z3r0trust Privacy Newsletter #4.20
*Note: This article was originally published by the author on April 2, 2020.
“If the mind is willing, the flesh could go on and on without many things.” — Sun Tzu
As an information security researcher, my research is multi-faceted but normally doesn’t stray too far from the central theme of privacy.
How should we define privacy? Privacy is one word that has different meanings for different people. The Merriam-Webster dictionary defines privacy as, “the quality or state of being apart from company or observation,” or “freedom from unauthorized intrusion” (Merriam-Webster, 2020). Is it a fundamental right that every one of us is born with? That depends on who you ask and what circumstances you were born into which is hugely unfair. If you were born in certain parts of the world, like the European Union (EU), for example, your privacy rights are at the time of writing, greater than those afforded to American citizens.
Your individual level of privacy also depends on numerous other factors such as how wealthy you are. For instance, if you can afford to own property and build a secluded house with tall fences or pay a company to sponge up as much of the publicly-available information about yourself then your level of personal privacy will be much higher than someone else’s. Most people are not wealthy enough to enjoy this level of privacy and instead, they have to rely on public laws passed by their respective governments to protect their privacy. Oftentimes, privacy is seen by government officials and especially business leaders as a commodity that can be collected, traded, sold, and profited from without the owner’s consent. I believe with every fiber of my being that this is wrong and it must stop.
Whereas many security researchers prefer to focus on finding bugs in software code or Internet protocols that can be exploited and publish white papers or proof of concept papers that serve to inform cybercriminals more so though than deter them, my interests are unique from my colleagues. I don’t write for money or notoriety, I prefer instead to focus on the fringe, obscure aspects of information security research such as side-channel hacks like steganography, privacy issues which are everywhere with technology, and lesser-known technical weaknesses like TCP Port 0 attacks that most people have never heard of before.
I read a ton of cybersecurity articles each week and well, let’s just say that I believe you can get plenty of run-of-the-mill cybersecurity articles at any number of sources which for the most point will all make the same points. Personally, I believe the world has enough cybersecurity pundits, reporters, and journalists giving their opinions and publishing stories. That is not my game and it really never has been. I tire of reading the same old mundane technical papers about the same topics with a slightly different twist this time! Thanks, but I’ll stick to writing about the genres I find the most fascinating and comment on topics as I feel so inclined.
I don’t believe obscurity by itself is an effective information security strategy, but I have seen it used very effectively when combined with a robust information security program. Similarly, I don’t believe in developing offensive security tools and then open-sourcing them to the public because there is a 100% chance they will be used against us at some point in the future. That’s not rocket science thinking, it’s just being smart. Vulnerability information should be more tightly controlled though I will admit that isn’t an easy task to accomplish either. Organizations need to know to protect themselves against known threats to the greatest extent, but often we see the opposite effect.
Many organizations fail to simply patch their systems regularly and make risk decisions to continue running legacy software that is far beyond End-of-Life, unsupported by the manufacturer, and highly vulnerable. Skilled adversaries will find those same vulnerabilities in due time, it is my belief that we in the security community should not be making the adversary’s job easier and further enabling unskilled script kiddies with sophisticated OffSec tools that anyone can download for free online. I don’t expect my opinion to be popular, but it is my belief nonetheless. A belief leveraged by two and a half decades of experience in the industry. Sometimes not being on the side of popularity is a good thing. Now, back to privacy…
No One Cares About Your Privacy The Way You Do
We find ourselves at a somewhat precarious position in human history, at a crossroads of sorts, where meets the proliferation of mass-produced, cheap internet technology, a deluge of new daily information, forces that seek to control the narrative for their own purposes, and last but certainly not least, our diminishing personal privacy in an ever-connected, overly tech-saturated world. Computer processor chips, WiFi routers, smartphones, drones, smart homes, personal home assistants, home security systems, smart thermostats and appliances, video game systems, smart cars, smartwatches, biomedical devices, you name it and I can show where it’s now been connected to the Internet.
There is a smart version of almost every modern technology now, most of which are trivially secure at best. There is a blossoming and emerging Internet of Things (IoT) industry that depends on unwitting, technologically unsavvy, fad gullible customers to buy their overpriced, insecure tech gadgets that will ultimately provide us with some “must-have” service that we can absolutely live without because we’ve done so thus far in life. Furthermore, these IoT devices will undoubtedly be used to spy on us and collect private data by the very companies whom we bought them from in the first place as part of their constantly changing Terms of Service and Privacy Policies.
The technology versus privacy debate is far from new, however. There has always been a technology and privacy imbalance that is still being defined as the technology matures and privacy evaporates between these forces that are being played out in Silicon Valley, around the world, in the domestic and international court systems, and amongst Internet users around the world. The reason this imbalance exists and will persist is that technology is created far faster than laws can be created to regulate it. It’s the reason we continue to see CEOs and Tech company founders like Facebook’s Mark Zuckerberg make frequent visits to Capitol Hill to change the user privacy narrative toward Facebook’s favor.
It is the nature of how the modern U.S. legal system works and other countries have similar court systems. The legal system is slow-moving and deliberative to ensure it arrives at the most well-educated and informed decision that will potentially have far-reaching impacts. This is good though. This is what we want as an intelligent society. We do not want knee-jerk reactionary laws that only serve to stymie technological innovation. Technology, like a Katana sword, is double-sided. Whether it is wielded for good or for bad purposes depends on who is using it.
The regulatory bodies and laws are pressured from time to time to apply course corrections to the Tech industry to steer it in a direction that is widely accepted by the public and government officials. On the contrary, what we’ve seen time and again from elected officials, who appoint the heads of regulatory agencies, is that the Constitutional rights of citizens are largely subject to partisan politics and lobbyists who throw money in the direction they want the laws to lean.
Organizations like the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) are much too small to advocate effectively for the public privacy interest though I believe they do great work. More help is needed. People like you and I have to write letters to our elected officials and advocate for privacy protections similar to what the European Union (EU) has passed for its citizens. Otherwise, companies like Facebook and Clearview AI will continue to collect and abuse your private data. Of that we are certain.
Through the Privacy Lens: 2020
In our haste to stop the spread of COVID-19, we must be careful not to voluntarily give away our Constitutional rights and what little privacy we have left to the authorities. Martial law has not been declared last I checked. You are not obligated to remain inside your home 24 hours a day though it is wise to do so for health reasons currently during this international health crisis. If you need to go out, however, then do so. It’s okay to do so, in fact, it is encouraged to get out and exercise if you can. Get some vitamin D sunshine! It will brighten your mood and make you feel better. Just please be smart and take the necessary precautions to avoid contracting and spreading the virus.
Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers
For at least a few thousand people, Zoom has treated their personal email addresses as if they all belong to the same…
In everyone’s haste to continue working from home, privacy is the unintentional victim that commonly gets trampled for the sake of being able to continue earning a living in these strange times much like security tends to a backseat to convenience. Security and privacy are very much intertwined. In fact, I tend to think of them as interlocking sectors of fire that are mutually supportive of one another. Essentially, you can’t have one without the other. It is also important to understand that no application or security measure is completely foolproof. There will always be flaws in software code and security or privacy aspects that we can improve upon. Zoom is a great example of a popular video-conferencing application that has some security and privacy bugs that need to be improved upon. It doesn’t mean you shouldn’t use the video-teleconferencing (VTC) application, it only means you need to know what the issues are and apply the security updates when Zoom releases them.
Back to Basics: Hardening Computers & Smartphones
Too often, I‘ve noticed that Information Security professionals write articles that target their own peers who already…
To protect your employers’ network and data, it is very important that you take measures to harden the computer that you’ll be using to work from home which is called an endpoint device. Of course, you should take these same actions to harden your personal computing devices as well. This may have already been done for you by your IT department if you’re accessing your employers’ network from a work laptop.
Secure Design Principles You Should Incorporate Into Your Daily Life
In these seemingly uncertain times that we live in, I can think of no better time to work on improving yourself while simultaneously attempting to become as self-sustainable as possible. Especially if you’ve been quarantined at home due to the COVID-19 pandemic. It is important to find productive endeavors that you can dump your time into if not working that will pay dividends for you well into the future. Otherwise, sitting around for too long with nothing to do expedites depression.
People often remark that martial arts and infosec have little in common but I beg to differ. As someone who has a long background in both disciplines, I can name many similarities between the two. Below are just a few secure design principles that you might consider incorporating into your personal life to harden yourself against all manner of threats, be they physical or digital.
Man or woman, young or old, each of us has weaknesses that can be exploited and probably also assets that we want to protect. For privacy reasons, you need to figure out what you want to protect and from whom? This is actually a great time to sit down at your desk and create an asset inventory of what you have. Be sure to include the value of each item, make, and model. You can videotape it also but ensure it gets backed up, preferably somewhere away from your home in case of fire. Perhaps you have valuables hidden inside your safe at home or research data on your computers that you’ve spent years working on.
Can you think of someone who would love to steal those things from you? To what lengths do you think someone would go to take it away from you? In general, it’s never a good idea to spend more on securing something than the value of the item you’re securing. Just keep that in mind. Everyone’s personal threat model is different but we all have things we want to protect. Some commonality is shared here, some risk can be transferred when multiple people join in to help protect someone or something.
When Aunt Margie visits your home do you want to let her use your account on your computer where she has access to all of your files, browser history, photos, videos, bookmarks, etc.? No, absolutely not, right? You create her a guest account or you give her your guest Wi-Fi password. That way what she can access on your computer and your network are limited. This is the principle of least privilege. Only give the minimum amount of access and permissions needed to your stuff, your data, your personal life. Never share passwords with other people, create separate accounts.
Someone stole your phone while you were out shopping, you only turned away for a split second and now it’s gone! No sweat, this is only a temporary inconvenience if you’ve got phone insurance, Full Disk Encryption (FDE) implemented on your phone, and remote wipe enabled. There’s very little that the thief will be able to get off your phone if you protect it properly. iPhones are FDE by default, but Androids have to be manually configured for FDE aftermarket. Don’t worry, it’s not difficult to set up. Hmm, what’s that? You don’t have any of these protections in place? Really? None? Whew…
Ok, well look, there’s nothing else that I can say except don’t do that. Never leave your phone unprotected in plain sight. Ever. Peoples’ smartphones are a gold mine of private information. Even if a thief wasn’t able to get any of your personal information off of the phone which is a best-case scenario, many smartphone models now retail for nearly $1,000 or more. So a thief will likely wipe it and try to resell it. You want to be able to wipe that device before criminals can crack into it and steal anything valuable. If you’ve got stored log-on credentials to a banking app on your device, you’re rolling the dice big time.
The same goes for any of the online accounts that you access via apps on your phone. Email, banking, entertainment apps, shopping (Amazon), and the list goes on. Let’s hope for your sake that you’re not one of those people who likes to save all your passwords in a note on your smartphone without any type of screen lock protection whatsoever. If you are, there’s time to take remedial action right now by implementing some of these security controls that help to provide the least functionality.
- Enable a screen lock (can be a fingerprint, other biometric authentication, but preferably an 8-digit PIN)
- Enable Full Disk Encryption on your device (Use a passphrase or minimum 8-digit PIN)
- Enable Remote Wipe functionality through your service provider
Frugal & Practical Privacy Hacks
The new reality in the face of the COVID-19 pandemic is that many workers now are forced to work from home for extended periods of time. A simple webcam cover and microphone port blocker are good investments toward ensuring your privacy. It is very basic but you might be surprised at how many people don’t use them. There is malware that will allow cybercriminals to silently enable your webcam (known as camfecting) and microphone on your computer and you won’t even know it is happening. This technique has been used before and used to blackmail or extort money from victims who were secretly recorded in compromising states of dress or personal activities. Whenever you are not using either your webcam or microphone, you should block them so that they cannot be used to record video or audio of you.
Perhaps you think I am being overly paranoid, and it’s ok if you do, but I still recommend storing your smartphone in a bedroom or somewhere it cannot pick up audio/video when you’re not using it. Not in the living room, where you spend the most time, or on the computer desk you’re probably almost always sitting at (like right now…). They make webcam covers for smartphones also. Fail secure by planning as if your device will eventually be compromised. If it were to happen, what physical mitigating controls could you implement to reduce the risk? But how would you even know if your smartphone was infected by a virus or compromised somehow by malware if you don’t install some type of anti-virus/malware software, right? Your phone is a mini-computer, treat it like one. It needs protection.
Set the environment to maximize privacy in your home wherever you decide to video-teleconference with others. For instance, wherever the webcam is going to point at you is going to be visible to anyone else who is connected. You may not want to broadcast to everyone your personal wall posters of Justin Bieber and pictures of grandma Spunkmeyer in the background. You get my drift, sanitize the broadcasting area to only reveal what you are comfortable showing others whom you work with. No one should be able to ascertain your home address or how sloppy your dwelling is simply from viewing your VTC feed.
Simply powering down your computer and devices makes them safer than if they are always on and connected to the Internet. I know it seems rather basic, but it’s true. It is a simple security and privacy hack which protects your devices and data. Your devices are unreachable by attackers and malware while they are in a powered down status. However, as soon as you turn them back on they are vulnerable again which is why virus scanning and firewalls are imperative. In the Windows operating system (OS), if you’ve enabled Remote Desktop access then you should disable that now. You’re leaving your computer and all the data it stores wide open for attackers. The same goes for Linux and Mac users but there are far fewer of those types of users than Windows users as statistics have repeatedly shown. There are still some risks if you’re networked and Wake-on-LAN (WoL) is enabled, a remote attacker could potentially power on your computer. If you’ve not enabled WoL on your Windows machine in the BIOS, don’t worry about it.
In conclusion, I leave you with this. Privacy is what you decide to make of it. You can be one of these people who gave up a long time ago and think they have nothing to lose or you can be proactive about your personal information and try to get ahead of it. You can be as public or private with your personal details, it’s totally your decision. You can also be the victim of identity theft or of a data breach or an unintentional data leak. Either way, when your personal banking information, employer pay stubs, performance evaluations, social security number, private health information (PHI), naughty photos, family photos, and passwords are dumped online for the entire world to see you might think about privacy differently at that point. It just might take on more significance to you then, perhaps. Let that sink in for a moment.
Lastly, be safe out there in the world my peeps. It is a scary time we’re living in. There’s never been a better time to practice social distancing, something introverts have been doing forever. We introverts don’t need a pandemic for that. Try not to let this pandemic stuff get your spirits down. Life will return to normal eventually, dig down deep, and have patience. I’ll be seeing you around the Web, but until then remember this little mantra:
***Trust No One. Verify Everything. Leave No Trace.***
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.