Monday, September 26, 2022

Phishing Is Too Easy - 3

Last week I received another traditional phishing email; apologies for the lack of images, because my email account is set up not to load externally hosted pictures. Here it is, with my address removed:

Phishing email disguised as an invoice with an attached PDF, pretending to come from Norton

Yes, this is pretty much a variation of the last one I commented on months ago, namely:

  • It is an invoice for some product, in this case implying some kind of Norton product.
  • It creates a veil of credibility by alluding, in a rather half-assed way (blue box), to being related to a real company. Note it claims to be "Norton Support LLC," which I have no idea who that may be. Since the average person has probably heard of Norton, who sells an antivirus and other security products, it is easy for said person to associate the two.
  • Still on the credibility front, the sender address is supposedly from QuickBooks (I did not bother to check the headers). Yes, a large company like Norton would not be using QuickBooks to send its bills. However, if you deal with purchasing you have probably seen invoices from smaller businesses which use the online QuickBooks site; when they send their invoices, those will have "<quickbooks@notification.intuit.com>" as the email address. But we hope they look more like "Something Of Doom LLC <quickbooks@notification.intuit.com>" instead of "Intuit E-Commerce Service <quickbooks@notification.intuit.com>"; I think the latter is not the default value, but it sounds credible enough.
  • To create urgency, the invoice is for $800. That will make someone's heart beat a bit faster and make them immediately want to open the attached PDF file (red box) to find out what this invoice is all about. This is a bit lazier than the last phishing email we posted about, as some mail services disable attachments with macros in the hope of blocking malicious payloads. However, most mail services do not do that; mine could not be bothered and told me that if I want to see it, and be properly infected, I need to have Adobe Acrobat Reader (green box). Since my mail service does not automagically open anything, I have some extra time to read the email and decide what I want to do next.
  • It provides a phone number which may be tied to the phisher (VoIP?), so if the frantic recipient of the email calls, the phisher (we called him Peggy in the last phishing post) can then social engineer his way into the victim's computer.
  • The return address is a typical quasi-randomly generated Gmail one; they could not be bothered to make it sound like it came from the billing department it claims to be.

How effective is it? I think it depends on what people focus on. The phishers hope their marks will see the value of the invoice -- $800 -- and immediately open the PDF to find out what is going on. The best thing to do here is stop -- but not stop/drop/roll, as you are not on fire -- whenever you see something suspicious, especially when it claims to be urgent. Then ask yourself if you expected an invoice from Norton. Then look at the email addresses and see whether they are overly suspicious.
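The indicators listed above (a Reply-To pointing at a random Gmail address, a sender that shares nothing with the company named in the subject, a PDF attachment, a dollar amount, urgency wording and a phone number to call) can be checked mechanically before anyone opens the attachment. The following Python script is an added example, not the blog's own code: both messages it parses are constructed to mirror the lure described here (and a benign small-business invoice for contrast), every address, amount and phone number in them is made up, and the indicator names are my own.

```python
"""Flag the phishing indicators discussed above in a raw RFC 822 message.

Added example, not the blog's own code. Both messages are constructed:
the addresses, invoice numbers, amount and phone number are made up.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed lure: credible-looking From, a random Gmail Reply-To, an $800
# "invoice", a PDF attachment and a phone number to call in a hurry.
LURE = """\
From: Intuit E-Commerce Service <quickbooks@notification.intuit.com>
Reply-To: billing.dept.48213@gmail.com
To: victim@example.net
Subject: Invoice 1027 from Norton Support LLC
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice of $800.00 is due immediately. Open the attached invoice or
call +1-800-555-0199 within 24 hours to dispute this charge.
--b1
Content-Type: application/pdf; name="Invoice_1027.pdf"
Content-Disposition: attachment; filename="Invoice_1027.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign invoice from a small business using the same service.
BENIGN = """\
From: Something Of Doom LLC <quickbooks@notification.intuit.com>
To: customer@example.net
Subject: Invoice 42 from Something Of Doom LLC
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Attached is the invoice for the consulting hours in our contract; terms are net 30.
--b2
Content-Type: application/pdf; name="Invoice_42.pdf"
Content-Disposition: attachment; filename="Invoice_42.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URGENCY = re.compile(r"\b(immediately|urgent|within \d+ hours?|due now)\b", re.I)
MONEY = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
PHONE = re.compile(r"\+?1?[-. (]*\d{3}[-. )]*\d{3}[-. ]*\d{4}")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _tokens(text: str) -> set:
    # Words of four letters or more, so "LLC", "of" and "com" never count as a match.
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if len(t) > 3}


def phishing_indicators(raw: str) -> dict:
    """Return {indicator: detail} for every lure characteristic found."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {}
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))

    # Replies routed away from the sending domain, especially to free webmail.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        hits["reply_to_mismatch"] = f"{reply_addr} vs From domain {_domain(from_addr)}"
    if reply_addr and _domain(reply_addr) in FREEMAIL:
        hits["reply_to_freemail"] = reply_addr

    # The company named in the subject shares no word with the sender.
    claim = re.search(r"\bfrom\s+(.+)$", subject, re.I)
    if claim and not (_tokens(claim.group(1)) & _tokens(f"{from_name} {from_addr}")):
        hits["brand_mismatch"] = f"subject says {claim.group(1)!r}, sender is {from_addr}"

    # The attachment the recipient is pushed to open.
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            hits["pdf_attachment"] = part.get_filename() or "(unnamed)"

    # Money, urgency and a number to call, all in the body text.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if m := MONEY.search(text):
        hits["money_amount"] = m.group(0)
    if found := URGENCY.findall(text):
        hits["urgency"] = ", ".join(found)
    if m := PHONE.search(text):
        hits["phone_number"] = m.group(0).strip()
    return hits


if __name__ == "__main__":
    for label, raw in ("lure", LURE), ("benign", BENIGN):
        found = phishing_indicators(raw)
        print(f"{label}: {len(found)} indicator(s)")
        for code, detail in found.items():
            print(f"  {code}: {detail}")
```

Run stand-alone it reports seven indicators for the lure and one (the PDF attachment, which a legitimate invoice also has) for the benign message; the point is that no single indicator is damning, it is the pile-up of them that should make you stop before opening anything.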

Remember: phishers are lazy, and they hope you are equally lazy!

Saturday, September 17, 2022

There and Back again: DEFCON 30

The second slide in the workshop reminds the audience we had put instructions on GitHub for what to do before attending the event.

No, I did not postpone posting about my trip to DEFCON30 until now because I did not have anything to post this month. The truth is I was slacking. There, I said it.

This will be a bit of a post mortem of our workshop. Will this post have any useful info? Don't hold your breath; what I can promise is there will be many opportunities to laugh at our expense.

The Plan

For those who read the announcement for our workshop at the Crypto and Privacy Village, you know that there are two authors -- Matt and yours truly -- who put together the mess without killing each other; the fact we had half a continent between us probably helped.

Originally, the plan was to start with an explanation of why this phone privacy thing was so important and then show how to do it. Ideally people would have read the announcement, followed our instructions, and shown up with a phone ready to be configured. While one of us was on the podium, the other would be helping the audience.

After we had the entire workshop done and had done a few dry runs, we started thinking: how many people would bring a phone that meets the requirements? Probably not many -- not many people have spare phones that can take CalyxOS or LineageOS in their kitchen drawer -- and we would not be able to bring enough loaners, as all the resources in the workshop were coming out of our own pockets. We could just shrug it off and tell people "Hey, you did not bring a phone, so we will bore you with screenshots."

Thing is, we had taken a lot of screenshots of everything we would be showing on the phone, in case we were not able to share the phone screen or point a camera at it. So this was an option, but we felt it would detract from the workshop; instead of being something interactive it would be no better than watching a video.

We needed a plan B.

What if we provided an emulator? It would not do everything a real phone can, but it would allow the audience to follow along on their laptops. Since we were going to focus on CalyxOS (we had only an hour to run the entire workshop; compromises had to be made), we decided to create that image, make it available somewhere, and update the wiki with instructions on how to use it. We also asked the Crypto and Privacy Village (CPV) people to add a single line to the workshop announcement, indicated with a green line in the picture below, telling people they should install Android Studio on their laptop.

Workshop announcement, with the line 'Alternatively, a laptop with Android Studio installed' added to it, indicating you may want to install it if you do not have a phone to use in the hands-on bit

The plan was to have everything finished two weeks before the event and then take the last week to practice, and ensure we had a reliable way to hand out the emulator images.

Things did not happen according to the plan.

Matt was able to go to DEFCON from the beginning of the event; I do not know if he was also able to stop by BSidesLV. I, on the other hand, was a bit more time constrained: I flew in on the first flight on Friday and was going to return on Saturday after the workshop. In any case, we were going to try to attend as many events and talks as possible, and meet up with people we had not seen in ages. I also planned on volunteering at the CPV.

What really happened?

  1. Building the CalyxOS phone image was not as smooth as we had hoped. In plain English, I could not make it work. I had no issues building LineageOS ones in my Docker build environment -- if someone reminds me I can post instructions on how to do that later -- but CalyxOS was fighting me all the way. Fortunately we were working in parallel and Matt was able to make it work.

    I will let Matt post how to create the CalyxOS image with all the apps already installed on his blog, as he is the one who made it work. In fact, it worked so well that he used it instead of a real phone during the hands-on part of the workshop.

  2. We spent too much time trying to come up with a clever way to deploy the phone image. After days of frustration we came up with a simpler way to do that, wrote the docs that worked whether you had a Linux, Mac, or Windows laptop, and put it with the image.
  3. The emulator stopped working. I do not know why but it went on strike. More frustration ensued. Was it the emulator itself or the image? Once again Matt rose to the occasion and made it work.
  4. We also found out it would take too long to download the image we built using the DEFCON public network. Fortunately we had a bunch of USB drives and decided to put the image and instructions on each of them, formatted with a Windows file system so all three OSes could mount them.

There are probably more things that went wrong, but I cannot think of them right now. Bottom line is we spent most of the time that week working on these bugs. And, we made it work.

Showtime

The CPV people did a great job. Everything was working smoothly on their side. I did most of the overview and then Matt took over for the technical part:

Matt Nash presenting the hands-on part of the workshop. The audience is spaced out following the social distancing requirements

You will note in the above picture that the audience (the picture was taken from the back out of respect) has set some chairs apart for social distancing's sake. I then came back to the podium sporting one of my favourite shirts (bonus points if you recognize it) for the final comments, and we then took questions. After it ended, Matt was surrounded at the podium by members of the audience for a long while, until the DEFCON Goons kicked us out.

Mauricio Tavares on the podium spreading lies and misinformation while sporting the classic Oregon Trail shirt.

Thank you for all the fish

  • Avi Zajac and the rest of the Crypto and Privacy Village crew for not only having us there but making the event possible. And the badge. And the shirt (I am afraid of wearing it out because it is nice). And keeping the Goons at bay. And the sticker!
  • The NCC Group for mentioning us in its August announcement.
  • DEFCON for, well, being DEFCON. I do wish I had more time to see it all this year instead of being in a hotel room trying to get it all working. But it was all worth it in the end.
  • CalyxOS for trying to make a more secure and private Android distro easier to install. There is more around this line item, but I am getting ahead of myself.

Wednesday, August 31, 2022

Good Cookies, Bad Cookies, and Privacy

Cookie "banners" are a particular pet peeve of mine. As in, don't get me started or I will be on it for hours if not days on end. So I will struggle a bit to keep this short enough so as not to bore any reader to death. I am not claiming I will accomplish this goal, so you have been warned.

I should also warn that this article has been in the making for months; I collected a lot of real samples and needed to cover the names of the companies to protect the guilty. If you recognize the site by looking at the cookie policy form, smirk and keep it to yourself.

So, are cookies bad?

That is an oversimplified question. Cookies are used to track what users are doing on a website, and that may mean storing some personal data not only of site users but also of visitors. Some of these have very valid and important applications, like ensuring users can authenticate and are the right people to access a given resource, like their bank accounts or repository of cat videos. Then we have the ones companies are interested in, such as:

  • Which pages users go to and spend most of their time on. That may help them figure out which content -- primarily cat videos -- their audience seeks and which ones they are avoiding. Or find out whether a given page is too convoluted, causing visitors to spend too much time and frustration on it. I can see why anyone would want to provide a website that does not suck.
  • Which products or keywords they search for. This may tell which product lines the website needs to be providing and which ones may be taken down.

None of these is really needed to provide a service to users, so GDPR would say you must ask visitors whether they give you consent (Articles 6 and 7, and Recital 32) to collect said data, and provide a way for them to withdraw that consent. CCPA and CPRA are less restrictive, having a set of thresholds (selling the personal information of more than 50,000 Californian households, or making more than half of annual revenue selling that data) before they are applicable, and providing a get-out-of-jail-free card (Art. 9(2)(e)).

The Good

  • Let's start with a nice bright example of someone who respects the privacy of their website visitors.
    It is written in plain language, gives a quick blurb on what the cookies are being used for, and lets the user choose between accepting all the cookies, denying all of them, or something in between (which leads to a more itemized list you can enable item by item).
  • The next one, from one of the European Union's official websites, is not as nice, but at least they are trying.
    Why am I not impressed with their banner? Because it is all-or-nothing, without a proper explanation, and mentions these "essential cookies" (is this like "essential oils?") without explaining them. Yes, if you click the link explaining how they use cookies you realize they are not out to suck you dry of your private info, which is why it is listed here. But I think they could do a better job given the resources they have.

The Bad

This list is but a tiny sample of my fun collection. Still, get the popcorn.

  • First we will start with one that is on a slippery slope as far as GDPR is concerned. It mentions collected data being shared with "trusted third parties." Who are they? Google Analytics? We have talked before about how you can no longer use it on a site that is accessed by European residents.
  • We really should just get serious and look at an example of conning the user. For convenience, I highlighted the relevant wording in their privacy note.
    First we have "This information might be about you" (red), which uses the word "might" to imply that it is ok because maybe the information is really not about you. Well, knowing your IP (considered personal data by GDPR), OS, browser, and other facts that we will not go over here (username?) suffices to uniquely identify you. If you later use the same computer without bothering to run a VPN, they will know you are back... especially from home, as your external/public IP rarely changes, if at all. But then they smother your worries by claiming that "the information does not usually directly identify you" (blue). It is personal data already, sunshine.
  • Here is one from a bank that prides itself on having branches in many countries across the world.
    At first I thought the following cookie banner was just for the American market, but when connecting from Japan and Europe I was still "welcomed" by the very same banner; I do not need to say what that means. I have a ton of other examples following the same pattern, but I think we only need one to get the idea.
  • This one, seen on the website of a professional society, is a variation of the bank banner we saw earlier. I would not have posted it if it did not have one single word: consent.

    I must assume the reason this specific term was used is because of the language in GDPR; specifically, Article 7 states that if you do not have a legal reason to collect personal data, you must obtain consent from the user, who must give it freely. They seem to believe that by having the word "consent" in the banner, they satisfied this GDPR article. However, if the only option is to surrender your private data, this consent is not freely given. Nor can it be easily revoked.

    "But," one can argue, "you did not consider that they are probably an American-based society which does not cross the CCPA thresholds, by keeping the number of Californian households under the limit." How would that work? Geolocating may be hard: one of the VPN services I use has servers in California; there might be other services with servers somewhere else in the US being used by Californian citizens. Given the banner you are seeing, how would you distinguish the two cases? And besides, if this is an international (they hope they are, as one of the letters in their name stands for that) professional society, GDPR, LGPD, and APPI, just to name a few, are bound to be triggered. I did my Western Europe test, and it did not switch to a GDPR-compliant cookie banner.

The Sleazy

Now we get to the really special ones, the ones that decided laughing at the privacy rights of individuals was not enough; they had to make a point.

  • The first jewel is what I call a BannerWall: you cannot use the website until you click on the only option ("Accept"), so site owners can then say "Here! The user consented to us collecting all personal info. We have the log showing the Accept button was clicked!" Hopefully you do not need to use this site, so you can just close your browser and find some other place with similar information that is more privacy conscious.
    Looking at the screen capture, do you know whether "Privacy Policy" and "Terms of Service" are links? No? You are not alone. Can you say hiding in plain sight?
  • But what if you have to use the website? For instance, what if you need to log into the site to pay your utilities or rent, and they do not offer another way (mail or in person) to make said payment? Can you say coercion?

Don't Be That Guy

  • Instead of having your site collect personal data based on the location of the site visitor, assume they are all coming from the EU and build it for that, as it is one of the more restrictive regimes. Make your life easier, whether your website is a commercial or an educational/research one; we covered that a while ago.
  • What is wrong with asking users whether it is ok to collect their data and telling them how you are going to use it, without vague words? And by that I mean ask properly, not like the no-real-option banners seen in some of the examples above.
  • Document everything, logs included, because the world is changing and you may be audited or even fined for non-compliance. Remember, you do not need to have suffered a personal data breach before a GDPR Data Protection Authority takes legal action against you. Don't believe me? We commented on some cases earlier this year. All that is needed to get that avalanche rolling is for someone to file a complaint.
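As an added example (not the blog's own code) of the three items above: a consent record that treats every visitor as an EU visitor, allows only strictly necessary cookies until the visitor has explicitly opted in, makes denying and withdrawing as easy as accepting, and keeps the log the last item asks for. The cookie registry, category names and policy version below are constructed for this illustration.

```python
"""Consent-gated cookie decisions with an audit trail.

Added example, not the blog's own code. The cookie names, their categories
and the policy version are constructed for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable

# Cookie name -> purpose category (constructed sample registry).
COOKIE_CATEGORY = {
    "session_id": "necessary",    # login session, needed to provide the service
    "csrf_token": "necessary",
    "_analytics": "analytics",    # which pages get read (the cat-video metric)
    "_search_terms": "analytics",
    "_ad_id": "marketing",        # the "trusted third parties"
}
# Everything that is not strictly necessary needs an explicit opt-in.
OPTIONAL = ("analytics", "marketing")


@dataclass
class ConsentRecord:
    """What one visitor agreed to, when, and under which policy text."""
    policy_version: str
    granted: set = field(default_factory=set)   # nothing is granted by default
    log: list = field(default_factory=list)     # the audit trail

    def _entry(self, action: str, categories: Iterable[str]) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(f"{stamp} policy={self.policy_version} {action}={sorted(categories)}")

    def accept(self, categories: Iterable[str]) -> None:
        """Opt in to specific optional categories; 'necessary' and unknown names are ignored."""
        chosen = {c for c in categories if c in OPTIONAL}
        self.granted |= chosen
        self._entry("accept", chosen)

    def accept_all(self) -> None:
        self.accept(OPTIONAL)

    def reject_all(self) -> None:
        """The deny-all choice is one click, exactly like accept-all."""
        self.granted.clear()
        self._entry("reject", OPTIONAL)

    def withdraw(self, categories: Iterable[str] = OPTIONAL) -> None:
        """Withdrawing must be as easy as giving consent (GDPR Art. 7(3))."""
        removed = self.granted & set(categories)
        self.granted -= removed
        self._entry("withdraw", removed)


def may_set_cookie(name: str, consent) -> bool:
    """Necessary cookies are always allowed; anything else needs an explicit opt-in."""
    category = COOKIE_CATEGORY.get(name)
    if category is None:
        return False                      # unregistered cookie: refuse rather than guess
    if category == "necessary":
        return True
    return consent is not None and category in consent.granted


def allowed_cookies(consent) -> list:
    """Names of the cookies the server may set for this visitor, sorted."""
    return sorted(n for n in COOKIE_CATEGORY if may_set_cookie(n, consent))


if __name__ == "__main__":
    visitor = ConsentRecord(policy_version="2022-08")
    print("before any choice:", allowed_cookies(None))
    visitor.accept(["analytics"])
    print("after opting in to analytics:", allowed_cookies(visitor))
    visitor.withdraw()
    print("after withdrawing:", allowed_cookies(visitor))
    print("\n".join(visitor.log))
```

The important property is that a visitor with no record at all (`None`) and one who clicked "reject" get exactly the same set of cookies; the record only ever widens what is allowed after an explicit, logged choice, and the log entry carries the policy version so you can later show which text the visitor actually agreed to.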

Wednesday, August 24, 2022

Measuring Company Reputation

One of the bullet points in the (ISC)2 Security Domain 1 (security and risk management) is risk analysis (yes, you with the beard in the back row, that would be under NIST 800-53r5 Security Domain 14). There are many ways to define it, but I will be lazy and steal the definition from NIST 800-160 because it is short and to the point:

Risk Analysis is the process to comprehend the nature of risk and to determine the level of risk.

We can subdivide this analysis into two groups based on the criteria we use in the decision process: quantitative and qualitative analysis. Without going over the details, the bottom line is that a lot of people ignore qualitative analysis because it does not directly tie into money: how can you ask executives for funding if you cannot provide a proper cost-benefit analysis? For instance, if you are asked to measure and tie to the yearly budget, say, your company's reputation (a topic picked out of the blue which has absolutely nothing to do with the title of this article), what would you do? After all, this is the typical topic qualitative risk analysis is built for.

The answer is that we can quantify it if we look at it in an indirect way. If you think about it, company reputation can be "itemized" by the things that affect it:

  • Your cyber insurance, which is affected by how good the insurers think you are at protecting your assets. So you can say "since we have not been breached in X years and we have a great security policy which is enforced and audited, our insurance is lower than our competitors'." Can you see how close this narrative now is to the one associated with the Annualized Loss Expectancy (ALE)? You may be able to ask the insurers to explain how a recent loss of personal data would affect the premium. There is no guarantee they will talk, but there is a compelling argument to work together to decrease their risk.
  • Customer confidence, which is affected by how many data breaches you have had, how you handled them, and how you deal with customers' data. This can be estimated by investigating the decrease in sales of other companies due to loss of personal data, including credit card info. People vote with their wallets, and with their letters to elected officials.
  • Your suppliers' confidence in you, which determines whether they will give you discounts, lower interest, and longer terms to pay your orders. If they do not trust you, they may say any bill is due on receipt. That affects cash flow in a very definite way.

Each of these, at the end of the day, affects the bottom line ($), which is what matters to upper management.

Sunday, July 31, 2022

Phone Privacy at DEFCON 30!

So our workshop on smart (I will keep a straight face here, just saying) phone privacy was accepted by the Crypto and Privacy Village at DEFCON 30. If you are there, we will be presenting it on Saturday, Aug 13th. As it will be only one hour, we strongly recommend first following the instructions in the co-author's GitHub-based wiki; this link is also in the official DEFCON announcement, but it is so important we would rather mention it a few times.

So, what is it all about?

Short version: how to make your smart phone more private and why you should care. I could elaborate on that, but this post is not about the contents of the workshop: go watch it and find out!

Anything useful you want to tell us?

People have told me I have some kind of fixation with bullet points; let's not disappoint them, shall we?

  • No pictures will be taken with my phone; I will be bringing a camera -- an ancient but trusty Canon ELF -- to take some pictures of the event. Yes, compared to modern smart phones its resolution is pathetic. But it has a real zoom, using real lenses, has no understanding of wireless file transfer (great during DEFCON), and does not keep you up at night when the vendor stopped creating patches for it. As this will be a real camera, not a smart phone, the pictures will not be posted in real time.
  • I was comparing our abstract with the other presenters' and realized ours is gigantic by comparison! This is not a size competition, and I realized it may end up being a bit of a turnoff. But there is some logic behind the madness: we really wanted to make sure people knew what to expect and that they need to prepare for the workshop. Which leads to...
  • The "talk" part of this workshop will be rather short because the main dish is the hands-on part.
  • If you want to get your hands dirty, bring an Android phone. Its two main requirements are
    • A phone you are fine with if it gets bricked. That can happen. And you can find out whether it does brick before attending the event, because we put the setup instructions in the wiki.
    • Ideally, you want to have a phone such as a Google Pixel (3 and above), OnePlus, or Fairphone. The main reason is that a lot of Android phones have a closed-source "blob" of code that is only updated for a brief period of time (a year? A week?), until not long after the replacement hits the shelves. However, we are not saying "for the best experience you should have bought the latest $1000 phone" (bonus points if you know where I took that from). We do think everyone should be able to strive for a privacy-focused phone (sounds like a tag line for a product, eh?). In fact, we will have a Pixel 4 to show things, but a Pixel 3 will work just fine and can be found for around $50 if you look hard enough. When I checked this morning, a used Pixel 4 was hovering around $100.
    • FYI, I have issues with the Google Pixel phones, primarily how hard they are to repair.
  • I would love it if we could make the phone fully private from a GDPR (we tend to mention it a lot in this blog, don't we?) standpoint, but that won't happen. Compounding that, some countries do not take your efforts to protect the privacy of your phone very kindly.
  • I really would like to thank the Crypto and Privacy Village for having us. This may sound like the typical fake message you associate with Facebook and LinkedIn, but for a change it is real. One of the hints is that I am not starting this thread with "I am excited that;" the truth is that we have been working hard and long hours on this, and the CPV crowd have put up with all of our stupid questions and rewrites and whatnot. And have not tried to strangle us!

Dude, I have an iPhone! What should I do?

Dude, I have no clue; I do not have an iPhone to research on!

Saturday, July 30, 2022

The private life of a privacy screen

Let's say you have a laptop which you take to libraries, coffee places, and other public locations to get fresh air and inspiration while you write away a new article or piece of code. How do you keep what you are doing to yourself?

You in the corner who said "VPN" (when you think aloud, you do think aloud), you are right. That helps with the network connection. But what about keeping the prying and curious eyes of the other customers of the same establishment off your screen? Yes, this time the answer is the privacy screen, which has not only been around for decades but is also the name of this post.

How good is a privacy screen?

Some are really useless. I remember from college one that was so bad the person using the computer could barely see what she was doing. It was just a step above bolting a steel plate to the front of the monitor; I guess if the user cannot see what they are doing, the same happens to the potential attacker, who then has to rely on keylogging and scanning the screen contents using software.

Others work well enough to be useful within some limitations. Case in point is the one I will be test driving today. Its brand is... well, I have no idea. I found it beside the trash can in an office once. It is one of the common polarized ones and had no scratches nor too many fingerprints on its surface. As it was larger than the (old) laptop monitor I wanted to use it on, I grabbed it. Then I cut it to size and secured it using Scotch tape (I am calling out the brand here because that is the roll I have).

It is one of those garden-variety polarized screens, which blocks the light if you move too far from being perpendicular to it. How far must you move from looking straight at it before the privacy part of the privacy screen is "engaged"? It depends on the make. Let's see how it works by simulating the kind of situation that can happen anywhere.

  • Here is a picture of it installed on the test laptop, which is currently set up to replicate that of Mort Villanous, an aspiring supervillain who is in some public library writing his current world domination plot. In fact, this would be the point of view of our evildoer in the making. Note the tape on the corners of the privacy screen.

    From his point of view, he can clearly see the screen and, as a result, work on his important and secret document. The eagle-eyed members of the audience may have noticed my exclusive and expensive camera cover; I will try to provide a link to it later on. But if you have to ask how much, you can't afford it.

  • Next let's pretend we are Tom Goodfellow, a secret agent tasked with observing what villainous things our villainous villain, Villanous, is up to. Wearing his trademark 30-gallon white hat, chaps, and 7 Gold Chains of Virtue, he discreetly approaches Mort from the right; this is what Tom sees.
    From his current point of view, the laptop looks as if it is turned off, as the surrounding background is reflected on its black screen. That won't do.
  • Knowing Mort has not noticed him yet, Tom heroically slides a bit closer to the aspiring villain. This time the privacy screen proves no match for the hero's eyes, as at this angle it exposes a hint of an evil deed in the making, namely a document that is open and being worked on: he can see there are words written using different font sizes, but he still can't read them. These clues tell Tom he is dealing with a polarized privacy screen!
  • Emboldened with confidence and knowledge of how this kind of screen works, our hero inches even closer to the villain. And he is rewarded by finally being able to begin reading the contents of the document!
    Unfortunately, the secret agent made the typical hero's mistake. Being a bit myopic, he leaned too far towards the computer. As a result Mort Villanous not only heard the gentle clanking of the secret agent's gold chain as it touched the table, but also felt it crushing his arm. Now aware of the presence of his enemy, Mort immediately closed the laptop, shouted "Do you mind?" ignoring proper library etiquette, and walked away.

Moral of the Story

Whether you are plotting to rule the world or just trying to read email in peace at a public location, getting a privacy screen is not a bad idea. However, test it first to see how large its "non-private" region is, so you can plan where you will be sitting and what will be behind you.

Thursday, June 30, 2022

You may Unsubscribe, but give me your Personal Data

I signed up for some online three-hour class two weeks ago. It was good, and the instructor did end it with the usual upsell you expect in some of these classes. I cheerfully turned it down.

Also as expected, I started receiving emails from this instructor about new classes and programs. I ignored them for a week, until last Monday I decided I was getting too many sales emails from him and wanted to cut it down. So I clicked on the "click here to unsubscribe from this list" link, which is a trackable link, as expected: I would expect the link to know I am the one who wants to be removed from that list.

Well, the link led me to the following page; I did remove the top banner identifying the third-party company being used, and my name and email, which were automagically autofilled. But below is what the form looks like in all of its glory:

This form caused a few questions to pop in my head:

  1. Why is there no reference to the instructor, his business, or something that refers to the mailing list? It is not like I erased that before posting. This sure looks like a great phishing page, but what do I know?
  2. Note that it asks for my address and phone number. Why does it need those? I mean, when I signed up for the class I did not need to provide either; so why now?
  3. Who is collecting this information: the instructor or this third party?
  4. Why is it called Update Information? I am here to unsubscribe from a mailing list!
  5. Why is a button called Update Information the default choice on a page you supposedly use to leave a mailing list? This is a classic example of a Dark Pattern in use, steering the user towards a less privacy-conscious option.
  6. Why would I want to update personal information to unsubscribe from a mailing list? In fact, let me put on my GDPR hat and say there is no lawful basis for this form to collect (and process) personal data beyond the email address (Articles 5 and 6, and Recital 39). I have belonged to many mailing lists that require just the email or a username/password pair to leave them.
  7. Given there is no lawful basis to collect the personal data mentioned in the previous question, the only other option is consent. GDPR Article 7 is very particular about how consent should be given and taken away. Is this form's request for consent presented in a clear manner, distinguishing it from other items in the same form (Art 7.2)? And does it indicate a way to withdraw this consent that is easy to use (Art 7.3)? Finally, is it freely given (Art 7.4)? Looking at the form I have no idea whether I am freely giving it or I am required to, so the answer is no.
  8. Besides the company's banner, which is not a link to their website, and the buttons below, is there a way to interact with this website (say, to contact someone) and its owner? As far as I can see, none.

Given all the questions raised above, it seems that the safest and most privacy-conscious way to leave this mailing list is to tell my mail client to label any future email from that list as spam.

Moral of the Story

If you are going to provide some kind of mechanism for people to unsubscribe from your newsletters, please keep it simple, clear, and transparent. If it also doubles as a way for users to update their info, label what is required for unsubscribing and what is used for updating profile/account info. And do not try to sneak in the collection of personal data.