Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Archives for February 2016

Apple and FBI

February 25, 2016 By Doug

Ok, Apple vs FBI.

I might as well write about a third rail, but I’ve gotten so many questions about what’s going on that it’s simpler to chime in.

Let me begin by saying that I’ve worked with a lot of law enforcement professionals over the years, and have the highest respect for their integrity and professionalism. They have a tough job, and take their duty to stand between us and the bad guys very seriously. I do not remotely condemn them for making the request of Apple – in their role, with their charter, I’d probably do the same thing. Likewise, Apple is acting on their own good character – this is not a marketing stunt as some have suggested; I believe it’s an honest, principled position.

That’s not a cop-out; this is simply one of those times when people of good conscience and character disagree. Balancing security, privacy and liberty is very hard in the digital age.

A couple of things to start: First, Apple is not being asked to break their encryption. They’re being asked to create a special version of iOS that bypasses the protections against brute force attacks, so the FBI can break the encryption the hard way – by trying every PIN until it unlocks. Right now, iOS has an escalating timeout on wrong passwords – after 9 it locks for an hour, and after 10, it wipes the phone (assuming that feature is turned on). It’s those two features that they’re being asked to bypass (and to allow electronic passcode testing instead of tapping with fingers, but that’s less impactful). A version of iOS that does that would have to be digitally signed (validated as real) by Apple in order to be loaded on a device. Once that code is created, it’s about 2 minutes’ work to enable it to be loaded on different devices, or on any device at all. This is not a universal back door – it removes the barriers that protect the door against someone battering it down, which is still a significant reduction in security.

As an aside, it’s unfortunate that the county that issued the phone failed to install basic MDM (mobile device management) software, which could have unlocked it remotely. That’s a best practice. It’s also unfortunate that this is an option at all – Apple allows loading of new iOS versions on locked devices without wiping memory. I see reports today that they’re working on closing that gap, so this whole thing may be a moot point going forward.

But let’s set that aside – this was always going to come to a head.

We can also set aside some wilder speculation: ABC reports a rather esoteric means to extract the data directly from the chips. I’ve seen some commentary that the chips could be removed intact, the memory read out using the standard pinouts, loaded onto a separate machine, and brute forced external to iOS (I’m far removed from my soldering iron days, so I don’t know if that’s possible). If that capability existed, it would probably be highly protected. Conspiracy theories abound that the suit is a smokescreen to protect such a capability by unnamed three-letter agencies. Let’s leave that for the movie plots.

So the net is that Apple can do what’s being asked, though at a significant cost (they’d have to pull engineers off their commercial development activities), and at significant risk – both of precedent, and of the software leaking. The question is: should they do it?

I believe that such a question needs to be decided through the legislative process, with full public debate, by Congress.  Not by individual states, and especially not by the judiciary.  Apple is doing us all a service by forcing that debate to happen.


Filed Under: Security

Adblock-blocking done right – almost

February 22, 2016 By Doug

While there are good security reasons to block ads, I’ll be honest and admit that I detest advertising – particularly intrusive, annoying animated ads on websites. That’s why you’ll never see an ad here, and why I run adblockers. Traditional ads (newspapers, television, etc.) were one thing – I could ignore them, and remain anonymous. Mail ads suck because they take up space in my tiny USPS-issued mailbox. But online ads are another beast, filled with trackers, cookies, and all too often offensive ads, or even malware.

There’s a recent trend of sites blocking visitors who use adblockers. That’s perfectly fine – it’s their business, and I don’t begrudge them making money. Some sites have an ad-only revenue model and have taken a hard line, Forbes among them. I simply don’t visit that site anymore.

Others, like the Wall Street Journal, have a subscription+advertising model, and live behind a paywall.  I don’t try to get behind those paywalls because that’s their chosen business model.  I don’t subscribe, but if I did, I’d block the ads – and if they started blocking adblockers, I’d cancel my subscription.

A few months ago Wired.com started displaying graphics related to adblocking.  Something about doing a ‘solid’, but I never could figure out what solid they wanted: Sphere? Cone? Cube?

Eventually they posted a more straightforward note: They’re going to block adblocking customers, but are providing an alternative: $1/week for an ad- and tracking-free experience.

That’s the right way to do adblocker blocking: Have compelling content worth paying for, and price it relatively cheap.  Now, I suspect they don’t make $1/week/visitor on ads, but it’s not too bad, and their content is worth it.

So I signed up – they converted a non-revenue customer into a revenue one, by letting me get the good stuff without all the junk.

Well done Wired!

[edited – not quite well done] They almost had it right. It seems that the temptation to track is too strong. Even the subscription version still has social media, Adobe and Chartbeat trackers, among others. Very disappointed that they’re not providing a clean option – and now I have to think about whether to keep subscribing – because even if I block those cookies, they can capture my activity on the back end. How hard is it to just simply let us subscribe without any – and I mean any – tracking, monitoring, or spying on what we do? Let me be your customer, not your product!

Filed Under: Security

United’s New Security Questions

February 18, 2016 By Doug

When I logged into United’s site to check in for a flight this week, I discovered that they’ve changed their user security approach. There’s been some chatter on flyertalk, twitter, and a couple of other places about the changes, and I thought I’d chime in.

First, let’s take a look at what United’s trying to protect. Obviously, they want to avoid mischief with cancelled reservations, fake reservations and other annoyances. They’re also working to protect user identity information – they’re right up there with doctors and financial institutions in holding PII. From passport numbers to Global Entry and/or TSA redress numbers, it’s all information that we want held in confidence. Obviously they deal with credit card numbers and are subject to PCI-DSS requirements. Even the travel information itself is sensitive – if a corporate officer is consistently traveling to a competitor’s headquarters, that’s valuable insider information about a pending merger. They also hold in trust billions of air miles worth hundreds of millions of dollars – essentially a virtual currency. And that’s probably one of their crown jewels.

Major airlines have some unique challenges in their user base. They have to support access worldwide – which makes two-factor authentication very difficult (SMS and phones don’t work reliably overseas). They have a large population that doesn’t speak English (for United, particularly in Asia and Latin America). And they have a mobile user population who (contrary to good practice) probably use untrusted devices on a regular basis. Airlines need to have pretty good security, and it appears United is trying to up their game.

The first change is the elimination of the PIN as a login option, a long-overdue and essential change. Good for them.

Now on to the security questions. These have a mixed reputation in the security community, and can often degrade security rather than improve it. The strongest option (in potential) is to let the user enter both the question and the answer, but that only works if you provide good questions and good answers. Unfortunately, users are generally terrible at doing that.

So most typical security questions are prescriptive – you’re either given the questions, or allowed to choose them from a short list of common ones. Once that’s done, in most implementations you’re allowed to enter free-form text as a response.

And that’s where the problems start. With social media, the majority of ‘security question’ answers can be easily discovered – the celebrity breaches over the past few years all resulted from that kind of attack. In those cases, I always recommend that folks, well, lie – pick random words (Diceware is excellent for that), and record those fake answers in a secure repository (like 1Password, as notes in the login entry), with appropriate backups in a secure location.

In most cases, the worst option is a prescriptive question with restricted answers. So a question like ‘When is your parent’s wedding anniversary?’ and a system that requires a valid date is terrible. By forcing a real date with a restricted range, the site leads users to enter real information, and a date that’s likely on social media. Terrible design.

My initial reaction to United’s system was not very complimentary – but it’s mandatory, and I have to fly, so I did it (using false answers, at least). Now, after I did my account, my wife did hers – and received a different set of questions. Interesting. So I asked around, and sure enough, it looks like there’s a fairly large population of questions available. Something’s going on here.

So let’s look at the questions themselves. They’re fairly odd. While some of the answers may be on social media, not all of them will be. There’s also a fairly large number of pre-selected answers – much larger than in most prescribed systems I’ve seen, and many answers you would normally expect are missing. Something’s definitely up.

What I think is going on here is that United is doing some pretty serious math behind the scenes. Multiple questions, each with a large number of answers, add up to a decent amount of entropy (a measure of security strength) – not as much as a robust password, but far more than most security questions. I haven’t been through the re-authentication process with the questions yet, but if they only ask for a subset, that’d be more information pointing in that direction.

Now why would United choose this system? Well, let’s look at a couple of ways people use and access their accounts. Aside from their own trusted machines, the most common, and the dumbest way possible, is using a public kiosk in a hotel, business center, rental car hub or similar location. I’ve told folks for years to never, ever use one of those – miss your flight first. Most are infected with malware and keyloggers designed to capture credentials, steal information, and then infect your own machine if you’re careless enough to use a thumb drive in both. If a machine’s in public, assume it’s compromised – using one is the digital equivalent of visiting a kissing booth in a mononucleosis ward at a hospital.

[Image caption: Using a public computer is like kissing a mononucleosis patient.]

But even though my wife’s horse stall is cleaner than a machine in a hotel business center, every trip I see someone logging in and printing boarding passes. Want to bet that’s a major threat vector for the airlines?

So what happens if someone has a momentary mental lapse and uses United’s new system from an infected kiosk? It’ll grab the password – no way around that. But because the answers aren’t typed on the keyboard, it’s much harder to capture the security questions. I suppose malware could evolve to scrape the screen, but that’s much harder to do – and even if it did, if United only presents a subset of the questions, the account is unlikely to be completely compromised.

The other use case for those answers is phone transactions. Right now, if you want to redeem miles over the phone, you have to provide a PIN. So that means the call center representative now has a PIN that can log in to my account. Don’t get me wrong – I think United has amazing people (they work in a tough situation, but the new CEO is improving that). But any organization is going to have some bad eggs get through the screening process. From a security standpoint, again, the most they can capture is a subset of the answers, so the account is still secure.
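A worked version of the entropy argument above, covering both the kiosk and the call-center cases: this is an added example, not part of the original post, and the question counts, answer-list sizes and password lengths are assumed for illustration rather than taken from United.

```python
import math
from math import comb


def question_bits(num_choices: int) -> float:
    """Entropy of one prescribed question with a fixed answer list.

    Upper bound: assumes every listed answer is equally likely. Real
    answers are skewed (and some are on social media), so the true
    figure is lower.
    """
    return math.log2(num_choices)


def challenge_bits(num_choices: int, asked: int, captured: int = 0) -> float:
    """Bits left to guess in one challenge of `asked` questions, in the
    worst case where every answer the attacker captured (screen-scraping
    malware on a kiosk, a call-center rep) is among those asked."""
    return max(asked - captured, 0) * question_bits(num_choices)


def full_compromise_probability(enrolled: int, asked: int, captured: int) -> float:
    """Probability that a challenge drawing `asked` questions uniformly at
    random from `enrolled` asks only questions whose answers were captured."""
    if captured < asked:
        return 0.0
    return comb(captured, asked) / comb(enrolled, asked)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Assumed parameters (not United's real numbers): 5 enrolled questions,
    # 12 listed answers each, 3 asked per challenge.
    enrolled, choices, asked = 5, 12, 3
    print(f"4-digit PIN:            {password_bits(4, 10):5.1f} bits")
    print(f"one challenge (3 of 5): {challenge_bits(choices, asked):5.1f} bits")
    print(f"random 8-char password: {password_bits(8, 62):5.1f} bits")
    for captured in range(enrolled + 1):
        p = full_compromise_probability(enrolled, asked, captured)
        print(f"attacker holds {captured} of {enrolled} answers: worst case "
              f"{challenge_bits(choices, asked, captured):4.1f} bits left, "
              f"P(challenge fully known) = {p:.2f}")
```

With these assumed numbers a single challenge is worth roughly 10.8 bits, under a 4-digit PIN's 13.3, and an attacker holding three of the five answers still only sees a fully known challenge one time in ten.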

A colleague recently pointed out something I hadn’t considered: some folks use profanity or vulgarity in free-form answers, so this protects the call center reps from having to deal with that. Many years ago I built a marketing system for a large restaurant chain based on delivery records. You wouldn’t believe what I saw entered into the ‘comments’ field. Comcast has had recent problems in this area too, so it’s an additional benefit.

I do have some open questions:

  • Do they really only ask a subset of questions?
  • How do they deal with indicators of compromise (consistently getting one or two questions right, but others consistently wrong)?
  • How do you gain access back if you’ve forgotten all the questions?
  • Do they treat untrusted computers differently?
  • Do they have a threat feed that monitors known compromised machines (probably via IP addresses) and denies them access completely?

Not to feed conspiracy theories, but I did wonder if they’d had an incident that triggered this change. I don’t think so: United would have had to disclose a breach, so it looks like this is just an upgrade. If we continue to see additional features in this area, it’s probably a broad strategy to improve their security posture.

United gets a lot of grief these days. Some is deserved – I’d like to see them install the slim-line seats in their board room and executive suites, and their operations folks need to add slack back into the system for when things go wrong. Some isn’t – the customer facing people I’ve dealt with will do their best to make things right when something goes wrong. They’ve just been working in a really tough operational environment.

So which category do these changes fall in? My first, off-the-cuff reaction wasn’t promising. Yet, after a deeper look, the system appears subtly robust. It’s clearly designed to be unobtrusive, and if what I’ve outlined above is correct, it’s about as secure a ‘security question’ solution as I’ve seen. It’s far better than most – mother’s maiden name? Last four of SSN? Please.

So kudos to United, for working to make the skies both more friendly and more secure.

Filed Under: Security Tagged With: passwords, public computers, security questions, united airlines

