Twitter’s selection of bad password

When you sign up to Twitter and choose your password, Twitter rejects some passwords even though they meet the minimum length. These passwords are hard-coded in the page's code and can therefore be consulted (which is not a problem at all).

If you don't want to reverse engineer the code, the full list of 370 banned passwords is published by the Wundercounter.

It is interesting to look at them. They are entirely logical. Interestingly, this password ban only covers English native speakers: foreigners can still use silly passwords. For instance, as expected, QWERTY is banned, and so is ASDFGH. In France, among the worst passwords, we have AZERTY and QSDFGH because of our specific keyboard layout.

It is really fun to see the selection. My favorite is THX1178. How many geeks would use this one? It is the ultimate recognition to be listed alongside STARWARS and STARTREK.

In any case, it is a good initiative, but internationalisation would make it better. Do you know of any repository of bad passwords for many languages?
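The gap described above (a denylist built for one language misses the keyboard walks of another) can be closed in code rather than by maintaining one list per language. The following is an added example, not Twitter's code: a sign-up check that combines a short denylist with a keyboard-walk detector covering several layouts, so that "qsdfgh" is refused for an AZERTY user just as "asdfgh" is for a QWERTY user. The denylist is a constructed subset; the key rows are transcribed from the layouts themselves.

```python
# Added example (not Twitter's code): a denylist check that also catches
# keyboard walks on several layouts, so that "qsdfgh" is rejected for an
# AZERTY user just as "asdfgh" is for a QWERTY user.
# COMMON_PASSWORDS is a constructed subset; the key rows below are
# transcribed from the respective keyboard layouts.

COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "asdfgh", "starwars", "startrek", "letmein",
}

KEYBOARD_ROWS = {
    "qwerty": ["qwertyuiop", "asdfghjkl", "zxcvbnm"],
    "azerty": ["azertyuiop", "qsdfghjklm", "wxcvbn"],
    "qwertz": ["qwertzuiop", "asdfghjkl", "yxcvbnm"],
}


def normalize(password):
    """Case-fold and trim so that 'Qwerty ' and 'qwerty' are treated alike."""
    return password.strip().lower()


def _longest_run_in(seq, text, min_run):
    """Longest substring of seq (length >= min_run) that occurs in text, or None."""
    for length in range(len(seq), min_run - 1, -1):
        for i in range(len(seq) - length + 1):
            run = seq[i:i + length]
            if run in text:
                return run
    return None


def longest_keyboard_walk(password, min_run=4):
    """Return (layout, run) for the longest run of adjacent keys, read in either
    direction along one row of any layout, that the password contains; None if
    no run reaches min_run. Ties keep the first layout examined."""
    text = normalize(password)
    best = None
    for layout, rows in KEYBOARD_ROWS.items():
        for row in rows:
            for seq in (row, row[::-1]):
                run = _longest_run_in(seq, text, min_run)
                if run and (best is None or len(run) > len(best[1])):
                    best = (layout, run)
    return best


def reject_reason(password, min_len=6):
    """Why a password would be refused at sign-up, or None if it passes the
    three checks (length, denylist, keyboard walk)."""
    text = normalize(password)
    if len(text) < min_len:
        return "too short"
    if text in COMMON_PASSWORDS:
        return "on the common-password list"
    walk = longest_keyboard_walk(text)
    if walk:
        return "keyboard walk on %s layout (%s)" % walk
    return None


if __name__ == "__main__":
    for candidate in ["qwerty", "QSDFGH12", "azerty", "correct horse battery"]:
        print(candidate, "->", reject_reason(candidate))
```

The detector prefers the layout on which the longest run occurs, which is why "QSDFGH12" is reported as an AZERTY walk even though "sdfgh" is also a QWERTY run. Extending it to a new keyboard is one more entry in KEYBOARD_ROWS, which is cheaper than collecting a national list of bad passwords.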

Augmented Identity

The technologies were already there. Social networks have become prevalent. People are not aware of the risks (or at least they are less paranoid than me 🙂 ). Somebody had to do it.

The Astonishing Tribe (TAT) shook all these elements together and presented recognizr. Using a mobile phone to capture a picture of a person, recognizr extracts 3D parameters of the face and sends them to a server. The server runs face recognition software and searches social networks to identify the person and return data about them.

TAT was privacy aware, so the system works on a strict opt-in basis. In other words, you must register with the system to be recognized.

TAT is privacy aware, but what prevents another company, agency or group from designing similar software and scouting the social networks without people's consent? Law enforcement? Well, it uses only public data: the data that you and we posted on the Internet.

This application was inevitable; everything was available. Nevertheless, it scares me. Once more, be very cautious about what personal data you post on the Internet.

Amazon’s PayPhrase

In November 2009, Amazon launched a new payment mode called PayPhrase. The idea is simple. You associate with your profile a passphrase, i.e. a sentence with at least two words (more than four characters), and a 4-digit PIN. The PayPhrase is linked to a shipping address and a payment method. If you want another shipping address, you use a second PayPhrase.

Amazon offers this service to other sites. The other sites validate the information through Amazon but never get access to your personal data nor to your credit card data. The basic assumption is that you trust Amazon to do a clean job of securing your personal data (which seems a reasonable assumption).

Of course, Amazon expects to become a competitor to established payment methods such as PayPal.

Is it serious? Well, I have spotted one funny issue. How do I define a PayPhrase?

Create an original PayPhrase yourself, or choose one of our suggestions. Once you have claimed a particular PayPhrase, it can’t be claimed by anyone else.

The uniqueness of the PayPhrase shows that the idea is that the PayPhrase replaces your identity and the PIN is the authentication. This means two things:

  • Latecomers may have trouble setting up an easy-to-remember PayPhrase because the most trivial ones will already be taken.
  • People will use the most trivial ones.

And this last one is the fun part of the game. Try to find a trivial PayPhrase and check whether it is active. Then you could mount a DoS against this person by trying many PINs until the PayPhrase is blacklisted.

I tried my favorite trivial passphrase “Trust no one”. Guess what? It belongs to somebody in Portland paying with Visa! I did not try the PIN.

Lesson: Some design decisions may have “funny” side effects.
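The side effect is easiest to see in a small model of the design. The following is an added example, not Amazon's code: a toy PayPhrase-style service in which a publicly unique phrase selects the account and a 4-digit PIN authenticates it. Under the "blacklist after a few wrong PINs" policy the page describes, failures from anyone who knows the phrase accumulate against the owner's account. The second policy, per-source exponential back-off, is an assumed mitigation for comparison and is not something the page attributes to Amazon; the phrase, PIN and timestamps in the usage section are constructed.

```python
# Added example, not Amazon's code: a toy model of a PayPhrase-style service
# (a publicly unique phrase selects the account, a 4-digit PIN authenticates).
# It shows the side effect described above: if a phrase is blacklisted after
# a few wrong PINs, anyone who knows the phrase can lock out its owner.
# The "throttle" policy is an assumed mitigation, not Amazon's design.
import hmac


class PayPhraseService:
    def __init__(self, policy="blacklist", max_failures=3, base_delay=60):
        assert policy in ("blacklist", "throttle")
        self.policy = policy
        self.max_failures = max_failures
        self.base_delay = base_delay   # seconds; used by the throttle policy
        self.accounts = {}             # phrase -> {"pin", "failures", "locked"}
        self.throttle = {}             # (source, phrase) -> (failures, retry_after)

    def claim(self, phrase, pin):
        """Register a phrase. Uniqueness is the rule quoted from Amazon above,
        and it is what lets anyone learn that a phrase is already taken."""
        key = phrase.strip().lower()
        if key in self.accounts:
            raise ValueError("PayPhrase already claimed")
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be four digits")
        self.accounts[key] = {"pin": pin, "failures": 0, "locked": False}

    def login(self, phrase, pin, source, now):
        """Return 'ok', 'denied', 'locked' or 'throttled'. `source` is the
        caller's network origin; `now` is a timestamp in seconds."""
        key = phrase.strip().lower()
        acct = self.accounts.get(key)
        if acct is None:
            return "denied"   # do not confirm at login whether a phrase exists
        if self.policy == "blacklist":
            return self._login_blacklist(acct, pin)
        return self._login_throttle(acct, key, pin, source, now)

    def _login_blacklist(self, acct, pin):
        # Page's design: wrong PINs count per account, whoever sends them.
        if acct["locked"]:
            return "locked"
        if hmac.compare_digest(acct["pin"], pin):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= self.max_failures:
            acct["locked"] = True   # the legitimate owner is now locked out too
        return "denied"

    def _login_throttle(self, acct, key, pin, source, now):
        # Assumed mitigation: back-off is keyed on (source, phrase), so a
        # stranger's failures do not block the owner arriving from elsewhere.
        tkey = (source, key)
        failures, retry_after = self.throttle.get(tkey, (0, 0))
        if now < retry_after:
            return "throttled"
        if hmac.compare_digest(acct["pin"], pin):
            self.throttle.pop(tkey, None)
            return "ok"
        failures += 1
        delay = self.base_delay * 2 ** (failures - 1)   # 60 s, 120 s, 240 s, ...
        self.throttle[tkey] = (failures, now + delay)
        return "denied"


if __name__ == "__main__":
    # Constructed walk-through: three wrong PINs from a stranger, then the owner.
    for policy in ("blacklist", "throttle"):
        svc = PayPhraseService(policy)
        svc.claim("Trust no one", "4321")
        for t in (0, 61, 181):
            svc.login("trust no one", "0000", "stranger", t)
        print(policy, "-> owner gets:", svc.login("trust no one", "4321", "owner", 200))
```

Per-source throttling removes the lockout side effect but is only one layer: a 4-digit PIN has 10,000 values, so distributed guessing is still cheap, and a real design would pair the phrase with a longer secret or a second factor. Note also that the uniqueness check at registration still reveals that a phrase is taken, which is exactly what the "Trust no one" experiment above relied on.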

Bourse aux Technologies 2009

IE Club (a network of entrepreneurs), Seventure Partners (a VC) and Institut Telecom (a group of schools) organize a technology fair each year. This year's theme was security.

I was invited to give the opening presentation for the panel. My presentation was “Sécurité et Success Stories : quelques leçons” (sorry, it is in French).

Of course, the key event is the demonstration of a set of technologies. The goal is for entrepreneurs to find a technology to promote or use in their products.

Many demonstrators were promising. My selection:

  • Analysis of vulnerabilities in software; all the demonstrated technologies were limited to static analysis
  • Analysis of information flow for embedded devices
  • Secure storage of files using P2P, based on access control
  • Hardware-based true random number generator
  • Smart card emulation for simulating fault injection

The last two were extremely technical but probably have a very narrow market (secure IC manufacturers, who were not present).

Both the panel and the demonstrations showed that France is still one of the homes of serious security.

Security of cloud computing

There is little doubt that cloud computing is the next frontier. Unfortunately, like the Far West, cloud computing will in its early days be a territory where security may be weak (euphemism 😉).

Already, a lot of effort is going into analyzing the threats and finding solutions. In this trend, there is an interesting approach proposed by Thomas RISTENPART, Eran TROMER, Hovav SHACHAM and Stefan SAVAGE in their paper “Hey, You, Get Off of My Cloud”. They observed that the same physical server may run Virtual Machines (VMs) for different customers. The goal of their attack was to place a malicious VM on the same server as the target. Then, by measuring several parameters such as cache usage or estimated traffic rates, they could infer some information: in other words, a side channel attack.

Obviously the most questionable point is the first step. It relies on two assumptions:

  • Being able to co-reside on a server with the target. A complete section (Section 7) proposes different strategies to succeed on Amazon's EC2.
  • Being able to implement a malicious VM, for instance through an existing vulnerability. This one seems even more questionable.

I am not sure that the disclosed attack is more than a nice theoretical exercise. Nevertheless, it has the advantage of raising many interesting questions. I'm sure that side channel attacks on cloud computing will become a very thrilling domain of exploration.

The paper was presented at CCS'09. Thomson was a sponsor of one of the hosted workshops (ACM DRM Workshop 09).

A password strength checker

I recently stumbled across a useful site for raising security awareness. The Password Strength Checker evaluates the submitted password. Its use is intuitive.

Sure, when a password is declared strong, then it is strong. I played with it a little. I discovered that my Firefox master key scored 74%, my account password 70%, and my password for this blog only 30%!

When examining the poor result of this last password (a rather long one), I found that I was not in total agreement with the rationale for the penalties. Consecutive upper-case letters, lower-case letters or digits are “penalized”. Intuitively, I would think that systematically recommending to avoid consecutive upper-case letters, lower-case letters or digits gives an advantage to brute force: if I select an upper-case letter, then when brute forcing the next character I can skip upper case. It reduces (slightly) the space of passwords.

Nevertheless, it is a nice, useful tool.
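The remark about the penalty can be checked by counting. The following is an added example and not the checker's own scoring (which the page does not show): it counts the passwords of length n in which no two adjacent characters come from the same class, compares that with every password over the same alphabet, and expresses the gap in bits, which is what a brute-force search saves if every user is steered into alternating classes. The class sizes are the usual ASCII ones; the tiny alphabet used for the cross-check is constructed.

```python
# Added example (not the Password Strength Checker's scoring): quantify how
# much the password space shrinks if adjacent characters are never allowed
# to share a class (upper, lower, digit, symbol).
import itertools
import math

THREE_CLASSES = {"upper": 26, "lower": 26, "digit": 10}
# 95 printable ASCII characters minus 62 letters and digits minus the space.
FOUR_CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def unconstrained(n, sizes):
    """All length-n strings over the union of the classes."""
    return sum(sizes.values()) ** n


def no_adjacent_same_class(n, sizes):
    """Count length-n strings whose adjacent characters never share a class.
    Dynamic programme keyed on the class of the last character: a string
    ending in class c is any shorter string ending in another class, extended
    by one of the sizes[c] characters of c."""
    if n == 0:
        return 1
    ways = dict(sizes)   # one character: sizes[c] strings end in class c
    for _ in range(n - 1):
        total = sum(ways.values())
        ways = {c: (total - ways[c]) * size for c, size in sizes.items()}
    return sum(ways.values())


def bits_lost(n, sizes):
    """Entropy reduction, in bits, of the constrained space versus the full one."""
    return math.log2(unconstrained(n, sizes)) - math.log2(no_adjacent_same_class(n, sizes))


def brute_force_count(n, sizes):
    """Independent cross-check of the dynamic programme by enumeration;
    only practical for a tiny constructed alphabet."""
    alphabet = [(c, i) for c, size in sizes.items() for i in range(size)]
    return sum(
        1 for s in itertools.product(alphabet, repeat=n)
        if all(a[0] != b[0] for a, b in zip(s, s[1:]))
    )


if __name__ == "__main__":
    for name, sizes in (("3 classes", THREE_CLASSES), ("4 classes", FOUR_CLASSES)):
        for n in (6, 8, 12):
            print("%s, length %2d: %.2f bits lost" % (name, n, bits_lost(n, sizes)))
```

Run it and the reader can judge the word "slightly" for themselves: for eight characters drawn from letters and digits the alternating-class rule removes roughly 4.6 bits, i.e. about one character's worth of search; adding a symbol class narrows the gap because there are more classes to switch to. The rule is still defensible as a way to discourage "Password1" patterns, but a checker that penalizes every repeated class should know what it costs.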