CryptoBlog – Data Security and Information Theory

Cryptography, Information Theory and Codes

December 26, 2008 • 10:10 pm 0

The Dark Face of Facebook

The popularity of networking sites such as facebook (and others of the same kind) is certainly a magnet for people with not-so-kind intentions. For starters, the place can be considered as a gold mine of personal information and ID thieves would love to work overtime to put their stakes on the ground, like in any good old day’s gold-rush.
I do not necessarily oppose the idea of networking sites, moreover I think they can provide a lot of value for most users. However I was intrigued by a comment my wife made about being able to look at pictures of somebody that is not in her list of friends. It looks like the security settings used by most people will allow a friend of a friend to look at your pictures or profile by just sharing a collection of pictures.
I setup my own account to see first hand how it works. I went through the security setups and found the BIG problem with the security in facebook. That is, by default, facebook leaves everything open, you are supposed to go and explicitly forbade the system to share information about you with third parties. This goes against the common-sense approach in security, that is, forbade sharing by default and let the user explicitly share (in an item by item fashion). Although this approach has the disadvantage of being annoying to most people, there is the only way to make sure you don’t end up sharing your dearest secrets with a stranger or maybe even an enemy.
A little bit of Googling around turn out a lot of references of bad thing that can happen: for example, many applications ask you permission to override certain security settings and it looks like the system allow third party companies to write applications. I do not know the process that facebook uses to vet these applications. I will not comment on that.
Below, a scary short video form the BBC, facebook’s answer to it and a bunch of links to keep you aware of the issues.

Here is the answer form facebook

Related and highly recommended
Safety Tips
The danger of facebook identity theft
facebook ignores huge security hole for four months
3 ways to protect yourself from social networking malware
For a Change Spammers get Whacked
The perils of sharing

Filed under: Authentication, ID Theft, InSecurity, Software, in the News , , , , ,

December 21, 2008 • 5:37 am 3

Authentication – Part III Passwords

Passwords have been the main tool for verifying identity and granting access to computer resources.In general, as FIPS 112 defines it, a password is a sequence of characters that can be used for several authentication purposes.

There are two security problems with a password; 1) somebody other than the legitimate user can guess it; or 2) it can be intercepted (sniffed) during transmission by a third party. Over the years, many different kinds of password generation methods and password protection protocols were designed to address  hese two weaknesses.

Password Strength

The security (strength) of a password is determined by its Shannon entropy , which is a measure of the difficulty in guessing the password. This entropy is measured in Shannon bits. For example, a random 10-letter English text would have an estimated entropy of around 15 Shannon bits, meaning that on average we might have to try \frac{1}{2}(2^{15}) = 2^{14} =16384 possibilities to guess it. In practice, the number of attempts needed would be considerably less because of side information available and redundancy (patterns and lack of randomness).  Since most human users cannot remember long random strings, a major weakness of passwords is that the entropy is usually too small for security. Even if the user can construct long passwords using an algorithm or a fix rule, the same rule may be know or guess by hackers. 

It is well-known to hackers that users commonly select passwords that include variations of the user name, make of the car they drive, name of some family member, etc.  Social engineering is one of the most powerful tools being used by hackers.

Because of limitations in the underlying infrastructure, some authentication systems (notably banks) limit the number of characters and the alphabet from which the characters can be chosen. These kind of limitations are susceptible to dictionary-type attacks. In a dictionary  or brute force attack, the hacker will attempt to gain access using words from a list or dictionary. If the actual password is in the list, it can be obtained (in average)  when about half of the total number of possibilities have been tried. Even with systems that limit the number of trials for a user this is a potential security risk, because the hacker has good chances at gaining access by randomly trying names and passwords until a valid combination is found.

It is commonly accepted that with current tools, up to 30% of the passwords in a system can be recovered within hours. Moreover it is predicted that even random (perfect) passwords of 8 characters will be routinely cracked with technology available to most users by the year 2016.

There are many documents that give rules and policies for good password selection such as NIST Special Publication 800-63 and SANS security Project.

CrypTool  (ver 1.4)  has a very good tool to check the strength of a password against several criteria such as the amount of entropy and the resistance to dictionary attacks.

image

 

Related Posts:

Filed under: Authentication, Infomation Theory, Security , , ,

December 17, 2008 • 6:28 am 0

Internet Explorer Security Hole

There is an important  Microsoft advisory regarding a security gap in Internet Explorer 7. More details here and there.

The main thing is that the defect can be exploited by hackers by luring user to go to a website containing the malware. By exploiting a zero-day flaw in IE the malicious site execute a Java Script in the users computer that downloads a trojan.

Be very careful when you follow links in e-mails. Microsoft have some workarounds to stay safe. Other browsers are not affected. 

Filed under: InSecurity, Software

December 5, 2008 • 3:31 am 0

Cryptool 2.0 Beta available for download

cryptool21

The latest stable version of cryptool is 1.4.21. I highly recommend to download both ;-)

Filed under: Encryption, Software , ,

Most Popular

About this blog

Data Security and Information Theory are essential to modern life. Far from being the exclusive domain of academics and geeks, the fundamentals and its application are easy to understand for most people. Here, my modest attempt to bring some of the issues to the public discourse and spread the knowledge to make the internet a safer place for your virtual self.

Click below to find out more

Short Presentation

View Mario Forcinto's profile on LinkedIn

Crypto Book

bookcover.jpg

ID Theft Resources

Copyright

© Mario Forcinito and CryptoBlog, 2007-2009. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Mario Forcinito and CryptoBlog with appropriate and specific direction to the original content.

Blog Stats

  • 7,247 visits

Categories

Archives

Crypto Links