A couple of weeks ago I was asked a question around the disposal of SSDs. The question went along the lines of “In the old days we could just overwrite the disk many times (eg with DBAN). What should we do, now, with SSDs?”
Recently, a bunch of Infineon TPMs were found to have a flaw that generated weak RSA keys. This could have lots of impact, including Bitlocker disk encryption.
Around the same time, KRACK flaws were found in WPA2, the mechanism used to secure WiFi networks.
Earlier this year, flaws in how mobile networks work (“SS7”) allowed hackers to steal money from banks by stealing 2FA passcodes sent by SMS.
I can keep going on. But what do all these completely different things have to do with each other?
Their impact is different, depending on who you are.
Disk data destruction
Since that’s what got me thinking about this, let’s start here. How should you destroy the data on your SSDs? Now I could go into some depth on how the old methods didn’t really do a complete erase (eg due to bad block reallocation), and the wear leveling on SSDs makes it even harder. But this really missed the point.
Ask the question; who was going to do a low level forensics analysis of the disk? If you’re an average “John Smith” then the answer will be different than if you’re a bank storing credit card numbers.
Another question; is this my biggest risk? If you are using a laptop (or phone) or carrying about portable media (USB drives) then a bigger risk is losing the laptop, or having it stolen. This means you should really encrypt your data on these devices (eg with Bitlocker, on Windows).
If you’re a businessman with the laptop then you might also want to have a BIOS password to prevent Evil Maid attacks for industrial espionage.
So how do you clean a disk? If it’s encrypted, just destroy the encryption key! If you’re in a bank’s datacenter you might want to physically shred the disk. If you’re recycling your old home computer to give to your local charity then a full format (not quick format) followed by reinstalling the OS will probably be good enough.
There’s no one solution.
We can ask similar issues about the other issues; let’s take the Infineon one… this has some people worried because the TPM RSA key may be the whole root of trust for an environment. In particular, Bitlocker encryption may use this key (and we’ve just said that laptops should be encrypted!). So we should be panicking, right? Well, it’s estimated that it would take 1000 Amazon instances 17 days and cost $40,000 to break this.
Is your data worth $40k to an attacker? Or, rather, do they think it may be worth that much money? My personal laptop? Nope, not at all. A laptop used by SAs to login for support work? Probably not. A laptop holding personal banking details, or medical records, or mergers/acquisitions? That’s more likely.
As an individual, this issue doesn’t really impact me and I probably won’t update the firmware to fix this. As a security person for my company we risk-rated and created a priority fix.
If you’re using Starbucks then you better be using VPNs or only visiting SSL protected sites, anyway, because MITM attacks are easily possible. KRACK doesn’t change this.
Your home network? Most people only use home WiFi to connect to the internet, eg for mail, browsing, streaming. This is normally SSL as well. Maybe you have a wireless printer? Or some unprotected “Internet of Things” device? In theory these may be vulnerable to KRACK… but who is going to attack you? What will they learn?
At work, though… many places have an employee WiFi network that’s behind the perimeter firewalls. Ah, now we have a risk that may need to be addressed. It may be that we should re-architect our WiFi designs and only allow VPN access from this network. Effectively treat it as being outside the perimeter and don’t trust it.
SS7 flaws in SMS
This one always causes fights. NIST has deprecated SMS as an authentication factor. So we should stop using it, right?
Well, once again, it depends. We all know passwords are terrible, and people pick bad passwords. Now the attack the average person cares about isn’t an attack on them, but an attack against the server; for example, an attack on the bank. This attack just randomly throws usernames and passwords at the server, and some may work! Our average person has their money taken. The defense is some form of 2FA, and even SMS is better than no 2FA.
If you work in the bank though, then your logins to the VPN gateway may well be targeted. For that SMS may not be good enough.
And if you’re the CEO of the bank worth a gazillion dollars then you may, personally, be targeted.
I just picked a random handful of attacks and risks, and demonstrated how these risks are different, depending on the scenario you are in.
As security professionals we have a habit of “absolutism”; if something is known to be weak then it’s considered bad. But this is a perfect example of “the best being the enemy of the good”.
For your average home user, a password manager is better than using the same password everywhere (heck, even a password book is better than using the same password everywhere!). SMS 2FA is better than just a standard password.
For a person at risk (e.g. vengeful ex; targeted by trolls; abusive partner; a high wealth individual; a famous name) the risks change; you may have your phone stolen, your laptop hacked, your email accounts targeted. Is someone willing to spend $40000 to decrypt your hard disk? If so, update your TPM and change the encryption keys!
An organisation (and the employees working at the organisation) have another set of challenges, and this may depend on the industry they’re in. We’ve heard stories of laptops being found in taxis with large databases on them.
We need to move away from the “one size fits all” mentality, and start looking at a “good enough” solution. Even “poor” 2FA is better than no 2FA.
Most people don’t need perfect security; they just need “good enough” security. If you’re in a risky situation then this XKCD may actually describe your biggest risk!