Why Firesheep’s Time Has Come

This is what it takes to effect change…Sharable Shortlink

At Noon on Sunday, October 24th, 2010, during the final day of the 12th annual Toorcon Security Conference held in San Diego, two Seattle, Washington-based hackers, Eric Butler and Ian Gallagher, brought web session hijacking to the masses with their release of “Firesheep” … and the world was changed forever.

In case you’ve been somewhere off the grid, and have somehow missed the news, Firesheep is an incredibly easy to use add-on for the Firefox web browser that, when invoked while connected to any open and unencrypted WiFi hotspot, lists every active web session being conducted by anyone sharing the hotspot, and allows a snooping user to hijack any other user’s online web session logon with a simple double-click of the mouse. The snooper, then logged on and impersonating the victim, can do anything the original logged on user/victim might do.

Firesheep’s creators will be the first to tell you that what it is doing is not rocket science. The hacking capability to do this has been known and freely available within the hacking community for many years while the security community has been screaming into deaf ears about the need to fix the easily remedied configuration problems that make this possible. But thanks to Firesheep, reports are now coming in of people seeing other people using Firesheep in public WiFi hotspot settings.

Foreseeably, we will soon be hearing reports — many reports — of all sorts of mischief befalling the accounts of innocent users after they logged onto their accounts from open and unencrypted WiFi hotspots. At that point the implications of these long-standing security issues will finally hit home… and loud end-user complaints will drive the long-awaited changes the security community has been seeking for years.

The ease and simplicity of using Firesheep has transformed web session hijacking from a mysterious command-line driven black art into something for the masses. This is huge.

To get some sense for just how huge this is, check out the current download count of Firesheep at its download page: http://github.com/codebutler/firesheep/downloads After half a minute, press your browser’s page refresh to see how many more copies were downloaded just while you were looking at that first count.

I said above “the world was changed forever” because I can’t see how it could remain the way it has been in the face of point-and-click web session hijacking.

What needs to change? … Exactly two things:

  • 1. WiFi hotspots must encrypt. Period. They can still remain free and open, but they must use WPA encryption to protect their users from casual eavesdropping. As I wrote in my previous blog posting, this is not difficult. The hotspot’s WPA password does not need to be secret in order for all of the hotspot’s users to be protected from casual passive eavesdropping by each other and any other outsiders. For example, Starbucks could simply adopt the password “starbucks” throughout their entire coffee shop chain and have it known to all users. Users get the benefit of knowing that their traffic is encrypted in return for the minor one time burden of entering the “starbucks” password when prompted by their computers.

    Is this perfect protection? No. Because robust endpoint authentication will always be missing from any public-access WiFi system, complex active “man in the middle” attacks can still be mounted, but simply switching to encrypted WPA protocol raises the attack bar very much higher with near zero effort. And, importantly, switching to WPA encryption can be done immediately to offer significant protection to ALL users of such encrypted hotspots, not only just those who might be targeted by Firesheep. It’s just the right thing to do, and it’s SO simple.

  • 2. The bigger change that must also be made is for all vendors of web services to switch their connections over to using the SSL/TLS protocol exclusively. Only inertia and laziness has prevented this from being done long ago. It is my hope that the appearance of a tool as popular and easy-to-use as Firesheep will provide the incentive that has been missing for so long. The mischief it will cause should cause end users to demand this enhanced security from their web service vendors.

    Even when a user is not in the process of logging on, they have a reasonable expectation that their interactions with a remote server will be relatively private, not literally broadcast to anyone with an antenna … like a passing Google mapping car. And when those interactions contain the user’s logged on state cookies, as they must for the user to be recognized as currently logged on, a user’s unencrypted session becomes readily hijackable and hackable, making the situation even worse.

Isn’t switching over to SSL/TLS difficult and expensive?

No. The belief that switching to using pure SSL/TLS is any burden was obsoleted years ago with the addition of SSL/TLS Session Resume. Session Resume allows a particular client and server to perform the high-overhead public key negotiation just once (which they always need to do during the secure SSL/TLS logon anyway) and to then reuse those negotiated credentials for all future SSL/TLS connections being made. Since the credential reuse duration is typically 24 hours, very little additional burden is placed upon either the client or the server as a consequence of using SSL/TLS pervasively across a web site … always and for everything.

ALWAYS Authenticated & Encrypted – It’s WAY past time.

The idea of using SSL/TLS pervasively has been growing slowly but has, until now, been slow to catch on due to inertia more than anything else. Various client-side add-ons, such as the Electronic Frontier Foundation’s (EFF) HTTPS-Everywhere add-on, or Force-TLS, attempt to induce the client to push for SSL/TLS from its end. And the emerging HTTP Strict Transport Security (HTTP-STS) extension would allow web sites to enforce their own intention to only accept secure connection from clients.

This is all good, but someone needs to light a fire under the WiFi hotspot providers and web service vendors to make this happen … which is precisely why I am so pleased that “Firesheep” has finally happened.

The ground has already been prepared for the move to pervasive authentication and encryption. Let’s hope that the user, press, and provider communities will become upset enough over the appearance of Firesheep that these long-awaited security changes will finally be made. If that could happen, the world wide web be a far better and more secure place to hang out and play.

Steve's Sig

Posted in Uncategorized | 73 Comments

Instant Hotspot Protection from “FireSheep”

What any open hotspot can do to protect its usersSharable Shortlink

Amid all the fury over the release of Firesheep, no one else seems to have noticed, or at least mentioned, that the only thing any WiFi hotspot needs to do to protect its users is activate WPA encryption using any simple publicly-known password.

For example, Starbucks could simply set their password to “starbucks”, Peets Coffee to “peets”, Panera Bread to “panera” … and every user of those free wireless hotspots would be protected from the Firesheep threat … and from much more. Or, by general agreement, all free and open WiFi access points could simply use the password “free”, which would work just as well.

As long as the universally supported WPA encryption protocol is used, each individual user receives their own private “session key” that absolutely prevents eavesdropping between users, even through they are all using the same WiFi password.  It’s just that simple.

Hotspots only need to switch from “no encryption” to WPA and post or publish any static WPA password … and a large part of the problem, and more, is solved.

I have posted a following-up to this blog posting with a detailed look at Firesheep, and why I think it is such a fantastic thing to have happened. But before I wrote that I wanted to quickly publish the idea of simply encrypting with WPA under any simple static password, since that will instantly lock down any public WiFi hotspot.

Steve's Sig

Posted in Uncategorized | 112 Comments

iPhone 4 External Antenna Problem

What the evidence indicates is going onSharable Shortlink

On Friday, June 25th, I tweeted a link to a YouTube video created and posted by one of my Twitter followers — @antio — whom I have every reason to believe is legitimate and well meaning. In this brief (53 second) video we see a convincing and rather horrifying demonstration of what appears to be a serious design flaw in the brand new iPhone. For your reference, here’s the YouTube video link:

iPhone External Antenna ProblemiPhone 4 Antenna Problem is Caused By a Design Flaw, Not Signal Blockage

Mentions back to me from new iPhone 4 owners were mixed, with some confirming Anthony’s demo and others unable to confirm it and being suspicious of the results.

However, as an engineer I can propose a useful theory to explain what everyone is seeing, and not seeing — and even why Apple shipped the iPhone as it is — as follows:

Simply stated, Apple’s “5-bars” cellular signal strength display is not showing the full range of possible, or even typical, received cellular signal strength. It is only showing the BOTTOM END of the full range of possible reception strength.

In other words, say for example that the iPhone is able to deliver a good clear conversation when receiving only 5% of the signal strength that you might have when standing in the shadow of a cell tower. Even though 5% signal strength is far less than 100%, if it delivers a strong and clear conversation, it’s enough. So Apple’s engineers calibrated their digital “5-bars” digital display to show all 5-bars at any signal strength from 100% all the way down to 5%. It’s only when the received signal strength begins to drop below 5% that conversations suffer, calls get dropped, and Apple starts to take bars away from their 5-bar display.

Now imagine that “bridging” the cellular and WiFi antennas by placing one’s hand across the black insulating antenna gap causes a 5% drop in received signal strength.  If you initially had, say, 80% strength, now you would be down to 75%… and you’d still have all five bars, since you still have way more than the 5% required for clear calls.  Thus, you would see and hear no effect from either deliberate or inadvertent antenna bridging.  But if you only had 5% incoming signal strength with the antenna completely in the clear — thus no remaining signal strength margin even though you were seeing 5-bars — and you then bridged the antenna, dropping the signal strength by 5% down to 0% … you would see exactly what Anthony’s video demonstrates.

It’s unfortunate that we don’t have a useful “full range” signal strength display showing us the true received power throughout its entire possible range from 100% all the way to 0% — because I believe there would be much less confusion if people could see what was actually going on.  But for now we don’t.

Whatever the case, it does appear that Apple’s latest phone, with its externalized and perhaps too accessible antennas, should be wrapped in an insulating case of some sort in order to not only keep it safe from bumps and bruises, but also to allow its antennas to operate without the attenuation created by direct contact with the phone’s owner’s body.

UPDATE: Don’t miss the comment to this posting by Simon Byrnand who adds some great real world numbers and confirms my engineering theory.

Steve's Sig

Posted in Uncategorized | 1,593 Comments

HCP 0-Day Quick Fix

ONLY NECESSARY for Windows XP and Server 2003Sharable Shortlink

UPDATES:

  • As predicted, very soon after news of this new vulnerability became public, exploits began appearing on the Internet. We have no way of knowing how long Microsoft will take to fix this through their automatic update system, especially considering that news of this unfortunately coincided with their most recent “patch Tuesday.” So fixing this yourself is even more important.
  • Microsoft has produced one of their quick “FixIt” buttons that will perform the Help Center neutering functions (originally described below) automatically. We recommend doing this sooner rather than later: Help Center Vulnerability FixIt.

A bit of background:
On Saturday, June 5th, Tavis Ormandy, a security researcher employed by Google, provided acknowledged proof to Microsoft of a previously unpublished and unknown vulnerability affecting the XP and Server 2003 versions of Windows (neither Vista nor Windows 7.)

Then, five days later, breaking from the “Responsible Disclosure” tradition of providing a software publisher time to research and repair the problem prior to disclosing its existence to the world, Tavis did just that in a high visibility posting on Thursday, June 10th.

A predictable fracas has arisen because Tavis’ employer, Google, and Microsoft are increasingly seen as competitors in “the race to the cloud” as personal and corporate computing move from the desktop and into “the cloud” of the Internet and the Web.

For his part, Tavis appears to be no big fan of the Responsible Disclosure paradigm, preferring the “Full Disclosure” approach. Tavis suggests that anyone interested consider the published opinion of the much-respected security researcher and cryptographer, Bruce Schneier:
http://www.schneier.com/essay-146.html
http://www.schneier.com/crypto-gram-0111.html#1

Tavis attempts to explain that he performed this research — and made this disclosure — on his own behalf and not under the auspices of his employer, Google. But neither he nor Google are getting off so easily. (It occurs to me that he could have easily made the disclosure anonymously if he had wanted the information out there without dragging Google into the controversy. But, for whatever reason, he chose to employ his public persona.) Microsoft has also gone public with their unhappiness, making it clear that Tavis is a Google security researcher.

Why does any of this matter to us?
Unfortunately, the surprising amount of noise created by the details of this disclosure have lifted “just another 0-day vulnerability” (which would be bad enough all by itself) well into the spotlight, making it all the more likely to be exploited. Google News (note the irony) currently finds 207 separate articles on this topic! How can malicious hackers resist this one? They won’t.

And the second bit of bad news is that this is the worst sort of vulnerability: Trivial to cause malicious code to run on the users’ computer, with a public, very complete and thorough description including sample code. Since Microsoft was given very little notice, and since their monthly “Patch Tuesday” occurred just two days before the vulnerability disclosure, it’s unclear whether the world of XP users will need to wait a month, more than a month, or less … But it could be a while.

Therefore, XP users may wish (and would probably be well advised) to immediately disable their system’s “hcp” protocol handler simply by renaming its Key in the Windows registry. (I prefer renaming, Microsoft offers several more complex workarounds. See the link under “Workarounds”.)

If you choose to follow my simple renaming suggestion, do the following:

  1. Run XP’s “Regedit” registry editor by clicking on “Start” then choose “Run”, enter “regedit” in the Open field, then click “Ok.”
  2. Find the “HCP” protocol key by searching the registry: Using the Regedit application, select “Edit” from the menu, then “Find…” As shown in the sample below, enter “HCP” into the “Find what:” field, then uncheck “Values” and “Data” and check “Match whole string only”. With the “Find” dialog set as shown below, click the “Find Next” button…

    Find the HCP Key…some time will pass while Windows searches through the registry to locate the “HCP” key…

  3. Once the search stops, you should see the “HCP” key highlighted as shown below:

    Found the HCP Key

    Verify that the correct “HCP” is highlighted by checking the lower-left status line which should show “My Computer\HKEY_CLASSES_ROOT\HCP” just like the sample above.

  4. Right-click on the “HCP” key, choose “Rename” from the pop-up menu, then change the key’s name to “HCP-OFFLINE” (or whatever you like other than “HCP”).

Following the simple instructions above will immediately (no reboot required) eliminate your system’s ability to launch the vulnerable and defective Help Center application in response to an “hcp://” style URL link — now you’re safe. That’s what you want until Microsoft updates and repairs the newly public vulnerability in Windows Help Center.

You can test it too!
If you’re a belt & suspenders sort of person (as I am) you can test your system’s vulnerability to the exploit both with the “HCP” key named “HCP” and also “HCP-OFFLINE” (or whatever you may have named it). Under the “Consequences” section of Tavis’ original posting to seclists.org, he provides proof-of-concept links for users having IE7 and IE8 (and the IE8 link was effective with my Firefox system).

But please remember!, this is admittedly a horrendous kludge that you will need to remember to “undo” — by restoring the renamed HCP key back to “HCP” once Microsoft repairs their code. Still, it’s all we have for now and it’s arguably better than having our machines taken over remotely.

Steve's Sig

Posted in Uncategorized | 76 Comments

FLASH Adobe Forward to v10.1

Consider immediately upgrading to Adobe Flash v10.1.Sharable Shortlink

June 10th, 2010 UPDATE:
Adobe dealt with the recent problems in v10.0.x.x of their always-troubled FLASH player by dropping it in favor of releasing v10.1 (Get v10.1 Here). Since this page had recommended doing exactly that four days earlier, anyone following this advice is already protected.
Note, also, that Adobe now says that the troubles with Reader and Acrobat will be allowed to persist until June 29th. So you should follow the recommendations below about Reader and Acrobat if you wish to protect yourself until those are updated.

Flash Broken AgainSECURITY ALERT: The threat posed by the new zero-day (no warning, discovered by its active exploitation “in the wild” against users) flaw in all released versions of Adobe’s FLASH player — on all OS platforms — which can also be vectored through malicious PDF files to invoke FLASH, appears to be growing rapidly.

The bad guys are jumping on this one hard and fast.

Given that Adobe first learned of this problem a little after 10 AM Friday morning, June 4th, and that their quickest previous response to a similar threat was 15 days, the world may be waiting several weeks for a fix from Adobe.

Two things must be done for you to be safe:

• First: The good news is that the next major release of FLASH, version 10.1, is reportedly NOT vulnerable to this attack. Although v10.1’s release is not yet official, it has had seven release candidates and is currently very stable and usable. Therefore, anyone whose Internet usage might subject their machines to malicious FLASH content (depending upon how widely you surf the web) would be well advised to install the next major release of Adobe’s FLASH player, version 10.1, immediately. You can find additional information, and everything you’ll need at the following Abode Labs link:
http://labs.adobe.com/technologies/flashplayer10/

• Second: (Windows ONLY) Both Adobe’s Reader and Acrobat contain their own built-in and equally vulnerable copies of FLASH in a file called “authplay.dll” (and most people have Adobe’s free Reader installed.) This allows PDF documents to contain and “play” embedded FLASH content — even though only malicious hackers ever do that. If by any chance you are still using version 8 of Reader or Acrobat, you are safe. But any 9.x and later versions are vulnerable. Therefore, the best thing to do would be to rename any copies of “authplay.dll” on your system to “authplay.xxx” so that your system won’t be able to find them. Once new versions of Reader and Acrobat are available they will bring a repaired copy of “authplay.dll” and all will be fine (at least until the next vulnerability is found). The “authplay.dll”s are typically found at:
C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
You may also wish to search your system drive for any files of that name and rename them. Adobe’s vulnerability advisory is available here:
http://www.adobe.com/support/security/advisories/apsa10-01.html

Steve's Sig

Posted in Uncategorized | 120 Comments

Pads ARE Next

They’re being called “Media Tablets,” I call them the future.Post’s Permalink

Announcing my new “Pad-oriented” Twitter Account: @SGpad
I am splitting my Twitter Tweeting into two separate accounts: @SGgrc for non-Pad notes, thoughts, comments, observations and news… and a new account: @SGpad for Pad-specific content — And I don’t mean only “iPads,” I mean ALL pads. If the industry’s new “media tablet” computing phenomenon leaves you cold, please do not follow me at @SGpad — I don’t want to worry that I’m annoying you with endless drivel about which you couldn’t care less. But if you ARE as interested in the birthing of this truly significant new computing paradigm as I am, please DO follow me at @SGpad — and I won’t worry about pad oversharing. :)

It is so rare for us to be present to witness the birth of a major new computing paradigm. But we are at the beginning of one today. “Pads” are no more a passing fad than the Internet. A portable, long battery life, instant-on, color, responsive personal tablet that’s always connected to the Internet makes so much sense. Apple has demonstrated a new product category and most of the world has “gotten it” instantly.

Whether you’re a staunch Apple advocate who waited in line to be among the first to acquire an early iPad, or if you are holding out to see what’s next from Google with Android, RIM’s Blackberry pad, Hewlett Packard’s WebOS pad, or who knows what … pads are happening.

My previous posting “The Obvious Genius of iPad” outlined why I believe the “pad” paradigm represents a major breakthrough for the personal computing industry. You have likely heard by now that Apple sold more than 2 Million iPads in less than the first two months of the device’s availability. Analysts are now scurrying around revising their “numbers” (way upward) in the wake of that news. And we’re seeing a stream of articles by people who, after using their iPads somewhat skeptically at first, have confessed their conversion (much as I did after a few hours).

(I initially purchased the cheapest iPad since “Jobs was not going to get me.” But after playing with it for three hours, I jumped online to pre-order the most expensive one since… “this thing rocks!”)

Again, note that when I say “pad” I am deliberately NOT saying “iPad.” My intention is to use the generic term “pad” to refer to any long battery life (all day), instant on (very long standby), cellular connected, thin (pad-like) portable device which is more oriented toward consuming Internet media than producing it.

Although Apple showed the way with their iPad, this new product category will be getting very crowded very quickly. There will inevitably be many failures along the way, with companies throwing anything they can cook up against the wall to see what sticks. (And, believe me, there will be some real stinkers.) But don’t let the many failures confuse you; this is a bona fide new personal computing category that everyone wants in on, and there will be room for as many players as there have been for laptops … if not more.

I have spoken my peace on the topic for the time being, so I won’t be belaboring the point endlessly here. You know what I believe. If you do want to follow along with my future discoveries and observations, my new Twitter account @SGpad, will make that easy.

Whatever happens, and however it all shakes out, I know we’re in for some great fun!

Steve's Sig

Posted in Uncategorized | 41 Comments

The Obvious Genius of iPad

Thank goodness Apple can’t patent what it got right…Post’s Permalink

…because now the entire world “gets it” and we’re off to the races. In plenty of time for Christmas 2010, Apple’s iPad will only be one among many successful tablet devices.

Why? Because although no one else saw what to do beforehand, everyone can see what to do now. Now it’s obvious. Apple deserves genius-level credit for showing the way, but has no means for preventing everyone else from following. And follow they will. As many as 40 me-too pads are already in the works. They won’t all acquire critical mass, but many will. And many will dramatically undercut the cost of Apple’s higher-end iPads while offering significant additional features.

Pads, “i” or otherwise, can obviously succeed merely by up-sizing a touch-based smartphone OS — just as Apple did. Today we have Google’s already successful Android OS with deployment in smartphones now exceeding that of the iPhone. And we have the might of Hewlett-Packard to bring Palm’s WebOS to market. Both alternatives are ready-to-scale touch-based operating platforms capable of driving any non-Apple pad. And that’s precisely what they’re going to do.

Apple’s biggest problem is that the iPad was only incredible until the first moment of its existence. This explains why the world was instantly split in its opinion of the device. Yes, it’s spectacular, and also … No, it’s not.

Do I love my two iPads? Absolutely — more than any other gadget I can remember. But that’s only because, today, the iPad is the only pad available. A year from now I may well be more in love with an Android- or WebOS-based pad — because it’s the “Padness” that’s the point. And the likelihood of my disaffection from the iPad is increased dramatically by Apple’s self-defeating decisions, such as its obvious war with Adobe creating serious product deficiencies. Steve Jobs exaggerated when he said the iPad gives us the whole Internet. Without Flash, parts of the Internet everyone else has are offline and out of reach. And, of course, Apple’s famously horrible single-carrier (U.S.) choice of AT&T demonstrates just how much pain, and how high a price, the world is willing to pay to have Apple’s goodness. But that undeniable hubris only succeeds in the absence of alternatives.

There can be no denying that Apple does may things right. But in return for delivering world-class fit and finish Apple extracts a steep price from the consumer. And it’s not just the one-time cost of the device at retail, but the ongoing cost of having an important piece of highly used technology locked up behind the wall of iTunes. This operational model made sense when iTunes only provided DRM (digital rights management, i.e. copy-protection) for iPod music. And it still mostly worked after the iPhone and the App store were added. But for a device that is trying so hard to be a computer, locking up the iPad behind iTunes really starts to chafe.

So for the record, to help all of the me-too pads also get it right, exactly what did Apple get right?

• More than any other single thing, what Apple got right about the iPad is its more than twelve-hour battery life. People feeling the heft of the iPad for the first time are often a bit surprised by its weight. It weighs what it does because the iPad is best described as “a large flat battery with a screen.” If you’ve seen photos of the iPad’s innards you’ll have noticed that the entire interior, except for a small processor board, is filled by two batteries. That all-day-sucker battery life, coupled with cellular connectivity, dramatically increases the device’s value and utility.

• Long-term standby or “Instant On” [I added this 6/1/2010 since I forgot it initially!]
Just the thought of waiting to boot a Windows laptop is enough to squelch quick and casual connection to the Internet. So the importance of the iPad’s “instant on” always-ready-to-go availability cannot be overstated.

• The stunning In-Plane Switching (IPS) LCD display is another of those subtle things that Apple’s engineers got right. The color-faithful wide viewing angle of the iPad’s display lends a great deal to the feeling that this isn’t like other screens.

• And the “central committee” design of the iPad’s user interface delivers a uniquely coherent, highly usable, largely discoverable, and infrequently frustrating user experience. This is very important, and it is where the me-too wanna be pads are most likely to suffer: Android based pads, being inherently open and highly ad-hoc, are likely to be, like the Android phones, sort of a mess.

Regardless, non-Apple pads will be here very soon. They will be much less expensive, much less restrictive, loaded with many more features, and could arguably be called the pads for the rest of us. Until then, I’ll be using and loving my Apple iPads, not because they are from Apple, but because Apple was absolutely right about the previously unappreciated need for a large-screen, long battery life, touch-based Internet-connected appliance. That’s all the iPad is; nothing more, nothing less. Not magic, but a touch of obvious genius that everyone else now sees.

Steve's Sig

Posted in Uncategorized | 82 Comments