Wednesday, November 29, 2006

Programmers please do meet Designers

As an open source programmer I try to make my code very flexible and customizable. This means that my code may be read by someone else and take extra modules or be applied in various environments and still behave in an optimal way. This is achieved through a variety of options and parameters passed at run time by the end user. Sounds cool, right?

Well, this demands a configuration file, in the worst case, as long as the number of options the code parses. Of course all is set to default and the end user may never notice but what happens when we go GUI?

A Graphical User Interface is connected to a "user-friendly" way of controlling a program or a computer in general. The problem starts with the way people understand this. For me, user-friendly is when I am given a list of options (well documented of course) which shape the program according to my wish. For someone else, user-friendly is a program which contains only one button "Run" and NO options. The user clicks "Run" and it runs, no questions asked. The user will never understand what is going on. The program may not work properly or may not work at all. The user doesn't know. As long as nice balloon messages pop up, everything is smooth.

So... it is very important to take the burden of GUI from programmers and establish communication channels with designers. Otherwise you'll get something like this:


Combating Keyloggers

Ever found your self in an Internet Cafe checking your e-mail or a forum you are registered in? Did you stop for a moment to assess your security? Is someone looking over your shoulder? Is someone watching you in any way? Is the computer you are logged in infected with programs recording every keystroke? (You can't really check that one) No? Well, you should!

Ideally your presence in a public Internet access place should be entirely transparent. This means you should not type in at any time any personal information (no form filling, no logging in).

Anyway, I've come across a very interesting paper (PDF) which describes a simple yet effective technique in entering secure credentials in a compromised computer. It all begins with the basic principle in security: always assume someone is listening. So let's say you are sitting in a public computer. Always assume there's a keylogger installed which records every keystroke therefore is able to record your username and password as you type them.

For every valid username or password character you type, click somewhere outside the form and hit a long string of random characters. Then go back inside the form and continue with the second character, etc. That way while you'll have entered "ABC" as you password, the malicious software will have recorded "AasdsalklkblB9rbvmdsaCdg9tmbafff" (capital letters are used to distinguish the actual token).

This works because the keylogger may know that you are inside an internet Browser and what keys you press but cannot figure out the exact location of the keyboard cursor.

Sounds like a good trick huh? Well, I agree. It is pretty good. But let's be smart about using it.


[ Debugging... ]

Improper use of any security technique is all it takes to render it useless.

In the above method you should not type the same password twice in the same computer because, as you can understand, patterns emerge. So if I type:
AasdsalklkblB9rbvmdsaCdg9tmbafff
AlkfdlgmkmbkdasB324kfdlklCkfkbba
dmfdlkdsAmmkdgfg552BdfdffdCcba

we have three strings of characters all containing, for sure, the actual password.

Now all we have to do is use a known algorithm which uses certain known characteristics to crack the system. For starters if a certain letter or number or symbol is not present in all three tokens, it is excluded since it can't be part of the password (which exists in all three). Next, there's the sequence of characters. If for example we encounter the sequence "mb" (and not the sequence "bm") in only one or two of the tokens then either "m" or "b" have to excluded. The algorithm goes on so that only a few characters are left and then we start with possible combinations. If we take into account that most users use 5-8 character-long passwords, a brute force won't be too hard.

Of course there's always the smart way called Longest Common Subsequence problem.


Let's sum up...

what we have here is a very practical technique in protecting our sensitive information from a keylogger. But we must use it wisely and only once since patterns emerge which can bring the whole thing down.

P.S.: Also please consider the majority of users, when asked to type in a random string, will go for "asdf..." due to their fingers' position on the keyboard. Not so random :P
So here you have another characteristic which can make the cracker's life a lot easier.

Saturday, November 18, 2006

RFID Passports Cracked

It seems that the new uber-secure RFID Passports issued by many European countries after pressure from the U.S. are not that secure after all.

RFID Passports are ordinary-looking passports containing, besides the "human readable" information and authenticity signs, a Radio-Frequency Identification Chip which stores all printed information (and more) and transmits them to wireless readers used at Border Control. The reason for the chip's existence is that it is considered (or at least was) impossible to copy or forge so that even if a malicious person managed to reproduce the actual document he would never make it in producing a valid chip to complete the passport.

So one could ask "what if I buy an RF Reader for $9.99?". Well, authorities are using the 3DES encryption algorithm to encrypt the information on the chip. It is currently considered an above average method, providing 112 bit effective security.

The problem starts with the (known) fact that three public pieces of information are used to build the encryption key: (in the exact order) the passport's serial number + the owner's birth date + the passport's expiry date. So... you don't have to attack the encryption! Just find out (pretty easily) that kind of information and you have yourself the actual encryption/decryption key. Then you can go home, in your garage and clone or modify the chip's contents.

This is very much disturbing since the whole purpose for the new passports was the security provided by that chip but it turns out there are a few wide cracks in it.

[...]

Another problem with these passports is that they transmit in the air and that they are (normally) unique. So... one could identify you by placing an RF Reader inside a dumpster that you walk by every day. And maybe place a bomb inside that would go off if you and only you be in proximity.

Of course, official authorities have issued passports sleeves that act as "RF shields". According to this the chip cannot be read from inside that sleeve and you only take it out just before the police checkpoint. Well, it has been demonstrated that even then, the chip can be read. You just have to be really close to the subject. Doesn't seem like a problem when you are packed up against each other in a crowded area like the subway or a huge waiting line in the airport.


To sum up, current government efforts to control foreigners in their countries seem like panicked maneuvers of a nation under attack. If they feel that way, then somebody should admit it and then maybe we can all go home at toss those e-passports away (maybe shred them and burn them just to be safe).

And for the last time, just leave cryptographers to deal with cryptography issues!

Committee members are excellent at screwing it all up.

Goodnight.

Monday, November 06, 2006

"For your convenience"

It is a common joke here in Greece the story about a boyscout who desperately wants to do his good deed for the day and helps an old woman cross the street although she preferred to stay on the other side. The last few years many services online tend to do things for us, before us.

For example, today I received a World of Warcraft 10-day free pass from a friend of mine. According to the instructions all I had to do was install the game and create an account using the key written on the pass to play for free on the WoW servers. Right? Wrong! During the account creation process Blizzard asked me for my credit card number. Why? So that should I wish to continue my "online experience" I won't have to go through a new registration process and possibly don't make it in time to keep my current character in the game. In fact the disclaimer insists that this is for my own "convenience" and that if I make that choice (to renew my subscription), my credit card will be automatically billed every time my pre-paid time expired to ensure "undisrupted gameplay". The above are an essential step in the "free" account registration process. If I want to get a free account, I have to fill in my credit card number. I may stop playing at the end of the 10-day free period and never get a new subscription ever again. It doesn't matter for them. They still need my credit card information. Of course I do not believe this is a scam and that I'll be billed but what a minute.

The problem is that Blizzard will store and manage my sensitive credit card details according to its policy. Well, I do NOT trust that policy. Having that information available in some hard disk somewhere in the world does NOT make feel safe. And what if some cracker manages to compromise the safety of their systems? Certainly no one can claim they have a "hack-proof" system. You never know the next point of penetration until you are penetrated in that way. So why do I have to worry about that?

Giving your credit card for an one-time automated billing process is one thing and keeping it stored for the future is quite another. The people who use the second policy have to say in their defence that the user does not have to go through the information fill-in process again and again. I don't mind. As long as we are talking about SSL sessions I really don't mind typing in a few letters and numbers every time I want to buy something.

So this is a classic case where they make me give up my information for them to store in order to make a single purchase. I may never get anything from them in the future. That doesn't matter. For my "convenience" and "service" they'll keep that information. Well, if they care so much about my "convenience" why don't they take the time to ask me what I really want?

How safe do you feel about your online accounts? Right now, this moment, assume your identity is compromised. What would you lose? Do you have your credit card details stored somewhere? Assume they are compromised. How much money do you have in your bank account? Think about it.

These things scare people off the net. It's not me or any other guy talking about security and possible attacks. It's the marketing departments of companies providing "digital ease" and then when someone hacks in one of these databases and it hits the newspapers everyone is terrified and talking about how vulnerable we are against these "criminals".

Let's go back to the Blizzard case. I did not give my credit card. For a moment I considered opening another bank account and having a second credit card, linked to that account, so that I can contain a possible disaster (I would keep a very limited amount of money there etc). Then again why should I do it? Why should I get into paperwork and banks and ultimately employ a very "inconvenient" way in order to register in a system designed for my "convenience"? And what if I do not have a credit card? World of Warcraft subscriptions may be payed with the use of pre-paid cards sold in stores. Many people, especially teenagers, use them. So there's an alternative payment method for full-time subscriptions but not for guests.

To sum up, the "free guest pass", designed to bring people in the game, worked exactly the opposite way for me. And any other "smart" system that works for my "own good" without asking me what I really want will never have me as a customer.


Dear Blizzard,

I am not technophobic or anything. In fact the majority of my purchases are placed online. I am into technology and that's why I want to see things getting more secure and therefore more user-friendly. I JUST DO NOT TRUST YOU GUYS.

Friday, November 03, 2006

Reorder accounts in Thunderbird

Ever wanted to change the order in which Thunderbird presented your e-mail accounts in the left panel? Me too. Unfortunately it is not that easy for a novice user.

First of all, I tried to think like the people who wrote it. We' re talking about serious developers here. So it is common to allow a lot of configuration/customization to be done through special files (known as "conf" files). These files contain text which is interpreted by the application at runtime and are an excellent way to pass many arguments. This provides much more options that the typical "Options" button under the Tools menu.

So I started looking around my Thunderbird Profile folder until I found "prefs.js". I opened it using a serious text editor like Notepad++ to find the entry:

user_pref("mail.accountmanager.accounts", "account1,account2,account3");

I experimented by swapping "account1" with "account3" and restarted Thunderbird. And guess what, it worked!

Excellent Tip if you ask me :)

Oh, make sure you are not running Thunderbird while modifying this file and, just to be safe, take a backup before doing anything.

P.S.: You Profile folder should be located under "C:\Documents and Settings\[username]\Application Data\Thunderbird\Profiles\"