is it safe?

Today’s title comes from the movie Marathon Man, with Dustin Hoffman in the lead. I must admit that I haven’t seen it. The concept sounds scary enough, though: someone is expected to know information which they simply don’t possess. Somewhere in the movie the lead character is mistaken for a spy, perhaps, and finds himself in a dentist’s chair where he is asked this question repeatedly.

Believe it or not, we have a very big security problem at the moment and few people are focusing much attention on it. Let me explain…

IPv6

IPV4

For a long time, we’ve all enjoyed the Internet. Packets of information are sent here and there. The underlying mechanism is usually called TCP/IP and that last “IP” part is described as version 4 or simply IPV4. Within all these specifications, there’s the concept of the sending computer’s address and the recipient’s. These “IP addresses” are critical to delivering content. A popular IP address is 8.8.8.8 which is Google’s primary DNS server. There are four numbers in each case, separated by periods.

Zipcodes

A good analogy here is the zipcode system in place at the United States Postal Service, for example. Some five-digit combination of codes like 90210 points to a specific post office. If you were fortunate enough to have a P.O. box there, 90210 plus that box number would allow you to receive your copy of Beverly Hills Magazine or similar.

Often, though, cities grow bigger and the USPS needs to break up zipcodes (re-issuing new ones) or other clever methods to accommodate more and more people. They decided to extend the five-digit system to add four more digits to the end. An example might be 90210-1234.

IPV6

In a similar fashion, the Internet got more popular and something needed to be done. We ran out of IP addresses a long time ago, to be honest. There are only so many individual computers which may be addressed using those four numbers from the IPV4 section above.

For decades, they’ve been putting off doing anything serious about this problem because of some reasonably good workarounds. The best of these is to have everyone inside their own homes, businesses and even colleges use what is essentially an unusable set of IP addresses. The technical term is a private IP address range. Buy a Netgear router for your home, plug it in and I could reasonably guess that your new home router now has the IP address 192.168.0.1, just like other consumers’ routers. In one way, it’s not really a valid, routable address, but things just work because of some trickery involved.

So, making those four-number styles of IP addresses longer in theory might make everything better, right? For two decades now, various people have been pushing hard to add those extra numbers to everyone’s computers, to every router, to all routing software, to all computer operating systems, to all software development kits.

Imagine thousands and thousands of ants silently working hard to build something that most of us cannot see, don’t understand and then one day twenty years later we find out that some huge anthill has taken over. The work happened so slowly that we didn’t take much notice.

IPV6 is here and we didn’t even know it. In fact, few know anything about it at all.

Rest Inertia

Unfortunately, the current system is what everyone understands. If you ask the average computer geek to “issue an IPV6 address” you will be met by a blank stare, shortly followed by hostility in many cases. Nobody wants to deal with these new addresses. Nobody wants to test their computers with these new addresses. Nobody wants to test their software or their websites with these new addresses.

I will go further to suggest that nobody knows how to do any of these things.

Too Long, Didn’t Read

Here’s an excerpt from the Wikipedia page on IPV6. Part of the problem is that these technical descriptions are written by people who don’t understand that end-users ultimately must understand what’s being talked about.

The 128 bits of an IPv6 address are represented in 8 groups of 16 bits each. Each group is written as four hexadecimal digits (sometimes called hextets) and the groups are separated by colons (:). An example of this representation is 2001:0db8:0000:0000:0000:ff00:0042:8329.

For convenience, an IPv6 address may be abbreviated to shorter notations by application of the following rules.

  • One or more leading zeroes from any groups of hexadecimal digits are removed; this is usually done to either all or none of the leading zeroes. For example, the group 0042 is converted to 42.
  • Consecutive sections of zeroes are replaced with a double colon (::). The double colon may only be used once in an address, as multiple use would render the address indeterminate. RFC5952 recommends that a double colon not be used to denote an omitted single section of zeroes.

An example of application of these rules:

Initial address: 2001:0db8:0000:0000:0000:ff00:0042:8329
After removing all leading zeroes in each group: 2001:db8:0:0:0:ff00:42:8329
After omitting consecutive sections of zeroes: 2001:db8::ff00:42:8329

The loopback address, 0000:0000:0000:0000:0000:0000:0000:0001, may be abbreviated to ::1 by using both rules.

As an IPv6 address may have more than one representation, the IETF has issued a proposed standard for representing them in text.

For most computer professionals, avoidance has been their interaction with this feature.

Security

The problem, then, is our network security globally. Silently, people are adding a routing feature into everything-that-is. Usually, when something like that happens, all computer professionals then are trained about how this new feature works. That definitely has not happened. We are in for such trouble on this one.

Update Fatigue

Another contributing factor to all this is the recent trend to push updates to end-users relentlessly, daily, far too often. For many people, toggling on some auto-update feature lowers their own sense of being nagged into daily updates. The “magic” just seems to happen and the users assume that literally hundreds of people have tested the safety of everything before it’s put out there as an upgrade. The dirty little secret is that it isn’t tested at all in areas like IPV6.

Conclusion

In short, turn off IPV6 support from every computer, router, device and smartphone in your life. Do it as soon as you learn how to do so.

Turn off IPV6 support on everything you own and everything you can control within your life. It’s a ticking time bomb from the standpoint of Internet security.

There will be a time when this new technology is safe. I’m guessing that this will be at least one decade in the future.

For more information, search for “turn off ipv6” in your favorite search engine.


give a man a phish…

There’s an old quote, of course…

Give a man a fish and you feed him for a day.  Teach him to fish and you’ve fed him for life.

Today’s topic is about phishing, the activity in which a con artist sends a fake email to others and convinces them into giving up their credentials, credit card details, etc.

What They’re After

It’s almost always about money. They want the login details for your checking account or your credit card. If they can get your email account’s credentials then they’ll search your emails for links to your checking account or credit card. If they get your social media account’s credentials then they’ll know the people who trust you and they’ll send them email as if they’re you, conning your friends into clicking these sorts of links.


If a stranger on the sidewalk asked you to put your wallet into a magic hat, you probably wouldn’t. You don’t trust him. So when a stranger on the Internet sends you an email, then you are probably smart enough not to click any links in it.

But now, what happens when an email arrives and it has the correct logo and content from Microsoft?  You trust them.  They wrote the software that’s on your computer, possibly.  They’re telling you that you are about to lose something or in other cases, that you could get something for free.

But of course, that email could seemingly arrive from UPS, FedEx, the U.S. Postal Service, Wells Fargo, Bank of America, Chase, Logitech, Intel, Apple, Google, Intuit, Adobe, Samsung, HP, Facebook, Twitter, Verizon, AT&T, Starbucks, Staples, Yahoo, Bing, MSN, Firefox, Chrome, WordPress…  Literally any name brand or product name you trust can be used to fool you.

Urgency

If someone told you that you had thirty years left in your lifetime, you’d probably be interested but it wouldn’t necessarily change what you do today as a result.  You’d have time to get a second opinion from another doctor, say.

We’re programmed, though, to panic when we have a limited amount of time to make a decision.  If the doctor told you that you needed to get your affairs in order because you have 24 hours left, then you probably wouldn’t calmly make an appointment with that second doctor.  You’d very likely go on a shopping spree or make some other not-so-mature decision in the spur of the moment.  In other words, the rational/analytical part of your brain wouldn’t be in charge.  Your would-be scammer knows this.  So all these attempts have some sort of expiration date/time attached to them.

Free… Isn’t

I’m not sure why people are such suckers for the word “free”.  It seems to be another method of short-circuiting the brain.  Combine free with an expiration date of some kind plus a spoofed pedigree and most people will stupidly click that link.

Antivirus Isn’t “Anti-Stupid Protection”

Unfortunately, your antivirus program can’t protect you from doing something, well… stupid, in this case.  It would be stupid to enter your credentials for anything prompted by any email.

But, what if this is legitimate?  Okay, so what if I have received an email from Geico and they’re trying to tell me that my policy is about to expire?  (Let’s assume for a moment that I have Geico insurance.)  Do I actually need to click their link to find out the status of my policy?  No.  It is infinitely safer for me to open my browser, type in Geico.com in the location field, verify that I haven’t mis-typed the domain name and then to enter my credentials on their website.  In doing so, I’ve completely removed all the dangers of phishing.
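The advice above, open the browser and type the domain yourself, is the human version of a check a mail filter can do mechanically: does each link actually go where its visible text and the claimed sender say it goes, and is the message leaning on the urgency cues described earlier? The following is an added example, not code from the original post. The sample messages are constructed, the `registrable()` helper is a deliberate approximation (last two labels of the host name, which is wrong for names like `.co.uk`), and the urgency word list is an assumption drawn from the phrasing in this post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed urgency cues, taken from the pattern this post describes.
URGENCY = ("24 hours", "immediately", "expire", "suspended", "final notice", "act now")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (assumption, not a PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_email(html: str, expected_domain: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"raw IP link: {href}")
        elif registrable(host) != expected_domain:
            findings.append(f"link goes to {host}, not {expected_domain}: text {text!r}")
        # Visible text that looks like a URL for a different site than the href.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            findings.append(f"display text names {m.group(1)} but href host is {host}")
    body_text = re.sub(r"<[^>]+>", " ", html).lower()
    urgent = [w for w in URGENCY if w in body_text]
    if urgent:
        findings.append("urgency cues: " + ", ".join(urgent))
    return findings


# Constructed sample messages (not real phishing mail). 203.0.113.0/24 is a
# documentation range and the .example TLD is reserved, so nothing here resolves.
SAMPLE_EMAIL = """<p>Your Geico policy will be suspended in 24 hours.</p>
<p><a href="http://geico.com.account-verify.example/login">https://www.geico.com/login</a></p>
<p><a href="https://www.geico.com/contact">Contact us</a></p>
<p><a href="http://203.0.113.5/update">Update payment</a></p>"""

CLEAN_EMAIL = """<p>Hello, here is your monthly statement.</p>
<a href="https://www.geico.com/statements">View statement</a>"""

if __name__ == "__main__":
    for line in analyze_email(SAMPLE_EMAIL, "geico.com"):
        print("-", line)
    print("clean message findings:", analyze_email(CLEAN_EMAIL, "geico.com"))
```

The first link in the sample is the classic trick: the brand name appears at the front of the host, but the part that actually decides where the browser goes is the end. The check flags it twice, once because the registrable domain is not the expected one and once because the visible text advertises a different host than the `href`.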

Digital Extortion

According to statistics, 64% of Americans are willing to pay a ransom to get their data back (or say control of their computer) and the average bounty demanded is $1,077 per victim. Only 34% of people globally are willing to pay money in these circumstances. Unfortunately, that makes the U.S. a prime focus for these people.

what myspace’s mistake means to us

You might not have heard about this, but someone internally back in 2006 stole a huge password file for all known Myspace accounts at the time. It would take years for Myspace themselves to learn of this, at which time they forced a password reset for everyone on their site. In their minds at least, the problem was solved.

Unfortunately for the world, a much bigger problem was born.

Password hacking

Back in World War II, for example, what was essentially a form of hacking (decrypting encoded text) would actually mean the difference in saving lives, well at least for one side of the game. You could easily suggest that it also cost lives for those whose secrets were now known by the opposition.

In today’s war against cybercrime, identity theft, credit card fraud, espionage, stalkers, blackmail and such, there are people who wish to know your secrets.

Using a file which contains a dictionary of words and adding to this the available numbers and symbols, hackers have written code to auto-generate a password and then programmatically compare the results with something that’s stored in these administrative files. If things match then they know your password and then they can log into a remote website or system as you. If that website is your checking account or PayPal then the damage could be more than just your pride; you could actually lose money.

Password hashing

Most modern websites and computer systems don’t actually store your password. They routinely create something called a hash from it. So what’s actually available in the public domain now is a few hundred million usernames + hashes of their passwords.

Immediate progress

In no time at all, very nearly every single password from that list was cracked using these hacking programs. We’re talking at least 400 million passwords. And yet, still, people don’t understand just how very terrible it is to be us now.

What this really means to us now

Several things can be learned here from this second-generation database (now with the known passwords).

  • In this database is a known list of usernames that the Internet at large has used at one time. This alone should scare you. Hackers now don’t need to try 36^8 combinations of characters and numbers to try to generate what could be a username. Their search space just became a lot smaller.
    • Having a list of several hundred million usernames means that cryptographers can use something called frequency analysis to determine which characters are more likely to appear in the next username you might create.
  • In this database is a known list of passwords that the Internet at large has used at one time. I would suggest that the average user has re-used a single password at least ten times across most websites and computer systems which they use.
    • Again, cryptographers now may do frequency analysis on characters we use to create passwords. So they know that the lowercase letter ‘a’ is used 7% of the time, roughly. In other words, it’s no longer necessary to try perhaps 50^8 combinations of characters + numbers + symbols; they can now just use this database as a simple dictionary attack!  Four hundred million may seem like a large number but it’s very much smaller than 39,062,500,000,000 (39 quadrillion).

In other words, hacking passwords just got infinitely easier due to Myspace’s mistake.
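Two mechanisms from the sections above are worth seeing in code: why a leaked list of unsalted hashes turns into a lookup table that "cracks" every reused password instantly, and what the defending side does about it. The following is an added example, not code from the original post. It uses a constructed four-entry "leak" in place of the hundreds of millions of real entries; the fast hash, the PBKDF2 parameters and the user names are assumptions chosen for illustration, not a description of what Myspace or any particular site did.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked password list (not real data).
LEAKED_PASSWORDS = ["password1", "Summer2016!", "letmein", "qwerty123"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def fast_hash(password: str) -> str:
    """Unsalted, fast hash: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(words) -> dict:
    """Turn a leak into a digest -> password table; this is the attacker's whole job."""
    return {fast_hash(w): w for w in words}


def crack_unsalted(stored_digest: str, lookup: dict):
    """With unsalted hashes, 'cracking' is one dictionary lookup per account."""
    return lookup.get(stored_digest)


def hash_password(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus a slow KDF; the record stores salt and derived key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, record: str) -> bool:
    salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_breached(password: str, breach_digests: set) -> bool:
    """The defender's use of the very same list: refuse passwords already in it."""
    return fast_hash(password) in breach_digests


def register(username: str, password: str, breach_digests: set, store: dict) -> bool:
    """Reject breached passwords; otherwise store a salted, slow-hashed record."""
    if is_breached(password, breach_digests):
        return False
    store[username] = hash_password(password)
    return True


if __name__ == "__main__":
    lookup = build_lookup(LEAKED_PASSWORDS)
    # An unsalted site: every account that reused 'letmein' falls at once.
    print(crack_unsalted(fast_hash("letmein"), lookup))
    # A salted site: two users with the same password get different records,
    # so one precomputed table cannot serve both, and each guess costs a full KDF run.
    store = {}
    register("alice", "correct horse battery staple", set(lookup), store)
    register("bob", "correct horse battery staple", set(lookup), store)
    print(store["alice"] != store["bob"])
    print(register("carol", "qwerty123", set(lookup), store))  # False: known breached
```

The salt does not keep a weak password secret; it only forces the attacker to redo the work per account instead of once for the whole leak, and the slow KDF makes each redo expensive. The breach check is what actually removes the reused passwords the post warns about.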

Could it get any worse?

Yes, actually. With a database this large, someone could create an artificial intelligence program which could then describe how we humans generate passwords in the first place. Presumably, it would look for patterns in the same way that hackers do. For example, we are often faced with the challenge of creating a password that would make Microsoft’s websites happy.

From Microsoft’s website:  “Passwords must have at least 8 characters and contain at least two of the following: uppercase letters, lowercase letters, numbers, and symbols.”

So this AI program would then look at the database and announce:

AI computer program output:  “Humans are lazy and stupid therefore they will do the following…”

  1. The password will have a length of eight or nine
  2. The first will be an uppercase character
  3. The second thru sixth/seventh will be lowercase characters
  4. 30% of the time the next will be the number one, in 20% the next will be four, in 8% the next will be two, etc
  5. 40% of the time the last will be an exclamation point, in 30% the last will be an asterisk, in 10% the last will be an ampersand, etc

The bad part is that this would be correct for about half of the passwords on the planet. And the other half would probably be the 1337 (leet) version of this where someone thinks that they’re being clever by substituting in numbers which each resemble a character:

  • zero looks like the uppercase letter ‘oh’
  • one looks like the lowercase letter ‘el’
  • seven looks like the uppercase letter ‘T’
  • three looks like a backwards uppercase letter ‘E’

All this is the fruit of cryptanalysis. It tells you how to make your problem easier by restricting the search space. But if it’s now easier for hackers, it’s now much harder for us, the people who want to keep our secrets and our money intact.
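The five-step pattern and the leet table above can be turned directly into a policy check that a defender runs over their own users’ passwords at registration time, which is the one place the search-space argument can be turned against the attacker. The following is an added example, not code from the original post. The symbol set is an assumption extending the three symbols the post names, the sample list is constructed, and `mask_keyspace()` compares the pattern against the post’s own 50^8 figure.

```python
# Substitutions from the post's leet table; applied before testing the letter run.
LEET = str.maketrans({"0": "o", "1": "l", "7": "t", "3": "e"})

# Assumed set of trailing symbols: the post names "!", "*" and "&" and says "etc".
SYMBOLS = "!*&@#$%^"


def deleet(s: str) -> str:
    return s.translate(LEET)


def matches_lazy_pattern(password: str) -> bool:
    """True when the password fits the post's five steps: length 8 or 9,
    one uppercase letter, a run of lowercase letters (leet allowed), one digit, one symbol."""
    if len(password) not in (8, 9):
        return False
    first, core, digit, symbol = password[0], password[1:-2], password[-2], password[-1]
    core = deleet(core)
    return (
        first.isascii() and first.isupper()
        and core.isascii() and core.isalpha() and core.islower()
        and digit.isdigit()
        and symbol in SYMBOLS
    )


def audit(passwords) -> tuple:
    """Return (number matching the predictable pattern, total checked)."""
    hits = sum(1 for p in passwords if matches_lazy_pattern(p))
    return hits, len(passwords)


def mask_keyspace() -> int:
    """Number of strings the pattern can produce: 26 uppercase, 5 or 6 lowercase,
    10 digits, len(SYMBOLS) symbols. Compare with the post's 50**8 for full search."""
    return 26 * (26 ** 5 + 26 ** 6) * 10 * len(SYMBOLS)


# Constructed sample passwords for the audit (not from any real leak).
SAMPLE_PASSWORDS = [
    "Summer1!",
    "Summ3r1!",
    "Winter2*",
    "Passw0rd7*",
    "Tr0ub4dor&3",
    "correct horse battery staple",
]

if __name__ == "__main__":
    hits, total = audit(SAMPLE_PASSWORDS)
    print(f"{hits} of {total} sample passwords fit the predictable pattern")
    print(f"pattern keyspace is {50 ** 8 // mask_keyspace()}x smaller than 50^8")
```

The interesting case is `Summ3r1!`: the leet substitution makes it look different to a person, but after `deleet()` it is the same structure as `Summer1!`, which is exactly the post’s point about the "other half" of passwords.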

What if we let systems generate our passwords for us?

There are many that would suggest that this is our future. We let the system auto-generate a seemingly-random password for us and then we store that somewhere. We’d then copy/paste that when prompted. In fact, I see this done within the I.T. administrative space and each person who does this probably feels secure.

And yet, someone wrote that password generator routine. What if this person “salted” 75% of the so-called randomness with a string of characters known only to them? The NSA routinely forces big business to build things like this into cryptography so that—for the NSA at least—the problem becomes infinitely easier.

The real problem is that we believe in the security of these systems and perhaps we simply should stop believing.

What do we do now?

The cost of running many computers (virtual or real-metal) keeps going down. The cost of terabytes of storage in the cloud is still expensive ($3,000+/TB) but there are people who have ten computers in their basement each with a terabyte drive.

In the past, the search space would have required perhaps 300TB of database space to “brute force” and store the combination of all possible passwords plus their hashes. The knowledge made available from Myspace’s mistake, once fully realized, now might mean that in practical terms somebody with 10TB of space could essentially own the actual password space we use.

I wish I had some practical advice for you. The only takeaway lesson from this is that we have to do something completely different when generating passwords or we have to stop storing our secrets and our money as we’re doing now.

crowd-sourcing your bugs

Most of us in the contracting space are interested in alternate ways of making money. Personally, I prefer straight programming to almost any other means of earning it, but I discovered something recently that looks interesting. There’s a website now that seemingly pays for finding bugs in the code of others. As programmers we are often good at spotting problems early and we’re probably the best at finding them. Troubleshooting is usually something that isn’t seen as a profit center, so why not flip things and make some money doing it?

Bugcrowd.com

Enter the new website which appears to be crowd-sourcing the problem of code testing. Various companies then work with the website to outsource this task to others who attempt to identify a problem worth fixing. If they decide that it’s indeed a bug then they usually pay some form of money to the researcher.

My Anecdote

From my own limited experience, I created an account, reviewed the many offers and picked the Tesla Motors website to look for security problems. Within an hour I identified something from a third-party webtiming partner which turned out to be flagged by Microsoft Security Essentials as the Win32/Spursint.A Trojan. (Not bad for just an hour’s work, I thought.) I then wrote up my findings and awaited a response. Someone did respond within 24 hours.

But then the fun began as I attempted to communicate what I’d found. Since they couldn’t recreate what I’d seen they submitted the linked JavaScript to other antivirus sites which found it to be clean.

Next, I tried to explain the nature of the Akamai network of caching servers and how a local version of their server might be delivering different content than what I’d received: some get the Trojan and some do not, in other words. Again, this was falling upon deaf ears.

I then tried to convince them that development-related timing code isn’t normally pushed to production, that their build process should have groomed this out in the first place. Again, no sale. They just didn’t want to hear that their third-party JavaScript provider could have been compromised. Lesson learned: don’t waste your time twice with the same company who won’t listen to reason.

Closing Thoughts

Will I use Bugcrowd again? I like the concept. I think I would rather spend my time, though, in a more fruitful venture with a less risky return.

New wisdom: Avoid systems in which you perform labor and then someone else decides whether or not your labor deserves getting paid for. Oh, and unless you have an up-to-date virus checker you may want to avoid the Tesla website since it sometimes delivers a Trojan to your browser.