DEF CON 24: Bypassing Captive Portals and Limited Networks

I just presented a talk at DEF CON 24. This discusses “captive portals” — the websites that attempt to manage access to open WiFi and similar semi-public networks — and their flaws that allow bypassing them. For those of you who have been directed to the site from the talk, you can find the slides available for download here.

The slides are quite large (15 MB) as they contain two embedded videos. I will also link to the video recording on the DEF CON media server as soon as it is available, but historically that doesn’t happen until 3-6 months after the conference.

In other news, I will be renovating this site and bringing it back up as a more useful resource soon!


DEFCON 23: The Only Way to Be Sure: Obtaining and Detecting Domain Persistence

I presented a talk at the DEF CON 101 track of DEF CON 23 this year; for those of you who have been directed to the site from the talk, you can find the slides on this site here: DEF CON 23: The Only Way to Be Sure: Obtaining and Detecting Domain Persistence

Note that as the slides are mostly video demos, the deck is quite large and is only available in PowerPoint format.

attacks, mitigations, risk

DEFCON 22: Detecting Bluetooth Surveillance Systems

For anyone looking for my talks at DEF CON 22 and Thotcon 0x6 on the topic of detecting Bluetooth surveillance systems, the DEF CON slide deck is available for download here, or in PDF. The (abbreviated) Thotcon version is here.

Finally, you can stream or download the full DEF CON presentation video with slides from the DEF CON media server.


Fingerprint Login and Authentication

With Apple’s introduction of Touch ID for the new iPhone 5S, there’s been a lot of news coverage of their new fingerprint-based unlock system — and not just about its usefulness for cats. People want to know: is it secure? Can someone bypass it? Within moments of its release there was already a sizeable bounty being offered to someone who could “break” Touch ID. Of course, the Chaos Computer Club demonstrated a bypass in under a week.

But the thing about fingerprints is that they’ve been easy to bypass for more than 20 years. It’s not that hackers have figured it out “already”, rather spies figured it out decades ago. You dust the fingerprint, photograph the pattern, print it out with an impact printer (or, in a pinch, a laser printer with the toner on the heaviest setting to leave raised printing), pour plain old Elmer’s glue on it, let the glue dry until firm but not quite solid, and peel it off. Presto! Prosthetic fingerprint.

The problem with how fingerprints are being used is that fingerprints are a form of identification, not authentication. They quickly say who you are, but they don’t prove who you are — essentially, when trying to translate the traditional username/password paradigm to biometrics, a fingerprint is like a username, not like a password. Unfortunately, it’s being used as a password. It’s especially funny on the new iPhone because they’re using fingerprints to authenticate to a touchscreen device — that is, an object that has your fingerprints all over it! If someone wanted into such a phone it would be really easy to lift the user’s fingerprints off the screen, create a prosthetic, and unlock the device with the fingerprint reader. You can’t make a secure authentication method out of something that people leave everywhere.

On the other hand, I can’t bring myself to care that much. There’s a general rule in computer security: “If the adversary has unrestricted physical access to your computer, it’s not your computer.” If someone’s trying to bypass fingerprint lock on a phone, then they must have possession of the phone — and in that case there are many ways in, whether it’s locked with a fingerprint, a PIN, a password, or whatever. Fingerprint is more convenient than PIN and probably approximately as secure as a PIN. In either case, if the device storage isn’t encrypted, getting access to it is trivial, and if it is encrypted, the capability to perform an offline attack (a capability you have in a stolen-device scenario) means that bypassing a 4-digit PIN is equally trivial. You’re not really losing much, if any, security by going to a fingerprint.

The other problem with fingerprints as passwords — aside from the fact that you leave them everywhere — is that your fingerprint can’t be rotated. If your password gets stolen, you can change your password, but if your fingerprint is stolen, it’s stolen forever. There’s no way for you to change it. This is fine for an identifier (username), but not fine for an authenticator (password) — it puts you in the situation of “break once, break everywhere.” Once your fingerprint has been stolen by an adversary, they have it for the rest of your life. This is also why fingerprints (or any biometrics) should never be used to generate cryptographic keys.

You’ll find fingerprint readers on a lot of enterprise-model laptop computers, too. On these, the fingerprint reader is just an alternate authenticator to Windows, so Windows will still let you log in with your password if the fingerprint reader doesn’t work. It does (by design) reduce your security a bit — but once again, not much, because if someone is trying to break in via the fingerprint reader then they must have physical possession of your computer, and they’re going to get in anyway. The only protection against that is to enable BitLocker in PIN mode — that is, full-disk encryption with a PIN code required at power-on to decrypt the hard disk, and even then you’re only really safe if your computer comes with a TPM (which most business laptops do, but most other PCs do not.) Most people don’t do this, which means fingerprint or password, your data is easily accessible to someone who has possession of your PC.

So all told, there’s not much reason not to use fingerprint unlock on a phone, since phone unlock is not normally a boundary where we expect much security (as our usual mechanisms — either “swipe to unlock” or a 4-digit PIN code with unlimited guesses allowed — provide very little security anyway.) But from a systems design perspective, if you want real security, fingerprint should not be treated as an authenticator, regardless of the technology being employed.

authentication, hardware, industry, risk

The Blade Itself Incites to Violence

First we find out Verizon has been essentially running a pen register on its entire customer base for three months, under a FISA court order. Then we find out it was a renewal – given that the FISA court has approved some 38,000 warrants and denied only around 130, I don’t believe there’s any reason not to believe that the FISA court approves a pen register on every US phone company every three months.

And then Edward Snowden turns the NSA’s terrible PowerPoint slides (seriously, could they put any more flag and eagle clip art in there if they tried?) over to the Guardian, and it looks like PRISM has direct access to every record of customer data in ten major Internet service companies. Quickly PRISM overtakes the Verizon scandal in attention.

What are we to make of this? A tempest in a teapot, or that the United States has already gone over the edge into a police state? The mainstream media certainly promulgates both views — and Congress has given them plenty of ammunition to do so, with Snowden called whistleblower, hero, criminal, or traitor depending on who’s giving the sound bite.

Of course, all the major Internet companies — Microsoft, Google, Facebook, etc. — have claimed to have no knowledge of PRISM, and not to be party to any worldwide NSA-led spy ring. As someone who works in security at a major Internet company, frankly, I believe them. Which is to say that I believe that spokesperson has no knowledge of PRISM and genuinely believes his employer is not party to any worldwide NSA-led spy ring. But these companies have criminal compliance teams — groups whose role is to liaise with law enforcement around the world, and to determine which requests, subpoenas, and warrants to quietly obey and which to resist. These criminal compliance teams operate in secret, necessarily — it’s often outright illegal for them to share the requests they receive (the USA PATRIOT Act’s National Security Letters come with gag orders attached), and even if it’s not, it’s bad practice. Most of the time they’re assisting in the investigation of bona fide bad people, child pornographers and fugitive murderers and the like, and talking too much jeopardizes the investigation. Criminal compliance people are law enforcement people — they’re Lawful Good, they believe in what they’re doing, and generally rightfully so. They may care passionately about civil liberties, and they may push back on overreaching requests, but ultimately they believe in the power of government to do good, just as legislators do, or they wouldn’t be in that career — and that career requires a culture of secrecy. They don’t talk, and their managers don’t ask, because that’s their job. So the spokespeople at Microsoft and Google and Facebook and so on are telling the truth — they’ve never heard of PRISM, they don’t know about any NSA spy ring. And yet that means very little; they wouldn’t have heard of it, and they wouldn’t know about it, and the people who do won’t say. It’s their job not to say, and the great majority of the time, we as a society should be glad they’re doing their job. They put people like this guy in jail.

PRISM is probably not a spying system per se. It’s a glorified reporting layer — it presents to intelligence agents in usable form the intelligence the NSA has already collected, and allows them to easily request more. Those requests go through the usual due process, getting sent to some Internet company with an order from the FISA court. PRISM probably isn’t directly tied into the core systems of the Internet’s largest companies… but it indirectly is, by way of any number of other applications and processes, both technical and legal. Maybe even those criminal compliance teams have never heard of PRISM… they’ve heard of a few National Security Letters, and a few dozen warrants, and a few hundred subpoenas, and each one alone made sense, yet all of the data from all of them went into the NSA’s great oracle, and the whole is greater than the sum of its parts.

I will give the administration one thing: there’s no evidence that the data from PRISM is being abused. PRISM knows about your Google searches, it knows about your email’s contents, it knows all the little felonies and misdemeanors you’ve committed. And make no mistake, you have committed them: our legal code has become so labyrinthine, everyone is a felon — as Cardinal Richelieu said, “if you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.” When even copyright infringement is a criminal offense, when the Computer Fraud and Abuse Act makes violating website terms of service (you haven’t read them) a felony, a prosecutor with the will and the political support can prosecute anyone. Yet… they don’t. The NSA isn’t turning over everyone’s drug purchases and porn habits and music downloads to local district attorneys — it doesn’t look like they’re turning over anyone’s. They’re using it to look for terrorists, because that’s their charter, and nothing more. Obama’s not lying when he says the program has thorough oversight and is carefully targeted.

Allow me to take a digression here. The Transportation Security Agency was established to secure the nation’s transportation system against terrorism. Their charter is very clear: strengthen the security of the nation’s transportation systems and ensure the freedom of movement for people and commerce. The TSA’s charter, notably, is not to wipe out drug trafficking, or to prevent smuggling, or to enforce customs laws, or to prevent illegal immigration. And thus it does not try to do these things: its rules are all regarding weapons and explosives, not drugs or contraband (those drug-sniffing dogs are CBP, not TSA), and its security measures are aimed at that target. Sometimes they may be ridiculous — X-ray scanners that can’t detect objects placed at your sides, say, or the constant “preparing for the last war” of shoe removal and liquid bans — but their aim is clear even if the shots are wild. Thus, it was no surprise that they recently decided to stop screening for small knives, golf clubs, multi-tools, and other minor weaponry. These items are no threat to the security of an aircraft — any weapon that can’t threaten more than one person at a time isn’t. No one with a knife is going to get through a cockpit door, and even if they take a hostage they’re not likely to kill more than one person — tragic for that one person, to be sure, but no threat to the aircraft, much less the transportation system. The TSA wanted to focus on threats to the aircraft — bombs, guns, and the like.

Yet the flight attendant’s union objected (naturally — they’re the ones who will get stabbed with those small knives, hit with those golf clubs, etc. and the safety of the transportation system is, to them, little consolation), and some opportunistic members of Congress latched on and threw a fit. How dare the TSA not stop an obvious threat? It didn’t matter that it’s not the TSA’s mission to stop that threat. The TSA is beholden to Congress, Congress is driven by public opinion, public opinion is driven by the media, and the media is driven by fear, because fear gets ratings. Fear sells, so it owns the media, which owns the public, which owns Congress. So now the TSA has backed off from their threat — they can stop a drunkard with a pocket knife, so they must stop a drunkard with a pocket knife. Never mind that it’s not their charter, that it has nothing to do with the safety of the transportation system, that it’s unrelated to terrorism or homeland security.

Maybe Obama’s right — maybe PRISM isn’t really a threat, just a reporting system, and maybe the NSA, despite the fact that a random analyst “sitting at my desk certainly had the authorities to wiretap anyone from you or your accountant to a Federal judge to even the President” isn’t abusing that power. Like the criminal compliance employees at major Internet companies, people working for the NSA are by and large loyal American citizens who perform their role because they believe in it, and because they know they’re doing good for their country. They swear an oath to uphold the Constitution, and that includes the Fourth Amendment. In any case, NSA surveillance is absolutely inadmissible in court for domestic crimes; FISA orders are only valid for, as the name implies, foreign intelligence.

But what happens when the media turns its attention to something other than terrorism? What happens when public opinion gets incited against something else — something evil, of course, but nevertheless something outside the NSA’s purview? What happens when the public’s fear turns from terrorism to human trafficking, or child abduction, or illegal immigration, or foreign cyber-attacks, or “hackers,” or corrupt bankers? The NSA has the evidence to catch these people — Congress will demand action. We have a hundred thousand spies now: they have the capability, they have the information. The law will change; maybe not now, maybe not for a decade, but if we don’t strangle this right now, it will change. Even if every word the President and General Alexander says is true, it cannot remain true as long as these capabilities continue to exist and grow — we know exactly where this road leads. They can do it, so they must: as Homer said, the blade itself incites to violence.

legal, privacy, society, terrorism