In a variety of ways, experts at this weekend’s ToorCon Conference warned that the tidal wave of new devices and Web based services is straining an already aging Internet infrastructure, with privacy and security as the first victims.
Call it the ‘schizophrenia of now’: a tidal wave of new applications and mobile devices promise to connect and enable us in ways we only dreamed of a decade ago. At the same, the Internet itself strains under the demands of hundreds of millions of new users, and aging protocols that offer only the barest security and privacy protections.
That was the picture that emerged from two days of sessions at the ToorCon Conference in San Diego. An eclectic event, discussions at ToorCon ran the gamut – from social engineering, to the moral and ethical implications of zero day vulnerabilities, to the evolutionary impact of technology. But in talk after talk, top security experts returned to a common theme: that fast evolution of new applications and platforms, and the glacial pace of change for the decades old protocols and infrastructure to support them.
Setting the tone for the event, security researcher Dan Kaminsky lamented the lack of progress in securing e-mail communications and verifying the identities of legitimate senders – an endeavor now in its second decade. With the vast majority of e-mail communications still ‘in the clear’ and without the benefit of encryption or other data security, Kaminsky extolled the virtues of Domain Key Infrastructure (DKI) technology for proving the identity and authenticity of e-mail communications.
Existing, user-driven options like SMIME require individual management of public keys and accompanying certificates for message authentication and non-repudiation, have proven too complicated for all but the most technical users to manage, Kaminsky said.
“We’ve created a self licking ice cream cone,” Kaminsky said of current, user driven e-mail security options. “There’s too much technical detail in certificates and users can parse all that information. We’ve go to do better.”
That was the message from security researchers Ian Gallagher of Security Innovation and Eric Butler, an independent security consultant. The researchers talked about the threat to privacy posed by modern social networking applications like Twitter and Facebook, as well as Web e-mail, which run on unencrypted HTTP, leaving users susceptible to various forms of session hijacking that could allow malicious hackers to view their personal details. The fix, according to the two, is for more Web 2.0 providers to deploy end to end encryption using SSL, but concerns about the cost and impact on performance have kept that needed change from happening. In an effort to turn up the heat around vulnerable Web apps, the two used ToorCon to release a Firefox browser plugin, FireSheep, that allows users to canvas and then hijack Web 2.0 sessions from users on the same wireless network.
If decades old tools like the Web and e-mail are problems, the situation is no better – and possibly worse – in the burgeoning world of mobile devices, as numerous ToorCon presentations illustrated.
Researcher David Kane Parry used his talk to talk about the security implications of popular location based services such as FourSquare and Facebook Places, which allow mobile users to report their location to their followers. Such services have an obvious appeal and utility, but too little time has been spent to discuss the security implications, while developers have few tools to secure such transmissions or allow granular application of GPS data for applications, Kane Parry said. Geocoding APIs, he notes, don’t yet use SSL encryption, while GPS data can easily be spoofed on mobile devices, complicating repudiation, he said.
Eric Monti, a Senior Security Researcher with TrustWave’s Spider Labs, raised similar concerns about the security of applications for mobile devices like iPhone and Android. Monti developed a stripped down rootkit for iPhones, leveraging work done by the Jailbreakme team over the Summer. Modern mobile devices are “just as complicated as desktops and laptops or servers,” Monti warned. And, rather than being a special case, the operating systems that manage these devices are variants of modern operating systems – OS X, Linux and Windows – about which much is known, he said. That’s a problem, as third parties rush to design all manner of applications for these platforms, including those handling sensitive data, such as credit card processing and SCADA control tools, he said.
And, without proper protections, even seemingly innocuous devices can potentially be leveraged for users well afield of that for which they were designed. Researchers Travis Goodspeed and Michael Ossmann proved this with the IM-Me wireless text messaging toy from Girl Tech – a little recognized mobile device that has suddenly become very popular amongst hardware hackers for its flexibility, powerful radio (and cute, pink case). The two showed how, with a modicum of effort, IM ME could be transferred into a spectrum analyzer, garage door opener, keyless entry device or TV remote.
Experts and speakers at the show were generally pessimistic about the ability of the industry to avoid the painful mistakes made in earlier generations, when the lure of cool functionality and the growth of the global Internet led to covulsive waves of virus and worm attacks and, ultimately, organized cyber crime and state sponsored hacking.
