, the system could notice and freeze the interactive session. Another example: a user on a PC is tricked into launching malware. The system could be intelligent enough to recognise that a rogue process, not the user, is driving the input and block access.

Continuous authentication draws on the full array of modern sensors and on others yet to be released: keyboard typing speed and rhythm, how the user swipes on a touchscreen device, how the user moves the mouse, camera input, gait analysis from the accelerometer in a smartphone or smartwatch, and so on.
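One of those signals, keystroke rhythm, turned into the continuous risk-management process described above, as an added example that is not code from any product: a profile is built from enrollment samples of inter-key latencies, and a session keeps a trust score that decays while the user is idle (the walk-away case), recovers when fresh typing matches the profile, and freezes the session when it does not. All timings, the decay rate and the thresholds are constructed for illustration.

```python
"""Continuous authentication from keystroke timing, modelled as a trust score.

Added example for this article, not code from any product. Enrollment
samples record the latency in milliseconds between consecutive key presses
while the user types a fixed phrase. A session then keeps a trust score that
decays while the user is idle and moves up or down as each fresh typing
sample agrees or disagrees with the enrolled profile; below a threshold the
session is frozen and the user must re-authenticate. All timings, the decay
rate and the thresholds are constructed.
"""
import statistics

SIGMA_FLOOR_MS = 5.0          # never let a near-constant latency produce a huge z-score
IDLE_SECONDS_PER_POINT = 30   # lose one trust point per 30 s with no evidence of presence


def build_profile(samples):
    """Per-position (mean, std dev) of inter-key latencies across enrollment samples."""
    width = len(samples[0])
    columns = [[s[i] for s in samples] for i in range(width)]
    return [(statistics.mean(c), max(statistics.pstdev(c), SIGMA_FLOOR_MS)) for c in columns]


def deviation(profile, sample):
    """Mean absolute z-score of a live sample against the profile (0 = identical rhythm)."""
    return sum(abs(x - mu) / sd for (mu, sd), x in zip(profile, sample)) / len(profile)


class Session:
    LOCK_BELOW = 40.0   # trust below this freezes the session

    def __init__(self, profile, trust=100.0):
        self.profile = profile
        self.trust = trust   # 100 right after a strong initial login
        self.locked = False

    def idle(self, seconds):
        """No input at all: the user may have walked away, so confidence decays."""
        self.trust = max(0.0, self.trust - seconds / IDLE_SECONDS_PER_POINT)
        self._check()

    def observe_typing(self, sample):
        """Score a fresh sample; a matching rhythm restores trust, a foreign one burns it."""
        z = deviation(self.profile, sample)
        if z < 1.0:
            self.trust = min(100.0, self.trust + 10)
        elif z < 2.0:
            self.trust -= 10   # borderline: fatigue, a new keyboard, or someone else
        else:
            self.trust -= 40   # clearly not the enrolled rhythm
        self._check()
        return z

    def _check(self):
        if self.trust < self.LOCK_BELOW:
            self.locked = True   # freeze the session; explicit re-authentication required


# Constructed enrollment: four samples of five inter-key latencies (ms).
ENROLLMENT = [
    [120, 140, 95, 210, 130],
    [125, 135, 100, 205, 128],
    [118, 145, 92, 215, 135],
    [122, 138, 97, 208, 131],
]
LEGITIMATE_SAMPLE = [121, 141, 94, 212, 129]   # same person, same rhythm
IMPOSTOR_SAMPLE = [180, 90, 160, 250, 200]     # someone else at the keyboard


def demo():
    """Walk one session through legitimate typing, idle time and an impostor.

    Returns the (trust, locked) state after each event.
    """
    session = Session(build_profile(ENROLLMENT))
    trace = []

    def snap():
        trace.append((session.trust, session.locked))

    session.observe_typing(LEGITIMATE_SAMPLE)  # owner typing: trust stays at 100
    snap()
    session.idle(300)                          # five minutes away: trust decays to 90
    snap()
    session.observe_typing(IMPOSTOR_SAMPLE)    # foreign rhythm: down to 50, still unlocked
    snap()
    session.observe_typing(IMPOSTOR_SAMPLE)    # second strike: 10, session frozen
    snap()
    return trace


if __name__ == "__main__":
    for trust, locked in demo():
        print(f"trust={trust:5.1f} locked={locked}")
```

The design point is that no single reading locks anyone out: a legitimate user with a sore wrist dips and recovers, while an impostor keeps losing trust on every sample until the session freezes and a full re-authentication is demanded.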

Although continuous authentication will be easy for users, expect it to be very complicated for developers. Expect this to be a burgeoning market in the coming years, something most security professionals have to start thinking about now. We expect to start seeing serious mass-market products around 2020-2021.

US bans use of Huawei technology through Defense Authorization Act

General | Edward Kiledjian

US President Donald Trump has signed the National Defense Authorization Act for Fiscal Year 2019 into law. Section 889 (Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment) bans the use by government agencies and contractors of Huawei or ZTE technologies.

The language of the act is ambiguous and doesn't clearly list which technology is or isn't covered by the prohibition. The operative clause reads:

procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system

ZTE and Huawei equipment can no longer be used to access government systems, so it is safe to assume that most agencies and contractors will purge their networks of systems built on or incorporating these technologies.

I have not yet seen an official response from either of the tech companies.

Stay tuned. 

Fun with Shodan and IoT

Edward Kiledjian

Read this related article: Find phishing and malware with a simple search

Search engines have become a favourite starting point for threat actors, so they should also be your starting point. Beyond Google, there are a number of specialized search engines that are powerful and scary. This article talks a bit about Shodan. Think of it as a gentle introduction.

What is Shodan?


Shodan is often called the world's most dangerous search engine. Shodan catalogues metadata (service banners, ports, products, locations) about its targets, and its targets are often Internet of Things (IoT) devices. Hackers and security researchers use Shodan daily to find vulnerable webcams, open traffic light systems, SCADA systems in manufacturing plants and much more.

I'm going to assume you have a free Shodan account.

Browse the categories

If you visit the Shodan Explore section, you can find all kinds of interesting systems listed.

Unprotected webcams


For this example, I searched for the Axis 212 webcam, which is known to have many vulnerabilities and a known default password.

As an example, the webcam I highlighted seems to be in a daycare facility and isn't even password protected.

I've blurred out the children and teacher.

Some are unprotected. Some still have their default passwords (there are plenty of default password lists like this one). Many of these cameras are made by a handful of manufacturers in China and are never updated, so once you find a vulnerability in one model it often works on dozens of others.

Routers


You can search Shodan for common router brands like Belkin, D-Link and Netgear and then try to log in with the default admin passwords. One result was a Linksys router exposed to the internet without any password; others are exposed with the default password.

Intel AMT exposed to the internet

There is a major Intel AMT vulnerability, yet Shodan showed 4,647 devices with AMT connected to the internet (on July 22).


If you search for "http intel active management" in Shodan, you will get a listing of these devices. AMT's web interface normally listens on ports 16992 (HTTP) and 16993 (HTTPS), so adding a port filter narrows the results further.


Other searches you can perform

Netgear devices with port 80 open to the internet

Bitcoin servers

You can even use the Shodan ShipTracker dashboard to track ships in real time.


ShipTracker is harmless on its own, but combined with data from other sources and the knowledge that many shipboard systems use default passwords, it is a disaster waiting to happen.


Memcached servers exposed to the internet have no authentication, so a threat actor can read or modify the cached data, and because the service also answers over UDP it can be abused as a DDoS amplifier; that is how GitHub was hit with a record 1.35 Tbps attack in February 2018. Not all Memcached servers are exposed this way (I won't show you how to find the vulnerable ones), but how would you search for Memcached servers on the net? The answer is with a Shodan query.


Conclusion

Obviously, this is just the tip of the iceberg. A true threat intel specialist will be able to automate Shodan queries and then combine them with known vulnerabilities, exploits or default credentials. I am hoping this article created a bit of interest in you to learn more. 

For this article, I only chose examples that were exposed to the internet and were not password protected. Be careful as laws differ around the world. In some countries even testing default passwords could be considered "hacking". 
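What that automation looks like in practice, as an added example that is not Shodan's code or the author's: it composes filter queries like the AMT and Memcached searches above, and then triages result records offline, flagging AMT management interfaces, exposed memcached instances and device products with documented default logins, and noting whether an HTTP banner even issued an authentication challenge. The record layout follows the JSON Shodan's search API returns (each entry in "matches" carries ip_str, port, transport, product, version and a "data" banner), but the four records, their banners and the default-login table are constructed for illustration.

```python
"""Offline triage of Shodan search results.

Added example for this article, not code from Shodan or from the author.
The record layout follows the JSON Shodan's search API returns for each
entry in "matches" (ip_str, port, transport, product, version, data), but
the records, banners and default-login table here are constructed.
"""
import re

# Products whose vendor ships a documented default login. Constructed
# placeholder table: populate it from your own vetted default-password list.
DEFAULT_LOGIN_PRODUCTS = {
    "Linksys": "vendor default login documented in the manual",
    "Netgear": "vendor default login documented in the manual",
    "AXIS 212": "vendor default login documented in the manual",
}

AMT_PORTS = {16992, 16993}   # Intel AMT web interface: HTTP and HTTPS
MEMCACHED_PORT = 11211       # memcached, same port over TCP and UDP


def build_query(text="", **filters):
    """Compose a Shodan search string: free text first, then filter:value pairs.

    build_query("http intel active management", port=16992)
    -> 'http intel active management port:16992'
    """
    parts = [text] if text else []
    parts += [f"{name}:{value}" for name, value in filters.items()]
    return " ".join(parts)


def auth_required(banner):
    """True when an HTTP banner shows the service at least asks for a password."""
    status_line = banner.split("\n", 1)[0]
    return bool(re.search(r"HTTP/\d\.\d 401\b", status_line)) or "WWW-Authenticate:" in banner


def triage(matches):
    """Return the hosts worth a closer look, each with the reasons it was flagged."""
    findings = []
    for m in matches:
        banner = m.get("data", "")
        product = m.get("product", "")
        reasons = []
        if m["port"] in AMT_PORTS or "Active Management Technology" in banner:
            reasons.append("Intel AMT management interface reachable from the internet")
        if m["port"] == MEMCACHED_PORT or product.lower() == "memcached":
            reasons.append("memcached exposed: unauthenticated, and a UDP amplifier if UDP is enabled")
        if product in DEFAULT_LOGIN_PRODUCTS:
            state = "login page answers 401" if auth_required(banner) else "no authentication challenge seen"
            reasons.append(f"{product}: {DEFAULT_LOGIN_PRODUCTS[product]}; {state}")
        if reasons:
            findings.append({
                "host": f"{m['ip_str']}:{m['port']}",
                "transport": m.get("transport", "tcp"),
                "reasons": reasons,
            })
    return findings


# Constructed sample records in Shodan's "matches" layout (TEST-NET addresses).
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 16992, "transport": "tcp",
     "product": "Intel Active Management Technology",
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: Intel(R) Active Management Technology 11.8.50\r\n"
             "WWW-Authenticate: Digest realm=\"Digest:0123\"\r\n"},
    {"ip_str": "203.0.113.20", "port": 11211, "transport": "udp",
     "product": "Memcached", "version": "1.4.15",
     "data": "STAT pid 1\r\nSTAT uptime 86400\r\nEND\r\n"},
    {"ip_str": "198.51.100.5", "port": 80, "transport": "tcp",
     "product": "Linksys",
     "data": "HTTP/1.1 200 OK\r\nServer: httpd\r\nContent-Type: text/html\r\n"},
    {"ip_str": "198.51.100.9", "port": 443, "transport": "tcp",
     "product": "nginx", "version": "1.14.0",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n"},
]

if __name__ == "__main__":
    print(build_query("http intel active management", port=16992))
    for f in triage(SAMPLE_MATCHES):
        print(f"{f['host']}/{f['transport']}")
        for r in f["reasons"]:
            print("   -", r)
```

Feed it the "matches" list from a real API response (the official shodan Python client's search() returns exactly that shape) and the plain nginx host drops out while the three interesting ones surface with their reasons. The triage only reads banners Shodan already collected; it never touches the hosts, which keeps it on the right side of the legal caveat above.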

Google Chrome's Spectre Mitigation is consuming 10% more RAM

General | Edward Kiledjian

Google Chrome has always been a resource hog, but you may have noticed that it has been consuming a little more RAM lately (on the desktop).

This more demanding Chrome is the result of Google's Spectre mitigation efforts. The Chrome security team has enabled Site Isolation by default in Chrome 67 for desktops. Justin Schuh, head of Chrome security, explained that Site Isolation gives each site its own renderer process, so a malicious page cannot use a speculative-execution side channel such as Spectre to read another site's data out of a process it shares.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”

Don't expect to see this on the Android version any time soon; the resource requirements are too high (for now). On the desktop you can confirm it is active: Chrome's task manager lists cross-site iframes as separate "Subframe" entries when Site Isolation is on, and the same behaviour can be forced on any build with the --site-per-process command-line flag.

Chrome is obviously my browser of choice but I have been concerned at the amount of resources it requires and this move (although right from a security perspective) further pushes Chrome in the wrong direction. 

Additional reading: