Archive

Category Archives for "Security"

What the Yahoo NSA might’ve looked for

The vague story about Yahoo searching emails for the NSA was cleared up today with various stories from other outlets [1]. It seems clear a FISA court order was used to compel Yahoo to search all their customers' email for a pattern (or patterns). But there's an important detail still missing: what specifically were they searching for? In this post, I give an example.

The NYTimes article explains the search thusly:
Investigators had learned that agents of the foreign terrorist organization were communicating using Yahoo’s email service and with a method that involved a “highly unique” identifier or signature, but the investigators did not know which specific email accounts those agents were using, the officials said.
What they are likely referring to is software like "Mujahideen Secrets", which terrorists have been using for about a decade to encrypt messages. Its output includes a unique fingerprint/signature that can easily be searched for, as shown below.

In the screenshot below, I use this software to type in a secret message:


I then hit the "encrypt" button, and get the following, a chunk of random looking text:


This software encrypts, but does not send/receive messages. You have to do that manually yourself. Continue reading
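As an added illustration of what a "signature" search looks like (this is example code, not part of the original post and not the tool's own format), here is a Python scanner that matches fixed marker lines in each message body. The first marker, the PGP ASCII-armor header, is a real and well-known one; the second is a placeholder that stands in for the Mujahideen Secrets header, whose actual text is not reproduced here and is therefore an assumption. The sample messages are constructed for the example.

```python
import email
import re
from email import policy

# Signatures are anchored to the start of a line, so a message that merely
# mentions an encrypted block mid-sentence does not match.
SIGNATURES = {
    # Real, well-known marker emitted by PGP/GnuPG ASCII armor.
    "pgp-armor": re.compile(r"^-----BEGIN PGP MESSAGE-----\s*$", re.MULTILINE),
    # ASSUMPTION: placeholder standing in for the tool's own header line;
    # the real Mujahideen Secrets marker is not reproduced here.
    "assumed-tool-marker": re.compile(
        r"^#---Begin .* Encrypted Message---\s*$", re.MULTILINE
    ),
}


def body_text(msg) -> str:
    """Concatenate every text/plain part, including text attachments."""
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def scan_message(raw: bytes):
    """Return (from, to, [matching signature names]) for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = body_text(msg)
    names = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    return str(msg["From"]), str(msg["To"]), names


def scan_mailflow(messages):
    """Keep only messages whose body carries at least one signature.
    The selector never needs to know any account in advance; that is the
    point of searching everything for a fixed pattern."""
    return [hit for hit in map(scan_message, messages) if hit[2]]


# Constructed sample traffic (not real mail).
SAMPLE_MAIL = [
    b"From: a@example.org\nTo: b@example.org\nSubject: lunch\n\nSee you at noon.\n",
    b"From: c@example.org\nTo: d@example.org\nSubject: hi\n\n"
    b"-----BEGIN PGP MESSAGE-----\n\nhQEMA3x4YjZa1fKvAQf9Fj2c\n-----END PGP MESSAGE-----\n",
    b"From: e@example.org\nTo: f@example.org\nSubject: hi\n\n"
    b"#---Begin Example Tool Encrypted Message---\nZ2FyYmFnZQ==\n"
    b"#---End Example Tool Encrypted Message---\n",
    b"From: g@example.org\nTo: h@example.org\nSubject: spam?\n\n"
    b"Someone pasted a -----BEGIN PGP MESSAGE----- block into the wiki.\n",
    b"From: i@example.org\nTo: j@example.org\nSubject: fwd\nMIME-Version: 1.0\n"
    b"Content-Type: multipart/mixed; boundary=\"XX\"\n\n"
    b"--XX\nContent-Type: text/plain\n\nsee attached\n"
    b"--XX\nContent-Type: text/plain; name=\"msg.txt\"\n"
    b"Content-Disposition: attachment; filename=\"msg.txt\"\n\n"
    b"-----BEGIN PGP MESSAGE-----\n\nhQEMA3x4YjZa1fKvAQf9Fj2c\n-----END PGP MESSAGE-----\n"
    b"--XX--\n",
]

if __name__ == "__main__":
    for sender, rcpt, names in scan_mailflow(SAMPLE_MAIL):
        print(f"{sender} -> {rcpt}: {', '.join(names)}")
```

Two things a practitioner would check: the scan walks every MIME part, so an armored block carried as a text attachment is still caught; and the anchored regex keeps a message that only talks about PGP from becoming a false positive, which matters when the selector runs across every customer's mail.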

The Yahoo-email-search story is garbage

Joseph Menn (Reuters) is reporting that Yahoo! searched emails for the NSA. The details of the story are so mangled that it's impossible to say what's actually going on.

The first paragraph says this:
Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails
The second paragraph says this:
The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts
Well? Which is it? Did they "search incoming emails" or did they "scan mail accounts"? Whether we are dealing with emails in transit, or stored on the servers, is a BFD (Big Fucking Detail) that you can't gloss over and confuse in a story like this. Whether searches are done indiscriminately across all emails, or only for specific accounts, is another BFD.

The third paragraph seems to resolve this, but it doesn't:
Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
Who are these "some surveillance experts"? Why is the Continue reading

No, Trump’s losses don’t allow tax avoidance

The New York Times is reporting that Trump lost nearly a billion dollars in 1995, and that this would enable tax avoidance for 18 years. No, it doesn't allow "avoidance". This is not how taxes work.

Let's do a little story problem:

  • You invest in a broad basket of stocks for $100,000
  • You later sell them for $110,000
  • Capital gains rate on this is 20%
  • How much taxes do you owe?

Obviously, since you gained $10,000 net, and tax rate is 20%, you then owe $2,000 in taxes.

But this is only because losses offset gains. All the stocks in your basket didn't go up 10%. Some went up more, some actually lost money. It's not unusual that the losing stocks might go down $50,000, while the gainers go up $60,000, thus giving you the 10% net return, if you are investing in high-risk/high-reward stocks.

What if instead we change the tax code to only count the winners, ignoring the losing stocks. Now, instead of owing taxes on $10,000, you owe taxes on $60,000. At 20% tax rate, this comes out to $12,000 in taxes -- which is actually more than you earned on your investments.

Taxing only investments that Continue reading

Some technical notes on the PlayPen case

In March of 2015, the FBI took control of a Tor onion child-porn website ("PlayPen"), then used an 0day exploit to upload malware to visitors' computers, to identify them. There is some controversy over the warrant they used, and government mass hacking in general. However, much of the discussion misses some technical details, which I thought I'd discuss here.

IP address

In a post on the case, Orin Kerr claims:
retrieving IP addresses is clearly a search
He is wrong, at least, in the general case. Uploading malware to gather other things (hostname, username, MAC address) is clearly a search. But discovering the IP address is a different thing.

Today's homes contain many devices behind a single router. The home has only one public IP address, that of the router. All the other devices have local IP addresses. The router then does network address translation (NAT) so that all outgoing traffic uses the single public IP address.

The FBI sought the public IP address of the NAT/router, not the local IP address of the perp's computer. The malware ("NIT") didn't search the computer for the IP address. Instead the NIT generated network traffic, destined to the FBI's computers. Continue reading
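To make that distinction concrete, here is an added Python example (not from the original post, and not the NIT's code): a throwaway listener on loopback stands in for the receiving server and a client connection stands in for the beaconing host, and the listener learns the source address from the connection itself, never from anything on the client's disk. A second function classifies observed source addresses by range (RFC 1918, RFC 6598 carrier-grade NAT, loopback) to say what an address can and cannot tell an investigator. The callback records and their line format are constructed for the example.

```python
import ipaddress
import re
import socket
import threading

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def observed_peer_address(payload: bytes = b"nit-callback") -> tuple:
    """Stand-in for the mechanism: a listener (the receiving server) and a
    client (the beaconing host). Returns (address the server saw on the
    connection, address the client reads from its own socket). On loopback
    both are 127.0.0.1; across a NAT router the server would see the
    router's public address while the client still sees its private one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = srv.accept()  # peer[0] is taken from the IP header
        with conn:
            conn.recv(len(payload))
            seen["peer"] = peer[0]

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        cli.sendall(payload)
        client_view = cli.getsockname()[0]
    worker.join()
    srv.close()
    return seen["peer"], client_view


def classify(addr: str) -> str:
    """Name the address range an observed source address falls in."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip in CGNAT:
        return "carrier-grade NAT"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "reserved"


# Constructed callback records; the line format is an assumption for this example.
CALLBACKS = [
    "2015-03-01T12:00:01Z src=8.8.8.8 sport=51234 session=a1",
    "2015-03-01T12:00:07Z src=192.168.1.23 sport=40001 session=a2",
    "2015-03-01T12:00:09Z src=100.70.3.9 sport=61000 session=a3",
    "2015-03-01T12:00:15Z src=127.0.0.1 sport=33333 session=a4",
]

RECORD_RE = re.compile(r"src=(\S+) .*session=(\S+)")


def triage(records):
    """Map each record to (session, src, range, attributable_to_subscriber).
    Only a public address can be resolved to an ISP subscriber; a private or
    CGNAT address means the callback was observed short of the public edge."""
    out = []
    for line in records:
        m = RECORD_RE.search(line)
        if not m:
            continue
        src, session = m.group(1), m.group(2)
        kind = classify(src)
        out.append((session, src, kind, kind == "public"))
    return out


if __name__ == "__main__":
    print("loopback exchange (server view, client view):", observed_peer_address())
    for row in triage(CALLBACKS):
        print(row)
```

The caveat the classifier encodes: the address the server sees identifies whatever did the last translation, so a home router yields the subscriber's public address, a carrier-grade NAT yields an address shared by many subscribers, and traffic that had gone out through Tor would have shown an exit relay instead. That is why the observed address needs a range check before anyone treats it as pointing at a particular household.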

Beware: Attribution & Politics

tl;dr - Digital location data can be inherently wrong and it can be spoofed. Blindly assuming that it is accurate can make an ass out of you on Twitter and when regulating drones.

Guest contributor and friend of Errata Security Elizabeth Wharton (@LawyerLiz) is an attorney and host of the technology-focused weekly radio show "Buzz Off with Lawyer Liz" on America's Web Radio (listen live each Wednesday, 2-3:00pm Eastern; prior episodes are available online and via iTunes under "Lawyer Liz"). This post is merely her musings and not legal advice.

Filtering through various campaign and debate analysis on social media, a tweet caught my eye. The message itself was not the concern, and the underlying image has since been determined to be fake. Rather, I was stopped by the 140-character tweet's absolute certainty that internet user location data is infallible. The author presented a data map as proof without question, caveat, or other investigation. Boom, mic drop - attribution!

According to the tweeting pundit, "Russian trollbots" are behind the #TrumpWon hashtag trending on Twitter.
The proof? The Twitter post claims that Trendsmap showed the initial hashtag tweets as originating from accounts located in Russia. Continue reading

Industry First Micro-segmentation Cybersecurity Benchmark Released

The VMware NSX Micro-segmentation Cybersecurity Benchmark report has been released! As previewed in part six of the Micro-segmentation Defined – NSX Securing Anywhere blog series, independent cyber risk management advisor and assessor Coalfire was sponsored by VMware to create an industry-first Micro-segmentation Cybersecurity Benchmark report. Coalfire audited the VMware NSX micro-segmentation capabilities to develop this benchmark report, detailing the efficacy of NSX as a security platform through a detailed “micro-audit” process that tested NSX against simulated zero-day threats.

Testing included five different network design patterns, and demonstrated how NSX micro-segmentation can provide stateful, distributed, policy-based protection in environments regardless of network topology. Topologies included –

  • Flat L2 network segments
  • L2 and L3 networks with centralized virtual or physical routers, representative of typical data center rack implementations built on a hybrid physical and network virtualization platform / distributed virtual switch (dVS)
  • Networks with connection to other physical servers
  • Overlay-based networks using the Distributed Firewalls (DFW) and Distributed Logical Routers (DLR)
  • Physical VLAN and overlay-based networks using service insertion technologies running on dedicated VMs (in our case, Palo Alto Networks NextGen FW with Panorama)

(Figure: five micro-segmentation design patterns)

Coalfire’s examination and testing of VMware NSX technology utilized simulated exploits that depict likely malware and Continue reading