Wednesday, December 13, 2017

Who Is Killing The Anonymizing VPNs?

The primary use for a VPN is to keep data encrypted from the point of origin to its destination. For corporations this means that when you start working on your emails on public WiFi at the airport, the data cannot be seen by people who are “sniffing” what is being sent across the network. Neither the corporation nor the users are trying to hide their location; it’s all about keeping that data private to the company. An anonymizing VPN serves the same purpose; however, it is also used to hide the user’s location. When I use my anonymizing VPN it may look like I am in an entirely different state or country than I really am. In between the time data is sent through the anonymizing VPN to its destination, my IP address is effectively changed. I may be in Colorado, but to the websites I visit I’m in Tokyo. Well, I was until I decided to be in London. The only place I am not is where I am.

For the rest of this post I will generally refer to anonymizing VPNs simply as VPNs for simplicity, but not all VPNs are used for anonymity.

Ever since 9/11, encrypted communications by private citizens have been placed squarely in the crosshairs of the CIA, the FBI, the NSA, and probably the FDA too. FDA is a three-letter acronym (TLA) so the FDA probably has to take a stand on encryption. Some laws and the interpretation of these laws require an innocent suspect (and guilty ones too) to provide passwords required to decrypt data that may be of interest to investigators, but so far encrypted data in transit through anonymizing VPNs has been relatively secure.

I’m not convinced that the biggest threat anonymizing VPNs face is the government though. I believe it is private industry and the reason may have more to do with security than disregard for privacy; and it is a pain in the @ss. But then so are the archaic password complexity requirements that most companies inflict upon their users. If security was painless only masochists would be insecure. Yes, advertisers and data aggregators despise privacy and hence hate these VPNs, but they probably are not the foe. The foe is security. A prime example of the situation involves Google – particularly Gmail. I access Gmail on my laptop as well as on my phone. I also have VPN clients on my laptop and on my phone. So here’s what happens. The email client on my laptop, which appears to be in London, polls for new email at specified intervals. Polling for email requires my email client to automatically log into my Gmail account to check for new email, and it also tells Google that I am in London. My email client on my phone, which appears to be in Tokyo, polls for email five seconds later and tells Google that I am in Tokyo. What do you think that looks like to Google? I’ll show you.

I may not always be a big fan of Google, but they blocked the login attempt because they are trying to protect me. It is annoying to get these messages multiple times a day, but giving credit where credit is due, Google no longer makes me change my password every time this happens. That’s nice, but what is really uncalled for is making me solve five captchas when I search for the meaning of the word “Omphaloskepsis.” Now when Google does that I just use Bing. Of course I only search using Google or Bing if I am not satisfied with the results from DuckDuckGo. Usually DuckDuckGo finds what I need. I assume Google is forcing the captchas because of the anonymizing VPN I use, rather than the “suspicious activity” I am told was seen emanating from my computer. I can’t be sure that there was no suspicious activity though… I was using Lenovo laptops and we all know what happens when Lenovo pre-loads software.
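The London-then-Tokyo polling pattern described above is what a geo-velocity ("impossible travel") check flags. The sketch below is an added example, not Google's logic or code from this post; the login records, coordinates, and the 1,000 km/h and 50 km thresholds are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample logins: (time, user, device, apparent city, lat, lon).
LOGINS = [
    ("2017-12-13T09:00:00", "randy", "laptop", "London", 51.5074, -0.1278),
    ("2017-12-13T09:00:05", "randy", "phone", "Tokyo", 35.6762, 139.6503),
    ("2017-12-13T09:05:00", "randy", "laptop", "London", 51.5074, -0.1278),
    ("2017-12-13T22:05:00", "randy", "phone", "Tokyo", 35.6762, 139.6503),
]
MAX_KMH = 1000.0  # assumed ceiling, roughly airliner speed
MIN_KM = 50.0     # assumed floor: ignore geolocation jitter within a metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def flag_impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return logins whose implied speed from the user's previous login is too high."""
    last_seen = {}   # user -> (time, city, lat, lon) of the previous login
    flagged = []
    for ts, user, device, city, lat, lon in sorted(events):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            p_when, p_city, p_lat, p_lon = last_seen[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            # Clamp to one second so simultaneous logins do not divide by zero.
            hours = max((when - p_when).total_seconds(), 1.0) / 3600.0
            if km >= min_km and km / hours > max_kmh:
                flagged.append((ts, device, p_city, city, round(km)))
        last_seen[user] = (when, city, lat, lon)
    return flagged


if __name__ == "__main__":
    for ts, device, src, dst, km in flag_impossible_travel(LOGINS):
        print(f"{ts} {device}: {src} -> {dst}, {km} km since previous login")
```

The last Tokyo login passes because 13 hours separates it from the previous London login, enough for a real flight; the two logins minutes apart do not.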

Banks are not particularly fond of customers changing their locations frequently, or sometimes at all. For quite a while when I tried to access my account at a specific bank, I was told that I could not access my account at that time. Once I disabled my VPN I was granted access. The bank was not trying to force me to stop using the VPN, they just wanted to keep my account secure. Now I usually just have to answer challenge questions instead of being denied access. As a side note, I once discovered a bug (not a security bug) on my credit union’s website. In order to reproduce the issue I had to make it look as if I was in another location; but not just any location would work. If you want to set off alarms at a financial institution, where do you want them to think you are logging in from? Yes, Brazil. Banking Trojans seem to thrive in Brazil. They’re born there, they have their little bot kids there, and eventually retire in Brazil.

Typically I don’t try to sell anything on my blog, but I will make an exception this time because I can and I can loosely tie it to the subject. Anyone want to buy a rare, vintage, clear body Microsoft Mouse?

I decided to post this exact mouse for sale on Craigslist. Craigslist wouldn’t let me access their site until I turned off my VPN, or appeared to come from a different location. Appearing to come from a different location is an important point that I will get back to. Recently I tried to access one of my frequent flier accounts. Once again I had to turn off the VPN, or appear to come from a different location. Forced VPN relocation is becoming more and more common. The reason that changing the exit location makes a difference is that some of the IP addresses from exit points have been blacklisted. In addition to using VPNs for good things, VPNs are used by cybercriminals too.

Once an IP address is identified as being associated with cybercrime it gets blacklisted. Craigslist, airlines, and most other companies do not care if I am in Seattle, Texas, Denmark, Hong Kong, and so on, but they do care if IP addresses I use are also associated with criminal activity. Sometimes I have to try several different exit points before I am allowed to connect to a site. It can take 30 seconds or even a minute or more to do what should take a few milliseconds. That may not sound like a lot of time, but think about a single webpage taking a minute to load.

No, the anonymizing VPNs are not going to be killed by Google or Craigslist (although they might be beaten senseless by United Airlines), but I believe that users of anonymizing VPNs are finding an increasing number of problems when using them. The US government doesn’t need to do anything about the challenges that VPNs present; private enterprise will do it for them for free.

On a final note, regardless of its rarity it does not appear that I am going to get $150 for that mouse anytime soon.

Randy Abrams
Independent Security Analyst

Friday, December 1, 2017

RFID Tags in Clothing – What Could Go Wrong

Sometimes we need a break from all of the serious security issues we deal with and talk about. This blog is a break from breaches, sabotage, espionage and camouflage. If you want serious security today might I recommend Top 4 Reasons Why Hackers Plant Geolocation Malware on Websites, or some of my previous blogs such as Evasion and Regeneration; Decoys and Deception, or New Equifax Website Compromise.

Recently I had to shop for a washing machine. I had forgotten that nowadays washing machines are part of the Internet of Things (IoT). It was pretty easy to narrow down my choices of washing machines; if the washing machine listens and tells all to Google then I don’t want it, I have my Android phone for that. I would need to remember not to talk about confidential information when I am in the laundry room… Google hears all, Google sells all.

All of these high tech washing machines made me contemplate what other absurd things we can apply IoT technology to? I decided that IoT clothes would be absurd… until I had my million dollar idea for a ground breaking application of the technology.

You see, I am really about function over form. My sense of fashion is only marginally better than most IoT vendors’ knowledge of the need for IoT security. I reason that if I could have RFID tags in my clothes, I could put my sports coat next to a shirt and then my mobile phone will tell me if the clothes work together. Next I put a tie with the shirt and sports coat and my phone tells me if it is business casual or a misdemeanor.

RFID tags would solve my fashion impairment affliction. I could take pictures of my clothes to the store with me and know if something will pop before I buy it. It’s not just me, it’s a wonderful application for color blind people (who without exception have a better sense of color coordination than I do).

I could bring my clothes to the washing machine and it will TELL me which items can safely be washed with each other! The cost savings would be enormous. No more buying clothes that work together at the store and then inadvertently dyeing them to a color that no longer works with anything - including impressionist paintings.

There's also the problem that fashion changes. My app will be updated every time there is a new fashion (black is timeless). At last, if I buy on the first day of the cycle, my clothes can be fashionable for the full six months of their planned obsolescence. What's more, I could enter the name of an opera house or a burger joint and my phone will tell me if the clothes are acceptable for the dress code. Evidently sandals do not count as shoes at those fancy shmancy opera houses. I actually knew that and intentionally wore them when my ex-girlfriend tried to make me go to see the opera Lily.

So what could go wrong with putting RFID tags in clothes? Perhaps a manufacturing error puts the wrong chip in the clothes I'm wearing for an interview at T.J. Maxx. Suppose a hacker is able to hack the RFID chips and flash them to the 1970's fashion styles? If there is a manufacturing product recall for a defective RFID tag (the cheap ones are read only) is the shirt replaced with a refurbished shirt? Will the shirt be depreciated based on wear? If I am a clothing manufacturer would my competition hack into my system and sabotage my RFID tag stock?

Yes, there are potential security risks but still, if we nerds can finally go incognito in public it is a risk we are willing to take.

Randy Abrams
Independent Security Analyst