Underground, overground, travelling free !

So the Tube – the London Underground – is going NFC for payment transactions then … [LINK] … can you see the weakness here ?

We’ve had Oyster cards for some time now in London as a means to pay at the turnstiles to travel on the London networks – bus, Underground etc. I assume some contractual issues came into play and the scheme was moved to a new contactless system. I noted that the tech at the turnstiles appeared not to change, which suggests the readers stayed the same and perhaps only the software behind the system changed.


So we have an NFC reader and a piece of software to read those NFC chips, to authenticate that the code being presented is indeed for a valid card.

I also noted a conversation with First Group’s commercial director in Manchester during 2013, when they were talking about trialling contactless payment systems.

This is definitely pointing to a payment-on-the-device environment coming up for the UK. I kind of support it, as it is rare that I go out without my device .. but I often forget to take my travel card !


I have a Samsung i9100P specifically for its NFC chip. I see NFC in several devices, and with the announcement of the iPhone 6 I see it also features NFC. The good news is that it can allow micro-payments not only from your bank but also against your phone provider, which means you can use a variety of accounts. Massive benefits to the consumer – I can see its adoption.

I also see the criminals rubbing their hands in glee. How many bus drivers will be checking that the app you pay for the journey with is the genuine one ?


On the London Underground, with good connectivity, they could probably spot a fake NFC payment coming in and block you at the turnstiles, but on a vehicle such as a bus, or at an unmanned station, I can see fake apps springing up that let you reset your “payment card” to get free journeys.

I found this link some time ago [LINK] and yes, San Francisco has indeed had this problem, with a weakness in the NFC cards allowing them to be tinkered with.


But this is now 2 years later – with a rooted Android phone I can see NFC becoming an interesting new vector for attack … I wonder if anyone is :

  1. looking at it (vendor, supplier and corporate)
  2. thinking about it at a coding level at the vendor
  3. working out the legals of what is involved – is it illegal ? What are the laws around this ?


An interesting subject that I think could grow, especially with iPay from Apple.



And as if by magic comes news that Subway restaurants are going NFC also (LINK). Interestingly, iPay won’t be accepted there yet … I guess they’re waiting for trusted security to be proven.


What do you think ?



Undersea data – the evidence of the snoop ?

It’s been a while since I put out a blog, but this caught my eye.

This [LINK] interactive graphic shows the undersea cable maps of the world. It’s a really good graphic and is very useful in giving us some intelligence. We’ve seen other graphics of the undersea cable maps [LINK] but this new interactive one can show the cable routes per year.

So why is this important ?

Well, if we look at the Snowden leak info – the NSA PowerPoint screenshots – we can see that most of the dates quoted on these documents are from 2004 onwards. [LINK]

If we also combine this intelligence with the time it takes to lay a cable – around 100-150 km per day [LINK] – we can start projecting backwards as to which cables are being used for which projects and where the boosts in investment may have come from. If you fancy having a go at putting projects to cables, feel free to get in touch and I’ll add an update to this blog.
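The backwards projection described above, as an added example that is not part of the original post: given a cable’s length and the date it entered service, the 100-150 km/day lay rate gives a window for when laying must have started, and from that we can list which cables were plausibly being laid in a given year. The cable names, lengths and dates in the sample data are constructed, not real systems, and the example assumes laying ran continuously up to the in-service date.

```python
from datetime import date, timedelta

# Lay rate quoted in the post: roughly 100 to 150 km of cable per day.
LAY_RATE_KM_PER_DAY = (100, 150)


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def lay_window(length_km, ready_for_service):
    """Estimate when laying started for a cable of length_km that entered
    service on ready_for_service.

    Returns (earliest_start, latest_start): the slow rate gives the earliest
    plausible start, the fast rate the latest. Assumes laying ran
    continuously and finished on the in-service date (a simplification;
    real projects pause and lay in segments)."""
    rfs = _as_date(ready_for_service)
    slow_rate, fast_rate = LAY_RATE_KM_PER_DAY
    days_at_slow = -(-length_km // slow_rate)   # ceiling division
    days_at_fast = -(-length_km // fast_rate)
    return rfs - timedelta(days=days_at_slow), rfs - timedelta(days=days_at_fast)


def cables_in_progress(cables, year):
    """Names of cables whose estimated laying window overlaps `year`, i.e.
    candidates to match against projects dated in that year.

    `cables` is a list of (name, length_km, ready_for_service) tuples. The
    earliest (slow-rate) start is used, so the result is the wider, more
    inclusive candidate set."""
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    hits = []
    for name, length_km, rfs in cables:
        earliest_start, _ = lay_window(length_km, rfs)
        # Overlap: started no later than the year ended and was not yet in
        # service before the year began.
        if earliest_start <= year_end and _as_date(rfs) >= year_start:
            hits.append(name)
    return hits


# Constructed sample data, not real cable systems: (name, km, in-service date).
SAMPLE_CABLES = [
    ("CABLE-A", 6000, "2005-03-31"),
    ("CABLE-B", 12000, "2004-12-01"),
    ("CABLE-C", 3000, "2007-08-15"),
]

if __name__ == "__main__":
    for name, km, rfs in SAMPLE_CABLES:
        lo, hi = lay_window(km, rfs)
        print(f"{name}: laying started between {lo} and {hi}")
    print("Candidates for 2004 projects:", cables_in_progress(SAMPLE_CABLES, 2004))
```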

More info about undersea cables [LINK]



Digital Freedom – the manifesto is launched

Mikko Hypponen and David Hasselhoff have appeared on stage at re:publica 14 and launched the new Digital Freedom manifesto.

The manifesto is based on 4 points :

  1. Freedom from mass surveillance (target / blanket)
  2. Freedom from digital persecution (privacy in the future)
  3. Freedom from digital colonisation
  4. Freedom of digital access, movement and speech


I watched the keynote with interest and have the following thoughts :

Freedom from mass surveillance (target / blanket)

I appreciate that there is a time and place for surveillance. CCTV watches our every move and our internet traffic is scanned for key words. To remove this would, I believe, be a mistake – instead, they should be more transparent. Go ahead, watch me and scan me … but only if you do something useful with this data to keep me safer. Sure I have secrets and sure, I am aware of what I post … but can you imagine a world where facial recognition does not pick up the criminals ? I think that there is a specific use case for mass surveillance, but it is currently not being handled well and certainly not following the same standard of disclosure globally.

Freedom from digital persecution (privacy in the future)

This I understand and totally support. Right now, May 2014, it is OK to have certain views, prejudices etc, but in 2020, will those standards still hold ? Will my old opinion still be the same ? I once thought I was going to be an electrical engineer – that didn’t work out, so why should the opinions I have still hold ANY weight in the future ? We need to isolate a case, sure, look back in history to see if it is a long-held opinion, but certainly not use it to persecute in the future.

Freedom from digital colonisation

The lines between technology and our existence are more blurred than ever. With the Internet of Things, mobile tech etc … we see more intrusion of technology into our lives. And it is just that .. an intrusion. We need to learn to keep a divide between tech and life. Just because technology exists doesn’t mean we have to shoe-horn it into everyday life – especially if it is to the detriment of our privacy. We all need to learn to have down-days. Non-tech days … and if you don’t know the answer to a problem, instead of Googling it … use this method:

  • Brain – think about it, work out the options and the theory.
  • Book – read it in a book, they are more than paperweights !
  • Buddy – ask a friend, a colleague … the meat space !
  • Boss – ask a person in authority, your boss, a department head, a lecturer, they generally got there by knowing something !

Freedom of digital access, movement and speech

Should I be allowed to write what I want ? What about offending someone or prejudice ? Should I be restricted in what I can/can’t say ? I think this comes down to an old skill that we seem to have forgotten with the advent of technology – the art of common sense. So I would like to introduce you to Gran’s law. Think about an elderly relative (a grandparent for example). Now go ahead and type your real feelings about something you feel passionate about. If your Gran were to read it, would she be offended, would she clip you round the ear, would she be horrified … if the answer is yes, then it is probably best to keep it off the internet ! Common sense can save you a lot of conversations later. You should not be thinking about your intended audience, but remembering that the internet sees all.


What are your thoughts ? Have you posted on the Digital Freedom site ?


What is an ‘Ethical Hack’ ?

This great question was posted on LinkedIn and it got me thinking.


In the strictest use of the phrase ethical security testing – I believe an accurate description would include:

  • explicit instruction
  • authorisation
  • owned system


However, we need to get pernickety about definitions with this phrase:


‘No-one got hurt’ or ‘no data was exfiltrated’ perhaps.


A wide description can be inferred here – but let us allow the words ‘attack’ or ‘exfiltration’ to be used.


So let us see if these example instances are Ethical Hacking and therefore explore the relevance and use of the phrase :

Example 1:

An Anonymous DDoS is ethical hacking, is it not ?

    • Ethical – fighting for the masses,
    • Hacking – a form of hacking is DDoS.

Technically yes and no. Ethical – whose ethics ? Ethical in that it is their belief they are fighting for, so I guess yes, but hacking – DDoS. Hmm, I have a problem with DDoS as it is an orchestrated attack with the intent to stop traffic reaching a website or web service. As a result of that ‘intent’ I believe this is no longer ethical.

Example 2:

Is Edward Snowden an ethical hacker ?

    • Ethical – he released documents that exposed government misdemeanours
    • Hacking – using social engineering techniques.

No, because he broke the law. Quite a simple line here. Irrespective of what the governments allegedly have been up to, he broke the law by stealing information, and for that this is not ethical hacking – but crime.

Example 3:

NSA backdoors in common-use technologies

    • Ethical – they are protecting the greater good of the US
    • Hacking – creating backdoors in code for later use

Here we see an easy delineation – there is a potential Ethical standpoint, but there is no visibility / transparency of intent and as such, no ethical standpoint.


Summary :

Ethical Hacking is a not so common term and we are more used to seeing Ethical Security Testing. This implies testing – part of a project lifecycle. The very introduction of the term hacking takes an already broad term, Ethical, and muddies it with an already media-hyped phrase, Hacking, and as such creates a phrase which could describe either crime or business activity. As such, I would recommend avoiding the term Ethical Hacking and concentrating on the much stricter phrase Ethical Security Testing.

The joys of the 3D future !

When I first read about 3D printers being used to print gun parts, I actually wasn’t that surprised. I mean … if you are going to test out the bounds and limitations, a gun is a good start. You need precision plus strength so yep – good idea to start with gun technologies.

Since then, I’ve watched the industries cropping up:

  • Jewellery
  • Body parts
  • Food

3D printing has come a long way from those first simple structures that looked like they’d been printed in 8-bit !

But where will they lead us to ?


One thing I can see is regulation over the designs so that restricted parts cannot be produced unless you have downloaded the instructions from an authorised agent. At least this will cut down on the crazies firing plastic bullets at each other and the guns being blamed !

Smaller scale printers

Instead of requiring a whole desk in the corner, I can see them becoming much smaller … the trick will be to make them portable – the briefcase-sized printer or smaller. This will enable us to make devices on the go and introduce them into the mainstream environment.

For those involved in the security industry, how amazing will it be to copy the key of your target and 3D print a one-off usable key replacement.

Retail versions

If you lose your keys, authenticate who you are and get another key printed…

Like a design but want it bigger / smaller / different colour – it will give the consumer more choices over design.

Where do you see 3D printers going ?

The not so shocking NSA revelations

I don’t work for the government.
I am a UK citizen.
I work in IT security.

Edward Snowden stole 1.2 million documents and has started leaking them in small batches. News agency Spiegel has found some interesting stuff in there :


It appears that the NSA in 2007 (7 years ago) had a catalog of tools that could be used to allow varying degrees of access to devices. This confidential document is now public for all to see and we can now browse through this catalog ourselves – http://t.co/Ra19VNCwEJ

Although it is revealing as to what was available back in 2007, we need to remember that we are judging 2007 technology through 2014 eyes. Our perception of privacy etc. has changed in the last 7 years. If we could rewind to 2007, how many people would have supported this technology at that time ?

So let us put ourselves back in the frame of mind of 2007 :

  • the first iPhone was launched (June 29th) which means …
  • Steve Jobs is still alive (in fact he hasn’t got ill yet)
  • We launch the Core 2 duo this year
  • Dropbox … 1st lines of code are written
  • Vista and Office 2007 were released January 30th
  • Tumblr is launched
  • There is no Anonymous
  • Android was released November 2007

  • In 1 year Chrome will be launched
  • In 2 years Minecraft is to be launched
  • In 3 years we get the Stuxnet discovery
  • In 4 years Aaron Swartz gets arrested
  • In 5 years SOPA protests get commercial backing
  • In 6 years the Hotmail brand gets shut down

Since 2007 we have had a hell of a ride and we are now all so much more paranoid about our security and our privacy. We loved the lack of privacy in 2007 – I mean, 7 years ago, how much were you posting on Facebook/MySpace/Bebo before you realised what was going on ?

And so we need to think about the NSA again. In 2007, they were snooping – isn’t that their job? Now I don’t know about you but I’m not surprised. I mean, the UK has had Goonhilly since 1962. Why are we all so shocked?

And so to get to the point…

If you are a good citizen who is behaving responsibly, then what fear have you if the NSA/GCHQ/FSB or whoever the hell is in authority reads what you are doing ? If you are so concerned about your privacy, then why are you on the internet exposing all your data to all the parties involved in getting you online ?

When I connect to the internet, I connect via a router I do not own, over a telecoms company’s cable, through ISP equipment, onto undersea cables owned by someone else, to a data-centre owned by a hosting company, to a web developer’s server, to a website of a person who I hope knows how to write secure code, and give them my credit card number and delivery address, which is then passed on to my bank and his bank to complete the transaction. Privacy ? Where ?

If the NSA want to read all emails and therefore build up a profile of how a typical user in the US / UK / France or wherever should operate, then it is easier for those who do not behave like the norm to be spotted. If we find in the UK that no-one uses the word bomb and fertiliser together but ‘da bomb’ is popularised, then we can discount 90% of noise from the holistic view and focus on only those who appear to be creating an unusual profile.


Reading that catalog through the eyes of the NSA : we have got a massive set of interfaces that we need to be aware of and somehow access .. how can we make it easy to monitor ?

If we have access to the machine, use the USB; if the target uses common routers, then have an accessible backdoor in that router, etc. Now scale this up to a nation of hundreds of millions of people – specific targets can then be targeted, and if an innocent is picked up, so long as they fit the normal population model they’ll be fine. There is no way the NSA could monitor the whole of the US – the traffic would be so massive it could not be analysed in real time and the storage would be prohibitively large – so it cannot be a whole-population monitor. That NSA shopping list is designed for specific targets, not for whole populations.

Am I concerned ?

Well no actually. I know my privacy is shot – I gave it up well before 2007 when we had that thing called the internet and I first naively connected to that BBS using my real name!

So I guess the real question is ..

If that was the 2007 catalog .. I wonder what the 2014 catalog looks like ?

Infosec in 2013

So it looks like we survived 2013! No comets came crashing into Earth, the zombies stayed and the sun didn’t explode.

It’s always at this point in the year we see those blogs – “Retrospective on 2013”. Well, to save you the bother of reading them, here’s a little tip. Everything in 2012 happened again, but to various different degrees.

  • Instead of Sony being attacked it was Target
  • Instead of Wikileaks it was Snowden
  • Instead of 123456 being the most common password to be leaked it was … 123456

And herein lies the problem with information security.

We spend all year inventing new technologies .. Web Application Firewalls, APT threat detection, Cloud Based anti-DDoS solutions – the list of tin and “solution” is vast. As an end user you now have a bewildering array at your disposal. But does it work ?

Well .. to put it bluntly .. no.

  • It’ll never work when the user thinks “to be safe, I’ll use 123456 for a password”.
  • It’ll never work when users post photos of their debit cards on social media.
  • It’ll never work when companies store credentials plain text.
  • It’ll never work when vendors can be swayed by $10million from the NSA.

You can surround yourself with as much defence and attack capabilities as you like but if you are compromised before you start then save your money.

So that was 2013 …

A lot happened and the infosec community cannot say we won this year. If anything .. we took a bad battering. Take stock of what you learned and face 2014 with new energy to get it right this year.

Start with yourself,

then your family,

then your friends,

then the company you work for.

Do something. Anything … but do SOMETHING.