Preventing weak passwords by reading your mind

This is what the site Telepathwords proposes. The site estimates the strength of a password. The interesting part of this Microsoft Research site is the heuristics it uses.

After each typed character, it attempts to guess the next character. If it guesses right, the character is considered weak (indicated by a red cross). How does it guess the characters?

Telepathwords tries to predict the next character of your passwords by using knowledge of:

  • common passwords, such as those made public as a result of security breaches
  • common phrases, such as those that appear frequently on web pages or in common search queries
  • common password-selection behaviors, such as the use of sequences of adjacent keys

It considers the password strong if it has at least six non-guessable characters.
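To make the heuristics concrete, here is a toy next-character predictor built on the three knowledge sources the site lists and the six-unguessable-characters rule. It is an added example, not Telepathwords' code; its dictionaries and keyboard rows are constructed and tiny, whereas the real ones are huge.

```javascript
// Constructed dictionaries (assumptions, not Microsoft's data).
const COMMON_PASSWORDS = ['password', 'azerty', 'qwerty', '123456', 'cogitoergosum', 'venividivici'];
const COMMON_PHRASES = ['je pense donc je suis', 'cogito ergo sum'].map((s) => s.replace(/ /g, ''));
const KEYBOARD_ROWS = ['azertyuiop', 'qsdfghjklm', 'wxcvbn', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890'];

// Characters the predictor would bet on after the typed prefix.
function predictNext(prefix) {
  const p = prefix.toLowerCase();
  const guesses = new Set();
  // 1. common passwords: any dictionary entry that extends what was typed so far
  for (const pw of COMMON_PASSWORDS) {
    if (pw.startsWith(p) && pw.length > p.length) guesses.add(pw[p.length]);
  }
  // 2. common phrases: the longest recent suffix (3..8 chars) found inside a phrase
  for (const ph of COMMON_PHRASES) {
    for (let k = Math.min(p.length, 8); k >= 3; k--) {
      const idx = ph.indexOf(p.slice(-k));
      if (idx !== -1 && idx + k < ph.length) { guesses.add(ph[idx + k]); break; }
    }
  }
  // 3. keyboard adjacency: the neighbouring key on the same row, either direction
  if (p.length > 0) {
    const last = p[p.length - 1];
    for (const row of KEYBOARD_ROWS) {
      const i = row.indexOf(last);
      if (i === -1) continue;
      if (i + 1 < row.length) guesses.add(row[i + 1]);
      if (i > 0) guesses.add(row[i - 1]);
    }
  }
  return guesses;
}

// Mark each character as guessed (true, the "red cross") or not;
// the password is strong only with at least six unguessable characters.
function score(password) {
  const guessed = [...password].map((ch, i) => predictNext(password.slice(0, i)).has(ch.toLowerCase()));
  const unguessable = guessed.filter((g) => !g).length;
  return { guessed, unguessable, strong: unguessable >= 6 };
}
```

With these dictionaries "azerty" and "cogitoergosum" are fully guessed, "jepensedoncjesuis" is guessed from its fourth character on, and "aleajactaest" is strong, mirroring the behaviour observed above.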

Of course, the strength of the system relies on the richness of its dictionaries of common passwords and common phrases. Obviously, the game was to play with it. My first thought was that it would be purely English-centric. Thus, I tried French, and the first one was azerty. Azerty, of course, was weak. “abrutifrançais” (French idiot) was a strong password even without the special character ç. “Je pense donc je suis” was rated medium (it guessed the end). Let’s go further and switch to Latin. “CogitoErgoSum” was weak, as was “venividivici”. But “aleajactaest” was extremely robust!!

For fun, I checked consistency with Microsoft Password Checker. The answers are not consistent. For instance, “CogitoErgoSum” turns out to be strong whereas “aleajactaest” is medium.

As always, it is rather easy to trick this type of site. Nevertheless, the site clearly explains that it will not detect all weak passwords, especially in languages other than English.

Laundering money in the digital world

With the advent of the digital world, money laundering has developed new techniques. Two new trends: online gaming and micro laundering.

Online gaming is not online gambling (which we may have thought of when speaking of illegal activities); it is the use of role-playing games (RPG) such as World of Warcraft (WoW) to move money. Indeed, many RPGs provide the possibility to purchase or sell either virtual coins collected during game play or rare virtual artifacts. The trade can use real money. Blizzard recently announced that it will close Diablo III’s marketplace. A way to avoid this type of issue?

Micro laundering uses services such as PayPal or virtual credit cards and people who will temporarily transfer money through their accounts. Interestingly, I learned that some Nigerian scams were indeed semi-real. They look for people to transfer illegal money. The person accepting the transfer operation may be rewarded, but this person will be liable for money laundering!!

This activity is described in Jean-Loup Richet’s report “Laundering Money Online: a review of cybercriminals’ methods”. The report gives a high-level view of the new trends. Unfortunately, it lacks serious figures, references and technical details. I do not know if there is a non-public version with more information.

If you are looking for a quick draft overview, it is a good start. It is also a good view of how inventive they can be.


J.-L. Richet, “Laundering Money Online: a review of cybercriminals’ methods,” 2013, available at http://arxiv.org/abs/1310.2368.

Has NSA broken the crypto?

With the continuous flow of revelations by Snowden, not a day goes by without somebody asking me if crypto is dead. Indeed, if you read some simplifying headlines, it looks like the Internet is completely insecure.


Last Friday, Bruce Schneier published an excellent paper in The Guardian: “NSA surveillance: a guide to staying secure.” For two weeks, he analyzed documents provided by Snowden. From this analysis, he draws some conclusions and provides some recommendations. Given Bruce’s security profile, we may trust the outcome. I recommend that readers read the article.

My personal highlights from this article:

  • The documents did not present any outstanding mathematical breakthrough. Thus, algorithms such as AES are still secure.
  • To “crack” encrypted communications, the NSA uses the same tools as hackers, but at a far higher level of sophistication. They have a lot of money. The tricks used:
    • Look for weak algorithms in use
    • Look for weak passwords with dictionary attacks
    • Powerful brute-force attacks
  • The two most important means are:
    • Implementing back doors and weakening commercial implementations (poor random generator, poor factors in Elliptic Curve Cryptosystems (ECC), leaking keys…).   The same is true for hardware.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about.

    • Compromising the computer that will encrypt or decrypt.  If you have access to the data before it is secured, then you do not care about the strength of the encryption.

These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

His recommendations are common sense. The most interesting one is to avoid using ECC, as the NSA seems to influence the choice of weak curves and of the constants in the curve.


His final statement:

Trust the math.

is OK, but I would add “Do not trust the implementation.” Always remember law 4: Trust No One.

Do users care about security warnings?

This is an important question. The common belief in the community is that people are oblivious to security issues. They will not care. Akhawe (Berkeley) and Felt (Google) launched an empirical study by observing more than 25 million real interactions with security warnings in the Chrome and Firefox browsers. This recent study was conducted during May and June 2013. They collected information using the in-browser telemetry system. As a reminder, the telemetry system is switched on voluntarily by users. The researchers studied phishing warnings, malware warnings and SSL warnings. They measured the click-through ratio, i.e. how often users click through the warning to view the corresponding page.

First, some raw data extracted from their paper (click-through ratio per warning type and browser):

              Firefox    Chrome
  Malware      7.2%      23.2%
  Phishing     9.1%      28.1%
  SSL         32.2%      73.3%

The good news is that the majority of users take the security warnings into account in the case of malware or phishing. As the detection mechanism uses Google’s Safe Browsing list, the ideal ratio should be near 0%, since the rate of false positives in the list is extremely low. For SSL warnings, the ratio is significantly higher. Of course, many legitimate sites generate such warnings (misconfiguration of the server, self-signed certificates…). Thus, the ideal ratio may not be zero. Nevertheless, the ratio seems high.

Interestingly, Chrome also has a higher click-through ratio than Firefox. In other words, Chrome users pay less attention to the warnings. In the case of SSL, the huge difference (+40%) can be explained by the fact that, for several reasons, Chrome users receive more warnings. For instance, by default, Firefox remembers an accepted SSL warning whereas Chrome will repeatedly present the same warning.

Some interesting findings:

  • Consistently, Linux users had a higher click-through ratio than users of other operating systems. Two reasons may explain it:
    • They feel more confident in their skill set because they are tech savvy, and have less risk aversion than average users.
    • They feel that being under Linux protects them from security issues. Unfortunately, that is not true for phishing or SSL.
  • The number of clicks needed to go through the warning did not impact the ratio. To accept malware or phishing, you need one click with Mozilla and two clicks with Chrome.
  • Users who dismissed the warnings spent less time on the page (1.5s) than users who took the warnings into account (3.5s).

In any case, a good reading…

D. Akhawe and A. P. Felt, “Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness,” 2013, available at http://research.google.com/pubs/archive/41323.pdf.

Top threats for cloud computing

The Cloud Security Alliance released a document listing the nine top threats of cloud computing: “The Notorious Nine”. The top nine threats are:

  1. Data breaches: an attacker may access your data.
  2. Data loss: the loss may result from an attack, a technical problem or a catastrophe. The document wisely highlights the issue raised by encryption (used to protect against threat 1).
  3. Account hijacking.
  4. Insecure APIs: this one is extremely important, especially for system designers. It is not necessarily unique to the cloud, but it is clearly exacerbated by a cloud infrastructure.
  5. Denial of service.
  6. Malicious insiders.
  7. Abuse of cloud services: using the cloud for nefarious actions such as password cracking. Well, every coin has two sides.
  8. Insufficient due diligence: jumping on the cloud wagon without enough preparation may be an issue. This is not specific to the cloud; it is true for any new paradigm. BYOD (Bring Your Own Device) is a perfect illustration of such a problem.
  9. Shared technology vulnerabilities: as you share components and pieces of software without necessarily enough isolation, a single vulnerability may impact many players.

Each threat is described and illustrated by a real-world example of an attack. A risk matrix allows comparing them.

This list was established by conducting a survey of industry experts. Unfortunately, the document does not give details about the number of surveyed experts, their locations, or their qualifications.

A good document to read.

European industry worried by APT

According to a recent report from Quocirca, “The trouble heading for your business”, European businesses claim they are concerned by APT. Many interviewed companies assert that they have been under targeted attacks. Even more worrying, most of them believe that undetected malware is running on their networks.

Advanced Persistent Attacks (APT), or targeted attacks, are high-profile attacks that aim at one precise target with a precise objective. The attackers are highly efficient. Most of the time, they are either funded by criminal organizations or are state-operated teams. This is the most dangerous type of attack. Usual tools such as firewalls and antivirus software are not sufficient. The Bit9 and RSA attacks are good examples of targeted attacks.

The report gives interesting insights into the perceived impact of APTs on business. For instance, we discover that loss of regulated financial data is the top impact. Loss of IP is in fourth position. Reputational damage and negative media coverage have the least impact.

(Copyright Quocirca 2013 for the figure)

The ranking of concern about the impacts following an APT:

  1. Loss of regulated data
  2. Loss of IP
  3. Reputational damage
  4. Fines
  5. Remediation costs


Thus, this report is a good reference when you have to explain why you need this new deep packet inspection tool, or the latest behavioral analysis software.

It is good to see that companies are aware of this new APT risk.  Is your company aware?

Mega is running: does it hold its promises?

Kim Dotcom, the owner of the former MegaUpload, is back. And he is making the headlines of the Internet and other media. His new baby is the sharing site Mega. Since Monday, it has been online. Where is the difference with MegaUpload? You have noted “the privacy company”.

The uploaded data are encrypted before being sent to the server. Encryption uses 128-bit AES, and the encryption key is protected by a personal 2048-bit RSA key. All crypto calculations are done in your browser. Therefore, Mega does not know what is uploaded. This is a safe harbor for Mega, at least in theory.

Furthermore, the Terms of Service are very clear.

Protection against copyright holders.

17. You can’t:

17.3 infringe anyone else’s intellectual property (including but not limited to copyright) or other rights in any material.

Good faith and will with copyright holders

19. We respect the copyright of others and require that users of our services comply with the laws of copyright. You are strictly prohibited from using our services to infringe copyright. You may not upload, download, store, share, display, stream, distribute, e-mail, link to, transmit or otherwise make available any files, data, or content that infringes any copyright or other proprietary rights of any person or entity.

We will respond to notices of alleged copyright infringement that comply with applicable law and are properly provided to us…

It will be interesting to see how Mega will handle cease-and-desist letters from content owners. Mega is not supposed to know whether the claim is legitimate or not. Blind obedience or nitpicking? The future will tell.

Furthermore, Mega protects itself from its users.

5. If you allow others to access your data (e.g. by, amongst other things, giving them a link to, and a key to decrypt, that data), in addition to them accepting these terms, you are responsible for their actions and omissions while they are using the website and services and you agree to fully indemnify us for any claim, loss, damage, fine, costs (including our legal fees) and other liability if they breach any of these terms.


Of course, with its claims of security, Mega got a lot of attention from the security community. It already seems possible to get somebody’s master key if you intercept her confirmation email. Steve Thomas has published a first hack (MegaCracker). Other weaknesses seem to be around.


The blogosphere is now claiming that Mega did a bad job. Is it really true? I am not sure. Of course, if you believe that Mega’s purpose is to securely store your data, then it may be true. I would not recommend using it if confidentiality is at stake. If you believe that encryption is just a way to claim safe harbor for Mega and build a new MegaUpload (without taking the infringement risk), then it is another story. Then Mega does not care about being hacked (by the way, the TOS do not guarantee the confidentiality of your data).


In any case, weak security or not, Mega has already done an extremely good job of public relations. The news of Mega’s launch is all around the world.