Your Car, TV, Phone, Computer and Other Devices Spy On You

Years ago this would be called a “conspiracy theory” but now that the CIA’s “Vault 7” hacking tools have been released this is an established truth.  What’s more scary is the revelation applies to pretty much all computing devices and all OS’s.   The CIA has found exploits and used backdoors into the various devices.  I suspect the backdoors and some vulnerabilities were forcefully injected by the US government.  To make it more scary we have the NSA’s PRISM and this combined with the CIA dump is alarming because those entities combined with other governments surely have a lot more than what has been revealed.  It is not a stretch but rather insane to believe you are not likely being watched and listened to.  We haven’t even covered well funded, private hacking groups.

There are two issues here.  The first one is companies who willingly create vulnerabilities and backdoors at the request of governments and private groups.  The second issue is compounded by the first one where on top of that many products and companies also spy on their customers and also share that data with third party companies and governments at will without any disclosure or regulation.

It’s more than just following where you’ve gone and listening and watching you, the new smart vehicles can be hacked and likely have government mandated malware or backdoors.  Imagine if a government doesn’t like someone and they suddenly have a tragic accident.  There is absolutely no reason why this shouldn’t be the case and perhaps one day we may learn of cases of bizarre traffic accidents that were not really accidents at all.

On an interesting note the “Marble Framework” was released which is essentially an anti-forensic tool to make it difficult for malware and virus experts to attribute the code to the CIA or the US government.  The framework would essentially make it look like enemies of the US such as China, Russia, Iran, or North Korea were responsible for cyberattacks and malware that the US itself had created.

With all this it sounds hopeless but it is not, Edward Snowden famously stated “do not give up on encryption” as clearly not everything is hackable and compromised, there are steps we can take to prevent ourselves from being hacked by the government.  Edward Snowden’s comments and actions are of particular use, the fact that he still says to use encryption means there are ways to be secure.  We should also remember that he used the Tails distribution for communication and used OpenPGP, so it appears at least in the recent past, this was a secure and unbreakable way of communicating.

“What last year’s revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default,” he said. — Edward Snowden

How can you protect yourself?  There are steps we can take but avoiding the usage of free, insecure services to communicate such as gmail,facebook,whatsapp and also avoiding products that spy on us.  Try to get an older TV or if you get a newer one rip it open and disable the microphone, wifi etc.  If you drive a vehicle consider again seeing if it is possible to disable some of the spying features on it or drive an older vehicle without technology that logs and calls home.  It’s time to get armed and follow certain procedures, avoid certain products and make it as a difficult as possible to be spied on.  Although the programs and hacking methods, groups like the CIA possess are incredible, not all are guaranteed to be successful especially on those who do not run default or standard settings.

Cloud VPS Server Comparison by Techrich

Recently a friend asked me to compare ourselves to other large Cloud providers.  It didn’t take me long to think about it, considering essentially Techrich and Compevo architecture are identical. This wasn’t by accident, but by my own principles on how an IT company should function.  Since designing what is now known as the “Super High Performance Cloud Architecture” back in 2009. I knew I wanted Techrich to be smart on security, strict on reliability, and strong on IT protocols.

This infographic probably says it the best but I’ll do my best to explain it as well (explanation below the infographic).

Techrich Cloud VPS Server Hosting Comparison

In a nutshell most of the other Cloud architectures out there rely heavily on a shared storage pool for their VPS’s. We don’t do this.

Some companies have even gone down completely when one of their “main shared storage nodes” was hacked or had a hardware failure.

The problem with shared storage nodes/SANs (Storage Area Networks)

The problem with this architecture is that multiple physical hostnodes rely on a single point of failure for storage.  Not only that, but you can imagine the performance issues that shared network bandwidth cause when multiple hostnodes are competing for the same disk IO resources from a single shared node.

Now I know some companies have redundant shared storage but this is not good enough for both performance, security and reliability reasons.

The Techrich way of doing things is that we have tons of individual nodes that are active/failover.  This eliminates the possibility that a shared storage fault could take offline multiple hostnodes.

In our architecture we have Cloud in a 1-to-1 structure, that means data is live replicated to a standby server which does nothing but wait in case the main server fails or has an issue.

By doing this the performance is also higher, since storage is all local, you get the benefit of Cloud architecture but none of the high risks or performance issues that traditional “shared storage” Cloud brings you.

That’s the Techrich advantage and why we developed our own proprietary and hybrid system to accomplish this.  To date we’ve never been hacked or had any downtime and this is because of the architecture we’ve pursued while sparing no expense in delivering what we feel is the best product.  This is what I’d recommend all of my colleagues and friends to do if they went Cloud.  If they were going to use a shared storage cloud I’d recommend that they just make their own with a few dedicated servers or even a single dedicated server can sometimes be better, more affordable and reliable in the long-run.

When these large Cloud companies like Amazon and Alibaba started out, we did wonder would we lose out to customers who valued price over quality, security and reliability?  We were shocked when the opposite ended up happening- there was a sudden rush of sign ups, and not only that, we had to order a ton of extra servers to keep up with the demand.  I had my IT support staff double and working overtime to meet the crazy rush. It was a good problem to have, but it forced me to grow a lot faster than predicted.

In fact we’ve now noticed a trend that the bottom feeders (scammers, hackers, spammers) have gone to the cheap Cloud companies and a lot of larger players have moved to us.  This is in part, because companies who are more tech and privacy orientated who don’t want to be in a PRISM country or be at risk of the NSA being given access to their sensitive, private and proprietary business/ client information  (which is mandated for large-Cloud providers operating out of any PRISM country), so they moved to us and remain with us.

Now we get clients who even run small or middle scale businesses who have found us and switched to us simply because they do not want to be on something as risky as Amazon or Alibaba. I guess you could call Techrich and Compevo, the original IT business security company. And I plan to keep it that way.

 

Cryptocurrency Groups Sue Google, Facebook, Twitter and Yandex For Advertising Ban

This is very interesting and about high time.  There is hardly any legal basis to single out the banning of cryptocurrency and ICOs when so many other questionable things are promoted on Google, Facebook and Twitter.  They could have probably gotten away with banning a few confirmed scam coins or ICOs but they’d also have to demonstrate similar action in other industries that they have never done with this.

The allegation of collusion is important and I am very curious how this plays out.  My suspicion is that these actions are voluntary.  The CEOs of these companies were essentially convinced and paid out to it by stakeholders of fiat and traditional securities.  If not that, here would be an interesting defense if they could make such a defense legally in this scenario I propose.  Of course all 3 of the major companies are based in the US and are subject to the laws of the US including being obliged to co-operate by providing the NSA backdoors for spying.  What if under the pretext of national security these companies were forced to ban cryptocurrency advertising?  It may sound far fetched but the US government even wanted to put tariffs on Canada during negotiations for NAFTA under the pre-text of National Security.

It is hard to say for sure what the truth is but I’ll be following these lawsuits as some of the truth may come out in the reply to the claim, discovery and other filings.  One thing I am sure of is that neither company came up with the idea of their own volition.  It would be another thing to prove which external force or entity is really responsible for this.  Financially it makes little sense since they all stood to profit more from the increased advertising revenue so it is very plausible that some other stakeholders made an offer they couldn’t refuse whether in the form of enticement or being obliged by law (even if falsely under the pre-text of national security).

 

Why Deleting Facebook Is Futile Unless…..

I’ve had this conversion with a lot of people over the years and what I’ve found is that the majority of people are complacent about privacy and security.  In a way it is good that some have woken up to what Facebook is and has been doing but this idea of some floated around that “I will trust Facebook until it gave me reason not to”.  This is a completely flawed idea in my opinion.  Facebook was never trustworthy and its TOS always gave it a right to violate your privacy, harvest your data for both government and marketing purposes etc… In fact Google, Gmail, Hotmail, Telegram, Whatsapp and the list goes on are free for a reason.  One, they make money by spying on you and they also provide a great backdoor to the NSA to spy on you (hopefully everyone now understand the PRISM spying network).

There were times where some would debate about the length and depth of spying by major free services but this is no longer in debate.  If you are using these freebie services and just delete Facebook alone you haven’t done enough.

Here are some steps to secure yourself and your privacy:

Delete Everything!

Seriously stop using these free chat and e-mail services and tell your friends and family that you won’t communicate via those mediums.

Secure Your E-mail

Use your very own, owned e-mail server with encryption including GnuPG to encrypt e-mails in both transit and storage.  There are providers who can get you a VPS or full Dedicated Server for this purpose.  You will probably find that your e-mail stops going missing, is fast and more reliable to boot!

Stop Using US Based Massive Cloud Servers

This could be in the form of an Amazon, Microsoft, Alibaba VPS instance but you can expect that those services will not be keeping your data private and most likely have been obliged to allow backdoor access to your server and data.

Another type of user would again be those who “store data in the Microsoft, Google or Apple Cloud”.  Stop using those services if you value your privacy.

Secure Your Chat

Everyone likes instant chat but did you ever wonder why all the traditional chat services like ICQ and MSN Messenger shutdown?  My belief is that being forced to chat on your phone makes it easier to both identify and track you but also to spy on you.  Once again top offenders are Telegram, Whatsapp and any similar ones.

To secure your chat you should run your own encrypted chat server.

These are just a few common sense things you can do to make it much more difficult to have your rights and privacy violated.  Personal and intimate moments shouldn’t be uploaded to the Cloud for corporate and government agencies to peruse!]

In general try to think in a security minded way perhaps as you would your house.  Would you feel secure at home if you knew your living quarters was shared with multiple people or that it was being spied on constantly.   Think about steps you would take to protect your house or property from intruders and spies.  Your digital house works the same way, so be sure to keep the keys and access in your control and not that of a third party which can’t be trusted.

The NSA is spying on cryptocurrency including Bitcoin – Edward Snowden

Unsurprisingly Edward Snowden recently revealed to the world that the NSA is tracking cryptocurrency users including Bitcoin.  What makes it worse, but also not surprising is that they tricked users to install security software they wrote that actually feeds all of their private data, cryptokeys, back to the NSA directly.  It is soon going to be an absolutely necessity to increase your own security and to start using better, more secure coins that cannot be so easily tracked.  This is the equivalent of the government following you around and poking around your wallet and watching each transaction you do even with cash.  There’s no privacy anymore and ironically cryptocurrency is part of this reason, or shall we say at least, the majority of insecure, public, permissionless blockchain based currencies.    This could send the value of currencies like XMR/Monero skyrocketing as a Bitcoin alternative.  While Monero is in my opinion better in almost everyway to Bitcoin, it is still not the perfect coin as it does have some issues including the use of PoW and of course the whole public, permissionless issue, speed issues etc..

My Take On Meltdown and Spectre Computer Security Flaws

Spectre and Meltdown allow a non-privileged user (non-root/non-Admin)  to access memory they aren’t supposed to essentially dissolving the majority of computing security and privacy barriers.  This could be a guest user collecting sensitive information/passwords for an entire database, group of users, network etc..

If you are using any computing device whether it be an ARM based device, Intel CPU (although Intel is the worst offender at this point), AMD CPU this issue affects you and billions of other devices and users around the world.  Whether you are on Linux, Unix, Windows, Mac this applies to you.  It is really an unmitigated scandal and disaster for both privacy, security and even safety with long lasting and wide ranging ramifications that will continue to playout for years.

I’ve made a comment in the past about security, IOT and how there are many devices that are now unsupported or can’t be updated leading to huge security issues.  We are now unfortunately there and have been since 1995.

This issue was first reported by Google Project Zero and they are known as the Meltdown and Spectre Vulnerabilities that affect all microprocessors made since 1995 (the modern computing era).

To make it worse there are 3 known “variants” or attack vectors known (I suggest there may be more that are undisclosed or not yet known to the public).  With variants 1,2 being very similar (known as Spectre) and variant 3 known as Meltdown.

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

The attack is possible due to “speculative execution” where CPUs (computer chips) essentially try to predict future work needed and will actually do sometimes unneeded work as the performance hit for doing this is less than waiting to execute the instructions later.   This means the computer sometimes performs work that isn’t needed and not used to increase performance, where things have gotten bad is through this feature, it’s possible for a normal user/process to gain unrestricted access to memory that you shouldn’t have access to.

What is Spectre?

The primary variants (1,2) that make up Spectre  rely on the user exploiting the speculative feature of the CPU to write to memory under their control.  This allows a normal user to read basically all memory processes allowing keys, passwords and confidential data to be intercepted.  AMD Claims that Variant #2 does not impact them as well.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

What is Meltdown?

Meltdown is the third and more serious and nasty variant that still relies on the speculative execution exploit/flaw but actually allows the attacker to read arbitrary memory (so basically anywhere at will).  The key feature of Meltdown is that it is the easiest attack to perform and it has been demonstrated on the Intel platform already.

The only good news is that apparently this Meltdown attack only affects Intel and not AMD.

https://access.redhat.com/security/vulnerabilities/speculativeexecution

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Redhat has also done an excellent writeup about the issue here:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

How To Protect Yourself

First and foremost you should update your devices as soon as patches become available.  In Linux enabling KPTI can protect you.   However for some major distributions of Linux users are still waiting for a patch.

If you are vulnerable and performing critical operations it’s time to make tough choices including possibly turning off your machines or denying all non-admin users access to a server/services if possible.

Ensuring rotation of keys and passwords can also mitigate your risks even if passwords have been compromised.

It comes down to good security practices all around such as segregating services to different physical machines, restricting physical and virtual user access.

If possible remove all non-essential or untrusted applications from your device/computer/server.

Dedicated Servers Will Become More Popular

There has been a huge trend to put everything into the Cloud, one that I have reservations with despite owning companies that offer our own private Cloud.

Fortunately we haven’t been impacted by Spectre and Meltdown and are not vulnerable but it does raise questions from our clients that we’ve mentioned before.

I’ve always advocated for physical segregation, which means that if possible you should have your own physical dedicated server that is encrypted and running a minimum set of services with as a few users as possible.  By doing this you significantly reduce your risk in a scenario like this by putting your company database, e-mail, VPN, websites, file server on physically different servers.

Serious Questions and Concerns Raised

I would raise the question that is it really possible that such a wide-ranging exploit was completely unknown for this long until a team from Google discovered it?  Considering the budgets of major intelligence agencies around the world who are constantly looking to find exploits of their own it is conceivable that this vulnerability may have been exploited for far longer than it was publicly known by specific groups.

Another one is Intel’s response to it by apparently being accused of singling out AMD when as of now, Intel is far more vulnerable.

Since these chip makers are all US based is it possible they were mandated by law to introduce speculative execution in such a similar way that this vulnerability would be possible?  Considering recent revelations I don’t think it would be inconceivable.

Are there more than 3 variants and if we assume that no one else really knew about Variants 1-3 is it not possible that a well-armed team could find new ways to exploit them?

Long-term Value for Intel, AMD and ARM

At the time of writing Intel’s stock was down about 3% but this could get worse for either of these companies if one’s vulnerabilities keep increasing and/or one of them is hit with a larger exploit.

Conclusion

It’s hard to give an honest conclusion as we’re just getting started and this is all we know about the Variants 1,2 (Spectre) and Meltdown.  So far it looks like we were lucky to choose AMD.  The key issue that will come out of this is how many devices and users will remain vulnerable by being unable to patch or if they have a device that cannot be easily patched or there is no longer any support from the vendor?  This would increase the amount of zombies and data security breaches several fold.

This is also a good time and a wakeup call for all companies to do a security audit and if they don’t have dedicated security staff, to bring in some good IT and security auditors to assess and mitigate these risks before they become costly losses.

My Take On WannaCry

Reading media coverage of the WannaCry, ransomware attack has been excruciatingly frustrating because little to no information was offered on how infection happens and how to protect yourself.

This issue has been a bit frustrating and unhelpful as an IT professional and user if I didn’t find the right answers there is something seriously wrong.  I couldn’t find the important information in any of the mainstream articles so certainly a novice or amateur user would have no chance of protecting themselves.

How Did WannaCry Infect and Spread?

Long version here from Malwarebytes

One of the key ways is still the oldest “phishing” trick in the book, via e-mail which many users are tricked into opening infected attachments.  This was not readily available in media coverage and this simple warning or announcement could have prevented a lot of new infections.  I believe this is a key factor that has not been discussed since many networks will be behind NAT and external SMB services would be blocked, having users on the LAN install the worm is an easy way to get inside and spread the infection to areas that are hardened on the outside.

The more technical explanation there is an exploit called “ETERNALBLUE” which was a hacking tool leaked from the NSA which exploited a weakness in Microsoft’s implementation of SMB (Server Message Block/filesharing protocol).   This has been widely reported but the simple way to prevent automatic infection through this method has not.

Once infected the worm essentially scans your LAN and then the internet to spread the infection further which quickly multiplied the damage and scope of this attack.

How to protect yourself?

  1. First and foremost is to update your Microsoft Windows regardless of OS (whether you have XP, Vista, 7, 10, 12 or any Server) because all Microsoft versions are apparently impacted by MS17-010 ETERNALBLUE/WannaCry
  2. Disable SMB/Filesharing in Windows and if that is not possible at least use firewall settings to block SMB/filesharing/CIFS.
  3. If the above is not possible you should physically unplug any impacted machines from the network (it could be a simple as disabling all ports on your network/switch or even unplugging entire switches if possible).

Who is to blame?

There is plenty of blame to go around but currently a lot of it is coming from Microsoft who is blaming users for not patching and the NSA for hoarding these exploits and not notifying them or users beforehand.

In all fairness Microsoft did issue patches for even unsupported OS’s like Vista and XP on March 14th, 2017.

Many have mused that the NSA should have at last notified Microsoft the moment they realized their hacking tools were leaked.

At the end of the day the question is how could Microsoft have left open such a serious vulnerability for so long?  Was it an intentional backdoor and was it collaboration between Microsoft and the NSA or other third parties?

Some Can’t Patch

Some systems may be running on internal networks on their own LAN but were still infected so they wouldn’t be patched.  To make matters worse the chances are these would more likely be critical data and infrastructure that are impacted in this case.

Other machines are not managed properly or remotely and are deployed with internet access making them sitting ducks for these types of attacks.

There are also some who just don’t patch because the risk to impacting existing services is too great.  Although I would argue the risk is much higher to not patch and not upgrade or migrate your applications to a more secure platform if you get hit with ransomware like this.

These Issues Are Nothing New

With the Snowden revelations many have worried that US tech companies being forced to provide backdoor access to the NSA would be vulnerable should other hackers discovery the vulnerabilities or intentional backdoors on their own, or in this case when the tools and exploits were somehow leaked.

In the wider scope of things Microsoft has seen worms of this scale in the past, it’s nothing new.  There are no worldwide protocols for notifying users or defending against such worms and this will certainly become an increasingly problem with more and more devices online especially with IoT and so many devices that are connected that we don’t think about, and that don’t get patched or may not have an easy or automatic way of updating.

Apple CEO Tim Cook’s Business Decision to Fight the FBI/Court Order

Mr. Cook has clearly made a strategic decision to be one of the first and few tech companies to challenge a court order of this magnitude, and if anyone can do it, it would be Apple.

Now to be clear there is a very serious matter in this case, and it is a tricky rope for investigators and business to get it right.  A crime has been committed and the authorities have presumably presented credible evidence and there is a court order, however the order is essentially unlimited access to all Apple devices.  The business (Apple) has two choices, co-operate or deal with the consequences of not doing so, in Apple’s case there is little financial consequence to not co-operate.  The opposite case could be made that Apple recognizes that if the public finds out that they complied that their encryption is as good as useless, their analysts probably put a price tag on the customer backlash and likely predicted a huge drop in AAPL shares.  Aside from the business case, it looks like now that the issue of privacy has come knocking on his doorstep, he has no choice but to take a bold and very public stand.

This is not a typical court order but is in effect a blanket and mass surveillance project.  Apple is basically being asked to make an app and backdoor to bypass their encryption, or at least disable the 10-try mechanism so they can try traditional bruteforce password methods.  Tim Cook stated very clearly that the ramifications would go far beyond this one case and validated his concerns by mentioning there would be little control over oversight over such a mechanism if Apple complied, which could mean the backdoor could be abused without due cause, as has been the case in the past with other surveillance.

One wonders if Apple has pondered its next move because it is unlikely that Apple can indefinitely delay or win the fight in the end.  They are legally under US jurisdiction and must win their challenge or comply.  Failing that Apple’s only option would be to move overseas/off-shore and this would be a huge blow for the US economy, tech sector and other companies may follow suit, such as McAfee’s weighing in on the issue and offer to crack the iPhone.

My philosophy has always been the US is a great place to do business with huge potential, but I always advise people to understand that any traffic transiting the US and especially data stored there is subject to US laws and regulations.

It will be interesting to watch where this goes, I have a feeling that most are cheering for Apple and Tim Cook at the moment and it is really no wonder with what is at stake.