Category Archives: Security Theater

A praise of Folly – Security Theater and the OSI layers 8 and above

Early in February 2018 I was happy to give a speech at FOSDEM, in Brussels. They booked me after Howard Chu and right before the closing keynote – awesome, and there were a few thousand geeks in the audience – I guess that was the largest crowd I ever spoke to.

And I told them about “A praise of Folly: Security Theater – The mostly unknown OSI Layer 8 and above” – see References. Here’s my ongoing collection.

Here’s the video

The Normalization of Deviance

Reality update: Normalization of Deviance – Flight Safety Foundation … :

“The LOSA Collaborative and an Airbus study show that the industry’s average stabilized approach rate is about 96 to 97 percent. … If you are at the top of the industry in this regard, your unstabilized approach rate may be as low as about 1.5 percent, which is even more remarkable. … The studies show that somewhere between 1.5 and 3 percent of [crews flying] unstabilized approaches do the right thing and execute a go-around.”

Biometry. Mockery and Security Theatre from the start.

#sigh. Use fingerprints as passwords, they said, you have ten of them. And you leave them everywhere. And so many of the sheep did, because they trusted.

Major breach found in biometrics system used by banks, UK police and defence firms | Technology | The Guardian

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

One year from the Tokyo 2020 Olympics, they still have no clue about Fukushima. But it gets worse.

Radioactive Glass Beads May Tell the Terrible Tale of How the Fukushima Meltdown Unfolded – Scientific American … :

The beads are “the only direct evidence of the debris remaining inside the reactor. That’s the only clue,”

“It was initially thought all the radioactive cesium released in the Fukushima plumes was in a water-soluble form, and would disperse more or less evenly throughout the environment. But when aerosol specialist Yasuhito Igarashi, then of the University of Tsukuba, and his colleagues examined an air filter from the Meteorological Research Institute in Tsukuba, 170 kilometers southwest of Fukushima, they noticed the filter contained radioactive hotspots. Using specialized imaging techniques they detected high concentrations of radioactive cesium as well as bits of iron and zinc, packed into particles just a couple of microns in diameter (about the size of the average Escherichia coli bacterium).

Although less radioactive cesium fell on Tokyo than closer to the plant, a bigger proportion of the total was packed into the microparticles, the team’s findings suggest. However, publication of the full study describing those findings, initially slated for 2017 in Scientific Reports, was postponed after researchers with the Tokyo Metropolitan Industrial Technology Research Institute (TIRI)—which had provided an air filter sample to one of the study’s authors—objected to the study over the sample’s use by the other co-authors. A 2017 investigation by several institutions in Japan found no evidence of wrongdoing by the co-authors—and “there’s never, in any of the discussion, been concern about our scientific results,” says Ewing, the Stanford nuclear materials expert who is also a study co-author.

… Honi soit qui mal y pense …

Researchers say a picture of the unusual beads is coming into focus against a backdrop of the Japanese public’s general nuclear wariness, and the government’s desire to put the Fukushima incident behind it—particularly with Tokyo poised to host the 2020 Olympics. “I think, unfortunately, the reaction to this discovery [of the beads] has been not very welcomed in Japan,” says Rod Ewing, a mineralogist and nuclear materials expert who co-directs the Center for International Security and Cooperation at Stanford University.

Oh Really? Who would have thought that…?

Oh what a bad week for *APPLE & MAC* Security …

Reality update: Apple hacker Patrick Wardle: A Mac is easy to hack – SPIEGEL ONLINE … :

Wardle has always been bothered by “this mentality that Macs are secure, practically unhackable”. Apple itself had presented it that way, and because for a long time there was only little Mac-specific malware, users believed it. Some, in his view, still do today. He wants to do away with this myth, because times have changed.

I couldn’t agree more. Fun fact: I can’t find any US or other English news on that? Am I blind? Feel free to tweet or mail them to me. Isn’t it bitter – he says Windows 10 (sic!) is safer than Apple iOS today. Wow. That’s blasphemy.

Here’s Wardle’s website: Objective-See … :

Mac Malware Warning: this page contains malware & adware! By downloading malware from this site, you waive all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.

Bonus Addon:

Apple: US aviation authority bans MacBook Pro on aircraft | ZEIT ONLINE

For fear of fires, four more airlines had already banned carrying certain MacBook Pro models at the beginning of the week. According to media reports, airlines of the TUI Group Airlines, Thomas Cook Airlines, Air Italy and Air Transat are currently said to prohibit carrying the laptops both in carry-on and in checked baggage.

Oh what a bad week for *WINDOWS* Security …

Reality update – Tavis Ormandy on Twitter:

I’m publishing some research today, a major design flaw in Windows that’s existed for almost *two decades*. I wrote a blog post on the story of the discovery all the way through to exploitation. https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html …

His blog post is here and very well worth a read, although it’s long and horrifying: Project Zero: Down the Rabbit-Hole… … :

The obvious attack is an unprivileged user injecting commands into an Administrator’s console session, or reading passwords as users log in. Even sandboxed AppContainer processes can perform the same attack. Another interesting attack is taking control of the UAC consent dialog, which runs as NT AUTHORITY\SYSTEM. An unprivileged standard user can cause consent.exe to spawn using the “runas” verb with ShellExecute(), then simply become SYSTEM.

After Spectre and Meltdown, … there’s SWAPGS

Bitdefender SWAPGS Attack Mitigations Solution … :

Bitdefender researchers have identified and demonstrated a new side-channel attack. The attack builds on previous research which led to the Spectre and Meltdown attacks. This newly disclosed attack bypasses all known mitigation mechanisms implemented in response to Spectre and Meltdown. Bitdefender Hypervisor Introspection renders Windows systems impervious to this new attack. The SWAPGS Attack affects newer Intel CPUs that use speculative execution.

Randomly stalling 20 % of autonomous cars is enough… to stall cities.

Hackers Could Use Connected Cars to Gridlock Whole Cities | Research Horizons | Georgia Tech’s Research News … :

“Randomly stalling 20 percent of cars during rush hour would mean total traffic freeze. At 20 percent, the city has been broken up into small islands, where you may be able to inch around a few blocks, but no one would be able to move across town,” said David Yanni, a graduate research assistant in Yunker’s lab.

Biblis 1988 – Germany’s near-Chernobyl.

“We were incredibly lucky” For almost a year they kept – DER SPIEGEL 50/1988

The reckless manoeuvre by the reactor crew at Biblis, one of the most serious incidents in the history of West German nuclear power plants, reveals once again how close to the abyss of a major nuclear catastrophe the West German nuclear plants, too, are operating.

(…)

So the operating crew at Biblis got away with a scare – but at one stroke the entire safety philosophy of nuclear engineering was thrown into disarray as well. For precisely this kind of incident had always been described by designers, operators and their scientific helpers as extremely unlikely, and consequently been assigned to the acceptable residual risk.

(…)

That the incident nevertheless came to light is something West Germans owe solely to the research of a few staff members of the American trade journal “Nucleonics Week”. Soberly but precisely, they revealed that the reactor operators at Biblis had risked exactly the kind of leak of which the major reactor safety study, drawn up as early as 1975 by the US nuclear authority NRC (Nuclear Regulatory Commission), said that the affected system could “fail due to the overpressure”, “which would trigger a core meltdown and the release of radioactivity outside the containment”. At the same time, the journal reported the astonishment of NRC experts at the lax handling of the incident by the German authorities. “If it had happened at a US plant,” said one NRC inspector, “we would without doubt have had an inspection team on site within hours.” The plant would certainly “have remained shut down for a long time”.

(…)

Seamlessly, just as if the Chernobyl catastrophe and the Hanau nuclear scandal had never happened, the lords of nuclear power and their overseers in the ministries thus continued the tradition of “systemic concealment” (“Süddeutsche Zeitung”) that has always been characteristic of the West German nuclear industry.

(…)

And the operator RWE was always at pains not to let too much of it reach the public. Critics speak of “deliberate withholding of information”.

(…)

That precisely this unavoidable attitude of the personnel in nuclear facilities renders all safety philosophies fundamentally untenable also tormented the leading Soviet expert on reactor safety, Valerij Legassow.

“There grew up,” he wrote in his memoirs, “a generation of engineers who mastered their work professionally, but who behaved uncritically towards the apparatus and the safety systems.”

That is why, Legassow confessed after the Chernobyl catastrophe, “the worm of doubt tormented me, because from my perspective as a specialist it seemed to me that something new had to be undertaken, that one had to step aside and do things differently”.

That he did not succeed in this in time is something he apparently could not get over. Legassow, “Prawda” tersely reported in April of this year, had “departed this life”. He had hanged himself.


Legassow, wasn’t there something about him just recently:

EvilGnome… Desktop malware for Linux. Finally. Or…?

Intezer – EvilGnome: Rare Malware Spying on Desktop Users … :

Consequently, the Linux malware ecosystem is plagued by financially driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers. This explains our surprise when in the beginning of July, we discovered a new, fully undetected Linux backdoor implant, containing rarely seen functionalities with regards to Linux malware, targeting desktop users.

Highlights from Facebook’s Libra Senate hearing | TechCrunch

Disgusting.

Perhaps the most worrying moment of the hearing was when Senator Sinema brought up TechCrunch’s article citing that “The real risk of Libra is crooked developers.” There I wrote that Facebook’s VP of product Kevin Weil told me that “There are no plans for the Libra Association to take a role in actively vetting [developers],” which I believe leaves the door open to a crypto Cambridge Analytica situation where shady developers steal users money, not just their data.

https://techcrunch.com/2019/07/16/libra-in-messenger-whatsapp/?guccounter=1

No! Yes! Oooh! Office 365 violates European data protection law!

Reality update: Data protection commissioner: use of Microsoft Office 365 in schools is not permissible | heise online … :

Microsoft Office 365 in its default configuration may currently not be used in schools because of problems for users’ privacy. This is the conclusion reached by the Hessian data protection commissioner Michael Ronellenfitsch, because personal data of children and teachers would be stored in the cloud. Even if the associated servers were located in Europe, the information would be “exposed to possible access by US authorities”.

Online Censorship Is Coming–Here’s How to Stop It | Linux Journal

https://www.linuxjournal.com/content/online-censorship-coming-heres-how-stop-it

That’s important, because the concerns and beliefs of that “novel alliance” are closely aligned with those of the Free Software community. The new-found interest in hitherto obscure aspects of the online world and its software are an opportunity for the Open Source world to increase awareness of what it does, and to garner support for its activities. The potential for spreading the word is huge: over five million people signed an EU petition against upload filters, and 200,000 took to the streets to protest. Where new digital rights initiatives are set up to harness the recent mobilization of “digital natives”, free software coders can help people understand that open source is a key part of the solution to the problems they seek to address.

Switch your PGP keyserver, upload your key, this is important.

Reality update: massive attacks on PGP keyservers, a gazillion old and untrusted keys. Sorry, folks, but the web of trust didn’t work, not with that infrastructure. Here’s what you might want to do, and what might help:

Go to keys.openpgp.org and upload and confirm your key(s) – I took the liberty to highlight the important facts…:

Launching a new keyserver!

From a community effort by Enigmail, OpenKeychain, and Sequoia PGP, we are pleased to announce the launch of the new public OpenPGP keyserver keys.openpgp.org!

Hurray!

Give me the short story!

Fast and reliable. No wait times, no downtimes, no inconsistencies.
Precise. Searches return only a single key, which allows for easy key discovery.
Validating. Identities are only published with consent, while non-identity information is freely distributed.
Deletable. Users can delete personal information with a simple e-mail confirmation.
Built on Rust, powered by Sequoia PGP – free and open source, running AGPLv3.
Get started right now by uploading your key!
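To make the “validating” and “old and untrusted keys” points concrete, here is an added example (not code from the keys.openpgp.org project or from the original post): a parser for the machine-readable HKP index that a keyserver returns for `op=index&options=mr`, with a check that skips revoked, expired and identity-less results before import. It assumes the server speaks the standard HKP `info:`/`pub:`/`uid:` format; the server response embedded below is constructed and its fingerprints are fake.

```python
"""Parse a machine-readable HKP index (op=index&options=mr) and triage the results.

Line formats:
    info:<version>:<count>
    pub:<fingerprint>:<algo>:<bits>:<created>:<expires>:<flags>
    uid:<url-escaped uid>:<created>:<expires>:<flags>
Flags: r = revoked, d = disabled, e = expired.  A pub line with no uid lines is
how a consent-based server like keys.openpgp.org serves an unconfirmed identity.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample response; fingerprints and addresses are made up.
SAMPLE = """info:1:3
pub:0123456789ABCDEF0123456789ABCDEF01234567:1:4096:1483228800::
uid:Alice%20Example%20%3Calice%40example.org%3E:1483228800::
pub:89ABCDEF0123456789ABCDEF0123456789ABCDEF:22:256:1262304000:1293840000:e
uid:Old%20Key%20%3Cold%40example.org%3E:1262304000::
pub:FEDCBA9876543210FEDCBA9876543210FEDCBA98:1:2048:1546300800::
"""


@dataclass
class Key:
    fingerprint: str
    created: int
    expires: Optional[int]
    flags: str
    uids: List[str] = field(default_factory=list)


def parse_index(text: str) -> List[Key]:
    """Group each pub line with the uid lines that follow it."""
    keys: List[Key] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            _, fpr, _algo, _bits, created, expires, flags = fields[:7]
            keys.append(Key(fpr.upper(), int(created), int(expires) if expires else None, flags))
        elif fields[0] == "uid" and keys:
            keys[-1].uids.append(unquote(fields[1]))  # uid strings are URL-escaped
    return keys


def usable(key: Key, now: int) -> Tuple[bool, str]:
    """Decide whether a result is worth importing, and if not, why."""
    if "r" in key.flags:
        return False, "revoked"
    if "e" in key.flags or (key.expires is not None and key.expires <= now):
        return False, "expired"
    if not key.uids:
        return False, "no published identity (owner has not confirmed an address)"
    return True, "ok"
```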