Category Archives: News

Ready to take the red pill? Catch up with Keren Elazari at Sophos Evolve

Keren Elazari is a cybersecurity analyst and senior researcher at the Tel Aviv University Interdisciplinary Cyber Research Center. She focuses on hackers and technology, and their social implications.

Keren believes, just like Neo in The Matrix, that the cybersecurity industry is facing a simple choice.

Keep doing the same things, and thinking the same ways… or take the red pill.

Wake up to a new reality, and learn to think like a hacker.

At the recent Sophos Evolve Cybersecurity summit, Keren delivered an urgent dissection of cybersecurity in the age of COVID-19.

If you missed out, watch the recording and check out our key takeaways below:


A cybercriminal renaissance

Keren shared that the pandemic has created a ‘cybercriminal renaissance’, as highly organized attackers take advantage of the increasingly sophisticated, collaborative nature of the malware ecosystem.

We all remember the flood of malicious emails released by criminals as the world went into lockdown.

Mimicking genuine correspondence from trusted bodies – including the US Department of State and the UK Government – attackers tried to trick readers into parting with personal and financial information, or opening malicious documents. Often these emails were just the first step in a sophisticated, multi-stage attack.

But if cybercrime has thrived during the pandemic, it’s not just because criminals have been able to capitalize on confusion and concern. COVID-19 has also created more potential attack vectors, by effectively dissolving the line between our personal and working lives.

Keren shared the sobering results of a recent survey of remote employees. It found that:

  • 77% use insecure, unmanaged personal devices to access corporate systems.
  • Nearly all have reused passwords across applications and devices.
  • 29% of parents working from home admit to letting other family members use their corporate devices.

In this new world of ‘hybrid work’, personal laptops access corporate networks, corporate devices help educate children, and the old-school cybersecurity perimeter has vanished.

Our ‘personal digital republics’ – the online services, devices, and connectivity options we use as individuals – have become part of the extended enterprise network.

The new cybersecurity reality

For organisations facing up to this complex challenge, Keren shared some practical advice.

In the short term, it would be a very good idea to re-educate your employees on cyberhygiene – including the basics, like using different passwords, and putting up with the extra friction of multi-factor authentication.

Keren also recommended that organisations reflect and prepare. They should ask where effective security controls can be located – and how they can create a future-proof defence strategy that functions at an ecosystem level, not at the level of point solutions.

Finally, Keren urged organisations to look to what she calls the friendly hacker community for a better understanding of the tactics used by their attackers, as well as for support.

Use the hacking community

Today, many leading brands – from Google to GitHub, and Samsung to Starbucks [Editor’s note: and Sophos] – run bug bounty programs, rewarding friendly hackers for finding and reporting security issues.

Since the pandemic began, many bug bounty programs have reported more vulnerability submissions, from more hackers, than ever. As Keren put it, “It turns out that being locked down at home is actually very productive for friendly hackers.”

These friendly hackers already provide an invaluable resource for organizations as diverse as Tesla and The Pentagon. Both challenge top hackers to test their systems, and reward them with ‘challenge coins’ in recognition of their skills.

One friendly hacker, Jack Cable, collected all three of The Pentagon’s challenge coins while still at high school. He now teaches at California’s Stanford University, showing students how to find vulnerabilities, collect bug bounties, and generally be a hacker ‘hero’.

Keren also highlighted how friendly hackers have been performing plenty of heroics during the pandemic – not least by reporting vulnerabilities in French and British COVID-19 apps.

As the cybersecurity industry continues to contend with a serious skills gap, Keren believes friendly hackers are set to play a vital role in its development.

When I go to DEF CON, I don’t see 30,000 criminals. I see 30,000 passionate, creative, clever individuals that can help us build a safer future.

In closing, Keren left us with that simple question, addressed to the cybersecurity industry as a whole:

Is now the time to keep calm and carry on, and continue doing the same things we did last year, or two years ago?

Keren’s own answer?

I think it’s time to step up to the challenge. It’s time to take the red pill, wake up to this new reality, and use the friendly hacker mindset to build our immunity, together.



Naked Security Live – Don’t let digital jokes turn into digital disasters

Here’s our latest Naked Security Live talk, where we talk about the difference between online “secrets” that aren’t really secret but were hidden away to be found as a bit of fun

…and genuine secrets, such as passwords and encryption keys, that get “hidden” away in apps or websites in the hope that they won’t be found and abused.

Hardwired passwords and encryption backdoors can never be considered secure, in much the same way that leaving your house key under the doormat isn’t secure.

Once someone figures out the “secret”, everyone knows it and anyone can abuse it.

Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.


US administration adds “subliminal” ad to White House website

Hidden messages, features or jokes in apps and websites are commonly known in hacker jargon as easter eggs, because they’re supposed to be found and enjoyed, but they’re not supposed to be immediately obvious.

One of the most famous easter eggs in commercial software history – if not the most complex – was the hidden flight simulator (really!) in Microsoft Excel 97.

How to fly in Excel 97. Open New workbook. Hit F5. Type in L97:X97 [Enter][Tab]. Ctrl-Shift-Click on the Chart Wizard icon. Fly using mouse. Hit [Esc] to end.

Sometimes, amusingly, it wasn’t games hidden in business apps, but business apps hidden in games.

One of the most famous computer games in software history, the first IBM PC version of Tetris, had a hidden spreadsheet as its easter egg, or more accurately as its boss mode.

Boss mode, activated with the boss key, often Ctrl-B or Alt-B so it was quick to type, popped up a more dubious sort of easter egg intended as a decoy.

Boss screens were meant to cover the display instantly with what might just about look like real work if your boss suddenly appeared on the horizon.

Not the most convincing decoy in the world, even for a US company.
Tetris boss screen “spreadsheet” app.

As you can imagine, hidden and undocumented code of this sort is not as common these days, because it’s not a terribly good cybersecurity look.

After all, if there’s a whole flight simulator hidden behind some sort of esoteric incantation involving the keyboard and the mouse (in Word 97, the easter egg was a pinball game), how well was it tested?

How thoroughly was the code reviewed? How official was the process by which the code was added to the source tree? What else was snuck in there by developers and never noticed at all? Did the person who approved the digital signing of the shipped software even know that easter egg code existed? Are customers entitled to official support and patches for the easter egg? If not, why not?

Having said that, even the very latest version of Microsoft Edge contains an openly secret surfing game that you can access by visiting the special URL edge://surf:

Surfing in Edge. (Screen grab from Edge for Linux 89.0.767.0.)
Click the three-lines menu for a choice of game types.

Likewise, many websites contain harmless jokes and messages, often inserted into the HTTP headers added to the reply, rather than in the body of the HTML data itself.

Marvel’s website adds a header to tell you which comic book hero the server you visited is named after.

In this HTTP connection, it was She-Hulk who replied to us:

WordPress tells you where to find job openings:

Well, it turns out that the new 2021 White House website added a job ad, too, presumably hoping to get some publicity and to attract job applicants to the US Digital Service (USDS).

The USDS describes itself as a part of the public service that aims to use “design and technology to deliver better services to the American people”, and its goal is to attract at least some of those technophiles that might otherwise be lured to join the fast-paced, dollar-sign world of commercial cloud-based products and services.

After all, today’s technology business juggernauts are in a position to offer eye-watering starting salaries and the promise of fast-paced, ever-changing coding challenges based on the very latest hardware platforms and programming languages.

Even the processes and procedures they use feel cooler and more progressive than anything you might expect in a “government job” (you’d be wrong, but it’s a perception we’ve heard often enough).

It’s astonishing how much cooler terms like methodology and paradigm (or rules and regulations) sound when you replace them with funkier contemporary nouns and epithets instead.

Who wants to use the tired-and-turgid waterfall methodology when they could be using extreme devops techniques with continuous integration, and seeing their code shipping in days or weeks rather than in months, years, decades or never?

Who wants to work on ancient code decks (decks! the word itself harks right back to punched cards!) written in all-caps COBOL when they could be learning and using the new darling language of the programming world, Rust?

Heck, Rust’s logo is a stylised bicycle chainring, and it’s a funked-up chainring, too, like the sort of front sprocket you’d put on a trendy fixie and not on a conventional bicycle.

Rust chainring logo.
Good luck finding a chain to fit and a rear sprocket to suit.

Note to hipster Rust fans. That chainring is a bit too small for a practical road-going bike, assuming you could get fixie cranks it would fit onto, and even if you were to use it with the dubious choice of 12T at the rear; the teeth are quite the wrong shape to carry a roller chain; and its unbalanced design suggests an inherent structural weakness that would surely lead to potentially catastrophic failure during a critical braking manoeuvre on a hillbombing run. But perhaps those are all metaphors that were deliberately hidden in the logo right from the start, as a sort of easter meta-egg?

Of course, the cool life of a commercial coder isn’t for everyone.

For some techies, that sort of job isn’t so much cool as cold; isn’t so much meaningful as mechanical; and isn’t so much about building for the future as it is about delivering ROI right now.

Presumably, that’s the sort of person that the USDS was hoping to appeal to with its latest job advertisement…

…which was embedded as an HTML comment at the top of every web page on the new administration’s White House website:

USDS job ad in White House HTML source code. Use Ctrl-U in Firefox to see the code yourself.
The text in the highlighted tag is an HTML comment so it does not appear on screen in the page that’s displayed.

What can we learn?

Easter eggs of this sort are good fun, given that they’re ultimately meant to be found and don’t contain any information that’s supposed to be confidential.

But they do teach us an important cybersecurity lesson about embedding genuine secrets such as hardwired passwords and backdoors: DON’T DO IT!

As this case makes abundantly clear, given how quickly it was noticed and publicised, trying to keep digital secrets by relying merely on them “not being noticed” will not protect you at all.

Once your backdoor is discovered, you’re not only stuck with it, but also have to assume that the whole world knows about it.
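One way to turn that lesson into a pre-publication check, as an added example that is not from the article or from any of the sites it mentions: collect a page’s HTML comments and inline scripts, leave harmless easter eggs alone, and flag anything that looks like a credential. The sample HTML, the URL and the key value in it are all constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not any real site's source): a harmless easter-egg
# comment alongside the kind of "hidden" secret that must never ship.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<!-- Hi! Want to help build a better site? Join us: https://example.invalid/apply -->
<!-- TODO remove before launch: admin password is Winter2021! -->
<script>
  // debugging only
  var api_key = "sk_live_EXAMPLE0000000000000000";
</script>
</head><body><p>Welcome</p></body></html>
"""

# Patterns that suggest a genuine credential rather than a joke.
SECRET_PATTERNS = [
    ("hard-wired password",
     re.compile(r"\bpass(word|wd)?\b\s*(is|[:=])\s*\S+", re.I)),
    ("API key / token",
     re.compile(r"\b(api[_-]?key|secret|token)\b\s*[:=]\s*[\"']?[A-Za-z0-9_\-]{16,}", re.I)),
]

class HiddenTextCollector(HTMLParser):
    """Collect HTML comments and inline <script> bodies: the two places
    where text that is 'not meant to be noticed' usually ends up."""
    def __init__(self):
        super().__init__()
        self.comments, self.scripts = [], []
        self._in_script = False
    def handle_comment(self, data):
        self.comments.append(data.strip())
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data.strip())

def find_hidden_text(html):
    """Return (comments, inline_scripts) found in the page source."""
    parser = HiddenTextCollector()
    parser.feed(html)
    return parser.comments, parser.scripts

def flag_secrets(html):
    """Return (kind, snippet) for each hidden fragment that looks like a
    credential. Easter eggs with no credential in them are not flagged."""
    comments, scripts = find_hidden_text(html)
    findings = []
    for text in comments + scripts:
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(text):
                findings.append((kind, text))
                break
    return findings

if __name__ == "__main__":
    for kind, text in flag_secrets(SAMPLE_HTML):
        print(f"{kind}: {text}")
```

Run it over your own build output before a site goes live; a finding means the "secret" is already in the hands of anyone who presses Ctrl-U.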

Indeed, this easter egg proves how quickly hidden news can become common knowledge.

It’s less than 48 hours since the ad first appeared, but the link in the “hidden” comment has already been changed so that it takes you to the USDS home page instead of specifically to the job application page.

We’re assuming that’s because the USDS very quickly received way more applications than it planned for.

PS. If you know of any other 2021 website easter eggs you think our readers would enjoy (SFW only, please!), let us know in the comments below.


S3 Ep16: Darkweb bust, security at home, and browser snoopage [Podcast]

Anonymous and private, yet busted – we explain how darkweb sites sometimes keep your secrets… and sometimes don’t. We help you improve your cybersecurity at home. And we tell you the tale of a company with a cool name but allegedly with creepy habits coded into its browser extensions.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Has the coronavirus pandemic affected Apple’s hardware design?

Remember Apple’s TouchID sensor, which created quite a stir way back in 2013 when the iPhone 5s came out with a home button that could also read your fingerprint?

It wasn’t that having a fingerprint scanner was a new thing, even in 2013, but that the integration of the home button and the biometric sensor was a neat move by Apple.

After all, the first thing iPhone users typically did in 2013 was to click the home button to wake up their phone, popping up the unlock screen if they had been diligent enough to set a lock code.

But lots of users – notably including Marissa Mayer, then CEO of Yahoo! – didn’t set lock codes, because just pressing the home button was time-consuming enough.

So making the home button double up as a biometric authentication device was a handy way of bypassing the resistance of users who were determined to resist the use of lock codes…

…because it gave them a way to have their cybersecurity cake without having to take the time to eat it too.

Of course, not everyone was delighted at the idea, for several intriguing reasons, including:

  • What if a court compelled you to unlock your phone with your fingerprint? In the USA, for example, would fingerprint unlock “codes” enjoy the same Fifth Amendment protection against self-incrimination as numeric or alphabetic lock codes? Would “something you have” be protected under the right to silence in the same way as “something you know”?
  • What if your fingerprint data were stolen? Lock codes and passphrases can easily be changed if you think someone else has phished or stolen them. In the USA, even social security numbers – once regarded as immutable unless you entered a witness protection program – can now be reissued after a cybersecurity compromise. But how would you get new fingerprints?
  • What if someone cut off your finger to unlock your phone? The good news here is that dead fingers don’t work for electrical reasons, so there’s not much point in taking such a desperate step. But what if the criminals don’t know that it doesn’t work and try it anyway?
  • What if someone were to copy your fingerprint? After all, even though we now know how to do DNA matching, fingerprint evidence is still a handy investigative technique in law enforcement for the very simple reason that we leave copies of our fingerprints quite literally on everything we touch. Gloves might help, but how would you unlock and use your phone then?

Interestingly, the last concern turned out to be well-founded, given that just one week after writing about the launch of the iPhone 5s and its biometric home button, we wrote about how the Chaos Computer Club (CCC) in Germany had announced a way to make fake fingerprints that would fool Apple’s sensor.

Despite the CCC’s widely publicised hack, however, locking your phone with a fingerprint was certainly better than not locking it at all, and the TouchID feature quickly caught on.

How the CCC hack worked. Photograph a fingerprint, e.g. from the glass surface of the phone itself. Invert image to swap round black and white so the valleys are dark and the raised parts are light. Print on laser printer with the toner setting turned right up so the maximum amount of powder gets deposited to form a sort of 2.5-dimensional mould. Cover with wood glue and allow to dry fully. Carefully peel rubbery “fingerprint” off the “mould”. Place fake “fingerprint” on end of real finger. Breathe onto glue so the moisture makes it a tiny bit conductive. Swipe to unlock phone (maybe).

Plus ça change…

But TouchID didn’t last long, except on low-end Apple devices.

The problem was not so much that users fell out with the idea of using fingerprints as a shortcut to unlock their devices, but that they fell out with the idea of having a pesky home button at all, right where there could otherwise be more screen space.

So TouchID morphed into FaceID, using the front-facing camera, now integrated into a notch at the top of the screen.

Instead of matching some kind of digital hash of your fingerprint, the phone matched up a post-processed image of your face instead.

Swipe on the screen instead of pressing home, look into the camera instead of positioning your finger, and “boop,” you’re in.

…plus c’est la même chose

So we were surprised to see the rumour mill going into overdrive recently to claim that this year’s new iPhone models, presumably the “iPhone 13” (assuming that’s not considered unlucky in the North American market, where hotel elevators always seem to skip from level 12 to level 14), will be going back to TouchID.

Why, you might ask?

Well, the explanatory rumours behind the product rumours are surprisingly believable: even though FaceID seems to manage OK if you’re wearing things like hats, headscarves, headphones or hoodies (spectacles, too)…

…it doesn’t deal well with facemasks, which are commonplace these days as a sensible precaution against accidentally coughing or sneezing out coronavirus germs all over other people or products.

The humble blue paper facemask, it seems, is a great leveller, making us look all-too-similar as far as computer “vision” is concerned.

(Human brains, apparently, have a special section dedicated entirely to distinguishing faces, which is why babies can recognise their mothers long before they can focus their eyes fully.)

Presumably, if the rumours are true, FaceID will not go away (because which mobile phone vendor would ever consider introducing a new device without a front-facing selfie camera?), but Touch ID will be back.

You won’t have to use it

Frankly, we prefer typed-in lock codes anyway – long enough that every digit is used at least once so that the grease-spots on the screen don’t give away which numbers aren’t in the passcode.

We find it easier to tap in the passcode with one hand while the phone is sitting flat on our desk next to our laptop, than needing to angle the phone towards us, or lean over the camera, in order to line up our dial with its dial so it can figure out who we are.

It also means we can put duct tape over the selfie camera if we feel like it. (To be honest, we’ve never bothered, but we could if we wanted!)

