Archive for category: Security Trends

You are here: Home » Blog » Security Trends
January 14, 2014
14 Jan 2014

On Gag Orders and Swedish Law

Recently we have all, thanks to Edward Snowden, become aware of the security issues inherent in software from US companies. The Government of the United States of America have legal instruments to force vendors to comply with state orders, e.g. install back doors, and make it illegal for them to reveal this to their customers.

In practice, any government can try to persuade any company to do anything by using bribes or threats, but only in a few countries can the government legally prevent companies and their employees from talking publicly about it. The USA is one such country, and from the leaked information available it seems that they employ it liberally.

Take for example Lavabit, a US company that provided encrypted email services to its customers. It, supposedly like many others, was approached by US authorities and required to install a back door for them. Unlike most other companies, the owner of the company, Ladar Levison, chose to close down Lavabit rather than betray his customers, and he may now face prosecution for this decision. We know about this only because Levison took great personal loss and risk instead of complying. We do not know about all the other companies that simply complied, and they all risk prosecution if they resist or go public. Levison says that he would “strongly recommend against anyone trusting their private data to a company with physical ties to the United States.” [infoworld.com]

In Sweden it works differently. Here the government is also involved in massspying through the FRA and the Swedish police demands automated access to all telecommunication data, but we know this, not through anonymous leaks or heroic whistle-blowing, but by the government passing overt legislation permitting it, or from the people involved raising their voices and speaking out, e.g. by recording private talks with the security police and releasing it to the public. However, when this happens there are no legal instruments the government can use to retaliate. This allows Swedish companies to uphold their customers’ privacy without risk. If approached by government agencies, Swedish companies risk nothing by refusing to comply and/or going public.

 

Protect your data
If you have data that needs protection, you can rest assured that products from BlockMaster will contain no back doors. It is not in our interest, and our government cannot force us. We offer managed hardware-encrypted USB devices that will protect your data on the go, and ShieldShare that will allow you to securely share files with end-to-end encryption where only the clients hold the encryption keys.

 

 

0 Tweets/in Breach, News, Security Trends, Threat Landscape, Uncategorized, USB Security
May 24, 2013
24 May 2013

SkypeGate - Skype Security Issues Can Expose Your Communications

This week Ars Technica reported that a hired expert had exposed that Skype communication passes unencrypted to Microsoft servers, even when it is advertised as end-to-end secure communication. Not only is the traffic monitored, Microsoft is actively analyzing the contents.

reboot-skypegate

As Ars reports, and I can concur, there is a widely held belief that Skype for some reason is more secure and offers end-to-end encryption. Ongoing product placements also tell this story. In the high tech TV series Homeland, all conferences are handled over Skype at the CIA. Of course,  they would only be listening to themselves perhaps. But Big Brother is just part of the problem and mostly a problem for shady characters.

That Skype was secure may once have been the case but since Microsoft bought Skype they have effectively wiped away any smart client side security concept that once existed. Today the traffic passes through a network of 10.000 Linux servers hosted by Microsoft.

Microsoft has now taken up to extensively analyze the traffic. Allegedly as a measure to limit spam and phishing on Skype. Ars engineer used fresh web links and monitored the traffic to the site. After having skyped the link, the site got a visitor from a Microsoft server. Of course,  this is shocking. What is even more shocking is that Microsoft has squeezed a paragraph in the privacy policy that not only allows them to monitor all traffic but also to store it indefinitely. This truly is SkypeGate.

Why is SkypeGate a Problem?

Microsoft monitors all Skype communication and stores that data indefinitely. This combined with the perception of security, and you have a serious problem. Predominantly in these three categories:

1. Insider threat is a real, especially at large companies

You may trust Microsoft the brand and the company, they seem friendly enough. But do you trust that they have all the systems in place to control their 100.000 employees, many of them super engineers that could probably bypass any system, even from the outside.

2. Big Brother is listening, and Microsoft can’t tell you

Microsoft must under law hand over any information requested from them under FISAAA (part of the Patriot Act). Casper Bowden, former Chief Privacy Adviser at Microsoft, exposed the details of this practice in January this year saying that it provided blanket authorization and that there was no individual warrant needed. Microsoft is prevented by law, as a US company, to say anything to the affected users.

Most people are OK with the terrorist hunt which is the commonly used scape goat, but there is no way of knowing what use agencies are making of the all-the-information-you-can-eat buffet that Skype is. The latest scandal where the I.R.S seemed to have targeted the minority Tea Party movement raises a lot of questions. Did they skype-tap their way to that information?

3. Hackers for hire ready to get at the Skype servers

If there is a server on the Internet that gets access to peoples and companies’ private communication, there will be people motivated to hack it. It is a common business practice to host video conferences on Skype and often have sensitive discussions during these calls. It is an understatement that there would be people motivated to listen in. People wanting to affect stock prices, competitors on large deals and potential black mailers are but a few examples of criminal behavior that can be enabled by this.

 So what should Skype be used for?

Skype should be considered a semi-private communication tool. It can be used to share a lot of information but should be avoided if stakes are and the consequences are immense. It is frightening to read that the International Crime Tribunal in Haag received testimony through a Skype call. That is the highest risk, but there are many others that should revise their Skype usage.

Looking for secure file sharing?

BlockMaster produces the secure file sharing software ShieldShare that truly offers end-to-end protection using client-side encryption. It isn’t Skype, but it can help with transferring files, with only the intended recipient getting the information.

 

 

 

 

1 Comment/0 Tweets/in Security Trends, Threat Landscape
April 29, 2013
29 Apr 2013

Lost USB Drive Involved In Death – ICO Fines Powerless

Reports link the loss of an unsecure USB drive which contained details about over 1000 police formants to the violent death of one of the suspects in the alleged theft.

The information went missing just weeks ago from the Greater Manchester Police after an officer brought the data home for work on an unsecure USB flash drive. This was in contradiction to a policy at the police force that mandated that all portable data be protected with encryption and passwords. This policy came in place after a similar data loss incident just ten months prior. This new incident involved the loss of the sensitive data that tracked the details of 1.075 police informants. The first incident prompted the ICO in the UK to issue a £120.000 fine which we reported about back then. The first loss prompted us to advocate a general ban of unsecure USB drives for government use.

The Daily Mail has published an article1 which provide more details on the current case.
One of the main targets of the police operation that involved over 100 officers seemed to have been to recapture the unsecure USB drive that contained the data. It is unclear what the purpose of reclaiming the unsecure USB drive was as the data could be copied off the device to a second source at any point. Regular USB drives contain no record of who has copied data, it does not even trace if such an event ever took place.

There are many aspects to this tragic story, and many other are better suited to tell about it in all its facets. The IT security perspective is not the most important one, but it may be the one that holds the answers on how prevent events like these. It is tragic for all involved: victims, police officers and tech staff that something like this should take place. Especially when there are solutions readily available.

What also comes into question is the effectiveness of the ICO fines. The police force had already been fined £120.000 less than a year ago and still there seemed to be no signed of improvement. The only visible action is toothless paper tiger policy that says that data needed to be encrypted and password protected. The ICO forces there to be signs of improvement to avoid further fines. The policy was all that was needed to get of the radar of the ICO.

One thought might be to assign part of the fine as a mandatory purchase to avoid the problem to reoccur. The sensible thing to do is to ban the use of unsecure USB drives and unencrypted portable data for government use. There is no practical use for unsecure storage that cannot be replaced by encrypted storage. The costs involved in making the switch to a secure solution is not great.

0 Comments/0 Tweets/in Breach, News, Security Trends, Threat Landscape, USB Security
March 27, 2013
27 Mar 2013

Regular USB Drives - A Spy’s Best Friend

News in the Nordic countries have featured heads of military and policy intelligence issuing stark warnings on the usage of unknown unsecure USB drives used for industrial espionage and foreign intelligence services.

Both PST in Norway and MUST in Sweden have on separate occasions in 2013 highlighted the threat of these dangerous USB drives. The data and warnings correlate both with our own surveys here at BlockMaster and also with the famous drop test that Homeland Security did in the US.

The current threat that is highlighted is giveaway USB drives or simply USB drives found on the street or laying around. Several incidents have been reported in Sweden and Norway where these drives have been plugged into computers and infected networks using malicious software. At the Swedish military intelligence branch, Klas Eklund also points out that a regular USB drives can load more data than used to be stored in one of the old secure data centers back in the day.

But when it comes to the drop-and-infect, the method to make someone plug the infected drives follows is simply to give a free USB drive to and employee or to drop it outside their office. Human curiosity takes care of the rest. BlockMaster’s survey showed that 76% would plug and unknown device in. And in the Homeland Security droptest in the parking lot of the Pentagon they achieved a 90% plug in rate by having an official looking logo printed on the device.

Given that the Homeland Security test is from 2011 little has changed in user behaviour, it is simply not a problem that will be solved without a technical solution. The solution is to lock down the network and not allow unknown USB drives and instead rely on secure USB drives for data transport. The SafeConsoleReady secure USB drives that we at BlockMaster power are all hardened against infections. Furthermore BlockMaster offers a low-price USB port control that locks out the dangerous drives.

Sources:

http://www.expressen.se/nyheter/dokument/spionchefen-som-jagar-usb-stickor/

http://www.gsnmagazine.com/article/23705/usb_ploy_dhs_exposes_curiosity_security_flaw

2 Comments/0 Tweets/in Breach, Security Trends, Threat Landscape
November 23, 2011
23 Nov 2011

Institutional USB Awareness Increasing, But Not Quite There…

Encrypted flash drives are just a piece of the USB management puzzle. To ensure granular protection of every ‘piece’ within your USB management puzzle, you need the peace offered by SafeConsole. Read more

0 Tweets/in Security Trends, Threat Landscape
August 24, 2011
24 Aug 2011

Productivity Trend In IT Security

We don’t need to weave you a fantastic tale for you to understand why it is important, in this day and age, to rely solely on USB flash drives that offer automatic encryption and password-strength protection. Read more

1 Comment/0 Tweets/in Security Trends, USB Security

BlockMaster Products

ShieldShare Secure File Sharing
Secure USB Drives managed by SafeConsole
SafeConsole Secure USB Management
© Copyright BlockMaster 2004-2013