STE WILLIAMS

Sykipot Malware Now Targeting Civil Aviation Information

An older malware family called Sykipot has recently been retooled to steal data from the civil aviation sector in the United States, researchers say.

According to a new blog from researchers at Trend Micro’s TrendLabs, the retooled attack appears to be an intelligence-gathering operation.

“The intentions of this latest round of targeting are unclear, but it represents a change in shift in objectives or mission,” the blog states.

Sykipot, which has been used as a backdoor since 2007, traditionally has targeted U.S. defense agencies and related industries, such as telecommunications, computer hardware makers, and government contractors, according to TrendLabs. But now it appears to be going after aviation data.

“Like most targeted attacks, Sykipot uses malicious attachments to spread,” the blog says. “Once Sykipot is running on the victim’s machine, it establishes an SSL connection to a [command and control] server, where more malicious files are then downloaded and installed on the victim’s machine. The capabilities of the Sykipot framework allow for arbitrary code and commands to be run.

“The change — slowly moving away from file-based exploits and into [the PC’s dynamic link library] or process injection — is a notable observation on the evolution of the campaign,” TrendLabs says. “The closed-source intelligence of the most recent attacks shows consistency in methodology, tools and exploited target entity, but examining the targeted data suggests the campaign expanded beyond the typical US [defense industry] and into more civilian sectors and infrastructure.”

Sykipot campaigns have frequently relied on zero-day exploits to gain their initial foothold, so organizations in civil aviation and related industries should patch promptly, TrendLabs says. And since the initial infection usually arrives through phishing or other forms of social engineering, a solid end-user training program may also help, the blog says.


Article source: http://www.darkreading.com/vulnerability/sykipot-malware-now-targeting-civil-avia/240160988

PII And Entitlement Management

I had not been asked about Gramm–Leach–Bliley (GLBA) compliance in two or three years, but I received two inquiries last month. Both raised difficult problems with entitlements, and I figured other firms have the same questions, so I’ll address them here.

The basic issue is that you need to ensure only authorized people access sensitive personal information (personally identifiable information, or PII for short). This gets difficult when your auditor wants to know which applications use sensitive data and which users have access to it. If you’re running 80 to 100 applications, some of them platforms like SharePoint or SAP, that is not an easy question to answer. What data sits behind those applications? Is it in files or databases? Is access logged? Are generic accounts used? Which users map to which roles? These questions make compliance an incredibly complex task: placing the right controls on the data and, perhaps most important, proving to your auditor that the controls are in place.

The general recommendations I made were to use discovery and entitlement management reports. The first is data discovery tools to locate PII in both databases and unstructured storage. The second is entitlement reports: a listing of which roles have access to the sensitive data you have discovered, and the users that map to each role. I make these recommendations because entitlement reports are typically how GLBA auditors want to verify data access controls. They can be a pain in the ass to set up, but once you’ve written the reports, maintenance and verification are not so bad. And most database monitoring platforms offer some of these discovery and entitlement reports out of the box.
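The discovery-plus-entitlement report described above, as an added example that is not part of the original column. It runs against an in-memory SQLite database with a constructed customer table and two constructed catalog tables (column_grants, role_members) standing in for the DBMS privilege catalog; the role and account names, the PII value patterns and the generic-account naming convention are all assumptions made for the illustration. The report also flags shared accounts, which is exactly the gap the auditor-facing role listing hides.

```python
import re
import sqlite3

# Constructed sample data: one customer table holding SSNs and e-mail
# addresses, plus two mock catalog tables standing in for the DBMS privilege
# catalog (on PostgreSQL you would query information_schema.role_table_grants
# and pg_auth_members instead of populating these by hand).
SCHEMA = """
CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT, email TEXT, region TEXT);
CREATE TABLE column_grants (role TEXT, tbl TEXT, col TEXT, privilege TEXT);
CREATE TABLE role_members (role TEXT, member TEXT);
"""
SAMPLE_ROWS = [
    (1, "A. Jones", "123-45-6789", "ajones@example.com", "west"),
    (2, "B. Smith", "987-65-4321", "bsmith@example.com", "east"),
]
GRANTS = [
    ("claims_analyst", "customers", "ssn", "SELECT"),
    ("claims_analyst", "customers", "name", "SELECT"),
    ("marketing", "customers", "email", "SELECT"),
    ("marketing", "customers", "region", "SELECT"),
    ("app_service", "customers", "ssn", "SELECT"),
]
MEMBERS = [
    ("claims_analyst", "alice"),
    ("claims_analyst", "bob"),
    ("marketing", "carol"),
    ("app_service", "svc_portal"),  # shared account: the report cannot say who is behind it
]

# Value patterns used for discovery (US SSN layout and e-mail); extend per data class.
PII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
}
# Assumed naming convention for generic/shared accounts not tied to a person.
GENERIC_ACCOUNT = re.compile(r"^(svc_|app_|shared|admin$)")


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    db.executemany("INSERT INTO column_grants VALUES (?,?,?,?)", GRANTS)
    db.executemany("INSERT INTO role_members VALUES (?,?)", MEMBERS)
    return db


def discover_pii(db, table, sample_limit=100):
    """Return {column: data_class} for columns whose sampled values all match a PII pattern.

    Column names come from the catalog (PRAGMA), never from user input, so
    quoting them into the SELECT is safe here.
    """
    columns = [row[1] for row in db.execute(f"PRAGMA table_info('{table}')")]
    found = {}
    for col in columns:
        values = [str(v[0]) for v in db.execute(
            f'SELECT "{col}" FROM "{table}" LIMIT {int(sample_limit)}') if v[0] is not None]
        for data_class, pattern in PII_PATTERNS.items():
            if values and all(pattern.match(v) for v in values):
                found[col] = data_class
                break
    return found


def entitlement_report(db, table, pii_columns):
    """For each discovered PII column, list the roles that can read it, the users
    behind each role, and which of those users are generic accounts."""
    report = {}
    for col in pii_columns:
        roles = [r[0] for r in db.execute(
            "SELECT DISTINCT role FROM column_grants "
            "WHERE tbl = ? AND col = ? AND privilege = 'SELECT' ORDER BY role",
            (table, col))]
        report[col] = []
        for role in roles:
            users = [r[0] for r in db.execute(
                "SELECT member FROM role_members WHERE role = ? ORDER BY member", (role,))]
            report[col].append({
                "role": role,
                "users": users,
                "generic_accounts": [u for u in users if GENERIC_ACCOUNT.match(u)],
            })
    return report


if __name__ == "__main__":
    db = build_db()
    pii = discover_pii(db, "customers")
    for col, entries in entitlement_report(db, "customers", pii).items():
        print(f"{col} ({pii[col]}):")
        for e in entries:
            flag = f"  <-- generic accounts: {e['generic_accounts']}" if e["generic_accounts"] else ""
            print(f"  {e['role']}: {', '.join(e['users'])}{flag}")
```

The discovery step is deliberately strict (every sampled value must match) to keep false positives down; in practice you sample more rows and also match on column names. The entitlement output is what the auditor asks for, but note the svc_portal line: a role-to-user mapping tells you nothing about which human sat behind a service account, which is the assurance gap discussed below.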

That’s the answer to the specific questions I got. That said, those were probably not the right questions. One of the reasons I don’t get specific GLBA questions is that large enterprises lump GLBA compliance under a more general PII program built around state privacy laws.

If you’ve ever read GLBA, you know it has some incredibly vague sections on data privacy. What privacy constraints are doing in legislation that repealed the Glass-Steagall Act in order to let banks engage in very different types of business (e.g., collateralized debt obligations) is beyond me. Inappropriate though they may be, they are there, and they are incredibly vague. Since many states have legislation governing the storage of and access to PII, and those laws set minimum standards in a far less ambiguous way, companies lump their compliance controls together under one PII set.

Now, I’ve always been surprised that the handful of GLBA auditors I’ve spoken with over the last ten years feel the appropriate control for PII compliance is an entitlement report. Role-based access control is fine, but it is not great security, and it offers even less assurance given the widespread use of generic group or “service level” accounts. In fact, many large enterprises don’t consider access control and role membership sufficient security. Their approach to general data protection is to leverage other technologies to remove data, add further fail-safe protections, or use access reports.

As such, here are a couple of other tricks you should consider.

Protection: label-based protection for database columns, dynamic content redaction, or tokenization. When you are building a compliance strategy, any time you can remove a copy of sensitive data, that is one less place you need to do compliance reporting.

Masking and tokenization get rid of data in non-essential places. Dynamic masking, redaction and database labeling technologies provide an enforcement mechanism that automatically conceals sensitive data when a user’s group or role should not have access. These tools offer finer-grained control over data access than role-based access and database groups.
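The two protection techniques above, dynamic masking and tokenization, as an added example that is not part of the original column. The role names, the clear-text policy, the SSN and e-mail formats and the vault design are assumptions for the illustration; commercial masking and tokenization products do the same job inside the database or at a proxy.

```python
import hashlib
import hmac
import secrets


def mask_ssn(ssn, visible_last=4):
    """Static mask: keep the last four digits, replace the rest, preserve layout."""
    digit_count = sum(c.isdigit() for c in ssn)
    out, seen = [], 0
    for c in ssn:
        if c.isdigit():
            out.append(c if seen >= digit_count - visible_last else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_email(email):
    """Keep the first character and the domain; hide the rest of the local part."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


# Roles allowed to see each sensitive column in clear (assumed). Everyone else
# gets the masked form at query time, regardless of what the table grant says.
CLEAR_TEXT_POLICY = {"ssn": {"claims_analyst"}, "email": {"claims_analyst", "marketing"}}
MASKERS = {"ssn": mask_ssn, "email": mask_email}


def redact_row(row, role):
    """Dynamic masking: return a copy of `row` (a dict) with sensitive columns
    masked unless `role` is entitled to see them in clear."""
    out = {}
    for col, val in row.items():
        allowed = CLEAR_TEXT_POLICY.get(col)
        out[col] = val if allowed is None or role in allowed else MASKERS[col](val)
    return out


class TokenVault:
    """Tokenization: the real value lives only in the vault; applications and
    reports store the token. Tokens are random and format-preserving (digit
    layout kept), so a token reveals nothing about the value. A keyed HMAC
    index lets repeat inputs map to the same token without the index itself
    holding clear values."""

    def __init__(self, index_key):
        self._index_key = index_key
        self._value_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value):
        fp = self._fingerprint(value)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:  # fresh random digits in the same positions as the original
            token = "".join(str(secrets.randbelow(10)) if c.isdigit() else c for c in value)
            if token != value and token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token):
        """Only the few callers that genuinely need the clear value should reach this."""
        return self._value_by_token[token]


if __name__ == "__main__":
    row = {"name": "A. Jones", "ssn": "123-45-6789", "email": "ajones@example.com"}
    print(redact_row(row, "marketing"))
    vault = TokenVault(secrets.token_bytes(32))
    print(vault.tokenize(row["ssn"]))
```

The compliance payoff is the one the column makes: every system that stores the token instead of the SSN drops out of the PII reporting scope, and a masked result set never has to be explained to an auditor. One caveat for the toy vault: a random digit string can coincide with some other customer’s real SSN, so a production vault uses a format-preserving cipher or a reserved token range rather than bare random digits.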

Monitoring: Who accessed the data? Funny thing about database logs: they were not designed to record data access. Relational databases were designed to provide data access, and they tend to record only changes to data, so they can’t show you who viewed what. That is where Database Activity Monitoring (DAM) systems come in, as they record reads as well as writes. What is more, based on an access policy, they can show which users accessed data they should not have, such as administrators or other users who should not have read access but did, and you can be alerted on policy violations. This is a much better way to show that only the users who should have access are reading PII.
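The policy check a DAM system performs on captured reads, as an added example that is not part of the original column. The five audit events are constructed in the shape a DAM sensor might emit (the field layout is an assumption, as are the role names, the read policy and the idea that the app_service role only connects from one network). Three rules are applied: the role must be entitled to the column, a service account must come from its expected network, and a SELECT of a sensitive column with no WHERE clause is treated as a bulk read worth an alert.

```python
import re

# Constructed audit events in the shape a DAM sensor might emit after
# capturing statements on the wire: who, in what role, from where, doing what.
EVENTS = [
    '2013-09-09T10:02:11Z user=alice role=claims_analyst client=10.1.4.20 stmt="SELECT name, ssn FROM customers WHERE id = 42"',
    '2013-09-09T10:05:40Z user=carol role=marketing client=10.1.4.31 stmt="SELECT email, region FROM customers WHERE id BETWEEN 100 AND 200"',
    '2013-09-09T02:14:03Z user=dba_mike role=dba client=10.1.9.8 stmt="SELECT ssn FROM customers"',
    '2013-09-09T10:07:55Z user=svc_portal role=app_service client=10.1.20.5 stmt="SELECT ssn FROM customers WHERE id = 7"',
    '2013-09-09T10:08:10Z user=svc_portal role=app_service client=172.16.0.9 stmt="SELECT ssn FROM customers"',
]

# Read policy for sensitive columns (the output of the entitlement work), plus
# the network prefix each service account is expected to connect from. Assumed.
READ_POLICY = {
    ("customers", "ssn"): {"claims_analyst", "app_service"},
    ("customers", "email"): {"claims_analyst", "marketing"},
}
TRUSTED_CLIENTS = {"app_service": ("10.1.20.",)}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) client=(?P<client>\S+) stmt="(?P<stmt>.*)"$')
SELECT_RE = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<tbl>\w+)", re.IGNORECASE)
WHERE_RE = re.compile(r"\bWHERE\b", re.IGNORECASE)


def parse_event(line):
    """Split one audit line into fields and pull the table and column list out of the SELECT."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    sel = SELECT_RE.match(ev["stmt"])
    ev["table"] = sel["tbl"].lower() if sel else None
    ev["columns"] = [c.strip().lower() for c in sel["cols"].split(",")] if sel else []
    return ev


def check_event(ev):
    """Return (rule, user, object) tuples for every policy violation in one event."""
    violations = []
    for col in ev["columns"]:
        key = (ev["table"], col)
        if key not in READ_POLICY:
            continue  # not a sensitive column, nothing to check
        obj = f"{ev['table']}.{col}"
        if ev["role"] not in READ_POLICY[key]:
            violations.append(("no_entitlement", ev["user"], obj))
        trusted = TRUSTED_CLIENTS.get(ev["role"])
        if trusted and not ev["client"].startswith(trusted):
            violations.append(("untrusted_client", ev["user"], obj))
        if not WHERE_RE.search(ev["stmt"]):
            violations.append(("bulk_read", ev["user"], obj))  # whole-table read of PII
    return violations


def audit(lines):
    """Run every captured event through the policy and collect the alerts in order."""
    return [v for line in lines for v in check_event(parse_event(line))]


if __name__ == "__main__":
    for rule, user, obj in audit(EVENTS):
        print(f"ALERT {rule}: {user} on {obj}")
```

The DBA’s 02:14 read of every SSN and the service account’s read from an address outside the application tier are exactly the events a native database log never shows you, because nothing was changed. A real DAM product also resolves SELECT * and views back to the underlying columns, which this toy parser does not.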

These latter two recommendations require that you negotiate with your auditor. Yes, I know some of you would rather pull out your fingernails, but if you feel your security controls are a sensible approach that accounts for all access to sensitive data, have your auditor explain why they would want something different. Throw the porcupine back in their lap. DAM, masking, tokenization and labeling are simply better, more flexible tools than role-based access controls.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading.

Article source: http://www.darkreading.com/database/pii-and-entitlement-management/240160994

SecureKey To Add FIDO Specification Support To Its Cloud-Based briidge.net Authentication Service

TORONTO, Canada, September 9, 2013 – SecureKey, the leading provider of trusted identity networks, today announced it is adding FIDO specification support to its briidge.net™ cloud-based authentication platform to expand the range of hardware-based authenticators that can be used with the service. With the addition of FIDO specification support, briidge.net customers will have the option of employing briidge.net DNA-enabled devices, as well as any FIDO-enabled authenticator, including biometrics and secure USB devices. SecureKey also announced that it has joined the FIDO Alliance as a Sponsor Level member.

“Adding FIDO specification support to our cloud-based service will enable us to provide additional value to our customers by offering more choice of hardware authenticators supported across multiple channels and use cases with our authentication platform,” said Andre Boysen, executive vice president of marketing for SecureKey. “By extending our current key management infrastructure based on the Global Platform standard to support FIDO-specified server key management, we can enable a broader range of identity and authentication solutions combining multiple authentication factors.

“Additionally, we believe FIDO-enabled credentials will provide another source of strong what-you-have factors to be federated over an open network of trusted identity providers and relying parties, using the briidge.net Exchange platform. We are optimistic that FIDO specifications can help accelerate the movement away from users having many weak credentials to fewer, stronger, and more convenient credentials.”

According to Boysen, SecureKey’s FIDO-enabled solution will provide the additional benefit of being cloud-based, eliminating the need for many web sites to purchase and operate their own individual FIDO-enabled servers.

SecureKey’s participation in the alliance ties directly with its values and philosophy concerning user privacy. The company has already taken an active role in the FIDO Alliance, establishing itself in a Leadership Position in the FIDO Privacy Working Group, and lending its expertise in ensuring identity privacy by design to help ensure that user privacy is maintained within the context of the FIDO protocol.

“The FIDO Alliance and SecureKey share a vision of strong authentication for a broad range of identity and payment applications – in fact, better authentication that is at once more secure, private and easy-to-use,” said Michael Barrett, president of the FIDO Alliance. “We welcome SecureKey to the FIDO Alliance as a Sponsor member and look to SecureKey for its expertise in protecting user identity information. SecureKey is dedicated to user privacy and confidentiality, and contributing to a core value and characteristic of the FIDO specifications: ensuring user privacy.”

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. The alliance seeks to change the nature of authentication by developing specifications that define an open, scalable and interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug-ins will allow any web site or cloud application to utilize a variety of existing and future FIDO-enabled devices that the user has for online security.

“SecureKey’s proven experience in the payment industry infrastructure is essential to accelerate FIDO adoption by service providers. With briidge.net robustness and multiple certifications, SecureKey will bring a key element to the FIDO Alliance,” said Sebastien Taveau, CTO at Validity Inc., a founding member of the FIDO Alliance. “SecureKey has been recognized as a privacy leader in identity and authentication, and will play a key role in the Privacy Working Group to gather user trust and adoption. Coupled with strong local authentication such as fingerprints, service providers can now provide new experiences to their users while increasing the security of the whole ecosystem.”

About SecureKey Technologies Inc.

SecureKey is the leading provider of cloud-based, trusted identity networks that eliminate the burden, cost, and risks associated with user authentication. The company’s federated authentication solutions ensure that users are properly authenticated regardless of the service, device or credential they prefer to use. Organizations can quickly and easily deliver high-value online services to millions of consumers and citizens with improved transaction privacy, simplicity, and convenience. SecureKey is headquartered in Toronto, with offices in Boston, Washington D.C., and San Francisco. The company is backed by a world-class group of venture and corporate investors. For additional information, please visit www.securekey.com.

Article source: http://www.darkreading.com/end-user/securekey-to-add-fido-specification-supp/240160999

Silent Circle Announces New Service Bundles

WASHINGTON, D.C. – September 9, 2013 – Silent Circle, the global encrypted communications firm revolutionizing mobile device security for organizations and individuals alike, today announced new bundled service offerings for customers turning to the company’s unique peer-to-peer encryption platform as a secure alternative to traditional calling, mobile messaging and file transfer tools susceptible to escalating privacy threats. The new bundle options help businesses, government agencies and individuals in Silent Circle’s fast-growing customer segments secure their preferred means of communication, from mobile calling and messaging to desktop videoconferencing.

“As demand for our service increases daily, we have updated our service offerings with new bundle options to accommodate customers’ secure communications priorities – offering easy to use apps that enable peer-to-peer encrypted calling, messaging and file transfer on employees’ smartphones and tablets,” said Silent Circle Chief Revenue Officer Spencer Snedecor. “Nearing our first full year of operation as the trusted provider of private and secure communications services, our business continues to experience explosive growth as we meet the urgent privacy needs of demanding users in over 100 countries, including government agencies and Fortune 500 and FTSE 100 leaders across defense, manufacturing, aerospace, energy, finance, media, healthcare and many other sectors worldwide.”

To ensure complete privacy, Silent Circle’s comprehensive set of peer-to-peer encrypted apps and services never log user metadata and manage encryption keys exclusively on users’ devices. These apps include Silent Phone, for secure mobile voice and video calls; Silent Text, for encrypted mobile messaging with attachments up to 100MB and “Burn Notice” auto-delete protection; and Silent Phone for Desktop, for encrypted voice and videoconferencing on Windows PCs. Options in Silent Circle’s service bundles include Out-Circle Access, which lets Silent Phone users place calls to conventional phone numbers*, and the Silent Circle Management Console, a secure Web portal letting customers rapidly purchase, organize and disseminate Silent Circle’s apps for employees’ devices. The new bundles include:

Silent Circle Mobile (for business and personal use)

Silent Phone and Silent Text for $9.95/month or $99.95/year, per subscriber

Optional Out-Circle Access for an additional $23.95/month or $249.95/year, per subscriber

Silent Circle Enterprise (for business use only)

Silent Circle Mobile with Silent Circle Management Console for $139.95/year, per subscriber

Optional Out-Circle Access for an additional $249.95/year, per subscriber

Optional Silent Circle Desktop for an additional $69.95/year, per subscriber

Silent Circle Desktop (for business and personal use)

Silent Phone for Desktop for Windows PCs for $69.95/year

“Greater awareness of privacy threats and business losses linked to global surveillance is prompting more organizations to pull back from vulnerable communications mediums and seek alternatives that are inherently more secure, enterprise-ready and flexible enough to cover corporate and employee-owned devices,” Snedecor continued. “Anticipating these demands, our breakthrough peer-to-peer encrypted platform protects a host of executives’ and officials’ private communications through the devices they already carry without the need for additional infrastructure, IT overhead costs or usability trade-offs.”

*Currently limited to PSTN calls in U.S., Canada and Puerto Rico.

ABOUT SILENT CIRCLE

Silent Circle is a global encrypted communications service headquartered in Washington D.C. providing a revolutionary peer-to-peer platform for encrypted voice, video, text and file transfer on mobile devices via a secure, proprietary network, software and mobile apps. Silent Circle was co-founded by Mike Janke, former Navy SEAL and best-selling author and Phil Zimmermann, the world famous Silicon Valley creator of Internet encryption for voice and data and 2012 inductee into the Internet Hall of Fame. For more on Silent Circle, go to: https://www.silentcircle.com

Article source: http://www.darkreading.com/authentication/silent-circle-announces-new-service-bund/240160963

Dark Reading Launches New Tech Center On Security Analytics

This week Dark Reading launches a new feature: the Security Analytics Tech Center, a sub-site of Dark Reading devoted to bringing you more detailed news, insight, and in-depth reporting on the use of security data analysis techniques to identify sophisticated threats and improve enterprise defenses.

Security Analytics is the 22nd of our Dark Reading Tech Centers, which are drill-down sections designed to provide you with a more focused view of specific issues, threats, and technologies in the world of IT security. The Tech Centers offer in-depth reports and studies, breaking news, and links to additional articles and information not found on the main Dark Reading home page. Just as a traditional newspaper offers in-depth sections or supplements on sports, entertainment, or politics, the Dark Reading Tech Centers provide an additional range of news and information for readers who have an interest in specific aspects of IT security.

While Dark Reading has always covered issues related to security information and event management, data forensics, and incident response, recently we have seen a pronounced movement toward data analysis as a means of identifying persistent threats that are designed to slide under the radar of traditional security detection tools. By using sophisticated data analysis techniques, many enterprises are finding that they are able to more quickly find and stop obfuscated attacks that otherwise might have gone unnoticed.

These sophisticated security data analysis techniques – collectively known as security analytics – are also enabling some enterprises to identify attack trends that are specific to their own IT environments. By studying security data in depth, they find, it is sometimes possible to develop more effective, tailored defenses that improve overall enterprise data security.

The new Security Analytics Tech Center will take a deeper look at these changes in security data analysis, and offer insights on the tools, techniques and best practices for analyzing security information, including emerging methods that use “big data.” The goal of the Security Analytics Tech Center is to help you see how you can leverage these emerging tools and best practices in your enterprise tasks to identify nascent attacks and improve enterprise defenses.

Of course, the creation of this new Tech Center doesn’t mean that our coverage of security analytics on the main Dark Reading site will decrease. You’ll continue to see news and analysis of new strategies for forensics and incident response on our home page and in our opinion section. But when you click on those stories or blogs, you’ll be brought here, to the Tech Center, so that you can see the full range and depth of analysis that we offer on the topic, and gain additional context to support what you’re reading.

We think this new Tech Center will help provide more depth and context around your challenges in security forensics and incident response. But in the end, this is your site. Please let us know what you think of the Tech Center, our coverage of security analytics, and what you’d like to see us cover in more depth. We can’t guarantee we’ll answer every query with a story or in-depth report, but we’ll do our best to meet your needs for additional information and analysis.

If it has to do with analyzing security data, emerging threats, or cyber forensics, you’ll find coverage on Dark Reading. And if you don’t, let us know – our goal is to be the most comprehensive source of security news and information on the Web.

Article source: http://www.darkreading.com/dark-reading-launches-new-tech-center-on/240161004

So You Wanna Be A Pen Tester?

If you’re looking to advance your career in the world of security, then you probably have a lot of questions about what you should do – what books to read, what groups to join, what training or certifications to get.

Ten years ago, I would have shared a short list of books and courses. These days, the number of options has multiplied to the point where it’s almost a precondition to know what specialization you want to pursue – from being a “penetration tester” to a “forensics expert” to a “SOC analyst” or “compliance analyst.” There are many paths to go down, and each calls for a different set of skills. In this article, we’ll assume you want to become a penetration tester.

Let’s also say you have the drive to become a good pen tester, maybe even a great pen tester. You’re not reading this because you think there’s a decent paycheck at the end of it.

Like anything you set out to do, it’s best to start with the fundamentals. I’ve been teaching, training, and leading penetration testers for a long time, and the ones who always wind up the best have a thorough understanding of what’s going on under the hood. Are you already a great sys admin who understands the nuances of many operating systems, or a professional developer who has a deep background in one or more languages? Perfect. You have a big advantage, over the long term, compared to the people getting into security without understanding how things work, including those with lots of letters after their names. Most of the pen-testing-related certifications test you on a thin level of knowledge across a broad domain, which belies the true complexity of pen testing. Or they gauge your ability to run tools, which just validates that you’re a script kiddie. To be more than a tool jockey, here’s what you should consider:

Learn to program. It doesn’t matter what language, although C is a good language that forces you to understand many key concepts. Too hard? Try PHP, Python, or Ruby. Eventually, you’ll want to progress to lower-level languages. Keep in mind you don’t have to be the best programmer in the world; you don’t even have to be decent. But you must have a strong understanding of how applications work and how they interact with one another (e.g., the OS, services, other applications).

In order to break an application, you must be able to think like a developer. In order to think like a developer, you must understand how they build applications, along with the programming models and paradigms they use. So it’s important to learn the common design patterns and algorithms used by programmers. That way, when you’re breaking an application, you have a reasonable basis for answering questions like, “How did they implement this functionality?” and, “What didn’t they think of when writing this code?” Then, finally, “How can I leverage that gap to break their application?” Building an attack on an assumption that rests on another assumption should be considered de rigueur. Layered assumptions, sometimes almost a leap of faith, underlie many of the more sophisticated and elegant exploits.

Many other subjects are worth studying as well. Learn the basics of networks by setting up and running your own home network. That way, you’ll gain an understanding of how network administrators view the world. Learn operating system nuances by building your own home servers so that you better understand how system administrators view things. Read Security Engineering, and learn how to think like a security engineer. You may even take a look at the concepts in the CISSP domains. A solid foundation in security concepts is essential to understanding how security should work and how it shouldn’t.

At the risk of trotting out the too-oft quoted Sun Tzu, “If you know your enemy and know yourself, you can fight a hundred battles without disaster.” You learn programming, networks, and system administration because if you know how to think like a programmer, sysadmin, and network administrator, then you’ll be much more effective at breaking in.

This is why security is harder and more dynamic than other IT areas. You not only have to be able to learn and understand multiple domains (i.e., programming, networking, administration, architecture) and be able to adopt their perspectives, but you also have to figure out how to break them using knowledge often drawn from multiple domains.

The early years of my professional career (and a great deal of my free time) were spent reading as much as I could put my hands on, learning on my own, and studying all of the available texts that were out there. When I started, there was only one book on the shelves that had anything to do with security. Now there are so many options you could spend all of your time just reading security books. But don’t make that mistake. Start with the fundamentals. Once you have the base knowledge, security topics become dramatically easier to comprehend.

Article source: http://www.darkreading.com/intrusion-prevention/so-you-wanna-be-a-pen-tester/240161007

Monday review – the hot 17 stories of the week

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

General interest

Facebook privacy, Google security bug, Law Enforcement victories – 60 Sec Security [VIDEO]

Sophos honoured with Partnership Award by Queensland Police

Nokia is dead. Long live Nokia!

US Army ignores shared PC login flaw, asks soldiers to keep quiet

Hacking and scams

Anatomy of a phish – a “generic mass targeted attack” against WordPress admins

Law and order

15 years jail time for Romanian card heist ringleader, 5 for light-fingered company president

Lawyers report steep rise in employee data theft cases

Cyberextortion by US gov, or simple P2P security lapse by medical firm?

Social networks

Has Facebook violated its 2011 Federal Trade Commission settlement?

Does posting photos of your child on Facebook make you a bad parent? [POLL]

Another 5 tips to help keep you safe on Facebook

Twitter makes good on promise to make abuse reports easier and more obvious

Facebook vulnerability that allowed any photo to be deleted earns $12,500 bounty

Cryptography

Faces, gestures, heartbeats – how will the passwords of the future work?

OS and software

Get ready: Microsoft Patch Tuesday looms large with 14 patches and 8 remote code execution holes

Google coding glitch locks Apple iOS users out of on-line accounts

Privacy and online safety

Database of illegal downloaders – are British ISPs to become the “music NSA”?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L9wVlVaaWvs/

Windows Picture Passwords – are they really as “easily crackable” as everyone’s saying?

If you’ve used Windows 8, or even just seen the ads for it, you’ll know it has a feature called Picture Passwords.

You choose a picture, any picture, and then “annotate” it with three finger movements: you can tap a point, draw a stroke, or sweep a circle.

The picture helps you to remember where you made the gestures, so you can repeat them reliably enough to pass the test and unlock your device.

If you have a touch screen tablet, Picture Passwords are surprisingly handy. (Pun intended.)

But how safe are they?

One of the ads I’ve seen for Windows 8 made a pretty big deal out of the coolness of Picture Passwords, and illustrated their convenience with a login sequence to which my immediate reaction was, “Surely not?”

The ad showed a picture of someone’s two young daughters, heads close together and looking at some distant object; the password involved circling their heads and then drawing a line in the direction they were looking.

That struck me as far, far too easily guessed; a bit like an ad showing someone choosing the keyboard password SECRET and implying that would be good enough.

→ The question of whether you should be using something as personal as your children’s pictures as a background visible even on a locked device is another issue entirely. I advise against it, but we shan’t consider that further here.

Others were concerned, too, including four security researchers from Arizona State University and Delaware State University.

They actually tried to measure the safety of Picture Passwords in a paper presented at last month’s USENIX Security Symposium.


When the media got stuck into their work last week, the conclusions were often uncomplimentary, with headlines like Windows 8 picture passwords easy to crack and Windows 8 Picture Passwords Easily Cracked.

But what did the researchers really find?

How do you go about cracking Picture Passwords, anyway?

For text passwords, it’s fairly obvious what you do: start at AAAAA and go to ZZZZZ (that’s brute force, where you try all possibilities), or take some shortcuts and start at ABASH and end at ZESTY (that’s a dictionary attack, where you try only the likely ones).

Will this work for pictures?

According to Microsoft’s help page, even brute force attacks are impossible [my emphasis below] because there is no limit to the number of possible picture passwords:

Because you choose the picture and the shapes you draw on it, the combinations are infinite — a picture password is actually more secure from hackers than a traditional password.

Oh dear. That’s the marketing department getting technical, I imagine.

Fortunately, wiser minds – the developers themselves, in fact – have published a much more sober (and well worth reading) paper on the design, implementation and likely strength of Picture Passwords, and they estimate that there are just over 1,155,000,000 (a billion-and-a-bit) possible Picture Passwords if three gestures are used.

→ You should read the Microsoft paper if you want to know the details of how Picture Passwords are calculated (the screen is chopped into a grid with 100 squares on the longer side), and how they are tested (various degrees of inaccuracy are tolerated when you repeat your gestures).

So a brute force attack is certainly possible, where you ignore the picture entirely and just try every possible tap-click-circle combination.

You’ll have just over 2^30 passwords to try (that’s a billion-and-a-bit).

That’s only about four times as many as there are six-character passwords using the characters A to Z, and no-one is seriously suggesting six-character, letters-only passwords these days.

Furthermore, the equivalent of a dictionary attack is possible, too, if you can identify the most likely Points of Interest (PoIs) in the password picture.

The Microsoft team actually tried to evaluate what effect the complexity of the image had on passwords, and the results were quite dramatic.

With ten PoIs, such as heads, noses, dogs, cats, flowers and so forth, and with gestures based around those PoIs, they estimated that there are about 8,000,000 possible passwords; with five PoIs, you’re looking at only about 420,000 different passwords.

That does indeed sound rather limited, equivalent to 23-bit and 19-bit keys respectively.

Online attacks

Of course, we already have an environment where we routinely use 13-bit or 14-bit keys in comparative safety: the PIN on a mobile phone SIM card is only four digits; on a credit card, usually five digits.

Such short passwords are rendered safe by strictly limiting the number of wrong attempts before you get locked out.

And that’s what Microsoft has done with Picture Passwords: you can’t use them remotely, only if you have physical access to the device, and after five mistakes, you have to switch to using your old-fashioned text password.

So, someone who has a copy of your password picture would have to pre-compute their five best guesses, based on what they know about PoIs and the most likely gesture sequences to go with them, like the “circle your daughter’s heads and look where they are looking” password I described above.

Having done that, what’s the chance they’ll get in?

Groovily, the authors of the USENIX paper quantified that, using a realistic test set of just over 10,000 passwords that they constructed.

Very simply put, here’s how well they did:

Automated PoI recognition, 1st guess: Correct  8 in 1000
Manual PoI recognition, 1st guess:    Correct  9 in 1000

Automated PoI recognition, 5 guesses: Correct 19 in 1000
Manual PoI recognition, 5 guesses:    Correct 26 in 1000

That’s perhaps not “easily cracked,” as the headlines proclaimed, but it’s certainly cause for concern when compared against the less than three-in-10,000 chance of correctly guessing a randomly chosen four-digit SIM or credit card PIN.

More precisely, perhaps, it would be cause for concern if there really were just a 0.03% chance of guessing a four-digit PIN code.

But experience suggests that there will always be users who tilt the odds in the favour of the crooks, since not all four-digit codes are equally likely.

For example, Apple iPhone developer Daniel Amitay estimated in 2011 that a “five most likely” list of Apple iPhone lock codes (1234, 0000, 2580, 1111, 5555) would get you in more than 110 times out of 1000.

Against that measurement, the worst case of 26 times out of 1000 for guessing Picture Passwords doesn’t sound quite so bad.

So, if you use Picture Passwords, don’t make it easy for the crooks: choose pictures with lots of PoIs, and don’t just “do the obvious” when you choose the gestures you’re going to use.

In short, read the Microsoft developers’ paper and treat their example image and gestures as excellent advice on what NOT to do!
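The lockout described above is what turns a 19-to-30-bit secret into something survivable online. The following is an added example, not Microsoft’s implementation and not code from the article: a small model of a local-only login gate that closes the picture route after five wrong gestures until the text password succeeds, plus a helper that turns a per-rank guess list into the “how often do five guesses get in” figure. The class name, the byte encoding of gestures and the per-rank hit rates are assumptions; the rates are constructed so that they add up to the article’s 9-in-1000 (one guess) and 26-in-1000 (five guesses) totals.

```python
import hmac

MAX_PICTURE_FAILURES = 5   # the article's figure: five wrong gestures, then text password only


class PictureLoginGate:
    """Hypothetical local-login gate modelling the lockout the article describes.

    Picture attempts are only accepted from the local device (no remote path
    exists here at all), and after MAX_PICTURE_FAILURES wrong gestures the
    picture route stays closed until the text password succeeds.
    """

    def __init__(self, picture_secret: bytes, text_password: bytes):
        # Stored here as raw bytes only to keep the model short; a real store
        # would hold salted, stretched hashes rather than the secrets themselves.
        self._picture = picture_secret
        self._text = text_password
        self.failures = 0

    def picture_locked(self) -> bool:
        return self.failures >= MAX_PICTURE_FAILURES

    def try_picture(self, attempt: bytes) -> str:
        """Return 'locked', 'ok' or 'wrong'; comparison is constant-time."""
        if self.picture_locked():
            return "locked"
        if hmac.compare_digest(attempt, self._picture):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "wrong"

    def try_text(self, attempt: bytes) -> bool:
        ok = hmac.compare_digest(attempt, self._text)
        if ok:
            self.failures = 0   # a good text login re-opens the picture route
        return ok


def online_success_rate(guess_hit_rates, attempts: int = MAX_PICTURE_FAILURES) -> float:
    """Share of victims an attacker unlocks with at most `attempts` tries.

    guess_hit_rates[i] is the fraction of users whose secret is the attacker's
    (i+1)-th best guess; the guesses are distinct, so the fractions add up.
    """
    return sum(guess_hit_rates[:attempts])


# Constructed per-rank hit rates (the article only gives totals): they sum to
# 9/1000 for the first guess and 26/1000 for five guesses, the manual-PoI figures.
MANUAL_POI_GUESSES = [0.009, 0.006, 0.005, 0.003, 0.003, 0.002, 0.002]

if __name__ == "__main__":
    secret = b"tap:12,40|circle:50,55,8,cw|line:10,10,90,90"   # constructed gesture encoding
    gate = PictureLoginGate(secret, b"correct horse battery")
    for i in range(MAX_PICTURE_FAILURES + 1):
        print(f"attempt {i + 1}: {gate.try_picture(b'tap:1,1|tap:2,2|tap:3,3')}")
    print("correct gesture after lockout:", gate.try_picture(secret))
    print("text fallback:", gate.try_text(b"correct horse battery"))
    print("picture route reopened:", gate.try_picture(secret))
    print(f"best-5 online attack succeeds against {online_success_rate(MANUAL_POI_GUESSES):.1%} of users")
```

The sixth attempt in the demo is the correct gesture, and it is still refused: once the counter hits five, the only way forward is the text password, which is the property that makes a small gesture space acceptable for an online attacker who cannot reach the device remotely.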

Offline attacks

I’ll conclude by mentioning something that the USENIX paper touches on, and which is perhaps the most important and as yet unquantified aspect of Picture Passwords: offline attacks.

How Picture Password data is stored, and how password attempts are tested against the database, is proprietary.

With an effective key size of just 30 bits, it is vital to set a very high cost for testing each potential password against an offline copy of the password database.

That requires a computationally expensive Key Derivation Function (KDF).

That’s the algorithm by which you convert the digital representation of a password gesture (from a password space of 30 bits) into a unique and pseudorandom choice out of a much larger set of keys, say 128 bits’ worth.

Doing this means that an attacker can’t predict which 2^30 out of the 2^128 keys represent a picture password: they have to calculate the list first, even for a brute force attack.

You needn’t inconvenience your users with a KDF, since the extra password validation effort only applies once to each login attempt, but you can make it computationally impractical to try all 2^30 possibilities.
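To make both the key-size arithmetic earlier in the article and the KDF argument above concrete, here is an added example in Python; it is not Microsoft’s proprietary scheme and not code from the article. It turns a password-space size into an effective key length (reproducing the 30-, 23- and 19-bit figures), canonicalises a gesture sequence that has already been snapped to the 100-cell grid the article mentions, stretches it into a 128-bit key with PBKDF2-HMAC-SHA256, and estimates how long a full 2^30 sweep against one stolen record would take. The gesture encoding, the PBKDF2 choice, the iteration count and the sample gesture are all assumptions for the example.

```python
import hashlib
import hmac
import math
import os
import time

# Grid size quoted in the article: 100 cells along the longer screen edge.
# The gesture encoding, the PBKDF2 choice and the iteration count below are
# assumptions for this example, not Microsoft's proprietary scheme.
GRID_LONG_SIDE = 100
KDF_ITERATIONS = 200_000   # assumed cost parameter for the demo
KEY_BYTES = 16             # 128-bit derived key, as in the article


def key_bits(password_space: int) -> int:
    """Effective key size in bits of a password space with this many members."""
    return round(math.log2(password_space))


def encode_gesture(gestures) -> bytes:
    """Canonical bytes for a gesture sequence whose coordinates are already
    snapped to grid cells. Constructed format: one ('kind', args...) tuple per
    gesture, e.g. ('tap', 12, 40) or ('circle', 50, 55, 8, 'cw'), joined by '|'.
    Any integer argument outside the grid is rejected before hashing."""
    for g in gestures:
        for v in g[1:]:
            if isinstance(v, int) and not 0 <= v < GRID_LONG_SIDE:
                raise ValueError(f"coordinate {v} outside {GRID_LONG_SIDE}-cell grid")
    return "|".join(",".join(str(p) for p in g) for g in gestures).encode()


def derive_key(gestures, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the ~30-bit gesture secret into a 128-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", encode_gesture(gestures), salt,
                               iterations, dklen=KEY_BYTES)


def enrol(gestures, iterations: int = KDF_ITERATIONS) -> dict:
    """Store salt, iteration count and derived key; the gesture itself is never stored."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(gestures, salt, iterations)}


def verify(record: dict, gestures) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = derive_key(gestures, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def offline_attack_years(password_space: int, seconds_per_guess: float, cores: int = 1) -> float:
    """Wall-clock years to try every password against one stolen record."""
    return password_space * seconds_per_guess / cores / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, space in [("three-gesture space", 1_155_000_000), ("ten PoIs", 8_000_000),
                         ("five PoIs", 420_000), ("six letters A-Z", 26 ** 6)]:
        print(f"{label:20s} {space:>14,d} ~ {key_bits(space)}-bit key")
    secret = [("tap", 12, 40), ("circle", 50, 55, 8, "cw"), ("line", 10, 10, 90, 90)]
    record = enrol(secret)
    t0 = time.perf_counter()
    accepted = verify(record, secret)
    per_guess = time.perf_counter() - t0
    print(f"correct gesture accepted: {accepted}; one PBKDF2 check took {per_guess * 1000:.0f} ms")
    print(f"full 2^30 sweep: {offline_attack_years(2 ** 30, per_guess):.1f} core-years, "
          f"{offline_attack_years(2 ** 30, per_guess, 1000) * 365:.1f} days on 1000 cores")
    print("nearby wrong gesture accepted:", verify(record, [("tap", 13, 40)] + secret[1:]))
```

Two things the numbers make obvious. First, the comparison with six letters A to Z comes out at 28 bits, so the “about four times as many” remark holds. Second, a 100 ms KDF buys roughly 3.4 core-years per record, which is enough to frustrate a casual attacker but, at 30 bits, only about a day for a thousand cores; the KDF cost has to be set with that ceiling in mind rather than chosen by feel.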

So here’s a free-of-charge technical and marketing suggestion for Microsoft.

Go public – heck, go open source! – with the way that Picture Passwords work, from how they’re stored to how the KDF is calculated.

You’d let outside experts assess the risk of offline attacks, which would be technically valuable.

And you’d get great positive publicity for openness, considering the current brouhaha facing proprietary software vendors over the cryptographic influence of the world’s intelligence services.

Just saying.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_LVd5sEaKNc/

Yahoo hops on transparency report bandwagon

In the last few months the giant companies which provide our favourite internet services have been falling over each other to prove their dedication to openness and transparency.

Thanks to PRISM and the numerous other shocks unveiled by Edward Snowden’s leaked cache of secret documents, just how much of our data is accessible by government agencies, and how they go about getting at it, is a major question for many people.

Reassuring us that our data is kept as private as possible is thus a must for any provider hoping to hang on to its users.

So, there will be little surprise that Yahoo! Inc. has published a breakdown of which governments have been asking for info on its users, and what data has been handed over.

Following similar reports from Google and more recently Facebook, Yahoo’s first Transparency Report covers the first half of 2013, with figures for 17 countries. It has promised to update it every six months.

The limited number of regions featuring in the report is due to it only covering countries where Yahoo maintains a ‘legal entity’ – essentially, a corporate presence. In other areas, users should be protected from having their government snoop into their doings on Yahoo sites, as there is no local Yahoo branch for the government to put pressure on.

The countries which do have power to request data seem to do so with the usual regularity.

Unsurprisingly, the US tops the list, with 12,444 requests made affecting 40,322 separate users. This is mainly due to a very large user base in Yahoo’s native land, where it is the fourth most popular website and picks up a third of its traffic.

[Chart: US data requests]

The second biggest hitter is Germany, at 4,295 requests covering 5,306 user accounts. This is a little more of a surprise as Yahoo’s popularity is somewhat lower in Germany than elsewhere, only just scraping into the top ten sites.

Third place goes to Italy, which asked for info on 2,937 people in 2,637 separate requests. Taiwan (where Yahoo is the most visited site), France, the UK and India made between 1,000 and 2,000 requests, covering between 2,000 and 3,000 user accounts each.

Perhaps more interesting than these raw numbers of requests are the details of how requests were responded to.

Yahoo has helpfully broken down the information, showing how many requests were rejected, how many failed to turn up any information, how many produced user metadata and how many led to actual content (which could include anything from email and messenger traffic to calendars, address books or Flickr photo stashes) being revealed to governments.

Looking at some of these metrics, Hong Kong stands out as something of an outlier.

[Chart: Hong Kong data requests]

Although, uniquely, the country’s authorities had no requests turned down, a rather large 36% returned ‘no data found’. This suggests, perhaps, that although Hong Kong agencies are very good at ensuring they only put in requests backed up by full legal propriety, they are also somewhat prone to fishing expeditions.

Presumably, if they take an interest in a particular person, they simply send out requests for account information to all potential providers. Yahoo is the fourth most popular site in Hong Kong, on a par with its overall significance worldwide, so police and snoops might fairly expect many of their suspects to hold accounts.

Even when accounts were found to exist, in-depth information was rarely forthcoming, with only 1% returning actual user content. The remaining 63% produced user metadata only, although it’s not made clear whether requests generally were for actual content – in many cases, cops may only be after details of IP addresses, for example.

The opposite is true of Canada, where requests were pretty limited at only 29, covering 43 users, but all of them turned up at least some data on the person of interest, barring only a single rejected request.

90% of all Canadian requests produced actual content, implying that the Mounties only go after data they are fairly sure exists and that they can legally demand.

Ireland also failed to turn up any ‘no data’ entries, but had a rather higher rejection rate, and received only metadata in 70% of cases.

Canada’s neighbours to the south had a similarly high hit rate, with only 2% of requests from US agencies rejected by Yahoo and 6% returning no data, but a much higher 55% produced only metadata. Again, it’s entirely possible that this was all they were after.

Another country with a high percentage of failed requests is Australia, with 21% returning no data and 34% rejected as lacking adequate legal backing. This reflects rather dimly on the Australian authorities, as not only are they fishing for data rather randomly, they’re also often doing it without adequate justification.

India also managed to have 34% of requests turned down, and Singapore – the leader on this scale – had 41% failing to show the proper legal standing. The UK’s rejection rate is also pretty high, at 27%.

All in all, some interesting numbers are revealed here. Yahoo may not have the clout of Google, Facebook, Microsoft and Apple these days, but it remains a major player, boasting half a billion users worldwide and a $5 billion turnover.

Although that’s only a tenth of the revenues Google generates, its contribution to our privacy (or lack thereof) is well worth keeping an eye on.

If you are a Yahoo user, and live in a region where Yahoo has a major presence, you may want to cast an eye over the numbers for yourself, check out how your government has been acting and ponder what it means.

Are you happy to live in a state which routinely fishes for information on its people’s online lives, or are you lucky enough to live somewhere where the authorities make only limited and controlled requests?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-PQP_8uxpyc/

Google to encrypt data “end-to-end” in effort to block NSA and other agencies

Google is stepping up efforts to toughen data encryption in an effort to limit unofficial snooping on user information in the wake of the revelations about the NSA and PRISM.

Speaking to the Washington Post, Eric Grosse, vice president for security engineering at Google said “It’s an arms race”, as he described government hackers as “among the most skilled players in this game.”

In the aftermath of leaked documents from Edward Snowden, suggesting that some US companies have made it easy for information to flow to the government, Google is keen to show it is doing its utmost to protect its users’ privacy.

The company did say, however, that it would still have to comply with any legally approved Foreign Intelligence Surveillance Act (FISA) requests and would hand over data whenever obligated to. Google, like Microsoft, is currently taking steps to sue the US government to gain permission to disclose just how many FISA requests it receives each year.

If such details do enter the public domain they could prove interesting reading, in conjunction with recent disclosures from companies like Yahoo, who revealed that it had received 12,444 requests for data from the US government in the first six months of this year.

Google officials declined to pass comment on how exactly the new encryption techniques would work, or what technology would be employed, though it does already have some experience in the field. Google implemented encryption with its Gmail service back in 2010 and then, later, did the same with many web queries using its own search engine.

While this affords protection to data travelling between Google and its users, it does not cover its data centres, where a huge amount of information (e.g. web searches, emails and browsing histories) is stored and transmitted between them on high-speed fibre-optic lines.

Google officials did say that the new encryption will be “end-to-end” which suggests it will cover both the data centres and the connections between them, thus mitigating one vulnerable point of entry to potential snoopers.

Having accelerated the encryption program back in June, following the controversy over PRISM, Google is now apparently “months ahead” of its original deployment schedule with completion due very soon.

While this move from Google may not completely guarantee that data will remain private, it will likely bring some good PR the company’s way and at the same time make eavesdropping a far more time consuming and costly activity.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C0VjdubiFNw/