Archive for November, 2013

EC continues its froth(ing at the mouth) over the NSA

November 28, 2013

I never cease to be amazed by our politicians – they seem to be incapable of taking a stand and holding a line.

The European Commission is, we are told, furious at the surveillance programs of the National Security Agency. (They are also slightly miffed at those of GCHQ, which is just as bad, if not worse, than the NSA. But GCHQ is British, and Britain is a member of the EU, and the EU cannot, by law, interfere with the security matters of its own members. So that one’s a tad tricky; best keep a low profile.)

But back to the fury at the NSA. In a fit of pique, the EC has declared that if the US doesn’t do what it wants, it might reconsider the safe harbor agreement that allows US companies to export personal European data even though the US is not considered safe to secure it. It won’t, of course. Can you imagine the uproar if Europeans could suddenly not have their hourly fix of Facebook or Twitter or Google mail?

And apart from that, what the EU wants is not for the NSA to stop spying on Europeans, but for Europeans to be able to sue the NSA in the US if it oversteps the mark. Well, good luck with that. A US judge saying that NSA spying on foreigners (perfectly legal, in fact required by law in America) is not legal if that foreigner is European but OK if he is not European? Or perhaps US judges will have to become proficient in European law and adjudicate on EU law for EU citizens living in the EU but spied on from the US? This one will run and run until it is kicked into the long grass and quietly forgotten.

Meanwhile, the EC is keeping quiet over its genuine weapons. Will it stop negotiations on the new ACTA, called the TTIP (Transatlantic Trade and Investment Partnership, not to be confused with – wait, to be totally confused with – the Trans-Pacific Partnership)? Will it hell. A threat like that might actually have an effect.

And what about the Swift agreement – the one that ships European financial data to the US for onward forwarding to the NSA? Not a dicky-bird there either.

So, frankly, all this huff and puff from the EC over the NSA spying is pure froth designed to appease the voting public – after all, we’ve got elections coming up in just a few months.

That’s not to say there aren’t some good guys in Europe. An emailed statement from MEP Jan Philipp Albrecht comments, “It is, however, seriously regrettable that the Commission has completely ignored the demand of the European Parliament to suspend the EU-US agreement on the transfer of SWIFT bank transaction data and, instead, delivered a glowing endorsement of the agreement. Revelations that US authorities by-passed the provisions of the agreement, including using cyber-attacks to access SWIFT data, undermine the entire essence of the agreement and cannot be simply left unanswered. This slight by the Commission in ignoring Parliament’s demand must make MEPs more wary in the future about waiving through far-reaching international agreements.”

Sadly, the Albrechts in Europe are massively outweighed by the Camerons in Europe.

Categories: All, Politics

Password theory is good – password practice is poor

November 25, 2013

There’s nothing wrong with passwords. At least there’s nothing wrong with the theory of passwords.

You have a locked room. The only way into the room is through a single door. The only way through the door is with a single key. You have the only key. What’s wrong with that?

Throughout this article we’ll talk about locked rooms and keys. The locked rooms are your accounts, mostly on the internet; and they contain your valuable personal data. The keys are your passwords to those accounts. You should have a separate key for each locked room. If you have a single key for multiple rooms and you lose that key or it is stolen, the finder can get into all of your rooms.

So, just like any key to any room, we have a responsibility to keep it or them safe if we want to keep our property safe. We need to make sure they cannot be guessed; that we do not leave them lying around for others to find; that we make it as difficult as possible for hackers to steal them directly from our desktop computers (anti-virus, firewalls and above all else, common sense); and that we do not make copies and use the same key for multiple rooms (we need a different key for every different room).

The problem is that we hear about new password thefts almost every day. Some of them happen because of earlier password thefts. As soon as your password is stolen, you are no longer the only person who can get into your locked room. Any person who has your password, the key to your locked room, can steal all of your personal, private and valuable information. Here’s a selection of thefts, basically just what I can remember – there are many, many more – from this year alone:


Adobe 150,000,000 https://kevtownsend.wordpress.com/2013/11/14/adobe-you-really-cocked-up-on-this-one/
Apple 275,000 http://www.theguardian.com/technology/2013/jul/22/apple-developer-site-hacked
Cupid Media 42,000,000 http://www.infosecurity-magazine.com/view/35767/42-million-passwords-compromised-as-hackers-aim-at-cupid-online-dating/
Drupal 1,000,000 http://www.infosecurity-magazine.com/view/32697/drupal-hit-by-massive-data-breach
Evernote 50,000,000 http://www.infosecurity-magazine.com/view/31023/evernote-hacked-50-million-passwords-reset
Living Social 50,000,000 http://www.infosecurity-magazine.com/view/32087/50-million-livingsocial-passwords-stolen
LoyaltyBuild 1,500,000 http://www.infosecurity-magazine.com/view/35604/irish-data-center-breach-hits-15-million-european-consumers
MacRumors 860,000 http://www.infosecurity-magazine.com/view/35592/macrumors-breached-860k-passwords-potentially-compromised/
Morningstar 182,000 http://www.infosecurity-magazine.com/view/33348/morningstar-provides-some-information-about-breach
Nintendo 24,000 http://www.infosecurity-magazine.com/view/33342/thousands-of-club-nintendo-accounts-compromised
Racing Post unknown http://www.infosecurity-magazine.com/view/35814/racing-post-breached-users-passwords-stolen/
Scribd c300,000 http://www.nbcnews.com/technology/scribd-hack-exposes-thousands-users-1B9239618
Twitter 250,000 http://www.wired.co.uk/news/archive/2013-02/02/twitter-hacked
UbiSoft up to 58,000,000 http://www.infosecurity-magazine.com/view/33248/ubisoft-maker-of-assassins-creed-and-ghost-recon-breached
Ubuntu 1,800,000 http://www.infosecurity-magazine.com/view/33556/ubuntu-forum-hacked-18-million-accounts-compromised
vBulletin 900,000 http://www.infosecurity-magazine.com/view/35718/is-there-a-vbulletin-zeroday-out-there/
Yahoo 450,000 http://www.infosecurity-magazine.com/view/26976/yahoo-confirms-what-everyone-already-knew-about-password-breach


Criminals get passwords either by knowing them (because they are given them, or they are insufficiently hidden), or they guess them. In the first case they use social-engineering psychology to persuade the user to hand them over (more information on social engineering here, and spear-phishing here), or they find them unhidden by the user. In the latter case they guess the most common passwords, or use automated dictionaries to try every possibility until the right password (key) for a known account (locked room) is found.

Most websites include a limit on the number of failed access attempts allowed within a predetermined period. This means multiple attempts to guess the right password while online are almost certain to fail. That is why criminals steal password databases from websites – so that they can try millions of automated guesses offline without being interrupted. The purpose is still to find the key to gain entry to your locked room, and to steal everything of value within it.

But there’s an easy solution: use complex passwords that cannot be manually guessed, and electronically hide them so that automated guessing still won’t work.

There are two methods for ‘electronically hiding’ text: encryption and hashing. Encryption involves converting text into an apparently meaningless jumble of characters in a manner that can only be unjumbled if you have the secret decryption key – which can be the same as the encrypting key (symmetric encryption) or different from it (asymmetric encryption). Encryption, by definition, comes with the ability to decrypt – the ability to return the jumble back to the original text. Hashing is different. Hashing is one-way only. Hashing converts the original text into a meaningless jumble that cannot be de-hashed back to the original.

Hashing is the right solution for websites to hide their users’ passwords. It means that even the website doesn’t need to know the password, only the hash, which they cannot return to the original password key. With this method passwords need never and should never be stored by websites.

When you create a new account you are asked to provide a password. That password is hashed, paired with your user ID (often, but not necessarily, your email address), associated with your account, and stored. Whenever you want to access your account, you again enter your password. It is hashed again. If your user ID and the new hash result match with something stored, you are allowed access to the associated account.

Hint: if you forget your password, distrust a website that is able to send you your old password by email – it shouldn’t have your password. The ‘correct’ procedure is to guide you to a place where you can create a new password.

So, the effective use of passwords is a partnership. Users need to create good passwords and keep them safe, while internet companies need to store them safely and securely. It is my contention that, done properly, this will be enough.

Alternatives to the simple password
Before we go too far on the strengths and weaknesses of passwords, we should mention the alternatives.

Passwords are designed to provide user authentication – to prove that Joe Smith really is not just any Joe Smith, but the right Joe Smith. In security terms, authentication is often described by the number of factors it uses – with the implication and a degree of validity that the more factors used, the more secure the authentication. (Personally, I do not believe that is necessarily true.) ‘Factors’ in this sense are things you know (like a password), things you have (like a token), things you are (like a biometric), and so on. The two most commonly used additional factors today are soft tokens and biometrics.

Soft token 2FA
An example of the most commonly used two-factor user authentication is the separate token sent out-of-band to the user’s mobile phone. This is a one-off code. Now you could say that ‘the thing that is owned’ is the separate code, or the phone that it is received on. Either way, the user now requires something he knows (password) and something he owns (phone/token).

I have two problems with this. Firstly, whenever you introduce complexity into security, you also introduce weakness – the phone and the communication sending it can both be attacked separately. The second issue is that this complexity makes it harder to use – and users do not want any more difficulty. If 2FA is an option, most users opt to ignore it. That in itself is not an issue, because we’re back where we started. But the fact that there **is** a 2FA option can mean that users take less care, whether they opt for 2FA or not, simply because it is clear that the vendor is taking more care. There is a danger that 2FA can cause a false sense of security.

Biometric authentication
Biometrics is getting a lot of publicity. Governments use facial biometrics for surveillance and passports; law enforcement uses fingerprints for criminal recognition; and Apple uses finger scans for opening the new iPhone.

I have three concerns. Firstly, nearly all biometrics can be forged. It took researchers just days to break through Apple’s iPhone finger scan. Secondly, what do you do if your biometric is compromised? If your password is compromised, you create or request a new password. What do you do if your iris, or your voice, or your thumbprint is compromised? And thirdly, it’s that old false sense of security – people using biometrics tend to think they are more secure than they actually are.

My contention, which I shall try to demonstrate below, is that passwords – used correctly – are adequate on their own. All we have to do is use them correctly.

Creating secure passwords and keeping them safe
Criminals get into locked rooms by guessing the password key.

When Gawker was breached in 2010, researchers found that the ten most popular passwords were:

  1. 123456
  2. password
  3. 12345678
  4. lifehack [LifeHacker is a Gawker publication]
  5. qwerty
  6. abc123
  7. 111111
  8. monkey
  9. consumer
  10. 12345

When LinkedIn was breached in 2012, researchers discovered that the ten most popular passwords were:

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football

How long do you think it would take to guess passwords like these?

Of course, if the passwords are all held in a single database without any form of electronic jumbling, then a password thief doesn’t need to guess anything because he’s got them written down in front of him. So the websites store the passwords ‘hashed’.

Now the criminals have to start guessing. To help this process, they use computers and specialized dictionaries called rainbow tables. Rainbow tables are effectively long lists of precomputed hash outputs together with the original input text that was used.

Stolen password hashes are then simply compared to the rainbow tables. If the hash output is found, then the password is known – that is, the password has been cracked.

So when you consider a new password, you should also consider how they are cracked with rainbow tables. Any word that appears in a dictionary will be in the tables. Any number up to at least 999,999,999 will be in the tables. All conceivable combinations of letters up to a certain length, and all conceivable combinations of letters and numbers up to a certain length, will appear in the tables. In short, if you use a password made up of any combination of letters and numbers up to, say, seven characters, and that password is stolen, you should consider it already cracked and available to the criminals.

This will include some of the commonly recommended methods for coming up with passwords – such as initial letters from quotations. “into the valley of death rode the six hundred” could provide ‘itvodrt600’. That looks like a strong password – but you should assume that it’s in a rainbow table somewhere.

The way to avoid rainbow tables is to use a very long password that mixes uppercase, lowercase, numbers, special characters and punctuation marks. The problem then becomes one of usability – passwords that are difficult to guess are even more difficult to remember.

The best way to produce, store locally and safely, and use strong passwords is to use a reputable and recommended password manager. I’m not going to recommend any myself – you must research that on your own. But the one I use generates passwords for me such as

%wc;I’,;Gp*CfQr9FUFpZYm|

I consider that to be reasonably secure against most tables.

The responsibility of the website
The fact remains that if the vendor doesn’t keep passwords hashed, then it really doesn’t matter how complex I make them.

So if it is incumbent on me to generate strong passwords, then it is equally incumbent on the website to store them securely. That means hashing them.

Actually, it means more than that. It means using a strong hashing algorithm (not all are equally good); it means using a slow algorithm (some were designed for speed when computers were slow, with the unintended consequence of making cracking faster and therefore easier); and the hashes should be salted. Salting is the addition of random characters, different for each user, to the user’s password before it is hashed. Basically, salt makes the password even harder to crack – it turns a medium strength password into a strong password, and it means that a precomputed table built for one site is useless against another.

This is standard best-practice. Unfortunately, too many websites do not conform to best practice. In the last few weeks we have heard:

  • Adobe did not hash its passwords; it encrypted them (better than nothing, but not as good as hashing). It also stored users’ password hints next to the encrypted passwords in plain text – making it, in some cases, obvious what the password was.
  • LoyaltyBuild stored users’ credit card numbers unencrypted and with the cards’ CVV numbers.
  • Cupid Media stored its users’ passwords in plaintext.

What is the point of coming up with a long, complicated, unguessable password if the website just hands it to the criminals on a plate?

Conclusions and recommendations
For password access to locked rooms to work, the passwords need to be strong (from the user) and hashed and salted by the website. Clearly that frequently doesn’t happen; and that’s why we have rampant identity theft.

Since it doesn’t happen voluntarily, we need a new code of practice backed by regulation if necessary. Much of it will fall on the website; but that’s a small price to pay for a secure and trusted internet.

Firstly, websites should require a minimum strength password from their users – so strong, in fact, that it becomes easier to use a password manager than to try to make them up.

Secondly, users must learn not to reuse the same password on multiple sites. Security audits must confirm this as part of staff awareness training, and schoolchildren need it to be taught in schools.

Thirdly, websites must be required, by law if necessary, to make it clear how they protect their users. Inadequate password security could then be shunned by users and ridiculed by professionals.

With these three basic developments, password-protected access will do the job it was designed to do: locked rooms will stay locked, personal and private.

Categories: All, Security Issues

An evolution in the theory of security risk management

November 22, 2013

Time to rewrite the text books. We have ‘security by threat transfer’, ‘security by threat avoidance’, ‘security by threat reduction’, and ‘security by threat acceptance’.

Now I bring you the latest evolution in the theory of security risk management: security by denial

[image: pearsontweet]

This, ladies and gentlemen, is why we have a problem.

Categories: All, Security Issues

Trust and the Internet

November 12, 2013

Wonderful idea from Deutsche Telekom. Yesterday it said it would launch a clean pipe secure service for small companies that cannot afford their own security. For a fixed monthly fee small companies will be able to access the internet via DT’s own secure data centres. “Hackers will have no chance,” said management board member Reinhard Clemens. Well, we’ll just gloss over that, and accept it at face value.

“The ‘clean pipe’ project, in which Deutsche Telekom partners with RSA – part of U.S. technology firm EMC – is in a test phase and scheduled to hit the market early next year,” reports Reuters.

So, just a little due diligence required before I sign up…

OK, Deutsche Telekom owns T-Mobile. T-Mobile “operates the fourth and fifth largest wireless networks in the U.S. market with 45 million customers and annual revenues of $21.35 billion.” (Wikipedia). Slight problem: that means that T-Mobile is subject to FISA in the US – and the US business brings DT more than $20 billion.

OK, RSA is a huge name in encryption. That’s got to be good (even though it is, well, yes, an American company). RSA got big and very rich on its invention of public key cryptography. Thing is, RSA didn’t invent it – it was invented by Ellis, Cocks and Williamson at GCHQ.

Now the details are rather obscure and still shrouded in secrecy, but there are suggestions that GCHQ told the NSA what it had discovered, and shortly after that, public key cryptography was (re)invented in the US.

I would not for one moment suggest anything underhand in the timing – but given what we now know about both the NSA and GCHQ there is a temptation to ask whether public key cryptography would have been allowed to develop if the very same mathematicians who produced it had not also discovered a way to unpick it.

Mathematicians and cryptographers tell us that cryptography based on the difficulty of factoring large numbers that are the product of two primes is valid.

But…

And that’s the point. But.

Thank you NSA. Thank you GCHQ. You have reduced a wonderful and exciting internet into something dirty and distrustful. Thank you for removing any possibility of trust anywhere.

Categories: All, Politics, Security Issues

The truth is out there – it’s just not in the newspapers

November 10, 2013

Blogs are different to newspapers. You can get away with greater subjectivity in a blog than you can in a newspaper. But newspapers cannot absolve themselves of their responsibility for pure objective fact by calling a particular section a blog.

So when Martha Gill wrote about Anonymous in the Telegraph blog, it was wrong. Her headline says it all: Anonymous have been exposed as hypocrites. Watch them try to wriggle out of it (6 November 2013). You can hear the glee in her voice – this is personal, not factual.

Anonymous responded with an open letter to the media in general. It accused Gill of being inaccurate in one of her two accusations (that their masks are produced in what she strongly implies is a sweatshop) and hypocritical in another (that Warner Bros benefits from every sale of a mask). On the latter, Anonymous suggests that royalties are a sad fact of life; and wonders how many Telegraph staff support Foxconn by using Apple or Dell, Sony or HP equipment. “Since 2010, at least 17 deaths occurred when employees committed suicide by jumping from the roof of the building. To use a phrase from Martha Gill’s article, these are certainly ‘unpleasant conditions.’”

But in reality, this incident is just a small local battle in a much larger war. Anonymous – and it’s not alone – believes that much of the media has been bought and usurped by government and big business; and supports the agenda of government and big business to the exclusion of truth. It is no coincidence that there is a nationwide (US) march against corporate media planned for next Saturday:

We are planning a march and rally in Washington DC to raise awareness of the privatization, corporatization, and monopolization of the mainstream media and the corruption of our fifth estate. The failure of the corporate networks to adequately cover critical social issues has allowed for the rampant corruption of our political and economic system to go unquestioned and unchallenged.
March against mainstream media

If you have already thought about this, it cannot be denied. A few (very few) newspapers have kicked back in recent months with the Snowden revelations (notably the Guardian, Washington Post and Der Spiegel); but it’s also noticeable that the Guardian is under threat of prosecution in the UK for doing so.

And if you want a specific current example of this media betrayal, consider an EFF blog from Thursday: How Can the New York Times Endorse an Agreement the Public Can’t Read?

The New York Times’ editorial board has made a disappointing endorsement of the Trans-Pacific Partnership (TPP), even as the actual text of the agreement remains secret. That raises two distressing possibilities: either in an act of extraordinary subservience, the Times has endorsed an agreement that neither the public nor its editors have the ability to read. Or, in an act of extraordinary cowardice, it has obtained a copy of the secret text and hasn’t yet fulfilled its duty to the public interest to publish it.

TPP is the successor to ACTA. ACTA was defeated by European activism. It is dead. TPP allows the same provisions to be established everywhere else without European involvement. Once this is achieved, the new discussions on an EU/US trade agreement will be dragged into the same agreements – it will be inevitable.

But where is the mainstream media’s concern over either? In defeating ACTA, the people made it very clear that they do not want ACTA – more specifically the internet-controlling, copyright-enforcing aspects of it. To understand the great Battle of ACTA, read Monica Horten’s new book, A Copyright Masquerade.

Rather than accept the will of the people, big business and government withdrew, regrouped, renamed and returned from a different direction, calling it TPP and being equally if not more secretive.

The problem is that the mainstream media is not on the side of its readers, but on the side of its owners.

[image: media 6]

Quite simply, the majority of US news outlets are owned by the same media companies that are lobbying in favour of trade agreements that will take over control of what appears on the internet, who can see what, and who goes where. Quite frankly, we can no longer believe what we read in the press any more than we can believe what government tells us.

Categories: All, Politics

Bits of Freedom seeks clarity from the AV industry on collusion with law enforcement

November 7, 2013

On 25 September I posed the question: Is the anti-virus industry in bed with the NSA? Now Bits of Freedom, a Dutch digital rights group, has asked the same question in a letter signed by more than 25 civil rights groups and individuals (including Bruce Schneier, EDRi and EFF).

On 25 October it wrote to more than a dozen of the world’s leading anti-virus companies asking four specific questions:

1. Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?

2. Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?

3. Have you ever granted such a request? If so, could you provide the same information as in the point mentioned above and the considerations which led to the decision to comply with the request from the government?

4. Could you clarify how you would respond to such a request in the future?

With the greatest respect, this is a pointless exercise; the companies will deny any collusion with law enforcement to subvert their products whether they have or not. And they may have, or they may not.

I have no idea whether there is collusion between AV and law enforcement. Every single member of the AV industry I have spoken to denies it absolutely – and I believe them. There really are some great, learned, honest and honourable guys in the AV industry. But the NSA says it doesn’t break the law; and I absolutely do not believe them.

We know that the NSA hacks into third-party computers and installs malware. We know that it is the AV industry’s job to detect and neutralise such malware. We therefore know that the NSA will not want the AV industry to do that to their own malware.

It would be easy enough to defeat AV engines to get onto a computer; but it is less easy to stay hidden for any length of time after that. But we know that state-sponsored malware remains undetected for years. How does it do that? The easiest way would be to subvert the seek and destroy software that hunts it.

So, given the amount of time and resources that the NSA has spent on subverting what gets in its way – such as encryption – is it reasonable to believe that it hasn’t spent similar effort on neutralizing the AV industry?

I don’t know the answer; and it doesn’t matter who in the AV industry tells me, nor in what regard I hold them, nor how many times they tell me, I still will not know.

And that, perhaps, is the very worst thing that the NSA has done. It has destroyed trust in the internet, and has destroyed trust in anything to do with the internet. For that the NSA cannot – and must not – ever be forgiven.

Categories: All, Politics, Security Issues