Monday, 17 September 2012


U.S. president Barack Obama has been called upon to issue an executive order to improve the nation's computer and website security practices. Senate Intelligence Chairwoman Dianne Feinstein of California wrote an open letter to the president that expressed concerns over cybersecurity legislation efforts, predicting that effective legislation is not likely to pass within the next year.

"Therefore, I believe the time has come for you to use your full authority to protect the U.S. economy and the networks we depend on from future cyber attack," Feinstein wrote. "While an Executive Order cannot convey protection from liability that private sector companies may face, your administration can issue cybersecurity standards and provide technical assistance to companies willing to take voluntary steps to improve their security. You can also direct the Intelligence Community and the Department of Homeland Security to provide as much information as possible to the private sector about cyber threats, including classified information."

A recent article from The New American pointed out this isn't the only time the Obama administration has been called to action. Senator Jay Rockefeller of West Virginia wrote a similar letter to the president earlier this month. White House representatives said that the administration considered issuing an executive order after the Cybersecurity Act of 2012 failed to pass in the Senate.

Although the U.S. government has made several attempts to pass legislation enhancing communication between the private and public sector, those efforts have come under heavy criticism from security experts. According to a CIO blog post written earlier this month, experts said previous cybersecurity bills did not address core issues.

The article highlighted comments from Jason Lewis, chief scientist at Lookingglass Cyber Solutions, who said the problem with the bill was accountability. Voluntary guidelines such as those outlined by CISPA are not enough to protect critical infrastructure, according to Lewis. An effective cybersecurity solution would be painful for everyone, legislators and businesses included.

"If the law stated that companies involved in security incidents had to shut down their business until they could prove they had addressed the issues, the number of breaches would be low and the level of security across all sectors would improve dramatically," Lewis said.

Lewis added that organizations responsible for managing critical infrastructure would need help upgrading their technology infrastructures and implementing best-practice solutions. Making improvements to these systems without hindering operations can be costly, but the first step would be to hold organizations accountable for security.


Tuesday, 4 September 2012

New Ways to Force Browsers to be Safe

HTTPS is old (it was devised in 1994 by Netscape for Navigator), but it has always been seen as optional for most sites. That is changing, as the number of real-world abuses of users on the web increases. Using HTTPS makes safe browsing much easier. Two developments in web technology make it easier to use HTTPS more often. One is a client-side technology, the other a new server-client standard.

Many sites support HTTPS but don't default to it. In order to help users invoke HTTPS on the site, the EFF (Electronic Frontier Foundation) and the Tor Project created HTTPS Everywhere, a Firefox add-on which reviews all HTTP requests from the browser to sites on a whitelist and changes them to appropriate HTTPS requests. HTTPS Everywhere maintains rules for over 1000 sites on the whitelist.

There are some downsides to HTTPS Everywhere, starting with the fact that it only works with Firefox. Other browsers, such as Google Chrome, don't support the features (mainly request rewriting) that HTTPS Everywhere needs. This may change in the future. The other problem with the HTTPS Everywhere approach is that the maintainers of it need to keep up with the zillions of sites on the Internet as opposed to having a generic solution.

HSTS (HTTP Strict Transport Security) goes at the problem in a different way. It is a standard through which web sites can tell clients (mainly browsers) that they will only support HTTPS communications.
If a client makes an HTTP request and HSTS is enabled on the server, the server responds with a special header 'Strict-Transport-Security' and a 'max-age' parameter specifying the number of seconds during which the client may only reconnect over HTTPS. While the initial HTTP request is unprotected, the client should know to use only secure communications thereafter.
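To make the max-age rule concrete, here is an added example (my code, not from this post or from any browser) of the client-side bookkeeping HSTS implies: a small Python cache that records a Strict-Transport-Security header and upgrades later http:// URLs for that host until max-age expires, honouring includeSubDomains and max-age=0. One caveat the paragraph glosses over: RFC 6797 has clients ignore the header on a plain-HTTP response, so a real server sends it on the HTTPS response after redirecting, and the code enforces that. The hostnames are constructed.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# max-age directive of a Strict-Transport-Security header (RFC 6797 syntax)
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


class HstsCache:
    """In-memory HSTS store: host -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._hosts = {}

    def observe(self, host, header, over_https):
        """Record an STS header from a response of `host`; returns True if applied.

        RFC 6797 requires the client to ignore the header unless the response
        came over HTTPS, so the unprotected first request never installs a policy.
        """
        if not over_https or not header:
            return False
        m = _MAX_AGE.search(header)
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:                          # max-age=0 means "forget me"
            self._hosts.pop(host.lower(), None)
            return True
        subs = re.search(r'\bincludeSubDomains\b', header, re.IGNORECASE) is not None
        self._hosts[host.lower()] = (self._now() + max_age, subs)
        return True

    def is_known(self, host):
        """True if `host`, or a parent domain with includeSubDomains, has a live entry."""
        labels = host.lower().split('.')
        for i in range(len(labels)):
            entry = self._hosts.get('.'.join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; port 80 becomes the default 443."""
        p = urlsplit(url)
        if p.scheme != 'http' or not self.is_known(p.hostname or ''):
            return url
        netloc = p.hostname if p.port in (None, 80) else f'{p.hostname}:{p.port}'
        return urlunsplit(('https', netloc, p.path, p.query, p.fragment))
```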

HSTS has been supported in Google Chrome and Firefox since version 4 of each browser. Many web sites, including PayPal and a number of Google subdomains, support it.

In the long run, standards like HSTS are a better solution than hacks like HTTPS Everywhere. Currently Internet Explorer has no support for either and I see no indication that Microsoft plans to support them (or that the EFF is interested in supporting Internet Explorer for that matter).


Lessons Learnt From FinFisher Mobile Spyware

FinFisher, a controversial spyware toolkit being used by oppressive regimes to track activists, can also take over smartphones, researchers revealed on Wednesday.

Earlier this year, Bahraini activists sent U.S.-based researchers samples of computer spyware that was being delivered through spoofed emails. When downloaded onto Windows systems, the spyware would record Skype calls, copy emails, take screenshots, capture keystrokes, and send the data to remote servers (command and control centers, or C&C). So far, with the help of Rapid7, C&Cs have been found in 15 countries across five continents, including the United States, Australia, Singapore, and Bahrain. In most cases it's unclear if the governments of these countries are manning the servers or if they're just intermediaries.

The researchers, led by Citizen Lab, identified the spyware as part of the FinFisher toolkit sold by UK-based Gamma International. Gamma markets the products as software to help governments and law enforcement agencies capture criminals, but advocates say it is being used by oppressive governments to clamp down on activists without criminal records. 

"You're Carrying a Potential Wire Tap"
Shortly after Bloomberg broke the story about the PC version of Finfisher, samples of Gamma's mobile spyware, called FinSpy Mobile, were sent to researchers.

FinSpy Mobile has even more functionality: it monitors calls, texts, WhatsApp messages, and emails, captures keystrokes, steals contact lists, turns on the device microphone to record ambient sounds, and tracks owners by GPS. Citizen Lab posted a pretty thorough overview of how the Trojan works on iPhones, Androids, BlackBerries, Windows Mobiles, and Symbian devices. 

Like the PC variant, FinSpy Mobile requires some sort of human interaction to infect devices. Although Citizen Lab hasn't confirmed seeing actual delivery methods, most likely they are being distributed through Trojanized, legitimate-looking apps attached to text messages and emails. 

Bill Marczak, a computer science doctoral candidate at the University of California Berkeley who has been co-leading the research into Finfisher, is more worried about the mobile than the PC spyware. 

"What scares me more is the possibility of mobile phone Trojans," Marczak told Security Watch. "Sure I've got my computer in my room, but my mobile phone follows me everywhere I go. It always knows my location, it has my contacts, email addresses, texts, Whatsapp conversations. It has a mic," he said. "You carry your phone everywhere and don’t even realize you're carrying a potential wire tap."

The Takeaway For You and Me
For now, FinSpy Mobile isn't your everyday consumer security concern, as it only appears to be used in highly targeted attacks on activists living in oppressive regimes.

In a blog post on Thursday, ESET researcher Cameron Camp wrote that Finfisher hasn't been seen in large-scale industrial attacks, but rather in limited, highly targeted attacks. "Obviously, if your company is doing business in the Middle East you are already on high alert for attacks of this type," he wrote. Bigger-picture repercussions, like the potential spread of FinSpy Mobile to the masses, or who Gamma International should be allowed to sell its products to, are another discussion altogether.

That said, the research does present some useful lessons for consumers. 

The first one is dead obvious for most security-conscious smartphone owners: don't install apps from untrusted sources.

Will installing an antivirus app help? Sort of. According to Marczak, "As we saw with respect to the desktop version of Finfisher, antivirus alone isn't enough, as it bypassed antivirus scans." By now most leading antivirus providers have updated their signatures to include FinSpy, but that wouldn't have helped you, say, last week. 

That's why Marczak advises taking a few additional precautions:
  1. Don't click on unknown links or download attachments if you aren't confident in the sender.
  2. Don't give your device to untrusted people who might secretly install the malware on your device.
  3. For the same reason, password-protect your phone.
  4. Keep your OSes and apps patched (yes, that's a problem for Android).
  5. For Android owners, activate the built-in encryption, which requires a password to decrypt every time you turn on your device.
Encrypted communication protocols are a good idea, but Marczak said they wouldn't protect you from this type of threat, since Finfisher infects devices before an encrypted call or text even leaves the device. "Skype likes to talk about how it encrypts communications, but Finspy intercepts calls before they even go out," he said.