Sunday, April 21, 2019

Programming languages infosec professionals should learn

Code is an essential skill of the infosec professional, but there are so many languages to choose from. What language should you learn? As a heavy coder, I thought I'd answer that question, or at least give some perspective.

The tl;dr is JavaScript. Whatever other language you learn, you'll also need to learn JavaScript. It's the language of browsers, Word macros, JSON, NodeJS server side, scripting on the command-line, and Electron apps. You'll also need to a bit of bash and/or PowerShell scripting skills, SQL for database queries, and regex for extracting data from text files. Other languages are important as well, Python is very popular for example. Actively avoid C++ and PHP as they are obsolete.

Was it a Chinese spy or confused tourist?

Politico has an article from a former spy analyzing whether the "spy" they caught at Mar-a-lago (Trump's Florida vacation spot) was actually a "spy". I thought I'd add to it from a technical perspective about her malware, USB drives, phones, cash, and so on.

The part that has gotten the most press is that she had a USB drive with evil malware. We've belittled the Secret Service agents who infected themselves, and we've used this as the most important reason to suspect she was a spy.

But it's nonsense.

It could be something significant, but we can't know that based on the details that have been reported. What the Secret Service reported was that it "started installing software". That's a symptom of a USB device installing drivers, not malware. Common USB devices, such as WiFi adapters, Bluetooth adapters, microSD readers, and 2FA keys look identical to flash drives, and when inserted into a computer, cause Windows to install drivers.

Visual "installing files" is not a symptom of malware. When malware does its job right, there are no symptoms. It installs invisibly in the background. Thats the entire point of malware, that you don't know it's there. It's not to say there would be no visible evidence. A popular way of hacking desktops with USB drives is by emulating a keyboard/mouse that quickly types commands, which will cause some visual artifacts on the screen. It's just that "installing files" does not lend itself to malware as being the most likely explanation.

That it was "malware" instead of something normal is just the standard trope that anything unexplained is proof of hackers/viruses. We have no evidence it was actually malware, and the evidence we do have suggests something other than malware.

Lots of travelers carry wads of cash. I carry ten $100 bills with me, hidden in my luggage, for emergencies. I've been caught before when the credit card company fraud detection triggers in a foreign country leaving me with nothing. It's very distressing, hence cash.

The Politico story mentioned the "spy" also has a U.S. bank account, and thus cash wasn't needed. Well, I carry that cash, too, for domestic travel. It's just not for international travel. In any case, the U.S. may have been just one stop on a multi-country itinerary. I've taken several "round the world" trips where I've just flown one direction, such as east, before getting back home. $8k is in the range of cash that such travelers carry.

The same is true of phones and SIMs. Different countries have different frequencies and technologies. In the past, I've traveled with as many as three phones (US, Japan, Europe). It's gotten better with modern 4G phones, where my iPhone Xs should work everywhere. (Though it's likely going to diverge again with 5G, as the U.S. goes on a different path from the rest of the world.)

The same is true with SIMs. In the past, you pretty much needed a different SIM for each country. Arrival in the airport meant going to the kiosk to get a SIM for $10. At the end of a long itinerary, I'd arrive home with several SIMs. These days, however, with so many "MVNOs", such as Google Fi, this is radically less necessary. However, the fact that the latest high-end phones all support dual-SIMs proves it's still an issue.

Thus, the evidence so far is that of a normal traveler. If these SIMs/phones are indeed because of spying, we would need additional evidence. A quick analysis of the accounts associated with the SIMs and the of the contents of the phones should tells us if she's a traveler or spy.

Normal travelers may be concerned about hidden cameras. There's this story from about Korean hotels filming guests, and this other one about AirBNB problems.

Again we are missing salient details. In the old days, such detectors were analog devices, because secret spy cameras were analog. These days, new equipment is almost always WiFi based. You'd detect more running software on your laptop looking for MAC addresses of camera makers than you would with those older analog devices. Or, there are tricks that look for glinting light off lenses.

Thus, the "hidden camera detector" sounds to me more like a paranoid traveler than a spy.

One of the frequently discussed things is her English language skills. As the Politico story above, her "constant lies" can be explained by difficulties speaking English. In other stories, the agents claim that she both understood and spoke English well.

Both can be true. The ability to speak foreign languages isn't binary, on or off. I speak French and German in this middle skill level. In some cases, I can hold a conversation with apparent fluency, while in other cases I'm at a complete loss.

One issue is how understanding different speakers varies wildly. I can understand French news broadcasts with little difficulty, with nearly 100% comprehension. On the other hand, watching non-news French TV, like sitcoms, my comprehension goes to near 0%. The same is true of individuals, I many understand nearly everything one person says while understanding nearly nothing another person says.

99% comprehension is still far from 100%. I frequently understand large sections except for one essential key word. Like listening to French news, I understand everything the news story about some event that happened in that country, but I missed the country's name at the start. Yes, I know there were storms, mudslides, floods, 100,000 without power, 300 deaths -- I just haven't a clue where in the world that happened.

Diplomats around the world recognize this. They often speak English well, use English daily, and yet in formal functions they still use translators, because there's always a little bit they won't understand.

Thus, we know any claim by the Secret Service that her language skills were adequate are false.

So in conclusion, we don't see evidence pointing to a spy. Instead, we see a careful curation of evidence by the secret service and reporters to push the spying story. We haven't seen any reporter question what other USB devices can cause software to load other than malware. She may be a spy, of course, but so far, there's no evidence of anything other than a confused/crazy tourist.

Thursday, April 11, 2019

Assange indicted for breaking a password

In today's news, after 9 years holed up in the Ecuadorian embassy, Julian Assange has finally been arrested. The US DoJ accuses Assange for trying to break a password. I thought I'd write up a technical explainer what this means.

Tuesday, March 12, 2019

Some notes on the Raspberry Pi

I keep seeing this article in my timeline today about the Raspberry Pi. I thought I'd write up some notes about it.

The Raspberry Pi costs $35 for the board, but to achieve a fully functional system, you'll need to add a power supply, storage, and heatsink, which ends up costing around $70 for the full system. At that price range, there are lots of alternatives. For example, you can get a fully function $99 Windows x86 PC, that's just as small and consumes less electrical power.

There are a ton of Raspberry Pi competitors, often cheaper with better hardware, such as a Odroid-C2, Rock64, Nano Pi, Orange Pi, and so on. There are also a bunch of "Android TV boxes" running roughly the same hardware for cheaper prices, that you can wipe and reinstall Linux on. You can also acquire Android phones for $40.

However, while "better" technically, the alternatives all suffer from the fact that the Raspberry Pi is better supported -- vastly better supported. The ecosystem of ARM products focuses on getting Android to work, and does poorly at getting generic Linux working. The Raspberry Pi has the worst, most out-of-date hardware, of any of its competitors, but I'm not sure I can wholly recommend any competitor, as they simply don't have the level of support the Raspberry Pi does.

The defining feature of the Raspberry Pi isn't that it's a small/cheap computer, but that it's a computer with a bunch of GPIO pins. When you look at the board, it doesn't just have the recognizable HDMI, Ethernet, and USB connectors, but also has 40 raw pins strung out across the top of the board. There's also a couple extra connectors for cameras.

The concept wasn't simply that of a generic computer, but a maker device, for robot servos, temperature and weather measurements, cameras for a telescope, controlling christmas light displays, and so on.

I think this is underemphasized in the above story. The reason it finds use in the factories is because they have the same sorts of needs for controlling things that maker kids do. A lot of industrial needs can be satisfied by a teenager buying $50 of hardware off Adafruit and writing a few Python scripts.

On the other hand, support for industrial uses is nearly non-existant. The reason commercial products cost $1000 is because somebody will answer your phone call, unlike the teenager whose currently out at the movies with their friends. However, with more and more people having experience with the Raspberry Pi, presumably you'll be able to hire generic consultants soon that can maintain these juryrigged solutions.

One thing that's interesting is how much that 40 pin GPIO interface has become a standard. There are a ton of competing devices that support that same standard, even with Intel x86 Windows computers. The Raspberry Pi foundation has three boards that support this standard, the RPi Zero, the Model A, and the Model B. Competitors have both smaller, more efficient boards to choose from, as well as larger, more powerful boards. But as I said, nothing is as well supported as Raspberry Pi boards themselves.

Raspberry Pi class machines are overpowered for a lot of maker projects. There are competing systems, like the Arduino, ESP32, and Micro:Bit. As a hacker, I love the ESP32 class devices. They come with a full WiFi stack and can be placed anywhere.

If you are buying a Raspberry Pi, I recommend Adafruit. Not only do they have the devices cheap ($35), they'll have a lot of support for maker hardware that you may want to add to the device.

After buying the board, you have to choose the accessories to get it working.

Your first choice will be a power supply. You'll be tempted to use the USB chargers and cables you have lying around the house, and it'll appear to work at first, but will cause CPU throttling problems and file corruption. You need to get either the $8 "official" power supply, or one of those fast charging devices, like those from Anker. Remember that it's not just a matter of the power supply providing enough current/amps, but also cables with 20 AWG wires that can handle the current.

Your next choice will be the flash drive for booting the computer. One choice is micro SD cards. You should choose cards with the "A1" rating, which are faster at random file access. Most other microSD cards are optimized for large sequential transfers, and are painfully slow at random accesses. If you write a lot of data to the device, you may need to get a card rated for "endurance" instead -- micro SD cards wear out quickly.

Or, you may consider a real SSD connected to the USB port. You can get a $20 120-gig SSD and a $8 USB-to-SATA adapter. This will perform much faster, and not have the data corruption issues that micro SD cards have. You need an independent power supply for the drive, as it can't be powered wholly from the USB port.

Your next decision will be a heatsink. The Raspberry Pi generates a lot of heat at full load. People assume ARM is efficient, but it's not, and the Broadcom ARM CPU used by the RPi is very bad. Unless you have a heatsink, instead of running at 1.4-GHz, it'll spend most of it's time throttled back to 600-MHz. Because of their size, your choice of heatsink and fan depends upon your choice of case. There are some nice aluminum cases that act as a heatsink. You can also get combo kits on for $15 that include the case, heatsink, and fan together.

If looking at a competing device (e.g. Odroid-C2, Rock64), get one that supports eMMC. It's much faster and more reliable than micro SD cards. For home server applications, its worth getting a lesser supported platform in order to get eMMC. It makes a huge difference. I stopped using Raspberry Pi's for home server applications and went with Odroid-C2 machines instead, mostly because of the eMMC, but also because they have more RAM and faster Ethernet. I may switch to the Rock64 device in the future because of its support for USB 3.0. I have one on-order, but it's taking (so far) more than a month to arrive.

As for the ARM ecosystem, there seems to be a lot of misunderstanding about "power efficiency". People keep claiming they are more efficient. They aren't. They consume less power by being slower. Scaled to the same performance, ARM CPUs use the same amount of power as Intel CPUs. Now that ARM has more powerful CPUs close to Intel in speed, and Intel now has their low speed "Atom" processors, we see that indeed they have roughly the same efficiency. The Raspberry Pi's Broadcom CPU is extremely inefficient. It uses the decade old 40nm manufacturing process, which means it consumes a lot of power. Intel's latest Atom processors built on 22nm or 14nm technology consume a lot less power. There are things that impact efficiency, but the least important of which is whether it's ARM or Intel x86, or RISC vs. CISC.

For hackers, there's a lot you can do with a Raspberry Pi (or competitor). We are surrounded by things that we can hack. For example, you can use it to hack the CEC feature of HDMI to control your TV. You can attach a cheap RTL-SDR device and monitor radio frequencies. You can connect it to the CAN bus of your car. You can connect it to your ZigBee devices in your home and control your lights. If there's a wire or radio wave around you, it's something you can start hacking with the RPi.


A feel the above article does the subject a disservice. It's less "industrial IoT" and more "crossover between maker culture and industry".

Every geek should get a Raspberry Pi and play with it, even if it's only as simple as a Owncloud/Nextcloud backup server sitting in a closet. Don't skimp on the power supply, as people who do get frustrated, you need a charger rated for at least 2.4 amps and a charging cable with thicker 20 AWG wires. If going the micro SD route, choose "A1" or "endurance" rated cards. Consider going a USB SSD route instead.

Saturday, March 09, 2019

A quick lesson in confirmation bias

In my experience, hacking investigations are driven by ignorance and confirmation bias. We regularly see things we cannot explain. We respond by coming up with a story where our pet theory explains it. Since there is no alternative explanation, this then becomes evidence of our theory, where this otherwise inexplicable thing becomes proof.

Monday, February 25, 2019

A basic question about TCP

So on Twitter, somebody asked this question:
I have a very basic computer networking question: when sending a TCP packet, is the packet ACK'ed at every node in the route between the sender and the recipient, or just by the final recipient?
This isn't just a basic question, it is the basic question, the defining aspect of TCP/IP that makes the Internet different from the telephone network that predated it.

Friday, February 08, 2019

How Bezo's dick pics might've been exposed

In the news, the National Enquirer has extorted Amazon CEO Jeff Bezos by threatening to publish the sext-messages/dick-pics he sent to his mistress. How did the National Enquirer get them? There are rumors that maybe Trump's government agents or the "deep state" were involved in this sordid mess. The more likely explanation is that it was a simple hack. Teenage hackers regularly do such hacks -- they aren't hard.

This post is a description of how such hacks might've been done.

Monday, January 28, 2019

Passwords in a file

My dad is on some sort of committee for his local home owners association. He asked about saving all the passwords in a file stored on Microsoft's cloud OneDrive, along with policy/procedures for the association. I assumed he called because I'm an internationally recognized cyberexpert. Or maybe he just wanted to chat with me*. Anyway, I thought I'd write up a response.

The most important rule of cybersecurity is that it depends upon the risks/costs. That means if what you want to do is write down the procedures for operating a garden pump, including the passwords, then that's fine. This is because there's not much danger of hackers exploiting this. On the other hand, if the question is passwords for the association's bank account, then DON'T DO THIS. Such passwords should never be online. Instead, write them down and store the pieces of paper in a secure place.

OneDrive is secure, as much as anything is. The problem is that people aren't secure. There's probably one member of the home owner's association who is constantly infecting themselves with viruses or falling victim to scams. This is the person who you are giving OneDrive access to. This is fine for the meaningless passwords, but very much not fine for bank accounts.

OneDrive also has some useful backup features. Thus, when one of your members infects themselves with ransomware, which will encrypt all the OneDrive's contents, you can retrieve the old versions of the documents. I highly recommend groups like the home owner's association use OneDrive. I use it as part of my Office 365 subscription for $99/year.

Just don't do this for banking passwords. In fact, not only should you not store such a password online, you should strongly consider getting "two factor authentication" setup for the account. This is a system where you need an additional hardware device/token in addition to a password (in some cases, your phone can be used as the additional device). This may not work if multiple people need to access a common account, but then, you should have multiple passwords, for each individual, in such cases. Your bank should have descriptions of how to set this up. If your bank doesn't offer two factor authentication for its websites, then you really need to switch banks.

For individuals, write your passwords down on paper. For elderly parents, write down a copy and give it to your kids. It should go without saying: store that paper in a safe place, ideally a safe, not a post-it note glued to your monitor. Again, this is for your important passwords, like for bank accounts and e-mail. For your Spotify or Pandora accounts (music services), then security really doesn't matter.

Lastly, the way hackers most often break into things like bank accounts is because people use the same password everywhere. When one site gets hacked, those passwords are then used to hack accounts on other websites. Thus, for important accounts, don't reuse passwords, make them unique for just that account. Since you can't remember unique passwords for every account, write them down.

You can check if your password has been hacked this way by checking and entering your email address. Entering my dad's email address, I find that his accounts at Adobe, LinkedIn, and Disqus has been discovered by hackers (due to hacks of those websites) and published. I sure hope whatever these passwords were that they are not the same or similar to his passwords for GMail or his bank account.

* the lame joke at the top was my dad's, so don't blame me :-)