security

I want a drink and it’s not even 0700 yet

On this here blog I use a few things to help secure everything down and avoid issues, namely, nginx location blocks disallowing access to resources, fail2ban tracking nginx logs to prevent people hammering server or trying to do improper things, and the “Limit Login Attempts” WP plugin.

A combination of all these broke access with the wordpress mobile app. Ended up having to disable the wordpress fail2ban jail and altering some of the nginx directives.

This is going to be a pain in the ass to debug cos the wordpress app doesn’t have any kind of proper error messaging, urgh.

“you can have backwards compatibility with the 1990s or you can have sound cryptography; you can’t have both.”

Cryptography engineers have been tearing their hair out over PGP’s deficiencies for (literally) decades. When other kinds of engineers get wind of this, they’re shocked. PGP is bad? Why do people keep telling me to use PGP? The answer is that they shouldn’t be telling you that, because PGP is bad and needs to go away.

Source: Latacora – The PGP Problem

I knew PGP was bad and had avoided it cos I knew of its eldritch complexity of integration but I didn’t know about the rest.

Figures that Thunderbird is planning on integrating it as a built-in function.

They should probably use something else, methinks.

Locked out? Good luck

Let’s build and configure a minimal SSH bastion host (jump box) from scratch, using Ubuntu 20.04 LTS.

Source: DIY SSH Bastion Host

This is all well and good except for the bit where the author is clearly invested in using the cloud (i.e. other people’s computers) to run your own infrastructure.

What happens when google locks you out? Or when amazon decides to do the same. Same concern goes for Azure, or any other cloud provider.

Good luck fixing any of that without having to tear down a lot of your own work just to be able to be useful again. I get it, from a developer point of view setting it like this means it’s easy to plug into projects, but from a sysadmin point of view it means you’re going to shoot yourself in the foot sooner rather than later, specially if you missed a little onfiguration detail that lets your server wide open for takeover.

TikTok Security: An Opinionated Explainer

There is a post on reddit was written by someone who claims they reverse-engineered the app that is, they set about deconstructing the app to see how its internal components function and interact with each other, with the rest of the phone, and with the servers that conform the service itself.

The app

These are the main points made by analysis of the app itself.

Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

The app will try to learn everything it can about the phone hardware itself, going from the big things like if it’s running on a phone or a tablet, who the manufacturer is, make and model; to the small, like how many megapixels the front camera is.

What you can do about it: Nothing. This is a function done by the app on its own.

Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)

The app will check what else is installed on the device regardless whether it’s a competing social media app or not. This also applies to the clipboard (the function to copy and paste), as TikTok was caught red-handed accessing its contents. As users we use this function to copy/paste everything, from emojis to phone numbers to credit card numbers to social security numbers.

What you can do about it: Nothing. This is a function done by the app on its own.

Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

The app will log:

  • The MAC addresses of all network interfaces on the device (cellular, wifi, bluetooth, nfc, etc). A MAC address is a unique hardware identifier for network hardware.
  • Whether those interfaces are connected to anything. If they are, the name and of the cellular network, wifi network, and MAC addresses of that hardware.
  • Then, if they are connected, the IP address used for that connection at both Local Area Network (LAN) and Wide Area Network (WAN).

Taken all together, TikTok will find out what kind of network the device lives in, what other devices are on it, how it moves within the LAN. This also means the WAN IP address revealed, allowing them to use GeoIP databases to try and determine the geographical location of a device.

What you can do about it: Nothing. This is a function done by the app on its own. You could limit the app’s network access but this requires deep expertise in networking and the operating system being used at the time.

Whether or not you’re rooted/jailbroken

Jailbreaking refers to “breaking out” of the limitations placed by Apple on iPhones and iPads to enable additional functions that were not available in either the hardware or the software. The same action in Android is referred to as [rooting](https://en.wikipedia.org/wiki/Rooting_(Android). Either one means you can do anything on the device and is a common goal of spyware/malware so they can operate with unfettered access and without the user knowing.

A common example in the past it was used to enable tethering when it was disabled by cellular carriers trying to force you to pay an extra charge to enable the function.

What you can do about it: You could limit what the app sees if you’re jailbroken/rooted, but requires deep expertise in the operating system.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC

As most smartphones and tables now have GPS, TikTok will check for the current GPS data as often as it can, enabling them to follow a device as it moves through a geographical area. Coupling this with the network data, they can determine with lots of accuracy where a device is. Both Google and Apple have this information but keep in mind they are the entities making the operating systems themselves. TikTok is just an app.

What you can do about it: Both Google and Apple let you limit if an app has access to GPS. Be aware TikTok will limit its own functionality if it cannot access GPS, though.

They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

TikTok sets up a special kind of server to help with converting videos from one format to another (transcoding) with a minimum of configuration on the part of the app developers or the users. The problem is that it doesn’t check whether anything connecting to that server is actually allowed to both connect and use the server (i.e. it doesn’t ask for a username or a password); this means other apps could potentially connect to that server and use or abuse its resources.

What you can do about it: Nothing. This is very much one of the core functions of the app itself since most device manufacturers have their own ways of saving video on a device and the app needs to be able to deal with all of them.

Potential for remote configurations

The scariest part of all of this is that much of the logging they’re doing is remotely configurable

Every time the app downloads an update they can change what information is logged, how often, where to send it, etc, and you as an user have no way to stop it.

What you can do about it: Nothing. This is a function done by the app on its own.

The people coding the app consciously obfuscate how the code works and what specific functions and tasks it performs.

and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

TikTok developers are purposely hiding how the app itself operates. You can determine this if you have the know-how and the experience to do it but you will not like the experience of it.

What you can do about it: Nothing.

The app will monitor its environment and change its behavior if it detects someone is trying to analyze it.

They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing.

TikTok will monitor the device and if it detects any attempt to analyze any of its internal functions and configuration it will try to change its own behavior to prevent that. Failing that it will try to present behavior that is deemed more acceptable to the person doing this work.

This is how the Volkswagen emissions scandal came to be:

  1. Cars were programmed at the factory to detect whether they were being tested for emissions at a laboratory or government facility.
  2. If they were, they would enable emissions control in order to be able to pass those tests.
  3. At any time they were not being tested, emissions control was reduced or disabled entirely, leading the vehicle to emit far more than the allowed legal limit of greenhouse gases.

TikTok is doing essentially the same but it’s all in software.

What you can do about it: Nothing. This is a function done by the app on its own.

File downloads without user interaction.

There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

TikTok can download a file, extract its contents, then run its contents without needing user interaction or without having to be updated from the App Store or the Play Store. Both Apple and Google forbid this kind of functionality in any app.

What you can do about it: Nothing. This is a function done by the app on its own.

Lax security standards

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

This is something that has been reported about TikTok in the past:

Basically, the TikTok devs won’t implement basic security standards to protect the user, the account, or any of the media the app stores and transmits. This allows intelligence agencies, corporations, anyone who cares to look, to surveil and hack users of the service.

What you can do about it: Nothing.

The Company

All of the previous points point to the one overarching theme of the app: it sucks up as much information as possible, then sends it to the servers that actually run the service (aka “the backend”). There are a of of shady practices on that side of things and the only people who know what’s going on are the people working for TikTok itself. Here are but a few examples:

The company is performing data collection on a level that far surpasses what Facebook, Twitter, Instagram, Snapchat, or most other social media companies have done so far. Only the Big Four (Microsoft, Apple, Google, Amazon) could obtain so much information but that’s because they control both the platforms their operating systems work with; if governments even thought they were doing what TikTok is doing they would face major fines, lawsuits, and antitrust enforcement.

The Combination of Both

When you add what the app does (again, suck up as much information about the user and their devices) with what the company is doing (actively avoiding answering questions of its practices) it all means one thing:

TikTok is combination spyware/malware with the backing of a corporation valued in billions of US dollars.

Most entities that write malware and spyware are:

  • A single person with technical knowledge, like the person who created the ILOVEYOU virus.
  • Nation-states and their various intelligence agencies using software vulnerabilities like BlueKeep or creating their own malware like Stuxnet
  • Organized crime, like the creators of the Conficker worm.

Having a corporation create this kind of software and for users to willingly install that software is something new. I am also leaving out all the advertising practices of the company, as that is how TikTok entices companies to buy into the platform.

What is there to do, then?

It amounts to

  • If you have not installed the app, do not install the app on any device you own.
  • If you have installed the app, remove it immediately from any and all devices you own.
  • Don’t let friends and family use the app, and push for them to remove it if they have used it.

Bleh

A new sign of the digital apocalypse is the new Equifax breach. I’m not sure if I’m affected but the company is certainly not making any effort whatsoever to help anyone out. The other two credit bureaus, Experian and TransUnion are probably savoring this and will keep doing so until they get hit.

So for the cleanup, there’s this post written by someone with experience in the matter. Not a lawyer, but knows enough to help one on the way.

And just like techdirt say… it will get worse.

The default of your credit identity starting from now on is “stolen”.

This is really scary stuff

Source: The Short Life of a Vulnerable DVR Connected to the Internet – SANS Internet Storm Center

I’ve set up DVRs and the UX/UI on most of them is appalling, along with the entire setup and configuration process. Then to find out the moment you connect them to your network they just become another attack vector, one that cannot be easily closed off.

These are pretty pricey devices that I believe can be replaced with a Raspberry Pi to obtain more flexibility and better recording quality. It’s just the software that’s needed.

Router Security

This site focuses on the security of routers. Period. If you are interested in faster WiFi, look elsewhere. The site covers configuration changes to make a router more secure, and, picking a router that is more secure out of the box.

Failing to choose your new password

So Evernote got cracked into and they’re having everyone reset their passwords. It works well, except when it doesn’t:

Screenshot - 03022013 - 11:40:51 PM

They’re telling me I can use letters and numbers and punctuation characters but then I enter a nice complex passphrase (not password!) and I just get that little error message. No help mouseovers, no links to a FAQ or blog post.

Then I entered a passphrase with all space characters removed soyouendupwithsomethinglikethis and it worked. Got account access back. It could be helpful to tell people they cannot use spaces at all, specially after punctuation characters.

Evernote is doing many things right, but password resetting is not one of them.

Oh, Skype…

For the past two years or thereabouts, every time I’ve attempted to change my password in Skype I’m greeted with the following error:

Skype character error

No matter what OS, browser, or client I use, I still get it.

If memory serves (and I might be mistaken) Skype itself suggested you use special characters like !, @, #, $, %, ^, &, *, (, ), _, etc, to make your passwords more complex and help increase the security of your account. They wanted you to use the sort of password that is bloody hard to remember and easy for a computer to steal or crack or for another human to guess.

My guess is at some point (probably after being acquired by Microsoft), they updated their password code to disallow such characters. Which means I am now screwed as their systems literally don’t know what to do with my current password.

Maybe at some point I’ll be able to change my password, but with the migration from Live Messenger to Skype, it’s unlikely.

Oh, before I forget. If you want to use a password, it’ll have to be less than 20 characters in length. You know, for teh future lulz.

Hacked! – Magazine – The Atlantic

As email, documents, and almost every aspect of our professional and personal lives moves onto the “cloud”—remote servers we rely on to store, guard, and make available all of our data whenever and from wherever we want them, all the time and into eternity—a brush with disaster reminds the author and his wife just how vulnerable those data can be. A trip to the inner fortress of Gmail, where Google developers recovered six years’ worth of hacked and deleted e‑mail, provides specific advice on protecting and backing up data now—and gives a picture both consoling and unsettling of the vulnerabilities we can all expect to face in the future..

Now I’m getting all itchy about changing my passwords.

Security in WordPress

I’m not saying WordPress isn’t secure, but the perception seems to be

“WordPress is not secure”

It’s said in TechCrunch, it’s called out to Matt, JD of Get Rich Slowly had big trouble, and there are a lot of tips and tutorials. The Codex entry on Hardening WordPress is missing some stuff… but the perception keeps turning more and more negative. If it keeps up like this some other platform will come along claiming to everyone to be more secure than everyone else and a lot of people will migrate just because of that.

I feel to avoid this the focus of WordPress 2.7 should be security. We already have a stable and flexible platform to establish and maintain blogs, so now it must become a secure platform.