Internet Security – It’s on the User

Published: Sep 3, 2020   |   4858 words with about 26 minutes reading time   |   ©2022 by Bob Smith
Category: Technology   |   Tags: Black hat Pentest Pineapple

Internet security and privacy go hand in hand. Privacy means keeping information to yourself and disclosing only the pieces a situation requires, whether by law or by choice: an allergy when seeking medical treatment, or a 4-digit PIN at an ATM. Security is the collection of measures, physical like a safe and digital like a password, that guard against privacy breaches.

Trustees such as governments, banks and doctors hold private information in order to provide services. Laws require disclosure when a trustee collects, stores or transfers private information to a third party. The 2017 Equifax credit reporting breach astonished many, not because a breach happened, but because few realized Equifax was a trustee of their private information at all. Most never read the disclosure, delivered with a new credit card, that describes the reporting relationship.

This paper discusses the progressive policy and laws that are increasing information owners' control over their privacy. These welcome advances require higher levels of security knowledge and vigilance from the owner. Current security flaws and attack techniques are also covered.

Balanced Security

Securing privacy is an eternal struggle to balance protection against convenience and expediency. Well-implemented cryptography can protect digitized information beyond any practical attack. The processes a human must be able to operate, such as passwords on yellow sticky notes, become the weak link.

Effective security practice balances this struggle against the risk and cost of an information breach. Four-digit ATM PINs are effective for banks because they are balanced by these and other factors:

Amazon's security practices are tuned to maximize shopping against the actual cost of loss. Amazon could certainly reduce fraud further, but only by burdening the user with additional steps and effort, making them less likely to shop.

In a more conventional setting, Walmart could reduce inventory shrinkage to near zero by escorting each customer through the store, at a cost many times the theft and with an unmeasurable hit to customer loyalty. Based on industrial psychology and testing, they did cost-justify deploying greeters at every store entrance. What looks like a customer loyalty play is also loss prevention: patrons don't realize that being greeted significantly reduces casual theft.

Leaking Privacy

Participating in Facebook and other "free" applications surrenders privacy, as their terms carefully disclose; many already regret it and many more will. Every user agrees that their inputs, observations, locations and millions of other data points become the property of the service and of whomever it shares or sells the data to. Most of this behavioural data (often loosely called metadata) lies dormant for now, but analytics keep improving, driving deeper data mining and delivering new insights for commercial and possibly sinister use.

Progressive European law recognizes this dystopian future and provides legal protections for consumers. The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, applied from 25 May 2018 [1]; it replaced the 1995 Data Protection Directive and is popularly associated with its "right to be forgotten" (the right to erasure). Its consumer protections are enforced with administrative fines of up to 4% of worldwide annual turnover (criminal penalties are left to the member states) and include the following:

Technical and legal personal data protections continue to evolve, but personal vigilance has been and will remain the critical factor: making informed decisions about how much security to trade for convenience. The easiest ATM PINs to remember are also the easiest to guess.

Over time, many will discover that the detailed chronicle of their life, left behind as a trail of personal data breadcrumbs, serves only as product fuelling commercial enterprises. Continual breaches caused by sloppy data handling at these businesses are wake-up calls to reconsider the proposition of a free service. Unfortunately, the internet does not present itself the way a jungle or the Amazon does, triggering our innate sense of danger and raising vigilance. Malicious activity can lurk behind the very friendly free Xfinity WiFi.

A small amount of knowledge about these potential hazards prevents a lifetime of unwinding an identity theft.

Hacking

The digital economy keeps driving demand for WiFi access everywhere. Users demand convenience features that automatically reconnect them to known networks using stored passwords. Among these conveniences lurk serious personal security threats; basic awareness of the hazards and some vigilance are all that is required to avoid entanglements. Untrusted or open networks require no username or password, or hand out one shared credential to anyone who asks. All that is needed to get on is usually accepting an online agreement, which means there is no real control over who else is on the network.

Trusted or closed networks restrict access to known users with individual credentials. When only user credentials are required, this is called single-factor authentication. But just because a network looks official and asks for credentials does not guarantee it is authentic or safe.

A Pineapple You Can Trust

Beware of public single-factor WiFi networks. Access points with authentic-looking sign-on screens are easy and inexpensive to duplicate. These rogue devices are popularly called Pineapples, after Hak5's WiFi Pineapple, a commercial rogue access point sold for penetration testing (the name is said to come from the pineapple's traditional role as a sign of hospitality; the generic terms are rogue access point and evil twin). They impersonate legitimate networks and lure unsuspecting WiFi seekers into giving up their credentials. Since most people reuse the same credentials everywhere, the bandits also get the Amazon account, the bank account and more.

Often the rogue device passes the user on to the Internet, providing the expected experience, but with a man in the middle positioned to capture every byte the user sends and receives. Properly verified HTTPS limits what that position yields to metadata (which sites, when, how much), unless the user clicks through a certificate warning or the site falls back to plain HTTP.

Laptop and mobile convenience features that remember WiFi networks and rejoin them automatically put users in harm's way without their knowledge: a device recognizes a remembered open network by its name alone, so a rogue access point broadcasting that name is joined automatically, with no user action at all.

Identity theft isn’t a good trade for convenience

A better way to assure security, for both parties, is an additional authentication step. Multi-factor authentication requires further challenges beyond the single-factor credential.

A common two-factor system challenges unrecognized computers to authenticate further by entering a code sent to another device, typically a mobile phone, designated by the user. The additional layer is better, but if both devices are compromised it is useless, and a rogue network that proxies the real login page can simply relay the one-time code in real time.

A challenge based on information known only to the two parties, such as a user-selected image shown after initial authentication, was once promoted as something a Pineapple cannot know. In practice a rogue device that forwards the login to the real site gets the real image back and shows it, so the image proves little. Only origin-bound credentials such as FIDO2/WebAuthn security keys, which refuse to sign for an impostor domain, defeat this kind of man in the middle.

Lastly, anyone whose life or work requires frequent use of open networks should keep endpoint protection with real-time scanning running, and should tunnel traffic through a VPN so that the local network operator, rogue or not, sees only encrypted traffic to the VPN endpoint.

User Best Practices

White is the New Black

Effective cyber security agents, whether exploiting or defending, are hackers using the same skills and tools to further their objectives. The security industry refers to White Hats as those who work to recognize and mitigate electronic threats. Black Hats work to find and exploit them for social, political or profit motives.

Network infiltration happens for three reasons:

  1. Retrieve digital assets like emails and credit card numbers;
  2. Deposit digital assets, like a small well-hidden program, bot, with a mission;
  3. Create mischief to cause damage or service interruption.

A prime example is luring unsuspecting users to download bot malware from legitimate-looking websites. At a pre-set time, or on command from a control server, all infected devices begin flooding a specific site. Called Distributed Denial of Service (DDoS) attacks, they live up to their name by using many computers (distributed) to overwhelm (deny) a resource (service) in order to impede commerce or other activity for protest or ransom. DDoS has been a favourite since the early days of the Internet because the damage inflicted is large compared to the simplicity of execution.

A newer variant, DDoS for Bitcoin (DDoS2B; the DD4BC extortion group made it notorious in 2014 and 2015), uses an unregulated international currency to collect ransoms. Bitcoin is pseudonymous rather than untraceable (every payment sits on a public ledger), but it spares extortionists the international cat-and-mouse game of collecting through PayPal.

Attacks are not limited to big corporations. Black Hats target smaller businesses with ransomware that infiltrates and encrypts every document it can find. An unlock key is offered for a ransom, at the time of writing typically five Bitcoins (~$3,500) and up, and a deadline threatens permanent destruction of the files if payment is late. Offline, tested backups are the only reliable defence.

Many attacks retrieve information or press trusted devices into creating trouble, and nothing prevents Black Hats from planting incriminating files, such as child abuse material, on an unsuspecting victim's computer.

Hacking Through the Wall

The more recognized form of breach, popularized by Matthew Broderick in Ferris Bueller's Day Off (changing grades) and WarGames (starting the game Global Thermonuclear War), involves gaining access to a trusted network from outside over the Internet. The corporate perimeter is protected by firewalls, systems that admit only the traffic a policy allows, and by services that demand authentic credentials. The Black Hat probes the edge for defects to exploit. Sophisticated attack tools have been freely available on the Internet since the mid-1990s.

Socially Engineered Breaches

Often, non-electronic methods are simpler and less time-consuming. A hard-to-detect device smaller than a pack of cigarettes and costing less than $35, placed inside a corporate location and plugged into the network, can cause a ruckus.

Unsophisticated social engineering gets the rogue device onto the network. Posing as a copier serviceman, the attacker enters the business on the excuse of a routine inspection and attaches the device to the network port behind a copier. Few would notice it. After it has run for some period, the serviceman returns and retrieves the device, now full of valuable information. The less outgoing simply have the appliance phone home the collected data at a pre-programmed time. Switch port security and 802.1X network access control, which refuse unknown devices on a wired port, are the standard countermeasures.

Get Ready for A Much Larger Picture

The Internet of Things (IoT) was forecast to add another 20 billion devices to the Internet by 2020 (Gartner, 2015). These devices slip into beneficial and crucial parts of our lives. Inexpensive, low-powered, single-purpose and numerous, often shipped with default passwords and never patched, they are an ideal platform for sinister activity to infiltrate and exploit.

The DDoS attack of October 2016 against the DNS provider Dyn used the Mirai botnet: hundreds of thousands of compromised IoT devices, mainly IP cameras and digital video recorders taken over through factory-default credentials, flooded key Internet address resolvers and made Twitter, Reddit, Netflix and many other sites unreachable for hours.

Western Digital cloud-connected backup drives reportedly created an inadvertent attack in the same way: upwards of 100,000 drives carrying the same bad line of code all went to work at once trying to reach a mistyped web address, overrunning key Internet functions in the process. As discussed, threat awareness is the key to not being a mark for Black Hats. Common-sense vigilance, not succumbing to sketchy WiFi networks and not letting convenience outwit your identity, makes you a less attractive target.

Domain Name System

Internet locations use numeric labels, IP addresses, just like phone numbers, to route and establish communications. To make 'dialing' web locations easier, browsers pass domain names (e.g. www.google.com) to a server called the Domain Name System (DNS) resolver. Every device's network configuration carries the address of a DNS resolver, usually supplied automatically by the internet provider. DNS transparently translates the easy-to-remember domain name into an IP address (e.g. 173.194.219.113). DNS is the World Wide Web's phone book, and because the lookup travels as plain UDP by default, whoever runs or can intercept the resolver sees, and can alter, every name a device looks up.
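As an added example (not code from the original article) of what the resolver described above actually does on the wire, here is a standard-library-only A-record lookup: it builds the query packet, parses the answer including DNS name compression, and shows the transaction-ID check a resolver relies on to reject replies it did not ask for. The resolver address 8.8.8.8 and the reply constructed by build_response are assumptions for illustration.

```python
"""Hand-rolled DNS A-record lookup with only the standard library.
Added example, not from the original article; the resolver address and the
constructed reply (build_response) are assumptions for illustration."""
import secrets
import socket
import struct

def encode_name(name: str) -> bytes:
    """'www.google.com' -> b'\\x03www\\x06google\\x03com\\x00' (RFC 1035 wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """One question, type A, class IN, recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def read_name(packet: bytes, offset: int):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 s4.1.4)
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # the pointer is 2 bytes in the record
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end

def parse_response(packet: bytes, expected_txid: int = 0x1234) -> list:
    """Return the IPv4 strings from the answer section (A records only)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if flags & 0x000F:                                 # RCODE, e.g. 3 = NXDOMAIN
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = read_name(packet, offset)
        offset += 4                                    # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = read_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return addresses

def build_response(name: str, addresses: list, txid: int = 0x1234) -> bytes:
    """Constructed reply (flags 0x8180: response, recursion available, no error).
    Each answer's name is a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                       for ip in addresses)
    return header + question + answers

def resolve(name: str, resolver: str = "8.8.8.8", timeout: float = 3.0) -> list:
    """Send the query over UDP/53 to the given resolver (needs network access).
    A random transaction id makes blind spoofing of the reply harder."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, txid)

if __name__ == "__main__":
    print(resolve("www.google.com"))
```

The transaction id is the only thing tying a reply to a request on the wire; a resolver that used predictable ids, or a single source port, is what made cache poisoning practical, which is why real resolvers randomize both.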

Processing millions of queries per minute, internet performance relies on a global network of more than 30,000 public DNS servers across 192 countries [2] being easily accessible with ultra-fast service.

As with all digital resources, accessibility and performance stand in delicate opposition to security risk. For example, a popular and technically light-lift way to cause a ruckus, favoured by anarchists, is to overwhelm DNS servers with floods of bogus queries, slowing or outright denying service.

Well-architected networks place DNS servers geographically close to the user. This also lets governments compel DNS changes on servers located within their borders. During the coup attempt of July 2016, the Turkish government ordered the entries for Facebook, Twitter and YouTube removed from DNS servers under its jurisdiction, effectively blocking the services for anyone who did not know the IP addresses or switch to a foreign resolver. Other countries and corporate networks routinely use the same mechanism to limit access to certain websites.

Another DNS exploit, thankfully requiring more expertise, is hacking the server (or poisoning its cache) and replacing legitimate address entries with evil destinations. The rerouted user lands on a site impersonating the real one, such as a bank, Amazon or even Google. Frequently the bandit site forwards transactions to the legitimate site while scraping key personal information, leaving the user unaware of the breach and giving the bandits more time to profit from their caper. Checking that a name resolves the same way through several independent resolvers is a quick sanity check.

Key and Tunnels

Progressive improvements continue to isolate and counter digital security threats such as these. Secure Sockets Layer (SSL) technology, available since 1995, established website authenticity. Trusted third parties known as Certificate Authorities (CAs), for example GeoTrust (RSA ran one of the earliest), issue certificates binding a public key to a domain name only to the verified site owner. Browsers ship a root store of roughly 150 trusted CA certificates, with many subordinate CAs chained beneath them, and use it to verify the certificate offered up by the target web site. The burden is on the user to heed the warning when a site's certificate does not check out.

SSL uses the X.509 public key infrastructure (PKI) standard. Each site holds a private key whose matching public key is embedded in its certificate; the browser verifies the CA's signature on that certificate against its local root store (no live check with the CA is needed, though revocation status may be queried) and then uses the key exchange to establish a session key. Early versions had real defects: SSL 2.0 (1995) and SSL 3.0 (1996) were eventually prohibited (RFC 6176, RFC 7568) after attacks such as POODLE, and the protocol was renamed Transport Layer Security with TLS 1.0 in 1999 (RFC 2246), followed by TLS 1.2 (2008) and TLS 1.3 (2018). SSL/TLS protects a transaction only if all three parties (user's browser, CA, website) are legitimate, which foreshadows that if any party is hacked the integrity of all is at risk. That has happened numerous times, through sloppy management or technical defects.
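The browser-side checks described above can be stated precisely in code. The following added example (not from the article) shows the weak client configuration that accepts any certificate, which is exactly what a rogue access point needs, beside the hardened one, plus an audit function that reports the difference. probe() is a placeholder for inspecting a real site and needs network access; the hostname in main() is only an illustration.

```python
"""Client-side TLS hygiene: the weak configuration that 'just works' through a
man in the middle beside the hardened one, and an audit of the difference.
Added example, not from the article; the host used in main() is a placeholder."""
import socket
import ssl

def weak_context() -> ssl.SSLContext:
    """What copy-pasted 'fixes' for certificate errors usually do: turn verification off.
    Any man in the middle (a Pineapple included) can then present its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # still accepts deprecated versions
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Verify the chain against the platform root store, match the hostname against the
    certificate, and refuse anything below TLS 1.2 (RFC 8996 deprecates TLS 1.0 and 1.1)."""
    ctx = ssl.create_default_context()                 # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of weaknesses found; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"deprecated protocol versions allowed (minimum_version={ctx.minimum_version.name})")
    return findings

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated (needs network).
    Raises ssl.SSLCertVerificationError if the chain or the hostname does not check out."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with hardened_context().wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "subject": dict(x[0] for x in cert["subject"]),
                    "issuer": dict(x[0] for x in cert["issuer"]),
                    "not_after": cert["notAfter"]}

if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
    print(probe("www.google.com"))
```

Run the audit against whatever context your own HTTP client library builds; a library that lets callers pass verify=False is handing them weak_context() under another name.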

Sloppy Management

CAs have been compromised, forcing thousands of sites to reissue certificates. The best-known case is DigiNotar in 2011, whose fraudulently issued certificates for Google and other domains were used to silently intercept users' traffic; every major browser then removed DigiNotar from its root store. Other hacks like these:

This transactional vulnerability is compounded by the exposure of a single point of trust, the CA. A given CA may be trustworthy, but placing all trust in one third party is risky because it can be breached, spoofed or otherwise compromised, and any one of the trusted CAs can issue a certificate for any domain.

The problem is too large for browser-side vigilance. Heartbleed (CVE-2014-0160), a bug in OpenSSL that let anyone read chunks of a server's memory, private keys included, was disclosed and patched on April 7, 2014. Six weeks later, about 800,000 servers (roughly 8%) were still not patched.

There are solutions, but they rely on establishing a verified relationship with every device and application: a key pair is created for each one and the peers pin each other's keys (mutual TLS, certificate pinning), creating formal 1:1 relationships. A private CA usually provides the key generation and enrolment protocol so the devices can authenticate each other. While highly secure, this does not scale beyond tightly controlled ecosystems such as an enterprise, where every device and user identity can be authenticated and managed. Identity based on trusted third parties is scalable but has real vulnerabilities, which 1:1 key exchange addresses only at the cost of being impractical at Internet scale. Certificate Transparency (RFC 6962), which requires CAs to publish every certificate they issue to public, auditable logs, is the current compromise: it does not prevent mis-issuance, but it makes mis-issuance visible.

OAUTH

A family of delegated-authorization standards lets a site use credentials held by a parent site, acting as trusted third party, to sign a user on and exchange information without ever revealing the user's password to the site. Strictly, OAuth grants access to resources; the OpenID Connect layer on top of it is what provides login. The following specifications, used together, form the most common platform:

Convenience makes this function very popular. For instance, a Google account holder uses their Google identity to log into the OpenTable reservation site. When a reservation is made, it flows back to the user's Google calendar and is emailed to the rest of the party. The benefit to OpenTable is leveraging Google as a trusted third party and eliminating the risk of storing customer passwords. The benefit to the consumer is one set of credentials to remember and the unilateral ability to revoke or limit OpenTable's access at any time from the Google account settings. The benefit to Google is deeper use of its platform through enhanced applications.

Here are the steps taken to establish an OAuth link:

  1. OpenTable registers with Google as a client, receiving a client ID and secret and recording its redirect URI
  2. The user, signed in at Google, approves linking OpenTable with the permitted functions (scopes)
  3. Google issues user-specific tokens to OpenTable for the data transfer; the user's Google password is never shared with OpenTable

There is no dispute that an improperly implemented OAuth flow is insecure, and credible opinion holds that, regardless of implementation, OAuth carries risks. This prompted a 71-page IETF document detailing over 90 threats and countermeasures, written by engineers from Deutsche Telekom, IBM, Oracle and other concerned IETF members. [4]

User Best Practices

Secure sites and transactions are indicated in browsers in various ways, mainly a URL starting with https:// and a lock icon. Check your browser and the sites you regard as secure using free tools from Symantec and Qualys SSL Labs.

Provider Best Practices

All transmissions involving sensitive information, including end-user credentials, authorization codes, access tokens and refresh tokens, must travel over encrypted TLS connections.

For maximal security and interoperability, servers must use only the latest widely deployed version of TLS with cipher suites as recommended by NIST, for example FIPS 140-2 Annex A (Approved Security Functions) and NIST SP 800-52 Rev. 2 (Guidelines for TLS Implementations). [5]

When a load balancer terminates the TLS tunnel, the hop from the balancer to the application server is left unencrypted. The IETF draft OAuth 2.0 Security: Going Beyond Bearer Tokens recommends application-to-application encryption for this case. [6]

The OAuth 2.0 Authorization Framework (RFC 6749) defines four types of "authorization grant" (authorization code, implicit, resource owner password credentials and client credentials) that clients exchange for access tokens, and recommends the Authorization Code Grant (section 4.1) [7], which:

  1. lets the user authenticate directly with the authorization server, so the client never sees the user's credentials;
  2. lets the authorization server deliver the access token directly to the client over the back channel, keeping it out of the browser;
  3. supports both access tokens and refresh tokens.

The requesting client must be registered; signed JSON Web Tokens (JWTs) for client authentication and for carrying the authorization grant, as specified in RFC 7523, are the recommended approach.

To reduce brute-force exposure, authorization servers should rate-limit invalid requests to exchange an authorization code for an access token, and a code should be usable only once.

Limit access token lifetime, and use refresh tokens (which can be revoked) for longer sessions.
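The three steps listed earlier (registration, user consent, token delivery) and the provider practices above fit in one short simulation. This added example (not the article's code, nor Google's or OpenTable's) implements the authorization-code grant with PKCE (RFC 7636) for both parties in the same process; the client id, secret and redirect URI are made-up values and the "redirects" are function calls rather than HTTPS round trips. It shows the state check against CSRF, single-use and time-limited codes, the lockout after repeated invalid exchanges, and a short access-token lifetime.

```python
"""Simulated OAuth 2.0 authorization-code grant (RFC 6749 s4.1) with PKCE (RFC 7636)
between a relying site ("OpenTable" in the text) and an authorization server ("Google").
Added example, not the article's or either company's code; ids, secret and URLs are made up."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ACCESS_TOKEN_TTL = 600    # seconds; short-lived tokens limit the damage from leakage
CODE_TTL = 60             # an authorization code must be redeemed quickly, and only once
MAX_BAD_EXCHANGES = 5     # lock a client id out after this many failed /token calls
CLIENT_ID, CLIENT_SECRET = "opentable-demo", "demo-secret"   # assumed registration values
REDIRECT_URI = "https://opentable.example/oauth/cb"           # assumed callback URL

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class AuthorizationServer:
    """Trusted third party: knows the registered clients, signs the user in, issues tokens."""
    def __init__(self):
        self.clients, self.codes, self.bad_exchanges = {}, {}, {}
    def register(self, client_id, secret, redirect_uri):
        """Step 1 in the text: the site registers and its exact redirect URI is recorded."""
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, params: dict, user_consents: bool) -> str:
        """Front channel (step 2): the user signs in and consents HERE; returns the browser redirect."""
        client = self.clients.get(params.get("client_id"))
        if client is None or client["redirect_uri"] != params.get("redirect_uri"):
            raise ValueError("unknown client or redirect_uri mismatch")
        if params.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        if not user_consents:
            return params["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "challenge": params["code_challenge"], "exp": time.time() + CODE_TTL}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Back channel (step 3): client -> server over TLS; the token never transits the browser."""
        cid = form.get("client_id", "")
        if self.bad_exchanges.get(cid, 0) >= MAX_BAD_EXCHANGES:
            raise PermissionError("too_many_attempts")
        client = self.clients.get(cid)
        entry = self.codes.pop(form.get("code", ""), None)   # single use: consumed even on failure
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        ok = (client is not None and secrets.compare_digest(client["secret"], form.get("client_secret", ""))
              and entry is not None and entry["client_id"] == cid and entry["exp"] > time.time()
              and secrets.compare_digest(expected, entry["challenge"]))
        if not ok:
            self.bad_exchanges[cid] = self.bad_exchanges.get(cid, 0) + 1
            raise PermissionError("invalid_grant")
        self.bad_exchanges.pop(cid, None)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL, "refresh_token": secrets.token_urlsafe(32)}

class Client:
    """The relying site. Secret and PKCE verifier stay server-side; the browser sees only state and code."""
    def __init__(self, server):
        self.server, self.state, self.verifier = server, None, None

    def start(self, scope: str) -> dict:
        self.state = secrets.token_urlsafe(16)       # ties the callback to this browser session
        self.verifier = secrets.token_urlsafe(48)    # PKCE secret; only its SHA-256 leaves the client
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        return {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "scope": scope,
                "state": self.state, "code_challenge": challenge, "code_challenge_method": "S256"}

    def finish(self, redirect_url: str) -> dict:
        """Callback handler: check state, then redeem the code over the back channel."""
        query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not secrets.compare_digest(query.get("state", ""), self.state or ""):
            raise ValueError("state mismatch: callback not tied to a request we made (CSRF)")
        if "error" in query:
            raise PermissionError(query["error"])
        return self.server.token({"grant_type": "authorization_code", "code": query["code"],
                                  "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                  "client_secret": CLIENT_SECRET, "code_verifier": self.verifier})

def new_pair():
    server = AuthorizationServer()
    server.register(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return server, Client(server)

def run_flow(user_consents: bool = True) -> dict:
    """The whole exchange end to end; returns the token response."""
    server, client = new_pair()
    return client.finish(server.authorize(client.start("calendar.events"), user_consents))

def stolen_code_attack() -> list:
    """Eavesdropper holding the redirect (code + state) and even the client secret, but not the verifier."""
    server, client = new_pair()
    code = parse_qs(urlparse(server.authorize(client.start("calendar.events"), True)).query)["code"][0]
    outcomes = []
    for _ in range(MAX_BAD_EXCHANGES + 1):
        try:
            server.token({"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
                          "client_secret": CLIENT_SECRET, "code_verifier": secrets.token_urlsafe(48)})
        except PermissionError as exc:
            outcomes.append(str(exc))
    return outcomes
```

stolen_code_attack() plays the eavesdropper who captured the redirect and even holds the client secret: without the verifier the code is worthless, and after MAX_BAD_EXCHANGES failures the token endpoint stops answering that client id. In production the same logic sits behind HTTPS endpoints; replace the in-memory dicts with a store that can expire codes and tokens.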

Operationally Excellent Trust

Constant corporate and government data breaches are reminders that private information in the care of trustees is not safe.

When asked about emerging competitive technology and products, Equifax (EFX), like many other legacy companies, cites operational excellence and size as able to take on any disruptive threat once it is proven to be one. They prefer to let others take the investment risk, relying on being a fast follower with pockets deep enough to vanquish any startup. If they claim operational excellence, they need to be operationally excellent: information management is EFX's business. Much of that business runs on web application frameworks. Apache Struts, a Java framework for building web applications, reduces time to market, but any framework that parses untrusted input is another attack surface. The flaw that hit EFX, CVE-2017-5638, let an attacker execute commands on the server simply by sending a crafted Content-Type header with a file upload.

In 2017, EFX's compounded mismanagement led to exploitation of this Struts flaw and a privacy breach affecting roughly 147 million people, as detailed below.

Top EFX officials resigned. Congress will update laws and give regulatory agencies such as the Consumer Financial Protection Bureau and the Department of Justice new legal and criminal teeth. State Attorneys General and the class-action industry will pursue EFX for deserved civil penalties in the courts.

3/7/17    Day -67    Apache patches Struts vulnerability CVE-2017-5638 (fixed in Struts 2.3.32 and 2.5.10.1) [8]
5/13/17   Day 0      BREACH: unauthorized EFX access starts [see finding below]
7/29/17   Day +77    EFX observes suspicious activity and blocks it
7/30/17   Day +78    EFX observes more suspicious activity and takes the server offline
8/2/17    Day +81    EFX engages cybersecurity firm Mandiant to conduct a forensic review

Findings

8/22/17   Day +101   DNStination Inc. registers www.equifaxsecurity2017.com
9/7/17    Day +117   36 days after the forensic review began, EFX publicly discloses the breach
9/10/17   Day +120   Domain registrant name changed to EFX and vulnerabilities fixed
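What the "suspicious activity" of 7/29 could have looked like in a web log, as an added example (not from the article and not Equifax's data): CVE-2017-5638 is triggered by OGNL expressions placed in the Content-Type header of a multipart request, so a log format that records that header makes the probes stand out. The log format (Content-Type appended as the last quoted field), the sample lines and the path suffixes are constructed for illustration, and the OGNL fragments in them are deliberately non-functional. The second function encodes the affected version ranges from the Apache S2-045 advisory (Struts 2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1) so a software inventory can be checked against them.

```python
"""Triage access logs for the request shape behind CVE-2017-5638 (Struts S2-045):
OGNL expressions in the Content-Type header. Added example, not from the article;
the log format, the sample lines and the Struts path suffixes are constructed."""
import re
from collections import Counter

# Apache-style combined log with one extra quoted field: the request Content-Type (assumed format).
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ctype>[^"]*)"$')

# OGNL evaluation markers that never belong in a legitimate Content-Type value.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.OgnlContext@", ".(#")
# Paths handled by the Struts filter in this (assumed) deployment.
STRUTS_PATHS = (".action", ".do")

# Constructed sample; the two hits carry harmless, non-functional OGNL fragments.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2017:22:41:03 +0000] "POST /ACIS/upload.action HTTP/1.1" 200 1844 "multipart/form-data; boundary=----WebKitFormBoundaryX"
198.51.100.21 - - [13/May/2017:03:12:44 +0000] "POST /ACIS/upload.action HTTP/1.1" 200 0 "%{(#demo='multipart/form-data').(#cmd='id')}"
198.51.100.21 - - [13/May/2017:03:12:51 +0000] "GET /ACIS/login.action HTTP/1.1" 200 512 "%{(#demo='multipart/form-data').(#cmd='uname -a')}"
192.0.2.55 - - [13/May/2017:04:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 9032 ""
203.0.113.7 - - [13/May/2017:04:05:19 +0000] "POST /api/search HTTP/1.1" 200 77 "application/json"
"""

def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def is_ognl_probe(content_type: str) -> bool:
    return any(marker in content_type for marker in OGNL_MARKERS)

def triage(log_text: str) -> dict:
    """Return {'hits': [records], 'by_ip': Counter, 'unparsed': n}.
    A hit is any request carrying OGNL markers in Content-Type; a hit against a
    Struts-handled path that returned 200 is additionally flagged likely_exploited."""
    hits, by_ip, unparsed = [], Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_ognl_probe(rec["ctype"]):
            rec["likely_exploited"] = rec["path"].endswith(STRUTS_PATHS) and rec["status"] == "200"
            hits.append(rec)
            by_ip[rec["ip"]] += 1
    return {"hits": hits, "by_ip": by_ip, "unparsed": unparsed}

def struts_vulnerable(version: str) -> bool:
    """S2-045 affected Struts 2.3.5 - 2.3.31 and 2.5 - 2.5.10; fixed in 2.3.32 and 2.5.10.1."""
    v = tuple(int(part) for part in version.split("."))
    return (2, 3, 5) <= v <= (2, 3, 31) or (2, 5) <= v <= (2, 5, 10)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["ts"], hit["ip"], hit["path"], "EXPLOITED?" if hit["likely_exploited"] else "probe")
    print("sources:", dict(result["by_ip"]), "unparsed:", result["unparsed"])
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if struts_vulnerable(ver) else "patched")
```

Two months of logs like the second and third lines were sitting on Equifax's servers before anyone looked; a scheduled run of this kind of triage, or equivalently a WAF rule on the same markers, turns the 77-day gap into hours.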

IT as the Product

Instead of supporting products, e-commerce makes IT the product. Many leaders have deliberately leveraged their domain over all things digital, recasting their departments in part or in whole as profit centres. More closely aligned with revenue, this elevates IT to the main finance table, where resources go to the profit centres first to address growth opportunities.

When IT focus must compete between new widgets and maintenance, the profit-centre culture usually prevails. Where this imbalance exists, IT needs a thoughtful recalibration toward the cost-centre side of the equation, resourced first to do the job of securing private information from breach, especially when acting as a trustee. The two-month gap between the Struts patch and the first intrusion at Equifax is what that imbalance looks like in practice.

Replace Trustees with Self-Sovereignty

Without a corresponding identity, personal information has no meaning. This makes identity the prime attack surface for hackers aspiring to take over account functions like bank, email and credit cards.

New disruptive crypto-currency based technologies will profoundly reshape identity.

The concept of self-sovereign identity removes the need for third parties to manage and protect identity. A self-sovereign identity, by its nature, lets the user prove who they are without any third-party verification. It crowns individuals as the sole rulers over the domain of their identity, defeating the trusted-third-party vulnerability.

Emerging standards and technologies provide the solution with these attributes:

Deterministic: individuals control the creation, existence and security of their identity
Impenetrable: cryptographically unbreakable
Transparent: based on open source that anyone can examine
Independent: governments or third parties not required to issue or manage
Ubiquitous: available anywhere the Internet is accessible, or by an authenticated device
Anonymous: personal attributes not required to authenticate the identity
Extensible: usable by any device, including the Internet of Things (IoT)
Permanent: no expiration or revocation
Decentralized: widespread redundancy drives high availability
Distributed: transcends geography and governments
Provenance: built-in audit trail adds authenticity

Trust Based Identity Flaws - The Analog World

Documents like these, issued by trusted third parties, provide identity for specific situations:

Some identities act beyond their intended purpose, serving as trusted authenticators when identity must be proven between unknown parties; a driver's licence presented to enter a bar or cash a cheque, for example. This identity system has served society efficiently and securely for hundreds of years. However, the strength of a trusted-third-party identity relies on the personal details on file with the issuing authority. This creates entanglements like:

Digital theft of stored personal details has become a significant threat.

Trust Based Identity Flaws - The Digital World

With digital exchange and data storage, identity vulnerabilities magnify geometrically. Since the beginning, Internet facilities and software have been targets of hacker exploits.

Distributed Ledgers (a.k.a. Blockchain)

This technology is the foundation for making self-sovereign identities.

Cryptocurrency, with bitcoin as the best-known example, is the application most associated with blockchain. The original blockchain was created and is sustained across thousands of globally distributed full nodes, while a separate population of participants (miners) is compensated in bitcoin (BTC) for solving a new block about every 10 minutes (mining). Bitcoin is proof of concept that blockchain and its child technologies can have significant impact beyond cryptocurrency. Alternative blockchains are available with the same security properties as the bitcoin blockchain plus evolved features. Whatever blockchain(s) prevail long term, they will have the following capabilities.

Security Through Cryptographically Unbreakable Arithmetic

Unlike a certificate issued by a Certificate Authority, the key pair is generated by the owner's own wallet software, with no third party involved:

  1. The public key, or rather its hash, appears in the blockchain as an address holding the related asset (BTC)
  2. The private key is held only by the owner of the related asset (BTC) and signs every spend

This 34-character address (a hash of a public key, not the key itself) is an example of where bitcoin is held:

3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy

Guessing the private key behind an address is hopeless: private keys are 256-bit numbers (about 1.2 × 10^77 possibilities), and even the 160-bit address hash has about 1.5 × 10^48 values, so a brute-force search needs on average 2^159 guesses before hitting any given address. By contrast 2^32 is only about 4.3 billion, a few minutes of work for one desktop PC.
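To put the address above and the guessing arithmetic on a concrete footing, here is an added example (not from the article) that decodes a Bitcoin address with only the standard library: Base58Check decoding, the double-SHA-256 checksum that catches typos and tampering, and the version byte that tells a pay-to-script-hash address (leading '3') from a pay-to-public-key-hash one (leading '1'). The expected_guesses() helper gives the real search space for the 160-bit hash and the 256-bit private key.

```python
"""Base58Check address decoding and key-space arithmetic, standard library only.
Added example, not from the article; ARTICLE_ADDRESS is the sample the article shows."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"   # no 0, O, I, l
ARTICLE_ADDRESS = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
VERSION_NAMES = {0: "P2PKH (pay to public-key hash)", 5: "P2SH (pay to script hash)"}

def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the checksum function used throughout Bitcoin."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def base58check_encode(version: int, payload: bytes) -> str:
    """version byte + payload + first 4 bytes of sha256d(version + payload), in base 58."""
    raw = bytes([version]) + payload
    raw += sha256d(raw)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))       # each leading zero byte becomes a '1'
    return "1" * pad + out

def base58check_decode(address: str) -> dict:
    """Return {'version': int, 'payload': bytes}; raise ValueError on any corruption."""
    n = 0
    for ch in address:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid character {ch!r} for Base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        raise ValueError("too short to hold version, payload and checksum")
    data, checksum = raw[:-4], raw[-4:]
    if sha256d(data)[:4] != checksum:
        raise ValueError("checksum mismatch: typo or tampered address")
    return {"version": data[0], "payload": data[1:]}

def describe(address: str) -> str:
    d = base58check_decode(address)
    kind = VERSION_NAMES.get(d["version"], f"version byte {d['version']}")
    return f"{kind}, {len(d['payload']) * 8}-bit hash {d['payload'].hex()}"

def expected_guesses(bits: int) -> int:
    """A brute-force search over a uniform space needs half of it on average."""
    return 2 ** (bits - 1)

if __name__ == "__main__":
    try:
        print(describe(ARTICLE_ADDRESS))
    except ValueError as exc:
        print("article address:", exc)
    print(f"160-bit address hash: ~{expected_guesses(160):.1e} guesses on average")
    print(f"256-bit private key:  ~{expected_guesses(256):.1e} guesses on average")
    print(f"2**32 for comparison:  {2 ** 32:,} guesses")
```

The checksum is why a mistyped address is rejected by wallet software instead of sending funds into the void; it protects against accidents, not against an attacker who swaps in a different, correctly formed address.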

Security Through Distributed Proof-of-Work

The steps to a bitcoin transaction:

The transaction blocks become highly distributed ledgers residing on thousands of unaffiliated nodes across ninety-three different countries. Rewriting history would require an attacker to outrun the honest network's combined hashing power, sustaining more than half of it for as long as the rewrite must hold. Under proof-of-work [9], the cost of that hardware and electricity far exceeds what the same resources earn by mining honestly, so attacking the system is less profitable than participating in it.

Security Through Transparency

Blockchain software is open source, so anyone can inspect it for back doors. No one owns the code and anyone can contribute, which encourages massive crowd contributions; a great many key technologies of the last 30 years have come from open source groups. Openness does not by itself guarantee correctness: the code still has to be read, and the rules of a chain can change when a majority of its participants adopt a change.

Security Through Incentive Based Crowd Operations

Miners run nodes competing to solve the proof of work necessary to chain the next block. The difficulty was designed to produce new blocks about every 10 minutes. Miners who win the proof-of-work are paid the block reward; on the bitcoin blockchain, miners had collected US$1.8B of value since the start at the time of writing. Miners also process bitcoin transactions, taking a fee. For a sense of size, a typical 24 hours shows:

Miners competing globally create a level of diversity that makes collusion impractical. Compromising the system would require an even larger and better-coordinated mob of "dark" miners to overwhelm a system that reinvents itself every ten minutes. In practice mining pools concentrate hashing power, and a single pool has at times approached a majority, so this property is an economic one that must be watched rather than a mathematical guarantee.

Interesting features are emerging in newer blockchains like Ethereum. Besides holding balances, Ethereum accounts can carry code that runs whenever a transaction targets them. Called smart contracts, these instructions execute deterministically, without delay, without anyone's interpretation and without third-party interference. The flip side is that a bug in a contract executes just as faithfully and cannot be undone, as the 2016 attack on The DAO showed.

DNS Facilities as Primary Distribution Mechanism

SSL, even with its flaws, is too pervasive to change overnight.

The okTurtles Foundation has done significant open-source development on decentralization technologies. They created DNSChain, a blockchain-based DNS and HTTP server that claims to "fix HTTPS security."

With DNSChain, the blockchain replaces the X.509 PKI-based CA: the CAs, the trusted third parties that are the weak link, go away. A 1:1 secure connection is created from the browser to its DNSChain server, which then links to the target web site. No tampering or redirection can take place, provided the client's connection to its chosen DNSChain server is itself authenticated (for example by pinning that server's public key); otherwise the DNSChain server simply becomes the new single point of trust.

Legitimate site owners publish their own self-signed certificates to the distributed ledger, signing the entry with their private key to certify authenticity.

DNSChain is proof of concept that distributed-ledger capabilities can address problems that will eventually require security based on distributed mathematics rather than the current faith-based system, leaving no single party to attack.

End Notes

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation); the companion Directive (EU) 2016/680 of the same date covers personal data processing by law-enforcement authorities
[2] Public DNS Server List
[3] Internet Engineering Task Force (IETF), The OAuth 2.0 Authorization Framework, RFC 6749, October 2012
[4] Internet Engineering Task Force (IETF), OAuth 2.0 Threat Model and Security Considerations, RFC 6819, January 2013
[5] NIST, Security Requirements for Cryptographic Modules, FIPS PUB 140-2
[6] Internet Engineering Task Force (IETF), OAuth 2.0 Security: Going Beyond Bearer Tokens (Internet-Draft)
[7] Internet Engineering Task Force (IETF), The OAuth 2.0 Authorization Framework, RFC 6749, October 2012 (same document as [3])
[8] NIST National Vulnerability Database
[9] Dr. Adam Back, 1997 proposal (Hashcash) to use computational cost to combat denial of service (DoS) attacks and curb spam email; the term "proof of work" was coined and formalized in a 1999 paper by Markus Jakobsson and Ari Juels

