Some Security Bits

We’ve known for a while that China has a big computer security hacking and backdoor operation against, well, against everyone. The USA. The Rest Of World. Their own people. So no big surprise when bits of it get uncovered. Here’s an older bit:

http://www.theregister.co.uk/2013/07/19/huawei_cia_boss_accuses_spying/

So a couple of years back a Chinese company named Huawei was caught with its fingers in the electronic cookie jar:

Former CIA and NSA head says Huawei spies for China

Only chap to head both spook agencies rates company ‘unambiguous national security threat’

9 Jul 2013 at 06:03, Phil Muncaster

Michael Hayden, a former head of the CIA and the NSA, has openly accused Chinese networking giant Huawei of spying for China in a move likely to further inflame tensions between the US and China over state-sponsored hacking.

Retired four star general Hayden told the Australian Financial Review that “at a minimum, Huawei would have shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with. I think that goes without saying.”

Asked “Does Huawei represent an unambiguous national security threat to the US and Australia?” General Hayden replied “Yes, I believe it does.”

Now just to be fair, we also know that the likes of AT&T, Cisco, Microsoft, Juniper and others have their own big pipes installed for the NSA et al., and that the US Government just loves having gear pre-hacked for it (see the Snowden leaks for details). So it isn’t like China is doing anything it didn’t learn from watching how the USA was trying to hack them…

“Two or three years ago Huawei was trying to establish a pretty significant footprint here [in America]. And they were trying to get people like me to endorse their presence in the US,” he told the Aussie paper.

“I reviewed Huawei’s briefing paper. But God did not make enough slides on Huawei to convince me that having them involved in our critical communications infrastructure was going to be OK. This was my considered view, based on a four-decade career as an intelligence officer.”

Hayden, who headed up the NSA from ’99 to ’05 and was in charge at Langley from 2006 to ’09, isn’t exactly deviating from the US line on Huawei although he is the first high profile official, or former official, to publicly accuse the Shenzhen firm of spying.

A US House of Representatives committee famously branded the handset and telecoms kit maker, along with its near neighbour ZTE, a national security risk in a high profile report in October 2012.

Aussie politicians responded by banning Huawei from bidding on the National Broadband Network (NBN) project.

The UK, on the other hand, has welcomed the firm with open arms, prime minister David Cameron even hosting founder Ren Zhengfei at Downing Street after he announced a £1.2bn investment in the country.

Though it looks like the U.K. has likely “cut a deal” for information sharing… just my opinion, of course…

But time passes. A bit later on:

http://www.theregister.co.uk/2014/03/23/nsa_huawei_hacking_snowden_report/

US saves self from Huawei spying by spying on Huawei spying

Snowdenistas say NSA hacked Chinese company, accessed source code

23 Mar 2014 at 22:24, Simon Sharwood

Oddly, despite being a year later, it has the same picture for the graphic element…

Maybe this is why the US government is so certain Huawei is bad news: Snowdenistas at The New York Times and Der Spiegel have reported another communiqué from their source-in-exile – this time to the effect that the United States National Security Agency penetrated Chinese networking equipment vendor Huawei and monitored its communications.

The reports suggest an operation called “Shotgiant” tried to access Huawei source code with the intention of installing back doors the NSA could use.

Putting back doors in place was seen as a good idea because some NSA targets used Huawei kit. NSA officials also liked the idea of a back door as a way to determine if Huawei kit was sending any information back to China.

The NSA’s attacks on Huawei are reported to have also yielded a tap on communications among senior executives.
[…]

That the USA seems to have decided the best way to protect itself from the threat of state surveillance posed by Huawei by using state surveillance to compromise Huawei is, however, a rich irony.

Quis Hackiat Ipsos Hack-es?

And folks wonder why I have my “overly cautious” attitude about equipment and spying…

Then there’s this bit of fluff that basically says “be afraid, be very afraid” no matter what the spy vs spy story really is:

http://www.wired.com/2012/10/spies-or-no-spies-u-s-companies-should-fear-huawei/

AUTHOR: MARCUS WOHLSEN, BUSINESS. DATE OF PUBLICATION: 10.08.12.

SPIES OR NO SPIES, U.S. COMPANIES SHOULD FEAR HUAWEI

Though it is from before the above “evidence”, so maybe just a bit prescient…

Think maybe it’s only one obscure Chinese telecom company? Think your IBM / Lenovo Laptop is OK?

http://www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban/

Western spooks banned Lenovo PCs after finding back doors
Report suggests ‘Five Eyes’ alliance won’t work with Chinese PCs

29 Jul 2013 at 03:45, Phil Muncaster

Chinese PC giant Lenovo has been banned from supplying kit for the top secret networks of western intelligence agencies after security concerns emerged when backdoor vulnerabilities were detected, according to a new report.

Unnamed intelligence and defence “sources” in the UK and Australia confirmed to the Australian Financial Review that a written ban was slapped on the firm almost a decade ago in the mid-2000s. The timeframe offered matches Lenovo’s 2005 acquisition of IBM’s PC business.

Serious backdoor vulnerabilities in hardware and firmware were apparently discovered during the tests which could allow attackers to remotely access devices without the knowledge of the owner.

The ban applies to various agencies in the Five Eyes alliance (UK, US, Canada, New Zealand and Australia) where such rules are normally implemented across the board given the interconnected nature of some of their classified networks, AFR said.

So, did you “get the memo” from YOUR government that you were hacked, bagged and tagged if YOU bought a Lenovo laptop? No? Gee… I wonder why…

“A backdoor for one is a backdoor for ALL! – E.M.Smith”

Why would any security agency EVER want to make public a nice big fat back door into all sorts of equipment? Just a little bit of router jiggery pokery and it routes the access to The Agency…

So the warning dates to 2005-ish, was published in that magazine in 2013, and in 2016 we have precisely crickets at the local laptop sales store, and shipments of Lenovo equipment never even slowed down. Just not allowed into sites that actually expect to have some security, that’s all. But no, their charter does not include protecting YOU from being hacked, silly person…

GCHQ, MI5, MI6, the Australian Security Intelligence Organisation, the Australian Secret Intelligence Service, and the NSA were all named as participating in the Lenovo ban. However, it only applies to the most highly restricted networks and the Chinese firm remains a significant government IT provider to other government agencies in these countries.

The revelations will be a concern for private businesses, just as was the US Congressional report on Huawei and ZTE last year which branded these Chinese firms a national security risk.

It’s unclear whether the results of the government testing of Lenovo kit were ever shared with the private sector, although Lenovo’s position as the leader of the global PC market would seem to suggest not.
[…]

Then there is the simple home WiFi Router class equipment:

http://thehackernews.com/2014/08/hardcoded-backdoor-found-in-china-made_27.html

HardCoded Backdoor Found in China-made Netis, Netcore Routers
Wednesday, August 27, 2014 Swati Khandelwal

Routers manufactured and sold by a Chinese security vendor have a hard-coded password that leaves users with a wide-open backdoor that could easily be exploited by attackers to monitor the Internet traffic.

The routers are sold under the brand name Netcore in China, and Netis in other parts of the world, including South Korea, Taiwan, Israel and the United States.

According to Trend Micro, the backdoor — a semi-secret way to access the device — allows cybercriminals the possibility to bypass device security and to easily run malicious code on routers and change settings.
[…]
The Netcore and Netis routers have an open UDP port listening at port 53413, which can be accessed from the Internet side of the router. The password needed to open up this backdoor is hardcoded into the router’s firmware.

All of the routers – sold under the Netcore brand in China and as Netis outside of the country – appear to have the same password, Tim Yeh, threat researcher at the security firm, says, warning that the backdoor cannot be changed or disabled, essentially offering a way in to any attacker who knows the “secret” string.

Using the backdoor, hackers could upload or download hostile code and even modify the settings on vulnerable routers in order to monitor a person’s Internet traffic as part of a so-called man-in-the-middle (MitM) attack.

Anyone with a network sniffer on that router will see the password go by if it is accessed, then they, too, can use it. More hard core folks can just de-compile the firmware and go string hunting…

The researchers scanned the Internet and indicated that millions of devices worldwide are potentially vulnerable.

“Using ZMap to scan vulnerable routers, we found more than two million IP addresses with the open UDP port,” Yeh wrote in a blog post. “Almost all of these routers are in China, with much smaller numbers in other countries, including but not limited to South Korea, Taiwan, Israel, and the United States.”

Exploiting this flaw is not too difficult, as a simple port scan can reveal the open UDP ports to anyone using such an online tool.

In addition, Trend Micro also found that a configuration file containing a username and password for the web-based administration panel on the router is stored with no encryption protection, allowing an attacker to download it.

Though by now it ought to be posted on hacker boards and free for all (or at most a couple of dollars).
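The one thing a defender can do about a router like this, short of replacing it, is watch the WAN side for anything arriving on that port and drop it upstream. The check below is an added example, not code from the original post or from Trend Micro: it parses constructed netfilter LOG-style syslog lines and flags inbound UDP datagrams to 53413 on the Internet-facing interface (the interface name `eth0`, the addresses and the log lines are all assumptions).

```python
"""Detection check for the Netis/Netcore backdoor port described above.

The article says the routers listen on UDP 53413 on the Internet-facing side.
This added example flags WAN-side traffic to that port in firewall logs and
prints an upstream drop rule.  All sample data below is constructed.
"""
import ipaddress
import re

BACKDOOR_PORT = 53413   # from the Trend Micro report quoted above
WAN_IFACE = "eth0"      # assumption: name of the Internet-facing interface

# RFC 1918 ranges: a source outside these is an Internet-side host.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample syslog lines in iptables/netfilter LOG format (not real).
SAMPLE_LOG = """\
Aug 27 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=40001 DPT=53413 LEN=40
Aug 27 10:01:03 gw kernel: IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=50000 DPT=53 LEN=40
Aug 27 10:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=443 DPT=53413 LEN=40
Aug 27 10:01:07 gw kernel: IN=br0 OUT= SRC=192.168.1.33 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=1234 DPT=53413 LEN=40
Aug 27 10:01:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=53413 DPT=53413 LEN=40
Aug 27 10:01:11 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=2222 DPT=53413 LEN=40
"""

FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")


def parse_line(line):
    """Return the netfilter key=value fields of one LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def find_backdoor_hits(log_text, wan_iface=WAN_IFACE, port=BACKDOOR_PORT):
    """Flag inbound UDP datagrams to the backdoor port on the WAN interface.

    LAN-side traffic and other protocols are ignored.  Each hit records the
    source and whether it lies outside RFC 1918 space, i.e. whether the port
    is actually being reached from the Internet as the article describes.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("IN") != wan_iface:
            continue
        if f.get("PROTO") != "UDP" or f.get("DPT") != str(port):
            continue
        src = ipaddress.ip_address(f["SRC"])
        hits.append({"src": str(src), "external_source": not is_rfc1918(src)})
    return hits


def mitigation_rule(wan_iface=WAN_IFACE, port=BACKDOOR_PORT):
    """Upstream firewall rule (iptables syntax) dropping the port on the WAN
    side: a workaround for firmware that cannot be fixed, not a cure."""
    return f"iptables -A INPUT -i {wan_iface} -p udp --dport {port} -j DROP"


if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print(hit)
    print(mitigation_rule())
```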

All in all, enough to cause a fellow to start hacking together his own WiFi routers and DNS servers and such from boards like the Raspberry Pi that are too dumb to be backdoored effectively. (I.e. it only knows how to boot the bootloader you hand to it… and you can examine the source code for that bootloader and / or recompile it yourself if desired).

Phones, btw, are in the same basic boat.

Which is why there is this small ray of hope:

A Secure Phone?

Though I tend to choke up just a bit at the potential oxymoron of “Secure Android”, in theory it IS possible, but would take a LOT of work. Still, it might be true…

http://www.zdnet.com/product/silent-circle-blackphone-2/#!

By Zack Whittaker | September 28, 2015 — 05:00 GMT (22:00 PDT)

There are two things certain in life — death and taxes. But you can take a bet on a third: there’s almost nothing that’s unhackable.

In the wake of revelations of government surveillance and a nearly endless stream of reports of hacks and data breaches, there’s a reason to be paranoid. All too often hackers or spy agencies find a way into the most popular devices, but that’s where Geneva-based secure phone maker Silent Circle wants to make it almost impossible.

Blackphone 2, the company’s second generation security phone, builds on the successes of its debut incarnation by bolstering privacy and security features, while not compromising on what many want in a modern smartphone. It’s available to buy now globally for $799 (about £525 or AU$1,140).

I like the source. I like the idea. Under “cons” they list no support for secure encrypted email, but I’m OK with NOT using my phone for email. Separation of tasks means both are more secure and one hack does not compromise both.

Is this a hack-proof phone? It’s not and it doesn’t pretend to be, said Javier Aguera, Silent Circle chief scientist, at a meeting in London. But by patching up the conventional ways that a hacker (or government spy) can attack, the Blackphone 2 goes far above and beyond in securing your data than any other smartphone on the market today.

SECURE TO THE CORE

By far the most important feature of the phone is its security — through and through. The Blackphone 2 acts like any other Android phone, but with a twist: it also runs Silent OS, an enhanced version of Android 5.1.1 Lollipop operating system, which adds a number of additional security features to the device. (Silent OS is the renamed successor to the “PrivatOS” used on the previous Blackphone.)

This second-generation phone also includes for the first time Google’s own services, like Drive, Gmail, Photos, and even the Play app store — meaning you can download all manner of mainstream third-party apps. That might have some heads scratching: An unfortunate truth is that many of the apps and services you use are not working in your favor, by containing security flaws or sucking up your valuable data to better serve ads. So how can Google’s services, which collect vast sums of data on its users, coexist with a privacy-based phone?

The key to the Blackphone 2’s success is a security umbrella feature, which combines a series of granular controls without compromising the overall experience.

OK, so it comes with Google Pre-Hacked “all your data are belong to us” Apps. You don’t NEED to use them…

AND these folks have thought of that and provide a little bit of hand holding for the novice in the world of spy vs spy:

Take the new (and aptly-named) Security Center, which sits in the bottom-right of the home screen, ready to take orders from the user — not the individual app, which has for all too long called the shots. The goal of this central port-of-call is twofold: to help users separate and compartmentalize apps and services, while offering an overarching and comprehensive set of controls over your phone’s features and functionality, superseding all other options buried deep in the phone’s settings.

There’s also the new Spaces feature, which allows users to build isolated, secure areas. Similar to setting up a new user profile on a computer, the Blackphone 2 has a bevy of finely-tuned options that customize the space’s apps, settings, and even networks to connect to, and the space’s lock-screen passcodes. The feature physically cuts off your data from other spaces, meaning if an app (which all too often can come with backdoors or malware) is compromised, it can’t get access to anything else outside that space. That means you can have a dedicated space for that sketchy game you downloaded and make sure it doesn’t touch those mission-critical apps, such as your bank, mobile wallets, or email accounts. If you’re particularly averse to Google’s data collection, you can create a walled-off space away from the stock Android or Google apps. Think of it as the incognito mode in the Chrome browser that’s extended to other apps as well.

All in all, I like it. I like it a lot. It’s the kind of thing that makes me feel all warm and fuzzy that somewhere else in the world is some other person who actually thinks privacy matters.

Yes, it is still up to YOU to configure things so as to stay secure, and it is still up to YOU to not use all sorts of GPS beacons and blab everything onto Facebook. But with a tiny bit of self control, it at least gives you the tools to have things secure against the constant onslaught of crap.

I’d been planning on making my own phone as the personal “next step”, but these folks are already a couple of years of work ahead of me on securing the phone. At this point, I’m more likely to buy one of theirs and spend my time locking down the WiFi Routers / compute servers / desktops that I use day to day.

As I send email from them (and from a dedicated card / PC anyway) I’m not too bothered by their lack of an encrypted Email client. Besides, “there’s an app for that”, or will be soon from someone…

With that, I now return you to your slightly more paranoid computer user life… and remember:

“Chinese Computers and Routers? Just Say NO!!”…

and the same thing to PRISM program members like Microsoft, Cisco, etc.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present “hot buttons” are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

12 Responses to Some Security Bits

  1. Larry Ledwick says:

    Plenty more where those items came from. I have already posted this in tips a while back but it will be easier to find here in a security related post.

    http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/

    I also balk when I find critical network hardware is made in China. Too bad there is no trustworthy 3rd party who validates hardware, something like consumer reports but implemented by EFF (Electronic Frontier Foundation) or someone similar who would poke and probe stuff and then publish how to lock down guides for various bits and pieces.

    Perhaps we need an open-source effort to establish secure devices and publish results of hack attack contests on the equipment (after appropriate prenotification to the manufacturers to close the holes.)

    Some of that is covered by CERT and Wired and similar sources but you would have to pretty much live online doing nothing but keeping up with that stuff to get the cut to the chase executive summary on what piece to use and if it has any issues.

  2. John Howard says:

    Brings to mind the SETI Institute, and the unsuccessful search…

  3. E.M.Smith says:

    @Larry:

    Yeah, loved the subtlety of the Elliptical Curve weakness… rather like the Microsoft broken 3DES where the last bits were all zeros and the crack difficulty essentially was single DES. Just hard enough to keep amateurs out and let Agencies in…

    The problem with a rating group is the difficulty of finding that kind of hidden fault in the binary code in less than years… which is why PRISM is so horrific… it destroys vendor credibility and trust. Thus the move to Linux and BSD where the public sees the source. And why an open source SMALL BIOS is now important too.

    @John Howard:

    Glad to see someone else wondering if all those computes are really looking for ETs… or signals hidden in more terrestrial sources…

  4. Larry Ledwick says:

    And now the debate over encryption back doors goes both public and big money as Apple contests order to assist FBI break encryption lock out protection on its phones.

    http://www.theguardian.com/technology/2016/feb/17/apple-fbi-encryption-san-bernardino-russia-china

  5. p.g.sharrow says:

    Hammer the OS 10 times. Problem solved! No information is found. Actually we can surmise that there is nothing of value on that phone. It was provided by a government agency, so no “trained” operative would have used it for anything nefarious as it would be suspect. They did destroy all their other devices and not that one, HELLO! get a clue. There is nothing there! This is a fishing expedition to game the system and crack the built in security. Government has proven they can not keep a lid on information they hold. We need to keep that door CLOSED…pg

  6. Larry Ledwick says:

    Just a side comment here, I have noticed that quite a few commentaries seem to be presenting unbreakable encryption as a new threat. It is not; intelligence agencies and law enforcement have been dealing with unbreakable encryption methods for centuries. The Soviets used one time pad systems which, if properly used, are absolutely unbreakable. We managed to break a few of them because they got lazy and broke the rules by re-using some code series. Likewise we broke Enigma because some of their operators got careless, and used poor technique like using standard headers and footers on messages so we had a constant value to work back to, but while we were working the problem the encryption was unbreakable. Same goes for Usama Bin Laden who shifted to trusted couriers to handle sensitive messages and completely dropped out of the digital and electronic spectrum domain.

    If that hack on the Apple phones is ever done, its simple existence is a risk. It would literally be priceless to both organized crime and national intelligence agencies. That means if it exists sooner or later someone will leak it then everyone’s phone data is at risk. It may be convenient to crack a bad guy’s phone but is not the only way to solve the puzzle and the risk is too high to go there.
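The two failures the comment above describes, a reused pad and predictable standard headers, can be shown in a few lines. This is an added example, not part of Larry Ledwick's comment: two constructed messages with a shared header are XOR-encrypted under the same pad, and the code shows what an eavesdropper learns from that alone (the message texts, header and the `recover_with_crib` helper are all assumptions).

```python
"""Why one-time-pad key reuse is fatal, as the comment above describes.

A one-time pad XORs each message byte with a fresh random pad byte.  Reusing
the pad for a second message lets anyone holding both ciphertexts compute
c1 ^ c2 = (m1 ^ pad) ^ (m2 ^ pad) = m1 ^ m2, with the pad gone.  From there a
guessed fragment of one message (a 'crib', e.g. a standard header) yields the
other message at the same position.  All messages below are constructed.
"""
import secrets


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """XOR each message byte with the corresponding pad byte."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))


otp_decrypt = otp_encrypt   # XOR is its own inverse


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leaked_equal_positions(c1: bytes, c2: bytes) -> list:
    """Positions where two same-pad ciphertexts agree.  Since c1 ^ c2 = m1 ^ m2,
    a zero byte means the plaintexts agree there: shared boilerplate such as a
    standard header shows up as a run of zeros before any decryption at all."""
    return [i for i, b in enumerate(xor_bytes(c1, c2)) if b == 0]


def recover_with_crib(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """Given two same-pad ciphertexts and a guessed fragment (crib) of message 1
    at `offset`, return the bytes of message 2 at that position:
    (c1 ^ c2)[offset:] ^ crib = (m1 ^ m2) ^ m1 = m2."""
    combined = xor_bytes(c1, c2)
    return xor_bytes(combined[offset:offset + len(crib)], crib)


def demo() -> dict:
    """Encrypt two constructed messages under one reused pad and show the leak."""
    header = b"FROM STATION 7 TO CENTER: "          # constructed standard header
    m1 = header + b"SHIPMENT ARRIVES TUESDAY"
    m2 = header + b"COURIER DELAYED ONE WEEK"
    pad = secrets.token_bytes(max(len(m1), len(m2)))  # a perfectly good pad...
    c1 = otp_encrypt(m1, pad)
    c2 = otp_encrypt(m2, pad)                          # ...reused: the mistake
    equal = leaked_equal_positions(c1, c2)             # header length leaks
    # Guessing one word of m1 hands over the corresponding bytes of m2.
    recovered = recover_with_crib(c1, c2, b"SHIPMENT", len(header))
    return {"header_len_leaked": equal[:len(header)] == list(range(len(header))),
            "recovered_from_m2": recovered}


if __name__ == "__main__":
    print(demo())
```

With a fresh pad per message, `leaked_equal_positions` returns only chance coincidences and the crib recovers nothing meaningful; the leak exists solely because the pad was used twice.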

  7. p.g.sharrow says:

    As usual Bureaucrats want citizens to do their work and pay them. The more you pay or co-operate with Bureaucrats, the more they will take advantage and the less they do their own job. They don’t care about our digital security or their own. They just want to force digital security to be compromised for their own use, NOW! and make Apple do it at their, Apple’s cost. Far too many people are foolish enough to think that this will be easy, cheap, and with no long term cost to them. Apple’s Cook seems to be saying No, even Hell No! I would suspect that the Justice Department will create a criminal prosecution on some pretext and then settle, Apple will agree to the FBI demands. Our freedom from government is being sucked away by ever increasing demands of overbearing government employees…pg

  8. Pingback: Apple vs. FBI vs. Spy vs. Spy | Musings from the Chiefio
