arkanoid

A hacker’s guide to not get hacked

Assume you are a technically savvy person who knows the basics. You never install random crap from the internet. A typical phishing email makes you laugh, you almost pity mankind, which can be fooled by scammers as silly as those. Your phone screen is locked by default, and you use a password manager.

In multiple ways (sometimes inevitable, oftentimes obscure and cryptic) you depend on things (software, data, hardware) you do not own nor control locally (unless you are extremely paranoid and have accepted huge operational overhead). And I do not mean continuously bleeding “digital trail” of metadata and behavioural tracking. Let’s talk about a risk of being really hacked.

Understand (and prioritize) your assets


You obviously give the top priority to your bank accounts and launch codes, but some other things might be more expensive than you imagine at first glance.
«There is nothing secret and I have all that information elsewhere» might lead you, in case of a loss event, to spending a whole weekend handpicking it from… from said «elsewhere», and sorting everything in the precise OCDish way it used to be. Some other things may be of sentimental value and of little interest to anyone, but you certainly do not want everyone to see them (and you are likely underestimating the importance of your feelings, until said «everyone» sees those files). You had better archive all conversations with your exes and not leave them hanging in your chat history (which would not help much unless the other parties do the same). Ah, and, if you own some cryptocurrency, I hope you keep it in a local wallet, otherwise you do not really own it.

Understand (and prioritize) your attack surface.


A computer is not that unsafe unless you physically lose it (while having no disk encryption in place) or forgot (you did not, right?) to remove Adobe Flash from your system. If you adopted a good habit of handling MS Office and PDF documents with web-based services (as long as the content of said documents is not secret) you further improve the overall security of your local system.

Thus, your chances to get hacked via a 0day exploit (unless you do really store actual launch codes on your computer) are negligible.

Portable devices, I mean iOS and Android… Really, you cannot be serious. Android malware? Which requires your consent, like, three times to run, (ok, or just one if you have a system which is 5 years old with unpatched security bugs)? Again, your worst-case scenario always implies someone getting your device in physical possession.

Third party services (I want to avoid using the word “cloud” because the worst things aren’t even cloud, see below) are your only real concern. They are something completely outside of your control. That is not necessarily bad, but they may be vastly distributed, prone to breaches and accidental social engineering attacks, and all those factors are unpredictable. To add insult to injury, they often actively encourage, just a little bit short of enforcing, “questionable” security practices. So the rest of the essay will be dedicated to them.

Build dependency graphs and rebuild them wisely



Here the hell begins. Common consensus dictates that the general public is totally incapable of managing their own access credentials without either losing access or leaking it to a malicious entity. That said, it all revolves around "recovery methods" which make your access credentials tightly interdependent and susceptible to a cascade failure unless you take special care of that. Let's do a simple dissection.

Worst of all is your phone number used for verification. Because the phone number is something you do not actually own in any way. Even the SIM card is legally the property of the cellular operator which provided it to you for lease (just like your bank card is). You do not own the number, you do not even own the network authentication key (try to reprogram or extract it!). As a practical consequence, not to mention slightly more complicated SS7 attacks, any cellular operator employee may issue a replacement SIM card on your behalf to anyone looking credible enough to them.

The funniest part is that it is the sole ultimate trusted method for many services, including some banks, instant messengers and — Facebook. On Facebook, you cannot stop it from providing SMS recovery codes unless you remove the phone number from the system completely. Google is a bit less persistent, it just keeps whining about how insecure it is not to have an SMS recovery option (UPD: no, you need to remove the phone number there, too).

Then there are email accounts. You may have multiple ones, you may consider different threat models which would either convince you to stay on Gmail (at least it is really hard to divert anything in transit there) or to use your own mail server (think BGP hijacks, domain hijacks, and all that nasty stuff, email is generally not designed to be very secure). Anyway, once one of your critical email accounts gets compromised, things can get very nasty. It is one more «recovery method» you often cannot simply turn off (and in most cases, you do not really want to).

There are social network logins. Not to mention the direct problems you would have, many services would let you in on email/phone match without additional checks. Say, if you log into Booking.com with Facebook, you do not provide any authorization on the Booking.com side to recognize your Facebook login: you just let Facebook share your email and phone number and you are instantly connected.

Security questions should be, without any doubt, nominated for one of humanity’s stupidest inventions. Just imagine how attractive it would be to give up access to your account to any person who happens to find out some trivial fact about you. Especially one of those facts you can find in a public database. Yet you can suppress your disgust and treat them as usual recovery codes. Make sure you use a decent random string generator. You may use questions that are really private — but they are non-reusable and you should keep that in mind.

To minimize dependencies and maximize security, you need to turn off all unnecessary recovery options (especially phone numbers), turn on a second factor (one-time passwords, definitely not SMS!), and generate recovery codes and store them in a safe place. Offline and on a hardcopy, preferably.

It does not guarantee anything. Security models for most of the services are incredibly stupid, because they are ad hoc and lack consistency from the ground up. I designed a better one for a customer a while ago; it was as simple as that:

* every authentication factor that is not under the direct control of the user is considered insecure
* no combination of insecure authentication factors may be ever treated as secure
* recovery procedures that rely on insecure factors should be implemented with extreme caution.

Is it hard to understand or hard to implement? No. Does it impair user experience? Unlikely. Yet it does not scale well enough for services with billions of customers, unfortunately for them. Therefore, when you accept Google or Facebook policy, you are solving their problem at your own expense.
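The dependency graph this section asks you to build, as an added example (not the author's code): it computes what falls after one factor, such as a reissued SIM, is lost, and flags every access path that breaks the first two rules above. All accounts, factors and paths are constructed, and the `USER_CONTROLLED` set is an assumption about what counts as "under the direct control of the user".

```python
# Added example: audit your own recovery-dependency graph.
# Every account, factor and path below is constructed for illustration.

# Rule 1: only factors the user directly holds count as secure (assumed set).
USER_CONTROLLED = {"password_manager", "totp_device", "paper_recovery_codes"}


def cascade(accounts, lost):
    """Return everything that falls once the factors in `lost` are taken over.

    `accounts` maps an account to a list of access paths; a path is the set
    of factors that together open the account (login or recovery). A factor
    can itself be an account, e.g. a mailbox that receives reset links.
    """
    owned = set(lost)
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for name, paths in accounts.items():
            if name not in owned and any(path <= owned for path in paths):
                owned.add(name)
                changed = True
    return owned


def insecure_paths(accounts):
    """Rules 1 and 2: list paths built only from factors outside user control."""
    report = {}
    for name, paths in accounts.items():
        weak = [sorted(p) for p in paths if not (p & USER_CONTROLLED)]
        if weak:
            report[name] = weak
    return report


# Default setup: phone number accepted as a stand-alone recovery method.
BEFORE = {
    "mailbox": [{"password_manager"}, {"phone_number"}],
    "social_network": [{"password_manager"}, {"phone_number"}, {"mailbox"}],
    "travel_site": [{"social_network"}, {"mailbox"}],   # social login
    "bank": [{"password_manager", "totp_device"}, {"mailbox", "phone_number"}],
}

# After the clean-up advised above: phone recovery removed, OTP second
# factor on, printed recovery codes kept offline. The bank still insists on
# its mail + SMS reset, and the social login stays.
AFTER = {
    "mailbox": [{"password_manager", "totp_device"}, {"paper_recovery_codes"}],
    "social_network": [{"password_manager", "totp_device"},
                       {"paper_recovery_codes"}],
    "travel_site": [{"social_network"}, {"mailbox"}],
    "bank": [{"password_manager", "totp_device"}, {"mailbox", "phone_number"}],
}

if __name__ == "__main__":
    for label, graph in (("before", BEFORE), ("after", AFTER)):
        print(label, "- lost phone number ->",
              sorted(cascade(graph, {"phone_number"})))
        print(label, "- paths with no user-held factor ->",
              insecure_paths(graph))
```

Paths that remain in the second report are the ones to remove where the service allows it, or to watch closely where it does not.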

Have a contingency plan


There are no silver bullets, and my advice is no panacea. Anything can fail. Be prepared.

Some useful links:
On second factor: ithipster.com/blog/unorthodox/34.html
On NIST warning not to use SMS: www.theregister.co.uk/2016/12/06/2fa_missed_warning/
On cascade failures in authentication: https://www.cs.uic.edu/~polakis/papers/sso-usenix18.pdf

Self-signed TLS certificates are not evil, nor are they "broken"

One more hopeless rant I have been engaged in for, like, the last 20 years or more. What is totally broken, however, is the UX decisions that mark them «evil». Self-signed TLS certificates possess no more intrinsic evil qualities than your beloved ssh and gpg keys.

The intent behind ostracising self-signed certificates is noble: everybody should do… should be forced to do things the one proper way: for the intranet you should deploy your own private root CA and distribute its certificate to all the clients, for the internet there are affordable solutions like letsencrypt to save you from the calamities of certificate management and huge expenses.

Yet it is nothing but wishful thinking and thus is rotten to the root. Every, I repeat, every single company network I have ever seen (with a few exceptions that qualify as hobbyist projects) had tons and tons of self-signed stuff, regardless of whether they had an internal CA or not. Most of it was just «temporary», yet you know the most permanent things are those «temporary» ones. Smaller companies just do not have an internal CA at all.

(I intentionally leave out the question if it is always a good idea to get a «trusted third party» involved, and, moreover, to give infinite total trust to vast and vague amount of «third parties», for now at least)

We need to accept this situation, understand it and adapt accordingly. The pretty narrow vulnerability window for a self-signed certificate exists just for the very moment you engage in an «initial» contact with the resource (or when the certificate changes, which is quite an uncommon scenario). If no evil actor intervened at this moment you are safe from now on; there are numerous scenarios where there is actually no need for any trusted third party. It works the same way with ssh (unless you deployed that complex set of scripts, you know). Oh, no. You would be safe, if those stupid broken UIs did not complicate things, distracting you with a flood of pointless warnings that never stops, effectively concealing the actual attack when it happens.

For now, however, we see a lot of totally unprotected resources susceptible to MITM attacks because, you know, self-signed certificates were proclaimed evil and you should not use them anyway, mkay? And that's why nearly all small/home office wireless environments are contaminated with hideously misdesigned WPA2 PSK (until we have WPA3 on the horizon), because WPA2-enterprise requires complicated «certificate management» — you cannot just say «remember this access point» on the client, and therefore no vendor bothers to have a built-in RADIUS server on the wireless controller.

Every time I add a self-signed certificate to Safari I get a scary dialog about «changing my trust settings» which always makes me doubt — did I just add a site certificate to the trust store? Or was it Honest Achmed's root CA that I granted full permissions right now? With the current workflow it is hard to tell.
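The first-contact model described above (the one ssh uses for host keys), as an added example rather than code from the original post: a per-endpoint pin store that stays silent while the certificate is unchanged and refuses only when it changes. `PinStore`, `open_pinned`, `PinMismatch` and the sample byte strings are hypothetical names and constructed data; a pin binds one endpoint to one certificate and adds nothing to any CA trust store.

```python
import hashlib
import hmac
import json
import os
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-of-first-certificate"
CERT_B = b"constructed-der-bytes-of-replacement-certificate"


class PinMismatch(Exception):
    """The endpoint presented a certificate other than the pinned one."""


class PinStore:
    """known_hosts-style store: endpoint -> SHA-256 of the leaf certificate."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def check(self, endpoint, der):
        seen = hashlib.sha256(der).hexdigest()
        pinned = self.pins.get(endpoint)
        if pinned is None:
            # The only moment of exposure: confirm the fingerprint out of
            # band if you can, then remember it.
            self.pins[endpoint] = seen
            self._save()
            return "first-contact"
        if hmac.compare_digest(pinned, seen):
            return "match"              # the normal case: no warning at all
        return "changed"                # never overwrite the pin silently

    def _save(self):
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)      # atomic replace of the pin file


def open_pinned(store, host, port=443, timeout=5.0):
    """Open a TLS connection whose trust comes from the pin, not from a CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # chain validation replaced by the pin
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # Check the pin on this very connection, before any data is sent.
    verdict = store.check(f"{host}:{port}", tls.getpeercert(binary_form=True))
    if verdict == "changed":
        tls.close()
        raise PinMismatch(f"certificate for {host}:{port} differs from pin")
    return tls, verdict
```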

How (not) to do GDPR

I prepared a few simple recommendations for you.

1. Do not rush to break your software and business, unless you are deep into advertisement or social profiling or your IT processes imply dumping every piece of data you have on an unprotected file server. If you are doing personal data processing for a legitimate business purpose in a reasonable manner, it is safe to assume you can stand your ground under any GDPR related scrutiny.

I know a retail company that ceased CCTV recording in all their warehouses. All hell broke loose, even before the theft. The company became completely unable to find misplaced items. Why? Because there was a guy «responsible» for GDPR compliance who had the authority to handle it that way. When anyone opposed him, his answer was simple: fines are huge, risks are high, and is your advice to do otherwise backed with any willingness to cover possible non-compliance issues from your own pocket? Ah, you do not have enough money anyway, so get lost.

What this guy was essentially doing was covering his own ass at INSANELY HUGE expense to the company. Don't do it. GDPR is not about ruining your business (unless your business is very questionable already).

2. Do not buy shit. GDPR fearmongering is a goldmine for people selling «compliance solutions». But the truth is, there is no «compliance solution» you can buy. Under this hot GDPR sauce you would only buy things you neither need nor want to buy. Less creative «solution providers» will sell you some firewall-antivirus-encryption stuff for twice the regular price. More creative ones will sell you data intelligence and audit tools of the most expensive variety, which won't help you at all. GDPR is not about buying anything (unless you neglected your basics before).

3. Do not pay for any certification. Currently there is no GDPR certification, which literally means any certification you get is totally irrelevant for GDPR. The idea «there must be some checklists and papers, so it is worth getting your ISO27K or whatever until more specific requirements are in place, because ISO27K is a default way to prove to everyone you are a good citizen» sounds appealing, but the appeal of the idea is in its deceptive psychological comfort and nothing more.

Of course it is not all that simple. Some minor organisational effort is still required — as described by countless howto's: remove everything you do not actually need (and stop gathering it «just in case»), get consent when appropriate and keep track of what you do, both for yourself and for the data subject.

KRACK: no big deal either

Either your vital communications are end2end encrypted already, or you have more reasons to worry than just KRACK.

  • Endpoints are movable. There was a communication once performed via a direct patch cord link. The next day it could go around half of the internet: someone decides to move one of the endpoints to the cloud, to a different location, or elsewhere. And if you ever use your laptop or smartphone on public wifi, the attack surface never changed for you at all.

  • You cannot reliably protect all endpoints on an Ethernet-like network 100% of the time. Chances are, someone is sniffing you from a compromised device with much higher probability than he/she could get through the (relatively) short KRACK vulnerability window.

  • Do you watch your wired infrastructure close enough? Are you sure not just every network socket, but every centimetre of your network cabling is under control? Really? If your TV screen or printer in a public conference room is connected to the office network without 802.1x and VLAN separation, KRACK is not an issue.

On the doorsteps of ivory tower: encryption for a "demanding" customer

Recently I took a somewhat deeper-than-intended dive into the wonderful world of so-called “secure communications” (don’t ask me why, maybe I will tell you eventually). No, not Signal or Protonmail, nor Tox or OTR. I mean paid (and rather expensive) services and devices you probably never heard of (and had every reason not to). Do names like Myntex, Encrochat, Skyecc, Ennetcom ring a bell? Probably they do not, as it should be, unless they fuck something up spectacularly enough to hit the newspaper headlines (some of them really did).

Three lessons should be learned

FIRST, while experts are discussing technical peculiarities, John Q. Public is not interested in all that technobabble. This attitude constitutes a security issue in its own right, but at least it is well-known and we know what we need to do: to educate the customer about several basic, intuitive and easy for a non-technical person concepts — OPSEC, attack surface, threat models, supply chain security, encryption key life cycle etc. And then we leave everything «more technical» to a trustworthy independent audit.

Right? NO. Those people are not interested AT ALL (technobabble included), and they treat your aforementioned audit with the same amount of interest. And your educational initiative goes the same way, since the entire syllabus you call «very very basics every human being must understand» fits comfortably into the category «technobabble» in the customer's world view. For them «Military grade security» is just as convincing as «we had a public independent review» — a little more than white noise, and the former is still more than the latter. Let alone the popular opinion about audit: «You could compromise your security by allowing god-knows-who to look into the implementation details! It was careless!»

SECOND, as “business” customers do not really care about technology, you cannot show them the trustworthiness of your solution by using the technological correctness of this solution. There is no common ground, no scientific consensus, no expert is trusted, everything is «my word vs your word», no audit is reliable (and that’s yet another reason nobody is interested in audits).

For your customers the very notion of «trust» implies interpersonal relations. They cannot trust anything but people. A piece of software being trusted? Or better still: trusted for a certain particular property? — those notions are not welcome in a businessman's brain. However, that may not be a detriment. At the end of the day we cannot eliminate the «human factor» from the software as long as humans write it (with all the backdoors and easter eggs). Trust (as your customers understand it) is all about loyalty. Trust (as you understand it) is an expression of your knowledge of the software capabilities. Perhaps someone should stop abusing the word, and I suggest sticking to the older meaning. Get yourself a new word! On the other hand, the traditional loyalty-driven interpretation of trust leads to horrible decisions in the context of infosec. A catastrophic clusterfuck of any magnitude is easily forgivable as long as it is caused by mere negligence as opposed to sabotage. «Yeah, people make mistakes, but they did their best, yes? They TRIED!»

THIRD is that trust issues with people lead those customers into miserable situations, as they know people no better than they know technology, but for no reason they feel more confident in that area. Running a successful business (especially a risky one, if you know what I mean) reinforces confirmation bias about knowing people. First you make a lot of money, and the next day you get scammed by a Nigerian prince, a Russian bride or a fake crypto.

I guess I should write a separate essay about liability shift and self-preservation mechanisms that sometimes fail in unexpected ways for unexpected people, but not now.

On positive impact of ransomware on information security

I truly hate I need to write this. And I feel really sorry for those who were forced to learn it the hard way, but don't tell me you haven't been warned in advance years before. However.


— The end of compliance-driven security is now official. Petya is not impressed with your ISO27K certificate. Nor does it give a flying fsck about your recent audit performed by a Big4 company.
— Make prevention great again (in the detection-dominated world we live in now)! Too busy playing with your all-new AI-driven deep learning UEBA box? Ooops, your homework goes first. Get patched, enable SMB signing, check your account privileges and do other boring stuff, and then you may play.

Did I say BCP and business process maturity? Forget that, I was kidding, hahaha. That's for grown-ups.

Any sales pitch mentioning WannaCry is a scam.

[Image: snake oil]
To suffer significant damage from WannaCry, you need to craft a redundant clusterfuck of FIVE SIMULTANEOUSLY MET conditions:

  1. Failure to learn from previous cases (remember Conficker? It was pretty much a similar thing)
  2. Workflow process failure (why do you need those file shares at all?)
  3. Basic business continuity management process failure (where are your backups?)
  4. Patch management process failure (to miss an almost two month old critical patch?)
  5. Basic threat intelligence and situational awareness failure (not like in «use a fancy IPS with IoC feed and dashboard with world map on it», more like «read several top security-related articles in non-technical media at least weekly»)

And after you won the bingo, you expect you can BUY something that will defeat such an ultimate ability to screw up? Duh.

"Security Management" "Maturity" "Model"

A few days ago I tweeted this picture:

[Picture: RSA model for security management "maturity"]

with a comment: guess what's wrong with this picture (hint: EVERYTHING).

Not everyone got the joke, so I think it deserves an explanation (sorry).


At first glance it makes some sense and reflects a quite common real-world situation: first you start with some «one size fits all» «common sense» security (antivirus, firewall, vulnerability scanner, whatever). Then you get requirements (mostly compliance driven), then you do risk analysis and then voila, you get really good and start talking business objectives. Right?

Wrong.

It is a maturity level model. Which means each level is a foundation for the next one and cannot be skipped. Does it work this way? No.

Actually you make some business-driven decisions all the time from the very beginning. It is not a result, it is a foundation. You may do it in an inefficient way, but you still do. With risk analysis. It may be ad hoc, again, depending on the size of your business and your insight into how things work, but from some mid-sized level you simply cannot stick to «checkbox mentality», you need to prioritize. Then you come up with checklists and compliance requirements as part of your business risks.

The picture is all upside-down and plain wrong. I understand they need to sell RSA Archer at some point there and that's why they see it this way, but it does not constitute an excuse for inverting reality.

"One Brand of Firewall"

Gartner sent me an ad for a quite disturbing report ( www.gartner.com/imagesrv/media-products/pdf/fortinet/fortinet-1-3315BQ3.pdf ) which advocates using «one firewall brand» to reduce complexity.

Sorry, guys, one brand of WHAT?

There is no such thing as «general purpose firewall» that fits all. It is a mythical device (and this myth was supported by Gartner for years).
What you call «firewall» is actually one of three (or more) things:

1) A border/datacenter segmentation device. Think high throughput, ASICs, fault tolerance and basic IPS capabilities.
2) An «office» firewall. Think moderate throughput, egress filtering, in-depth protocol inspection, IAM integration and logging capabilities.
3) WAF. Enough said, WAF is a completely different beast, having almost nothing in common with any of those.

Ah, and a VPN server. It is not a firewall (though it should have basic firewall capabilities). It does not fall into any of those categories.

Dear Gartner, have you ever tried to market a pipe-wrench-hair-dryer? You should, you have a talent for that.

On hypocrisy and spyware

I said it earlier this century, "state-sponsored malware/spyware developers ARE de facto blackhats".

There is no «legitimate» third side to receive zero days. Either you give a priority to your software vendor (and contribute to the defensive side) or you do not and contribute to the bad guys. Yes, bad.

Not that I blame vulnerability researchers for being immoral. I am a free market advocate: if a software vendor is not willing to pay a competitive price for vulnerability information, it certainly deserves the consequences. I just hate hypocrites that fail to admit the obvious fact that they are no different to blackhats — because «we sell to government and law enforcement only» clause makes no real difference.

But, wait!



They ARE different.

The ideal black market for zero day exploits is free and open for anyone, including software vendors searching for the exploits in their software. You, as a seller, do not want to sell your exploit to the vendor of the vulnerable software, because you are interested in the exploit's longevity. But on the black market there is no way for you to know if a buyer works for the vendor (directly or indirectly).

Contrary to that, the real market (thoroughly regulated by the government) completely rigs the game to the detriment of the software vendors. First, a software vendor is explicitly banned from participation (by this «we sell only to law enforcement»), no legitimate purchases for a vendor, tough luck. Second, it is open for trusted brokers who make huge profits from the fact they got government approvals (see the HBGary leak to find out how hard some people try to set foot there with quite limited success).

Needless to say, the newly proposed so-called «cyber arms regulations» only worsen the situation, making the free black market for zero day exploits illegal in favor of government-approved brokers.

So they are not «just» blackhats. They are the most vicious breed. They found a perfect exploit for the government. They use regulations to defeat their victims.