As if they read my blog…

The Wall Street Journal has a follow-up today that talks about how police track our locations with our cell phones.  Now, answering one of my own questions, thanks to some discussion with my wife, what is the difference between using a GPS tracker and a cell phone?

First, of course you can always turn off your cell phone.  Because you know you are being tracked, you have a means to defend your privacy.  Is it a reasonable means?  I would argue “no”.  In addition, the feds do not own the data.  Instead they have to go to the phone companies to get it.  And they do that quite a bit more than using GPS trackers, according to the article.  And why not?  You pay for the cell phone and your carrier retains the data.  It’s darn cheap for the police to make use of all of that rather than have to pay for the tracker and manage it.

There’s another big difference that I alluded to.  Police in America do get a court order for cell phone location information.  This is why I believe the Obama administration should fail.  It is not an onerous task, judging by numbers, to get such an order, and since it isn’t, the onus falls on the administration to show why they shouldn’t make use of the exact same mechanism when the technology changes.

GPS and the 4th Amendment: Can police track you without your knowledge?

Does the government have the right to know where you are at all times?  This is a question that will be answered by the Supreme Court over the next year.  The Wall Street Journal reports that the Supreme Court will examine today a case in which the police and the FBI attached a GPS tracking device to the car of a night club owner who was suspected of dealing drugs.  At issue is whether this constituted an unreasonable search or seizure by the government, a violation of the Fourth Amendment of the U.S. Constitution.

As the article points out, the Fourth Amendment protects us from the government's eye only where there is some reasonable expectation of privacy.  That which occurs on the street in plain view is not usually considered private.  However, in this case, the question is whether the body of evidence gathered by the police would be considerably more than just some onlooker happening to see you at a particular point in time.  Instead, it would be more like a concerted army of people following you 24 hours per day for as long as the GPS unit were in place.

From a technology perspective, while it may be possible to detect such tracking devices, it might prove very difficult.  For one thing, there’s no reason the device would need to signal to the police every moment of the day where it is.  Rather it could store the information and transmit it only periodically.

What’s more, we all carry tracking devices with us nearly 24 hours per day.  They’re called cell phones.  While some use GPS, the cell phone network knows where you are (or at least where your phone is), with or without GPS.

Here are my questions:

  1. Does the government need a warrant to receive cellular network location data?  If so, what is the difference between cellular network location data and GPS tracking data?
  2. If the government has the right to install a tracking device, assuming you could find the device, do you have the right to remove it?  After all, it is your vehicle.
  3. If the government has the right to track you via GPS, can others do the same?  What is to stop insurance companies, employers, or criminals from tracking you?

It’s the first question I find most profound, because if the government is allowed to attach these devices to you without a warrant, without any cause, they can follow anyone from anywhere to anywhere at any time, from birth to death.  In fact, they could create an enormous database to simply keep track of the location of everyone.

This is not to say that the government shouldn’t track people it reasonably believes to be criminals.  That is why the judiciary exists: to provide oversight over the process so that people’s rights can be balanced.

One final scary thought: such a database might already exist, and might be in the hands of criminals.  As I wrote above, cellular companies already know where you are.  If they’ve been hacked and don’t know it, who knows where that data resides?


Web (in)Security and What Can Be Done

We all like to think that web security is perfect, but we all know better.  You know about spam, phishing, and all manner of malware.  You probably run a virus scanner on your computer.  But what you don’t expect and shouldn’t expect is that the core of our security system would have a flaw.  It does, and has, from the beginning.  What’s more, it’s a known flaw.

How is it your browser decides to trust a site, or to show that lovely lock icon and perhaps a green URL bar when your communication is both encrypted and verified to be to a specific end point?  The simple answer is that your browser provider, Microsoft, Mozilla, Apple, or Google, has made a decision on your behalf that, at least as initially configured, your browser will trust a certain set of authorities, the certificate authorities (CAs), who will in turn validate others.

One such certificate authority got hacked.  Badly.  And because they were trusted by your browser, so might you have been.  Here’s how it works.

  • When you access a URL that begins with “https”, a certificate is sent by that site that is signed by one of the trusted CAs, saying “yes, I agree that this is google.com,” (for example).  If someone gets in between you and Google, they won’t have the private key associated with that certificate, and they won’t be able to validate to your browser.
  • If someone breaks into a CA and gets a certificate for “google.com” (again, for example), and then gets between you and the real Google, they will be able to masquerade.  It doesn’t matter which CA it is, as long as your browser trusts it.  Google needn’t have any relationship with that CA.

This is what happened with DigiNotar.  Not only did they get hacked, but they didn’t notice.  They didn’t have sufficient controls in place to even spot the attack.  That they should have had.

But now there’s something else we can do.  In the Internet Engineering Task Force (IETF), a few folks led by a gentleman by the name of Paul Hoffman have developed an approach where sites like Google can effectively register which certificates are valid for them in a separate, alternative authority that we largely trust already: the Domain Name System (DNS).  You use DNS to convert site names like ofcourseimright.com to IP addresses like 10.1.1.1.

The group working on it is called “dane”.  Had the dane mechanism been in place in the browser, the attack on DigiNotar and Google would have failed, even if Google had been a customer of DigiNotar (which it wasn’t).

When we speak of security we always discuss defense in depth.  That is: never rely on exactly one mechanism to protect you, because at some point it will surely break.  In this case, the attacker needed to (a) compromise the CA and (b) get in between the service and the end user to succeed.  Had dane been in place, then in addition to (a) and (b), the attacker would also have had to compromise Google’s DNS for the attack to succeed.  That’s likely even harder than compromising a CA.
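To make the two layers concrete, here is a small model of the check a browser could perform: the classic rule that any browser-trusted CA can vouch for any name, and on top of it a dane-style comparison of the certificate against a hash the site publishes in DNS (a TLSA record, RFC 6698). This is example code added for illustration, not code from the post or from the IETF dane working group; it does no real X.509 parsing, the certificates and CA names are constructed stand-ins, and it models only the PKIX-EE usage (usage 1), the one where the CA check must still pass and the DNS record is an additional constraint, which matches the defense-in-depth argument above.

```python
"""Toy model of browser CA trust with a DANE (TLSA) check layered on top.

Example code written for this page; not the dane group's code.  No X.509
parsing is done: certificates are plain records and their "DER" bytes are
constructed so that a SHA-256 can be taken over them.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    subject: str  # host name the certificate claims
    issuer: str   # certificate authority that signed it
    der: bytes    # constructed stand-in for the DER-encoded certificate


@dataclass(frozen=True)
class TLSARecord:
    """Fields of a TLSA resource record (RFC 6698)."""
    usage: int            # 1 = PKIX-EE: CA validation still required, plus this match
    selector: int         # 0 = hash covers the full certificate
    matching_type: int    # 1 = SHA-256
    cert_assoc_data: bytes


# Constructed scenario (all names made up): the browser ships with two CAs,
# one of which has been broken into, as DigiNotar was.
TRUSTED_CAS = frozenset({"HonestCA", "CompromisedCA"})
HOST = "www.example.com"

LEGIT_CERT = Certificate(HOST, "HonestCA", b"constructed-der-for-legit-cert")
ROGUE_CERT = Certificate(HOST, "CompromisedCA", b"constructed-der-for-rogue-cert")

# The site operator publishes the hash of its real certificate in DNS.
# DANE relies on DNSSEC to protect this record; that protection is assumed here.
SITE_TLSA = [TLSARecord(1, 0, 1, hashlib.sha256(LEGIT_CERT.der).digest())]


def ca_trust_check(cert, host, trusted_cas=TRUSTED_CAS):
    """Classic model: any browser-trusted CA may vouch for any host name."""
    return cert.subject == host and cert.issuer in trusted_cas


def dane_check(cert, tlsa_records):
    """Accept only if a TLSA record of the modelled kind matches this certificate."""
    cert_hash = hashlib.sha256(cert.der).digest()
    for rec in tlsa_records:
        if (rec.usage, rec.selector, rec.matching_type) != (1, 0, 1):
            continue  # other usage/selector/matching-type combinations not modelled
        if rec.cert_assoc_data == cert_hash:
            return True
    return False


def verify_with_dane(cert, host, tlsa_records, trusted_cas=TRUSTED_CAS):
    """Defense in depth: the CA chain and the DNS-published record must both agree."""
    return ca_trust_check(cert, host, trusted_cas) and dane_check(cert, tlsa_records)


def tlsa_zone_line(host, port, rec):
    """Render a record in the zone-file form an operator would publish."""
    owner = f"_{port}._tcp.{host}."
    fields = f"{rec.usage} {rec.selector} {rec.matching_type}"
    return f"{owner} IN TLSA {fields} {rec.cert_assoc_data.hex()}"


if __name__ == "__main__":
    print(tlsa_zone_line(HOST, 443, SITE_TLSA[0]))
    for name, cert in (("legit", LEGIT_CERT), ("rogue", ROGUE_CERT)):
        print(name, "CA-only:", ca_trust_check(cert, HOST),
              "CA+DANE:", verify_with_dane(cert, HOST, SITE_TLSA))
```

Run as a script, it prints the zone line an operator would publish and then shows that the CA-only check accepts both certificates (the rogue one was signed by a CA the browser trusts, exactly as in the DigiNotar case), while the combined check rejects the rogue certificate because its hash is not the one the site put in DNS.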

Dane has another potential benefit: in the long run, it may get browsers completely out of the business of telling you whom to trust, or at least greatly limit that trust.

This attack also demonstrates that as threats evolve our response to those threats evolves.  Here we understood the threat, but just didn’t get the work done fast enough before a CA was compromised.  I still call this a win, as I think we can expect to see dane even faster than we expected before the attack.

As if On Cue: Google accounts attacked from China

The BBC reports today how China is rejecting Google’s statement that attacks on its users originated from China.  It’s very fair for China to call into question where attacks originate.  The best Google can really authoritatively say is that they saw attacks coming from a particular set of IP addresses that happen to be registered to a network that resides in a particular location, in this case Jinan.

However, the attacks targeted individuals said to be Chinese dissidents or adversaries.  In this case, as the BBC writes, while it is very difficult to state with assurance that the attacks were made by the Chinese government, the technique used, spear phishing, leads one to believe that this attack was in fact paid for, in some way, by a government.  Spear phishing involves learning about a particular individual, and then crafting a message that that person would think came from someone they knew, and convincing that person to view an attachment that itself contains a virus.  That virus must be relatively unknown, or virus checkers will pick it up.  The cost of spear phishing is high, and the monetary pay-off tends to be low.  Therefore, it is a good fit for an intelligence organization.

In addition, as I wrote not long ago, Cambridge University investigated a break-in of the Office of His Holiness, The Dalai Lama.  Those attacks also seemed to originate from China, they were also targeted against an adversary, and worst of all, China apparently acted upon the information stolen by applying diplomatic pressure against those countries who invited the Dalai Lama.

At the very least, China bears some culpability for allowing the attack.  Here we have a government that does not believe in the free flow of information, and so they are known for monitoring everything.  How, then, did this attack escape their notice?

Is hacking Skype a human rights violation?

Not twenty-four hours ago I wrote about how the Pentagon is going to announce that cyber-attacks could be casus belli.  Now the Wall Street Journal reports that an Egyptian intelligence agency was monitoring the Skype communications of dissidents.  Let’s first agree on a truth.  No one’s right to privacy is absolute or ever assured.  However, plotting the peaceful overthrow of a government (in America we call that an election) should not be subject to snooping.  If we can go to war over hacking, should we not then also stand up for people’s human right to peacefully and privately express their views?  Ronald Reagan used to rail on how the Soviet Union wasn’t free.  He was right.  Now here we are in the age of the Internet.  What do his words mean in today’s context?  The free flow of information is a human right.  It’s not absolute if, for instance, you’re talking about robbing a bank.

By the way, the Egyptians did not break Skype’s encryption, but instead seem to have infected the dissidents’ systems.  That’s something Skype can only partially control: if the infection was spread by Skype’s instant messaging capability, then they do bear some responsibility.  But if it was spread by other means, then there’s really not much they can do.