Jacob Appelbaum, the Tor Project; Alec Muffett, Facebook software engineer and internet security evangelist
In the near future, professors, journalists, or anyone who wants or needs to remain anonymous on the internet should thank Jacob Appelbaum and Alec Muffett for protecting their privacy.
Only they're not likely to have heard of the duo who were instrumental in carving out a private corner on the web by getting the Internet Engineering Task Force (IETF) to formally recognize .onion as a Special-use Domain Name.
It's an accomplishment that Appelbaum, a security researcher and developer, privacy expert and core member of the Tor Project, called “a small and important landmark in the movement to build privacy into the structure of the internet.”
Appelbaum and Muffett, a Facebook software engineer and internet security evangelist, began working to keep .onion from becoming a Top Level Domain (TLD) in 2013, or as Appelbaum calls it, the “Summer of Snowden.”
As a TLD, the domain could have been sold by the Internet Corporation for Assigned Names and Numbers (ICANN).
“Losing control of .onion had the potential to create confusion for all hidden services, not just Facebook,” Muffett says. “This is really about securing the way people connect to Facebook. With our .onion site on the TOR network, people can confidently connect to Facebook knowing their link is genuine and end-to-end secure.”
And Appelbaum adds that “end users now have the security and privacy they thought they had.”
But the designation came after two years of dogged work by Muffett and Appelbaum, who both have more than a passing acquaintance with privacy issues. Appelbaum now resides in Berlin after his own privacy was compromised following the U.S. Justice Department's push to obtain his email records from Google while investigating his work as a WikiLeaks volunteer. Google was slapped with a gag order forbidding the company from notifying Appelbaum of the government's request and prompting a slow-burning legal battle when the search engine company refused to turn over the information.
As for Muffett, he wasn't long graduated from college when he wrote the first version of Crack, a Unix password-cracking program that helps systems administrators sniff out users' weak passwords. During a later stint at Sun Microsystems, he eventually became principal engineer for security, where he collaborated on the successful factorization of RSA-155. His work in pluggable crypt was eventually used in the Sun MD5 hash algorithm, which used Shakespeare's “To be or not to be” soliloquy from Hamlet as its constant text. Muffett joked in a 2005 blog that using the soliloquy “exposes more programmers to Shakespeare, which has got to be a good thing.”
The .onion success came after the Tor Project began working with members of the peer-to-peer community (led by Christian Grothoff) to register a number of Special-Use Domain names, Appelbaum said. “We were strongly encouraged to split out .onion from the other Peer to Peer Names draft.”
Following the same process as Apple used to register .local, the .onion proponents crafted a draft detailing security and privacy considerations, and the recent publication of the special-use domain name by the RFC Editor (as RFC 7686) was a move toward standards that would secure the internet.
“By recognizing .onion as a special use top level domain, IETF has made it easier for other organizations to provide more secure connections for people online,” says Muffett, who contends that “effective security encompasses privacy, integrity and availability.”
But the more secure alternative offered by .onion shouldn't be readily apparent to the end user, nor should it be disruptive. “If we do this right, users won't even know,” Appelbaum explains. – Teri Robinson
Joshua Drake, vice president of research, Zimperium Enterprise Mobile Security
In a time of incessant hacks and new vulnerabilities discovered daily, it's difficult to make computer users more concerned about the security of their personal information. Yet, occasionally, new research stands out and creates an even greater degree of paranoia among technology users.
And so it was when Joshua Drake announced his discovery of Stagefright vulnerabilities.
Drake's research led to the discovery that Android's media playback tool could be exploited through a multimedia text message to provide attackers with elevated audio and camera privileges. This meant, effectively, that nearly every Android device was vulnerable to a spyware-infected RAT that allowed an attacker to listen to the conversations and watch the surroundings of victims' devices.
In July, Drake told SC Magazine that the affected software runs with system privileges on some devices. Apart from these elevated privileges, remote arbitrary code execution allows sophisticated attackers to execute privilege escalation attacks, which would provide complete control of the device, he said.
Drake, who joined Zimperium's zLabs in April, says that the vulnerabilities are difficult to exploit. Previously, he was director of research science at Accuvant, where he headed up a team of elite vulnerability researchers. He also worked at Rapid7's Metasploit and VeriSign's iDefense and he is one of Metasploit's top contributors. In 2013, he won Pwn2Own for his discovery of a zero-day exploit of Oracle's JVM that allowed him to take control of a fully-patched Windows OS within 15 seconds. Previously, in 2010, he won DefCon 18 CTF with the ACME Pharm team.
Drake's research changed much of the conversation about the devices that we use regularly – and about Android specifically. The Android platform has many complications, Drake said during his presentation at the Black Hat security conference. “Mobility – especially in the Android space – has gotten a bad rap from a lot of people,” he said. “When you start researching Android, you learn this very quickly.”
While Android security has for years been viewed as highly problematic, it was Drake's discovery that brought this conversation to a more mainstream audience. It was Stagefright that finally convinced Lorenzo Franceschi-Bicchierai, a longtime Android fanboy and information security reporter at Motherboard, to switch to iPhone.
Drake, author of the Android Hacker's Handbook (2014), has a collection of different Android devices and uses these for ongoing security research projects, calling the collection his “Droid Army.” In his Black Hat presentation, he said he is driven to improve the state of mobile security, increase the visibility of risky code in Android, and “put the Droid Army to good use!”
His discoveries gained enough attention among mainstream users to cause Google to rethink Android's longtime open source strategy. Open source makes it difficult to ensure quality control since Google relies on device manufacturers to build security into its devices and telecommunications providers to provide timely patches.
Thanks to Drake, Google now wants to build its own chips as the first step toward offering devices that use solely in-house technology. This security-first approach is notable for a company that has long lagged in that area, and is due at least in part to the consumer fury that Stagefright unleashed.
Google's security team, Project Zero, has focused more of its attention on mobile. In November, the team held a competition to find vulnerabilities on Samsung's Galaxy S6 Edge. The team announced that it discovered 11 “high-impact security issues.”
Meanwhile, Drake continues to be a thorn in Google's side. He has continued the original attack, says Samy Kamkar, a security researcher and CTO at Ctrl Me Robotics who discovered GM's OnStar vulnerability. In August, Drake informed Kaspersky Lab's Threatpost that a number of additional issues have arisen since he discovered the Stagefright vulnerability.
Further, Chris Wysopal, CTO and CISO of Veracode, says that Stagefright is “Heartbleed for mobile.”
“A lot of people realized that there needed to be an easier and more methodical approach to providing updates,” says Kamkar. He called Stagefright one of the most powerful attacks he has seen and said it demonstrates “a clear differentiation between Android and iOS.” – Jeremy Seth Davis