The Yahoo! Breach: What it means to you

Steps you should take after the Yahoo! breach.

yahooYesterday, Yahoo! announced that at least 500 million accounts have been breached.  This means that information you gave Yahoo! may be in the hands of hackers, but it could also mean a lot more. The New York Times has an excellent interactive tool today that demonstrates how much of your information may have leaked, not just from Yahoo! but from other breaches.

Not only should people change their Yahoo! passwords, but it is also important for people to review all passwords and information shared with Yahoo!  In particular:

  1. Many people use the same password across multiple accounts.  If you did this, you should change passwords on all systems where that password was used.  When you do, you should see to it that no passwords are shared between two systems.
  2. Hackers are smart.  If you only tweak the same password just a little bit for use on multiple systems, a determined hacker or more likely a determined script may well break into other accounts.  For example, if your Yahoo! password was DogCatY! and your E-Bay Password were DogCatEBay, you should assume the E-Bay account is broken as well.
  3. This means you should keep a secure record of what passwords are used where, for just this sort of eventuality.  By “secure” I mean encrypted and local.  Having two pristine USB keys (one for backup) is ideal, where the contents are encrypted at the application layer.  I also make use of Firefox’s password manager.  That in itself is a risk, because if Firefox is hacked your passwords may be gone as well.
  4. Unfortunately passwords may not be the only information hackers have. Yahoo! has previously made use of so-called “backup security questions”.  Not only is it important to disable those questions, but it is important to first review them to see where else you may have used them.  Security questions are a horrible idea for many reasons: they may reveal private aspects of your life, much of which might be discovered anyway.  Sites like United Airlines recently implemented security questions.  My recommendation: choose random answers and record them in a secure place that is separate from your passwords.
  5. It is possible that hackers may have read any email you received on Yahoo!  In particular, one should review any financial accounts where information is transmitted to Yahoo!
  6. Use of cloud-based storage as a backup for your passwords should be viewed with great suspicion.  There have been a number of such tools that themselves have been found to be vulnerable.
  7. Hackers may have your cell phone number, for those who use SMS as secondary authentication.  While SMS is not secure communication, the chances of it being hacked are relatively low.  The safest practice is not to rely solely on SMS for authentication.  My bank uses both a secret and an SMS message, relying on the tried and true two-factor authentication approach of something you have and something you know.  A better solution is a secret and an app with a secure push notification.  This is what MasterCard has done in Europe.

These suggestions are good for the sort of mass breach that we are seeing with Yahoo!  In addition, one has to be careful with the amount of trust placed in a cell phone.  If the phone is lost, you should assume that hackers will be able to get into it.  Keeping a record of the applications you use, particularly those that have financial or security implications, will help you recover from the loss.

These suggestions are written with the notion that Yahoo! is not going to be the only site that will have had this problem.  Although not to this scale, we’ve seen this sort of thing before, and we will see it again.  I’ll have more to say about this from an industry perspective in a while.

Yahoo picture by Sebastian Bergmann – originally posted to Flickr as Yahoo!, CC BY-SA 2.0

Comey and Adult Conversations About Encryption

What does an adult conversation over encryption look like? To start we need to understand what Mr. Comey is seeking. Then we can talk about the risks.

AP and others are reporting that FBI director James Comey has asked for “an adult conversation about encryption.” As I’ve previously opined, we need just such a dialog between policy makers, the technical community, and the law enforcement community, so that the technical community has a clear understanding of what it is that investigators really want, and policy makers and law enforcement have a clear understanding of the limits of technology.  At the moment, however, it cannot be about give and take.  Just as no one cannot legislate that π = 3, no one can legislate that lawful intercept can be done in a perfectly secure way.  Mr. Comey’s comments do not quite seem to grasp that notion.  At the same time, some in the technical community do not want to give policy makers to even evaluate the risks for themselves.  We have recently seen stories of the government stockpiling malware kits.  This should not be too surprising, given that at the moment there are few alternatives to accomplish their goals (whatever they are).

So where to start?  It would be helpful to have from Mr. Comey and friends a concise statement as to what access they believe they need, and what problem they think they are solving with that access.  Throughout All of This, such a statement has been conspicuous in its absence.  In its place we have seen sweeping assertions about grand bargains involving the Fourth Amendment.  We need to be specific about what the actual demand from the LI community is before we can have those sorts of debates.  Does Mr. Comey want to be able to crack traffic on the wire?  Does he want access to end user devices?  Does he want access to data that has been encrypted in the cloud?  It would be helpful for him to clarify.

Once we have such a statement, the technical community can provide a view as to what the risks of various mechanisms to accomplish policy goals are.  We’ve assuredly been around the block on this a few times.  The law enforcement community will never obtain a perfect solution.  They may not need perfection.  So what’s good enough for them and what is safe enough for the Internet?  How can we implement such a mechanism in a global context?  And how would the mechanism be abused by adversaries?

The devil is assuredly in the details.

Court Order to Apple to Unlock San Bernardino iPhone May Unlock Hackers

A judge’s order that Apple cooperate with federal authorities in the San Bernardino bombing investigation may have serious unintended consequences. There are no easy answers. Once more, a broad dialog is required.

Scales of JusticePreviously I opined about how a dialog should occur between policy makers and the technical community over encryption.  The debate has moved on.  Now, the New York Times reports that federal magistrate judge Sheri Pym has ordered Apple to facilitate access to the iPhone of Syed Rizwan Farook, one of the San Bernardino bombers.  The Electronic Frontier Foundation is joining Apple in fight against the order.

The San Bernardino fight raises both technical and policy questions.

Can Apple retrieve data off the phone?

Apparently not.  According to the order, Apple is required to install an operating system that would allow FBI technicians to make as many password attempts as they can without the device delaying them or otherwise deleting any information.  iPhones have the capability of deleting all personal information after a certain number of authentication failures.

You may ask: why doesn’t the judge just order Apple to create an operating system that doesn’t require a password?  According to Apple,  the password used to access the device is itself a key encrypting key (KEK) that is used to gain access to decrypt the key that itself then decrypts stored information.  Thus, bypassing the password check doesn’t get you any of the data.  Thus, the FBI needs the password.

What Apple can do is install a new operating system without the permission of the owner.  There are good reasons for them to have this ability.  For one, it is possible that a previous installation failed or that the copy of the operating system stored on a phone has been corrupted in some way.  If technicians couldn’t install a new version, then the phone itself would become useless.  This actually happened to me, personally, as it happens.

The FBI can’t build such a version of the operating system on their own.  As is best practice, iPhones validate that all operating systems are properly digitally signed by Apple.  Only Apple has the keys necessary to sign imagines.

With a new version of software on the iPhone 5c, FBI technicians would be able to effect a brute force attack, trying all passwords, until they found the right one.  This won’t be effective on later model iPhones because their hardware slows down queries, as detailed in this blog.

Would such a capability amount to malware?

Kevin S. Bankston, director of New Americas Open Technology Institute has claimed that the court is asking Apple to create malware for  the FBI to use on Mr. Farook’s device.  There’s no single clean definition of malware, but a good test as to whether the O/S the FBI is asking for is in fact malware is this: if this special copy of the O/S leaked from the FBI, could “bad guys” (for some value of “bad guys”) also use the software against the “good guys” (for some value of “good guys”)?  Apple has the ability to write into the O/S a check to determine the serial number of the device.  It would not be possible for bad guys to modify that number without invalidating the signature the phone would check before loading.  Thus, by this definition, the software would not amount to malware.  But I wouldn’t call it goodware, either.

Is a back door capability desirable?

Unfortunately, here there are no easy answers, but trade-offs.  On the one hand, one must agree that the FBI’s investigation is impeded by the lack of access to Mr. Farook’s iPhone, and as other articles show, this case is neither the first, nor will it be the last, of its kind.  As a result, agents may not be able to trace leads to other possible co-conspirators.  A  Berkman Center study claims that law enforcement has sufficient access to metadata to determine those links, and there’s some reason to believe that.  When someone sends an email, email servers between the sender and recipient keep a log that a message was sent from one person to another.  A record of phone calls is kept by the phone company.  But does Apple keep a record of FaceTime calls?  Why would they if it meant a constant administrative burden, not to mention additional liability and embarrassment, when (not if) they suffer a breach?  More to the point, having access to the content on the phone provides investigators clues as to what metadata to look for, based on what applications were installed and used on the phone.

If Apple had the capability to access Mr. Farook’s iPhone, the question would then turn to how it would be overseen.  The rules about how companies  handle customer data vary from one jurisdiction to another.  In Europe, the Data Privacy Directive is quite explicit, for instance.  The rules are looser in the United States.  Many are worried that if U.S. authorities have access to data, so will other countries, such as China or Russia.  Those worries are not unfounded: a technical capability knows nothing of politics.  Businesses fear that if they accede to U.S. demands, they must also accede to others if they wish to sell products and services in those countries.  This means that there’s billions of dollars at stake.  Worse, other countries may demand more intrusive mechanisms.  As bad as that is, and it’s very bad, there is worse.

The Scary Part

If governments start ordering Apple to insert or create malware, what other technology will also come under these rules?  It is plain as day that any rules that apply to Apple iPhones would also apply to Android-based cell phones.  But what about other devices, such as  televisions?  How about  Refrigerators?  Cars?  Home security systems?  Baby monitoring devices?  Children’s Toys?  And this is where it gets really scary.  Apple has one of the most competent security organizations in the world.  They probably understand device protection better than most government clandestine agencies.  The same cannot be said for other device manufacturers.  If governments require these other manufacturers to provide back door access to them, it would be tantamount to handing the keys to all our home to criminals.

To limit this sort of damage, there needs to be a broad consensus as to what sorts of devices governments should be able to access, under what circumstances that access should happen, and how that access will be overseen to avert abuse.  This is not an easy conversation.  That’s the conversation Apple CEO Tim Cook is seeking.  I agree.

Who owns your identity?

“On the Internet, nobody knows you’re a dog.”  Right?  Not if you are known at all.  Those days are gone.  As if to prove the point, one of my favorite web sites is on the wrong side of this issue.  An actress unsuccessfully sued for lost wages for having included her age on their site.  There is a well known axiom in Hollywood that starlets have a half-life, and age is something that is best kept secret.  IMDB countered that what matters is not an actress’ age but her ability to play a certain age.

My point is this: she sued and was unable to have information about her removed.  Is age something that you believe should be private?  I do.  I especially do for people born after 1989 where a birthday and a home city can lead to someone guessing your Social Security Number.

But what about other physical attributes one might consider private?  “He has a mole that you can only see if he’s naked.”  How about illness?  “This actor cannot lift his arm due to a stroke.”  Once the information is out there, there’s no way to get rid of it.   And this in the UK, which is subject to the European Data Privacy Directive.  The situation is considerably bleaker for your personal information in the United States.

Related to this is The Right To Be Forgotten.  In Europe they are considering new rules that say that you have a right to have information about you removed.  This has some American firms in an uproar, arguing that a lack of transparency only increases risk and inefficiency.  But what are the limits?  What about this actress who doesn’t want her age known?  How did her age provide for market efficiency?

Smart Watches and wristbands: who is watching the watches?

Over the last few weeks a number of stories have appeared about new “wearable” technology that has the means to track you and your children.  NBC News has a comparison of several “Smart Watches” that are either on the market or could soon be.  Think Dick Tracy.  Some have phones built in, while others can send and receive email.  These things don’t replace smartphones or other PDAs in general because their screen size is so small.  They’re likely not to have much of an Internet browser for that reason, and they may only support a few simultaneous applications on board.

Still, smart watches may find their own nitch.  For instance, a smart watch can carry an RFID that that could be used to control access to garage doors, or perhaps even your front door.  A smart watch might be ideal for certain types medical monitoring, because of its size.  In all likelihood these devices would have limited storage, and would take advantage of various cloud services.  It’s this point that concerns me.

Any time data about you is stored somewhere, you have to know what others are using it for, and what damage can be done if that data falls into the wrong hands.  And so, now let’s consider some of the examples we discussed above in that light:

  1. Voice communications: as one large vendor recently discovered, anything that can be used as a phone can be used as a bug, to listen into conversations.  Having access to a large aggregations of smart watches through the cloud would provide an entire market for attackers, especially if the information is linked to specific individuals.
  2. Medical monitoring: similarly, if you are using a smart watch or any other device for medical monitoring, consider who else might want to act on that information.  Insurance companies and employers immediately leap to mind, but then perhaps so do pharmaceutical companies who might want to market their wares directly to you.
  3. RFID and location-based services.  There have already been instances of people being tracked electronically and murdered.  Children wearing this or a similar device could be kidnapped if the cloud-based services associated with the device is broken into.

This is what concerns me about Disney’s MagicBand.  Disney makes a strong case that having such a band can actually improve service.  But should their information systems be broken into by a hacker, how much might a deranged estranged parent pay that criminal to find out where the child is?

It is the linkage of various attributes that must be considered.  Add location to a name and all of a sudden, a hacked cloud-based service can really do someone damage.  We give away a lot of this information already with many smartphone applications and other devices we carry.  Before we give away more, perhaps we should stop and think about our privacy in broader terms and what is necessary to protect it.  In Europe, the Data Privacy Directive covers a lot of this ground.  But America and other countries are far behind that level of protection.  Further, every new service on a smart device is going to want to monetize every last bit of data they can get.