* Posts by canthinkofagoodname

14 posts • joined 28 Nov 2018

India releases data-use protocols for its contact-tracing app... after five weeks and 100 million downloads

canthinkofagoodname

Why

From the article:

"Data collected includes the user's name, mobile number, *age, gender, and profession*, as well as which users they have been in contact with, for how long, and where they were." (emphasis added)

I understand the use case for the name / Mob / and the contact variables, but how does knowing their age, gender, and profession assist in contact tracing? My first thought would be maybe something related to behavioral patterns based on those points, but why use patterns when the app itself should tell them exactly where the user has been and for how long?

Americans should have strong privacy-protecting encryption ...that the Feds and cops can break, say senators

canthinkofagoodname

Re: So I watched the Hearing...

I am not sure I agree with you. The system you refer to would be a deliberate weakness which needs to be maintained by vendors (be it key escrow etc), specifically for the government / law enforcement's use.

I think the exploitation route is (marginally) better as the vulnerabilities being exploited will, over time, be discovered and disclosed allowing Apple et alia to patch them. Law Enforcement / the TLA community will need to keep working at it to keep getting access.

To be clear, I am not a fan of the exploit option either; I just think if the government is already hoarding exploits for a variety of reasons, then they would be better off getting broader usage out of that over introducing a systemic weakness to consumer security.

canthinkofagoodname

So I watched the Hearing...

All of it. Do not recommend.

There were a variety of questions, some repeated but reframed, but for the most part the theme was two brick walls talking at each other. The Senators had laser focus on "kiddie porn is still a thing, you aren't doing enough, why don't you have a (procedural) solution?", whereas the tech rep for Apple's position was "We can't see any (practical) solution to give law enforcement access without weakening encryption for all". The rep for Facebook didn't really have much to add on the subject of encryption at rest (the main focus of the hearing) as FB doesn't manufacture phones.

It boils down to competing priorities, and it's incredibly frustrating to listen to. Apple et alia don't think the cost to end user security is worth weakening encryption for law enforcement access (fair), and the Senators are framing it as an issue of principle, being protection of children (also fair, although a little dishonest in this context).

There were some interesting points raised though; Vance pointed out that most law enforcement agencies / departments don't have the funding to pay for 0-days and custom tools to break into these devices, which I think is probably something that the Senate and Congress can do something about. Namely, funding and resourcing as a start. As for the custom tools to get access, bulk expensive yes, but there are also a handful of TLA Agencies on that side of the pond who have teams of people dedicated to developing exploits (thank you Snowden et alia for bringing that stuff to light); are we expected to believe that it is impossible for law enforcement and the intel community to leverage their resources between them? Is that really less reasonable than expecting tech companies to compromise the security of their customers?

Beyond that, same shit different day; Senators and other non-tech types don't understand the subject matter (with the exception of Mr Lee for this hearing), round and round and round and round and round and round....

Adjacent but related thoughts:

- A lawman who openly claims to not be a technologist but insists that claims that there is no practical solution to accommodate law enforcement without weakening security for all are false (para 7 of the opening statement in his written testimony) should be viewed with skepticism

- Same lawman repeatedly asserting that Apple had keys to decrypt stuff before iOS 8, even after the Apple rep clarified 4 or more times that there was never any unlocking (data provided by Apple under warrant at that time was not encrypted) indicates lack of basic comprehension skills (yelled at my computer and called the dude a fucking neanderthal at one point)

- And again repeatedly framing the release of iOS 8 as an effort to undermine law enforcement / government at large.

- Prof. Matt Tait asserting that a legislative solution is possible without outlining what those solutions would be is irritating; I would love to hear what these possible solutions are, else how are we all going to look at them and see if they are genuinely useful??? Having said that, I think he's right on the subject of E2E encryption for data in transit (but again, how to implement).

- Senator Whitehouse (approx 1hr15m mark) inferring that companies like Apple introducing full disk encryption etc are somehow morally liable for the harm caused to victims of child abuse is fucking outrageous, and I am baffled that no-one at the hearing had anything to say about that - the parallels to vicarious liability in other industries like automotive, alcohol and firearms are pretty obvious, would have thought at least some of the R's in the room would have said something

- Hearing briefly diverting to "Facebook blah blah data blah blah" is annoying. The points raised are correct, but not relevant to the hearing; waste of time.

- Sen. Mike Lee was by far the voice of reason in the hearing. His first round of questioning was good, but he requested a second round and I think he really delivered there (2hr12m50s to the end of the hearing). Worth a watch if you have the time.

I think the only other point was made firstly by Sen. Graham, but by others too, and that's the "Find a solution off your own back, or we'll do it for you". With respect to the Senator, I think the Senate and Congress would have as much success doing that as legislating that the sun won't rise on Tuesdays. Unless they can legislate business priorities and consumer concerns under the same power, and guarantee that any process implemented will not be abused by the US government, or indeed any government / malicious actor (re: IG FISA report to see why that's bullshit), they are really toothless in this space.

Anyway, just my 2 cents.

Any finger will do? Samsung Galaxy S10 with a screen protector reportedly easy to fool

canthinkofagoodname
Thumb Up

What's the match-score threshold?

Most fingerprint scanners (capacitive, optical etc.) still operate on match scoring based on the fingerprint and stored match points from initial enrollment of the users print. Maybe Ultra-sonic scanning uses a different comparison method, but if not it sounds like the score threshold was too low, or the initial enrollment allowed for a data set small enough that more than one print could successfully authenticate.

Either way, bravo to Mrs Neilson for the find :)

Google sounds the alarm over Android flaw being exploited in the wild, possibly by NSO

canthinkofagoodname

Regression - just a thought / observation

I recall reading about a vulnerability in iOS 12.4 a couple of weeks ago (jailbreak/rooting vuln) which came about due to regression (patch code introduced in 12.3 was inadvertently removed). Two occurrences is hardly a trend, I get that, but I would be curious to see if a trend develops from this...

Main thing I am focused on here is regression = LPE to root / other privileged account vulnerability, with POC / Exploit available soon after, if not before, disclosure. I would be curious to see how often this happens, and if it's purely coincidence that the regressions have resulted in very similar weaknesses being introduced or exposed.

I don't think a CWE entry exists for Security Regressions; maybe one should be created so we can track this sort of stuff (or if one exists and someone knows of it, please correct me).

*Microsoft taps your shoulder* Hi sorry yeah, we're still suing US govt for right to tell people when they are spied on

canthinkofagoodname

Re: Classic misdirection and virtue signalling

That may be the case, but if the desired outcome for everyone involved is protection of their data and privacy from overly-broad access and disclosure requests from Government, does Redmond's motivation matter?

MIT boffins turn black up to 11 with carbon nanotubes that absorb 99.995% of light

canthinkofagoodname

...Blackest Material Yet...

(in the voice of Nathan Explosion)

Brutal

From pen-test to penitentiary: Infosec duo cuffed after physically breaking into courthouse during IT security assessment

canthinkofagoodname

More info required

Pen-testers usually have a solid understanding of their scope before starting an engagement, and won't stray beyond it unless there is a formal change of scope, or permission in writing (anything to CYA). SwiftOnSecurity said it well; this doesn't sound like over-eagerness on the pen-testers part.

Guess we'll see what the courts have to say; hope these guys don't get a criminal record out of this...

Swiss electronic voting system like... wait for it, wait for it... Swiss cheese: Hole found amid public source code audit

canthinkofagoodname

Potentially unpopular opinion

Does voting actually need to be electronic?

Admittedly, not something I have given a whole lot of thought, so feel free to tear this to shreds, but I don't fully get the need for voting to be electronic (operative word here being "need").

Will it enable speedy vote counts, reduce paper waste, all that guff? Sure. But in the context of "[insert foreign nation here] is meddling with our election", why would you want to move to a solution that would, in some way, be more susceptible to remote manipulation?

I get that manual counting has its flaws, and people can be compromised just like systems, but I am thinking that in the case of voting maybe staying with an analogue solution is better? At least until something better comes along, that's been thoroughly tested and has a very slim risk factor associated with it?

I dunno, need to think about it more, just seems silly to me.

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints

canthinkofagoodname

Re: Isn't there any logging in Windows?

PowerShell v5 supports enhanced logging beyond the normal logging "PS Engine started / Stopped", or "PS Shell opened / closed". Enhanced logging includes stuff like script tracing (kind of like a key logger, but for PowerShell; also includes logging for spawned or called processes), module logging (triggers events if certain cmdlets or combinations of them are executed) etc.

Trouble is, as with any comprehensive logging strategy, it requires a lot of storage to maintain any useful timeframe of logs (and potential costs with implementing something like Splunk or ELK to ingest and index those logs), and companies still shy away from spending buckets of cash on security solutions and strategies which might be needed (i.e. cannot guarantee the need or ROI).

There are other issues at play though too; previous versions of the PS engine can still be present on a system which don't support enhanced logging.

PS v2/3 are perfect examples; they don't provide the same level of support for modern cmdlets, but they also don't support enhanced logging, and are still directly integrated into the .Net Framework. An attacker would still have a massive range of effects using the old engines, and a much lower likelihood of detection.

Haven't read IBM's reporting direct yet, but I would be curious to see what version of PS they typically see actors using...
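As an added illustration of the logging-coverage point above (example code written for this page, not the commenter's or IBM's), the following Python triages a few constructed event records shaped like the key=value "Details" block of PowerShell Event ID 400 (engine start, which carries HostVersion and EngineVersion) alongside Event ID 4104 (script block logging). It counts sessions started on a 2.x engine, where script block and module logging do not apply, and separately flags the "old engine under a newer host" case; that second heuristic is an assumption of this example, and the sample lines are constructed rather than captured.

```python
import re

# Constructed sample records (not real logs), shaped like the key=value
# "Details" block of Windows PowerShell Event ID 400 ("Engine state is
# changed from None to Available") plus one script block event (ID 4104).
SAMPLE_EVENTS = [
    "EventID=400 HostName=ConsoleHost HostVersion=5.1.19041.1 EngineVersion=5.1.19041.1",
    "EventID=4104 ScriptBlockText=Get-Process",
    "EventID=400 HostName=ConsoleHost HostVersion=5.1.19041.1 EngineVersion=2.0",
    "EventID=400 HostName=ConsoleHost HostVersion=2.0 EngineVersion=2.0",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(_KV.findall(line))


def is_legacy_engine_start(event):
    """Event 400 reporting a 2.x engine: a session that script block
    logging and module logging will not cover."""
    return (event.get("EventID") == "400"
            and event.get("EngineVersion", "").startswith("2."))


def is_engine_downgrade(event):
    """Heuristic (assumption of this example): a 2.x engine hosted by a
    newer host version suggests the old engine was asked for explicitly,
    rather than a machine that only ever had v2 installed."""
    if not is_legacy_engine_start(event):
        return False
    return not event.get("HostVersion", "").startswith("2.")


def triage(lines):
    """Summarise coverage gaps across a batch of event lines."""
    events = [parse_event(line) for line in lines]
    return {
        "script_block_events": sum(1 for e in events if e.get("EventID") == "4104"),
        "legacy_engine_starts": sum(1 for e in events if is_legacy_engine_start(e)),
        "downgrade_suspects": [e for e in events if is_engine_downgrade(e)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

Event 400 is emitted by every engine version, including 2.x, so it is the one record you can rely on to notice sessions that the enhanced logging is silent about; the script-block count only shows what the newer engine happened to record.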

canthinkofagoodname

Re: Ironic that...

Sure, but allowing access to PS for all non-privileged users on the basis that a small percentage of folk might have a use case for it isn't the best approach either.

I agree the "zero-need" is incorrect, but it's a pedantic issue to take; the intent behind the whole comment is that non-priv users should not have access to PS. Nothing wrong with that assertion.

If there is a use case, then allow controlled access to the shell on a case-by-case basis.

Password managers may leave your online crown jewels 'exposed in RAM' to malware – but hey, they're still better than the alternative

canthinkofagoodname

Cool find and all, but for all the bad scenarios...

Should be fairly straightforward:

- Identify risks / threats

- Assess risks / threats (inc. existing mitigations, and predisposing conditions for risk realisation)

- Accept and/or mitigate risks / threats

- Manage risks / threats

It's what we do for just about any other vulnerability or flaw in a system, why should this finding be any different?

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

canthinkofagoodname

Confusion

You may be confusing someone attempting a Brute Force / Dictionary / Guess attack with Password Cracking.

As you describe it, the process of throwing multiple variations of passwords at a login page, with the hope of getting the right combination of username and password, is generally referred to as a Brute Force attack. The methods vary, like using a simple password list (dictionary) or using a tool which creates variations of different passwords by substituting letters with numbers, special characters etc. Could also be a case of someone sitting at your computer and manually trying different passwords. Doing this against a system that gradually increases lock out times with each unsuccessful login attempt does make this difficult.

What they are referring to in the article is Password Cracking. The specific example in the article speaks to taking a password hash (the result of using a specific algorithm to turn a normal password into gibberish) and using a tool to brute force it (try every hash combination for the size of the password), or use a rainbow table (a list of precomputed hashes) and simply compare the results until they get a match.

Doing it this way is a much faster way of getting someone's password, but requires either capturing the password hash in transit (like capturing the authentication traffic while you log into El Reg for example), or in AD environments (for example) dumping the password store for offline cracking.

The crux of the article is that an 8 character password hash, hashed by NTLM, can be cracked very quickly, and affordably.

Hope that helps

Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM 'playing up'

canthinkofagoodname

Re: It's not really about the laptop.

Interesting point, particularly when a good portion (my experience, don't have any data to support claim) of folk working in IT (security or otherwise), if not clinically diagnosed, do show at least some of the behavioral characteristics of someone on the spectrum.

I think assuming NCC would know is a bit of a stretch though. In my last job we had a team of high functioning autists come to work with us; goal of the group who organised it was to help people who are on the spectrum to find and keep work (good cause IMO). Before the group came to the workplace though we had their 'handlers', for lack of a better term, come in to brief us on some of the unique challenges that people on the spectrum, and the people who manage them face.

Turns out that individual managers, and the companies they work for, not knowing how to identify and successfully manage / utilise people on the spectrum is fairly common. That stretches beyond IT though too. I dare say most courses or management programs don't have dedicated learning outcomes for managing people on the spectrum, and if people in management/HR/Recruitment positions have no training or experience in identifying or managing people like that, can't really blame them for getting it wrong either.

As you said, we don't know if this woman has Asperger's or some other "on the spectrum" condition, but if she does and NCC didn't manage her well, that would be a fairly typical sort of story.


Biting the hand that feeds IT © 1998–2020