Facebook Tracks Non-Users Too!

As some people are just learning, Facebook has been tracking both users and non-users, a violation of privacy that most never opted into.  Any time you visit a Facebook-related or Facebook-enabled site, they are tracking you.  Likewise, as a Facebook user, they track and relate all of your off-Facebook activity on any site that uses Facebook plugins or functionality (which is a lot of sites).  This is horrible and should be stopped, but in all fairness “they all do it” and if anything Google is probably worse.

If the above is not bad enough, the PRISM network has backdoors to all of these services so you are being violated directly by corporations and multiple governments who index all of your activity.  Privacy is a thing of the past unfortunately.

However, there are ways to fight back, such as disabling cookies or deleting all cookies regularly, and especially using a random VPN to make tracking harder.

It’s not so much that the majority of people have anything to hide, but privacy is a right everyone has.  Most people would object to having cameras in the washroom, not because they are doing something wrong but because you have the right to dignity and privacy.

Hopefully the longstanding issue with most giant online sites, Facebook, Google etc., will drive demands from people around the world to restore privacy and digital rights in an era where infringement is common.


Lightning Network – LN Network DDOS’d and Attacked By Organized Group

A group calling itself Bitpico has bragged about attacking the LN (Lightning Network).  The group claims it is stress testing the network and the LN developers responded that they are analyzing and trying to close any attack vectors before the currency is used more.

It is almost a traditional DOS attack where nodes were flooded with false transactions to overwhelm them so no real transactions could get through (similar to a web attack that opens frivolous connections to overwhelm the server).

Inevitably almost all networks go through this and it really is a typical cat-and-mouse game in any public, permissionless blockchain.  It is really an IT security nightmare where no one is authenticated or vetted whatsoever.  There is little to deter organized and well-funded groups from attacking blockchains if they have enough motivation, and clearly many do.


Why Deleting Facebook Is Futile Unless…..

I’ve had this conversation with a lot of people over the years and what I’ve found is that the majority of people are complacent about privacy and security.  In a way it is good that some have woken up to what Facebook is and has been doing, but there is an idea some have floated that “I will trust Facebook until it gives me reason not to”.  This is a completely flawed idea in my opinion.  Facebook was never trustworthy and its TOS always gave it the right to violate your privacy, harvest your data for both government and marketing purposes, etc.  In fact Google, Gmail, Hotmail, Telegram, WhatsApp and the list goes on are free for a reason.  One, they make money by spying on you, and two, they also provide a great backdoor for the NSA to spy on you (hopefully everyone now understands the PRISM spying network).

There were times when some would debate the length and depth of spying by major free services, but this is no longer in debate.  If you are using these freebie services and just delete Facebook alone, you haven’t done enough.

Here are some steps to secure yourself and your privacy:

Delete Everything!

Seriously stop using these free chat and e-mail services and tell your friends and family that you won’t communicate via those mediums.

Secure Your E-mail

Use your very own e-mail server with encryption, including GnuPG to encrypt e-mails both in transit and in storage.  There are providers who can get you a VPS or full dedicated server for this purpose.  You will probably find that your e-mail stops going missing, and is fast and more reliable to boot!

Stop Using US Based Massive Cloud Servers

This could be in the form of an Amazon, Microsoft or Alibaba VPS instance, but you can expect that those services will not be keeping your data private and most likely have been obliged to allow backdoor access to your server and data.

Another type of user would again be those who “store data in the Microsoft, Google or Apple Cloud”.  Stop using those services if you value your privacy.

Secure Your Chat

Everyone likes instant chat, but did you ever wonder why all the traditional chat services like ICQ and MSN Messenger shut down?  My belief is that being forced to chat on your phone makes it easier to both identify and track you, and also to spy on you.  Once again the top offenders are Telegram, WhatsApp and any similar ones.

To secure your chat you should run your own encrypted chat server.

These are just a few common-sense things you can do to make it much more difficult to have your rights and privacy violated.  Personal and intimate moments shouldn’t be uploaded to the Cloud for corporate and government agencies to peruse!

In general try to think in a security-minded way, perhaps as you would about your house.  Would you feel secure at home if you knew your living quarters were shared with multiple people or were being spied on constantly?  Think about the steps you would take to protect your house or property from intruders and spies.  Your digital house works the same way, so be sure to keep the keys and access in your control and not that of a third party that can’t be trusted.

The NSA is spying on cryptocurrency including Bitcoin – Edward Snowden

Unsurprisingly, Edward Snowden recently revealed to the world that the NSA is tracking cryptocurrency users, including Bitcoin users.  What makes it worse, but is also not surprising, is that they tricked users into installing security software they wrote that actually feeds all of their private data and crypto keys back to the NSA directly.  It is soon going to be an absolute necessity to increase your own security and to start using better, more secure coins that cannot be so easily tracked.  This is the equivalent of the government following you around, poking around in your wallet and watching each transaction you do, even with cash.  There’s no privacy anymore and ironically cryptocurrency is part of the reason, or shall we say at least the majority of insecure, public, permissionless blockchain based currencies are.  This could send the value of currencies like XMR/Monero skyrocketing as a Bitcoin alternative.  While Monero is in my opinion better than Bitcoin in almost every way, it is still not the perfect coin as it does have some issues, including the use of PoW and of course the whole public, permissionless issue, speed issues etc.

Ripple’s First Central Bank Contract with Saudi Arabia!

This is huge news for Ripple but apparently at the time of writing Ripple has tumbled more than 5% to .957 USD (under a dollar now).  To be honest I do hold Ripple but I believe my analysis to be unbiased.

The news is huge that Ripple will help Saudi Arabia settle foreign currency transactions and shows Ripple has proven itself in the large scale banking and even central banking industry.  It looks like other gulf countries including the UAE (United Arab Emirates) are going to be involved as well which could be really huge for Ripple.  One thing that many have said though is that none of these banking organizations involved are really interested in XRP.  They are using Ripple’s network but these transactions are not being funded or traded in XRP itself.

Some industry analysts have speculated that Ripple’s relationship with big banks is so strong that it may have strong incentive in the future to literally kill/dissolve XRP.

Despite this my outlook on Ripple is strong, with the reservation that it is mainly a tool for large banks.  Don’t get me wrong, the technology works well for transactions in terms of being low-fee, fast, not having to sync the blockchain, and very secure (aside from no first-party wallets….), but can we trust this company to protect our interests and those of its large banking clients?

I think this is why Ripple itself has been volatile: from an investment standpoint it sounds great, but it is also bad because Ripple is kind of a crypto-rebel, essentially being the tool that cryptocurrency was meant to fight or free us from (the tool of big banks and now Saudi Arabia’s central bank).

To look at it from the other perspective though this could mean a huge rise for Ripple in valuation but it could also mean the opposite.  Ripple has carved out an incredible niche but at the same time risks alienating its main users and investors.  The question is what will Ripple as a private and centralized blockchain do?

I do agree the author of the quoted article above could very well have it right for the end game.   It’s a shame because Ripple solves a number of key issues while also introducing security and trust issues at the same time.  Ripple works well but will it literally sell us users and investors out to central banks in the future?

I’ve attempted to play the lotto and will seek Ripple’s comment on these concerns but regardless of assurances only time will tell where things head.

Meltdown and Spectre Analysis and Current Status

There seems to be a lot of complacent or feel-good news that Meltdown and Spectre will solve themselves or that users need not worry or take any care, but this couldn’t be further from the truth.  In reality, CPU makers saying “there are no known cases of exploits” does little to allay the fears of those in the know.  This is because Spectre and Meltdown will not leave any trace or evidence that you’ve been hacked, although it can be argued that there may be some signs of unauthorized access if that was how access was gained.

However, the nature of Spectre and Meltdown allow for normal authorized users, programs and even scripts on websites to exploit you.  This is why it is so scary as there’s really no way to be certain you haven’t been breached.

It’s an issue for everyone because these exploits could impact anything from your bank, transportation/transit, airplanes, nuclear power plants, and basically anything else that relies on computing security, since Meltdown and Spectre are a complete breakdown of those barriers.  I won’t go into more of the basic details but I did make a quick “take on the issue here”.

The good news

There were patches quickly released for a lot of Linux, Windows and Mac devices.  However this doesn’t mean that the users installed the patches or that all users have the ability or access to do so.  Take for example physically remote computers, devices and perhaps some that are running headless that may not be easily accessible or that for some reason have patches disabled (this is more common than you’d think in production or mission critical environments).

Then what about old and unsupported versions of operating systems or that old security system, phone, or TV box, or even ATM whose manufacturer may not be around anymore or is just simply not offering support?

It’s the same issue as with many common worms and viruses: patches and fixes may be issued, but millions or more are often still affected long after for various reasons.

The bad news

Even if we assume that Google discovered these flaws first, and if we assume they weren’t mandated to be put there via ARM, AMD and Intel, what about insiders who knew about this back in June or even earlier?   From that point a number of individuals and groups could have compromised or damaged sensitive data and computer systems.  There’s still time, since a lot of devices and people will not be patched yet.

And to make things worse, the only true way to solve this issue is with a CPU microcode update, which is not simple to deploy, especially on embedded devices, and any mistake can lead to a bricked device.

These OS patches are just that, “patch work”: a hack or workaround to mitigate the issue.

Then there’s the question of “we know there are 3 variants or vectors of attack”.  What if there are others that are not yet discovered?  You can be sure well-equipped and well-funded organizations/hacking groups are working on this as we speak, and they certainly won’t be disclosing it.  Until all devices have microcode updates there’s no way to be certain we are safe from unknown vectors related to Spectre and Meltdown.

What can you do?

Simply look out for the latest updates for your devices/phones/computers and install the update, but don’t falsely assume a new update means you are protected unless you’ve read that “this update fixes the Spectre and Meltdown issue”.

My Take On Meltdown and Spectre Computer Security Flaws

Spectre and Meltdown allow a non-privileged user (non-root/non-Admin) to access memory they aren’t supposed to, essentially dissolving the majority of computing security and privacy barriers.  This could be a guest user collecting sensitive information/passwords for an entire database, group of users, network etc.

If you are using any computing device, whether it be an ARM-based device, an Intel CPU (although Intel is the worst offender at this point) or an AMD CPU, this issue affects you and billions of other devices and users around the world.  Whether you are on Linux, Unix, Windows or Mac, this applies to you.  It is really an unmitigated scandal and disaster for privacy, security and even safety, with long-lasting and wide-ranging ramifications that will continue to play out for years.

I’ve made a comment in the past about security, IOT and how there are many devices that are now unsupported or can’t be updated leading to huge security issues.  We are now unfortunately there and have been since 1995.

This issue was first reported by Google Project Zero and they are known as the Meltdown and Spectre Vulnerabilities that affect all microprocessors made since 1995 (the modern computing era).

To make it worse there are 3 known “variants” or attack vectors (I suggest there may be more that are undisclosed or not yet known to the public), with variants 1 and 2 being very similar (known as Spectre) and variant 3 known as Meltdown.

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

The attack is possible due to “speculative execution”, where CPUs (computer chips) essentially try to predict future work needed and will actually do sometimes unneeded work, as the performance hit for doing this is less than waiting to execute the instructions later.   This means the computer sometimes performs work that isn’t needed and isn’t used, in order to increase performance.  Where things have gotten bad is that through this feature it’s possible for a normal user/process to gain unrestricted access to memory that they shouldn’t have access to.

What is Spectre?

The primary variants (1, 2) that make up Spectre rely on the user exploiting the speculative execution feature of the CPU to write to memory under their control.  This allows a normal user to read basically the memory of all processes, allowing keys, passwords and confidential data to be intercepted.  AMD claims that Variant 2 does not impact them either.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

What is Meltdown?

Meltdown is the third, more serious and nasty, variant.  It still relies on the speculative execution exploit/flaw but actually allows the attacker to read arbitrary memory (so basically anywhere, at will).  The key feature of Meltdown is that it is the easiest attack to perform and it has been demonstrated on the Intel platform already.

The only good news is that apparently this Meltdown attack only affects Intel and not AMD.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Red Hat has also done an excellent writeup about the issue here:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

How To Protect Yourself

First and foremost you should update your devices as soon as patches become available.  On Linux, enabling KPTI can protect you.   However, for some major Linux distributions users are still waiting for a patch.
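To see whether the mitigations above are actually active on a Linux box, the kernel (4.15 and later) exposes one file per issue under /sys/devices/system/cpu/vulnerabilities; the meltdown file reads “Mitigation: PTI” once KPTI is on. The following POSIX shell script is an added example, not code from the original post: it reports every entry, counts how many still say “Vulnerable”, and checks the KPTI line. The directory built by make_sample_dir() is a constructed sample so the script also runs where that sysfs path does not exist.

```shell
#!/bin/sh
# Added example: report speculative-execution mitigation status from the kernel's
# sysfs interface (real path on Linux 4.15+). The sample directory is constructed.

REAL_DIR=/sys/devices/system/cpu/vulnerabilities

# Print "flag name: status" for each entry in the directory.
report_vulns() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) flag="!!" ;;   # kernel reports no effective mitigation
            *)           flag="ok" ;;   # "Mitigation: ..." or "Not affected"
        esac
        printf '%s %s: %s\n' "$flag" "$(basename "$f")" "$status"
    done
}

# Echo how many entries still start with "Vulnerable".
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Echo "enabled" when the meltdown entry names PTI (KPTI) as its mitigation,
# "disabled" otherwise, and "unknown" if the kernel does not report it at all.
kpti_status() {
    [ -f "$1/meltdown" ] || { echo unknown; return; }
    case "$(cat "$1/meltdown")" in
        *PTI*) echo enabled ;;
        *)     echo disabled ;;
    esac
}

# Constructed sample: what an early patched Intel host might report, with KPTI
# on but the Spectre v2 mitigation not yet complete.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: use the real sysfs directory when present, else the sample.
if [ -d "$REAL_DIR" ]; then
    dir="$REAL_DIR"
else
    echo "no $REAL_DIR here (old kernel or not Linux); using constructed sample" >&2
    dir=$(make_sample_dir)
fi
report_vulns "$dir"
echo "still vulnerable: $(count_vulnerable "$dir"), KPTI: $(kpti_status "$dir")"
```

A line reading “Vulnerable” after a reboot into the new kernel usually means the matching microcode or compiler-level mitigation is still missing, which is the gap between “installed an update” and “protected” that the section above warns about.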

If you are vulnerable and performing critical operations it’s time to make tough choices including possibly turning off your machines or denying all non-admin users access to a server/services if possible.

Ensuring rotation of keys and passwords can also mitigate your risks even if passwords have been compromised.

It comes down to good security practices all around, such as segregating services onto different physical machines and restricting physical and virtual user access.

If possible remove all non-essential or untrusted applications from your device/computer/server.

Dedicated Servers Will Become More Popular

There has been a huge trend to put everything into the Cloud, one that I have reservations with despite owning companies that offer our own private Cloud.

Fortunately we haven’t been impacted by Spectre and Meltdown and are not vulnerable but it does raise questions from our clients that we’ve mentioned before.

I’ve always advocated for physical segregation, which means that if possible you should have your own physical dedicated server that is encrypted and running a minimum set of services with as few users as possible.  By doing this you significantly reduce your risk in a scenario like this, by putting your company database, e-mail, VPN, websites and file server on physically different servers.

Serious Questions and Concerns Raised

I would raise the question: is it really possible that such a wide-ranging exploit was completely unknown for this long, until a team from Google discovered it?  Considering the budgets of major intelligence agencies around the world, who are constantly looking to find exploits of their own, it is conceivable that this vulnerability may have been exploited by specific groups for far longer than it was publicly known.

Another one is Intel’s response to it, with Intel apparently being accused of singling out AMD when, as of now, Intel is far more vulnerable.

Since these chip makers are all US based is it possible they were mandated by law to introduce speculative execution in such a similar way that this vulnerability would be possible?  Considering recent revelations I don’t think it would be inconceivable.

Are there more than 3 variants and if we assume that no one else really knew about Variants 1-3 is it not possible that a well-armed team could find new ways to exploit them?

Long-term Value for Intel, AMD and ARM

At the time of writing Intel’s stock was down about 3%, but this could get worse for any of these companies if one’s vulnerabilities keep increasing and/or one of them is hit with a larger exploit.

Conclusion

It’s hard to give an honest conclusion as we’re just getting started and this is all we know about Variants 1 and 2 (Spectre) and Meltdown.  So far it looks like we were lucky to choose AMD.  The key issue that will come out of this is how many devices and users will remain vulnerable because they are unable to patch, have a device that cannot be easily patched, or no longer have any support from the vendor.  This would increase the number of zombies and data security breaches several fold.

This is also a good time and a wakeup call for all companies to do a security audit and if they don’t have dedicated security staff, to bring in some good IT and security auditors to assess and mitigate these risks before they become costly losses.

IoT (Internet of Things) Security Issues Increase

IoT (Internet of Things) is simply a fancy way of expressing that we have more devices online and connected to the internet than ever before, compared to my favorite tradition of desktop PCs, tablets and phones. With the advent of embedded computing becoming more affordable, powerful and easier to develop than ever, using tools like the Raspberry Pi based on the ARM platform, we have a plethora of new embedded, internet-connected devices added to the everyday things we use.

Common examples of these are new cars, alarm systems, video cameras/surveillance systems, fridges, stoves, home locks, lights, watches, medical equipment and so much more.
The security issue with these devices is more challenging and complex than ever before for both the end user and businesses using them.

No one doubts or denies that it’s an issue, and the privacy, security and financial risks can be quite high. Security in general works on the basis of the weakest link, and it is arguable that a random internet-connected device in your house or business poses an immense security risk, with some of these devices having little to no security or vulnerabilities already known in the wild.

These devices are certainly not impossible to secure; in fact the majority of them are easy to secure, but it’s simply not the forefront or priority of most device makers or developers. Because of this, devices are often completely unsecured and don’t even need to be hacked: sometimes they run a telnet, ssh or web daemon which can be accessed with no password, with a dictionary password like admin/admin or root/root, or with just a username. There are others which cannot be easily updated and which have vulnerabilities that end up being found later and exploited. Even more difficult, some of these devices are physically inaccessible and installed in appliances and other devices where it can be harder to update them. A lot of companies would be reluctant to push out updates because often, if the update failed, it would render the device useless without physical intervention.

We can only hope standards emerge in the industry where updates will be easier, standardized and guaranteed, but this is unlikely to happen. Even for companies who use these products and recognize it is an issue, there is only so much planning that can be done for devices that are not easily managed or accessible.

The only practical solution today is to try to firewall and physically isolate IoT devices wherever possible to reduce the risk (but for a lot of companies this is not easy or practical). At the end of the day more advanced network planning and management will be required, and hardware firewalls will play an ever-increasing role in trying to prevent and detect attacks on these devices.
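One concrete shape that isolation can take, as an added example rather than anything from the original post: an nftables forward-chain policy for a router that keeps the IoT devices on their own interface. The interface names lan0 (trusted LAN), iot0 (IoT VLAN) and wan0 (uplink) and the short outbound allow-list (HTTPS, MQTT over TLS, DNS, NTP) are assumptions for a hypothetical network; the shell wrapper only writes the ruleset to a file so it can be reviewed before nft loads it.

```shell
#!/bin/sh
# Added example: nftables forward-chain policy that isolates an IoT segment.
# Assumed interfaces: lan0 = trusted LAN, iot0 = IoT VLAN, wan0 = uplink.
# The outbound ports are an assumption; trim them to what the devices really need.

write_iot_ruleset() {
    cat > "$1" <<'EOF'
table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed to start.
        ct state established,related accept

        # Trusted LAN may reach the devices' management ports, nothing else.
        iifname "lan0" oifname "iot0" tcp dport { 22, 80, 443 } accept

        # IoT devices may only talk to the internet, on a short allow-list.
        # They can never initiate anything towards lan0.
        iifname "iot0" oifname "wan0" tcp dport { 443, 8883 } accept
        iifname "iot0" oifname "wan0" udp dport { 53, 123 } accept

        # Everything else (IoT -> LAN, internet -> IoT telnet/ssh/web, ...)
        # falls through to policy drop; log a rate-limited sample of it.
        limit rate 5/second log prefix "iot-drop: "
    }
}
EOF
}

# Number of accept rules in a ruleset file: the allow-list should stay short.
count_accept_rules() { grep -c ' accept$' "$1"; }

# Echo "drop" if the chain's default policy is drop (what makes the allow-list
# meaningful), "open" otherwise.
default_policy() {
    if grep -q 'policy drop;' "$1"; then echo drop; else echo open; fi
}

# Stand-alone run: write the file and summarize it. Loading it needs root:
#   nft -c -f "$f"   to check syntax only, then   nft -f "$f"   to apply.
f="${1:-$(mktemp)}"
write_iot_ruleset "$f"
echo "wrote $f: $(count_accept_rules "$f") accept rules, default policy $(default_policy "$f")"
```

The point of the layout is that a device with a default admin/admin telnet daemon is unreachable from the internet and cannot pivot into the LAN even if it is compromised, while the LAN can still manage it; the log prefix gives the firewall logs a string to alert on when an IoT device starts trying to talk where it shouldn't.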

My Take On WannaCry

Reading media coverage of the WannaCry ransomware attack has been excruciatingly frustrating because little to no information was offered on how infection happens and how to protect yourself.

As an IT professional and user I found this frustrating and unhelpful; if I couldn’t find the right answers, there is something seriously wrong.  I couldn’t find the important information in any of the mainstream articles, so certainly a novice or amateur user would have no chance of protecting themselves.

How Did WannaCry Infect and Spread?

Long version here from Malwarebytes

One of the key ways is still the oldest “phishing” trick in the book: e-mail, where many users are tricked into opening infected attachments.  This was not readily available in media coverage, and this simple warning or announcement could have prevented a lot of new infections.  I believe this is a key factor that has not been discussed, since many networks will be behind NAT and external SMB services would be blocked; having users on the LAN install the worm is an easy way to get inside and spread the infection to areas that are hardened on the outside.

The more technical explanation is that there is an exploit called “ETERNALBLUE”, a hacking tool leaked from the NSA, which exploited a weakness in Microsoft’s implementation of SMB (Server Message Block, the file-sharing protocol).   This has been widely reported, but the simple way to prevent automatic infection through this method has not.

Once infected, the worm essentially scans your LAN and then the internet to spread the infection further, which quickly multiplied the damage and scope of this attack.

How to protect yourself?

  1. First and foremost is to update your Microsoft Windows regardless of OS (whether you have XP, Vista, 7, 10, 12 or any Server) because all Microsoft versions are apparently impacted by MS17-010 ETERNALBLUE/WannaCry
  2. Disable SMB/Filesharing in Windows and if that is not possible at least use firewall settings to block SMB/filesharing/CIFS.
  3. If the above is not possible you should physically unplug any impacted machines from the network (it could be as simple as disabling all ports on your network/switch or even unplugging entire switches if possible).

Who is to blame?

There is plenty of blame to go around, but currently a lot of it is coming from Microsoft, who is blaming users for not patching and the NSA for hoarding these exploits and not notifying them or users beforehand.

In all fairness Microsoft did issue patches even for unsupported OSes like Vista and XP on March 14th, 2017.

Many have mused that the NSA should have at least notified Microsoft the moment they realized their hacking tools were leaked.

At the end of the day the question is how could Microsoft have left open such a serious vulnerability for so long?  Was it an intentional backdoor and was it collaboration between Microsoft and the NSA or other third parties?

Some Can’t Patch

Some systems may be running on internal networks on their own LAN, so they wouldn’t have been patched, but they were still infected.  To make matters worse, the chances are these would more likely be critical data and infrastructure that are impacted in this case.

Other machines are not managed properly or remotely, and are deployed with internet access, making them sitting ducks for these types of attacks.

There are also some who just don’t patch because the risk of impacting existing services is too great, although I would argue the risk is much higher if you don’t patch and don’t upgrade or migrate your applications to a more secure platform and then get hit with ransomware like this.

These Issues Are Nothing New

With the Snowden revelations, many have worried that US tech companies being forced to provide backdoor access to the NSA would be vulnerable should other hackers discover the vulnerabilities or intentional backdoors on their own, or, as in this case, when the tools and exploits were somehow leaked.

In the wider scope of things Microsoft has seen worms of this scale in the past; it’s nothing new.  There are no worldwide protocols for notifying users or defending against such worms, and this will certainly become an increasing problem with more and more devices online, especially with IoT and so many connected devices that we don’t think about, that don’t get patched, or that may not have an easy or automatic way of updating.