November 16, 2009 • 12:49 am 0
An “Authentication Gap” was discovered in the latest version of SSL/TLS protocol.This could potentially be a huge problem. The gap is not due to some erroneous implementation, it is a property of the protocol.
Here is a list of links to websites where the issue is being followed:
Filed under: Authentication, Encryption, Hacking, InSecurity, SSL, Security, Technology, e-commerce, networks , Authentication, e-commerce, Encryption, Hacking, InSecurity, networks, Security, SSL
November 2, 2009 • 6:40 am 0
I have a few new reviews of papers on cryptography in my updated page. For those interested in the security of NMAC and HMAC or affiliation hiding key exchanges, I recommend reading the reviews. They include links to relevant papers.
Filed under: AMS, Authentication, Cryptanalysis, Cryptography, Encryption, Information Theory, Security , Authentication, crypt, Cryptography, Mathematics, Security
August 22, 2009 • 6:01 am 0
An article stating the need to protect biometric data appeared in the IEEE spectrum magazine. Not a lot of new information, a good summary of the threats as biometrics are being used more and more as authenticators.
Filed under: Authentication, Encryption, Security, biometrics, in the News , Authentication, biometrics, Encryption, Security
August 18, 2009 • 9:06 pm 0
It looks like Canadian laws are finally forcing Facebook to play nice with their users’ personal information.
read the whole article http://www.financialpost.com/news-sectors/technology/story.html?id=1902992
Filed under: InSecurity, Technology, in the News
August 7, 2009 • 3:36 am 1
Having all your personal information in one ID is not a very good idea, even if protected by a good encryption scheme. Having all your information in a card protected with a bad encryption scheme is definitely a bad idea.
That seems to be the case with the ID cards issued by the Home Office to foreign nationals working in the UK. As described in a news article, it looks that a cell phone fitted with an RFID scanner and a laptop is all the hardware you need to clone one of these cards and even change the information on it.
Embedded inside the card for foreigners is a microchip with the details of its bearer held in electronic form: name, date of birth, physical characteristics, fingerprints and so on, together with other information such as immigration status and whether the holder is entitled to State benefits.
This chip is the vital security measure that, so the Government believes, will make identity cards ‘unforgeable’.
But as I watch, Laurie picks up a mobile phone and, using just the handset and a laptop computer, electronically copies the ID card microchip and all its information in a matter of minutes.
He then creates a cloned card, and with a little help from another technology expert, he changes all the information the card contains – the physical details of the bearer, name, fingerprints and so on. And he doesn’t stop there.
These cards use the same technology as the ID card for British citizens unveiled last week by Alan Johnson, the Home Secretary. ID thieves must be anxiously waiting for the introduction of government ID cards, which will facilitate their daily jobs.
Filed under: Hacking, ID Theft, InSecurity, RFID, biometrics, in the News , ID Theft, in the News, InSecurity, RFID, Technology
July 8, 2009 • 4:29 am 0
The latest edition of Ouch! Newsletter issued an article on the risks of trusting too much personal information to social networks. The article include a list of tips to avoid getting in trouble, most of them an exercise in applying common sense.
ID theft is a constant threat as thing can get really serious out there. Alessandro Acquisti team of Carnegie-Mellon University conducted a study in which they were able to guess Social Security Numbers using information commonly available.
Acquisti and Ralph Gross report in Tuesday’s edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.
For people born after 1988 _ when the government began issuing numbers at birth _ the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts
Social networking is here to stay and , if you do it, make sure to practice ‘safe networking’.
Update
Ditto:
…..
Social networks are exploding in popularity. Forty-three percent of the online community now uses social networking sites, including Facebook, MySpace and LinkedIn. This is up from 27 percent a year ago, reports The Conference Board and TNS.
…..
The top concerns of social networking members — expressed by about 50 percent — are viruses/malware, exposure of information to strangers and lack of privacy. Women tend to be moderately more concerned than men. Only 14 percent claim they have no concerns, compared to 22 percent of men.
From a recent Conference Board Report.
Filed under: ID Theft, InSecurity, in the News , ID Theft, in the News, InSecurity
June 1, 2009 • 2:22 am 0
Many years ago I was involved in a research project looking to use tiny differences in processing time inside a computer as a way to fingerprint the device. The idea was not unique, I guess that at the same time many were busy looking for similar things.
The reason was that in the framework of Internet security protocols such as SSL, if each party can fingerprint the other party’s computer, that will add another dimension to the development of a strong authentication scheme. Eventually the company supporting the research run out of interest and money and I forgot all about the idea until I recently read the news.
Enter the Fingerprint Extraction and Random Numers in SRAM (FERNS) method developed by Holcomb, Burleson and Fu of the University of California Berkeley. They analyzed the initial state of the cells of a 512 kb Static Random Access Memory (SRAM) after power up and discovered that the stable states of some cells representing the bits were random, that is they have equal probability to be 1 or 0, while others cells were skewed to start as a 1 or as a 0. This property of the cells is due to imperfections of the fabrication process and are impossible to control.
A paper describing Burleson’s group work is going to appears in the IEEE Transactions on Computers.
From the Abstract
….. We use experimental data from high performance SRAM, and the WISP UHF RFID tag to validate the principles behind FERNS. We demonstrate that 8 byte fingerprints from an SRAM chip are sufficient for uniquely identifying circuits among a population of 5,120 and extrapolate that 16 to 24 bytes of SRAM would be sufficient for uniquely identifying every instance of the SRAM ever produced. Using a smaller population, we demonstrate similar identifying ability from the embedded SRAM microcontroller memory of the WISP. In addition to identification, we show that SRAM fingerprints capture noise, enabling true random number generation. We demonstrate that the initial states of a 256 byte SRAM can produce 128 bit true random numbers capable of passing the NIST approximate entropy test.
The possibilities for the application of this technology to authentication and key generation schemes are enormous, specially in the field of portable devices. To have an entropy generator “in a chip” is great, if you get that together with a fingerprint of the chip is wonderful news. Certainly we’ll hear more about it.
Related reading: Quirks of RFID Memory Make for Cheap Security Scheme
Filed under: Authentication, Entropy, Fingerprint, RAM, RFID, Random Numbers, SRAM, Security, Technology , Authentication, Technology, Entropy, SRAM, Random Numbers, Fingerprint
April 18, 2009 • 5:49 am 0
Continuing with the main theme my last two posts, hacking, I am going to wrap up with this post about Secure Processors.
A secure processor is meant to protect the information and the communications, validate the communications channel and be tamper-resistant, should it falls into the adversary’s hands.
Successful hacking of secrets has the duality of being a happy/sad event, depending on which team are you playing for. The design of secure processors makes this duality patent as, in practice, the most important evaluation criterion is that the resulting product should resist the designer’s best attempts at hacking it.
The current research and development efforts are guided by U.S. DoD Anti-Tamper specifications. To prevent reverse engineering, architectures of secure processors are based on a combination of hardware and encrypted software in such a way that if the hardware is captured, its exact functions cannot be guessed without knowing the encryption keys. During WWII, the capture of an ENIGMA machine paved the way for the breaking of the enciphering by the allied forces. These historical lessons are incorporated into today’s design criteria. Some design even incorporate sensors that will detect attempts at using physical means to force the hardware and destroy the critical information upon detection (often called zeroization).
A new dimension to the problem is added by procurement system. Electronic chips are nowadays a commodity and absolute control over the manufacturing of chips is not possible. Therefore it is essential to ensure that the critical parts, that is the processors, are designed and made in controlled facilities.
The lessons learned in military applications are now being applied to commercial system. This is where the lines blurred because in the interconnected world the enemy can wreak havoc on the infrastructure without firing a shot. Communication and control networks associated with utilities will become more resistant to attacks by using computers fitted with secure processors.
Related:
Filed under: Anti-tamper, Cryptography, Encryption, Hacking, Security, Software, Technology , Anti-tamper, secure processors, Security, Technology
April 10, 2009 • 3:22 am 1
After the Conficker April fool’s day scare fizzled, they try to scare us saying that utilities can be hacked through the internet …
Wait!, they already were hacked !
Filed under: InSecurity, Misc., in the News
March 19, 2009 • 5:30 am 0
I recently discussed the problems associated with weak passwords here. Since then, there have been a few cases of hackers publishing stolen passwords form popular sites such as phpbb or the passwords that the conficker worm uses to spread across shares. Some researches report that people often use the same password on many websites making themselves vulnerable to serious attack if the password for a low value website is the same as the one used in a high value target
Password selection tips abound and as long as your password has enough entropy, users data is somewhat out of reach of most hackers.
Despite the advice of security gurus, the manifest limitations of the average human brain for generating and remembering more than a few passwords is a physical barrier to a widespread adoption secure practices. Password managers may help to keep your passwords organized. They have functions to generate strong passwords and can connect directly with browsers or e-mail programs.
Another way around is the OpenID network that allow users to have one identity for multiple on-line services. The OpenID protocol is inclusive enough that can work as an Authenticator using biometrics or smart-tokens. Open ID is still in the adoption phase, not all online services accept it.
Filed under: Authentication, Security, biometrics, in the News, passwords , Authentication, Cryptography, passwords, Security
Data Security and Information Theory are essential to modern life. Far from being the exclusive domain of academics and geeks, the fundamentals and its application are easy to understand for most people. Here, my modest attempt to bring some of the issues to the public discourse and spread the knowledge to make the internet a safer place for your virtual self.
Click below to find out more
ScienceDaily: Computer Security News Wired: Commentary
