You’re in Danger on Public Wifi!

Illustration by Kristina Collantes

If you ever connect to a public Wifi hotspot, you owe it to yourself to spend 4-5 minutes and read this article by Maurits Martijn called “Maybe It’s Better If You Don’t Read This Story on Public WiFi,” subtitled “We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”

I want to make thousands of copies of that article and give them to every single person I see in every public Wifi location everywhere!

Let me say it as emphatically as I can if you’ve read this far: You are an idiot if you connect to any public Wifi without running a virtual private network (VPN) connection (like the one I use, Private Internet Access, for $39.99/year for 5 devices). If you don’t, it’s not “if” you will get hacked, but rather “when” it will happen to you.

To show you how pervasive and simple it is to hack your laptop, smartphone or tablet when you connect willy-nilly to some public Wifi hotspot, let me give you a glimpse at what I can only describe as a…

HACKER’S DREAM MACHINE

The Wifi Pineapple, a $99.99 black box which makes it trivial for a hacker to steal from you!

Because I’ve technically known the risks for nearly ten years, I’ve been paranoid about public Wifi locations since 2005 and wrote about being “naked in a coffee shop” here, here and here. But to show you how brain-dead-simple it has become to BE a hacker, wait until you read about a black box called the Wifi Pineapple you can buy, for $99.99, which lets anyone who has one:

  • Run a man-in-the-middle attack, essentially spoofing a public Wifi connection and even impersonating the actual, real network connection (whether open or secured). How many times have you connected to Wifi that said “Coffee Shop Guest” or “Free Public Wifi”? Sometimes they’re real, mostly they are not. You can almost never be certain.
  • Monitor all network traffic flowing between an Internet gateway and the connected clients (like your laptop, smartphone or tablet!), as well as manipulate this data in transit through captive portals, DNS spoofing, IP redirection and even the substitution of executables in transit (so that file you’re downloading might be coming off of the attacker’s laptop!).

There’s a lot more you can do with this device, and Hak5, the group that makes it, is certainly gleeful about all the rogue crap it can do:

“…the WiFi Pineapple is more than a platform – it’s a community for creativity. Rickrolling clients, powering off WiFi drones mid-flight, tracking commercial airliners and logging WiFi connections are only some of the creative things being done within the WiFi Pineapple community.”

On the Hak5 forums they even have a section entitled “WiFi Pineapple University,” where users teach other users about this ‘fun’ little box.

The good news? If you run a VPN and inadvertently connect to “Coffee Shop Guest” and it’s actually a spoofed connection through one of these black boxes, the hacker would only see encrypted traffic! Everyone else’s internet traffic—Facebook login, bank password, credit card data—would mostly be going in the clear. (Note: I know that an actual SSL connection would encrypt traffic in the browser, and so do most smartphone and tablet apps, but more sophisticated hackers can even spoof SSL connections so that your browser thinks it is securely connecting…but it is not).

I must admit that, even though I’m more appalled by the activities of our government and mass surveillance of U.S. citizens in what I believe is a direct violation of our Constitution, boxes like this one target individuals with a lot to lose. It’s not right and not fair and I hope I never catch someone using one in a public place or…

Privacy Does Matter

Glenn Greenwald was one of the first reporters to see — and write about — the Edward Snowden files, with their revelations about the United States’ extensive surveillance of private citizens. In this searing talk, Greenwald makes the case for why you need to care about privacy, even if you’re “not doing anything you need to hide.”

Thank you, Apple, for iPhone Encryption

Though our national security is an absolute imperative, after the Edward Snowden revelations about mass NSA surveillance—and what most of us see as a direct violation of our Constitution by them (as well as their practice of passing that data to the DEA, FBI, IRS and local law enforcement)—the intelligence community made their bed…and now they have to lie in it.

From Wired’s article called Apple’s iPhone Encryption Is a Godsend, Even if Cops Hate It:

It took the upheaval of the Edward Snowden revelations to make clear to everyone that we need protection from snooping, governmental and otherwise. Snowden illustrated the capabilities of determined spies, and said what security experts have preached for years: Strong encryption of our data is a basic necessity, not a luxury.

And now Apple, that quintessential mass-market supplier of technology, seems to have gotten the message. With an eye to market demand, the company has taken a bold step to the side of privacy, making strong crypto the default for the wealth of personal information stored on the iPhone. And the backlash has been as swift and fevered as it is wrongheaded.

Though this is clearly the right thing for Apple’s business—especially if they continue to hope to sell in countries like China (see Apple iPhone a danger to China national security)—I still want to say, “Thank you Apple…seriously.”

NSA Files Decoded

The Edward Snowden revelations about the U.S. National Security Agency (NSA) and its vacuum surveillance sadly seem to be fading from the public consciousness. Undoubtedly this is viewed as a positive by the intelligence community, since they are continuing to accelerate their programs, now seemingly unabated.

Awareness is one reason I was pleased to see this article: The Guardian wins an Emmy for coverage of NSA revelations. Their multimedia piece NSA Files Decoded is one of the best, most comprehensive and informative (dare I say “entertaining?”) pieces I’ve seen yet. Congratulations to The Guardian team!

If you care at all about the world our children and grandchildren will inherit, then you owe it to yourself to watch the videos or read articles at NSA Files Decoded. You might also consider paying attention to a relatively new website, The Intercept, so that you can stay aware, stay informed, and not be one of those who are naive about the unprecedented and growing power of the intelligence community and its surveillance of all U.S. citizens.

Frontline’s United States of Secrets

Last night was part two of the PBS Frontline program called United States of Secrets. It was one of the best, most thorough overviews of what is going on with the NSA’s vacuum surveillance that I’ve ever seen.

You owe it to yourself, and the future of our children, to be aware of what’s going on.

NSA Finally In The Light

I’ve been deeply concerned about the massive, sweeping surveillance going on for over TEN YEARS! Whenever I bring up this topic (and online security in general) too many of my family and friends just shrug and say, “Oh well.” Frankly, I just don’t understand why most people don’t seem all that concerned about our fundamental erosion of liberty caused by the NSA’s mass surveillance.

Thankfully the Edward Snowden whistleblowing finally shined a light on what I intrinsically knew was going on shortly after 9/11 (see Snowden’s revelations and the overall controversy at The Guardian’s NSA Files website section). Yes, I feel vindicated for my paranoia but that attestation is not something I longed for…instead I hoped the government’s drive to classify their constitutional violations and illegal activities as “keeping America safe from terrorism” would stop.

Unfortunately that whistleblowing has made it increasingly hard for companies who sell their technology outside of the United States. For example, the NSA was inserting hardware in Cisco routers which caused CEO John Chambers to write a letter to President Obama asking for it to cease…now.

We’ve only seen the beginning of the backlash and erosion of our competitiveness around the world since no one trusts us anymore.

Skype to be renamed “Scrape”?

Something happened four and a half years ago that made me stop and wonder what the hell really happened: Skype was mysteriously taken offline, so I dashed off this post: Skype. How big *is* the back door?

Confirmation of my paranoia back then has become clearer with articles about how Microsoft has set up Skype to be “scraped” by the National Security Agency, like this one, Skype: Reportedly Funneling Your Calls To PRISM Since 2011:

Skype, long thought to be a privacy haven for its encrypted communication, reportedly began integrating its systems into the NSA’s PRISM program as early as November of 2010, nearly a year prior to joining Microsoft in the fall of 2011, according to a new report from the Guardian.

Skype reportedly began sending audio and text messages to the NSA, which shared the data with the FBI and CIA. The Guardian also reported that Skype, under the helm of Microsoft, worked closely with the NSA to enable the collection of video calls starting in July 2012.

Or this one, Microsoft Hints Skype Calls May Be Fair Game for NSA:

Microsoft indirectly hinted that Skype communications can be intercepted and handed over to the National Security Agency, according to two privacy and security researchers’ interpretation of the latest statement by the company regarding NSA surveillance.

For security experts, that means Skype calls are at the mercy of NSA requests, just like traditional phone calls made with landlines or cellphones. In other words, the U.S. government, through its PRISM program, can legally compel Microsoft to hand over Skype communications, something that the company previously denied was even possible at a technical level.

I always try to leverage my strengths and use them to see what’s coming next. Rarely do I take at face value any announcement, strategic move or even terrorist ‘attack,’ since I’ve been wrong every single time I did so. It is only when I try to read between the lines or do a smell test on whether something feels right — all while taking into consideration the facts I’ve been sticking in my brain through all my research and knowledge — that I become paranoid enough to take action, and one action is to move off of Skype. More on that to come…

Good discussion from a quite varied group of folks on This Week on ABC:

The Ends Justify The Means?

Was at two high school grad parties yesterday and found myself having disheartening conversations with several young people who had just graduated high school. We talked about what they’d be doing post-high school, their visions about their future lives and whether they thought what they wanted to do was achievable, and what kind of world they thought they were inheriting from those of us who were close to passing it on to them.

I was not prepared to hear their sense of sadness, fear, pessimism and, especially, their true befuddlement that the BIG lesson they had been taught by those in power was that:

  1. It was OK to lie to the world to start a war and no one is held accountable
  2. If you are a huge financial institution and instrumental in facilitating a global economic meltdown, not only will you not go to jail but your company is saved and it’s back to business (and bonuses) as usual within a year or two and no one is held accountable
  3. That a “terrorism Pearl Harbor” is excuse enough to spend trillions abroad while at home our infrastructure fails and our country embarks on the largest runup in mass surveillance while trampling on our Constitution’s Fourth Amendment and no one is held accountable (at least not yet)
  4. The richest and most powerful nation on earth has the highest incarceration rate in the world, while many of the crimes (especially ironic compared to no jail time for those in #2 above) are petty in nature.

While I tried to continually steer the conversations toward a more positive note—and part of their funk might have been partially attributable to our crappy, rainy weather yesterday—they continued to be gloom-and-doomsters about the state of our country and how uncertain they felt about the future.

The lessons taught to (and learned by) these young people? The ends justify the means. Makes me wonder if the next several decades may make many of these young people look more like a Gordon Gekko character than a Mother Teresa, and that our country’s ethical decline is now systemic and most of the skids are greased to make it easier for the United States to become a totalitarian country.

Google Chrome: Why I Said, “No thanks”

Though I use Google Chrome all day, every day…I radically minimize the use of plugins and extensions. Why? Because it’s like going to the hardware store to get a new housekey made and having to agree in writing that, “You agree the locksmith can make a duplicate key and use it whenever he/she cares to do so.”

The thing is, as I described in my September 2011 post, “Don’t Just “Allow” Permissions for Cloud Apps,” there are just too many opportunities for rogue infiltration of my computers if I load ones that are inherently insecure (because I’d have to grant access to all my tabs, web history and more). I just don’t agree willy-nilly to terms and conditions, and I actually think through what sorts of potential insecurities and “holes” I’m opening myself up to if I choose to use an extension or plugin.

Google makes it clear that you have to be very, very careful when you load Google Chrome extensions. I’m often blown away when I see how many developers, many of whom are outside the U.S., deliver NPAPI extensions. Google says on that page that developers should strongly weigh these security considerations with NPAPI:

Including an NPAPI plugin in your extension is dangerous because plugins have unrestricted access to the local machine. If your plugin contains a vulnerability, an attacker might be able to exploit that vulnerability to install malicious software on the user’s machine. Instead, avoid including an NPAPI plugin whenever possible.

Though Google is working on an experimental new plugin/extension API called “Pepper,” today I decided (in advance of a client session) to experiment with Google Remote Desktop. It works well and my client uses Chrome, but when I went to install the extension on my main machine I encountered this:

Chrome Remote Desktop 'agreement'

Wait a second. What is that last sentence, “Perform these operations when I’m not using the application” I’m agreeing to if I install it?

Figuring that it would be fast to discover more detail behind that bullet point and get comfortable that I wasn’t opening myself (and our entire office network) to who-knows-what, I did a Google search on that phrase. Basically I found nothing. Then I went to the Google Chromium project (the project behind Chrome, ChromeOS, etc.) and looked at their “security brag sheet.” Again, nothing.

Does this mean that, if my computer and Chrome are running and I’m not around, Google (or whomever they grant access to) can view any of my computer’s desktops? Security neophytes would think, “Come on…your locksmith analogy is a straw man argument and Google would never allow that sort of intrusiveness.” Maybe, but if CISPA passes (PDF), like I posted about yesterday, Google won’t have a choice in opening up desktops to intelligence and policing agencies (though, in Google’s defense, they are rattling their sabers).

I clicked “No thanks” to using Google Remote Desktop until Google reveals—and their description is verified by security specialists—that Google Remote Desktop isn’t a backdoor. You should too until Google makes it crystal clear what we’re signing up for when we install their, and third-party, extensions.

@SendInc Sends Stuff Securely

Snagging your insecure email!

Never, never, never send sensitive or private information through email. It doesn’t matter if you’re at home or at work on a secure network once you see how email really works.

Please don’t even get me started on why you are just asking for trouble if you send anything secure over email while you are naked in a coffee shop on Wifi.

This all came to a head today as a client’s accountant asked me to complete a Form W9 for payments last year and get it to her within five days. Since this person didn’t have a local fax machine which she had control over…that was not an option. Yes, I could have filled it out, printed it off and snail-mailed it, but I resisted that with all my being since doing so runs counter to my increasingly paperless life and just seemed inefficient and dumb.

I’m well aware of all sorts of email encryption solutions out there to secure email: PGP, Hushmail, encrypting a Zip file. But all of these solutions require someone to be reasonably tech-savvy in order to use them, or to adopt a solution like Hushmail as a primary service. Let me tell you that — after supporting family, friends and setting up support infrastructure for my company and others — the vast majority of people are NOT tech-savvy, and I just want to be able to send stuff securely and digitally without having the recipient match my technoweenie skill-set!

So that made me wonder: Why couldn’t sending a non-techie a secure file (or files) be easier? Fortunately I was pointed to a great solution.

Encrypt Your Communications with Silent Circle

Millions of us are always on, always connected and accelerating our use of the internet for everything from tweeting a LOLCat video to banking, stock trading, or sending private emails. As such you’d better believe that the crackers and hackers are trying to figure out any possible way to vacuum data you would rather keep private for their own nefarious purposes…

…and the number of attacks will continue to grow, especially as more people globally have faster internet access and powerful connected devices brimming over with all sorts of personal data like credit cards, social security numbers, bank and stock account information, and those photos you took of yourself that you probably shouldn’t have.

Phil Zimmerman

Today is the debut of Silent Circle, the brainchild of cryptography and encryption expert Phil Zimmerman, which offers a number of encrypted services for voice, text, video, email and more.

Are secure communications necessary? Since virtually everyone I meet is completely clueless about the insecurity of coffee shop wifi, sending private stuff by email, or how trivial it is to track everything they do online, then yes. If I receive one more email from someone in my social circle which contains usernames and passwords, a PDF with their social security number in it, or a reply to one of our email offers with the customer’s credit card information in the email — all of which are in the clear and ready to be harvested by anyone with access to email or email relay servers around the internet — I’m going to blow a gasket.

Phil Zimmerman is a guy who made a name for himself when he released Pretty Good Privacy (PGP) back in 1991, a technology which he inadvertently released in a Usenet newsgroup (he thought the “U.S.” Usenet designation meant postings weren’t accessible offshore). Turns out the code found its way onto the internet, since all of Usenet was available to anyone, anywhere they were connected. The U.S. Customs Service went after him for allegedly violating the Arms Export Control Act (the U.S. government long considered cryptography a munition) but, after three years, all charges were dropped. I became aware of Zimmerman in the early 1990s because of that and watched what happened to see if this guy would get thrown into federal prison.

But wait…isn’t technology like Silent Circle the National Security Agency’s (NSA) worst nightmare?