STE WILLIAMS

Google scrambles to block backdoors


The ongoing revelations about NSA snoopery have prompted The Chocolate Factory to accelerate its effort to encrypt user data at every possible point.

Mountain View had already announced that its Google Cloud Storage platform was adding server-side encryption to reassure users. User data uploaded to the service is now being encrypted using AES-128 in RAM before being written to disk.


Now, according to the Washington Post, Google is also planning to encrypt data travelling between all of its data centres. The company’s security engineering VP Eric Grosse described encryption as “an arms race” and told the newspaper government agencies are “among the most skilled players in this game”.

The company told the Washington Post the current program is an acceleration of an effort first approved in 2012.

Details are sketchy about the extent of the latest effort: while the Washington Post leads its story saying that Google will encrypt “the torrents of information that flow among its data centres around the world” (which would indicate encryption at the network edge, designed to thwart covert taps on fibre links), Google later told the outlet that encryption would be “end-to-end”, covering both the links and the data held within its data centres.

Its earlier Google Cloud Storage work will, however, have given Google a good idea of both the computational and performance requirements of implementing an “encrypt everything, everywhere” strategy.

Google would still be bound to comply with legal requests for data, backed by a court order or warrant. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/10/google_scrambles_to_block_backdoors/

Tackling Enterprise Threats From The Internet Of Things

With all of the sensational stories about baby monitors being taken over by remote intruders and SCADA systems perennially vulnerable to potentially disastrous flaws, it’s easy to forget that insecurity of the Internet of Things isn’t just relegated to consumer devices and critical infrastructure.

The ever-growing fabric of smart devices with dumb security poses very real workaday risk to the average enterprise. It’s risk that comes by way of network devices, physical security systems, instrumentation systems and any number of machine to machine (M2M) communications running in enterprises today.

In short, the Internet of Things “brings a whole new Internet of harms,” says Jeff Williams, CEO of Aspect Security.

“Currently, most harms caused by internet attackers cause digital harm, not physical,” he says. “But when attacks can have real world consequences, attackers will surely find a whole new set of ways to cause harm: causing fires, overloading networks, turning off refrigeration, opening locks, blocking communications, starting alarms, suppressing alarms, cutting power, releasing chemicals, stopping cars, hiding the remote. The jump to an Internet of Things is huge, and so is the leap in security thinking that will be needed to make it safe.”

As Williams’ examples show, one of the big issues posed by embedded systems and M2M is the blurring of the line between physical and logical security, with vulnerabilities in either potentially compromising both.


“As these lines blur and more systems and things are brought into the IT/IS framework, it stretches the boundaries of what is now considered a targetable asset and how we must protect them,” says Vann Abernethy, senior product manager at NSFOCUS. “It is no longer just information that we must safeguard, but physical security systems, manufacturing automation, and the physical machines themselves.”

Often the weakest and most dangerous links in the embedded device ecosystem are the devices small enough for administrators to forget about, but large enough to be running a full Linux stack or a full version of embedded Windows, says Spencer McIntyre, security researcher for SecureState.

“These devices are running software that is well known enough that there are vulnerabilities in them and these vulnerabilities can be leveraged by attackers,” he says. “A lot of times it’s all that is needed by an attacker to be able to pivot into a network and gain access into more systems.”

He gives an example of a penetration test one of his colleagues ran just last week that played out that scenario exactly. According to McIntyre, his coworker used an exploit that McIntyre had written in the past year for LifeSize teleconferencing systems to compromise one of those devices in the client’s environment.

“He was actually able to use that as a beachhead to actually contact the internal domain controllers of this organization and he was able to run attacks on internal systems from this teleconferencing system that was exposed to the Internet,” he says.

According to HD Moore, chief research officer at Rapid7, the pervasive susceptibility of embedded systems to exploit is déjà vu for the security world.

“This is like 1995 all over again; it’s great from an exploit standpoint, but it’s terrible for all of security,” he says. “We spent all this time trying to lock things down, like Windows 7 having ASLR, and (developing) all these really great tools to lock down your desktops and clients and even mobile phones that are getting pretty solid. You don’t see these types of improvements happening in the embedded device world.”

Moore has spent a good part of 2013 conducting research about the state of embedded devices online. This spring he published a report that found more than 300 million IP addresses online hosting network devices with known flaws or configuration problems. Such statistics show that we’re at another security inflection point, experts say.

“I think we’re at a place where we need to figure out what to do because we do need to do something about this,” says Adam Ely, co-founder of Bluebox Security. “We have to understand how we protect ourselves, how we update ourselves and then once we understand that, to apply context and risk-based practices to it to really know what to address—and in what order—and what doesn’t matter.”

Abernethy believes that in this quest of improving the security around embedded devices, forensics and situation awareness become even more important than with traditional systems.

“Track and monitor everything,” he suggests. “Build zones and track their interactions – understand how each system works, how they interrelate and look at all possible vectors.”
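The pivot McIntyre describes (an internet-exposed teleconferencing appliance reaching the internal domain controllers) is exactly the kind of interaction Abernethy’s zone advice is meant to surface. The following Go program is an added example, not code from the article or from any of the vendors quoted: it assigns addresses to zones, keeps a hypothetical allow-list of permitted zone pairs, and runs a handful of constructed flow records through it. The zone ranges, the policy and the log lines are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// zones maps a zone name to its address range. Constructed for this example.
var zones = map[string]string{
	"dmz-embedded": "203.0.113.0/24", // internet-facing appliances
	"domain-ctrl":  "10.0.1.0/24",
	"workstations": "10.0.10.0/23",
}

// zoneOf returns the zone containing ip, or "external" if none does.
func zoneOf(ip net.IP) string {
	for name, cidr := range zones {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return name
		}
	}
	return "external"
}

// allowed is the hypothetical policy: the zone pairs the design permits. Every
// other cross-zone flow is flagged, however ordinary the protocol looks.
var allowed = map[string]bool{
	"external->dmz-embedded":     true,
	"dmz-embedded->external":     true,
	"workstations->dmz-embedded": true,
	"workstations->domain-ctrl":  true,
	"domain-ctrl->domain-ctrl":   true,
}

// flow is one record of the form "<time> <src:port> -> <dst:port> <proto>".
type flow struct {
	when, dstPort, proto string
	src, dst             net.IP
}

func parseFlow(line string) (flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[2] != "->" {
		return flow{}, fmt.Errorf("malformed flow record: %q", line)
	}
	srcHost, _, err1 := net.SplitHostPort(f[1])
	dstHost, dstPort, err2 := net.SplitHostPort(f[3])
	if err1 != nil || err2 != nil {
		return flow{}, fmt.Errorf("bad endpoint in %q", line)
	}
	src, dst := net.ParseIP(srcHost), net.ParseIP(dstHost)
	if src == nil || dst == nil {
		return flow{}, fmt.Errorf("bad address in %q", line)
	}
	return flow{when: f[0], dstPort: dstPort, proto: f[4], src: src, dst: dst}, nil
}

// Violations returns one line per flow whose zone pair the policy does not allow.
func Violations(log string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fl, err := parseFlow(line)
		if err != nil {
			return nil, err
		}
		pair := zoneOf(fl.src) + "->" + zoneOf(fl.dst)
		if !allowed[pair] {
			out = append(out, fmt.Sprintf("%s %s %s:%s/%s", fl.when, pair, fl.dst, fl.dstPort, fl.proto))
		}
	}
	return out, nil
}

// sampleLog is constructed; the last three records model the beachhead.
const sampleLog = `
2013-09-10T14:01:03Z 10.0.10.23:49152 -> 10.0.1.5:389 tcp
2013-09-10T14:01:09Z 198.51.100.4:4433 -> 203.0.113.7:443 tcp
2013-09-10T14:02:11Z 203.0.113.7:51234 -> 10.0.1.5:389 tcp
2013-09-10T14:02:12Z 203.0.113.7:51235 -> 10.0.1.5:445 tcp
2013-09-10T14:02:40Z 203.0.113.7:51301 -> 10.0.10.23:445 tcp
`

func main() {
	v, err := Violations(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, line := range v {
		fmt.Println("VIOLATION", line)
	}
}
```

The first two records (a workstation querying LDAP, the internet reaching the appliance) pass; the last three, the appliance reaching a domain controller on 389 and 445 and then a workstation, are flagged. The point is that none of the flagged packets is malformed or unusual on its own; only the zone pair gives the pivot away, which is why the allow-list has to be written down before the device is forgotten.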

Additionally, the industry and enterprises must work together to find better ways to update systems when vulnerabilities are discovered.

Perhaps more radical, some within the identity and access management (IAM) world say that getting embedded risks under control will require a paradigm shift in access management, moving from a user-centric to a device-centric view of how identities are managed.

“As more and more devices become connected, and ‘self aware,’ we are going to need to be able to reliably and uniquely identify each thing, regardless of location or any kind of static context,” says Allan Foster, vice president of community at IAM vendor ForgeRock. “Not only do we need to identify the thing, but we also need to ensure that the identity cannot be hijacked or impersonated whether the cause is malevolence or a stressed environment.”

This may not necessarily supersede other pushes for user federation schemes, but it could mean added layers of complexity, and standards, involved in IAM initiatives, says Patrick Harding, CTO of Ping Identity.

“The identity protocols and token formats used to communicate device identity versus user identity should be consistent,” he says. “There are existing initiatives that aim to standardize M2M interactions across this heterogeneity so the hope is that, like IP HTTP on the Internet, there will be a common addressing model and set of protocols.”


Article source: http://www.darkreading.com/vulnerability/tackling-enterprise-threats-from-the-int/240161055

US health care company faces giant class action suit for losing over 4,000,000 unencrypted records

Back in July 2013, four computers were stolen from a large health care provider in Illinois, USA.

At first blush, it doesn’t sound like “Crime of the Century,” but according to reports, those missing computers have become a huge thorn in the side of Illinois-based Advocate Health Care.

That’s because the computers contained Personally Identifiable Information (PII) of patients going right back to the 1990s – four million of them, in fact.

The computers were password protected, whatever that means, but the data on their hard disks was not encrypted.

In theory, then, if you were to put the hard disks into another computer, or boot the “protected” computers from a CD or USB key, you would almost certainly be able to copy off any or all of those four million records.
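Both the Google item at the top of this page (data encrypted in RAM before it reaches disk) and the Advocate theft come down to the same property: what the thief gets by pulling the drive or booting from USB is whatever bytes were written, and an OS login prompt changes nothing about those bytes. The Go program below is an added example, not code from either company: it encrypts a constructed record with AES-128-GCM before writing it, then scans both the plaintext and the ciphertext file the way someone with raw disk access would. The record contents are made up, the key is generated on the spot for the demonstration, and the file layout (nonce, ciphertext, tag) is this example’s own choice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Record is a constructed stand-in for one patient record. Not real data.
type Record struct {
	Name, Address, DOB, SSN string
}

func (r Record) Bytes() []byte {
	return []byte(r.Name + "|" + r.Address + "|" + r.DOB + "|" + r.SSN)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext in memory and returns nonce||ciphertext||tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails closed on a wrong key or any modified byte.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// WriteRecord encrypts r in RAM and writes only ciphertext to path.
func WriteRecord(path string, key []byte, r Record) error {
	blob, err := Seal(key, r.Bytes())
	if err != nil {
		return err
	}
	return os.WriteFile(path, blob, 0o600)
}

// DiskLeaksPlaintext models the thief's position: raw access to the disk
// but no key. It reports whether any given field can be found by scanning.
func DiskLeaksPlaintext(path string, fields ...string) (bool, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	for _, f := range fields {
		if bytes.Contains(raw, []byte(f)) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "pii")
	defer os.RemoveAll(dir)
	key := make([]byte, 16)
	rand.Read(key) // in practice the key lives in a key manager, never on the same disk
	rec := Record{"Jane Example", "1 Example St", "1970-01-01", "078-05-1120"}

	plain := filepath.Join(dir, "plain.rec") // the "password protected" host: data in clear
	os.WriteFile(plain, rec.Bytes(), 0o600)
	enc := filepath.Join(dir, "enc.rec")
	if err := WriteRecord(enc, key, rec); err != nil {
		panic(err)
	}
	l1, _ := DiskLeaksPlaintext(plain, rec.SSN)
	l2, _ := DiskLeaksPlaintext(enc, rec.SSN)
	fmt.Println("plaintext file exposes SSN:", l1, "- encrypted file exposes SSN:", l2)
}
```

Two caveats the example makes visible. The ciphertext file is only as safe as the key, so a key stored next to the data (or derived from the same login password the thief can brute-force offline) buys little; that is what “properly implemented with a secure key management structure” means further down this page. And GCM is authenticated, so a tampered record fails to decrypt rather than yielding silently corrupted PII.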

The stolen data is said to have contained at least names, addresses, dates of birth and Social Security numbers (SSNs).

SSNs are the closest thing that the US has to a national identity number, giving them an influence in identity and identification that they don’t really deserve.

With your address, date of birth and SSN, an identity crook has a pretty good shot at committing fraud in your name.

So, Advocate has apparently already been hit with the expense (and hassle) of contacting the affected patients, and of offering them a year of free credit monitoring.

Credit monitoring services aim to keep their eye on financial transactions carried out in your name, helping you to spot fraudulent activity on your existing accounts, as well as attempts to open new accounts that you might otherwise know nothing about.

Now, things have just got a whole lot more onerous, with the filing of a class action suit that could end up pitting millions of individuals against Advocate in court:

This is a consumer class action lawsuit brought by Plaintiffs, individually and on behalf of all other similarly situated persons (i.e. the Class Members), whose unencrypted personally identifiable information and personal health information — names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, their medical diagnoses, medical record numbers, medical service codes, and health insurance information (collectively referred to as “PII/PHI”) — entrusted to Advocate was stolen by a thief or thieves while in the possession, custody, and control of Advocate.

(You have to love lawyerly English. Why not use three words when none would have done? The data wasn’t just stolen from Advocate, it was stolen from the company’s possession, custody and control.)

Class actions of this sort can end up expensive for the defendant (and lucrative for the lawyers, I must add, which may help to explain their propensity for pleonasm).

Facebook, for example, recently paid out a settlement for attaching its users’ names and photos to online ads without permission; the bill for that, which involved just over 600,000 eligible claimants, came to $20 million.

The chief lawyer of the company that has taken on the class action against Advocate said:

In this age of advanced technology, Advocate had to realize that its unorthodox methodology for maintaining important and private data posed a risk to the safety and security of their patients.

I don’t mean to excuse Advocate’s lapse, and I don’t disagree that the company should have realised the risk it was taking, but (for all the wrong reasons) I’m not so sure about the word “unorthodox.”

In my experience, encryption is still a technique more honoured in the breach than in the observance, with an awful lot of the world’s PII stored in plaintext.

At the end of 2011, for example, we bought a stash of USB keys from an Australian train company’s lost property auction, interested to see what we might find.

We ended up with 50 USB keys containing 4443 directly readable files, ranging from movies and images, through tax records and software source code, to the minutes of an activists’ meeting.

The number of encrypted files we found?

Zero.

We need to change the world so that storing data unencrypted really is unorthodox.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M9obu9zmbVE/

Yet Another Reason To Hate Online Ads

I’ll readily admit I’m numb to advertising — at least when I’m online. Ads are everywhere, taking up every visual inch of screen real estate, with the exception of the text I’m looking at. But I just focus on the text I’m looking for, so the rest of the stuff is noise. It’s a bit different with TV since the magic of the DVR allows me to skip pretty much all of the ads. When I’m on the road and not using a DVR, I realize the true annoyance of these TV ads. In fact, I don’t really watch TV without a DVR, with the exception of live sports. And in that case, the commercials annoy me.

But that’s just annoyance, right? You can tune out the ads. Or check your Twitter or Facebook for two or three minutes while you learn about the latest magic pills to cure insomnia, frequent urination, or erectile dysfunction. (As an aside, if anyone has a good way to describe erectile dysfunction to a 10-year-old, I’m all ears. It’s just a matter of time before I’m watching a football game with my kids and one of those ads shows up.)

Yet at Black Hat, my friends Jeremiah Grossman and Matt Johansen showed that online advertising networks can be manipulated and gamed by attackers using pretty simple tactics to launch an attack (typically DDoS) against a specific site without any effort from the user. All they have to do is render a Web page with the attack ad embedded. We’ve spent years talking about not clicking on strange links or not going to those sites. But that’s about not being in a bad neighborhood. What if the bad neighborhood comes to you?

That’s right: If an advertising network accepts a compromised ad, likely paid for with a stolen credit card, it will display the ad almost anywhere on legitimate sites. There isn’t much the website can do — it has outsourced the ads to the ad network. The ad networks should have better controls, but well, you know. It’s basically a drive-by attack that you can’t really block. Render the legitimate page and get owned. That’s awesome, right?

As Jeremiah and Matt described during their session, “Networks that serve up advertisements on ad-supported sites across the Internet frequently allow their advertisers to run arbitrary JavaScript on browsers displaying their ads.” This JavaScript (if the browser is set to run JavaScript, which is the default mode) can have the browser make a request to the target, start a drive-by malware download, or lots of other diabolical stuff.

Even better, the pair of researchers got around an ad network’s typical need to approve every change to an ad (for instance, changing the target) by referring to an external site to download the target URL or any other instructions in real time. JavaScript for the win. This gives an attacker the ability to dynamically change anything pertaining to the attack at will.

I know this is the “vulnerabilities and threats” section, and I don’t necessarily need to suggest some ways to deal with this kind of attack. But that’s not how I roll. So here are a few not-so-simple things you can do to protect the devices from this kind of activity. First, you can implement advanced malware protection on the endpoint devices, as I described in “Controlling the Big 7.” This doesn’t really help if the ad just gets the device to render a website (for DDoS purposes), but it can stop other compromises targeting the endpoint device.

Next is to address the traffic by blocking it on the network. Maybe you tighten the egress filtering policies on your NGFW, IPS, or Web filter, looking for traffic bursts to a specific site. Or perhaps you implement a pretty tight device firewall policy to block outbound Web traffic unless it’s approved. I use a tool called Little Snitch, which does this. It’s a great tool, but it’s a pain. The user would need to be sophisticated enough to realize an outbound connection request is no bueno and to deny it.
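The “traffic bursts to a specific site” signal is worth spelling out, because an ad-driven DDoS looks different from the inside than a compromised host does: many unrelated browsers, none of them infected, converge on one destination at the same moment. The Go program below is an added example, not code from the column or from the researchers’ talk: it parses constructed proxy log lines, groups requests by destination host, and flags any host that receives a burst from several distinct internal clients inside a sliding window. The log format, the thresholds and the client addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Request is one outbound web request as a proxy or NGFW would log it.
type Request struct {
	At     time.Time
	Client string
	Host   string
}

// parseLog reads constructed lines of the form
//   2013-09-10T15:00:01Z 10.0.10.23 GET http://victim.example/ 200
func parseLog(log string) ([]Request, error) {
	var reqs []Request
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		u, err := url.Parse(f[3])
		if err != nil {
			return nil, err
		}
		reqs = append(reqs, Request{At: at, Client: f[1], Host: u.Hostname()})
	}
	return reqs, nil
}

// Burst describes a suspicious concentration of egress traffic on one host.
type Burst struct {
	Host     string
	Requests int
	Clients  int
}

// DetectBursts flags any destination that receives at least minRequests from
// at least minClients distinct internal hosts inside one sliding window.
func DetectBursts(reqs []Request, window time.Duration, minRequests, minClients int) []Burst {
	byHost := map[string][]Request{}
	for _, r := range reqs {
		byHost[r.Host] = append(byHost[r.Host], r)
	}
	var out []Burst
	for host, rs := range byHost {
		sort.Slice(rs, func(i, j int) bool { return rs[i].At.Before(rs[j].At) })
		for start, end := 0, 0; end < len(rs); end++ {
			for rs[end].At.Sub(rs[start].At) > window {
				start++
			}
			if end-start+1 < minRequests {
				continue
			}
			clients := map[string]bool{}
			for _, r := range rs[start : end+1] {
				clients[r.Client] = true
			}
			if len(clients) >= minClients {
				out = append(out, Burst{host, end - start + 1, len(clients)})
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host < out[j].Host })
	return out
}

// sampleLog is constructed: ordinary browsing from three workstations, then
// all three start hitting one host once a second within the same window.
func sampleLog() string {
	var b strings.Builder
	base := time.Date(2013, 9, 10, 15, 0, 0, 0, time.UTC)
	clients := []string{"10.0.10.23", "10.0.10.41", "10.0.11.7"}
	line := func(t time.Time, c, u string) {
		fmt.Fprintf(&b, "%s %s GET %s 200\n", t.Format(time.RFC3339), c, u)
	}
	for i, c := range clients {
		line(base.Add(time.Duration(i)*time.Minute), c, "http://news.example/")
	}
	for i := 0; i < 20; i++ {
		for _, c := range clients {
			line(base.Add(10*time.Minute+time.Duration(i)*time.Second), c, fmt.Sprintf("http://victim.example/?%d", i))
		}
	}
	return b.String()
}

func main() {
	reqs, err := parseLog(sampleLog())
	if err != nil {
		panic(err)
	}
	for _, bst := range DetectBursts(reqs, time.Minute, 50, 3) {
		fmt.Printf("BURST %s: %d requests from %d clients within 1m\n", bst.Host, bst.Requests, bst.Clients)
	}
}
```

The distinct-client threshold is what separates this from an ordinary rate limit: one workstation hammering a host is a local problem, while a dozen idle desktops doing it in lockstep means they are all rendering the same page. Whether anyone acts on the alert is, as the column says, a separate question.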

Or you can do what most folks will do — ignore the problem. I mean, maybe it consumes a little Internet bandwidth with some of your devices pounding an unsuspecting website. But, ultimately, that isn’t really going to impact much of anything from the standpoint of the success factors of either security or operations. There’s the rub. These folks have no incentive to deal with this issue, so they won’t.

And the attackers will run to the bank. Again.

Mike Rothman is President of Securosis and author of the Pragmatic CSO

Article source: http://www.darkreading.com/vulnerability/yet-another-reason-to-hate-online-ads/240160983

Preparing For Notorious CyberAttack Dates: Radware Provides Five Steps To Secure Your Network

MAHWAH, N.J., Sept. 9, 2013 — There are several dates throughout the year that are notorious for wreaking havoc on businesses via denial-of-service (DoS) attacks, data breaches and even malware or botnet assaults. As September 11th nears, rumors about coordinated cyber attacks on American websites continue to increase. Because of these potential risks, it’s imperative that businesses tighten their network security measures now in order to protect themselves from potential intrusion or disruption, which can result in profit-loss and tarnished user confidence.

According to Radware, (Nasdaq:RDWR) a leading provider of application delivery and application security solutions for virtual and cloud data centers, there are two types of dates that hackers target: ideological and business-relevant dates. Ideological dates refer to holidays and anniversaries that have a cultural, religious or secular tie to the adversary. High-risks times for the United States in addition to September 11th include Memorial Day, Election Day and Independence Day. Business-relevant dates involve a period of time that companies are particularly vulnerable to attacks, such as Black Friday, Cyber Monday, or even regular business hours.

Additionally, hackers commonly use important dates and holidays to disrupt specific industries. For example, retail and credit card companies see a significant rise in cyber attacks between Thanksgiving and Christmas, whereas government websites may be targeted during Election or Independence Days.

“Timing is an extremely influential risk-factor for cyber attacks throughout the year,” said Carl Herberger, vice president of security solutions for Radware. “Hackers capitalize on overwhelming their target’s environment on days of great importance and look to exploit vulnerabilities that cause the most detriment.

Because these types of assaults show no signs of slowing, it’s crucial that businesses implement anticipatory security measures in preparation of these peak times so that networks and data centers are able to properly detect and defend against sophisticated threats.”

There are five immediate steps that network administrators and security professionals can take to defend and prepare their networks during these at-risk times of the year:

1) Identify High-risk Dates: Businesses should recognize which times of the year present excessive levels of risk and develop strategic plans to mitigate issues in the event of a cyber attack.

2) Conduct Seasonal Risk Assessments: Once these dates are acknowledged, Radware recommends conducting a detailed risk assessment. Aside from classifying top dates for cyber attacks, companies should also highlight seasons for increased web traffic and periods for increased vulnerability that have presented an issue in the past or have the potential to be problematic. Through this assessment, a strategic security plan can then be developed.

3) Review Network Security Technology: Companies are also advised to plan ahead of seasonal risk by ensuring the network is properly and reliably protected by a leading network security solution. Because it could take up to six months to prepare in advance of high-risk dates, it is important for IT organizations to plan for at-risk periods ahead of time.

4) Run Attack Scenarios: In order to ensure that security solutions are functioning at full capacity, Radware suggests running network simulations using both common and emerging cyber attacks approaches. By analyzing potential methods of infiltration and denial-of-service (DoS) disruptions, network administrators will be able to detect flaws and repair the system before the high-risk season commences.

5) Educate Employees: Employees are often the weakest links in an organization’s cyber security plan. Ensure that all staff members are fully aware of the latest tricks and scams that hackers are utilizing to infiltrate networks by providing training and ongoing education on organizational cyber security policies and procedures.

By implementing these best practices, businesses can prepare and fortify their networks against heightened times of risk. Regardless of these hypersensitive periods, businesses should employ reliable security solutions to protect their networks year-round.

About Radware

Radware (Nasdaq:RDWR) is a global leader of application delivery and application security solutions for virtual and cloud data centers. Its award-winning solutions portfolio delivers full resilience for business-critical applications, maximum IT efficiency, and complete business agility. Radware’s solutions empower more than 10,000 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.


Article source: http://www.darkreading.com/vulnerability/preparing-for-notorious-cyberattack-date/240161021

Latest NSA Crypto Revelations Could Spur Internet Makeover

Documents taken from the NSA showing that the spy agency has systematically been cracking encryption and establishing a foothold in secure communications technology could provide the strongest impetus yet to spur a long overdue update of the underlying protocols of the Internet.

That the U.S. National Security Agency cracks encryption comes as no surprise–codebreaking is part of the spy agency’s mission—but reports that the NSA went too far by urging software companies to insert backdoors and weaknesses into their code has raised valid questions over the viability of today’s commercial encryption technologies. The latest Snowden document leaks, reported by The New York Times and The Guardian late last week, said the agency has cracked or evaded encryption used in much of the Internet’s sensitive communications today, potentially exposing users’ encrypted email, online chats, and phone calls.

“I don’t find it particularly surprising that their agenda was to crack all the crypto—that’s always been their agenda,” says Lawrence Garvin, head geek at SolarWinds. But what’s still unclear in the latest Snowden revelations is whether the NSA can successfully crack newer, stronger encryption technology, he says.

The latest developments indicate potentially glaring overreach by the NSA, and security experts in response are calling for efforts to speed up some long-awaited updates to the ‘Net’s underlying TCP/IP protocols.

“This should speed up the [adoption] of new protocols,” says Stephen Cobb, security evangelist for ESET. “Ten years down the road, we may look back and say we avoided massive cyberattacks because we took measures to improve our security. Ironically, it was prompted by our own government agency [the NSA].”

Crypto expert Bruce Schneier in a blog post last week publicly called for a re-engineering of the Internet to thwart spying, urging the use of open protocols that are harder for the NSA to subvert. Schneier said the Internet Engineering Task Force’s meeting in November should be “dedicated” to this topic. “This is an emergency, and demands an emergency response,” Schneier said.

IETF chair Jari Arkko today confirmed that security indeed will be under discussion at the IETF November meeting in Vancouver: “We have obviously been disturbed by the revelations, and continue to do our best to improve the Internet security in view of these and other threats,” Arkko says. “We have a policy to employ strong security mechanisms, and we care a lot about having trusted services and protocols in the Internet. We are discussing this topic and we will discuss it in our next meeting. There may be some technical improvements that are helpful.”

Internet security isn’t just about technology, however, Arkko says. “Communications security will not help if you do not trust the party that you are communicating with, or the device that you are using,” he says.

The IETF already is working on a new version of the Transport Layer Security (TLS) protocol that ratchets up security to prevent eavesdropping and tampering, as well as other efforts to beef up encryption algorithms. Also in the works is mandatory security for HTTP 2.0.

“I believe mandatory security in HTTP 2.0, in particular, if adopted, would be helpful against eavesdropping in some situations,” Arkko says. But he cautions that it must be coupled with trust between the communicating parties, he says, or else “complete protection for eavesdropping is difficult to achieve.”


At the heart of many of the Internet’s security woes is the old “on the Internet, no one knows you’re a dog” problem: the ability to remain anonymous or to pose as someone you’re not. One key solution here would be to authenticate packets, says David Frymier, CISO and vice president at Unisys.

The next-generation IP protocol, IPv6, holds some promise for this, he says. “With IPv6, if you require authentication of packets, a lot of problems … go away,” Frymier says. “A lot of Internet problems are derived from the fact you can do things anonymously and spoof your identity, such as man-in-the middle attacks.”

Frymier says the NSA is basically exploiting incorrectly implemented or designed technologies to get to the intelligence it wants. And bad guys can do the same, he says. “I stood in front of a computer that I knew was infected, yet it came up clean even though I could see it beaconing to a server in China,” he says. “The fact is bad guys know how to get inside Windows in such a way that you just can’t tell they are there.”

Look for new encryption software to emerge as well. “I think the latest revelation will energize efforts to improve some of the security and privacy fundamentals” of the Internet protocols, ESET’s Cobb says. “I think we will see a lot of growth in … new encryption software, for example, that could potentially defeat current NSA capabilities.”

James Clapper, director of national intelligence, said in a statement yesterday that it’s no secret the U.S. intelligence community gathers “information about economic and financial matters, and terrorist financing.”

“What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of – or give intelligence we collect to – US companies to enhance their international competitiveness or increase their bottom line,” Clapper said.

“As we have said previously, the United States collects foreign intelligence – just as many other governments do – to enhance the security of our citizens and protect our interests and those of our allies around the world. The intelligence Community’s efforts to understand economic systems and policies and monitor anomalous economic activities is critical to providing policy makers with the information they need to make informed decisions that are in the best interest of our national security,” he said.

Encryption Implosion?
The latest NSA revelations late last week from the Snowden files don’t mean that either encryption or the Internet are broken, however, experts say. The NSA appears to have set its sights on a common weakness in encryption: the deployment, management and storage of encryption keys, experts say.

Older algorithms with shorter key lengths were brute-forcible by the NSA, Unisys’ Frymier says. But the “other ten percent” of encryption using longer key lengths is still safe from NSA snooping, he says. “If you’ve got strong encryption properly implemented with a secure key management structure, then you’re safe from the NSA,” he says.

The NSA is basically boiling the ocean, he says, and most organizations in comparison have a relatively small set of data that they need to protect. “I’m convinced this is possible to have a secure communications system,” Frymier says. Aside from strong encryption that’s properly deployed, that would also entail managing your own keys and better control of endpoints so they can securely transmit data, he says.

“The Internet is not broken,” he says. “I’m not surprised by any of this at all. It’s not just the NSA that’s doing this. The Chinese are doing it” as well, he says.


Article source: http://www.darkreading.com/vulnerability/latest-nsa-crypto-revelations-could-spur/240160971

Windows Picture Passwords

If you’ve used Windows 8, or even just seen the ads for it, you’ll know it has a feature called Picture Passwords.

You choose a picture, any picture, and then “annotate” it with three finger movements: you can tap a point, draw a stroke, or sweep a circle.

The picture helps you to remember where you made the gestures, so you can repeat them reliably enough to pass the test and unlock your device.

If you have a touch screen tablet, Picture Passwords are surprisingly handy. (Pun intended.)

But how safe are they?

One of the ads I’ve seen for Windows 8 made a pretty big deal out of the coolness of Picture Passwords, and illustrated their convenience with a login sequence to which my immediate reaction was, “Surely not?”

The ad showed a picture of someone’s two young daughters, heads close together and looking at some distant object; the password involved circling their heads and then drawing a line in the direction they were looking.

That struck me as far, far too easily guessed; a bit like an ad showing someone choosing the keyboard password SECRET and implying that would be good enough.

→ The question of whether you should be using something as personal as your children’s pictures as a background visible even on a locked device is another issue entirely. I advise against it, but we shan’t consider that further here.

Others were concerned, too, including four security researchers from Arizona State University and Delaware State University.

They actually tried to measure the safety of Picture Passwords in a paper presented at last month’s USENIX Security Symposium.


When the media got stuck into their work last week, the conclusions were often uncomplimentary, with headlines like Windows 8 picture passwords easy to crack and Windows 8 Picture Passwords Easily Cracked.

But what did the researchers really find?

How do you go about cracking Picture Passwords, anyway?

For text passwords, it’s fairly obvious what you do: start at AAAAA and go to ZZZZZ (that’s brute force, where you try all possibilities), or take some shortcuts and start at ABASH and end at ZESTY (that’s a dictionary attack, where you try only the likely ones).

Will this work for pictures?

According to Microsoft’s help page, even brute force attacks are impossible [my emphasis below] because there is no limit to the number of possible picture passwords:

Because you choose the picture and the shapes you draw on it, the combinations are infinite — a picture password is actually more secure from hackers than a traditional password.

Oh dear. That’s the marketing department getting technical, I imagine.

Fortunately, wiser minds – the developers themselves, in fact – have published a much more sanguine (and well worth reading) paper on the design, implementation and likely strength of Picture Passwords, and they estimate that there are just over 1,155,000,000 (a billion-and-a-bit) possible Picture Passwords if three gestures are used.

→ You should read the Microsoft paper if you want to know the details of how Picture Passwords are calculated (the screen is chopped into a grid with 100 squares on the longer side), and how they are tested (various degrees of inaccuracy are tolerated when you repeat your gestures).

So a brute force attack is certainly possible, where you ignore the picture entirely and just try every possible tap-click-circle combination.

You’ll have just over 2^30 passwords to try (that’s a billion-and-a-bit).

That’s only about four times as many as there are six-character passwords using the characters A to Z, and no-one is seriously suggesting six-character, letters-only passwords these days.

Furthermore, the equivalent of a dictionary attack is possible, too, if you can identify the most likely Points of Interest (PoIs) in the password picture.

The Microsoft team actually tried to evaluate what effect the complexity of the image had on passwords, and the results were quite dramatic.

With ten PoIs, such as heads, noses, dogs, cats, flowers and so forth, and with gestures based around those PoIs, they estimated that there are about 8,000,000 possible passwords; with five PoIs, you’re looking at only about 420,000 different passwords.

That does indeed sound rather limited, equivalent to 23-bit and 19-bit keys respectively.

Online attacks

Of course, we already have an environment where we routinely use 13-bit or 14-bit keys in comparative safety: the PIN on a mobile phone SIM card is only four digits; on a credit card, usually five digits.

Such short passwords are rendered safe by strictly limiting the number of wrong attempts before you get locked out.

And that’s what Microsoft has done with Picture Passwords: you can’t use them remotely, only if you have physical access to the device, and after five mistakes, you have to switch to using your old-fashioned text password.

So, someone who has a copy of your password picture would have to pre-compute their five best guesses, based on what they know about PoIs and the most likely gesture sequences to go with them, like the “circle your daughter’s heads and look where they are looking” password I described above.

Having done that, what’s the chance they’ll get in?

Groovily, the authors of the USENIX paper quantified that, using a realistic test set of just over 10,000 passwords that they constructed.

Very simply put, here’s how well they did:

Automated PoI recognition, 1st guess: Correct  8 in 1000
Manual PoI recognition, 1st guess:    Correct  9 in 1000

Automated PoI recognition, 5 guesses: Correct 19 in 1000
Manual PoI recognition, 5 guesses:    Correct 26 in 1000

That’s perhaps not “easily cracked,” as the headlines proclaimed, but it’s certainly cause for concern when compared against the less than three-in-10,000 chance of correctly guessing a randomly chosen four-digit SIM or credit card PIN.

More precisely, perhaps, it would be cause for concern if there really were just a 0.03% chance of guessing a four-digit PIN code.

But experience suggests that there will always be users who tilt the odds in the favour of the crooks, since not all four-digit codes are equally likely.

For example, Apple iPhone developer Daniel Amitay estimated in 2011 that a “five most likely” list of Apple iPhone lock codes (1234, 0000, 2580, 1111, 5555) would get you in more than 110 times out of 1000.

Against that measurement, the worst case of 26 times out of 1000 for guessing Picture Passwords doesn’t sound quite so bad.

So, if you use Picture Passwords, don’t make it easy for the crooks: choose pictures with lots of PoIs, and don’t just “do the obvious” when you choose the gestures you’re going to use.

In short, read the Microsoft developers’ paper and treat their example image and gestures as excellent advice on what NOT to do!

Offline attacks

I’ll conclude by mentioning something that the USENIX paper touches on, and which is perhaps the most important and as yet unquantified aspect of Picture Passwords: offline attacks.

How Picture Password data is stored, and how password attempts are tested against the database, is proprietary.

With an effective key size of just 30 bits, it is vital to set a very high cost for testing each potential password against an offline copy of the password database.

That requires a computationally expensive Key Derivation Function (KDF).

That’s the algorithm by which you convert the digital representation of a password gesture (from a password space of 30 bits) into a unique and pseudorandom choice out of a much larger set of keys, say 128 bits’ worth.

Doing this means that an attacker can’t predict which 2^30 out of the 2^128 keys represent a picture password: they have to calculate the list first, even for a brute force attack.

You needn’t inconvenience your users with a KDF, since the extra password validation effort only applies once per login attempt, but you can make it computationally impractical to try all 2^30 possibilities.
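To make the arithmetic above and the KDF argument concrete, here is an added example (not code from the article or from Microsoft): it sizes the password spaces quoted earlier in bits, and shows a gesture sequence being stored and checked through PBKDF2-HMAC-SHA256 so that each offline guess costs a configurable number of hash operations. The gesture encoding, the grid coordinates and the sample password are constructed for illustration; Microsoft’s real storage format is proprietary and not shown here.

```python
import hashlib
import hmac
import math
import os
import time

# Constructed gesture encoding for this example (not Microsoft's proprietary format):
# each gesture is a tuple of small integers on the 100-square grid the article mentions,
# e.g. ("tap", x, y), ("line", x1, y1, x2, y2), ("circle", cx, cy, radius, clockwise).

def encode_gestures(gestures):
    """Serialise a gesture sequence into canonical bytes for the KDF."""
    return "|".join(":".join(str(v) for v in g) for g in gestures).encode("ascii")

def effective_bits(space_size):
    """Key-strength equivalent of a password space: log2 of its size."""
    return math.log2(space_size)

def derive_key(gestures, salt, iterations):
    """PBKDF2-HMAC-SHA256 maps the ~30-bit gesture space onto 128-bit keys,
    at a cost of `iterations` HMAC computations per guess."""
    return hashlib.pbkdf2_hmac("sha256", encode_gestures(gestures), salt, iterations, dklen=16)

def enrol(gestures, iterations=200_000):
    """Store salt, work factor and derived key; the gestures themselves are never stored."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "key": derive_key(gestures, salt, iterations)}

def verify(record, gestures):
    """Re-derive and compare in constant time: one KDF call per login attempt."""
    candidate = derive_key(gestures, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])

def offline_attack_seconds(seconds_per_guess, space_bits=30):
    """Worst-case time to sweep the whole space against a stolen record on one core."""
    return (2 ** space_bits) * seconds_per_guess

if __name__ == "__main__":
    # Constructed sample in the style of the "circle both heads, then a line" password.
    pw = (("circle", 40, 35, 12, 1), ("circle", 60, 35, 12, 1), ("line", 50, 40, 90, 20))
    rec = enrol(pw)
    start = time.perf_counter()
    assert verify(rec, pw)
    per_guess = time.perf_counter() - start
    print(f"one verification: {per_guess:.3f}s; full 2^30 sweep: "
          f"{offline_attack_seconds(per_guess) / 86400:.0f} days on one core")
    print(f"8,000,000 PoI-based passwords ~ {effective_bits(8_000_000):.1f} bits")
```

Raising `iterations` costs each legitimate login a single extra KDF call but multiplies the attacker’s whole 2^30 sweep by the same factor.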

So here’s a free-of-charge technical and marketing suggestion for Microsoft.

Go public – heck, go open source! – with the way that Picture Passwords work, from how they’re stored to how the KDF is calculated.

You’d let outside experts assess the risk of offline attacks, which would be technically valuable.

And you’d get great positive publicity for openness, considering the current brouhaha facing proprietary software vendors over the cryptographic influence of the world’s intelligence services.

Just saying.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CRWvTmJjBMo/

Google to encrypt data “end-to-end” in effort to block NSA and other agencies

Google is stepping up efforts to toughen data encryption in an effort to limit unofficial snooping on user information in the wake of the revelations about the NSA and PRISM.

Speaking to the Washington Post, Eric Grosse, vice president for security engineering at Google said “It’s an arms race”, as he described government hackers as “among the most skilled players in this game.”

In the aftermath of leaked documents from Edward Snowden, suggesting that some US companies have made it easy for information to flow to the government, Google is keen to show it is doing its utmost to protect its users’ privacy.

The company did say, however, that it would still have to comply with any legally approved Foreign Intelligence Surveillance Act (FISA) requests and would hand over data whenever obligated to. Google, like Microsoft, is currently taking steps to sue the US government to gain permission to disclose just how many FISA requests it receives each year.

If such details do enter the public domain they could prove interesting reading, in conjunction with recent disclosures from companies like Yahoo, who revealed that it had received 12,444 requests for data from the US government in the first six months of this year.

Google officials declined to pass comment on how exactly the new encryption techniques would work, or what technology would be employed, though it does already have some experience in the field. Google implemented encryption with its Gmail service back in 2010 and then, later, did the same with many web queries using its own search engine.

While this affords protection to data travelling between Google and its users, it does not cover its data centres, where a huge amount of information (e.g. web searches, emails and browsing histories) is stored and transmitted between them on high-speed fibre-optic lines.

Google officials did say that the new encryption will be “end-to-end” which suggests it will cover both the data centres and the connections between them, thus mitigating one vulnerable point of entry to potential snoopers.

Having accelerated the encryption program back in June, following the controversy over PRISM, Google is now apparently “months ahead” of its original deployment schedule with completion due very soon.

While this move from Google may not completely guarantee that data will remain private, it will likely bring some good PR the company’s way and at the same time make eavesdropping a far more time consuming and costly activity.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CpxrCgP0Uag/

Sophos pulls out spade, fills in holes in Web Appliance


Sophos has pulled out the weeds in its web-scanning software after Core Security identified multiple holes in its Web Protection Appliance versions 3.8.0, 3.8.13 and 3.7.9 and earlier.

The Core Security advisory states that if a remote attacker can gain access to the appliance’s web administrator interface, the attacker could execute arbitrary commands and gain root privileges.


Acknowledging the issue to The Register, Sophos advised that it had not observed any exploits of the vulnerability in the wild.

The issue arises via a slip in a Perl script, as the advisory states:

[T]he invoked /opt/ws/bin/sblistpack Perl script itself is vulnerable to OS command injection, because its get_referers() function doesn’t escape the first argument of the script before using it within a string that will be executed as a command by using backticks.

This opens a vulnerability in which a POST parameter allows the attacker to execute OS commands on the appliance, with the privileges of the operating system user – in this case, “spiderman”.

To get from spiderman’s OS user privileges to root privileges, the Core Security testers then located a Perl command which runs with root privileges, and which also had an escaping error. Core Security points out that the script “doesn’t escape the second argument of the script before using it within a string that will be executed as a command by using backticks. Since it can be run by the spiderman user with the sudo* command, it can be abused to gain root privileges within the appliance.”
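The defect the advisory describes is a script argument spliced, unescaped, into a command string that a shell interprets (Perl backticks do exactly that). As an added illustration, not the appliance’s own code (which is not on the page), here is the same pattern and its hardened form in Python: the safe version validates the argument against a strict hostname allow-list and hands an argv list to the OS with no shell in between. The `get_referers` name comes from the advisory; the `grep` command and log path are hypothetical.

```python
import re
import subprocess

# Both functions are constructed stand-ins for the advisory's get_referers(); the
# appliance's Perl source is not on the page and the grep invocation is hypothetical.

# Conservative hostname allow-list: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def get_referers_unsafe(target):
    """The bug class in the advisory: the caller-supplied argument is interpolated into
    a command string and a shell parses the result, so any shell metacharacter in
    `target` changes what gets executed. Shown for contrast only; never call it."""
    return subprocess.check_output(f"grep -c {target} /var/log/access.log",
                                   shell=True, text=True)

def is_safe_argument(target):
    """True only for a plain hostname; anything else is rejected before use."""
    return bool(HOSTNAME_RE.match(target))

def validate_host(target):
    if not is_safe_argument(target):
        raise ValueError(f"rejected argument: {target!r}")
    return target

def build_referer_command(target):
    """argv list: no shell is involved, and '--' ends option parsing, so the argument
    can only ever be data for grep, never a command or an option."""
    return ["grep", "-c", "--", validate_host(target), "/var/log/access.log"]

def get_referers_safe(target):
    result = subprocess.run(build_referer_command(target),
                            capture_output=True, text=True, check=False)
    return result.stdout
```

The same two rules (validate against an allow-list, then pass an argument vector rather than a command string) also close the second, sudo-reachable script the testers used, where the escaping error is on the second argument.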

Sophos has acknowledged the issue, and Core Security’s disclosure, in this notice.

The company says it is now rolling out the update to customers with automatic updating. Customers who have disabled automatic updates can run a manual install. The fix was posted on Friday 6 September. ®

* “sudo”, or “superuser do” allows users to run programs with the security privileges of another user.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/09/sophos_patches_web_appliance_vuln/

Yet Another Reason to Hate Online Ads

I’ll readily admit I’m numb to advertising. At least when I’m online. There are ads everywhere taking up every visual inch of screen real estate, with the exception of the text I’m looking at. But I just focus on the text I’m looking for, so the rest of the stuff is noise. It’s a bit different with TV since the magic of the DVR allows me to skip pretty much all the ads. When I’m on the road and not using a DVR, I realize the true annoyance of these TV ads. In fact, I don’t really watch TV without a DVR, with the exception of live sports. And in that case, the commercials annoy me.

But that’s just annoyance, right? You can tune out the ads. Or check your Twitter or Facebook for 2-3 minutes while you learn about the latest magic pills to cure insomnia, frequent urination, or erectile dysfunction. As an aside, if anyone has a good way to describe erectile dysfunction to a 10-year old, I’m all ears. It’s just a matter of time before I’m watching a football game with my kids and one of those ads show up.

Yet at Black Hat, my friends Jeremiah Grossman and Matt Johansen showed that online advertising networks can be manipulated and gamed by attackers using pretty simple tactic to launch an attack (typically DDoS) against a specific site without any effort from the user. All they have to do is render a webpage with the attack ad embedded. We’ve spent years talking about not clicking on strange links or not going to those sites. But that’s about not being in a bad neighborhood. What if the bad neighborhood comes to you?

That’s right, if an advertising network accepts a compromised ad, likely paid for with a stolen credit card, it will display the ad almost anywhere on legitimate sites. There isn’t much the website can do; they’ve outsourced the ads to the ad network. The ad networks should have controls in place, but well, you know. It’s basically a drive-by attack that you can’t really block. Render the legitimate page and get owned. That’s awesome, right?

As Jeremiah and Matt described during their session, “As they explained, networks that serve up advertisements on ad-supported sites across the Internet frequently allow their advertisers to run arbitrary JavaScript on browsers displaying their ads.” This JavaScript (if the browser is set to run JavaScript – which is the default mode) can have the browser make a request to the target, it could start a drive-by malware download, or lots of other diabolical stuff.

Even better, the pair of researchers got around an ad network’s typical need to approve every change to an ad (for instance, changing the target) by referring to an external site to download the target URL or any other instructions in real-time. JavaScript for the win. This gives an attacker the ability to dynamically change anything pertaining to the attack at will.

I know this is the “vulnerabilities and threats” section and I don’t necessarily need to suggest some ways to deal with this kind of attack. But that’s not how I roll. So here are a few not-so-simple things that you can do to protect your devices from this kind of activity. First, you can implement advanced malware protection on the endpoint devices, as I described in Controlling the Big 7. This doesn’t really help if the ad just gets the device to render a website (for DDoS purposes), but it can stop other compromises targeting the endpoint device.

Next is to address the traffic by blocking it on the network. Maybe you tighten the egress filtering policies on your NGFW, IPS or web filter, looking for traffic bursts to a specific site. Or perhaps you implement a pretty tight device firewall policy to block outbound web traffic unless it’s approved. I use a tool called Little Snitch, which does this. It’s a great tool, but it’s a pain. The user would need to be sophisticated enough to realize an outbound connection request is no bueno and to deny it.

Or you can do what most folks will do — ignore the problem. I mean maybe it consumes a little Internet bandwidth with some of your devices pounding an unsuspecting website. But ultimately that isn’t really going to impact much of anything from the standpoint of the success factors of either security or operations. There’s the rub. These folks have no incentive to deal with this issue, so they won’t.

And the attackers will run to the bank. Again.

Mike Rothman is President of Securosis and author of the Pragmatic CSO

Article source: http://www.darkreading.com/vulnerability/yet-another-reason-to-hate-online-ads/240160983