Tag Archives: Cryptography

DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

Web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. They allow a user to set up a secure connection between their computer and the organisation’s website. Browsers will show a little lock or some other icon to signify the certificate has been found and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates had been issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

Why do we think this was about Iran?

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.

Moreover the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as “I will sacrifice my life for my leader” and “unknown soldier”.
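The validation-request analysis described above (lookups for the rogue certificates, grouped by where they came from) can be sketched as follows. This is an added example, not code from the original post or from the investigators; the log format, serial numbers, issued-serial list and function names are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Serials the CA's own records say it issued (constructed for this example).
ISSUED_SERIALS = {"AAAA0001"}

# Constructed OCSP responder log. Assumed format: timestamp, certificate
# serial, requester country (src_cc, from GeoIP enrichment), response status.
SAMPLE_LOG = """\
2011-08-28T08:01:10Z serial=AAAA0001 src_cc=NL status=good
2011-08-28T08:02:11Z serial=FFFF0531 src_cc=IR status=good
2011-08-28T08:02:40Z serial=FFFF0531 src_cc=IR status=good
2011-08-28T08:03:05Z serial=FFFF0531 src_cc=US status=good
2011-08-28T09:15:00Z serial=FFFF0531 src_cc=IR status=good
2011-08-28T09:16:30Z serial=FFFF0531 src_cc=IR status=good
2011-08-29T07:00:01Z serial=AAAA0001 src_cc=DE status=good
2011-08-29T07:10:00Z serial=FFFF0531 src_cc=IR status=good
2011-08-29T07:11:00Z serial=FFFF0531 src_cc=IR status=good
2011-08-29T07:12:00Z serial=FFFF0531 src_cc=IR status=good
this line is truncated and must be skipped
2011-08-30T10:00:00Z serial=AAAA0001 src_cc=NL status=good
2011-08-30T10:05:00Z serial=FFFF0531 src_cc=IR status=revoked
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ serial=(?P<serial>[0-9A-F]+) "
    r"src_cc=(?P<cc>[A-Z]{2}) status=(?P<status>\w+)$"
)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def unrecorded_serials(records, issued):
    """Per-country request counts for serials the CA has no record of issuing."""
    by_serial = defaultdict(Counter)
    for rec in records:
        if rec["serial"] not in issued:
            by_serial[rec["serial"]][rec["cc"]] += 1
    return by_serial


def daily_volume(records, serial, cc):
    """Requests per day for one serial from one country (shows any drop-off)."""
    days = Counter(
        rec["day"] for rec in records
        if rec["serial"] == serial and rec["cc"] == cc
    )
    return dict(sorted(days.items()))


def report(log_text, issued, min_share=0.8):
    """Flag unrecorded serials and how concentrated their lookups are."""
    records = list(parse(log_text))
    findings = []
    for serial, countries in sorted(unrecorded_serials(records, issued).items()):
        total = sum(countries.values())
        top_cc, top_n = countries.most_common(1)[0]
        share = top_n / total
        findings.append({
            "serial": serial,
            "requests": total,
            "top_country": top_cc,
            "share": round(share, 2),
            "concentrated": share >= min_share,
            "daily": daily_volume(records, serial, top_cc),
        })
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG, ISSUED_SERIALS):
        print(finding)
```

A serial that clients are validating but that the CA never recorded issuing is the first signal; the per-country share and the per-day counts are what let an investigator say where the certificate was being used and when that use tailed off.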

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get a hold of those certificates, or work around them. This is a brazen attempt to do this.

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

But the fact that the certificates were stolen and then used seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered, meaning all browsing and emails. But it also may have captured cookies, meaning passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

Moreover, some of the certificates compromise something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised, the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

Should other people be worried?

Yes. Some browser developers have been more forthcoming than others; Google Chrome and Firefox have been quick to respond. Others less so. If you’re in Iran or think you may be targeted, it’s a good idea to change your password, and to check that no one has altered your forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopedia

Foiling EMI

Further to my rant yesterday about digital rights management, my friend Mark tells me that getting around the Coldplay X&Y copy protection is easy — just rip it on a Mac. He’s right, at least for me: Works like a dream, after no joy at all on two ThinkPads.

This may not be true with all copies of the CD. I bought mine in Hong Kong in 2005, although it appears to be imported from Europe. A piece on ConsumerAffairs says the “CD’s restrictions also prevent it from being played or copied on Macintosh PCs.” Some folk reported problems playing it on their Macs.

Hopefully this idiocy will not last much longer. Boing Boing reported a couple of weeks ago that EMI was apparently ending copy protection on new CDs, although I’ve not seen anything since. If this is true, I suggest we all send our Coldplay and other copy protected CDs back to EMI and demand copies without DRM on them.

Whatever Happened to Geo-encryption?

Ok, not the question on the tip of your tongue, but bear with me. Geoencryption, or geo-encryption, boils down to: How about if you could only access data when you’re at a certain spot? 

It’s not a new idea: the brains behind it, Dorothy Denning, a veteran of cryptology, has been talking about it for at least a decade. When people were last getting excited about it, in the wake of 9/11, it was all about movie studios being able to release films digitally, confident that only movie theaters could decrypt them, or coded messages to embassies that could only be deciphered within the building itself. Now we probably know better: with more accurate GPS, and with GPS in phones, one could imagine much more portable uses, such as transmissions to the field that could only be deciphered once the recipient is in location, or automatically encrypting data if a device is moved without authorisation.

But not much seems to have actually happened since then. Geocodex, the company she helped set up, doesn’t seem to have an active web site: this one is blank, and has been since its inception (it was registered under the name Mark Seiler, a movie executive who set up the company in around 2000). She does have a string of patents, though, the most recent of which was approved on November 28. Of course, the patent isn’t new: It was filed five years ago to the month. But it does seem to be the only one that mentions geo-encryption. So does this mean something will now happen?

Some pieces: 

Geo-Encryption: Global Copyright Defense? from Slashdot, April 2002

How Geo-Encryption Makes Copyright Protection Global, CIO Insight, April 2002

Using GPS to Enhance Data Security at GPS World

and a profile of Dorothy Denning by Anne Saita, Information Security, Sept 2003, her homepage at the Center on Terrorism & Irregular Warfare and at Georgetown U.

Update Dec 13 2006: after writing to Dorothy Denning I received this back from Mark Seiler:

It is still a bit premature for us to discuss GeoCodex publicly. Granted, after seven years, the word “premature” seems strange in any context. However, there are still other, related patent filings that we anticipate receiving shortly. This is not to say that we are not active while waiting on the patent office. This past year we began field trials for several different geo-encryption applications and additional test deployments will be on-going in 2007.

We expect to start making announcements towards the middle of the year. If you’d like, we’ll make a note and give you a “heads up” at the appropriate time.

Although it’s taken much longer than we would have hoped, we still believe that geo-encryption – and GeoCodex in particular – offers a unique solution to the problem of protecting digital content.

Mark

Hang On, I’m Just Calling My Getaway Car

A bank in Chicago has banned use of cellphones in five of its branches, hoping to prevent the bad guys from communicating with each other during a robbery, according to UPI:

“We ban cell phone use in the lobby because you don’t know what people are doing,” Ralph Oster, a senior vice president [of the First National Bank], told the Chicago Tribune. Cell phone cameras are also a worry.

Oster said there have been holdups in which bandits were on the phone with lookouts outside while committing bank robberies.

As the piece points out, this isn’t the first such ban: West Suburban Bank, based in Lombard, Ill., barred customers wearing hats in January but has not moved to silence cell phones.

Does this make sense? Well, in some ways it does. If there’s a guy hanging around the bank on the phone, it could be that he’s coordinating his getaway car, and you would want to try to nip that kind of thing in the bud. It does happen. By stopping him (or her) from using a cellphone he may decide not to rob your bank, but the one next door instead, where cellphones aren’t banned.

However, where does it stop? Would someone texting/SMSing be told to stop? And how would a security guard, however many PhDs he has, be able to tell the difference between someone jabbing away on a cellphone and jabbing away on a PDA? How about people using handsfree devices? Are they just singing/talking to themselves?

On the other hand, isn’t there an easier way? I would have thought a cellphone blocker would be a better idea (check out this excellent Google Answer on the difference between jammers (illegal in the U.S., since it involves actually interfering with the signal) and blockers (which build a shield around the location to block signals from penetrating it)).

Of course, there are downsides. How many times have you been in a bank and then realized you needed to contact a friend/colleague/family member to discuss how much money you should take out/deposit/borrow? As Bruce Schneier would say, devices can be used for both good and ill and if the good outweighs the ill, as it usually does, banning is stooopid:

We don’t ban cars because bank robbers can use them to get away faster. We don’t ban cell phones because drug dealers use them to arrange sales. We don’t ban money because kidnappers use it. And finally, we don’t ban cryptography because the bad guys use it to keep their communications secret. In all of these cases, the benefit to society of having the technology is much greater than the benefit to society of controlling, crippling, or banning the technology.

Biometrics Close To The Bone

Further to my column about fingerprint biometric scanners (subscription only), I’ve heard from a company working on a different kind of biometric security: via the bone.

Last week, Mass.-based RSA Security Inc. (the guys who make the SecurID number tag, called ‘a two-factor user authentication system’ in the jargon) announced a joint research collaboration with Israel’s i-Mature, specialists in ‘online age recognition’. The two vow to bring together RSA Security’s cryptographic expertise and i-Mature’s Age-Group Recognition (AGR) technology to “work towards a unique solution that would genuinely improve the safety of the Internet for children, by enabling both adult and children’s sites to restrict their content more reliably to their appropriate audience”:

i-Mature has developed an innovative technology that can determine, through a simple biometric bone-scanning test, whether a user is a child or an adult – and thereby control access to Internet sites and content. AGR technology could help prevent children from accessing adult Internet sites and prevents adults from accessing children’s sites and chat rooms.

As far as I understand it, users wanting to visit a website would be required to press their fist against a small scanner, which would work out whether they are 18 or above, or 13 or younger, and then determine, based on software installed at the website itself, whether they are old enough to visit it.

Although the i-Mature website focuses not on confirming the identity of the user but his/her age group, the press release suggests that RSA’s involvement would in fact bring some verification: The project would bring a “unique combination of technologies verifying that the person accessing the age-appropriate site is in fact who they claim to be,” the release says.

Obvious benefits? No need for the website itself to know who the user is or keep any data on them, since the scan is simply confirming age-group. Users can’t transfer their passwords or authentication tag to someone else (unless, I guess, they happen to be around and ‘fist’ themselves into the computer for another user). Also not much work for the parent or teacher to set things up. It might prove popular with public Internet access, since providers might be able to use it to limit underage surfing to a select number of websites.

Downsides? The website the person visits needs to have software installed to match the fist-tag. While some pornographic sites, for example, are going to be delighted to conform and limit access, I can’t imagine all of them are. And how many porn websites are there out there at any given point?

I assume RSA and (the rather oddly named) i-Mature are going to limit their targets to chat-rooms and more general websites, rather than the pornographic web. Indeed, the press release suggests as much: “The collaboration will include joint research as well as joint marketing activities around age-group recognition, including market education and engagement with government policy makers.”

Indeed, i-Mature has set its sights more broadly than the net: The press release says:

The protection and safety of children is also required outside the Internet arena. The AGR system complies with this since it is also compatible with mobile phones, television, video and DVD systems that can use AGR technology to prevent children from viewing harmful content. i-Mature can also partner with developers of computer games, online games and video games to block extremely violent and un-educational materials.

Sounds like something worth watching.

Didtheyreadit’s Response To Privacy Issues Part II

More on Alastair Rampell’s response to my privacy concerns about his new email monitoring service, didtheyreadit. (Here’s the first one.)

I wondered how the email addresses harvested by Rampell would be used (These would include all emails sent from and to recipients via the service since as far as I can understand it didtheyreadit, unlike MSGTAG, would work via tagging the email address, not the email itself. This would involve collecting the email address of sender and recipient). Alastair’s response: “We don’t harvest any e-mail addresses—I wasn’t sure to which e-mail addresses you are referring. We can send you e-mails to the account you register with, but we also allow you to opt-out at any time. We do not send any commercial e-mail or e-mail for any other companies to our customer list.” That’s not quite the complete denial I was looking for, but perhaps I wasn’t specific enough in my original post.

Another question I raised: How will Rampell prevent this service being used by spammers and other mass-mail marketers? Alastair’s response: “We limit you to 750 messages per month. Very few individuals will ever exceed this number…whereas all mass-mail marketers would.” Fair enough.

Although Alastair takes pains to address my general privacy concerns, I’m not sure I can agree with his arguments. He candidly writes, “I had a discussion with somebody last week who was offended and repulsed by the idea of our service; the reason why is because a criminal could use our service to tell if somebody was at home. (Although she recognized that a telephone call could be used for the same purpose).” I can agree with that: Privacy is a long tunnel that can suck you in if you’re not careful, one where everything is a threat, but while I don’t think didtheyreadit and MSGTAG represent threats to one’s physical safety, there are still some serious issues out there.

Take, for example, my question “Why is the service invisible by default?” (In other words, why is there no default notice in the email informing the recipient that the email they are reading is being tracked?) Alastair’s response: “I believe it is what the market demands.” He later goes on: “We are planning on doing a free version (like msgtag) that automatically places the disclosure there, as it is a form of marketing. In our initial tests, though, people who were trying the service were very concerned about having it disclosed to the recipients that the messages were being tracked.” I think that pretty much defines the problem. If someone sends a message to someone but doesn’t want them to know their message is being monitored, you’ve pretty much got yourself trapped in a privacy quagmire. If I do something to know something about you, but I don’t want you to know I am doing something to know something about you, then I would submit that as a default definition of snooping, or invasion of privacy.

What’s more, what kind of user would want to monitor their sent emails so invisibly? It’s hard to imagine they’re sending something to Aunt June or their son Bobcat. Given the other elements of didtheyreadit (monitoring exactly when, how long, where and how many times an email has been read) I’d say a consumer who demands the service be invisible may not be the kind of customer you’d be proud of having. What’s more, Alastair’s response to the issue of informing the recipient the email is being tracked is a rather strange one, in my view: Including a message informing the recipient might deter customers. “Even if it is an option,” he writes, “it will confuse a good deal of people who might avoid using our service as a result.” I can hardly agree with that. Including an option to address a serious privacy issue is only likely to deter folk who aren’t great respecters of privacy.

I had some other issues with Alastair’s company, not least because it sells products that inhabit a grey privacy area. They include a keyboard logger called Spector, and ViewRemote (“record everything that happens on your computer and watch it from any other computer in the world!”). Alastair’s response: “I realize that some of our other products are often considered invasions of privacy. However, we take great pains to make sure that the products (ViewRemote and Spector) are only used by authorized people. For example, you cannot install ViewRemote or Spector without entering your computer’s administrative password—so it can’t be installed without your permission. Installing Spector or ViewRemote on somebody else’s computer is not only a gross violation of privacy—but it’s also illegal. I feel that this is immoral and unethical, and thus we do not support it. But “spying” on your own computer, for lack of a better word, is sometimes necessary. Our products have been used to catch an employee stealing, identifying a pedophile, etc.”

I’m sure there are legitimate uses of such programs. But it leaves an uncomfortable taste that the company whose main products are what I would call stealth software is now selling a service that invisibly and remotely monitors the fate of emails. Alastair, who says his academic background is on the other side of privacy, via cryptography research, is at least discussing the issues, which is a good sign. But I am not sure I agree with him when he concludes that “I believe that DidTheyReadIt is relatively harmless. Yes, you can use it to catch somebody in a lie…but there are a wealth of legitimate purposes that give the sender more information (such as if the message was even received) without necessarily infringing upon the privacy of the recipient.”

My response: Yes, in the midst of spam’s deluge there’s definitely a legitimate market here for checking whether your email got to where it was supposed to go safely. But it shouldn’t be necessary to go beyond that, to check about aspects of its fate that should really be the private property of the recipient: How long the message was read, where it was opened, whether it was forwarded to others. Furthermore, didtheyreadit (and MSGTAG) need to address the issue of allowing the recipient to easily and definitively opt out of having the emails they receive tagged by such services; if possible, before the first email they receive from either service. If such companies don’t address these issues before they get successful, they may find themselves caught up in the full glare of privacy advocates, and end up destroying what is in essence a useful and benign service.

Going Public With Sensitive Data

Forget phishing for your passwords via dodgy emails. Just use Wi-Fi.

Internet security company Secure Computing Corporation have today released a report prepared by security consultants Canola/Jones Internet Investigations which “documents the serious risks of password theft that business travelers encounter when using the Internet in hotels, cafes, airports, and trade show kiosks.”  The full report is available (in PDF format) here.

Posing as a business traveler, the author “found multiple methods available to cyber-criminals that could be used to steal passwords and corporate information”. Wireless access points are especially vulnerable: “Tests conducted at an airport Internet cafe and at a popular chain of coffee shops showed that unencrypted streams of data from the laptops of patrons could easily be seen in many instances by another patron sitting nearby with wireless ‘sniffer’ software.”

Even hotel broadband is risky. Canola/Jones shows “how a hotel guest can use widely available snooping software with a laptop logged onto the hotel network. The guest can successfully snoop on the hard drives of fellow guests who have file sharing enabled on their PCs. Corporate data and passwords can easily be stolen.” Gulp. Other holes: keyboard logging software secretly installed on public terminals, and the hardy perennial, shoulder surfing, where a ne’er-do-well passes your terminal just as you happen to be entering a banking password.

Needless to say, this is all pretty scary. And Secure Computing would like to offer you a solution: their “two-factor authentication SafeWord line of tokens” which generate one-time-only passcodes for each user session. But there are other ways of foiling most of these exploits: Firewalls on your computer, common sense (don’t go to important websites like Internet banking on a public computer), and only using public Wi-Fi when a) you know it’s encrypted and b) you’re not dealing in sensitive data. Have I forgotten anything?

News: Beware The Password

As if you didn’t know it already (and I’ve posted about this before), your Windows passwords are not safe. According to an article on TechExtreme, some Swiss researchers have published a paper detailing how to crack Windows computers protected by alphanumeric passwords in an average of 13.6 seconds.
 
Their approach can crack 99.9 percent of all alphanumerical passwords in 13.6 seconds, against a previous 101 seconds. The bottom line: When you can, include non-alphanumeric characters in your password, such as a question mark or a plus sign.

News: Cracking a Password is Fast

Now your Microsoft Windows password can be cracked in 13.6 seconds, a vast improvement over the slow and tedious 101 seconds it took previously. An improved cryptanalytic method uses large amounts of memory–in this case, 1.4 GB–to speed its cracking of keys, says Security Wire Digest.

I won’t bore you with how they did it. But the bottom line is that this attack doesn’t pose any practical threat, since only an administrator would be able to get the encrypted password to conduct the attack, and users can resist by using passwords that contain more than just letters and numbers.