23 Nov 2015 – Week ind Security
Editors Note: It has been one week since the Paris attacks which swiftly dominated the news for the entirety of the week. During these times of turmoil I usually ask my kid to explain to me the significance of this to the past. It’s important to understand the past to understand exactly why things are happening and what they mean to the greater significance of life. I say this because I saw something disturbing yesterday. Dianne Feinstein, who I do admire, said on Face the Nation:
FEINSTEIN: I can say this. Director Comey and I think John Brennan would agree that the Achilles' heel in the Internet is encryption, because there are now -- it's a black Web and there's no way of piercing it. And it's even in commercial products. PlayStation, John, which our kids use, if the two ends communicate, that's encrypted. So, terrorists could use PlayStation to be able to communicate, and there's nothing that can be done about it.
As you can see she is worried about ‘Encryption’ on the internet and the fact that people can use it to ‘hide’ communications. The obvious answer of course comes later:
DICKERSON: The tech community says if you tried to do something, develop a backdoor that law enforcement could use, that that would open up all kinds of other communication. It would -- financial transactions, other sensitive information would then be at risk if what you're talking about would be put into place. FEINSTEIN: No, I don't think so. I think, with a court order, with good justification, all of that can be prevented. It can be prevented in Europe, because Europe has been a major driver for more encryption. And I think they are now seeing the results.
Unfortunately we have tried this before with encryption and when that was insufficient a few others attempted to implement the clipper chip to try to provide a more structured backdoors. Of course, the problem with Backdooring of Cryptography, and just backdoors in general is that it is all great until the people who you do not want using it, start to use it. I recommend if this is of interest to you, to read this paper.
My opinion? Implementation of such an encryption technology where there could be an escrow or backdoor mechanism would be doomed to potential flaws. We normally do not break crypto algorithms, because that requires a great deal of skill. Instead we break crypto implementations because there are flaws in them. This attack on France will further escalate these conversations.
Of course as you will also see this week sometimes, technology does not die, because in other French news, the Airport systems in france used Windows 3.1, which did support export control ciphers.
On to the news:
Editors Note: Wireshark 2.0.0 is released, it has come along way since Ethereal days. Even though it is riddled with massive security bugs, we all use it because it just works so well.
Editors note: Cindy Murphy of the Madison Police department and most notably the Co-Author of the SANS 585 course, published this great little slide deck on the Windows 8 phone was has been opaque for a quite a bit.
Editors note: Uhh patch now? Seriously however, think about this. This is an authentication bypass in all Windows devices that are not patched up to the latest version. Really, if you read this, its regardless of Windows Bitlocker. You are bypassing authentication pretty trivially in all Windows Domain Joined systems as long as you have physical access and know some really basic information.
Editors note: Alex Stamos gives a level-headed view of Security at Scale within the confines of Facebook. My frame of mind is more like his than most others. Because to give the most security you probably should cover the largest number of people. That is first, but secondly it is probably a good idea that we not be so stringent and fight usability. If it is not usable then no one will want it. We should know this by now…no?
Editors note: This week we feature reverse engineering Apple iOS Stuff. Yay!.