portrait picture

TIMO ZIMMERMANN

balancing software engineering & infosec

Zoom, web servers and silent updates

posted on Sunday 14th of July 2019 in ,

Just in case you have not caught the news: Zoom, a video conferencing solution, decided to put a web server on your system which let people remotely dial you into a call, video enabled. Now the ordinary user might think “that’s bad, let me uninstall Zoom”, and they would be right. But there is a catch! Zoom does not uninstall the web server when you uninstall the application. But do not worry, this is not a bug, it is a feature!

After some push back Zoom decided this actually is a big deal and pushed a patch which removes the web server. Well, if you happen to still have Zoom installed, otherwise it will just sit there. Apple decided to jump in and push a silent update – no user interaction required – to remove the web server.

What can we learn from this story?

Well, first of all: Do not use Zoom.

If you are using it, start evaluating alternatives. Not because they messed up, this happens to all. But because they simply disregarded a significant vulnerability, basically told us they do not care about the term “uninstall” doing what a user would expect – hey, it is a feature, right? – and forced third party action to keep users safe. This is simply unacceptable and shows a total lack of understanding when it comes to security.

We all knew that Apple can push silent updates, but I think we will see some discussions around OS ownership once again now that it is in the press. How much control should Apple have over your system without asking or notifying you about it? I am still okay with silent updates – for the vast majority of users this is the exactly the right solution to keep malware and things like Zoom in check. Some day this might change when the first questionable “business decision” is the reason for a silent update, this will be the day the narrative changes – in the end Apple is a business and businesses change leadership, which brings in new and different ideas. I would still hope for a very prominent notification in the form of “$x installed to do $y”.

Going beyond that I would imagine we will see some more similar news in future – I do not believe other video conferencing solutions are actually doing a lot better with all the little helpers, plugins and other crapware they force you to install.

One thing that often comes up in discussions around this incident is what users can do as of today to prevent things like this from happening in future. This is actually a tricky question. I would assume not all people effected by this chose to use Zoom, they were told to by their organisation.

If you have to (or want to) use Zoom or similar: Use a browser without plugins or local applications. Many tools are usable in a modern browser without the need for plugins. Some hide additional features like screen sharing behind a plugin, which many participants in a meeting likely will never need. Prefer plugins over dedicated applications you have to install. I would also suggest evaluating mobile applications – they are often feature complete, do not spin up the fans of your system, work quite well and do not force you to install anything on your workstation.

Lastly: Act. This incident should be enough reason for companies to reevaluate their choice of video conferencing software. Not because they had a vulnerability, again: this happens. But the disregard of it and the blatant ignorance they showed. In a business environment you often discuss critical information – do you really want to trust software and a company that handles security incidents this way?


One week with iPadOS

posted on Friday 5th of July 2019 in , ,

Last week we reached 40°C, or how some of you might call it: 104°F. Sadly the times where you could just go home around 11am because of temperatures approaching something over 30°C are long over. So I still had work to do. But powering on a Xeon system with 5k screens means a lot more heat in my office. So I did the only sensible thing after eyeing the iPadOS beta for some time… I put a beta software on my iPad and started using it exclusively for my daily work. Luckily it was mostly writing specs, reviewing code and doing some work on deploying a new software on an EC2 instance, so all within the realm of iOS capabilities.

While all of the above has been possible with iOS for a long time, iPadOS added so many awesome new features that it made a huge difference during daily usage. While the full set of new features is fairly well documented across the usual news sites and Apples developer page introducing iPadOS, there are a few that really stood out to me using them, especially since I did not consider them to be such a big deal.

Managing my inbox, which has the tendency to significantly fill up over time, became a lot more enjoyable and easy thanks to the new action menu. This seems like a pretty small thing when all you do is hitting reply and write a few lines, but the moment you need to flag, move and organize mails, this actually makes a difference.

The new share sheet also makes life a lot easier. Especially the quick access bar for most recent or relevant contacts – skillfully hidden with all my editing skills – helps a lot when browsing the Internet and finding something you quickly want to share with someone.

Safari is actually one of the biggest improvements, but also still subject to a few inconveniences. You really get a full desktop experience, including a desktop video player for example, which is horrible to use on a touchscreen device. I always preferred the iOS native one over lets say YouTubes bastardisation that did not even support proper fullscreen.

The preview including quick access to downloading, new windows, sharing,… really makes it pleasant to use and a lot easier when you are doing some research for example. The download option is also pretty neat when dealing with PDFs you have to edit anyway or want to read later, at least it feels a lot faster than opening the PDF and saving it to iBooks.

Siri suggestions are actually a lot smarter than I thought. When someone is sending you a link via iMessage it shows up when opening a new tab. This is, again, one of the small things you do not think about a lot, but once you start using it you really appreciate it. The screenshot is, well… I am sure Siri hat a reason for suggesting this link. When there is no special context going on the suggestions sometimes are a bit random.

Being able to resize the keyboard for one handed use is great, with swift typing it is amazing. This is likely the most buggy part of the whole OS right now. Sometimes there are rendering issues, swift typing is as bad as on other devices or third party keyboards when typing German or a mix of German and English and some input elements do not understand the floating keyboard pretty well and are simply hidden behind it – even Apples own ones like iMessage.

Is it ready yet?

As I mentioned I was using the iPad as my only device for a full work week. Media consumption is still amazing on it. Writing and drawing as well. But the rendering bugs can get a bit annoying. I did not have any crashes so far and all third party applications are working. Widgets on your regular home screen are awesome and one click to dial into a hangout or webex call is really nice, if the widgets do not forget to load and display data.

If you rely on less well maintained third party applications – some from banks for example, which constantly seem to cause problems – or want a fully polished experience you should definitely wait.

I did a quick experiment with an external screen connected via HDMI and an USB mouse via AssistiveTouch. It actually worked. It was usable and made the whole thing feel less like an iPad. Mouse input still could use some work as well as an option to use a cursor not designed for people with poor vision. And while I actually like typing on the iPad Smart Keyboard, the moment I had a real screen in front of me my first thought was to pair another Bluetooth keyboard.

All in all I am really happy with the direction of iPadOS and I hope they will iterate a lot more on iPad specific features where it makes sense.


Security 101: Know your threats

posted on Sunday 30th of June 2019 in ,

Engineers often know they have to take security seriously and improve the state their product is in. Non technical management is often worried about security, they know all the horror stories of data leaks and abuse and that this is not always well received by customers. What companies as a whole often do not know is what threats they actually face. Knowing what you try to do is usually a pretty good start.

Let us start our security series with figuring out what threats we should think about in various stages of the startup.

What we will be discussing can be considered threat modeling. Just keep in mind that this will not discuss your full and your specific threat model. We will also not discuss the infamous „nation state attacker“. First of all you will likely not be able to defend against a nation state attack in any way, secondly you would need dedicated professionals to make it a bit harder and thirdly it is likely never a nation state attacker, which is often just a very convenient excuse for “we messed up but want to make it sound like we could do nothing”.

The kid next door

The kid next door is actually a more relevant threat. They usually show up, together with some more serious “bug bounty hunters” or “security researchers” whenever your startup appears on some news portal. They often run an automated or semi automated set of tools like Metasploit, Burp Suite and depending on your marketing page wpscan. The more experienced ones also might play around with your mobile applications or take a look at the source code of your web application to see where assets are hosted and if there is other data they can access by modifying the URL (why you want access controls and no sequential IDs is a topic for another post).

If they find something they consider a vulnerability they likely send you an email asking for the existence of a bug bounty program and if you are willing to pay a few dollars if they disclose their finding. This is not necessarily bad by any means, it gives you an idea of potential attack vectors malicious third parties could actually use against your system.

Running some of those tools yourself is something you can learn. Having the experience to understand the scan results is a bit harder but also doable. But you have to be aware that this is basically a specialization within the whole field of information security, so doing it on the side will always put you at a disadvantage. If you feel like you cannot spend the time on this you should be able to hire an affordable consultant on an ongoing basis who is doing it for you and presents an actionable report.

Engineers

Engineers should appear on ever single list talking about threats. Companies usually trust their engineering department. In the end they are building the software, running the servers and taking care of the data – they surely know what they are doing, right?

In reality they are still humans, do not know every single thing in existence and make mistakes. Sometimes convenience is favored in the decision making process over best practices, other times people simply lack the full understanding of the consequences of certain actions.

Some classics I have seen is the lack of disc encryption while they carry a dump of the production database on their laptop, insufficient access controls and audit controls around production data, misconfiguration of production services and many more things that „should never happen“, but still do.

Engineering is also likely the easiest team to get in line with new security protocols and implementations. There is often the most understanding of the importance of security and more often than you would expect only some small fine tuning of processes and practices is required to get the team to the point you want them to be at.

Your team

Your team, all of your employees, leaders, contractors,…, are basically one big security risk. Again, not the bad one doing things out of bad intent or because they think they should not care, but most likely due to a lack of knowledge or usable solutions for their problems.

Thankfully, same as engineering, people usually understand the importance of security, latest after explaining it to them. Which is the key point, you have to explain to them what to do and more importantly what not to do. Without being arrogant. Or sarcastic. Or believing they are stupid. You know, things you see happening every single day when tech-savvy people with an ego explain something.

You also need to work on tooling. „You cannot share data via DropBox or upload it to Mega“ might be correct – but how are they supposed to share data? The alternative cannot include the words „download gpg“ and „create a key and send it to the key server“. Tools need to be intuitive, easy to use and preferably also look nice.

There will also be people who are upset and actually try to hurt your company in one way or another. Maybe someone gets laid off and is angry – how fast can you lock all their accounts and make sure they do not have access to any company data anymore?

Competitors

Competitors are often very interested in what you are doing, the health of your company and your data. While this is not something that usually happens in the very early stages of a startup, the more funding and traction you gain, the more people will have an interest in those things. Being able to target your customers directly, having an understanding of your finances and investors or simply copying internal parts of your code that differentiate your product are a huge competitive advantage.

Luckily most things we will discuss that prevent accidental data loss also guard against the cheap ways to get to your data – what is left to cover are the more expensive attacks. The moment someone is willing to spend money on getting your data one of the key elements is physical security. How easy is it to get into your network? Are your printers secure? Can people just walk into your office and out with some equipment? Believe me when I say that getting a call starting with „someone walked into the office, put five laptops in a trash bag and walked out“ is not as fun as it sounds years later – thankfully no data was lost this day.

The four horseman of data breaches are a very high level overview of threats you might be facing. Some of them more likely than others, some of them harder to guard against. I hope a bit more understanding of those different kinds of threats will help with the understanding of why some things that seem totally irrelevant are actually necessary and cannot be ignored, no matter in which stage your startup is.

If you want to follow this article series you can either subscribe to the general RSS feed or to the tag specific one if you only care about startup security posts.


Bye bye Jony Ive

posted on Friday 28th of June 2019 in ,

An era is coming to an end. Jony Ive is leaving Apple. He is starting his own company and will keep Apple as a client for exclusive projects. This actually opens up a whole lot of possibilities while keeping a connection with Jony for the things he really excelled at – interesting times ahead.

In the past years there was a lot critique when it came to design – especially functionality following design. And there are a lot examples for this, the two most prominent the trash can iMac and the butterfly keyboard. (Obviously I also have to mention the way you charge the Magic Mouse.)

I have absolutely no insight into the exact inner workings of Apple, so some of the following might not be totally accurate – please let me know if I got something wrong.

One thing I think a lot of people forget is that those decisions were not made by one single individual. Obviously Ive had tons of influence and could likely push his ideas through if he really wanted. For the sake of the whiny crowd we could assume all the bad design choices were exclusively made by Ive.

What can we expect now? Likely no dramatic changes in near future. Product development takes time and Apple surely is not sitting down after releasing a device and start planning its next iteration. I also do not believe all design decisions people love to complain about are going away. Especially because a lot of people actually like them – shocking, right? TouchBar? Butterfly keyboard? All USB-C? It is not as black and white as the whiny crowd wants you to believe. There will not be another 2015 MacBook Pro either, and there should not be.

That being said, I think we will see some change. And I also think it is necessary. There clearly was a trend of „function follows form“, which is a horrible way to design things that primarily should follow a function. It felt like Jobs was needed to keep Ive in check and after he was gone no one really did. Some reorientation to the good, old „form follows function“ would surely be nice. I would not want a full 180° shift though – I would hate to see design innovation fade away.

After all: „form follows function“, but a beautiful form is still very much appreciated.


Startup Security 101 – Introduction

posted on Saturday 22nd of June 2019 in ,

Earlier this week I gave a talk about security in the startup world. While working on the presentation and trying to figure out which content I want to cover I ran into a very simple problem: security is hard and the field is quite large.

I think this is not a well kept secret, but something most people working in information security know and are fully aware of. Nevertheless I had to figure something out and received some good feedback in the end. But instead of calling it a day and celebrating myself I decided to work on some articles outlining the foundations of things nearly any company should do.

Introducing: Startup Security 101 (the absolute basics).

Talking about any infosec related topic usually brings out people who like to start their sentences with “actually…”. And there will be a lot of chances to “well, actually…” me while reading through the upcoming articles. Consider this post my general disclaimer to not treat those articles as the ultimate, final truth. It’s supposed to be a starting point.

Some people believe security is an absolute. You either are doing everything known to humankind or everything you actually do is worthless. Some people believe security is the only thing a company must care about until they “get it right”. Others will argue that “theoretically” something better than whatever you do exists. Or that there are still holes and potential attack vectors that you missed. And there is a very good chance that some of those people are correct.

But here’s the thing: If you look at most security breaches and data leaks, they are not sophisticated attacks involving three zero day attacks. They are likely based on some very simple bug which in hindsight is so obvious that you question how this could have ever happened with a competent team working on the project. Truth be told the most talented engineers sometimes make mistakes – we all do. Sometimes the system crashes, sometimes the whole database leaks (but one of those two is obviously worse than the other).

What I will be focusing on in the startup security 101 series is covering as many basics as possible to reduce the chance of those kinds of bugs. Will you be 100% safe and absolutely unhackable? No. If I could offer this kind of knowledge I would be writing a book right now and plan which island I am going to buy to park my Bugatti Chiron on.

As you might have noticed by now is that I am always prefixing security with “startup”. This is actually intentional (not only because it increases the word count of this post). For startups there are three things which are nearly always true, no matter at which stage they are (except some specific domains):

So all advices have to follow a few very specific criteria:

Focusing on the basics that cover the most common problems means that there will be gaps in your security concept. Therefore you have to treat security the same as your product and your company. It will evolve over time, it will need more attention and it will require you to think about problems you have not had at an earlier stage – but it has to be there from the beginning for this to happen. This is a very good problem to have, but it also means you will require additional, specialised engineers later on.

The articles will not follow any specific order. Most of them, except some which will focus on outlining a more general problem, will have actionable advice for a specific topic and hopefully allow you to jump into an implementation phase with minimal additional research. I will also try to provide guidance on how to obtain additional resources and information leading from the bare minimum coverage you should have to an industry best practice version – if something like this actually exists is a topic for another post.

Security is a process. Doing it right is often expensive and time consuming. But this should not discourage you from doing smaller pieces and going for easy wins. They will accumulate and will make sure you are in a better spot than without them. And in a way better spot than many of your competitors who do not think about security at all.

If you want to follow this article series you can either subscribe to the general RSS feed or to the tag specific one if you only care about startup security posts.