A graphical password solution: PixelPin

Graphical passwords are an alternative to the usual textual passwords. They use an image as the support, and the entry mode is an action on that image, such as pointing at positions in the picture. They are convenient on touch screens, make it harder for a robot to mimic human behaviour, and are claimed to be easier to remember.

The literature in the field has been rather extensive since the early 1990s. Technicolor published several papers on the topic (search for Maetz and Eluard). But we rarely see a product that implements such a solution.

The UK-based company PixelPin offers such a solution. It is based on Blonder’s seminal patent (US 5,559,961). When registering, you select one image as the support and four points in the image, in a given order. When answering the challenge, you have to select the same four points in the initial order. To limit the risk of shoulder surfing, the required positioning precision is rather fine (at least on a computer). After 5 failed attempts, the account is locked for 15 minutes. Reset sends a reset token to the email address used to register.

To improve memorability and to ease positioning, you should select a picture with clearly identifiable salient points, otherwise you will quickly be locked out. Of course, using too obvious salient points reduces the space of “keys” an attacker has to explore.
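A minimal server-side implementation of the scheme just described, added here as an illustration (it is not PixelPin’s code): the four clicks are snapped to a tolerance grid, the ordered cell sequence is salted and hashed so the server never stores the raw points, five failures lock the account for fifteen minutes, and a last function bounds the key space for a given image size. The 20-pixel cell size, the image identifier and the sample click coordinates are assumptions made for the example.

```python
import hashlib
import hmac
import math
import os
import time

# The five-failure / fifteen-minute lockout is what the text reports for PixelPin;
# the 20-pixel tolerance cell and the four points are assumptions for this demo.
CELL = 20
N_POINTS = 4
MAX_FAILURES = 5
LOCK_SECONDS = 15 * 60


def quantise(points, cell=CELL):
    """Map pixel clicks to grid cells so that a small positioning error inside a
    cell still reproduces the same secret. A click near a cell border can flip to
    the neighbouring cell: that is the precision/lockout trade-off in the text."""
    return tuple((x // cell, y // cell) for x, y in points)


def digest(points, salt, image_id, cell=CELL):
    """Hash the ordered cell sequence (order matters) with a per-user salt.
    The image id is mixed in so identical clicks on another image differ."""
    cells = quantise(points, cell)
    msg = image_id.encode() + b"|" + "|".join(f"{cx},{cy}" for cx, cy in cells).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, 100_000)


class ClickPointAccount:
    """Server-side state for one user: salted hash of the points plus lockout counters."""

    def __init__(self, image_id, points, clock=time.time):
        if len(points) != N_POINTS:
            raise ValueError(f"exactly {N_POINTS} points required")
        self.clock = clock
        self.image_id = image_id
        self.salt = os.urandom(16)
        self.stored = digest(points, self.salt, image_id)
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self):
        return self.clock() < self.locked_until

    def verify(self, points):
        """True only for the right points in the right order while unlocked.
        Attempts made during a lock are rejected without being evaluated."""
        if self.is_locked():
            return False
        ok = len(points) == N_POINTS and hmac.compare_digest(
            self.stored, digest(points, self.salt, self.image_id))
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = self.clock() + LOCK_SECONDS
        return False


def key_space_bits(width, height, cell=CELL, n_points=N_POINTS):
    """Upper bound on the secret's entropy if every cell were equally likely;
    an attacker who tries salient points first does much better than this."""
    cells = (width // cell) * (height // cell)
    return n_points * math.log2(cells)


if __name__ == "__main__":
    # Constructed sample clicks on a hypothetical 800x600 image.
    secret = [(105, 210), (300, 40), (512, 380), (60, 600)]
    acct = ClickPointAccount("holiday-photo-42", secret)
    print(acct.verify([(108, 215), (302, 44), (515, 385), (62, 604)]))  # same cells
    print(acct.verify(list(reversed(secret))))                          # wrong order
    print(f"{key_space_bits(800, 600):.1f} bits for an 800x600 image")
```

Snapping to a fixed grid is the simplest tolerance scheme and has a known weakness: a click a few pixels from a cell border may land in the neighbouring cell and count as a failure, which is exactly why the text advises pictures with clearly identifiable points. Finer cells raise the key-space bound (about 41 bits for four points on an 800x600 image with 20-pixel cells, against roughly 28 bits for six lowercase letters) but also raise the lockout rate, and the bound assumes uniformly chosen points, which real users do not pick.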

The main issue is the network effect such a solution needs. It will only work if the sites using it are common and often visited, otherwise your memory will fade. Unfortunately, I did not find many sites using PixelPin. The startup was launched at the beginning of last year.

NSA spies us: what a surprise!

I will start this new year (for which I wish you all the best) with some ranting. Since the Snowden story started, I have never commented. Now I will, a little, as I am starting to be upset by all this hypocrisy. Snowden shed some light on the behaviour and skill set of the NSA. This is interesting. But what is not acceptable is that the media seem to be surprised. WE KNEW IT FOR YEARS.


The NSA spies on our personal electronic communications! We knew it for years. Echelon was known in the 90s. The new systems are just a natural evolution to new communication means and enhanced computing capacities. It was even known that the scope was larger than military/political actions. The NSA published patents about semantic analysis of natural speech; the purpose was obvious. I remember an initiative that asked people to generate random mails with gibberish inside but also some alleged keywords (such as terrorism, NSA, …) that should trigger the NSA’s scrutiny. The aim was to try to flood the system.


The NSA is studying advanced techniques such as quantum computing to crack ciphers! I would expect any serious government to have its black chamber studying this topic. Once more, it is known that the NSA may be ahead of the academic/public domain in this field. In 1974, in response to the call of the US National Bureau of Standards (now NIST) for a cipher to protect commercial and banking transactions, IBM designed the famous DES, which was reviewed with the NSA before its adoption. At the end of the 80s, the academic world discovered a new, devastating technique: differential cryptanalysis. In 1991, Eli BIHAM and Adi SHAMIR showed that, surprisingly, DES was far more resistant to this “unknown” attack than many other ciphers (the full 16-round DES could still be attacked, but only with an impractical amount of chosen plaintext). In 1994, Don COPPERSMITH, who was part of the DES design team, revealed that DES had been designed to resist differential cryptanalysis: IBM’s team had found the technique around 1974 and, after discussions with the NSA, kept it secret because it gave a competitive edge to the US.
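The property Coppersmith disclosed can be checked directly: an S-box’s resistance to differential cryptanalysis is read off its difference distribution table (how often an input XOR difference maps to each output XOR difference). The following script, added here as an illustration and not taken from either paper cited below, builds that table for DES S-box S1 and verifies one of the published design criteria. The S1 table is the one in FIPS 46; everything else is the example’s own code.

```python
# DES S-box S1, as published in FIPS 46 (the other seven boxes are omitted here).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x):
    """DES S-box lookup on a 6-bit input: the outer bits (b5, b0) pick the row,
    the middle four bits (b4..b1) pick the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def is_valid_sbox(table):
    """Each row of a DES S-box is a permutation of 0..15."""
    return all(sorted(row) == list(range(16)) for row in table)


def difference_distribution_table(table):
    """ddt[dx][dy] = number of 6-bit inputs x with S(x) ^ S(x ^ dx) == dy."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            dy = sbox(table, x) ^ sbox(table, x ^ dx)
            ddt[dx][dy] += 1
    return ddt


def best_differential(ddt):
    """Most probable (dx -> dy) pair for a non-zero input difference."""
    best = (0, 0, 0)
    for dx in range(1, 64):
        for dy in range(16):
            if ddt[dx][dy] > best[2]:
                best = (dx, dy, ddt[dx][dy])
    return best


def meets_criterion_s7(ddt):
    """Coppersmith's criterion S-7: for any non-zero input difference, no more
    than 8 of the 32 unordered input pairs (16 of the 64 inputs) may give the
    same output difference, i.e. no single-S-box differential holds with
    probability above 1/4."""
    return all(max(ddt[dx]) <= 16 for dx in range(1, 64))


if __name__ == "__main__":
    ddt = difference_distribution_table(S1)
    dx, dy, count = best_differential(ddt)
    print(f"S1: best differential {dx:02x} -> {dy:x} holds for {count}/64 inputs")
    print("criterion S-7 satisfied:", meets_criterion_s7(ddt))
```

On S1 the most probable differential is input difference 0x34 to output difference 0x2, holding for 16 of the 64 inputs (probability 1/4), and no non-zero input difference does better: that is the bound criterion S-7 imposes, and it is what stops the multi-round characteristics Biham and Shamir chain together from reaching a practical probability against the full 16 rounds. The same script applied to an S-box without such a design constraint is the quickest way to see how much a careless choice helps the attacker.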

Secret services do not play fair democratic games! That is why they are called secret services. Hollywood, as well as John LE CARRE, has told us about that often enough.


So please, let us stop this hypocritical surprise: we knew about it (though not the details).


E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” Journal of Cryptology, vol. 4, no. 1, Jan. 1991, pp. 3–72, available at http://link.springer.com/article/10.1007/BF00630563.

D. Coppersmith, “The Data Encryption Standard (DES) and its strength against attacks,” IBM Journal of Research and Development, vol. 38, no. 3, 1994, pp. 243–250.

Preventing weak passwords by reading your mind

This is what the Telepathwords site proposes. The site estimates the strength of a password. The interesting part of this Microsoft Research site is the heuristics it uses.

After each typed character, it attempts to guess what the next character will be. If it guessed right, the character is considered weak (indicated by a red cross). How does it guess the characters?

Telepathwords tries to predict the next character of your password by using knowledge of:

  • common passwords, such as those made public as a result of security breaches
  • common phrases, such as those that appear frequently on web pages or in common search queries
  • common password-selection behaviors, such as the use of sequences of adjacent keys

It considers the password strong if it contains at least six characters it could not guess.
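The heuristics above are easy to prototype. The following predictor is added here as an illustration and is not Telepathwords’ own code: it keeps a prefix index over a small constructed list of common passwords and phrases, adds keyboard-adjacency guesses for QWERTY and AZERTY rows, lets the predictor offer at most five guesses per position (an assumption; the real site’s limit and dictionaries differ), and applies the six-unguessed-characters rule. The word lists are constructed for the demo, and “alea jacta est” is deliberately included, so this toy rates it weak where the real site, as reported in the next paragraph, did not.

```python
from collections import Counter, defaultdict

# Constructed mini-corpora. Telepathwords' real lists are far larger; these are
# stand-ins for the demo. "alea jacta est" is included on purpose (see the text).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "azerty", "letmein",
                    "iloveyou", "football", "monkey"]
COMMON_PHRASES = ["cogito ergo sum", "veni vidi vici", "alea jacta est",
                  "je pense donc je suis"]
# Physical key rows, QWERTY and AZERTY, for the "adjacent keys" heuristic.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "azertyuiop", "qsdfghjklm", "wxcvbn"]
MIN_UNGUESSED = 6   # the page's rule: strong if six characters were not guessed
TOP_N = 5           # guesses allowed per position (assumption for this demo)


def normalise(text):
    return text.lower().replace(" ", "")


def build_prefix_index(*corpora):
    """For every prefix of every entry, count which character follows it."""
    index = defaultdict(Counter)
    for corpus in corpora:
        for entry in corpus:
            e = normalise(entry)
            for i in range(len(e)):
                index[e[:i]][e[i]] += 1
    return index


PREFIX_INDEX = build_prefix_index(COMMON_PASSWORDS, COMMON_PHRASES)


def adjacency_guesses(typed):
    """Keys next to the last typed key on either layout, plus a repeat of it."""
    if not typed:
        return set()
    last = typed[-1]
    guesses = {last}
    for row in KEYBOARD_ROWS:
        i = row.find(last)
        if i >= 0:
            guesses.update(row[max(i - 1, 0):i + 2])
    return guesses


def predict(typed, top_n=TOP_N):
    """Guess the next character from the longest suffix of `typed` that is a
    prefix of a dictionary entry, combined with keyboard adjacency.
    Returns at most top_n guesses, ranked by support (ties broken by character)."""
    counts = Counter()
    for k in range(len(typed), -1, -1):          # longest context first
        context = typed[len(typed) - k:]
        if context in PREFIX_INDEX:
            counts.update(PREFIX_INDEX[context])
            break
    for g in adjacency_guesses(typed):
        counts[g] += 1
    ranked = sorted(counts, key=lambda c: (-counts[c], c))
    return set(ranked[:top_n])


def evaluate(password, top_n=TOP_N):
    """Return (unguessed_count, per_character_guessed_flags, is_strong).
    A flag of True means the character was predicted, i.e. it is 'weak'."""
    typed = ""
    flags = []
    for ch in password.lower():
        flags.append(ch in predict(typed, top_n))
        typed += ch
    unguessed = len(flags) - sum(flags)
    return unguessed, flags, unguessed >= MIN_UNGUESSED


if __name__ == "__main__":
    for pw in ["qwerty", "aleajactaest", "x7#Qz!vRp"]:
        n, flags, strong = evaluate(pw)
        marks = "".join("x" if f else "." for f in flags)
        print(f"{pw:14} {marks:14} unguessed={n:2} strong={strong}")
```

The verdict depends entirely on what the dictionaries contain: “qwerty” is caught by the adjacency rule after its first letter, “aleajactaest” is caught only because the toy corpus knows the phrase, and a password built from characters no rule predicts sails through. That is the caveat the site itself states about non-English input, and it is why a checker like this is a filter for bad choices, not a measure of entropy.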

Of course, the strength of the system relies on the richness of its dictionaries of common passwords and common phrases. Obviously, the game was to play with it. My first thought was that it would be purely English-centric. Thus, I tried French, and the first one was azerty. Azerty, of course, was weak. “abrutifrançais” (French idiot) was a strong password even without the special character ç. “Je pense donc je suis” was middling (as it guessed the end). Let’s go further and switch to Latin. “CogitoErgoSum” was weak, as was “venividivici”. But “aleajactaest” was extremely robust!!

For fun, I checked consistency with Microsoft’s Password Checker. The answers are not consistent. For instance, “CogitoErgoSum” turns out to be strong whereas “aleajactaest” is medium.

As always, it is rather easy to trick this type of site. Nevertheless, the site clearly explains that it will not detect all weak passwords, especially in languages other than English.

Laundering money in the digital world

With the advent of the digital world, money laundering has developed new techniques. Two new trends: online gaming and micro-laundering.

Online gaming is not online gambling (which we may have thought of when speaking of illegal activities); it is the use of role-playing games (RPG) such as World of Warcraft (WoW) to move money. Indeed, many RPGs allow players to purchase or sell either virtual coins collected during game play or rare virtual artefacts, and the trade can use real money. Blizzard recently announced that it will close Diablo III’s (real-money) auction house. A way to avoid this type of issue?

Micro-laundering uses services such as PayPal or virtual credit cards, and people who temporarily let money transit through their accounts. Interestingly, I learned that some Nigerian scams are indeed semi-real: they look for people to transfer illegal money. The person accepting the transfer may be rewarded, but will be liable for money laundering!!

This activity is described in Jean Loup RICHET’s report “Laundering Money Online: a review of cybercriminals’ methods”. The report gives a high-level view of the new trends. Unfortunately, it lacks serious figures, references and technical details. I do not know whether there is a non-public version with more information.

If you are looking for a quick overview, it is a good start. It also gives a good view of how inventive they can be.


J.-L. Richet, “Laundering Money Online: a review of cybercriminals’ methods,” 2013, available at http://arxiv.org/abs/1310.2368.

Ten laws: a little help?

I am writing my second book. It will explore the ten laws of security and will be published by Springer in 2015. The book will describe many examples of real situations illustrating the laws; some examples comply with a law, others violate it.

I already have many examples. Nevertheless, the larger the stock of potential examples, the better. Thus, I am looking for examples. If you have an example illustrating one law and are ready to share it with me, you are welcome. Should it be a new, unknown example that I use in the book, then of course you will be cited in the book.

I am also looking for examples:

  1. Not related to IT
  2. Historical examples

I appeal to your generosity…

SF: Rainbows End

It is interesting to see how contemporary sci-fi authors embrace new technologies. Vernor Vinge, in his “Rainbows End”, demonstrates his deep knowledge of current IT technologies. In a not too distant future, his heroes are immersed in a world with three technical characteristics:

  • Wearables: computers are part of day-to-day clothing. Funnily, the French translation uses the sad term “vetinf”.
  • Augmented reality: everybody wears contact lenses. Not only do they give additional information, but they can also disguise the world with whatever fantasy the viewer desires.
  • Ubiquitous network

Therefore, from the technical point of view, the book is interesting. What about the story itself? It is a mixture of Fahrenheit 451, Snow Crash and a jump to the future. Unfortunately, there are some inconsistencies with the characters, as some young kids are too “efficient” (at least in my opinion). Thus a good book, but not a major opus.

PS: I do not share his vision and definition of DRM.

CCC hacked Apple’s TouchID

One of the “innovative” features of the new Apple iPhone 5S is TouchID, an integrated fingerprint recognition system. Once your fingerprint is registered, you can unlock the phone by pressing your finger on the home button. Is it secure?


On Saturday, the German Chaos Computer Club (CCC) announced that they had cracked TouchID. According to them, the technology had nothing new except a higher-resolution sensor. Thus the countermeasure was to use the traditional, proven methods (lifting a fingerprint and building a fake finger from it) at a higher resolution. Of course, it worked.

More interestingly, the official CCC announcement highlights two major limits of biometrics:

  • It is not secure: most systems can be fooled.
  • Biometrics cannot be revoked! Once cracked, your fingerprint will always be valid!


Nevertheless, some comments to mitigate these remarks:

  • Some systems are more sophisticated. For instance, some fingerprint systems check whether the applied “finger” is alive or a piece of latex (liveness detection). These systems are more expensive, of course.
  • Some biometric systems, such as vein pattern recognition, are far more difficult to fool. Their price is currently out of reach of the consumer market.
  • As many people do not use a PIN to lock their phone, using a fingerprint may be a more acceptable solution for them. This is better than using no access control on the phone at all, as long as the user does not blindly believe that the phone’s security is absolute.