Tuesday, April 15, 2014

Is That Little Black Box on Your Desk Bleeding Your Confidential Data?

Every so often, a vulnerability is found which turns the information security industry upside down, in both a positive and a negative sense. The recent OpenSSL vulnerability is no exception. Having surfaced a short time ago, it sent social media into a spin; websites and toolsets that explain, dissect and help exploit the vulnerability have popped up everywhere, as have theories that governments may have been using this vulnerability since as early as 2011.

Heartbleed, so aptly named because it is the Heartbeat functionality in OpenSSL that “bleeds” sensitive information, has launched itself into the limelight, raising concerns amongst professionals, business people and the general public alike.

One avenue that has not, however, received much attention (although it has been mentioned before) is how many “embedded” and/or “appliance” devices are running the vulnerable version of OpenSSL. These usually have much longer and more fragmented patch cycles than commercial web servers and operating systems, especially when firmware is only obtainable from the manufacturer.

We conducted research into an avenue that is not often mentioned as a risk for the Heartbleed vulnerability – ADSL/DSL users. Using legitimate and non-intrusive means of identifying hosts with the Heartbleed vulnerability, we ascertained that there are many such devices, falling into the following categories:

Network-Attached Storage Devices (multiple brands)
Routers/UTM Devices (multiple brands)
CCTV Camera NVRs (multiple brands)
Small-Business Firewalls (multiple brands)
Voice-Over-IP (VoIP) Devices (multiple brands)

(it was not in the scope of this article to name the manufacturers of these devices)

The devices above are not merely estimated to be online and vulnerable – they are online, and they are vulnerable. This raises much concern around the data exposed to would-be attackers trying to compromise these systems.

Keep in mind that the Heartbleed vulnerability allows one to obtain pieces of memory from the SSL process that may contain usernames, passwords and authentication cookies. In our internal lab experiments, we found this to be easily obtainable in almost 90% of the tests done.
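To make the defect concrete, here is an added example (not code from the original post or from the OpenSSL project) of the bounds check that patched OpenSSL applies to an incoming heartbeat message, written as a stand-alone classifier that a monitoring tool could run over captured TLS records. The record layout follows RFC 6520; the sample records are constructed inline.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> str:
    """Classify one TLS record as seen on the wire.

    Returns "not-heartbeat", "malformed", "suspicious" (the declared payload
    length exceeds what the record actually carries: the Heartbleed pattern)
    or "ok".
    """
    if len(record) < 5:
        return "malformed"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (1, 2):          # 1 = request, 2 = response
        return "malformed"
    # The check unpatched OpenSSL omitted: the declared payload length must
    # fit inside the record together with the 3-byte header and the padding.
    # Without it, the responder copies payload_len bytes out of its own memory.
    if 1 + 2 + payload_len + HB_MIN_PADDING > rec_len:
        return "suspicious"
    return "ok"


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Construct a heartbeat request record (test data, not captured traffic)."""
    body = struct.pack("!BH", 1, declared_len) + payload + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples: a benign request, and one whose declared length far
# exceeds the four bytes it actually carries.
BENIGN = build_heartbeat(b"ping", declared_len=4)
OVERSIZED = build_heartbeat(b"ping", declared_len=0xFFFF)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, check_heartbeat_record(rec))
```

The same comparison is what a network sensor can use to flag heartbeat requests whose declared length does not match the record, which is the only observable difference between a normal heartbeat and a memory-disclosure attempt.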

It is a disquieting thought, not only that so many devices holding sensitive data (even entire hard disks!) are exposed to the Internet, but also that these devices are now vulnerable – most without even new firmware on their manufacturers’ websites.

Embedded and appliance-like devices may be the answer for out-of-the-box and affordable solutions for many services, but in the case of this article one has to ask: is your Internet-connected appliance bleeding your confidential data?


Tuesday, April 1, 2014

The iPhone on trial

Recent local events have dramatically highlighted security issues among users of the iPhone. There have been reports of high-tech equipment used to recover data and crack phone encryption – as well as obtaining login details of websites used to manage the phone – and these have raised concerns that personal data is simply not safe.

So how much can someone who has your phone and / or the right tools learn about you?

A common question among Apple users is whether the phone manufacturer pre-installs ‘backdoors’ or some kind of ‘hidden access’ into the handset to be used to gather information for law enforcement.

To answer that, we need to consider what security the iPhone has, and why it has it. When Apple designed the phone’s built-in security (locking, securing data etc.), they did so under the premise that the user requires his/her data protected in the event of loss or theft. Apple would not operate under the impression that its users would need to hide something from law enforcement, or not have their phone used as evidence in a court of law. Regardless, Apple has used high levels of encryption on the iPhone, improving it with each new version of its operating system (iOS).

Various experts in the industry (such as Charlie Miller) have often reiterated that they do not believe Apple actually keeps your passcode on its servers. Apple itself states the same thing.

Whether or not this is true, we don’t know for sure. But it appears, given the time and effort required by law enforcement officials (even in other countries) to crack encryption on an iPhone, that they are not working with a passcode simply handed to them by Apple.

The fancy tools available to extract data from iPhones rely on well-known exploits, default configurations or other entry points into the phone. Some can try to brute-force passcodes on the phone using methods that do not trigger the built-in protection, or that are designed to cope with it. Law enforcement officials also rely on simple user mistakes or inexperience to gain access. How many people use their birthday as their iPhone PIN? Or use 1234 or 1111 because it’s easy to type in?

Encryption

With regards to data encryption on the iPhone, keep in mind that not all data is encrypted. Due in part to the access required by certain applications, it can be deduced that some photos, for instance, are not encrypted. Chat programs such as WhatsApp can also implement their own encryption – in which case Apple may have no insight into how this data is protected, nor who has the keys used for decryption.

Could Touch ID, a fingerprint recognition feature devised by Apple, solve these issues? Probably not. Touch ID adds convenience but not necessarily extra cryptographic strength. Remember that you still need to enter a PIN code to enable Touch ID, and therefore it’s highly likely the iPhone is still using the PIN code as part of the key generation for encryption – much like iPhones without Touch ID.

Apple would not have relied solely on a fingerprint to generate encryption keys because if the print stops working, access to data is lost. Besides, users can simply enter their PIN to bypass the Touch ID requirement. Keep in mind, this is not a failure on Apple’s part since they do not sell Touch ID as an upgrade to your phone’s encryption capabilities.

Solution

Should we be worried then? Yes and no. Apple has put a lot of work and research into iOS and the iPhone itself. Compared to other operating systems, iOS also maintains a relatively good security posture, with few critical security flaws.

However, there will always be a way around something, and given enough time and resources someone will find vulnerabilities, a flaw, or an “undocumented feature”.

Switching to Android, BlackberryOS or Windows will not make you any more secure against law enforcement officials, or highly skilled malicious users.

There are, however, some steps you can take to make it more difficult for someone to get at your data:


  1. Set a random, strong PIN. Avoid duplicate digits and sequences, and definitely avoid anything personal such as your postal code, birthday etc.
  2. Set your iPhone to auto-lock after a reasonably short time. If it is stolen or ends up in unwanted hands, you want it to be locked before it can be accessed.
  3. Activate the Find My iPhone feature on the device. Not only is this useful to know where it is if you lose it, but you can also request the device to wipe itself remotely. Remember, however, that the phone keeps track of where you’ve been, and this information can be retrieved from the device with the right tools.
  4. If your phone is lost or stolen, or in the hands of a malicious person, immediately change any e-mail, Facebook and other passwords on the applicable websites. That way, no further updates can make their way to the phone.
  5. Finally, as a general rule, if you don’t want something to ever be used against you, don’t say it via text or e-mail. That applies not only to anything related to the law but also to general life circumstances. Remember, you can’t take back what you typed.

By Dimitri Fousekis, Security Analyst / Team Lead, Telspace Systems