Social Engineering, Password Reset and DNS Hijack

The DNS provider Web.com was subjected to a social engineering attack that allowed a pro-Palestine hacking gang to reset the passwords of a few important customers and use the new passwords to change the DNS resolution of their domain names to other sites. See for example here for a description of the attack.

Again and again, as of today the technical side does not look to be the weak side of ICT security. In particular, cryptography is sound and reliable, and many technical ICT security products deliver what they promise.

On the other side, username + password show once more how inappropriate they are to support our current security needs. But what can we use instead?

The general problem lies mostly in whether we are able to make a system “secure” by combining logical, physical and procedural measures into a 360-degree protection. Indeed, the security level of a system is that of its weakest point, which for most systems means that they are really insecure.

Physical Security and ATM withdrawals

Lax physical security means access to the hardware and the possibility to install and run whatever you want on it. This is just what happened to some ATMs in Mexico; see for example here.

It is just a reminder that logical security alone does not work. You always have to start from the hardware on which your software runs and take a comprehensive, i.e. “holistic”, approach to security.

Device fingerprinting and user tracking

A recent study by KU Leuven-iMinds researchers points out that device and web-browser fingerprinting is on the rise, in spite of all efforts to limit it, such as the introduction of the “Do Not Track” HTTP header.

This does not surprise me, since advertisement and marketing are usually at odds with privacy, and most people do not really understand the meaning and breadth of the information that can be collected by tracking users on the internet.

On the other side, device fingerprinting is a very useful tool for the ICT security of web transactions: knowing which device is making the transaction and which user it is (usually) associated with, combined with the geolocation of IP addresses and other information, can make the difference between a valid transaction and an attempted fraud.
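As an added illustration (not code from the original post or from the study it cites), here is how a web application can turn the two signals named above, a device fingerprint and an IP geolocation, into a transaction decision. The attribute set, the IP-to-country table and the decision thresholds are constructed assumptions for the demo.

```python
import hashlib
import ipaddress

# Constructed IP ranges and countries for the demo; a real deployment would
# use a geolocation database (assumption: these prefixes are invented).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IT"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "BR"),
]

def geolocate(ip: str) -> str:
    """Map an IP address to a country code, 'XX' when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "XX"

def device_fingerprint(attrs: dict) -> str:
    """Hash of the attributes a web server can observe about the client.
    Real fingerprinters use many more signals; this set is a stand-in."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def assess_transaction(profile: dict, attrs: dict, ip: str) -> tuple:
    """Combine device and geolocation signals into a decision.
    Returns (decision, reasons): 'allow', 'step-up' (ask for a second
    factor) or 'block'. The thresholds are illustrative assumptions."""
    reasons = []
    if device_fingerprint(attrs) not in profile["known_devices"]:
        reasons.append("device not previously seen for this user")
    country = geolocate(ip)
    if country not in profile["usual_countries"]:
        reasons.append(f"IP geolocated to {country}")
    decision = {0: "allow", 1: "step-up", 2: "block"}[len(reasons)]
    return decision, reasons

# Constructed user profile: the device the user enrolled from and the
# country they normally transact from.
HOME_DEVICE = {"ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0",
               "screen": "1920x1080", "tz": "Europe/Rome",
               "fonts": "DejaVu Sans,Liberation Serif"}
USER_PROFILE = {"known_devices": {device_fingerprint(HOME_DEVICE)},
                "usual_countries": {"IT"}}
```

A fingerprint alone is not an identity: a new laptop from the usual country only triggers a step-up, while an unknown device from an unusual country is what the post calls an attempted fraud.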

In the end, the most important issue is by whom and how a tool is used, and this holds true in particular for security tools: a gun in the hand of a policeman should be used to a good end, but the same gun in the hand of a thief should be illegal.

It never happens to me :-(

ICT “glitches” are the smaller brothers of “bugs”, which in turn can become major security disasters. Well, sometimes they can make us (the ones benefiting innocently from the glitch) happy, or at least they can make us laugh. This case is quite notable: “Bank error makes restaurant manager the world’s first ever trillionaire (and he even offered to pay off the national debt before the glitch was spotted)”.

I am also addicted to the blog “IT Hiccups of the Week”, which sometimes reports on some very good discounts (due to one kind of glitch or another) that we just missed at our local supermarket.

On Trust and Security

For a few months now we have been reading and discussing Snowden’s documents. Most of the information present in these NSA documents is not new, since we have been discussing the possibility of similar facts at length on many occasions. For example, years ago the modifications introduced in the cryptographic algorithm DES by the NSA initially led to suspicions: were they backdoors or algorithm improvements? (In this case it later turned out they were improvements.)

The real difference is that now we know that our worst suspicions in many recent cases were correct.

So what can or should we do? This is a very interesting and hard question, since the main issue in my opinion is that we are mostly dealing with the possible introduction of backdoors in hardware and software, for example to weaken cryptographic algorithms. As normal, even if technically savvy, users we do not personally have the competence or the resources to verify that all the hardware and software we use, from mobile phones to supercomputers, is clean of backdoors. So we have to trust third parties, in particular hardware and software makers, that hardware, operating systems, applications, libraries (in particular cryptographic libraries) etc. do not have hidden functionalities or backdoors.

This is not new: we trust car, train and airplane makers with our lives, so should we also trust hardware and software makers with our information, or not?

Is our trust in today’s ICT companies well-founded?

I’m back

After a few months’ absence due to personal reasons, I am back to my blog. In the next days I will catch up with what has happened recently, sharing my comments and ideas.

More Trouble for SSL/TLS

Besides CRIME, BEAST and Lucky13, two new attacks on SSL/TLS have just been announced. One attack exploits weaknesses in the RC4 cipher, which is used by most websites starting with Gmail; many cryptographers had suspected this possibility for a long time, and now they have found out how to do it. The second attack, called TIME, is a new timing attack, in part a refinement of CRIME.

As of today, neither attack is practical, but they could become real threats in the future. Notice that the adoption of RC4 by many websites has been mostly a way to withstand BEAST attacks. Now that Lucky13 and this new attack aim at RC4, it is not clear what to do in practice.

Of course, we should seriously consider what to do with SSL/TLS and even more with the CA model, but it will take a long time, and I do not see among the big internet players enough motivation or incentive to change the current situation.

You can find a summary description of these new attacks, for example, in this article by Ars Technica.

More Evidence for the Higgs Boson

At the 2013 Moriond Conference, CERN released more data indicating that the particle discovered last year is really a Higgs boson, and that it looks more and more like the Standard Model particle we studied in textbooks; see here for the CERN announcement.

The ATLAS experiment has also published here some very nice animated plots, which show how the measured events slowly build up the statistics that give the above-mentioned results.

On Web Browser Security

This week two news items about web browser security got my attention.

First of all, CanSecWest’s Pwn2Own contest ended with a complete debacle for all web browsers (see here for a summary). Only Chrome OS survived untouched. I interpret this more as an indication of the poor security state of web browsers than of the (undeniable) ability of the participants. From the implementation point of view, the security of our web browsers is not great at all, notwithstanding all that has happened in the last years.

From the strategic point of view, the participants in this ACM panel discussion state very clearly that the security of web browsers is broken by design, which just confirms the very sorry state of affairs we are in. Even more, they claim that there is little if any incentive to improve the situation.

And it is no joke that our daily lives depend more and more on web browsers, from banking to health, work, education etc.

Project Management and Boeing’s 787 Battery Blues

I found interesting this article by Prof. Tang and Zimmerman, and this interview with Prof. Tang, about complex project management such as that needed to build the 787 Dreamliner, and the problems and risks associated with it.

Needless to say, I wonder what would come out of looking at the IT part of this project. We know that IT projects are almost by definition exceedingly over budget, outrageously behind schedule and full of bugs. Add to this that for the 787 Dreamliner detailed requirements, specifications and integration have been left to tier 1 suppliers, and that for the first time ever the entertainment system is on the same network as the flight-control system, and I am not sure what the final outcome has been. On the other side, if the IT part of the project has come out right, I believe we have a lot to learn from it.