You are hereFeed aggregator / Sources / Scheier on Security
Scheier on Security
"1234" and Birthdays Are the Most Common PINs
Tue, 02/21/2012 - 23:36Research paper: "A birthday present every eleven wallets? The security of customer-chosen banking PINs," by Joseph Bonneau, Sören Preibusch, and Ross Anderson:
Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.EDITED TO ADD (2/22): News article
Categories: Industry Blogs
Covert Communications Channel in Tarsiers
Mon, 02/20/2012 - 22:30Marissa A. Ramsier, Andrew J. Cunningham, Gillian L. Moritz, James J. Finneran, Cathy V. Williams, Perry S. Ong, Sharon L. Gursky-Doyen, and Nathaniel J. Dominy (2012), "Primate communication in the pure ultrasound," Biology Letters.
Abstract: Few mammals -- cetaceans, domestic cats and select bats and rodents -- can send and receive vocal signals contained within the ultrasonic domain, or pure ultrasound (greater than 20 kHz). Here, we use the auditory brainstem response (ABR) method to demonstrate that a species of nocturnal primate, the Philippine tarsier (Tarsius syrichta), has a high-frequency limit of auditory sensitivity of ca 91 kHz. We also recorded a vocalization with a dominant frequency of 70 kHz. Such values are among the highest recorded for any terrestrial mammal, and a relatively extreme example of ultrasonic communication. For Philippine tarsiers, ultrasonic vocalizations might represent a private channel of communication that subverts detection by predators, prey and competitors, enhances energetic efficiency, or improves detection against low-frequency background noise.Categories: Industry Blogs
Friday Squid Blogging: Squid Desk Lamp
Sat, 02/18/2012 - 08:37Beautiful sculpture.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Categories: Industry Blogs
What Is a Suspicious-Looking Package, Anyway?
Sat, 02/18/2012 - 05:45Funny comic.
Categories: Industry Blogs
Self-Domestication in Bonobos and Other Animals
Fri, 02/17/2012 - 22:25Self-domestication happens when the benefits of cooperation outweigh the costs:
But why and how could natural selection tame the bonobo? One possible narrative begins about 2.5 million years ago, when the last common ancestor of bonobos and chimpanzees lived both north and south of the Zaire River, as did gorillas, their ecological rivals. A massive drought drove gorillas from the south, and they never returned. That last common ancestor suddenly had the southern jungles to themselves.As a result, competition for resources wouldn't be as fierce as before. Aggression, such a costly habit, wouldn't have been so necessary. And whereas a resource-limited environment likely made female alliances rare, as they are in modern chimpanzees, reduced competition would have allowed females to become friends. No longer would males intimidate them and force them into sex. Once reproduction was no longer traumatic, they could afford to be fertile more often, which in turn reduced competition between males.
"If females don't let you beat them up, why should a male bonobo try to be dominant over all the other males?" said Hare. "In male chimps, it's very costly to be on top. Often in primate hierarchies, you don't stay on top very long. Everyone is gunning for you. You're getting in a lot of fights. If you don't have to do that, it's better for everybody." Chimpanzees had been caught in what Hare called "this terrible cycle, and bonobos have been able to break this cycle."
This is the sort of thing I write about in my new book. And with both bonobos and humans, there's an obvious security problem: if almost everyone is non-aggressive, an aggressive minority can easily dominate. How does society prevent that from happening?
Categories: Industry Blogs
Cryptanalysis of Satellite Phone Encryption Algorithms
Fri, 02/17/2012 - 04:22From the abstract of the paper:
In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the two algorithms from freely available DSP-firmware updates for satphones, which included the development of a custom disassembler and tools to analyze the code, and extending prior work on binary analysis to efficiently identify cryptographic code. We note that these steps had to be repeated for both systems, because the available binaries were from two entirely different DSP processors. Perhaps somewhat surprisingly, we found that the GMR-1 cipher can be considered a proprietary variant of the GSM A5/2 algorithm, whereas the GMR-2 cipher is an entirely new design. The second main contribution lies in the cryptanalysis of the two proprietary stream ciphers. We were able to adopt known A5/2 ciphertext-only attacks to the GMR-1 algorithm with an average case complexity of 232 steps. With respect to the GMR-2 cipher, we developed a new attack which is powerful in a known-plaintext setting. In this situation, the encryption key for one session, i.e., one phone call, can be recovered with approximately 5065 bytes of key stream and a moderate computational complexity. A major finding of our work is that the stream ciphers of the two existing satellite phone systems are considerably weaker than what is state-oft-he-art in symmetric cryptography.Press release. And news stories.
Categories: Industry Blogs
Lousy Random Numbers Cause Insecure Public Keys
Thu, 02/16/2012 - 22:51There's some excellent research (paper, news articles) surveying public keys in the wild. Basically, the researchers found that a small fraction of them (27,000 out of 7.1 million, or 0.38%) share a common factor and are inherently weak. The researchers can break those public keys, and anyone who duplicates their research can as well.
The cause of this is almost certainly a lousy random number generator used to create those public keys in the first place. This shouldn't come as a surprise. One of the hardest parts of cryptography is random number generation. It's really easy to write a lousy random number generator, and it's not at all obvious that it is lousy. Randomness is a non-functional requirement, and unless you specifically test for it -- and know how to test for it -- you're going to think your cryptosystem is working just fine. (One of the reporters who called me about this story said that the researchers told him about a real-world random number generator that produced just seven different random numbers.) So it's likely these weak keys are accidental.
It's certainly possible, though, that some random number generators have been deliberately weakened. The obvious culprits are national intelligence services like the NSA. I have no evidence that this happened, but if I were in charge of weakening cryptosystems in the real world, the first thing I would target is random number generators. They're easy to weaken, and it's hard to detect that you've done anything. Much safer than tweaking the algorithms, which can be tested against known test vectors and alternate implementations. But again, I'm just speculating here.
What is the security risk? There's some, but it's hard to know how much. We can assume that the bad guys can replicate this experiment and find the weak keys. But they're random, so it's hard to know how to monetize this attack. Maybe the bad guys will get lucky and one of the weak keys will lead to some obvious way to steal money, or trade secrets, or national intelligence. Maybe.
And what happens now? My hope is that the researchers know which implementations of public-key systems are susceptible to these bad random numbers -- they didn't name names in the paper -- and alerted them, and that those companies will fix their systems. (I recommend my own Fortuna, from Cryptography Engineering.) I hope that everyone who implements a home-grown random number generator will rip it out and put in something better. But I don't hold out much hope. Bad random numbers have broken a lot of cryptosystems in the past, and will continue to do so in the future.
From the introduction to the paper:
In this paper we complement previous studies by concentrating on computational and randomness properties of actual public keys, issues that are usually taken for granted. Compared to the collection of certificates considered in [12], where shared RSA moduli are "not very frequent", we found a much higher fraction of duplicates. More worrisome is that among the 4.7 million distinct 1024-bit RSA moduli that we had originally collected, more than 12500 have a single prime factor in common. That this happens may be crypto-folklore, but it was new to us, and it does not seem to be a disappearing trend: in our current collection of 7.1 million 1024-bit RSA moduli, almost 27000 are vulnerable and 2048-bit RSA moduli are affected as well. When exploited, it could act the expectation of security that the public key infrastructure is intended to achieve.And the conclusion:
We checked the computational properties of millions of public keys that we collected on the web. The majority does not seem to suffer from obvious weaknesses and can be expected to provide the expected level of security. We found that on the order of 0.003% of public keys is incorrect, which does not seem to be unacceptable. We were surprised, however, by the extent to which public keys are shared among unrelated parties. For ElGamal and DSA sharing is rare, but for RSA the frequency of sharing may be a cause for concern. What surprised us most is that many thousands of 1024-bit RSA moduli, including thousands that are contained in still valid X.509 certificates, offer no security at all. This may indicate that proper seeding of random number generators is still a problematic issue....Categories: Industry Blogs
Dumb Risk of the Day
Thu, 02/16/2012 - 05:11 Joanne Kuzma of the University of Worcester, England, has analyzed photos that clearly show children's faces on the photo sharing site Flickr. She found that a significant proportion of those analyzed were geotagged and a large number of those were associated with 50 of the more expensive residential zip codes in the USA.The location information could possibly be used to locate a child's home or other location based on information publicly available on Flickr," explains Kuzma. "Publishing geolocation data raises concerns about privacy and security of children when such personalized information is available to internet users who may have dubious reasons for accessing this data."
It's children, though, so it's going to be hard to have a rational risk discussion about this topic.
Categories: Industry Blogs
The Sudafed Security Trade-Off
Wed, 02/15/2012 - 23:09This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine:
Now, personally, I sincerely doubt that the pharmaceutical industry has reliable estimates of how many of their purchasers actually have colds--or that they would share data indicating that half of their revenues came from meth cooks. But let's say this is accurate: half of all pseudoephedrine is sold to meth labs. That still wouldn't mean that manufacturers of cold medicines are making "hundreds of millions of dollars a year" off of the stuff--not in the sense that they end up hundreds of millions of dollars richer. The margins on off-patent medicines are not high, and in retail, 50% or more of the cost of the product is retailer and distributor markup*. Then there's the costs of manufacturing.But this is sort of a side issue. What really bothers me is the way that Humphreys--and others who show up in the comments--regard the rather extraordinary cost of making PSE prescription-only as too trivial to mention.
Let's return to those 15 million cold sufferers. Assume that on average, they want one box a year. That's going to require a visit to the doctor. At an average copay of $20, their costs alone would be $300 million a year, but of course, the health care system is also paying a substantial amount for the doctor's visit. The average reimbursement from private insurance is $130; for Medicare, it's about $60. Medicaid pays less, but that's why people on Medicaid have such a hard time finding a doctor. So average those two together, and add the copays, and you've got at least $1.5 billion in direct costs to obtain a simple decongestant. But that doesn't include the hassle and possibly lost wages for the doctor's visits. Nor the possible secondary effects of putting more demands on an already none-too-plentiful supply of primary care physicians.
I like seeing the debate framed as a security trade-off.
Categories: Industry Blogs
Trust Requires Transparency
Tue, 02/14/2012 - 23:12Adam Shostack explains to VeriSign that trust requires transparency.
This is a lesson Path should have learned.
Categories: Industry Blogs
<i>Liars and Outliers</i> Update
Tue, 02/14/2012 - 06:53Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped books to everyone who ordered a signed copy.
I've seen five more reviews. And there's one print and one audio (there's also a transcript) interview about the book.
A bunch of people on Twitter have announced that they're enjoying the book. Right now, there are only three reviews on Amazon. Please, leave a review on Amazon. (I'll write about the problem of fake reviews on these sorts of sites in another post.)
I'm not sure, but I think the Kindle price is going to increase. So if you want the book at the current $10 price, now is the time to buy it.
Categories: Industry Blogs
What Happens When the Court Demands You Decrypt a Document and You Forget the Key?
Mon, 02/13/2012 - 21:20Last month, a U.S. court demanded that a defendent surrender the encryption key to a laptop so the police could examine it. Now it seems that she's forgotten the key.
What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might be hard to realistically forget a key. It's less credible for someone to say "I have no idea what my password is," and more likely to say something like "it was the word 'telephone' with a zero for the o and then some number following -- four digits, with a six in it -- and then a punctuation mark like a period." And then a brute-force password search could be targeted. I suppose someone could say "it was a random alphanumeric password created by an automatic program; I really have no idea," but I'm not sure a judge would believe it.
Categories: Industry Blogs
Friday Squid Blogging: Squid's Beard
Sat, 02/11/2012 - 08:04It's an acoustic bluegrass band.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Categories: Industry Blogs
Securing iPads for Exams
Fri, 02/10/2012 - 22:21Interesting blog post about locking down an iPad so students can take exams on them.
Categories: Industry Blogs
Security Implications of "Lower-Risk Aircraft"
Thu, 02/09/2012 - 22:10Interesting paper: Paul J. Freitas (2012), "Passenger aviation security, risk management, and simple physics," Journal of Transportation Security.
Abstract: Since the September 11, 2001 suicide hijacking attacks on the United States, preventing similar attacks from recurring has been perhaps the most important goal of aviation security. In addition to other measures, the US government has increased passenger screening requirements to unprecedented levels. This has raised a number of concerns regarding passenger safety from radiation risks associated with airport body scanners, psychological trauma associated with pat-down searches, and general cost/benefit analysis concerns regarding security measures. Screening changes, however, may not be the best way to address the safety and security issues exposed by the September 11 attacks. Here we use simple physics concepts (kinetic energy and chemical potential energy) to evaluate the relative risks from crash damage for various aircraft types. A worst-case jumbo jet crash can result in an energy release comparable to that of a small nuclear weapon, but other aircraft types are considerably less dangerous. Understanding these risks suggests that aircraft with lower fuel capacities, speeds, and weights pose substantially reduced risk over other aircraft types. Lower-risk aircraft may not warrant invasive screening as they pose less risk than other risks commonly accepted in American society, like tanker truck accidents. Allowing passengers to avoid invasive screening for lower-risk aircraft would introduce competition into passenger aviation that might lead to better overall improvements in security and general safety than passenger screening alone is capable of achieving.The full paper is behind a paywall, but here is a preprint.
Categories: Industry Blogs
Solving the Underlying Economic Problem of Internet Piracy
Wed, 02/08/2012 - 22:46This essay is definitely thinking along the correct directions.
Categories: Industry Blogs
Error Rates of Hand-Counted Voting Systems
Tue, 02/07/2012 - 21:53The error rate for hand-counted ballots is about two percent.
All voting systems have nonzero error rates. This doesn't surprise technologists, but does surprise the general public. There's a myth out there that elections are perfectly accurate, down to the single vote. They're not. If the vote is within a few percentage points, they're likely a statistical tie. (The problem, of course, is that elections must produce a single winner.)
Categories: Industry Blogs
