Entries Tagged "email"


An Expectation of Online Privacy

If your data is online, it is not private. Oh, maybe it seems private. Certainly, only you have access to your e-mail. Well, you and your ISP. And the sender’s ISP. And any backbone provider who happens to route that mail from the sender to you. And, if you read your personal mail from work, your company. And, if they have taps at the correct points, the NSA and any other sufficiently well-funded government intelligence organization—domestic and international.

You could encrypt your mail, of course, but few of us do that. Most of us now use webmail. The general problem is that, for the most part, your online data is not under your control. Cloud computing and software as a service exacerbate this problem even more.

Your webmail is less under your control than it would be if you downloaded your mail to your computer. If you use Salesforce.com, you’re relying on that company to keep your data private. If you use Google Docs, you’re relying on Google. This is why the Electronic Privacy Information Center recently filed a complaint with the Federal Trade Commission: many of us are relying on Google’s security, but we don’t know what it is.

This is new. Twenty years ago, if someone wanted to look through your correspondence, he had to break into your house. Now, he can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your office; now it’s on a computer owned by a telephone company. Your financial accounts are on remote websites protected only by passwords; your credit history is collected, stored, and sold by companies you don’t even know exist.

And more data is being generated. Lists of books you buy, as well as the books you look at, are stored in the computers of online booksellers. Your affinity card tells your supermarket what foods you like. What were cash transactions are now credit card transactions. What used to be an anonymous coin tossed into a toll booth is now an EZ Pass record of which highway you were on, and when. What used to be a face-to-face chat is now an e-mail, IM, or SMS conversation—or maybe a conversation inside Facebook.

Remember when Facebook recently changed its terms of service to take further control over your data? They can do that whenever they want, you know.

We have no choice but to trust these companies with our security and privacy, even though they have little incentive to protect them. Neither ChoicePoint, Lexis Nexis, Bank of America, nor T-Mobile bears the costs of privacy violations or any resultant identity theft.

This loss of control over our data has other effects, too. Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as others hold that data. If the police want to read the e-mail on your computer, they need a warrant; but they don’t need one to read it from the backup tapes at your ISP.

This isn’t a technological problem; it’s a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don’t have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant—even though it occurred at the phone company switching office and not in the target’s home or office—the Supreme Court must recognize that reading personal e-mail at an ISP is no different.

This essay was originally published on the SearchSecurity.com website, as the second half of a point/counterpoint with Marcus Ranum.

Posted on May 5, 2009 at 6:06 AM

Sarah Palin's E-Mail

People have been asking me to comment about Sarah Palin’s Yahoo e-mail account being hacked. I’ve already written about the security problems with “secret questions” back in 2005:

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It’s a great idea from a customer service perspective—a user is less likely to forget his first pet’s name than some random password—but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I’ll bet the name of my family’s first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

EDITED TO ADD (9/25): Ed Felten on the issue.

Posted on September 24, 2008 at 4:01 PM

E-Mail After the Rapture

It’s easy to laugh at the You’ve Been Left Behind site, which purports to send automatic e-mails to your friends after the Rapture:

The unsaved will be ‘left behind’ on earth to go through the “tribulation period” after the “Rapture”…. We have made it possible for you to send them a letter of love and a plea to receive Christ one last time. You will also be able to give them some help in living out their remaining time. In the encrypted portion of your account you can give them access to your banking, brokerage, hidden valuables, and powers of attorneys’ (you won’t be needing them any more, and the gift will drive home the message of love). There won’t be any bodies, so probate court will take 7 years to clear your assets to your next of Kin. 7 years of course is all the time that will be left. So, basically the Government of the AntiChrist gets your stuff, unless you make it available in another way.

But what if the creator of this site isn’t as scrupulous as he implies he is? What if he uses all of that account information, passwords, safe combinations, and whatever before any rapture? And even if he is an honest true believer, this seems like a mighty juicy target for any would-be identity thief.

And—if you’re curious—this is how the triggering mechanism works:

We have set up a system to send documents by email, to the addresses you provide, 6 days after the “Rapture” of the Church. This occurs when 3 of our 5 team members scattered around the U.S. fail to log in over a 3 day period. Another 3 days are given to fail safe any false triggering of the system.

The site claims that the data can be encrypted, but it looks like the encryption key is stored on the server with the data.
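The trigger quoted above is a threshold dead man's switch: arm when 3 of 5 members have been silent for 3 days, fire 3 days later unless someone reappears. The following is an added example, not the site's code, that models that two-stage rule and shows how the grace period suppresses a false trigger; the start date, member names and login histories are constructed.

```python
from datetime import datetime, timedelta

# Parameters as quoted from the site: 3 of 5 team members, a 3-day
# silence window, then 3 more days of fail-safe before anything is sent.
QUORUM = 3
SILENCE_WINDOW = timedelta(days=3)
FAILSAFE_GRACE = timedelta(days=3)
BASE = datetime(2008, 6, 1)  # constructed start date for the scenarios


def silent_members(logins, now, window=SILENCE_WINDOW):
    """Members whose latest login at or before `now` is older than `window`.

    `logins` maps member name -> list of login timestamps (any order).
    A member with no login yet counts as silent.
    """
    silent = []
    for member, stamps in logins.items():
        past = [t for t in stamps if t <= now]
        if not past or now - max(past) > window:
            silent.append(member)
    return sorted(silent)


def simulate_trigger(logins, start, end, step=timedelta(hours=1)):
    """Advance a clock from `start` to `end` and apply the two-stage rule.

    Arm:  QUORUM or more members have been silent for SILENCE_WINDOW.
    Fire: still at quorum once FAILSAFE_GRACE has elapsed since arming.
    If silence drops below quorum during the grace period the switch
    disarms; that is the "fail safe any false triggering" step.
    """
    armed_at = None
    now = start
    while now <= end:
        silent = silent_members(logins, now)
        if len(silent) >= QUORUM:
            if armed_at is None:
                armed_at = now
            elif now - armed_at >= FAILSAFE_GRACE:
                return {"armed_at": armed_at, "fired_at": now, "silent": silent}
        else:
            armed_at = None  # someone logged in again: stand down
        now += step
    return {"armed_at": armed_at, "fired_at": None,
            "silent": silent_members(logins, end)}


def daily_logins(days):
    """One login at 00:00 on each of the given day offsets from BASE."""
    return [BASE + timedelta(days=d) for d in days]


def scenario_three_go_quiet():
    """Constructed: all five log in daily through day 10; C, D and E then stop."""
    logins = {m: daily_logins(range(21)) for m in "AB"}
    logins.update({m: daily_logins(range(11)) for m in "CDE"})
    return simulate_trigger(logins, BASE, BASE + timedelta(days=21))


def scenario_false_alarm():
    """Constructed: as above, but C returns on day 14, so the grace period saves it."""
    logins = {m: daily_logins(range(21)) for m in "AB"}
    logins["C"] = daily_logins(list(range(11)) + list(range(14, 21)))
    logins.update({m: daily_logins(range(11)) for m in "DE"})
    return simulate_trigger(logins, BASE, BASE + timedelta(days=21))


if __name__ == "__main__":
    for name, fn in (("three go quiet", scenario_three_go_quiet),
                     ("false alarm", scenario_false_alarm)):
        print(name, fn())
```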

EDITED TO ADD (6/14): Here’s a similar site, run by atheists so they can guarantee that they’ll be left behind to deliver all the messages.

Posted on June 2, 2008 at 1:09 PM

BlackBerry Giving Encryption Keys to Indian Government

RIM encrypts e-mail between BlackBerry devices and the server with 256-bit AES encryption. The Indian government doesn’t like this at all; they want to snoop on the data. RIM’s response was basically: That’s not possible. The Indian government’s counter was: Then we’ll ban BlackBerries. After months of threats, it looks like RIM is giving in to Indian demands and handing over the encryption keys.

EDITED TO ADD (5/27): News:

BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encryption key to the government as its security structure does not allow any ‘third party’ or even the company to read the information transferred over its network.

EDITED TO ADD (7/2): Looks like they have resolved the impasse.

Posted on May 21, 2008 at 2:09 PM

Thoughts on the Security of qmail

Dan Bernstein wrote an interesting paper on the security lessons he’s learned from qmail.

My views of security have become increasingly ruthless over the years. I see a huge amount of money and effort being invested in security, and I have become convinced that most of that money and effort is being wasted. Most “security” efforts are designed to stop yesterday’s attacks but fail completely to stop tomorrow’s attacks and are of no use in building invulnerable software. These efforts are a distraction from work that does have long-term value.

Very interesting stuff, some counter to conventional security wisdom.

I have become convinced that this “principle of least privilege” is fundamentally wrong. Minimizing privilege might reduce the damage done by some security holes but almost never fixes the holes. Minimizing privilege is not the same as minimizing the amount of trusted code, does not have the same benefits as minimizing the amount of trusted code, and does not move us any closer to a secure computer system.

Posted on November 16, 2007 at 6:47 AM

The Storm Worm

The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: “230 dead as storm batters Europe.” Those who opened the attachment became infected, their computers joining an ever-growing botnet.

Although it’s most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It’s also the most successful example we have of a new breed of worm, and I’ve seen estimates that between 1 million and 50 million computers have been infected worldwide.

Old style worms—Sasser, Slammer, Nimda—were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.

Worms like Storm are written by hackers looking for profit, and they’re different. These worms spread more subtly, without making noise. Symptoms don’t appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.

Storm represents the future of malware. Let’s look at its behavior:

  1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.
  2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.
  3. Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.
  4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way.

    This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn’t show up as a spike. Communications are much harder to detect.

    One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won’t work with Storm: An infected host may only know about a small fraction of infected hosts—25-30 at a time—and those hosts are an unknown number of hops away from the primary C2 servers.

    And even if a C2 node is taken down, the system doesn’t suffer. Like a hydra with many heads, Storm’s C2 structure is distributed.

  5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called “fast flux.” So even if a compromised host is isolated and debugged, and a C2 server identified through the cloud, by that time it may no longer be active.
  6. Storm’s payload—the code it uses to spread—morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.
  7. Storm’s delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites—anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.
  8. The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: “A killer at 11, he’s free at 21 and …,” “football tracking program” on NFL opening weekend, and major storm and hurricane warnings. Storm’s programmers are very good at preying on human nature.
  9. Last month, Storm began attacking anti-spam sites focused on identifying it—spamhaus.org, 419eater and so on—and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy’s reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.
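Item 5 says the C2 servers hide behind fast-flux DNS. The following is an added example, not from the essay, showing how a defender can flag a fast-flux hostname from repeated lookups: very short TTLs, a large address set spread across many networks, and answers that are mostly new each time. The thresholds and the use of /16 prefixes as a stand-in for separate networks are my assumptions, and the DNS answers are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Lookup:
    """One DNS answer for the hostname, as seen by a resolver."""
    t: int                 # seconds since the first lookup
    ttl: int               # TTL on the returned A records
    addrs: list = field(default_factory=list)  # A records in this answer


def summarize(lookups):
    """Aggregate the traits a fast-flux host shows over repeated lookups."""
    seen, prefixes, churn = set(), set(), []
    prev = None
    for lk in lookups:
        cur = set(lk.addrs)
        if prev is not None and cur:
            # share of this answer's addresses that were not in the previous one
            churn.append(len(cur - prev) / len(cur))
        prev = cur
        seen |= cur
        for a in cur:
            # /16 is a crude stand-in for "different network"; real tooling
            # would map each address to its ASN instead
            prefixes.add(str(ipaddress.ip_network(f"{a}/16", strict=False)))
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(lk.ttl for lk in lookups),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def is_fast_flux(lookups, max_ttl=300, min_ips=10, min_prefixes=5, min_churn=0.5):
    """Assumed thresholds: short TTL, many addresses across many networks,
    and most of each answer being new since the previous lookup."""
    s = summarize(lookups)
    return (s["min_ttl"] <= max_ttl
            and s["distinct_ips"] >= min_ips
            and s["distinct_prefixes"] >= min_prefixes
            and s["mean_churn"] >= min_churn)


def constructed_flux_lookups():
    """Constructed: six lookups three minutes apart; a 20-address pool across
    eight /16s, five addresses per answer, rotating by four each time."""
    pool = [f"10.{n % 8 + 1}.{n}.{n + 10}" for n in range(20)]
    return [Lookup(t=i * 180, ttl=180,
                   addrs=[pool[(4 * i + k) % 20] for k in range(5)])
            for i in range(6)]


def constructed_stable_lookups():
    """Constructed: an ordinary host, two addresses and an hour-long TTL."""
    return [Lookup(t=i * 3600, ttl=3600, addrs=["10.9.0.10", "10.9.0.11"])
            for i in range(6)]


if __name__ == "__main__":
    for name, fn in (("flux", constructed_flux_lookups),
                     ("stable", constructed_stable_lookups)):
        print(name, summarize(fn()), is_fast_flux(fn()))
```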

Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it. Inoculating infected machines individually is simply not going to work, and I can’t imagine forcing ISPs to quarantine infected hosts. A quarantine wouldn’t work in any case: Storm’s creators could easily design another worm—and we know that users can’t keep themselves from clicking on enticing attachments and links.

Redesigning the Microsoft Windows operating system would work, but that’s ridiculous to even suggest. Creating a counterworm would make a great piece of fiction, but it’s a really bad idea in real life. We simply don’t know how to stop Storm, except to find the people controlling it and arrest them.

Unfortunately we have no idea who controls Storm, although there’s some speculation that they’re Russian. The programmers are obviously very skilled, and they’re continuing to work on their creation.

Oddly enough, Storm isn’t doing much, so far, except gathering strength. Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumors that Storm is leased out to other criminal groups. Other than that, nothing.

Personally, I’m worried about what Storm’s creators are planning for Phase II.

This essay originally appeared on Wired.com.

EDITED TO ADD (10/17): Storm is being partitioned, presumably so parts can be sold off. If that’s true, we should expect more malicious activity out of Storm in the future; anyone buying a botnet will want to use it.

Slashdot thread on Storm.

EDITED TO ADD (10/22): Here’s research that suggests Storm is shrinking.

EDITED TO ADD (10/24): Another article about Storm striking back at security researchers.

Posted on October 4, 2007 at 6:00 AM

More on the German Terrorist Plot

This article is a detailed writeup of the actual investigation. While it seems that intercepted emails were instrumental at several points during the investigation, the article doesn’t explain whether the intercepts were the result of some of the wholesale eavesdropping programs or specifically obtained for this case.

The US intelligence agencies, the NSA and CIA, provided the most important information: copies of messages between German Islamists and their contacts in Pakistan. Three people in Germany were apparently the ones maintaining contact. The first was a man with the pseudonym “Muaz,” who investigators suspected was Islamist Attila S., 22. The second was a man named “Zafer,” from the town of Neunkirchen, who they believed was Zafer S., an old friend of Daniel S., one of the three men arrested last week. According to his father, Hizir S., Zafer is currently attending a language course in Istanbul. The third name that kept reappearing in the emails the NSA intercepted was “Abdul Malik,” a.k.a. Fritz Gelowicz, who prosecutors believe was the ringleader of the German cell, a man Deputy Secretary Hanning calls “cold-blooded and full of hate.”

[…]

While at the Pakistani camp in the spring of 2006, Adem Y. and Gelowicz probably discussed ways to secretly deliver messages from Pakistan to Germany. They used a Yahoo mailbox, but instead of sending messages directly, they would store them in a draft folder through which their fellow Islamists could then access the messages. But it turned out that the method they hit upon had long been known as an al-Qaida ploy. The CIA, NSA and BKA had no trouble monitoring the group’s communications. Two men who went by the aliases “Sule” or “Suley” and “Jaf” kept up the contact from the IJU side.

This is also interesting, given the many discussions on this blog and elsewhere about stopping people watching and photographing potential terrorist targets:

Early in the evening of Dec. 31, 2006, a car containing several passengers drove silently past the Hutier Barracks in Lamboy, a section of the western German city of Hanau. Hanau is known as the home of a major US military base, where thousands of US soldiers live and routinely look forward to celebrating New Year’s Eve in their home away from home. The BfV’s observation team later noted that the car drove back and forth in front of the barracks several times. When German agents finally stopped the car, they discovered that the passengers were Fritz Gelowicz, Attila S. from the southern city of Ulm, Ayhan T. from Langen near Frankfurt and Dana B., a German of Iranian descent from Frankfurt who, when asked what he and the others were doing there, claimed that they had just wanted to see “how the Americans celebrate New Year’s Eve.”

Posted on September 21, 2007 at 4:00 AM

Anonymity and the Tor Network

As the name implies, Alcoholics Anonymous meetings are anonymous. You don’t have to sign anything, show ID or even reveal your real name. But the meetings are not private. Anyone is free to attend. And anyone is free to recognize you: by your face, by your voice, by the stories you tell. Anonymity is not the same as privacy.

That’s obvious and uninteresting, but many of us seem to forget it when we’re on a computer. We think “it’s secure,” and forget that secure can mean many different things.

Tor is a free tool that allows people to use the internet anonymously. Basically, by joining Tor you join a network of computers around the world that pass internet traffic randomly amongst each other before sending it out to wherever it is going. Imagine a tight huddle of people passing letters around. Once in a while a letter leaves the huddle, sent off to some destination. If you can’t see what’s going on inside the huddle, you can’t tell who sent what letter based on watching letters leave the huddle.

I’ve left out a lot of details, but that’s basically how Tor works. It’s called “onion routing,” and it was first developed at the Naval Research Laboratory. The communications between Tor nodes are encrypted in a layered protocol—hence the onion analogy—but the traffic that leaves the Tor network is in the clear. It has to be.

If you want your Tor traffic to be private, you need to encrypt it. If you want it to be authenticated, you need to sign it as well. The Tor website even says:

Yes, the guy running the exit node can read the bytes that come in and out there. Tor anonymizes the origin of your traffic, and it makes sure to encrypt everything inside the Tor network, but it does not magically encrypt all traffic throughout the internet.

Tor anonymizes, nothing more.

Dan Egerstad is a Swedish security researcher; he ran five Tor nodes. Last month, he posted a list of 100 e-mail credentials—server IP addresses, e-mail accounts and the corresponding passwords—for embassies and government ministries around the globe, all obtained by sniffing exit traffic for usernames and passwords of e-mail servers.

The list contains mostly third-world embassies: Kazakhstan, Uzbekistan, Tajikistan, India, Iran, Mongolia—but there’s a Japanese embassy on the list, as well as the UK Visa Application Center in Nepal, the Russian Embassy in Sweden, the Office of the Dalai Lama and several Hong Kong Human Rights Groups. And this is just the tip of the iceberg; Egerstad sniffed more than 1,000 corporate accounts this way, too. Scary stuff, indeed.

Presumably, most of these organizations are using Tor to hide their network traffic from their host countries’ spies. But because anyone can join the Tor network, Tor users necessarily pass their traffic to organizations they might not trust: various intelligence agencies, hacker groups, criminal organizations and so on.

It’s simply inconceivable that Egerstad is the first person to do this sort of eavesdropping; Len Sassaman published a paper on this attack earlier this year. The price you pay for anonymity is exposing your traffic to shady people.

We don’t really know whether the Tor users were the accounts’ legitimate owners, or if they were hackers who had broken into the accounts by other means and were now using Tor to avoid being caught. But certainly most of these users didn’t realize that anonymity doesn’t mean privacy. The fact that most of the accounts listed by Egerstad were from small nations is no surprise; that’s where you’d expect weaker security practices.

True anonymity is hard. Just as you could be recognized at an AA meeting, you can be recognized on the internet as well. There’s a lot of research on breaking anonymity in general—and Tor specifically—but sometimes it doesn’t even take much. Last year, AOL made 20,000 anonymous search queries public as a research tool. It wasn’t very hard to identify people from the data.

A research project called Dark Web, funded by the National Science Foundation, even tried to identify anonymous writers by their style:

One of the tools developed by Dark Web is a technique called Writeprint, which automatically extracts thousands of multilingual, structural, and semantic features to determine who is creating “anonymous” content online. Writeprint can look at a posting on an online bulletin board, for example, and compare it with writings found elsewhere on the Internet. By analyzing these certain features, it can determine with more than 95 percent accuracy if the author has produced other content in the past.

And if your name or other identifying information is in just one of those writings, you can be identified.

Like all security tools, Tor is used by both good guys and bad guys. And perversely, the very fact that something is on the Tor network means that someone—for some reason—wants to hide the fact he’s doing it.

As long as Tor is a magnet for “interesting” traffic, Tor will also be a magnet for those who want to eavesdrop on that traffic—especially because more than 90 percent of Tor users don’t encrypt.

This essay previously appeared on Wired.com.

Posted on September 20, 2007 at 5:38 AM
