In DPRK, Linux Watches You

He might actually be looking at something here…

A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression.  Case in point – the DPRK’s Red Star Linux distribution.  In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines.  One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data.  The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.

The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.

Watch here…

 

In DPRK, Linux Watches You

more details – microsoft’s deal with the nsa

This article from the Guardian claims that our friends in Redmond are cooperating with the NSA to give the spying agency access to all sorts of cloud based comms and data as part of their 1984-esque PRISM collection program.   The haul includes Skype audio, video, and chat messages, which were until recently thought to be resistant to eavesdropping.

more details – microsoft’s deal with the nsa

in which i dare disagree with security industry luminary bruce schneier

It’s not often that I disagree with Bruce Schneier, one of the leading lights of the security world… however, I do have a teensy weensy bone to pick with him regarding one of his recent blog postings.  A recent test conducted by the Department of Homeland Security on its employees found (to no one’s surprise) that people are prone to pick up unidentified USB drives and pop them into their computers with abandon, providing nefarious personages the ability to infect their systems with malware.  Schneier took issue with the following quote from a security expert regarding the study:

Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: “There’s no device known to mankind that will prevent people from being idiots.”

In Schneier’s view, the idiocy really rests with operating system manufacturers who allow their products to access untrusted USB devices with providing the user with any protection and that the users are simply doing the best that they can under the circumstances.  This is where I disagree.

While OS manufacturers should be doing a better job of securing their products against unknown USB devices, in the current situation users need to exercise extreme caution in what they stick into their computers’ USB ports.  Until we have better tools to mitigate this risk, users have to play an active role in protecting themselves and their organizations from USB borne threats.  There has been a lot of news coverage (and at least at my organization, security awareness training) to let people know about the risks of USB devices of uncertain provenance.  I happen to think that the people in my organization are smart (and good looking) enough to remember a few very basic security messages and behaviors needed to protect our systems and networks:

  • Don’t open links or files from strangers
  • Don’t open unexpected/strange links or files (that seem to be) from friends
  • Don’t take USB candy from strangers

Yes, I know that application of these rules will not provide 100% protection from malware, but following them will definitely mitigate the risks involved, which is really the best we can hope for at this time.

So, Bruce, you are still my hero, but I think we need to hold our colleagues to a slightly higher standard in terms of their role in protecting our computers and networks.

Oh, and as for Mr. Rasch’s “idiot” comment, I think he was a bit rough on users in terms of his choice of language.  I would have said “boneheaded” or “Homer Simpson-like” instead.  This is why I am beloved at my workplace.

in which i dare disagree with security industry luminary bruce schneier

here… have a pill… what’s the worst that could happen?

What's the worst that could happen?

Spear phishing has been in the news quite a bit lately – it seems like just about all of the recent high profile hacks began with someone clicking on a link or opening a document.  Here’s a data point which seems to corroborate the innate sense of trust that leads people to do really stupid things. According to an entry in Bruce Schneier’s blog… in Istanbul, police dressed up as doctors, knocking on doors unannounced, were able to persuade 86% of subjects to take a pill.  And this is after a rash of crimes in which people who are not police did the same thing, using powerful sedatives to disable victims and ransack their homes.  My belief in knowledge of human psychology as the most powerful hacking tool remains strong.  Or maybe there is something in the water in Istanbul…

 

 

They Might Be Giants – Istanbul (Not Constantinople) from They Might Be Giants on Vimeo.

here… have a pill… what’s the worst that could happen?

a post mortem tribute to (less than) mediocrity

He may look like Inspector Clouseau, but... oh, wait...

I love the obituaries in UK newspapers… none of that namby pamby covering up of the dearly departed’s foibles or less than stellar achievements.  This past week, the Telegraph ran a (sort of) tribute to Colonel Albert Bachmann who in the words of the of the obit writer, “had reduced the Swiss military intelligence agency, in which he had mysteriously managed to rise to a senior role, to a state bordering on chaos, not to mention bankruptcy. So catastrophic was his impact that, when he was finally unmasked, many assumed he must be a double agent. He was not.”

Read all about it here…

 

a post mortem tribute to (less than) mediocrity

truecrypt (and good passwords) 1, fbi 0

Daniel Dantas did...

Looks like open source disk encryption software TrueCrypt has shown its mettle in a cybercrime case out of Brazil.   The Brazilian police seized 500 TrueCrypt protected drives from the apartment of Daniel Dantas, a Rio banker accused of financial crimes.  In Brazil, there is no law compelling defendants to reveal passwords to encrypted evidence, so the Brazilian crime lab attempted to break the encryption for five months with no success.  They then turned to the US FBI, who ran dictionary attacks against the encryption for another year.  No joy.  As a result of the banker’s good password practices, the 500 drives with potential evidence were reduced to really ugly paperweights.

While this was a loss for the good guys, it does provide security professionals with some valuable information.  First, choosing a strong (long non dictionary word with special characters, numbers and the like) password is still an integral part of good basic meat and potatos security practice.  Second, if the FBI is unable to crack a TrueCrypt protected drive without the user having chosen a boneheaded password, it seems like the program  is a good and cost effective choice for protecting personal data as well as in small business environments.  The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepeneurial crypto programmer.

truecrypt (and good passwords) 1, fbi 0