Earlier this week Kaspersky Lab posted a press release elucidating a sophisticated attack their labs discovered last Fall. Kaspersky has dubbed the attack "Darkhotel". It is a fascinating tale of a modern espionage ring that sounds like something out of the seminal cyberpunk novel Neuromancer. It is hard to tell who is behind these attacks targeting globe-trotting corporate executives and government agents. It seems likely that it is both organized crime and government sponsored spy rings that are behind these attacks. The sophistication gives me pause because I could see myself falling into their trap.
the “Darkhotel” espionage campaign, which has lurked in the shadows for at least four years while stealing sensitive data from selected corporate executives travelling abroad. Darkhotel hits its targets while they are staying in luxury hotels. The crew never goes after the same target twice; they operation with surgical precision, obtaining all the valuable data they can from the first contact, deleting traces of their work and fading into the background to await the next high-profile target.
The attackers infect and utilize hotel wi-fi networks, which is nothing new, but they then infect the target's computer via what appears to be a standard software update using a real but cracked authentication certificate. So, you get something like click to update Adobe Acrobat, etc. and if you check the authentication certificate, it looks to be valid. There are a couple of real good lessons we can all learn from this.
- Use a Virtual Private Network (VPN).
- Do NOT install apps on an untrusted network.
The US Government just released an alert about a vulnerability on iOS (iPhones) in which a user installs a third-party app, i.e. not from the iOS App Store, and then utilizing a security weakness, the malware app replaces a legitimate app with full access to the legitimate app's data.
Stuxnet is a computer worm that was discovered in 2010. Stuxnet is considered the first cyber weapon after it damaged Iranian uranium enrichment equipment. It is generally considered that the Stuxnet attack was far too complex to be developed by anyone other than a State sponsored effort. Most likely involving the United States and Israel. While the Iranian enrichment facilities were the original target, Stuxnet has since evolved and escaped into the wild.
As the cyber world becomes more and more enmeshed upon our reality the stakes become higher and higher. This has brought many new players into cyber warfare. What was once the exclusive realm of the curious hacker has become one in which organized crime and Nation States must invest in.
Just this morning the Wall Street Journal posted an article about how the US Government is using airplanes that pretend to be cell phone towers in order to intercept cell phone data. The US Government is reportedly using the information to locate persons of interest without the need to go through your cell phone provider or obtain a warrant. In another disturbing report, the EFF is reporting that ISPs are removing email encryption from their users emails without their knowledge and for no known good reason.
An integral part of computer security is assessing the value of potential targets. The higher the value, the more likely attackers will pour more resources into the attack, and the greater the security measures need to be to defend against such attacks. But what about the average user?
Most of us are not trying to protect State or corporate secrets. Our value is typically financial, i.e. credit cards, identity theft, bank accounts, etc. However, protecting ourselves and our children from sextortion has become a sad reality. There are a couple of major things that we can do to protect ourselves. One is to use a properly implemented VPN. Another is to use properly implemented strong encryption on our sensitive data.
A VPN encrypts the information traveling from your computer to the VPN server. If you are on a wireless network, odds are that your information is being broadcast in the open. Which means that anyone with a little technical know how can capture and read your information. A VPN will encrypt this open data, making it virtually useless to capture. But you need to have a well trusted VPN service, because the operator of the VPN service has the ability to view and capture your unencrypted traffic. Another nice aspect of a VPN is it usually will mask your IP with that of the VPN server, offering you even more protection. So, if you are surfing from your favorite coffee shop, laundry mat, airport, hotel, etc. and you are not using a VPN you are vulnerable to prying eyes. But just like your ISP can disable security features, as some appear to have with encrypted email, your VPN provider can also fail to protect you. However, a reputable VPN provider is risking their business if they do.
Strong encryption is a bit more under the end user's control. Yet, the user still has to have a certain amount of faith that the encryption software is truly working as intended. There have long been rumors of a back door existing in PGP. The creator of PGP, Phil Zimmerman, has responded to these accusations repeatedly over the years. PGP and GPG source code is available to the public. Like Open Source software, this makes the software more secure in that anyone can find a vulnerability and gain fame and possibly fortune by doing so.
These days most operating systems come with some sort of filesystem encryption options. Encrypting your filesystem has its advantages. For example if you encrypt your laptop drive and your laptop is stolen, encryption will make it much more difficult to retrieve the data off your laptop. Yet again, the more secure you make your system the harder it will be to use. In order to make the encryption on my laptop very secure, I would store the key on a USB stick, and have a very complicated passphrase. Now, every time I boot the laptop, I will need my key (USB stick) and have to enter my complicated passphrase. And of course, once I am logged in my data is still vulnerable to remote attacks. And should I ever lose my encryption key, I would no longer be able to access my own data!
Most filesystem or disk encryption stores the key on the drive itself. So, you won't lose your encryption key, but that also means the thief will have your key. At that point, it just comes down to how good of a passphrase you used. Another option is to encrypt only your sensitive files. Perhaps you have a master password list, and since you are using unique strong passwords and usernames on all your accounts, there is little chance that you can remember all these credentials. However, you can encrypt your master password list with a strong passphrase to keep it secure. Then all you have to remember is your passphrase. Even if someone is remotely attacking your computer they will only be able to read your encrypted file when you have it unencrypted. Even if they steal your encrypted file, they will need your key and passphrase to decrypt it.
All of these are great examples of usability vs. security. See my blog Data, Data, Everywhere for more on this.
I realize that all of this can be a bit complicated, but it is my job to help figure out what the right solution is for you and to help you implement it. After all, attacks are only going to gain in prevalance and sophistication.