Category Archives: Security

LADA Registration Unlocks GRU Database

Researchers looking into the recent GRU arrests have uncovered a trove of information because of sloppy Russian spycraft. Speculation already is that the GRU is severely breached.

In the course of researching the authenticity of the personal data of the four individuals, Bellingcat was able to locate one of the four GRU officers identified by the MIVD in a Russian automobile ownership database. As of 2011, Alexey Morenets was the registered user and/or owner of a Lada (VAZ 21093) car. […] By searching for other vehicles registered to the same address, Bellingcat was able to produce a list of 305 individuals who operated cars registered to the same address.[…] The database contains their full names and passport numbers, as well as — in most cases — mobile telephone numbers.

That’s a GRU-some breach with a LADA data!

LADA VAZ 21093, named after the goddess of beauty in Slavic mythology

I used to give talks about medical data (zipcodes of doctors) being connected in this way to de-anonymize people using big data. This new example is superior in so many ways, not least of all because it highlights Russian experts in actively poisoning information (let alone people) haphazardly failing at their own game.

Password Safe (psafe3) and Password Gorilla Import to KeePass

Password managers have become something of a religion, which is a very good sign in theory. People getting passionate about protecting their stored secrets sounds like a win for infosec management. On the other hand, discussions may get heated about exactly which password manager one should worship. Imagine office rules soon being updated to say it is inappropriate to discuss politics, sports and password databases.

Of course, those who see all the religions as roughly equivalent in spirit, none of them perfect and all having some virtues, may seek easy conversion paths between them. Come along and don your pope robe, grab a yarmulke, put on your tilak, etc. and convert your secret tomes by sliding easily between password databases.

For example, just a few years ago a couple of computer science researchers credited PasswordSafe as the most…

Wait for it…safe implementation.

It seems fair to require that a password manager that asks users to authenticate themselves with a password, at least provides secrecy and data authenticity. This is currently only achieved by a single password database format, namely PasswordSafe v3. As a general rule, a password manager should be explicit about the security offered by the underlying database format.

Thus in 2015 one might rightly have been expected to worship the psafe3 scriptures as holier than thou. Now that we are in 2018, however, others have rightly pointed out that PasswordSafe and the cross-platform version PasswordGorilla have seen few updates. As other password managers are iterating more rapidly, the believers wonder when PasswordGorilla 1.6 will drop and whether their faith can last until such prophecy comes true.

KeePass in particular has been developing a large following, and I’ve been told there’s an entire plugin movement devoted to the art of bringing other faiths under their big tent. This makes it one of the better examples for those looking into multi-platform solutions with flexible options. Apparently the conversion steps are simple.

Prerequisite: This conversion presumes you have a psafe3 file on a running Windows system, such as PasswordSafe installed on one of the Windows virtual machines Microsoft offers for download.

A) Conversion from psafe3 (version 1, 2, or 3) to kdb (version 1)

  1. Download the old version 1.09 zip file of KeePass (the newest KeePass version the import plugin supports)
  2. Download the PwSafeDBImport plugin zip file
  3. Extract the KeePass 1.09 zipfile to a new directory
  4. Extract the PwSafeDBImport.dll to the same directory
  5. Start KeePass.exe
  6. Select the Tools drop-down and then Plugins
  7. Right-click on the PwSafeDbImport plugin and choose Enable
  8. Exit KeePass
  9. Start KeePass (to load the PwSafeDBImport plugin)
  10. Click on the New Database icon and set a strong master key (KeePass recommends 96 bits or more)
  11. Select the File drop-down, then choose Import from and select PwSafe database (option at bottom, do not select psafe2 TXT file)
  12. Select the psafe3 database you want to import from
  13. Enter your psafe3 database password
  14. Review the KeePass groups (folders) and confirm every psafe3 entry, with its group path, is present
  15. Click on the Save icon and set a kdb filename

B) Conversion from kdb (version 1) to kdbx (version 2)

  1. Start KeePass
  2. Select Database drop-down and then select Import KeePass 1 Database
  3. Select kdb file and enter master key
  4. Click on the Save icon and set a kdbx filename
  5. Once the kdbx opens cleanly and its entry count matches the original psafe3, securely delete the intermediate kdb file; it holds every one of your secrets in the older format and serves no further purpose
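Step A14 says to review the imported entries, and after two format hops that review is worth automating. The script below is an added example written for this post, not code from PasswordSafe, Password Gorilla, KeePass or the PwSafeDBImport plugin. It assumes both tools can export the database as XML (Password Safe via "Export To XML", KeePass 2.x via "Export" to "KeePass XML (2.x)") and that the element names match what the 2018 versions emit (`<entry>`/`<group>`/`<title>`/`<username>` on the Password Safe side, nested `<Group>`/`<Entry>`/`<String>` pairs with `Title` and `UserName` keys on the KeePass side); if your version differs, adjust the two parser functions. It compares only group path, title and username, never prints a secret, and the two sample exports embedded below are constructed for the demonstration (one entry is deliberately missing from the KeePass side). Both plaintext exports hold every password in the clear, so write them to an encrypted or in-memory location and shred them when done.

```python
"""Cross-check a Password Safe XML export against a KeePass 2.x XML export.

Added example for this post (not the projects' own code). Confirms that every
(group path, title, username) triple from the psafe3 export reached the kdbx
database and that nothing appeared that was not in the original. Element
names are an assumption based on the 2018 export formats of both tools.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a Password Safe XML export: two groups, three entries.
# Password Safe separates nested groups with "." ("Work.Servers").
PSAFE_XML = """<passwordsafe delimiter="&#187;">
  <entry id="1">
    <group>Work.Servers</group>
    <title>bastion</title>
    <username>ops</username>
    <password>not-a-real-password</password>
  </entry>
  <entry id="2">
    <group>Work.Servers</group>
    <title>db01</title>
    <username>dba</username>
    <password>not-a-real-password</password>
  </entry>
  <entry id="3">
    <group>Personal</group>
    <title>bank</title>
    <username>me</username>
    <password>not-a-real-password</password>
  </entry>
</passwordsafe>
"""

# Constructed sample of a KeePass 2.x XML export of the converted database.
# The "db01" entry is intentionally absent to show what a lost entry looks like.
KEEPASS_XML = """<KeePassFile>
  <Root>
    <Group>
      <Name>Database</Name>
      <Group>
        <Name>Work</Name>
        <Group>
          <Name>Servers</Name>
          <Entry>
            <String><Key>Title</Key><Value>bastion</Value></String>
            <String><Key>UserName</Key><Value>ops</Value></String>
            <String><Key>Password</Key><Value ProtectInMemory="True">not-a-real-password</Value></String>
          </Entry>
        </Group>
      </Group>
      <Group>
        <Name>Personal</Name>
        <Entry>
          <String><Key>Title</Key><Value>bank</Value></String>
          <String><Key>UserName</Key><Value>me</Value></String>
        </Entry>
      </Group>
    </Group>
  </Root>
</KeePassFile>
"""


def psafe_entries(xml_text):
    """Return a set of (group_path, title, username) from a Password Safe export."""
    root = ET.fromstring(xml_text)
    found = set()
    for entry in root.iter("entry"):
        group = (entry.findtext("group") or "").strip()
        title = (entry.findtext("title") or "").strip()
        user = (entry.findtext("username") or "").strip()
        found.add((group, title, user))
    return found


def keepass_entries(xml_text):
    """Return a set of (group_path, title, username) from a KeePass 2.x export.

    Group paths are joined with "." so they line up with Password Safe's
    notation. The root group (named after the database) is not part of the
    path, so entries stored directly in it get the empty path, as they do in
    Password Safe when they have no group.
    """
    root = ET.fromstring(xml_text)
    found = set()

    def walk(group, path):
        for entry in group.findall("Entry"):
            fields = {s.findtext("Key"): (s.findtext("Value") or "")
                      for s in entry.findall("String")}
            found.add((".".join(path),
                       fields.get("Title", "").strip(),
                       fields.get("UserName", "").strip()))
        for sub in group.findall("Group"):
            walk(sub, path + [(sub.findtext("Name") or "").strip()])

    walk(root.find("Root/Group"), [])
    return found


def diff_exports(psafe_xml, keepass_xml):
    """Return (missing_in_keepass, unexpected_in_keepass), both sorted lists."""
    original = psafe_entries(psafe_xml)
    converted = keepass_entries(keepass_xml)
    return sorted(original - converted), sorted(converted - original)


if __name__ == "__main__":
    missing, extra = diff_exports(PSAFE_XML, KEEPASS_XML)
    for group, title, user in missing:
        print("MISSING in KeePass: %s/%s (user %s)" % (group, title, user))
    for group, title, user in extra:
        print("UNEXPECTED in KeePass: %s/%s (user %s)" % (group, title, user))
    if not missing and not extra:
        print("OK: all %d entries accounted for" % len(psafe_entries(PSAFE_XML)))
```

Run it against your own two exports by replacing the embedded samples with `open(path).read()`; a clean conversion prints the OK line, while the samples as shipped report `Work.Servers/db01` as missing. Entries in the KeePass "Recycle Bin" group, if any, will show up as unexpected, which is the correct outcome for a fresh import.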

Can I get an Amen?

In my next post on this topic, we will discuss hosted databases and why nobody expects the cloud inquisition.

This Day in History: Munich Agreement

Ondřej Matějka, the deputy director of the Institute for the Study of Totalitarian Regimes (ÚSTR) provides a fascinating interview on the 80th anniversary of the infamous Munich Agreement:

…the problem wasn’t that the Czechoslovak state couldn’t hold the borders. The problem was more within the society living there, where the pressure from the Sudetendeutsche Partei towards our citizens and people who were sympathetic towards other political parties, especially social democrats and communists, was big. I think the Sudetenland is an extraordinary example of the making of a totalitarian society, where one power, through terror and social pressure, is taking over power in the society

The agreement led to annexation of Czechoslovakian border territory by an expansionist Nazi regime, and the designation of this area as “Sudetenland”.

It also set back plans to overthrow the fascist dictator of Nazi Germany.

Opponents of the Nazi regime leader, such as the head of the German Army, perceived the Munich agreement as a sign that foreign states had little appetite for more permanently ending the Nazi terror and social pressure.

$1.63 Billion Breach Fine Discussed As Facebook CSO Legacy

At Blackhat this year people sometimes asked me if I was familiar with the “Charlatan Security Officer” situation at Facebook. I was not sure what they meant, and then they showed me threads online and invited me to meetings where this was the topic. Screenshots like the following one about ex-Yahoo CSO and current Facebook CSO Alex Stamos were plentiful, often with titles like “someone is having a bad day”:

Apparently the keynote intro this year was a harsh rebuke of last year’s keynote by Stamos. I can’t say I heard it that way, but many people after the keynote were discussing it with me because they said they had seen my recent posts:

In one group conversation I was told by several people Alex Stamos had written his own biography in the third person and posted to wikipedia, then convinced them to lock his words to prevent his detractors in the community from editing what he thought about himself. Sounds crazy yet several people confirmed this and showed me what looked like a Russian-style ruler waving flags of his face in a parade he threw himself.

It was in such a context, after several days of hearing and seeing this kind of strange report from several groups, I was implored to consider writing another blog post about the Trump-ish man working in infosec. So here we are.

Clearly I have been a vocal critic of the Yahoo and Facebook breaches, based on how security has been handled. They stem directly from the fact Stamos never had been a CSO in his life, let alone having any experience managing any large organization or working within a CSO office. He abruptly donned a big title, the way any monarch or patronage member might, and failed at it spectacularly.

People at Blackhat were nudging me to accept that the CSO acronym now starts with “Charlatan” thanks to Alex Stamos, the crestfallen attempted Chief.

Stamos stands by his “flair” startup, where he tried to sell vanity domains as proof of care about online security. Nobody bought it, so he tried to be a CSO instead

I think I can see the acronym shift now for a post-Stamos CSO, and here’s why:

It is no secret that, as the CSO of Facebook, Stamos carried a libertarian anti-governance anti-regulatory hubris. He hated representative government in a similar way to his hatred of security vendors. It wasn’t that he thought they were all shit and should be evaporated as much as he thought they all should be replaced by his superior intellect and ideas.

This angered many principals of international relations who saw him as a reckless and naive dictator. The theory became that his self-serving speeches and impatient approaches to data protection (he pre-announced in 2014 he would deliver end-to-end encryption with Yahoo mail by hiring a new team, but failed to do either) were fueling a backlash. Widespread concerns among privacy experts and seasoned safety professionals ultimately meant new drafts started for old laws designed to protect the vulnerable from giant anti-privacy bullies like Facebook.

Well, some of this backlash theory bubbled over into reality this weekend as yet another massive breach is said to have been announced. Shortly after the infamous fog of Stamos was lifted from Facebook, news came out that users had become less safe during his tenure. A failed attempt to be a CSO at Yahoo in 2014 seems like old news. Yet his second attempt to be a CSO at Facebook took a similarly dark turn, and this brings right back to mind how increasingly terrible things get revealed after he leaves a job. His only two CSO attempts, ever, have ended with stories of massive harm to users right under his nose, revealed not by him but by others, or much later.

History books someday may link the massive disasters under this single CSO’s brief career directly to the sobering topic of GDPR fines:

Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation.

The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.

In other words, the massive GDPR fine that Facebook faces today was the predictable outcome of Stamos’ arguing with EU regulators that he wanted to end privacy in order to protect it. This really is an excellent time to look back at why Blackhat months ago had been so abuzz about whether Facebook had a charlatan in charge.

Let us examine, for example, how as CSO he floated a snarky thought piece that he is the one who cares about “real” privacy, and not the EU regulators that Facebook “of course” agreed to comply with…

Earlier this month, the court issued an interim ruling, and today we received the order from the BPC impacting how we can use the datr cookie in Belgium. Our legal team plans to appeal this ruling. […] I met recently with the Belgian Privacy Commission to share these details…. As the organization that’s responsible for safeguarding the data of Belgian citizens, we hoped they would appreciate the real privacy and security benefits that tools like the datr cookie provide. We also explained that when these requirements are applied to other websites in Belgium, people may lose access to useful features such as maps, videos, and share buttons…. In the absence of the datr cookie, we will have to treat any visit to Facebook from an unrecognized browser in Belgium as potentially malicious.

Yes, he actually said “we hoped they would appreciate the real privacy and security benefits” as if the BPC privacy order was not based in reality, and then gave “maps, videos, and share buttons” as some kind of serious weight to the decision. It’s a lot like saying people need to lose their privacy just to look at a map or watch a video. Crazy talk.

This stuff is neither new nor rocket science and Stamos wasn’t doing himself or the infosec industry any favors by trying to argue that tracking everyone is the future for EU privacy. Come on man.

And his argument for treating unrecognized browsers as malicious? That is just naive Trump-like talk. He literally was responding to requests for privacy from the government with the opposite, that everyone who doesn’t surrender privacy to Facebook and submit to being tracked will be treated as an outsider threat.

And so…infosec experts at Blackhat were telling me that the infosec industry now should refer to him as the:

Charlatan. Security. Officer.

His comments to the BPC were from December 2015, only months after he naively asked the US government if he should sooner work with Russia and China…and then ran away from the Yahoo breaches rather than disclose them. Anybody and everybody familiar with the Yahoo! CEO testimony to Congress knows how oddly uninformed Stamos sounded for asking the US government whether they wanted him to treat all countries as morally equivalent and work with the Chinese more.

The NSA wasn’t going to push back openly, but Stamos was making the kind of fundamental mistake in attacking governments that soon would come back around.

Russian media gleefully reports NSA is under attack by the guy who soon will let them run propaganda campaigns

So after Stamos’ pushy post of December 2015 the European Parliament moved to adopt GDPR in April 2016. Was it a response? I don’t think anyone has the kind of evidence to say there was a direct connection from Facebook CSO hubris to privacy law, given how Google had already been generating heat, only that there was overall a temperature increase and Stamos’ hot air arguments definitely contributed to distrust in Facebook.

Distrust in Stamos’ vision of safety turned out to be wise, as regulators had set the scene for his reputation to be cemented as someone who doesn’t disclose harm in a timely manner, let alone prevent it. I’ve been told the Russians didn’t overlook his behavior (see the RT news above) and typically only need to drop a few coins in operating such a person towards their objectives.

Around this time there were giant glaring integrity breaches that Stamos apparently did not believe constituted a serious enough security concern to disclose:

Facebook has been roundly criticized for being slow to acknowledge a vast disinformation campaign run by Russian operatives on its platform and other social media outlets before the 2016 presidential election.

[…]

Outside the United States, the impact of disinformation appearing on Facebook and the popular messaging service it owns, WhatsApp, has been severe. In countries such as Myanmar and India, false rumors spread on social media are believed to have led to widespread killing.

This is verging on crimes against humanity. And so…social science experts at Blackhat were telling me that the geopolitical security industry now should refer to him as the:

Charlatan. Security. Officer.

Now Facebook’s latest vulnerability in the news was said to have been introduced in July 2017, under the Stamos fog.

Was it potentially exploited through low-and-slow methods? That is unclear of course, because of the fog. If it was known it was never disclosed (similar to how Stamos did not disclose the breach at Yahoo). We do know that a Product Manager, and not even an officer or security role, is the one who disclosed the breach based on evidence of a sudden spike on September 16th, 2018 (a month after Stamos was pushed out and took a role at Stanford to redirect naive students into venture-backed get-rich schemes instead of graduating).

It is important to remember in this context that Stamos had continued his leave-it-to-me mindset long past the vulnerability and even through 2018, arguing that unauthorized access to Facebook user data did not constitute a breach under any “reasonable” definition.

“The recent Cambridge Analytica stories by the NY Times and The Guardian are important and powerful, but it is incorrect to call this a ‘breach’ under any reasonable definition of the term,” Stamos says in one screenshot. “We can condemn this behavior while being accurate in our description of it.”

Yeah, that kind of stupid really burns. It suggests things would be worse now if he still was CSO. I mean Facebook at that time was handed a whopping £500,000 fine for lack of transparency and failing to protect users’ information. Stamos was way off base. His legacy potentially will be a fine in the billions, but the company at least may feel better about removing the Yahoo who probably would be claiming no breach happened, or that he is the only one with a real and reasonable sense of what privacy means. Facebook investors might take comfort in the fact Stamos has been booted, but if Yahoo is any guide the survival of the entire company becomes ever less certain as more breaches are revealed to have happened under his fog.

Charlatan. Security. Officer.

One might say Facebook health warning signs were there since the middle of 2015, when a certain person with no CSO experience other than a short stint at Yahoo, suddenly popped-up spouting all kinds of strange self-promotional ideas about what is “real” and “reasonable” to people who know better. In other words, regulators realized the time is now for the kind of fines that would hopefully prevent any Charlatan Security Officer from causing widespread harm to public safety from massive-scale data privacy breaches. And for some reason a lot of people think I should blog about this…again.