Acoustic Eavesdropping on Keystrokes in Voice-Over-IP Calls

Using audio recordings to later determine what someone was typing has been previously demonstrated, but a group of security researchers recently published a paper analyzing the feasibility of doing so over a voice-over-IP call, such as a Skype call.

According to the abstract,

In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge on the victim’s typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to a still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard). Finally, we provide evidence that the Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack.

I participate in quite a few conference calls and do two things to avoid issues like this: a) always mute the microphone except when I am actually talking, and b) limit typing as much as possible when my microphone is live (along with the potential security issues, it is annoying to hear people typing while on a call).

A bigger concern is still people recording and then decoding what someone is typing during a physical meeting. One of the advantages of many physical meetings is that there are often multiple people typing on laptop keyboards. Switching to a low-noise keyboard, like the sort of keyboards used with the iPad Pro or the Surface Pro, is also a way of minimizing how much data can be captured.

(Of course, I’m typing this on a Unicomp mechanical keyboard which I assume would be trivial to eavesdrop on from down the street).

Decline in WordPress Wow Factor? I’d Be Happy for a Duh Factor

WP Tavern has an article–now with dozens of comments–arguing that the wow factor in major WordPress releases is getting few and far between.

Because of WordPress’ maturity and the short development cycle, major features are getting few and far between. By looking at the Beta tab on the WordPress plugin directory, visitors can view projects that may end up in future versions of WordPress. The only project on the page that excites me is the Front-end Editor but based on how long it’s been in development, I’m not holding my breath.

Please excuse me while I throw up in my mouth. The self-hosted version of WordPress is one of the most widely deployed pieces of software on the web, and yet in 2016 users still have to track down a plugin if they want to do something as basic as rate limit logins to prevent brute force password attacks.

At this point, the lack of such a basic feature has to be put down to extremely poor leadership and vision. WordPress is deployed by a lot of novices, and not only should there be a rate-limit feature, but it should be enabled by default.

But hey, what are minimal security features in a world where the admin UI needs to be redesigned repeatedly or basic features in the editor need to be removed for no good reason?
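As an added illustration of the kind of login rate limiting the post is asking for (this is not WordPress core code and not any published plugin), the following hooks into WordPress’ own authentication filters and actions; the plugin name, the `elrl_` function prefix and the 5-attempts-per-15-minutes threshold are assumptions:

```php
<?php
/**
 * Plugin Name: Example Login Rate Limiter
 * Description: Added illustration only. Locks out a (client IP, username)
 *              pair after repeated failed logins. Names and thresholds are
 *              assumptions, not WordPress defaults.
 */

// Assumed policy: 5 failures per 15 minutes for a given IP/username pair.
const ELRL_MAX_ATTEMPTS = 5;
const ELRL_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

// Key the counter on both IP and username so a single attacker cannot lock
// every user out by hammering one account from one address alone.
// Behind a reverse proxy REMOTE_ADDR is the proxy; derive the real client
// address from a trusted header there instead.
function elrl_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'elrl_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Priority 30 runs after the built-in username/email handlers (priority 20),
// so a locked-out pair gets the same error whether or not the password
// was correct, giving the caller no password oracle.
function elrl_check_limit( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $attempts = (int) get_transient( elrl_key( $username ) );
    if ( $attempts >= ELRL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'elrl_check_limit', 30, 3 );

// Count each failure; the transient expires by itself after the window.
function elrl_record_failure( $username ) {
    $key      = elrl_key( $username );
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, ELRL_WINDOW_SECS );
}
add_action( 'wp_login_failed', 'elrl_record_failure' );

// A successful login clears the counter for that IP/username pair.
function elrl_clear( $user_login ) {
    delete_transient( elrl_key( $user_login ) );
}
add_action( 'wp_login', 'elrl_clear' );
```

Dropped into wp-content/plugins/ and activated, this makes the lockout the default for every login form that goes through wp_signon(), with no configuration required of the site owner.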

AirVPN 6th Anniversary

AirVPN recently celebrated its sixth birthday,

From a two-server service located in one tiny country providing a handful of Mbit/s in 2010, the baby has grown up to a wide infrastructure in 16 countries in three continents with 165 VPN dedicated servers and several secondary servers aimed at additional services, providing now up to 156900 Mbit/s to tens of thousands of persons around the world. The number of available VPN servers since the last birthday has almost doubled. An outstanding growth that makes us very proud!

I have been using AirVPN since 2011 and route all of the Internet traffic on my two personal laptops through their service (other than times when I’m playing online games where the lowest possible latency is a must).

Based on what I’ve read, AirVPN is the best VPN for when you don’t want your ISP or other network provider monitoring what you’re doing over the Internet. I appreciate things like their client’s “Network Lock” feature, which prevents any Internet traffic that doesn’t traverse the AirVPN network so as to prevent any leakage which might allow my ISP or others to monitor what I’m connecting to.

As I’ve written on my blog before, if I were engaged in activities where I was worried about a state actor and where connection speed isn’t important, I would use something like Tor. But for keeping the MPAA and my ISP’s monitors at bay, AirVPN does the trick.

Finally, the price for AirVPN has stayed fairly stable–a one year subscription costs roughly $59 (the company bills in Euros)–while the company has expanded the number of concurrent connections it allows to three, so that I can have both of my laptops and occasionally my phone connected simultaneously.

Seedboxes

I had never heard of seedboxes until recently, but Wikipedia informs me that they are,

…a remote server hosted in a high-bandwidth data center used for the safe uploading and downloading of digital files. These speeds range from 100Mbit/s (12.5MB/s) to 10Gbit/s (1250MB/s). Persons with access to a seedbox can download these files to their personal computers anonymously.

So you rent a box sitting out in some server farm that runs BitTorrent. Files are downloaded to the seedbox.

Once they are downloaded, then you VPN into the seedbox and grab the files to your personal computer.

Along with the additional step between you and the torrent, a seedbox may be on a network that has faster bandwidth than a local machine that a user has access to. And, as Wikipedia notes,

Seedboxes are also used to circumvent bandwidth throttling by Internet service providers or to evade laws such as the HADOPI law in France.

I checked out prices over at RapidSeedbox.com, and a server with 2.8TB of storage and a 1Gbps port will run you $61/month, while one with 1.4TB of storage will run $34/month (all plans feature unlimited traffic). On the low end, $17/month will get you 500GB of storage.

You’d still want to pay for and connect to a seedbox while over a VPN, so that RapidSeedbox can’t directly report on your IP to law enforcement (if illegally downloading files is your thing, that is).

Squarespace–Support SSL Already

So one day my wife wanted a website to highlight her award-winning pottery. She finds WordPress a bit cumbersome to use and, after looking at a number of hosting sites, settled on Squarespace. After purchasing a site there, I registered a domain name for the site and we sat down and took a look at what needed to be done to point the domain to the site.

And that’s where things got weird. Because I figured while I was reading Squarespace’s documentation about where to point the domain DNS, I’d also see what the process was for adding an SSL certificate. And the answer was shocking–there is no option for individuals to use SSL on Squarespace sites.

When you log in to Squarespace or set up an e-commerce area, Squarespace sends you to a Squarespace.com area that uses Squarespace’s SSL certificate. But those are the only times that users will see SSL related to a site they have set up. As Squarespace explains (emphasis added),

Some areas of Squarespace sites are protected by SSL, including checkout for Commerce transactions and wherever you log into your site. However, SSL isn’t currently available for other pages.

We don’t offer the ability to install custom SSL certificates at this time.

This is crazy, and potentially dangerous. Without SSL, browsing Squarespace sites is subject to snooping by third parties. Attackers could potentially perform man-in-the-middle style attacks by intercepting the non-encrypted traffic and injecting malicious code.

One of Squarespace’s competitors, WordPress.com, not only supports SSL for the millions of blogs/sites it hosts, but just announced it was using Let’s Encrypt to offer free SSL to every single custom domain on its network.

That Squarespace continues to expose both its visitors and its customers to these sorts of risks is inexcusable.

LostPass Phishing Attack Against LastPass

Every few months, someone comes out with a clever attack on LastPass. In January, for example, Sean Cassidy released his LostPass phishing attack that “allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.”

LostPass is a clever phishing attack. Essentially an attacker creates a fake notice that a user’s LastPass session has expired and asks them to log in. The fake version is visually identical to the actual notice LastPass uses, and even technical users would be unable to distinguish between the real notice and a phishing attempt.

LastPass responded by removing the button in its session expiration notices (so users will, presumably, be able to better distinguish fake versions which would need to have some sort of “login” button). LastPass also now requires users to go through an email-based process to approve logins from any previously unknown device or IP address.

LastPass also points the finger at Google, saying it identified these sorts of problems with the way Chrome displays notifications, but that its complaints fell on deaf ears,

A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.

It is good that people like Cassidy are out there looking for ways to get around LastPass’ security, and also good that LastPass generally responds to these sorts of attacks much more quickly and effectively than a lot of companies. Every time a vulnerability in LastPass is found, people I know ask me whether they should still use LastPass, and my answer so far has always been “yes.”

So far the vulnerabilities that have been found in LastPass are of the sort that I still feel far more secure using it to manage my passwords than using some other password manager or (even worse) some other method for creating and managing the passwords to the dozens of services I have credentials for.