Comments

Clive Robinson November 15, 2021 10:28 AM

Hmmm,

A warning, if you are squeamish the lead photograph may make you feel a little green around the gills…

I guess because the second page of the post talks about the less than delicately called “pig butchering” that certain Chinese call a method of taking money from young smart phone users…

Proving yet again about crypto-coins and smart-contracts,

“No matter how you look at these systems, they’ve lots of angles, and they are all crooked”

But…

There is one thing not mentioned.

In the intro it mentions that there have been more smartphones –made?– than there are people on the planet. And goes on to mention that many smart phone users have never touched a traditional computer like a PC (not sure if he’s including other “smart” devices like tablets in that).

What he does not mention though is the danger of “Piggy Backing” or “leap frogging” (yes pigs keep on coming up like frog stew).

You have to realise that these days smart phones are no longer “Communications End-points” but “Communications Nodes”. That is at the very least they have,

1, A broad band FM receiver.
2, WiFi node capability.
3, Bluetooth node capability.
4, NFC capability[1].

And a couple more depending on which “System on a Chip”(SoC) silicon is being used inside the phone.

All of these “Over The Air”(OTA) interfaces can receive large parts of the RF Spectrum, where digital data can be picked up. Either from “deliberate emissions” or “unintentional emissions”, which means that at a minimum your Smart phone can be an ElInt / SigInt / TEMPEST or Passive EmSec receiver (along with the fact it can also “bug” your audio and mechanical vibrations).

So it’s an “eavesdropper’s delight”…

So if you are using a “segregated” / “gapped” computer/laptop to do “Private Work” that you would not want known –think financial or personal etc– you need to keep your Smart Phone well away…

Surprisingly, these days if you have a careful look you can find the TEMPEST separation rules tables… or you can just work them out.

But… those OTA interfaces can work not just for receive but transmit as well. This brings up a whole new set of problems from “hostile active emissions” or “Active EmSec” concerns. At the very least they can be used as “active emitters” for certain types of “Passive Radar” and such fun as “Fault Injection Attacks” that can change how a running program such as the OS or Apps on a computer behave.

The moral especially for those that do work next to terminals, computers, laptops and similar confidential work devices is,

“Keep Smart Phones at least the TEMPEST safe distance for the class of device you are using”

Even when you think you’ve “turned it off” you’ve not actually turned off a Smart Phone[2]…

[1] I’m surprised that Ben Gurion Uni students have not published a paper on using the NFC OTA in a smart phone for reading data out of low speed data cables or the envelope of high speed data bursts. As they mention in their “Pita bread” attack you can use a low frequency radio device, they used an AM Radio but an NFC coil and head end would work as well…,

http://www.tau.ac.il/~tromer/radioexp/

[2] Read about how NFC devices keep working even when the phone battery is flat,

https://www.mpe.co.uk/wp-content/uploads/2012/08/Tempest-Level-EMI-Filters-Electronic-Product-News-Jan-20121.pdf

Ted November 15, 2021 5:13 PM

@SpaceLifeForm

Thank you so much for posting the article! Great article.

BTW, do you know if there are any dummies books for password managers? I get totally stumped on this. Like how do I use it on both my computer and phone? Also am I at risk if I have just one memorable password for the password manager?

From the article:

Get any reputable password manager (including the free one that probably came with your OS) and use it to generate all your passwords.

SpaceLifeForm November 15, 2021 6:33 PM

Password Managers for Dummies

Brain.

Paper. Paper. Paper.

Do not use accounts across devices.

And, of course, never reuse passwords across accounts. That is where the paper comes in.

Better yet, do not set up an account in the first place.

(Rewards Programs)

Yes, this is not easy. Did I mention password reuse across accounts?

Did I mention cross device usage?

If you have to have an account, try to use it on only one device.

It will help.

Until their infrastructure (cloud, servers) gets hacked.

Most IT SEC folk warn about password reuse across accounts.

But, personally, I think cross device usage may be a bigger issue. Even if you are not reusing passwords across accounts.

Clive Robinson November 15, 2021 7:30 PM

@ Ted,

Like how do I use it on both my computer and phone? Also am I at risk if I have just one memorable password for the password manager?

Two questions so two answers…

In the short “Don’t” and “Yes”.

Now the qualified answers,

Do not use password managers on phones, neither you nor the person who wrote it have sufficient control over the phone’s memory to be secure.

As for on a computer, again you have the issue of memory but with MS-OSs for Intel/AMD CPUs you have other issues as well. So if the computer is connected to communications you will be vulnerable.

These days I would not recommend traditional “password manager programs”, go for a more modern and more secure method such as using a “stand alone” “Hardware Security Module”(HSM), that is isolated both physically and electronically from any computer or connected to communications etc.

So onto the second question…

As has been noted the human brain is usually the weakest link in any security system. Many people these days can not remember anything even close to a totally random 64 to 250 character string. Which is kind of the length you need to be secure these days.

That is a software based password manager program and its password data file can be mistakenly copied to back up beyond your control (think smart phones that copy modified files to “backup” automatically). Thus your master password file is likely to become available for those that will try high end password crackers going at millions of words a minute etc.

Ted November 15, 2021 8:49 PM

@SpaceLifeForm, Clive

Re: Password Managers

First of all, thank you so much for responses. You both are so helpful. I read everything you wrote at least three times.

Second, dang wow. I didn’t know using password managers was so restrictive. One account per one device? Does this mean like one twitter account for my phone and a different account for my computer? Or one password manager for each device?? Which I guess doesn’t really make sense.

And even then the password manager isn’t necessarily secure?

I’m getting educated today.

I do change my password for each account. So I’ll keep doing that. Otherwise what I hear is just to limit my accounts where possible and do my best to make complex passwords.

The HSM is probably for a more advanced user.

So is using a password manager antiquated advice or good advice for a more sophisticated user?

okmarts2 November 16, 2021 3:28 AM

As the development of digital circuit technology and computer technology, the functional gradation of future HMI products will be less and less necessary, and the functions of HMI will be more and more abundant. The screen of HMI products which is more than 5.7 inches will be all color display, whose service life will be longer. ABB HMI CP620

Winter November 16, 2021 4:01 AM

I would add to the discussion on the dangers of using a smartphone another point.

Indeed smartphones are never “safe”. And the only safe way to use a smartphone is not to use a smartphone. Is this useful advice? No.

Take another appliance, the automobile. Can you drive a car safely? No, there is no way you can be immune to accidents. Even if you do not ride a car yourself.

In 2019, about 27,000 people riding a car, truck or motorcycle were killed in the US. About 4.4 million Americans were seriously injured by car crashes.

So, what is the safe way to travel? Do not travel. Is this useful advice? No.

Winter November 16, 2021 5:54 AM

@Ted
“@SpaceLifeForm, Clive

Re: Password Managers”

The real question is: Is using a Password manager worse than not using a Password manager?

That comes down to either using or not using a mobile device for logging into a service, any service. If you do log into services using your smartphone, e.g., accessing your bank account, you better use a password manager or revert to using weak passwords.

As for not using your phone to log into your bank account, that has severe downsides too. For instance, you should stay at home, at least at walking distance.

Clive Robinson November 16, 2021 6:12 AM

@ Ted, Winter, ALL,

One account per one device?

Err no it’s,

“Just one password manager, on one device with no connectivity and no backups anywhere.”

The reason is,

“The master password is very much the weakest link in the chain due to the failings of the human brain. Made worse by laziness and similar.”

If your password DB uses very strong encryption on near random password strings, most people will tell you that is “secure”, there are even mathematical proofs of that…

But it all falls apart when the master key is say a four digit pin. It only takes a few seconds to go through 9999 passwords so guaranteeing you can then unlock the Data Base in moments. Because in reality whilst the encryption algorithm could have 2^256 or ~10e80 actual keys, the use of a four digit pin takes that very large keyspace down to just a very tiny 10e4 or 10,000 pins.

So logically to prevent someone getting access to the DB and its contents, you need to have only one and keep it both secure and with you at all times…

Oh and having it on any device with “connectivity” is the same as making it available to all…

As @Winter points out,

“Indeed smartphones are never “safe”. And the only safe way to use a smartphone is not to use a smartphone. Is this useful advice? No.”

It also applies to all other technologies, if you want the perceived benefits then you must accept the inherent risks.

So two important measures you have to compare,

1, Perceived benefits.
2, Inherent risks.

They are in effect unique to you, but as a rough rule of thumb, the more benefits or greater utility, the greater the risks.

I see so little benefit in the current “social networking” offerings that no matter what the risk I would not use them.

But there is a flip side. If you use a technology your risk goes up, not just due to its utility, but in some cases due to how others perceive its use.

It’s the reason I don’t have anything to do with secure messaging apps,

Firstly because they are not secure in the overall system.

Secondly people think they are and do not behave discreetly.

Thirdly your use of them is obvious to others…

It’s that third reason why you hear,

“If you do that, then you are painting a target on your back”

Or the older,

“All nails that stick up get banged down”.

You obviously do not want to look like an “uppity nail” so,

“If you blend in with the crowd you are down in the noise floor”

Thus the ultimate solution is to find a way to take a technology and its benefits, and blend them in, in such a way that they stay beneath the noise floor.

Surprisingly for quite a bit of Privacy technology this is actually workable provided you accept the inherent limitations (sorry no free lunch).
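The keyspace argument in the comment above, worked through as an added example (not code from the thread or from any password manager): the vault is only as strong as the smaller of the cipher’s key size and the entropy of the secret that unlocks it, and a slow key derivation function only multiplies the attacker’s cost, it never restores the missing bits. The guess rate and iteration count below are assumed illustrative figures.

```python
import math

CIPHER_KEY_BITS = 256  # e.g. AES-256 protecting the vault file


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Keyspace of a uniformly random secret, in bits: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def effective_bits(master_secret_bits: float, cipher_key_bits: int = CIPHER_KEY_BITS) -> float:
    """Strength of the vault: an attacker guesses whichever space is smaller."""
    return min(master_secret_bits, cipher_key_bits)


def seconds_to_exhaust(bits: float, guesses_per_second: float, kdf_iterations: int = 1) -> float:
    """Worst-case time to try every candidate secret.

    Each guess costs kdf_iterations hash evaluations, so a slow KDF scales
    the cost linearly; it does not change the number of candidates.
    """
    candidates = 2 ** bits
    return candidates * kdf_iterations / guesses_per_second


def vault_summary(guesses_per_second: float = 1e6, kdf_iterations: int = 600_000) -> dict:
    """Compare master secrets discussed in the thread (assumed guess rate, assumed iteration count)."""
    cases = {
        "4-digit PIN": entropy_bits(10, 4),
        "8 lowercase letters": entropy_bits(26, 8),
        "64 random printable chars": entropy_bits(94, 64),
    }
    out = {}
    for name, bits in cases.items():
        eff = effective_bits(bits)
        out[name] = {
            "secret_bits": round(bits, 1),
            "effective_bits": round(eff, 1),
            "plain_seconds": seconds_to_exhaust(eff, guesses_per_second),
            "kdf_seconds": seconds_to_exhaust(eff, guesses_per_second, kdf_iterations),
        }
    return out


if __name__ == "__main__":
    for name, row in vault_summary().items():
        print(f"{name:28s} {row['effective_bits']:6.1f} bits  "
              f"exhaust: {row['plain_seconds']:.3g} s plain, {row['kdf_seconds']:.3g} s with KDF")
```

The 64-character secret is capped at 256 effective bits by the cipher itself, whereas the PIN never gets near that ceiling no matter how strong the cipher is.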

Ted November 16, 2021 10:04 AM

@Clive, Winter, ALL

Re: Password Managers

@Clive

Err no it’s,

“Just one password manager, on one device with no connectivity and no backups anywhere.”

I like how you provide the spectrum of security options and implementations. I am walking alongside your words in baby steps. I don’t do secure messaging apps either. But I still try to be somewhat aware when I text anyone that I don’t make any kinds of looney tunes remarks.

What do they say, send it if you’d be okay with anyone reading it? I’m sure lots of people, especially in less free places, really do explore those secure messaging platforms though.

@Winter

You’ve had some great comments, especially about cars and the practical trade offs we all make.

There was something I had a question about though:

As for not using your phone to log into your bank account, that has severe downsides too. For instance, you should stay at home, at least at walking distance.

Do you mean someone can be overly cautious?

Winter November 16, 2021 10:23 AM

@Ted
“Do you mean someone can be overly cautious?”

Yes, you can. The obvious cases are those with phobias. Mobile banking is a case in point. It has its risks. But so have credit cards (and costs) as well as being unable to pay bills or check your accounts. (That is in most of the world. Not sure whether mobile banking is useful in the US.)

Never using a smartphone might be more secure. But not being in contact with your relatives and friends creates risks too.

Ted November 16, 2021 10:36 AM

@Winter

Never using a smartphone might be more secure. But not being in contact with your relatives and friends creates risks too…

100%

Not sure whether mobile banking is useful in the US

I don’t know all the ins and outs of this. But it seems like, at least with my financial institutions, they strongly err on the side of protecting the customer in a fraud or loss situation. It would be very interesting to read about times when they did put the burden on the customer. At least then I might know what pitfalls to really watch out for.
