Wednesday, July 15, 2009

How safe is your Twitter account?

Twitter has been successfully hacked several times, but the most egregious incident of all is the break-in that compromised Twitter's own employee records and other confidential information. I don't use Twitter, but I am concerned about the security of other major social networks like Facebook, Orkut etc.; frankly, I don't think they are much better. In the race to capture more and more users, social networking websites and applications often ignore security and privacy issues, because these issues are an economic externality for the companies: the cost of a breach falls mostly on the users, not on the company. In that respect, the information age is a bit like the early industrial era, when corporations ignored the impact of their factories on the environment. We need laws that "internalize" these externalities. But given the government's focus on the economic crisis, health reform and other issues, will this important issue be addressed?

Thursday, April 16, 2009

How secure will the smart grid be?

There is a good article about the security of our power grid. Unlike the innumerable fear-mongering write-ups I generally find, this one is quite reasonable.
In particular, I find this paragraph about the increasing proliferation of "smart grids" interesting:

While Meyerrose, Mansoor and other experts agree that the utility industry's vulnerability will grow as its command-and-control systems rely ever more on computer networks, those concerns are not new. Some security experts have cautioned against the growing use of "smart grid" technology — which relies even more on computer networks to allow both utilities and individual consumers to monitor and reduce power usage. There are already 2 million smart meters in use in the U.S., and the Obama Administration's 2010 budget includes $4.5 billion in spending on such technology. The fear is that these meters may allow hackers access to the grid's control systems. But smart-grid backers say the opposite is true: the use of more-sophisticated monitoring systems makes the grid safer.

Of course they will say this, because it is good for their business. The truth is that it depends on the details. If these systems are designed with security in mind (commands to the grid authenticated, meters that cannot be used as a foothold into the control network) they will be safer. If not, and this is the more likely outcome, the new smart grid will be less secure than the "dumb" grid we have today, because every meter becomes a network-reachable entry point.

Tuesday, March 24, 2009

Phonefactor: how secure?

A system is only as secure as its weakest link. Phonefactor seeks to replace hardware security tokens with your phone. It is an interesting idea, not only because it uses two factors, something you know (password) and something you have (phone), but also because it uses two channels, the internet and the phone network (unless, of course, your phone is VoIP*). This would appear to increase security, but it doesn't necessarily do so. The challenge in using a phone in real time for authentication is that you have to handle the case where the user is not near the registered phone, or where it is a cellphone and is not reachable when the user wants to log into her account. The handling of this case is the weak link. The system has to fall back to what Phonefactor calls "strong security" but which in reality is quite weak: all an attacker has to do is convince the call center staff to grant a one-time bypass or to change the registered phone number. Usually this is done by answering questions about information like social security numbers, mother's maiden name etc., and that information is not secret. If this fallback were secure, why have the phone factor at all? Just ask these questions on the internet while authenticating the user. Indeed, many banks and brokers have adopted this approach (I am not saying that this is secure). But some, like one of my credit unions, have fallen for the marketing gimmick and the false sense of security provided by Phonefactor. A login is exactly as strong as the weakest path the service accepts, and with a knowledge-based fallback that path is no stronger than the questions.

*Even if your phone is not VoIP, your provider may itself be susceptible to being hacked. For now I ignore that angle, because there is a much easier way to bypass the second factor.
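To make the "weakest link" argument concrete, here is an added example (not Phonefactor's code or policy) that models an authentication policy as the set of factor combinations a service will accept, and checks which constructed attacker profiles get in. The policy names, the capability names and the attacker profiles are assumptions made up for the illustration.

```python
"""Authentication policy as a set of acceptable factor combinations
('paths'); a login succeeds if ANY path is satisfied, so the policy is
only as strong as its weakest path. Added example with constructed
policies and attacker profiles; not taken from any vendor."""

PASSWORD = "password"   # something you know
PHONE = "phone"         # something you have: answers the out-of-band call
KBA = "kba"             # knowledge-based answers given to call-center staff

# Each policy lists every combination of capabilities that the service will
# accept for a login. Assumed for illustration, not any vendor's documentation.
POLICIES = {
    "password only": [{PASSWORD}],
    "password + kba": [{PASSWORD, KBA}],
    "phone factor with kba fallback": [{PASSWORD, PHONE}, {PASSWORD, KBA}],
    "phone factor, no online fallback": [{PASSWORD, PHONE}],
}

# Constructed attacker profiles: what each attacker already holds.
ATTACKERS = {
    "phished password": {PASSWORD},
    "phished password + public records": {PASSWORD, KBA},
    "phished password + ported phone number": {PASSWORD, PHONE},
}


def can_login(paths, capabilities):
    """A login succeeds if the capabilities cover at least one accepted path."""
    return any(path <= capabilities for path in paths)


def successful_attackers(policy_name):
    """Sorted names of attacker profiles that get in under the given policy."""
    paths = POLICIES[policy_name]
    return sorted(name for name, caps in ATTACKERS.items() if can_login(paths, caps))


def adds_security(base, extended):
    """True only if the extended policy rejects some attacker the base admits
    and admits nobody new: adding a path can never make this true."""
    return set(successful_attackers(extended)) < set(successful_attackers(base))


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:35s} admits: {successful_attackers(name)}")
    print("phone factor on top of KBA adds security:",
          adds_security("password + kba", "phone factor with kba fallback"))
```

Run as a script it lists, per policy, which attackers log in. The point the model makes is that the "phone factor with kba fallback" policy admits every attacker that "password + kba" admits, so against someone who can answer the questions the phone call adds nothing; only a policy whose fallback is not available online (the last one) actually shrinks the set of successful attackers.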

Wednesday, January 21, 2009

Signs of intelligent life appear in Washington...still missing from Mumbai

There are signs of intelligent life in Washington security circles:

A federal appeals court in Philadelphia ruled that would violate the First Amendment, because filtering technologies and other parental control tools are a less restrictive way to protect children from inappropriate content online.

http://www.siliconvalley.com/latestheadlines/ci_11511321?source=email

But still missing from the Mumbai police department:

...several police teams, armed with laptops and internet-enabled mobile phones, will randomly visit homes to detect unprotected networks.
http://blog.wired.com/sterling/2009/01/bombay-cops-kee.html


Friday, April 25, 2008

Should Microsoft encrypt/obfuscate patches?

Securityfocus has this story about a group of researchers who have found a way to semi-automate the creation of exploits from patches:
... Microsoft has not taken adequate steps to make such attempts more difficult, Brumley said. The researchers suggested possible avenues that Microsoft could pursue to increase the likelihood that customers received patches before attackers could reverse engineer them, including obfuscating the code, encrypting the patches and waiting to distribute the key simultaneously, and using peer-to-peer distribution to push out patches faster.

The researchers recommend the above for Microsoft. However, each method may create more problems than it solves. Let us consider them one by one:

1) Obfuscate the code - Obfuscating the patching code (the installer) doesn't help at all: one can simply snapshot the system before and after applying a patch and diff the binaries; it is the patched file on disk that gets analyzed, not the installer. Obfuscating the application code itself (the application that is being patched), if done manually, will make it more bug-prone and hence a source of more exploits. Automated obfuscation will not introduce extra bugs, but it could make the application run slower, and it only raises the cost of the diff rather than preventing it.

2) Encrypt the patches and withhold the key - The key will have to be distributed eventually. The window of opportunity for automated exploit generators will be smaller, assuming the key can be distributed faster than the patch. However, the window of opportunity for zero-day exploits will be bigger, since everyone sits on an unapplied patch until the key arrives. Also, exploit generation can use IDS/IPS signature updates as input instead of the patch, since a signature describes the very input that triggers the bug. So should you encrypt those as well and withhold the key?

3) Use peer-to-peer distribution of patches - This could work, but why is it better than other content delivery methods? Faster distribution only shrinks the window if users also apply the patch promptly.
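The snapshot-and-diff step from point 1, as an added example (not the researchers' tool and not Microsoft's code): hash every file in a "before" and an "after" tree, report what was added, removed or changed, and for changed files list the byte ranges that differ. The two trees are constructed inline in `demo()` with a made-up "parser.dll" whose bounds check changes from `>` to `>=`; any obfuscation of the installer is irrelevant to this because only the resulting files are compared.

```python
"""Snapshot-and-diff of a patched file tree: locate what a patch changed
regardless of how the installer itself was obfuscated. Added example;
the 'before'/'after' trees below are constructed, not real binaries."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative POSIX path -> SHA-256 of contents for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def changed_ranges(before, after):
    """Return (offset, old_bytes, new_bytes) for each run of differing bytes.
    If the lengths differ, the extra tail is reported as one final run."""
    runs = []
    n = min(len(before), len(after))
    i = 0
    while i < n:
        if before[i] == after[i]:
            i += 1
            continue
        j = i
        while j < n and before[j] != after[j]:
            j += 1
        runs.append((i, before[i:j], after[i:j]))
        i = j
    if len(before) != len(after):
        runs.append((n, before[n:], after[n:]))
    return runs


def diff_snapshots(root_before, root_after):
    """Compare two trees: files added, removed, and byte-level changes."""
    a, b = snapshot(root_before), snapshot(root_after)
    report = {"added": sorted(set(b) - set(a)),
              "removed": sorted(set(a) - set(b)),
              "changed": {}}
    for rel in sorted(set(a) & set(b)):
        if a[rel] != b[rel]:
            old = (Path(root_before) / rel).read_bytes()
            new = (Path(root_after) / rel).read_bytes()
            report["changed"][rel] = changed_ranges(old, new)
    return report


def demo():
    """Build a constructed pair of trees: an 'unpatched' library whose length
    check reads `if (n > 64)` and a 'patched' one that reads `if (n >= 64)`,
    plus one unchanged file and one file the patch adds."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp) / "before", Path(tmp) / "after"
        for root in (before, after):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "unchanged.dll").write_bytes(b"\x90" * 16)
        (before / "bin" / "parser.dll").write_bytes(b"HDR\x00if (n > 64) reject;\x00")
        (after / "bin" / "parser.dll").write_bytes(b"HDR\x00if (n >= 64) reject;\x00")
        (after / "bin" / "helper.dll").write_bytes(b"new helper")
        return diff_snapshots(before, after)


if __name__ == "__main__":
    result = demo()
    print("added:", result["added"], "removed:", result["removed"])
    for rel, runs in result["changed"].items():
        for off, old, new in runs:
            print(f"{rel} @ {off}: {old!r} -> {new!r}")
```

On real binaries the byte ranges would be fed to a disassembler to find the changed function, which is where the automated exploit generation starts; the diff itself needs nothing from the installer.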


Friday, February 15, 2008

Can I protect private data from the threat of coerced password disclosure?

Bruce Schneier mentioned the threat of government authorities asking you to divulge the password to your encrypted file or disk:

The latter threat is becoming more real. I have long been worried that someday, at a border crossing, a customs official will open my laptop and ask me to type in my password. Of course I could refuse, but the consequences might be severe -- and permanent. And some countries -- the United Kingdom, Singapore, Malaysia -- have passed laws giving police the authority to demand that you divulge your passwords and encryption keys.

This is indeed a pain. The same could be done by an adversary holding you at gunpoint. Truecrypt, the free disk encryption software that I use, has a partial solution. It allows you to create a hidden volume within an encrypted volume. So to protect yourself from the above threat you can enter the password for the outer volume and deny the existence of any inner volume. I don't know how Truecrypt implements this, but I think it works somewhat like this:

The descriptor of the inner volume (and not just the user data) is stored at a fixed location and encrypted with the inner volume's password. Until that password is typed there is no way to tell whether a valid descriptor (and hence a hidden volume) is present or not.

This is nice, since one can pretend that the inner volume does not exist and the adversary has no way to prove otherwise (all unused space is initialized with random bytes, so an encrypted descriptor looks the same as empty space). However, a clever adversary may threaten to overwrite the fixed location where the hidden volume's descriptor resides. At that point you can choose between disclosing the data to the adversary or losing it forever. And in many cases it is good to have that choice.
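The mechanism sketched above, as an added toy example (not Truecrypt's code; Truecrypt's real header layout, offsets and ciphers are different and are not reproduced here): a container filled with random bytes, an outer header at one fixed offset and an optional hidden header at another, each encrypted and MACed under its own password-derived key. Mounting tries both locations; without the right password neither can be told from noise, and overwriting the hidden slot silently destroys the hidden volume, which is the threat the text describes. The stream cipher built from SHA-256 is for illustration only, not for production use.

```python
"""Toy deniable container: outer and hidden headers at fixed offsets inside
random filler. Added example; the offsets, sizes and the SHA-256 counter-mode
'cipher' are assumptions for illustration, not Truecrypt's format."""
import hashlib
import hmac
import os
import struct

CONTAINER_SIZE = 4096
OUTER_OFFSET = 0        # assumed fixed location of the outer header
HIDDEN_OFFSET = 2048    # assumed fixed location of the hidden header
SALT, PAYLOAD, TAG = 16, 80, 32
HEADER_SIZE = SALT + PAYLOAD + TAG
MAGIC = b"TOYVOL\x00\x00"   # lets a correctly decrypted header be recognised


def derive_keys(password, salt):
    """PBKDF2 -> (encryption key, MAC key); the salt is stored in the clear
    and is itself random, so it reveals nothing about which slot is real."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000, 64)
    return k[:32], k[32:]


def keystream(key, length):
    """Illustrative counter-mode keystream from SHA-256 (not a real cipher)."""
    out = b"".join(hashlib.sha256(key + struct.pack(">Q", c)).digest()
                   for c in range((length + 31) // 32))
    return out[:length]


def seal_header(password, descriptor):
    """Encrypt-then-MAC a fixed-size descriptor; output is random-looking."""
    salt = os.urandom(SALT)
    ek, mk = derive_keys(password, salt)
    plain = descriptor.ljust(PAYLOAD, b"\x00")
    ct = bytes(a ^ b for a, b in zip(plain, keystream(ek, PAYLOAD)))
    return salt + ct + hmac.new(mk, salt + ct, "sha256").digest()


def open_header(password, blob):
    """Return the descriptor if the password fits this blob, else None."""
    salt, ct, tag = blob[:SALT], blob[SALT:SALT + PAYLOAD], blob[SALT + PAYLOAD:]
    ek, mk = derive_keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mk, salt + ct, "sha256").digest()):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, keystream(ek, PAYLOAD)))
    return plain if plain.startswith(MAGIC) else None


def create_container(outer_pw, hidden_pw=None):
    """All free space is random, so a hidden header is indistinguishable
    from filler until its password is supplied."""
    buf = bytearray(os.urandom(CONTAINER_SIZE))
    buf[OUTER_OFFSET:OUTER_OFFSET + HEADER_SIZE] = seal_header(
        outer_pw, MAGIC + b"outer:data@256")
    if hidden_pw is not None:
        buf[HIDDEN_OFFSET:HIDDEN_OFFSET + HEADER_SIZE] = seal_header(
            hidden_pw, MAGIC + b"hidden:data@3072")
    return buf


def mount(container, password):
    """Try the outer slot, then the hidden slot; report which one opened."""
    for name, off in (("outer", OUTER_OFFSET), ("hidden", HIDDEN_OFFSET)):
        if open_header(password, bytes(container[off:off + HEADER_SIZE])):
            return name
    return None


def destroy_hidden_location(container):
    """The adversary's threat: overwrite the fixed hidden-header slot."""
    container[HIDDEN_OFFSET:HIDDEN_OFFSET + HEADER_SIZE] = os.urandom(HEADER_SIZE)


if __name__ == "__main__":
    c = create_container("outer-pw", "hidden-pw")
    print("outer pw ->", mount(c, "outer-pw"), "| hidden pw ->", mount(c, "hidden-pw"))
    destroy_hidden_location(c)
    print("after overwrite, hidden pw ->", mount(c, "hidden-pw"))
```

Note that the same property cuts both ways: because the hidden slot is indistinguishable from free space, anything that writes into that region of the outer volume (the adversary, or the owner filling up the outer volume) destroys the hidden volume without any error being reported.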

Tuesday, January 15, 2008

To WPA or not to WPA?

Renowned security expert Bruce Schneier wrote a controversial essay arguing for the benefits of keeping his home wireless network unsecured. He spends a lot of words on less important things like the possibility of someone using your network for doing bad stuff and getting you involved in legal proceedings. He is not concerned about it and neither am I.

However, as this article points out, Bruce mentions the most important point only in passing: he has secured his computers in a way that makes the insecurity of the wireless link irrelevant to him (perhaps disk encryption and a VPN). This is probably because he travels a lot and uses unsecured wireless access often. Many people don't. I don't use any public wireless network. I don't have a reason to use PGP or any other disk encryption technology on my laptop. I do, however, have a desktop at home which is accessible only from behind my internet firewall, and since it is connected only via a wired link I do not have to lock it down (use long and difficult passwords, change passwords often, use disk encryption etc.). If I make my wireless network open, drive-by hackers are inside my firewall and can easily hack into my desktop and laptop. Passive eavesdroppers can easily read my mail, instant messages etc. when I am using my laptop to access them. Choosing between taking that risk and enabling WPA is a no-brainer for me.

Regarding WPA Bruce says:
"This is not to say that the new wireless security protocol, WPA, isn't very good. It is. But there are going to be security flaws in it; there always are."
The question is not whether WPA has any flaws, it is whether any have been found that are easily exploitable by drive-by hackers. In his own words, "security is a tradeoff". As I mentioned above, this tradeoff is a no-brainer for me.
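One thing a drive-by attacker can exploit without any flaw in WPA is a weak passphrase. WPA/WPA2-PSK derives the 256-bit pre-shared key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 rounds), a public function, so once a handshake has been captured the passphrase can be guessed offline. The example below is added here (it is not from the essay or from any WPA tool) and uses the standard's own test vector; the candidate list is constructed, and the handshake-capture step is omitted, so guesses are checked directly against a known PSK rather than against a captured MIC.

```python
"""WPA/WPA2-PSK passphrase-to-PSK mapping (IEEE 802.11i) and the offline
dictionary attack it permits. Added example; candidate list is constructed."""
import hashlib


def wpa_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def recover_passphrase(target_psk, ssid, candidates):
    """Offline attack: derive each candidate for this SSID and compare.
    Returns the matching passphrase or None; cost is one PBKDF2 per guess."""
    for cand in candidates:
        if not 8 <= len(cand) <= 63:
            continue            # cannot be a valid WPA passphrase, skip
        if wpa_psk(cand, ssid) == target_psk:
            return cand
    return None


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: "password" / "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    # Constructed wordlist; a real attack would use millions of entries.
    wordlist = ["letmein1", "qwertyuiop", "password", "iloveyou"]
    print("recovered:", recover_passphrase(wpa_psk("password", "IEEE"), "IEEE", wordlist))
```

Because the SSID is the salt, a default SSID lets an attacker precompute tables for common passphrases in advance; a unique SSID and a long random passphrase keep this offline attack impractical, which is the check that actually matters for a home network.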

The bulk of Bruce's argument centers on social politeness. He keeps an open network to extend people "stranded without internet access" the courtesy of using his network. If this can be done without jeopardizing my own security I won't mind. However, I am not going to encrypt my disks, use strict password policies etc. in order to do that. Bruce already did that for other reasons, so "sharing" is easy for him. Good for his neighbors!

However, the social politeness argument involves another party: the ISP. This article does a good job of explaining that factor. Under most ISPs' terms of service, sharing your internet connection is analogous to sharing your cable TV: it is prohibited. There may be other terms of service where you buy internet access "by the byte or by the hour", and in those cases it is perfectly OK to let others use your connection. However, how many people will continue to extend this courtesy if it costs them by the byte? It is easy to share something that doesn't cost you anything extra. Bruce often uses economic reasoning, particularly the concept of externality, to explain security issues. That concept applies here: a subscriber's decision to extend his internet access to neighbors and others has a cost for the ISP. Charging by the byte or by the hour makes this externality "internal".

In conclusion, whether to use WPA on your home wireless really depends on your situation. If your computers are secured and your ISP does not mind, you may decide to extend "internet access courtesy" to those in your wireless range. Otherwise, it is better to secure your wireless connection.