Wednesday, May 18, 2016

Technology betrays everyone

Kelly Jackson Higgins has a story about how I hacked her 10 years ago, by sniffing her email password via WiFi and displaying it on screen. It wasn't her fault -- it was technology's fault. Sooner or later, it will betray you.

The same thing happened to me at CanSecWest around the year 2001, for pretty much exactly the same reasons. I think it was HD Moore who sniffed my email password. The thing is, I'm an expert who writes tools that sniff these passwords, so it wasn't like I was an innocent party here. Instead, simply opening my laptop with Outlook running in the background was enough for it to automatically connect to WiFi, then connect to a POP3 server across the Internet. I thought I was in control of the evil technology -- but this incident proved I wasn't.

By 2006, though, major email services were supporting email wholly across SSL, so that this would no longer happen -- in theory. In practice, they still left the old non-encrypted ports open. Users could secure themselves if they tried hard, but most weren't secured.

Today, in 2016, the situation is much better. If you use Yahoo! Mail or GMail, you don't even have the option to not encrypt -- even if you wanted to. Unfortunately, many people are using old services that haven't upgraded, like EarthLink or Network Solutions. These were popular services during the dot-com era 20 years ago, but haven't evolved since. They spend enough to keep the lights on, but not enough to keep up with the times. Indeed, EarthLink doesn't allow encryption at all, even if you want it, as an earlier story this year showed.

My presentation in 2006 wasn't about email passwords, but about all the other junk that leaks private information. Specifically, I discussed WiFi MAC addresses, and how they can be used to track mobile devices. Only in the last couple of years have mobile phone vendors done something to change this. The latest version of iOS 9 will now randomize the MAC address, so that "they" can no longer easily track you by it.

The point of this post is this. If you are thinking "surely my tech won't harm me in stupid ways", you are wrong. It will. Even if it says on the box "100% secure", it's not secure. Indeed, those who promise the most often deliver the least. Even those at the forefront of innovation (Apple, Google, and Facebook) must be treated with a healthy dose of skepticism.

So what's the answer? Paranoia and knowledge. First, never put too much faith in the tech. It's not enough, for example, for encryption to be an option -- you want encryption enforced so that unencrypted is not an option. Second, learn how things work. Learn why SSL works the way it does, why it's POP3S and not POP3, and why "certificate warnings" are a thing. The more important security is to you, the more conservative your paranoia and the more extensive your knowledge should become.
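As an added illustration of "encryption enforced, not optional" (this is example code, not the author's), the client below will only ever talk POP3S on port 995 with a verified certificate, refuses to run with a context that disables certificate or hostname checks (the misconfiguration behind most "certificate warnings"), and has no plaintext port-110 fallback at all. The hostname and credentials are placeholders.

```python
import poplib
import ssl

POP3S_PORT = 995  # never poplib.POP3 on 110: that is the plaintext path that leaked the password


def hardened_context() -> ssl.SSLContext:
    """Context a mail client should use: chain + hostname verified, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """The pattern that betrays users: traffic is encrypted, but any server can impersonate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings that make a TLS context unsafe for fetching mail; [] means OK."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS older than 1.2 accepted")
    return findings


def fetch_mailbox_stats(host: str, user: str, password: str, ctx: ssl.SSLContext = None):
    """Log in over POP3S only and return (message_count, mailbox_bytes).

    Refuses to send credentials if the context would skip verification.
    """
    ctx = ctx or hardened_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to send credentials: " + "; ".join(problems))
    conn = poplib.POP3_SSL(host, POP3S_PORT, timeout=10, context=ctx)
    try:
        conn.user(user)
        conn.pass_(password)
        return conn.stat()
    finally:
        conn.quit()
```

Run against a real provider, `fetch_mailbox_stats("pop.example.invalid", "user", "secret")` either completes over verified TLS or raises; there is no code path that sends the password in the clear.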


Appendix: Early this year, the EFF (Electronic Frontier Foundation) had a chart of various chat applications and their features (end-to-end, open-source, etc.). On one hand, it was good information. On the other hand, it was bad, in that it still wasn't enough for the non-knowledgeable to make a good decision. They could easily pick a chat app that had all the right features (green check-marks across the board), but still be one that could easily be defeated.

Likewise, recommendations to use "Tor" are perilous. Tor is indeed a good thing, but if you blindly trust it without understanding it, it will quickly betray you. If your adversary is the secret police of your country cracking down on dissidents, then you need to learn a lot more about how Tor works before you can trust it.


Notes: I'm sorta required to write this post, since I can't let it go unremarked that the same thing happened to me -- even though I know better.





2 comments:

Allen D. (aka: MultiMode) said...

Even with modern email encryption, technology still betrays us.

Many mobile applications fail to verify the server's certificate, allowing seamless man-in-the-middle interception of data that even an informed user would assume was safely encrypted.

Qx said...

It frustrates the hell out of me when I go to set up an account on some site and their password "requirements" are piss poor. Like they have a short maximum length or they don't support special characters. There's only so much you can do even when you know what is out there and best practices. I just had to set a password for a work-related benefit, someone that has my SSN and all my medical information aaaaand no special characters and 12 character max length. Of course, all these betrayals are really the result of decisions made by the people we trust to protect our information. Poor implementations, misconfiguration, and security as a second or third thought to implementing the latest features. Technology is morally neutral; people betray us.