Weekly Digest #3 – Interesting Articles

A rather large selection of news as I missed last week weekly digest!

Are Anti Virus Obsolete?
I recently had a discussion with a work colleague who was claiming Anti Virus are not as good at preventing infections as they used to be, technology is moving fast and Anti Virus vendors seem to be playing catchup with more and more delay. He also stated that most AV only detects 20% of new viruses… A claim I haven’t been able to verify by doing a quick search on the Internet, so let’s just say I agree we are seeing more and more new viruses that we, as security professionals, have to inform the AV vendors about.

On that topic, the future of AV looks to be a difficult road ahead as discussed in a recent Kaspersky’s interview below, what I found the most interesting is the last paragraph were they mention a hacker who wrote a tool which gathered many security company IP addresses. The hacker then used this information to change the behaviour of malicious software when installed in those security company sub-nets… meaning those companies could not properly study the behaviour of those malicious software, i.e.: it could be turning itself off or not show its true payload while being studied by AV vendors… I have to say… this is clever :)
http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1518312,00.html

Clean your smart-phone screen!
I saw 3 references from different sources on this topic this week. It is quite an obvious concept, as more and more mobile devices are using touch screen technology (think iPhone, Android, iPad) there could be an increasing risk that an attacker could analyse the oily smudge left by the user when typing his pass-code (which is typically 4 characters).

In practice this is not really useful, especially if you set your device to lock or wipe itself out after 10, 20 or more attempts (or less!). What I liked about that paper though, is that rather than trying all combinations of the 4 oily smudges left on the screen the attacker could try against a dictionary of most common patterns… i.e. increasing numbers, diagonals, etc

I don’t actually think this is of much value, unless you enter you pass-code and stop using the device… because if you don’t, very soon the full screen will be full of oily smudge!! moreover, it is much easier just to look at the person entering his pass-code than trying to guess by looking at the screen afterwards… so I would say you can keep you dirty screen as long as you hide your pass-code when typing it! still, an interesting concept!

The full paper is available here:
http://www.usenix.org/events/woot10/tech/full_papers/Aviv.pdf

How to hack a car!
When you read the following article you realise how sometimes technology can be too much technology! Some researchers have managed to hack into wireless tire sensors with a relatively cheap hardware kit and managed to remotely engage wipers, horns… and disable breaks!

What makes this even worse is that it seems wireless tire sensors are mandatory in the US since 2008…
http://arstechnica.com/security/news/2010/08/cars-hacked-through-wireless-tyre-sensors.ars

Smartphone challenges
The following article is about the challenges enterprises are facing with the rise of smart”devices” such as iphones, androids and ipad like devices. Most of those devices are now being bought by employees and used to access their company’s network in a very uncontrolled way.

This introduces a risk on how potentially sensitive data is secured on those devices and also where they get synced (i.e.: on home computers). What makes it even more challenging, especially with Apple, is that most of those vendors are customer driven and companies are now left with 3 choices:

– To close down access to their network resources
– To adapt to the customerisation of their client hardware (from the type of apps used to awareness campaign)
– Try to emulate RIM like security regardless of the client by the use of 3rd party software.

I believe this is a missed opportunity for companies like Apple for not trying to be more enterprise orientated. Rather than forcing companies to adopt their product through the companies’ employees desire for new gadgets, they could capitalise on the user/customer demand and offer more flexibility, openness and speed to also meet the enterprise security needs. The result would be a drive for much larger deployment from within the different support teams rather than just a handful of (often powerful) individuals within a company :)
Smartphone Challenges Article

Position based cryptography
I never thought about providing encryption based on where a recipient/sender is located. But Bruce Schneier speaks about a paper on his blog which describe just that. A research group just published a paper discussing position based cryptography being possible through Quantum Cryptography.

Basically, it would allow a message to be decrypted only if a recipient is located in a very specific geographical place. This sounds like a very interesting concept and I will try to find the time to read that PAPER.

Test your SSL implementation
Qualys is offering a free service to test the SSL implementation of public websites and if they have any issues. Do you wonder if you have any public websites with SSL which would not pass the test ;)
https://community.qualys.com/community/ssllabs

Weekly Digest #2 – Interesting Articles

WPA Cracking
An interesting reference on Schneier’s blog to an article describing a “in the cloud” service to crack WPA keys. It is the realisation of the concept of distributed security cracking mentioned in 2008 by Chad Perrin, not sure if he was the first to introduce that idea.
http://blogs.techrepublic.com.com/security/?p=4097

WPA2 Vulnerability – Hole 196
A new man-in-the-middle attack for WPA2 seems to have been found and recently demonstrated at the Defcon 18
http://www.airtightnetworks.com/WPA2-Hole196

World’s Top Malware
FireEye has produced a nice colourful report on the 20 top malware they found on the net with their technology. Although this could be guess, it is interesting that the top 4  types of malware are 1) Information gathering/stealing, 2) Generic Malware dropper, 3) Rogue Anti-virus and then Spam.
http://blog.fireeye.com/research/2010/07/worlds_top_modern_malware.html

Cisco 2010 Midyear Security Report
This is a good report published by Cisco on security risks and trends. Below is a very brief summary of what I found interesting in that report:
– An enterprise security landscape which is shifting in 3 areas: 1) A technological shift (mobile devices), 2) An economic shift (Virtualization of Operations) and 3) a Demographic shift (collaboration and social network)
– For each of those shifts, the report describes the associated security risks and provide some clear “generic” security steps to help address the risks (read here, non Cisco specific!)
– An interesting projection of number of “connected” devices by person… from 5 today to a prediction of 140 in 2013!! which push even more the need to move to IPv6 (if not for security reasons!)
– The logic behind what an attacker decides to focus on
– Security Attacks focus for 2010: 30% increase of spam compare to 2009, increase of attack on legitimate websites (i.e.: The Apple store)  and social networks.

So, all in all a very interesting report where only the last few pages offer references to Cisco specific products.
http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_mid2010.pdf

Weekly Digest #1 – Interesting Articles

Working in IT Security I receive and get to read lot of security related articles. I will list here a summary of the ones I found the most interesting, the idea is to try publishing this list on a weekly basis… not sure I will always have the time to do so, hence why the subject of those posts will be numbered, and we start with week #1:

–          Safari Vulnerability
An Auto-fill vulnerability in the Safari browser which allows attackers to get info from your personal contact details.
Reading the comments on that article, it is not clear if this could also affect other WebKit based browsers such as Chrome.
It may be best practise anyway to disable the auto fill option in any browsers you are using.
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html

–          New GSM-cracking software release… the call of Kraken!
A software called Kraken has recently been released and claims to crack the A5/1 encryption algorithm used by some GSM networks. Although this algorithm had been subject to attacks before, this is a new and very efficient method. According to that article, the GSM network is also the fall-back network for the 3G network, thus maybe exposing the security of 3G users too (but not of the 3G network per say)!
http://www.networkworld.com/news/2010/072210-new-kraken-gsm-cracking-software-is.html

–          Simple and safe password
A recent Microsoft research has described a new password policy scheme using simple but safe passwords. Instead of enforcing a complex password policy, the policy is based on password popularity… if a password is too popular it becomes a forbidden password.
Now I can see two requirements for this to work: a) (as mentioned in the article) A large user base population and b) (not mentioned in the article) for the system to have access to users’ clear text passwords, or for a unique “salt” to be used in the hash algorithm… not sure it would be a good thing!

The idea is that if all the passwords used are not “popular”, then it doesn’t really matter as much if they are complex as they would not be part of the “popular” passwords list. This however, would not protect you against a brute force attack!
Anyway, this is a refreshing take on a very old IT security issue…
http://msmvps.com/blogs/donna/archive/2010/07/21/passwords-that-are-simple-and-safe.aspx

Who cares about encryption?
An interesting poll study showing there is a consensus for most people that encryption is required, especially for mobile devices/users, but technical difficulties go in the way… something which has been associated with encryption technologies for a long time and although a lot has been done in recent years to simplify encryption implementation there is still some way to go.
http://www.theregister.co.uk/2010/07/20/who_cares_about_encryption/

New Version of Truecrypt

Truecrypt is a tool I have been using for a while, it is a great product and… free!

It allows for full disk encryption, being your desktop hardisk or a USB stick.

A new version has just been released, version 7, and it now provides:
– Hardware acceleration
– Auto-mount (windows)
– Security improvements related to windows hibernation files

Its main features are:
– Creates a virtual encrypted disk within a file and mounts it as a real disk.
– Encrypts an entire partition or storage device such as USB flash drive or hard drive.
– Encrypts a partition or drive where Windows is installed (pre-boot authentication).
– Encryption is automatic, real-time (on-the-fly) and transparent.
– Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
– Encryption can be hardware-accelerated on modern processors.
– Provides plausible deniability, in case an adversary forces you to reveal the password:
– Hidden volume (steganography) and hidden operating system.

More info can be found on the following website: http://www.truecrypt.org/

Email working again

This morning I checked my spam folder related to this website/domain name and noticed there had been no new spam for about a week… not that I am missing it but this did not sound quite right!

Indeed, it looks like my service provider recently had some issues with one of their site being compromised and used to host some malicious software and as a result their back-end domain was blacklisted by Google. Something they did not like too much…

They took the drastic decision to change their back-end domain, it seems to have worked. But in the process they have messed up some accounts. They have now fixed the issue with my domain but if you have sent me an email recently then, I am afraid, that email is lost and you probably did not receive any error message either!

I never thought spamming could be useful to the receiver of it, but in this case the lack of noise highlighted another issue :)

It was only yesterday…

For over 3 years this website has not been updated and it was time to give it a face lift!

It is actually quite astonishing to think this website has existed since 1998, 12 years! I guess I am getting older, my hair are getting greyer and there is less of it! One thing that hasn’t change though is my interest in Cryptography.

Because of a busy professional life in the IT Security world I haven’t been able to work on the BUGS algorithm for many years. However, I have recently completed a Master in Information Security at the London Royal Holloway University. I logically chose to work on a cryptography subject for my Master Thesis. This allowed me to spend some time back on the BUGS algorithm and, for the first time, learn some cryptanalysis techniques!

The main subject of my thesis was to give an “Overview of Modern Symmetric-Key Cipher Cryptanalysis Techniques”, as such after a general introduction on cryptography and cryptanalysis I focused on two main cryptanalysis techniques:
Linear and Differential Cryptanalysis
Finally, I started to conduct a cryptanalysis of my BUGS algorithm. Although I still haven’t conducted a full cryptanalysis on BUGS, my early tests seem to indicate the BUGS algorithm, may show some weaknesses if not used with its default settings. On the other hand it seems to be quite secure when default settings are used . However, I would need to pursue those tests further to prove this is correct.

In the process I have also highlighted what I believe could be a new type of cryptanalysis attack:
Unrestricted XOR-Sum Uniqueness Cryptanalysis attack
At this stage this is just a suggested new type of attack and more work is required to find out if this attack is indeed possible and if it offers any value!

So here you have it, this is what I will try to spend some time on in the coming months/years:
– To conduct a full cryptanalysis on BUGS and publish the results
– To investigate my new type of cryptanalysis attack

My MSc Thesis document is available HERE.

IT Security News & BUGS Cryptography Project