Thursday, April 17, 2014

iOS clients not vulnerable to Heartbleed. What does the source say?



Apple's language in their assertion that they are not vulnerable to heartbleed on iOS are troubling as they specifically say (via ReCode), "IOS and OS X never incorporated the vulnerable software..."  However, not incorporating the vulnerable OpenSSL software is merely one way that their customers could have been made vulnerable.  What about the Apple SSL/TLS implementation?  Has anyone checked it?  Did they incorporate RFC 6520 for heartbeat support?  I couldn't find anything Google so figured I would share what I found.

Since the Apple SSL library code is open sourced, we can actually look at the code.  And based on my read of the code, Apple doesn’t even implement the heartbeat extension. http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslHandshake.h doesn’t even define the heartbeat helloextension code 15 in the data structure:

/* Hello Extensions per RFC 3546 */
typedef enum
{
 SSL_HE_ServerName = 0,
 SSL_HE_MaxFragmentLength = 1,
 SSL_HE_ClientCertificateURL = 2,
 SSL_HE_TrustedCAKeys = 3,
 SSL_HE_TruncatedHMAC = 4,
 SSL_HE_StatusReguest = 5,

 /* ECDSA, RFC 4492 */
 SSL_HE_EllipticCurves  = 10,
 SSL_HE_EC_PointFormats = 11,

    /* TLS 1.2 */
    SSL_HE_SignatureAlgorithms = 13,

    /* RFC 5746 */
    SSL_HE_SecureRenegotation = 0xff01,

 /*
  * This one is suggested but not formally defined in
  * I.D.salowey-tls-ticket-07
  */
 SSL_HE_SessionTicket = 35
} SSLHelloExtensionType;

Then in the implementation http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslHandshakeHello.c, they actually only support one extension, SSL_HE_SecureRenegotation. All others return an error code.

     switch (extType) {
            case SSL_HE_SecureRenegotation:
                if(got_secure_renegotiation)
                    return errSSLProtocol;            /* Fail if we already processed one */
                got_secure_renegotiation = true;
                SSLProcessServerHelloExtension_SecureRenegotiation(ctx, extLen, p);
                break;
            default:
                /*
                 Do nothing for other extensions. Per RFC 5246, we should (MUST) error
                 if we received extensions we didnt specify in the Client Hello.
                 Client should also abort handshake if multiple extensions of the same
                 type are found
                 */
                break;
        }
So, it appears from the library code that they would not be vulnerable to this bug at all.

Sunday, April 13, 2014

Using VNC to securely connect to OSX without exposing an unlocked console

I couldn't believe how supremely difficult it is to securely use VNC to access an OSX mac remotely.  Turns out that by default, using a standard VNC client (as opposed to an Apple Remote Desktop client) does not afford you an option to have the physical console lock when someone connects to the VNC server.  Some third-party clients make this an option, but all that I could find were paid VNC clients that support it.  It is somewhat ridiculous that this setting is left to the client rather than enforced on the server, but I digress...

I tried a few things suggested, such as enabling the screen saver or screen blanker, but those did not solve the problem as they did not differentiate between the VNC session and the physical desktop session so applied equally (the only states that were valid were either both unlocked or both locked).  Other options people suggested were to just turn the screen brightness all the way down.  This is security through obscurity though (the display is still unlocked and anyone who can get to your mouse/keyboard could mess with your computer, they just would be blind to what's on the screen).  It also seems problematic for usability (imagine you turn the brightness down and then come into the office the next day; how are you supposed to see the screen when you login if the brightness is still forced to the minimum?)

The solution I found that had the right security and usability properties was to use fast user switching + the Vine VNC Server.  This enables you to have a different set of content on the physical display from what you see remotely on VNC.  Unfortunately, fast user switching with the Apple VNC "Screen sharing" server doesn't work.  It mirrors your display exactly to the VNC display so does not allow you to have separate physical and remote displays.  I presume that's why it has a name like "Screen sharing".  It's also not surprising that this doesn't quite work as well outside of the Apple monoculture.
  1. Download and install Vine VNC Server
  2. Enable Fast User Switching on the mac
  3. Enable fast user switching on OSX Mavericks
  4. Connect to Vine VNC Server on OSX with any VNC client (e.g. on port 5901).  I configure Vine to require SSH so it doesn't listen to any remote port and requires SSH port tunneling to use it.  Less attack surface.
  5. Go to the fast user switching menu and select "Login Window..."  When you do this, the physical display will change to the login screen but the VNC window will remain unlocked and functional, as desired.
Switch to login screen


I get an IRS scam voice-mail

Had to share this hilarious voice-mail I received from an IRS scammer (happened to come in with Unknown caller ID -- I read online that others had been spoofing US phone numbers for caller ID in the past). The transcript does not do it justice.  I laughed out loud when I heard the phrase, "and you get arrested" as that is precisely what one would expect to hear from the IRS.


They actually tried calling me back and I got to talk to one of the people that afternoon, but my crummy cell service in my office resulted in the call dropping before I could chat with them too much. I told them that I didn't believe them that they were from the IRS. Maybe they'll call back again this week?

I plan on reporting it, as suggested.  Head over to the IRS Tax Fraud Alerts page.  Perhaps the best channel will be via their Phishing page.  The IRS warning regarding this scam provides some information but there is of course no direct links to report the issue.  I wonder if the 20,000 that reported it are a small fraction of those victimized since it's so difficult to find a way to report it?  They also suggest lodging a complaint with the FTC as well, but that is also somewhat difficult to determine how to categorize it for reporting.

See also: "IRS monitor: $1 million phone scam 'largest ever' - Mar. 20, 2014 ." Last modified 04/14/2014 05:10:31. http://money.cnn.com/2014/03/20/pf/taxes/irs-phone-scam/ (accessed 4/13/2014).


Transcript

Good morning. This is Willy ["Villy"] Mandersen, calling you from Internal Revenue Service...Crime Investigation Department.  The nature and the purpose of this call is just to let you know that....we have received...a legal petition notice...against your name...under your social security number. So, before this matter goes to the Federal claim court house...and you get arrested, kindly call us back at (866) 978-8320. I repeat (866) 978-8320.  Remember, don't disregard the message...as it is very important for you.  And if you don't return the call, then the situation will be worse. So take care about it, and call us back as soon as possible. Goodbye.

Tuesday, October 8, 2013

What's wrong with the Amazon mp3 store on Android?

First, I'm a big fan of amazon mp3.  They offer high-quality DRM-free music that plays on anything and often at very competitive prices.  And they make it very easy to spend a good amount of money and get some quality music.  Their suggestions and free content have also been where I've discovered lots of new artists, such as ZZ Ward.

But I absolutely abhor shopping for mp3s on my mobile phone on Amazon's mp3 app.  Their interface on mobile only gives you these features:
  • Search
  • Recommendations
  • Bestsellers
  • New Releases
  • Genres
  • And some individual highlights, such as a $0.69 song, Latin song, Hot Single, one Free Song, a $5 album, a Song of the week, and an Album of the week
Amazon mp3 store in Chrome on Android
Amazon mp3 Android UI
Amazon mp3 desktop website
All of the categories let you view by Album or Songs.  And one of the first annoying things is that there is an arbitrary limit of 100 items in each of the categories.  What song/album is the 101st New Release?  What if I want to keep shopping down the list?  What if I own or don't care about the top 100?

Grievance list:
  • 100 item arbitrary limit, regardless of the category, with no way to keep scrolling for more.  Although I do see that even the desktop site caps the list at this arbitrary number.  Lame x 2.
  • No way to view song/album reviews, other than a static star-list.  This is one of the highlights of the Amazon mp3 experience on the desktop that I find most useful (and often entertaining).
  • No way to rate songs/albums on mobile.  Oops, a prerequisite for contributing (or benefiting) from the crowdsourced content is that you must first go to Amazon and buy a PC.
  • No access to the sub-lists within the category.  One of my favorites has been the Top 100 Free lists.  Another fun one is their monthly $5 albums list.  I've found some great artists just perusing those lists.  But sadly, on mobile you have no inkling they even exist.  At least their HTML website on mobile has those (but even then the UI takes many cues from the mobile application).
  • No child lock.  At least Amazon VOD on my Roku has a PIN code that I need to enter before purchasing videos to keep my kids from draining my bank account.  Be careful who you give your phone to!
  • What you miss out on from the desktop site:
    • Hot New Releases
    • Movers & Shakers
    • Top Rated (another failure to enable social media to help drive sales)
    • Featured Albums, Editor's picks, Artists on the rise, etc. (no ability to take advantage of Amazon's music buyer curation, which is quite good.  I've found lots of good music that way)
    • Customers who viewed/purchased X also viewed/purchased Y
    • All of the "deals" lists.  You get only a light mist of them.  
  • No wish list integration.  Where's a list of the music on my wish list?  Can I add an item to my wish list rather than just buy it now?
  • Lack of a Play All button to play all samples.  The desktop site has it.  You somehow have to know that it will automatically play all (but this doesn't give you a choice to listen to one without listening to all)
  • Lack of larger cover art.
I gave their HTML website a whirl in Chrome on Android and, although better in a few areas, it still has some of the annoying limitations that drive me back to a PC (the most annoying is when the _functionality_ of the site is artificially pruned, so you don't even know it exists).  I would love to get rid of my PCs and have nothing but tablets, but all too often the mobile experience on apps is completely butchered and hobbled to the point where you often have no choice but to fake a desktop browser or just open up the laptop.  But I digress.

What they did right:
  • Long-press context menu on an item lets you "Shop album" or "Shop artist".  Nice way to explore "more"
  • Music previews good quality and have continuous play for sampling
  • Convenient to quickly purchase songs/albums you just heard.
I could rant about the cloud player annoyances, but they are far fewer.

Where Google Play Music Store on Android shines:
  • Clean, intuitive UI with swipe interaction model
  • Infinite scrolling lists of Top Albums, Top Songs, even Recommendations, etc.
  • Wish list integration
  • Free-music lists
  • Personalized recommendations right on the home screen based on genres and artists in your existing collection
  • Video integration
  • Clear Play All button to play all samples.
  • Larger thumbnails and ability to click and see a larger version you can actually see
  • You can read the reviews!!!  And contribute your own.  And moderate the reviews.
  • Integration with Google+ for sharing/liking content.  Would be nice if there were other options than Google+ though.
  • Integration with Android Share to send via twitter, email, etc.
  • Parity with the desktop site (it's the same thing, only with more real-estate)
Google Play Music Desktop site
Google Play Music App on Android
Google Play Music is rather annoying for purchases, especially forcing you to go through the same workflow for free songs as if you were "buying" them (really works to discourage "buying" multiple Free tracks, which may have been a business requirement -- I don't know).  Too many clicks (even on the desktop).

At this point, what I would wish for these things to be fixed:
  • Update the UI to take advantage of mobile capabilities and gestures.  Swipe from tab to tab to fluidly navigate
  • Remove the 100 item cap and make everything infinite scroll lists.
  • Abandon the "mobile crippleware" design strategy that so many have fallen in love with and maintain parity with the desktop site for accessing all of the same content.  If you are concerned about UI bloat, there are ways of handling that (just look at Google's approach for one).  I prefer to have the options available _somewhere_ even if hidden in another menu somewhere.
  • If you can't get the functionality into the mobile app, at least enable links into the mobile web version of the site from the Android app to allow for accessing the functionality
  • Remove the "mobile crippleware" design strategy on the mobile website to also maintain parity with the desktop site.
  • Take advantage of the curated content to drive sales!
  • Take advantage of user feedback and your preferences engine that works rather well on the desktop site to enable social exploration of other users who may have similar tastes to discover new music.  
  • Enable social integration.  I've often wanted to share a song I just heard or a playlist publicly but cannot
  • Push notifications could be employed in a limited way (ideally, fully user customizable) to notify when the new $5 list of albums are out, new free songs, highlighted curated content, etc.  I'd sign up for them.
  • Here's an idea, since you have access to the Android media list, you could maybe actually recognize in the UI when I've already purchased a given album/song (either from Amazon or elsewhere).  You don't even do that for stuff in my Cloud Player for some strange reason.

Wednesday, September 25, 2013

Seattle-area segregation

The Best Map Ever Made of America's Racial Segregation | Wired Design | Wired.com

White people seem to love them some waterfront property in Seattle.  This is fascinating.  Go check out your neighborhood on the map.  There are clearly pockets of similar ethnicity divided by street boundaries.


Humorous "Page Not Found" error page

This is great!

Wednesday, September 18, 2013

Information Warfare via URL shorteners

As I've used Twitter more, I've noticed how many of the shared URLs are shortened. And to think that the Library of Congress is archiving all US tweets, how many will actually be usable at some point in the future? Hopefully their process logs the resolved actual URL instead of the shortened one. When I restored my blog, it was amazing how many broken links I found. I stopped fixing them. That's just the regular web. Adding URL shortening is another level of indirection that is also another failure point.

As an information security guy, there's another downside and that is just how secure are the shortened URLs now and long into the future from malicious redirection, including information warfare? Shortened URLs give a single entity enormous power into the future to do some pretty bad stuff. And I was wondering about the choice of Top-Level Domains (TLDs) that are used for URL shortening services. Just how stable are those politically? What kind of information warfare opportunities are there? Which URL shorteners have better security properties given all of the possible attack vectors?  How powerful a political statement would it be if all of the shortened URLs were replaced by a political statement or terrorist threat for almost everything referenced on Twitter?  You'd be able to gather a lot of eyeballs and press by doing that to get your message out.
  • bit.ly and ow.ly - both very popular on Twitter (as well as several others using .ly). The LY top-level domain is controlled by Libya. I can't see a problem with them controlling where my links go now or sometime in the future, do you? Information warfare, anyone? Libya is on the US State Department's list of travel warnings, with this summary of the stability of the region, "The security situation in Libya remains unpredictable. Sporadic episodes of civil unrest have occurred throughout the country." 
  • su.pr - Stumbleupon's url shortener service. The PR TLD is Puerto Rico, an unincorporated US territory. So it probably would be more likely to have reasonable protection from information warfare except of course at the behest of our own US government
  • cli.gs - this shortener service got hacked in 2009.  The GS TLD is for South Georgia & South Sandwich Islands, which is a British territory, so presumably it is relatively stable and western-friendly.
  • goo.gl - a newer entrant, run by Google. The GL TLD is Greenland, which is part of the Kingdom of Denmark.  Interestingly, Denmark is "frequently ranked as the happiest country in the world in cross-national studies of happiness", Wikipedia
  • is.gd - A service that has an interesting terms of service about being an ethical URL shortener. The GD TLD is actually Grenada The world bank publishes XML data apparently that includes probability of political instability/terrorism for various countries, including Grenada. The current data shows a measure of the Political Stability and Absence of Violence (PV) – "capturing perceptions of the likelihood that the government will be destabilized or overthrown by unconstitutional or violent means, including politically-motivated violence and terrorism." of 0.44. However, the USA's data is continuing up and also has a 0.54. Earlier this year, the .gd domain and two others were also hijacked due to a dispute over control ov"er the TLDs. 
  • tr.im - a shortening service that shut down in 2009 (but appears to possibly be back?) 
Given these factors, I'd first suggest you run your own shortener service if you want full control and assurance of longevity (assuming you can build and operate such a thing securely).  But if you had to pick a service, I'd go with a service running on a stable TLD registrar not likely to be subject to political wills of the host country and hosted by a company not likely to be going anywhere for the next few decades.  Or just consider all communications using URL shorteners to be ephemeral and consider the likely non-functioning in the future a security precaution against future government snooping, perhaps.

On URL Shorteners is a discussion of the risks and issues with shorteners from 2009

Some other takes on them from around the web that summed up some of the general thoughts I had about them (if you care about your content being usable down the road and care about whether someone could take your visitors for a ride to malware-town)

An Unwelcome Reminder of the Nature of URL Shortening Services, "if you care about the long-term survival of your external links, steer clear of URL shortening services, no matter how convenient they may at first appear."

Why I'm creating my own URL shortening service "I suppose that one of the driving forces behind this is my training as an archaeologist (we don’t like throwing things away, generally, and that includes data). I can’t archive the pages I link to, but at least I can give folks in the future a better chance of finding what I’m linking to."