It is always interesting, almost amusing, to follow what thieves can come up with to steal money from ATMs, POS etc. Here is one of the latest stunts described by Krebs. How is it possible that the physical security of these devices is so weak? We should be good at least in physical security, since it has been around for thousands of years. It is more understandable that we have difficulty in dealing with ICT security, which is a relatively new discipline, and quite complex at that.
Human Factor is Always the Weakest Point
The take-over of the RSA Conference website (see Krebs here for a nice summary) reminds us (as if it was needed) that the weakest link is not the technology (and even less cryptography as such), but us, humans. Two points should be stressed:
- if systems are too complex (as in this case, the relations between content providers of online information), we are not up to the task of managing their complexity and we fail to adopt the needed security measures
- technology and technical security are best and most easily circumvented and avoided by exploiting the human factor: why deploy expensive and technologically complex malware when you can send a (well-formed) email asking employees to provide their usernames and passwords to access even mission-critical systems? Much easier, faster, less expensive and you are sure to get an obliging answer!
Some Considerations On Heartbleed
The OpenSSL Heartbleed vulnerability is by now well known to anybody in the ICT security field. At first sight it looked catastrophic: Schneier wrote that on a scale of 1 to 10 it was worth 11. At the moment it is not clear what damage it has directly produced, in particular before the public announcement. But what is possibly more worrisome is the future, on which there is a big ongoing discussion; I try to summarize a few points here:
- this is an extremely serious bug in a security library used by almost everybody. OpenSSL is indeed embedded in many software products: how long and how hard will it be to update all software? Major software producers have and will have a hard time updating all their programs to run with a patched version of the library.
- but even more difficult is the process of getting all users of vulnerable applications to update them, in particular all embedded systems (think, as a simple example, of routers and firewalls with VPN capabilities), which often do not have simple ways of updating their software
- and what about the Internet way of producing so-called “Open Source” software (and sometimes also hardware)? One of the great forces which helps the development of the Internet is the “free” availability of its fundamental components, but who is providing these components? There are some large companies which directly support some of these, but other projects, like OpenSSL, are mostly run by volunteers in their free time. How can the Internet rely on this? (Not from a technical competence point of view, since most of these people are the brightest and most competent there are, but from the availability and support point of view.) How can we at the same time still have “open” or “free” software and guarantee availability, correctness, support etc., all characteristics which require infrastructure, commitment and, first of all, money?
Home Banking Mobile Apps: unsecure at any speed
Security researchers at IOActive have tested 40 iOS-based banking apps from 60 banks around the world and the results are not reassuring. All apps could be installed on a jailbroken iOS device, 90 percent also used some non-SSL links, and roughly half of them lacked some security feature or left sensitive information unprotected and easily readable.
We have a long way to go before mobile platforms become safe for any use.
New Year, Old Bug
Happy New Year, and we start the new year with a very old bug which really amazes me.
This (see here for some explanation) is a bug introduced on May 10th, 1991 in X11 (now also Xorg), the graphics environment of any Unix and Unix-like OS. The bug is a buffer overflow which, when exploited, could give administrator rights (if X11 is running with these rights).
We have seen too many of these bugs and now they are almost history, in the sense that it is so well known how to avoid them that they should not appear in any program. How is it then possible that in an open-source program that is very well known, very well scrutinized and widely adopted, a bug like this could remain undetected for 22 years?
Side Channel Cryptanalysis
In line with the previous post, the paper published by Adi Shamir, Daniel Genkin and Eran Tromer (download here and here for a comment) is of interest, albeit only at the research level, and we should not really worry about it right now. In it they describe how they have been able to extract an RSA private key managed by GnuPG 1.4.x (current version is 2.x) by listening to the noises of the PC.
Yes, an acoustic attack on cryptographic private keys seems very unlikely, even if the idea has been discussed for a long time. It is very interesting that it has been shown possible in practice, and this means that other side-channel attacks, like listening on the power cord, should also be considered seriously, at least when your security requirements are really high.
Interesting Linux backdoor
Symantec has released information here about a new kind of Linux backdoor found on broken-into Linux servers.
The most interesting point is that it communicates by injecting data into normal SSH traffic, without opening new network ports or adding new daemons to the process list.
It would be interesting to learn more about it.
Vulnerability Statistics
Secunia has released its Vulnerability Review 2013 (here is a short summary), which shows that the great majority of the vulnerabilities that afflicted Microsoft systems in 2012 originated in third-party applications such as Flash, Acrobat, Java etc.
The numbers cited by Secunia are probably correct, but the important thing is what conclusion is drawn from them. Obviously the presence of vulnerabilities in any application is a shortcoming, but what personally worries me most is that an operating system, which by definition has as its main purpose the management of hardware and software resources, and therefore also of applications, can be subverted not because of an internal vulnerability of its own but because of a vulnerability in an application.
More Trouble for SSL/TLS
Besides CRIME, BEAST and Lucky13, two new attacks on SSL/TLS have just been announced. One attack exploits weaknesses in the RC4 cipher, which is used by most websites starting from Gmail; many cryptographers had been thinking about this possibility for a long time, and now they have found out how. The second attack, called TIME, is a new timing attack, in part a refinement of CRIME.
As of today, neither attack is practical, but they could become real threats in the future. Notice that the adoption of RC4 by many websites has been mostly to withstand BEAST attacks. Now that Lucky13 and this new attack aim at RC4, it is not clear what to do in practice.
Of course, we should seriously consider what to do with SSL/TLS and even more the CA model, but it will take a long time and I do not see, among the big internet players, enough motivation or incentive to change the current situation.
You can find a summary description of these new attacks, for example, in this article by Ars Technica.
Bypassing iOS 6.x Passcode Lock
According to JBN, with a sequence of moves it is possible to bypass the iOS 6.x passcode lock, directly access the address book and from there make calls, get emails, SMS, pictures etc.
I am just curious to know if this is a planned “feature”, a back-door or just a bug, and in this last case how someone managed to discover it.
The security consequences for iPhone owners who have their phones stolen, lost or just borrowed should be obvious.