Thursday, July 16, 2009

Is SSL broken?

I was reading Network World and for a very brief moment was alarmed to learn that SSL is not secure and that Tim Greene recommends (or is he quoting the researchers opinion?) that people should not use public wifi even for SSL-safe browsing.

[Network World article says "SSL VPN..." although the threat if real should apply to non-VPN uses of SSL as well and the examples cited are for online banking and most people won't call an SSL connection to their bank an SSL VPN. SSL VPN is the extension on an "intranet" over the internet using SSL to secure it]

Then I found the this article that seems to have slightly more data. I havn't seen the demonstration but I have a suspicion that this is much ado about nothing. It seems the flaw is that if parts of the page are EV SSL and other parts are not EV SSL the browser does not complain as long as the domain is the same. (The part is bold is my assumption but if it is true, there is nothing to worry about. If my assumption is not true all hell will break loose, public Wifi or not!). I think all parts are not EV SSL because the site owner did not want to shell out extra money for EV SSL certificates for every sub-domain. This makes sense, because EV SSL is pretty much useless and I don't understand why the website got an EV SSL certificate at all!

If you read this and know that my assumption above is false, please comment and let me know. I should stop using the internet!

Update 3.11pm: Found the abstract here: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html

[scroll down to find "Alexander Sotirov, Mike Zusman
Breaking the security myths of Extended Validation SSL Certificates" ]

My assumption is valid. SSL is still secure. Their point is that EV SSL is not more secure than cheapo SSL.

"Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate"

We already know that is true...this is one more reason and makes it "truer", if that is possible :-)

Wednesday, July 15, 2009

How safe is your Twitter account?

Twitter has been successfully hacked several times but the most egregious of them all is the breakin that compromised Twitter's own employee and other confidential information. I don't use Twitter but I am concerned about the security of other major social networks like Facebook, Orkut etc; frankly, I don't think they are much better. In the race to capture more and more users social networking websites and applications often ignore security and privacy issues. This is because these issues are considered an economic externality by these companies. In that respect, the information age is a bit like the early industrial era where corporations ignored the impact of their factories on the environment. We need laws that "internalize" these externalities. But given the focus of the government on the economic crisis, health reform and other issues, will this important issue be addressed?

Thursday, April 16, 2009

How secure will the smart grid be?

There is a good article about the security of our power grid. Unlike the innumerable fear-mongering writeups I generally find, this one is quite reasonable.
In particular I find this paragraph about the increasing proliferation of "smart-grids" interesting:

While Meyerrose, Mansoor and other experts agree that the utility industry's vulnerability will grow as its command-and-control systems rely ever more on computer networks, those concerns are not new. Some security experts have cautioned against the growing use of "smart grid" technology — which relies even more on computer networks to allow both utilities and individual consumers to monitor and reduce power usage. There are already 2 million smart meters in use in the U.S., and the Obama Administration's 2010 budget includes $4.5 billion in spending on such technology. The fear is that these meters may allow hackers access to the grid's control systems. But smart-grid backers say the opposite is true: the use of more-sophisticated monitoring systems makes the grid safer.

Of course, they will say this because that is good for their business. The truth is that it depends on the details. If these systems are designed with security in mind they will be safer. If not (and this is more likely), the new smart grid will be less secure than the "dumb" grid we have today.

Tuesday, March 24, 2009

Phonefactor: how secure?

A system is only as secure as its weakest link. Phonefactor seeks to replace hardware security tokens with your phone. It is an interesting idea because not only does it use two factors: something you know (password) and something you have (phone)but also because it uses two channels: internet and phone (unless of course your phone is VoIP*). This would appear to increase security but it doesn't necessarily do so. The challenge in using a phone in real-time for authentication is that you have to handle the case where the user is not near the registered phone or if it is a cellphone and it is not reachable when the user wants to log into her account. And handling of this case is the weak link. The system has to fall back to what Phonefactor claims "strong security" but which in reality is quite weak. All you have to do in convince the call center staff to do a one time bypass or change the registered phone number. Usually this is done by asking for information like social security numbers, mother's maiden name etc. This is not secure. If it were, why have the phone factor at all? Just ask these questions on the internet while authenticating the user. Indeed, many banks/brokers have adopted this approach(I am not saying that this is secure). But some like one of my credit unions have fallen for the marketing gimmick and false sense of security provided by Phonefactor.

*Even if your phone is not VoIP, your provider may be susceptible to being hacked. For now, I ignore that angle, because there is a much easier way to bypass the 2nd factor.

Wednesday, January 21, 2009

Signs of intelligent life appear in Washington...still missing from Mumbai

There are signs of intelligent life in Washington security circles:

A federal appeals court in Philadelphia ruled that would violate the First Amendment, because filtering technologies and other parental control tools are a less restrictive way to protect children from inappropriate content online.

http://www.siliconvalley.com/latestheadlines/ci_11511321?source=email

But missing in the Mumbai police department

...several police teams, armed with laptops and internet-enabled mobile phones, will randomly visit homes to detect unprotected networks.
http://blog.wired.com/sterling/2009/01/bombay-cops-kee.html