(Not) sharing your home network with guests

Could I ask what your solution is to this concern illustrated by +Troy Hunt​​​​​​​​​​​?

So far I've been running some insecure protocols in my home network, typically: NFS without authentication, I don't like this very much as a starting point, as a result I've shared this network over Wi-Fi with almost no-one.

For my next place, a larger apartment with very thick walls where I'll hopefully have more guests, I plan to use two Wi-Fi hot-spot with roaming to cover every room well.
For guests Wi-Fi, I'm thinking about a few approaches, like:

Option 1:
Using a (3rd) dedicated Wi-Fi router for guests: good thing is that I can plug it directly to my ISP Ethernet who generously assign another public IP address to every new MAC making a DHCP request.

Pros: complete isolation, ability to disable very easily.
Cons: no Wi-Fi roaming for guests, no access to Android TV Chromecast for casting.

Option 2:
Using a (3rd) dedicated Wi-Fi hot-spot, not acting as a router and connected to another Ethernet card to a Linux machine acting as NAT router for both the home and guests network.
Via ebtables (Linux Ethernet bridge management tool), allow each Android TV and Chromecast connected to the home network to appear on the guest network as well.

Pros: good isolation, ability to cast media from the guest network and connect to desired devices on the home network as well.
Cons: no Wi-Fi roaming for guests

Option 3:
Attributing an internal IP in to any unknown MAC address (guests) and for known (home network) MAC addresses. Wi-Fi is roaming between the two access points, sharing Wi-Fi password with guests.
Using a Linux machine as router, allow IPs to communicate with selected devices (Android TV and Chromecast) and not others using iptables filtering.

Pros: great Wi-Fi coverage via roaming, ability to cast media and connect devices between guests and home networks (needs verification if the cast protocol is happy with the routing situation)
Cons: no real network isolation, low security (can be overridden by setting the IP address manually), could break some broadcast/multicast discovery protocol and introduce weird behaviors, the Wi-Fi password is still being stolen and shared by Windows 10 Wi-Fi sense.

Option 4:
Same as previous, with Wi-Fi roaming over two access points, however sharing only a guest SSID terminated with _optout for Wi-Fi sense, and using a different password than the one I use myself.
Since even WPA2 sniffed Wi-Fi can be decrypted, provided you already have the password, it's not a good idea to share it with anyone.

Pros: same but solves Windows 10 Wi-Fi sense as well as captured Wi-Fi decryption issues.
Cons: same, and still no real network isolation or security.

What do you think?

#supercurioBlog #network #security #wifi

Troy Hunt: No, you can’t join my wifi network

Source post on Google+

2-step verification doesn't provide the security I expected

Today I went to the closest +Orange France​ shop in Chambéry, France to request a new SIM card, pre-cut to the nano size.

This SIM exchange was easy.
Too easy actually, and I'm coming back with serious doubts on the validity the 2-step auth or verification as we use it today.

Here's the story:

I enter the shop, a lady welcome me and ask the reason of my visit.
I'd like to request a new SIM card
The lady asked my name and my phone number
My name is François Simond, 0699XXXXXX
I'm told that it should be ready in 20 minutes, and I can wait here or run a few errands in the meantime, I choose the later
20 minutes later, I'm back and receive consequently an SMS telling my SIM card is ready.
5 minutes after, a gentleman call my name, we go sit at his desk, he confirms if it's about a new SIM
He goes to grab an envelope in another room and give it to me, announcing this is my new SIM:
When will it be activated ?
He answers "immediately" and indeed my phone just lost reception.
I thank him and leave the store, ready to get the new SIM in my phone and happy with the service.

Then I start to think a little:

– Did they really deactivated my SIM without any kind of confirmation that the owner requested to?

– Did they really gave a new SIM, with complete access to my phone line, the capability to receive and emit SMS/MMS, and unrestricted ability to send and receive internet packets that can be traced back to me… without knowing anything about who they were giving this to?

Then I thought that I felt confident before that my Google accounts were protected by the additional code generated by the app or sent by SMS as recovery, well: not anymore!
Anyone can gain access to my phone line, they just need to walk in a store, say my name, get a new SIM – disconnecting me in the process.

Bank account? Same thing!

I assumed that anyone capable of making and delivering a new SIM would do so after a careful identity check.
But apparently, it was merely wishful thinking.

Now I have questions:

1/ Does your wireless carrier give new SIM on demand to anyone walking in a store just like +Orange France​ did today?

2/ 2-step auth with SMS as recovery is a joke. Would you recommend disabling the SMS recovery? Is there a risk to be locked out that way?

And.. really.. the privacy and security implications of this simple stupid thing: ouch.
I won't dare listing the various abuses possible using the same operation as an attack.

#supercurioBlog #security #SIM #carrier


Source post on Google+

Online accounts creation safety

A few things to keep in mind for mandatory online accounts:

– never create an account if not required in the first place, avoid "surveys" and member cards as much as possible
– use temporary email addresses redirection if it's a one time thing, like from http://jetable.org
– if you have a VPN, enable it before the creation to avoid being geo-localized (you may choose an IP from the same country however)
– unless absolutely required like for shipping address, enter the least information possible.
– unless required to be valid like for warranty or shipping, never hesitate to enter fake name, fake address, fake age, fake everything. Against Terms Of Services? Don't care.
– if you have the ability to pay things with an unique and temporary credit-card, do that.

During your lifetime, you will have no control over the personal information you gave away on yourself.
Hopefully you'll live a fruitful and long life.
Who knows how many websites and services owning data on you will be breached during this lifetime.
That's why the only defense is least info & random fake info.

The VTech breach explained by +Troy Hunt​​​​​​​​​​​ is an excellent example of why you may apply similar rules to yourself (whatever works), your family and teach them as well to your kids since their whole life will be online.

This one is particularly bad because the unique identifier in this very verbose database allows to contact individually every kid on their capable connected toy, by sending messages, pictures.
VTech didn't inform anyone yet. Yes: That bad.

#supercurioBlog #security

Troy Hunt: When children are breached – inside the massive VTech hack

Source post on Google+

Vulnerable self-signed root certificates: how many out here?

Since Dell computers shipped with a vulnerable root certificate containing the private key which can be extracted, it is not impossible that other manufacturers do so as well.

And like me, you maybe wonder if it's the case for smartphones too.
Adding this to my TODO list 😊: is there a CTS test for that, do apps exist already to verify all certificates installed on your phone.

#supercurioBlog #security

Dell apologizes for HTTPS certificate fiasco, provides removal tool | Ars Technica
Meanwhile, credential that posed man-in-the-middle threat found on SCADA system.

Source post on Google+

Feature complete Android Malware

This article is an excellent description of "Banker", an Android app designed to use very straightforward and efficient ways to steal all sort of credentials.

It also explains why Google protected several features behind additional permissions in Marshmallow:

– Draw over other apps:
A malware overlays anything it wants on screen, including with a transparent window, invisible but intercepting any touch event: which can let a malware guess everything you touch and type.
Now needs to be activated from the Apps "Configure Apps" settings.

– Apps with usage access:
A malware runs a background service to monitor which application activity is shown in front to the user like every second, and launches an activity or starts an overlay emulating legitimate credential / banking / credit card information request dialog.
Now needs to be activated from the Security settings.

Discussion on Hacker News: https://news.ycombinator.com/item?id=10619675

#supercurioBlog #security

Android malware drops Banker from PNG file
Nowadays is malware trying to hide wherever it is possible to get under the radar of anti-virus companies. Lately I found Trojan dropper carrying malicious payload, encoded by base64, embedded inside an image file. It’s nothi…

Source post on Google+

Android high privileges exploit from Chrome

A Chinese security researcher presented an exploit leading to privilege escalation from simple website, through a V8 Javascript VM vulnerability.
This is the most critical type of vulnerability you can expect, since a payload can reach millions of users in very little time through a malicious ad, one thing the web appear to have the most difficulty avoiding even on reputable websites.

This presentation happened during the Japanse conference named PacSec, from a speaker named Guang Gong.
The page https://pacsec.jp/speakers.html lists his intervention as:

"Exploiting Heap Corruption due to Integer Overflow in Android libcutils — Escalate privilege by vulnerabilities in Android system services" Guang Gong, Qihoo 360,@oldfresher
How to exploit CVE20151528 to get system_server permission in Android.

You can wait until the patch reaches +Google Chrome stable at some point – and it will be worth tracking when since the disclosure was made responsibly.
If security is of high importance for you +Mozilla Firefox might be a strong alternative today.

The Register: I know, not the best source, feel free to suggest others on this one 😉

Via +Engadget

#supercurioBlog #security

Latest Android phones hijacked with tidy one-stop-Chrome-pop
Chinese researcher burns exploit for ski trip.

Source post on Google+

Misguided attacks against the Linux leader

I've just seen this article from the +Washington Post​​​ circulating, and it is worth questioning the real motivations behind it.

Lets start with the author: writes an article attacking +Linus Torvalds​​​ as a person and using fear regarding Linux security as a method to gain legitimacy.

But doesn't understand the difference between an OS and a Kernel, or at least has no issue confusing readers.

"Yet even among Linux’s many fans there is growing unease about vulnerabilities in the operating system’s most basic, foundational elements — housed in something called “the kernel"

And here's the type of stuff the security experts say:

"If you don’t treat security like a religious fanatic, you are going to be hurt like you can’t imagine."

Because we all known dogma and fanatism are the best answers – to any problems.. right?
Best of all, this is from a security expert associated to the NSA.

No wonder why Linus ends up saying fuck to this kind of crap.
Also, maybe he's not as vulnerable as some would like to initiatives to take control of the Linux project for the wrong reasons, using fear as justification.
I'm no conspiracy theorist, but curious elements are right here in the article already.

#supercurioBlog #security #critic

Meet the man who holds the future of the Internet in his hands — and thinks most security experts are “completely crazy”
Linus Torvalds created Linux, the operating system that dominates the online world. But a rift exists between Torvalds and security experts.

Source post on Google+

Dear UK, what are you doing?!

It might be time to throw out your current leaders.

In case anyone was ever doubting that adult content filters were just a first step for control freak authorities having no limit on how ready they are to violate any citizen privacy… here's your proof.

On the positive side if there is any, it will only encourage every site owner to switch to HTTPS, either with their own certificates with http://letsencrypt.org or via +CloudFlare​​​​ free solution, sufficient to avoid HTTP requests logging from ISPs in a few clicks.

I've activated that for my sites until http://letsencrypt.org is shipping. Unless you prefer to obtain full-fledged certificates, I would strongly encourage you to do that too given the current direction of things.

#supercurioBlog #security #encryption

Originally shared by +TNW

UK bill forcing ISPs to store users’ browsing history to be published today http://tnw.me/gzmimWk

UK bill forcing ISPs to store users’ browsing history on its way
New surveillance laws in the works will require broadband providers to store details of every site citizens visited in the past 12 months, reports the BBC.

Source post on Google+

Google Project Zero targeting Samsung

Project Zero made the news a few months ago by publishing unfixed vulnerabilities with their exploit in Microsoft operating systems before Redmond's company succeeded to ship patches.
A lot was written back then about the fact Google was attacking their competitor, accusing also this team to be irresponsible by operating following a fixed 90 days time-frame.

Well, this time they went against the worldwide leader Android manufacturer and its Galaxy 6 Edge, with the same rules and similar results which should address any bias concerns.

The report itself is fascinating and illustrates how additional software, like apps or support for more media formats natively (Samsung always has been good with that) increases the attack surface with more code, that might also not be as solid as AOSP's.
Then there is hardware drivers (like for the GPU) and you can't really skip shipping that.

How many vulnerabilities can be found in the phone you are using right now (any phone) with a few weeks of work from a dedicated team?
It's safe to assume quite a few. With sufficient resources it seems there will be ways to find a way in which is not reassuring given the amount of data our gadgets have access to – especially through Google account credentials.
Location history being the perfect example of over the top tracking yet required for Google Fit and probably enabled after tapping a Google Maps launch dialog without realizing the consequences by many.
This is why I highly recommend two factora authentication… Yet it doesn't change anything if a root vulnerability allows to escape the sandbox and steal credentials from the active device or access the data from there directly.

It is also difficult to know where to learn about manufacturers' security practices.
Do they have a security team like Project Zero evaluating their products internally continuously with fuzzing and more?
There are no guarantee of results and certainly no such thing as perfect security, but it's something it would be good to know.

#supercurioBlog #security

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge
Posted by Natalie Silvanovich, Planner of Bug Bashes Recently, Project Zero researched a popular Android phone, the Samsung Galaxy S6 Edge. We discovered and reported 11 high-impact security issues as a result. This post …

Source post on Google+

Looking at free SSL certificates options

While letsencrypt.org is still in beta phase, is StartSSL still the best option out here?

#supercurioBlog #web #security #encryption

Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code.

Source post on Google+