It is always interesting, almost amusing, to follow what thieves can come up with to steal money from ATMs, POS terminals and the like. Here is one of the latest stunts, described by Krebs. How is it possible that the physical security of these devices is so weak? We should be good at least at physical security, since it has been around for thousands of years. It is more understandable that we have difficulty dealing with ICT security, which is a relatively new discipline, and quite a complex one at that.
Human Factor is Always the Weakest Point
The take-over of the RSA Conference website (see Krebs here for a nice summary) reminds us (as if it were needed) that the weakest link is not technology (and even less cryptography as such), but us, humans. Two points should be stressed:
- if systems are too complex (as in this case, the web of relations between the providers of online content) we are not up to the task of managing their complexity, and we fail to adopt the needed security measures
- technology and technical security are most easily circumvented by exploiting the human factor: why deploy expensive and technologically complex malware when you can send a well-formed email asking employees to provide their usernames and passwords, even for mission-critical systems? Much easier, faster, less expensive, and you are sure to get an obliging answer!
Some Considerations On Heartbleed
The OpenSSL Heartbleed vulnerability is by now well known to anybody in the ICT security field. At first sight it looked catastrophic; Schneier wrote that on a scale of 1 to 10 it was worth 11. At the moment it is not clear what damage it has directly produced, in particular before the public announcement. But what is possibly more worrisome is the future, on which there is a big ongoing discussion; I try to summarize a few of its points:
- this is an extremely serious bug in a security library used by almost everybody; OpenSSL is indeed embedded in many software products, so how long and how hard will it be to update all that software? Major software producers have had, and will have, a hard time updating all their programs to run with a patched version of the library.
- but even more difficult is the process of getting all users of vulnerable applications to update them, in particular all embedded systems (think, as a simple example, of routers and firewalls with VPN capabilities), which often do not have simple ways of updating their software
- and what about the Internet way of producing so-called “Open Source” software (and sometimes also hardware)? One of the great forces driving the development of the Internet is the “free” availability of its fundamental components, but who is providing these components? There are some large companies which directly support some of them, but other projects, like OpenSSL, are mostly run by volunteers in their free time; how can the Internet rely on this? (Not from a technical competence point of view, since most of these people are the brightest and most competent there are, but from the availability and support point of view.) How can we at the same time still have “open” or “free” software and guarantee availability, correctness, support etc., all characteristics which require infrastructure, commitment and, first of all, money?
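The first practical problem in the list above is finding out where OpenSSL is embedded at all, since a statically linked copy inside a product leaves no package to update. The script below is an added example (not code from this blog or from the OpenSSL project): it looks for the version banner OpenSSL compiles into its libraries and into programs that link it, and flags versions inside a caller-supplied affected range. The default range, 1.0.1 up to but not including 1.0.1g, is the one I know from the OpenSSL advisory and should be confirmed against it; the sample "binaries" are constructed byte strings, and file names and paths are hypothetical.

```python
import os
import re

# Banner OpenSSL compiles into its libraries and into programs that link it
# statically, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'1.0.1f' -> (1, 0, 1, 'f'); the letter suffix sorts after the bare release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def in_affected_range(version, first_bad, first_fixed):
    """True when first_bad <= version < first_fixed.

    Checking "older than the fix" alone would be wrong: older branches that
    never shipped the affected code must not be flagged, hence the lower bound.
    """
    v = parse_version(version)
    return parse_version(first_bad) <= v < parse_version(first_fixed)


def versions_in_blob(blob):
    """Every distinct OpenSSL version banner found in a byte string."""
    found = []
    for m in OPENSSL_BANNER.finditer(blob):
        v = (b"%s.%s.%s%s" % m.groups()).decode("ascii")
        if v not in found:
            found.append(v)
    return found


def audit_blob(blob, first_bad="1.0.1", first_fixed="1.0.1g"):
    """Versions embedded in blob that fall inside the affected range.

    Assumption: the default range is the one I know from the advisory; pass
    your own bounds. Pre-release banners such as "1.0.2-beta1" parse as the
    bare release and need a separate check.
    """
    return [v for v in versions_in_blob(blob)
            if in_affected_range(v, first_bad, first_fixed)]


def audit_tree(root, **range_kwargs):
    """Walk a directory tree and report files embedding an affected OpenSSL."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    bad = audit_blob(fh.read(), **range_kwargs)
            except OSError:
                continue
            if bad:
                hits[path] = bad
    return hits


if __name__ == "__main__":
    # Constructed sample "binaries": a banner surrounded by junk bytes.
    samples = {
        "vpn-appliance-fw.bin": b"\x7fELF\x00OpenSSL 1.0.1f 6 Jan 2014\x00\xff",
        "legacy-agent.exe": b"MZ\x90\x00OpenSSL 0.9.8y 5 Feb 2013\x00",
        "patched-lib.so": b"\x7fELF OpenSSL 1.0.1g 7 Apr 2014\x00",
    }
    for name, blob in samples.items():
        state = "AFFECTED" if audit_blob(blob) else "ok"
        print(f"{name}: {versions_in_blob(blob)} {state}")
```

Run `audit_tree("/")` (or a firmware image unpacked into a directory) to get a map of file path to affected versions; a dynamically linked OpenSSL shows up once, in the shared library, while statically linked copies show up inside each product binary, which is exactly the inventory the update effort needs.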
On Target and other Breaches
These days one of the top IT security news items concerns the Target breach, which allowed the criminals to steal the data of up to 40 million credit and debit cards (see Krebs On Security for details). What is very interesting is the complexity of the entire operation. This is not someone who stumbles almost by accident on a bug or a security weakness and exploits it. This, and other similar breaches (similar frauds have been known to be carried out for at least a couple of years), are real criminal operations, well designed, carefully planned and implemented.
It is enough to mention a few details of this breach to understand the complexity of the operation. The malware was designed and/or modified to fit exactly the environment in which it was installed. The way of accessing the IT systems was carefully studied, and most probably went through a most unlikely third party. The stealthiness of the operation was extremely good, including the way the extracted credit/debit card data was exported from the company network to the criminals’ systems.
These are targeted attacks which adopt the best of technology, including IT technology but not limited to the IT world. The biggest issue is that the target of the frauds is not IT itself, but everyday business, which must understand that these new kinds of fraud are very real and can target anyone.
Home Banking Mobile Apps: Insecure at Any Speed
Security researchers at IO Active have tested 40 iOS-based banking apps from 60 banks around the world, and the results are not reassuring. All apps could be installed on a jailbroken iOS device, 90 percent also used some non-SSL links, and roughly half of them lacked some security feature or left sensitive information unprotected and easily readable.
We have a long way to go before mobile platforms become safe for any use.
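Two of the findings above, non-SSL links and sensitive data left readable, are things a bank can check for itself before shipping an app. The script below is an added example (not IO Active's tooling or any bank's code): given the text of the files found in an app's sandbox or bundle, it reports cleartext `http://` endpoints and digit runs that pass the Luhn check, the mod-10 test payment card numbers satisfy, so that an accidentally cached card number stands out from other long numbers. The file contents are constructed samples; the paths, hostnames and the `audit_app_files` interface are hypothetical. The card number used is the standard Visa test number, not a real account.

```python
import re

# Cleartext endpoints; "https://" does not match because of the "s".
CLEARTEXT_URL = re.compile(r"\bhttp://[^\s\"'<>]+", re.IGNORECASE)
# 13 to 19 digits, optionally grouped with spaces or dashes.
CANDIDATE_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_urls(text):
    return sorted(set(CLEARTEXT_URL.findall(text)))


def find_probable_pans(text):
    """Digit runs of card-number length that also pass Luhn; filters out
    session ids, timestamps and similar long numbers."""
    pans = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in pans:
            pans.append(digits)
    return pans


def mask(pan):
    """Keep BIN and last four so the report itself does not leak the number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_app_files(files):
    """files maps a path inside the app sandbox to its decoded text content."""
    report = {}
    for path, text in files.items():
        urls = find_cleartext_urls(text)
        pans = find_probable_pans(text)
        if urls or pans:
            report[path] = {"cleartext_urls": urls,
                            "probable_pans": [mask(p) for p in pans]}
    return report


# Constructed sample of what a sandbox dump might contain (hypothetical paths).
SAMPLE_FILES = {
    "Library/Preferences/com.examplebank.app.plist":
        'apiBase = "http://api.examplebank.test/v1"; helpUrl = "https://help.examplebank.test"',
    "Documents/cache.json":
        '{"last_card": "4111 1111 1111 1111", "session": "1234567890123456"}',
    "Documents/log.txt": "login ok\n",
}

if __name__ == "__main__":
    for path, findings in audit_app_files(SAMPLE_FILES).items():
        print(path, findings)
```

On a real device the input would be the files pulled from the app's container (which is why the jailbreak finding matters: on a jailbroken phone anything written unencrypted is trivially readable); the masking in `mask` keeps the audit report from becoming a second copy of the data it was looking for.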
Hubble Amazing Pictures of Newborn Stars
The Hubble Tarantula Treasury Project has just released some amazing pictures (see here, and here for more technical details) of the Tarantula Nebula, with more than 800,000 baby and young stars. Worth a look.
New Year, Old Bug
Happy New Year, and we start the new year with a very old bug which really amazes me.
This (see here for some explanation) is a bug introduced on May 10th, 1991 in X11 (now also Xorg), the graphics environment of Unix and Unix-like OSes. The bug is a buffer overflow which, when exploited, could give administrator rights (if X11 is running with such rights).
We have seen too many of these bugs, and by now they are almost history, in the sense that it is so well known how to avoid them that they should not appear in any program. How is it then possible that in an open-source program, very well known, very well scrutinized, widely adopted, a bug like this could remain undetected for 22 years?
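Part of the answer is that "well known how to avoid" only helps if someone actually looks, and the classic patterns are mechanical enough to look for automatically. The checker below is an added example (not the X11/Xorg code, nor a reconstruction of this specific bug): it scans C source for the string operations that cannot bound what they write, namely `gets`, `strcpy`, `strcat` and `sprintf`, and for `scanf`-family format strings whose `%s` or `%[` conversion carries no field width, which is the pattern that lets a long input token overrun a fixed-size array. The C fragment it is run on is constructed for the demonstration.

```python
import re

# One scanf/printf conversion: %[*][width][length]conv
CONVERSION = re.compile(r"%(\*?)(\d*)(?:hh|h|ll|l|L|j|z|t)?([a-zA-Z\[%])")
SCANF_CALL = re.compile(r"\b(?:s|f|v|vs|vf)?scanf\s*\(")
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Calls with no way to pass the destination size at all.
UNBOUNDED_CALLS = {
    "gets": "gets() cannot limit what it writes; use fgets(buf, sizeof buf, f)",
    "strcpy": "strcpy() copies until the NUL regardless of destination size",
    "strcat": "strcat() appends without a destination bound",
    "sprintf": "sprintf() has no destination bound; use snprintf()",
}
UNBOUNDED_CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED_CALLS) + r")\s*\(")


def unbounded_scanf_specs(fmt):
    """The %s / %[ conversions in a scanf format that carry no field width.

    A suppressed conversion (%*s) stores nothing, so it is not flagged; a
    width (%255s) bounds the store, leaving one byte for the terminator.
    """
    bad = []
    for m in CONVERSION.finditer(fmt):
        suppress, width, conv = m.groups()
        if conv in ("s", "[") and not width and not suppress:
            bad.append(m.group(0))
    return bad


def lint_c_source(source):
    """Return (line number, reason) for every unbounded string write found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in UNBOUNDED_CALL_RE.finditer(line):
            findings.append((lineno, UNBOUNDED_CALLS[m.group(1)]))
        if SCANF_CALL.search(line):
            lit = STRING_LITERAL.search(line)   # first literal is the format
            if lit:
                for spec in unbounded_scanf_specs(lit.group(1)):
                    findings.append((lineno, f"scanf conversion {spec} has no field width"))
    return findings


# Constructed C fragment: each unsafe line is paired with its bounded form.
SAMPLE_C = r'''char name[256], buf[64], dst[32];
sscanf(line, "%s", name);                    /* flagged: no field width      */
sscanf(line, "%255s", name);                 /* ok: width leaves room for NUL */
strcpy(dst, src);                            /* flagged                      */
strncpy(dst, src, sizeof dst - 1);           /* ok (caller NUL-terminates)    */
gets(buf);                                   /* flagged                      */
fgets(buf, sizeof buf, stdin);               /* ok                           */
sscanf(line, "%d %*s %31[^\n]", &n, tail);   /* ok: suppressed and bounded    */
'''

if __name__ == "__main__":
    for lineno, reason in lint_c_source(SAMPLE_C):
        print(f"line {lineno}: {reason}")
```

This is a line-oriented regex pass, not a parser: it will miss a format string built at runtime or split across lines, and it says nothing about whether a `%255s` width actually matches the array's size. Compiler warnings and a real static analyser do better, but even this much, run over the tree in 1991 or any year since, would have pointed at the pattern.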
Side Channel Cryptanalysis
In line with the previous post, the paper published by Adi Shamir, Daniel Genkin and Eran Tromer (download here, and here for a comment) is of interest, albeit only at the research level, and we should not really worry about it right now: in it they describe how they have been able to extract an RSA private key managed by GnuPG 1.4.x (the current version is 2.x) by listening to the noises of the PC.
Yes, an acoustic attack on cryptographic private keys seems very unlikely, even if the idea has been discussed for a long time. It is very interesting that it has been shown to be possible in practice, and this means that other side-channel attacks, like listening on the power cord, should also be considered seriously, at least when your security requirements are really high.
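What makes this class of attack work is that the private-key exponentiation processes an attacker-chosen ciphertext, so whatever the hardware leaks (sound, power draw, timing) is correlated with that known input and the secret exponent. The standard countermeasure is ciphertext blinding: multiply the ciphertext by a fresh random factor before the private operation and strip it afterwards, so the leaky computation never sees a value the attacker chose. The code below is an added illustration of that technique with a constructed toy key (tiny primes, for readable arithmetic only); it is not the paper's code nor GnuPG's, and the key values are not from either.

```python
import secrets
from math import gcd

# Constructed toy key. Real keys are thousands of bits; these primes only
# keep the numbers small enough to follow by hand.
P, Q = 61, 53
N = P * Q                 # 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17
D = pow(E, -1, PHI)       # 2753, the private exponent


def encrypt(m):
    return pow(m, E, N)


def decrypt_plain(c):
    """Unblinded private operation: the exponentiation sees c itself,
    so any physical leakage is directly tied to an input the sender chose."""
    return pow(c, D, N)


def decrypt_blinded(c, r=None):
    """Blinded private operation.

    r is a fresh random factor coprime to N (an explicit r is accepted only
    so the steps can be checked). Returns (plaintext, blinded_ciphertext);
    the second value is what the exponentiation actually processed.
    """
    if r is None:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
    c_blind = (c * pow(r, E, N)) % N     # attacker no longer controls this value
    m_blind = pow(c_blind, D, N)         # == m * r (mod N), since (r^e)^d == r
    m = (m_blind * pow(r, -1, N)) % N    # remove the blinding factor
    return m, c_blind


if __name__ == "__main__":
    c = encrypt(65)
    print("plain  :", decrypt_plain(c))
    for _ in range(3):
        m, seen = decrypt_blinded(c)
        print("blinded:", m, "exponentiation saw", seen)
```

Each run of `decrypt_blinded` on the same ciphertext feeds a different value into the exponentiation, so leakage from many decryptions of one chosen ciphertext no longer averages into a signal about the key. Blinding does not remove leakage; it removes the attacker's control over the input that the leakage depends on, and it costs one extra exponentiation with the public exponent plus a modular inverse per operation.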
How Not to Use Security Tools
Security is not an easy business, as we all should know quite well. Probably the main issue is that you have to implement security with a comprehensive approach (the term often used is “holistic”). In other words, you have to consider all possible sides of the issue at hand: technical, procedural and human. And if you forget one side of your problem, then all the rest you did could add up to nothing. Not easy at all.
And this is what a Harvard kid should be thinking right now (see here for example): he used Tor and other anonymization tools to send an anonymous threat to his university in order to avoid taking a test, but he used his campus network and did not consider the fact that very few students use such tools, and that using them would draw attention to himself. So it was not so hard to find him after all.
More News About Authentication and Passwords
A couple of interesting news items on authentication and passwords:
- Telepathwords is a (Microsoft Research) website which tests passwords you type into it, checking their strength by estimating how likely the next character of the password is to appear in common words and password-checking tools; at first sight the idea seems nice, but I wonder about the usefulness of typing your passwords into a public website: obviously any password tested on the website cannot be used afterwards, so this should be taken only as an exercise to learn how to create good passwords (moreover, I tested it with pseudo-randomly generated passwords and the results were not completely clear to me)
- “Nymi Is A Heartwave-Sensing Wristband That Wants To Replace All Your Passwords & Keys”: it is a wristband that measures your unique (but I have no idea how “unique” it really is) heartwave and, via Bluetooth, authenticates you to any (capable) device; it is the first time I have heard of this kind of biometrics, and I suspect that it shares the good and bad points of all other biometric authentication approaches.
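The idea behind Telepathwords, scoring a password by how many of its characters could have been guessed from the ones before, can be reproduced offline, which also answers the worry above about typing passwords into a public site. The code below is an added example, not Telepathwords' own model or code: it builds a small character n-gram model over a constructed word list (a real checker would use large dictionaries and leaked-password lists) and counts the positions where the model's top guess equals the actual next character. It also shows why a pseudo-random password scores near zero: no context in the model predicts its characters.

```python
from collections import Counter, defaultdict

# Constructed mini-corpus standing in for the common-word and leaked-password
# lists a real checker would load.
COMMON_WORDS = ["password", "letmein", "welcome", "monkey", "dragon",
                "football", "qwerty", "123456", "admin", "login"]
ORDER = 2        # predict from the previous two characters
PAD = "^"        # start-of-word marker, so first letters are predictable too


def build_model(words, order=ORDER):
    """model[k][context] -> Counter of next characters, for k = 0..order."""
    model = {k: defaultdict(Counter) for k in range(order + 1)}
    for w in words:
        padded = PAD * order + w.lower()
        for i in range(order, len(padded)):
            for k in range(order + 1):
                ctx = padded[i - k:i] if k else ""
                model[k][ctx][padded[i]] += 1
    return model


MODEL = build_model(COMMON_WORDS)


def guess_next(prefix, model=MODEL, order=ORDER):
    """Most likely next character after prefix, backing off from the longest
    context to shorter ones and finally to plain character frequency."""
    padded = PAD * order + prefix.lower()
    for k in range(order, -1, -1):
        ctx = padded[len(padded) - k:] if k else ""
        counts = model[k].get(ctx)
        if counts:
            return max(counts, key=counts.get)
    return None


def predictable_positions(password, model=MODEL):
    """Indices whose character the model guessed from what came before."""
    pw = password.lower()
    return [i for i, ch in enumerate(pw) if guess_next(pw[:i], model) == ch]


def report(password):
    """Characters the model could guess contribute little to strength;
    the unguessed count is the part of the password doing real work."""
    hits = predictable_positions(password)
    return {"length": len(password), "guessed": len(hits),
            "unguessed": len(password) - len(hits)}


if __name__ == "__main__":
    for pw in ("password", "x7Qz!m2p"):
        print(pw, report(pw))
```

With this corpus, "password" is guessed at seven of its eight positions (only the first letter is a surprise, because the model's favourite first letter is "l"), while the random string is never guessed. A real checker's output depends entirely on the corpus behind it, which is one reason results on generated passwords can look inconsistent: a random string that happens to contain a common bigram gets penalised for it.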