Tuesday, October 25, 2011

The New Skype "Vulnerability"

Recently, a privacy flaw has been discovered in Skype, as well as other P2P applications. Please see this link for more details.

What the privacy flaw does is allow another person to make a Skype call to you and, before you answer, or even if you don't, acquire your public IP address. With the public IP address, it is possible through IP geolocation to determine where you are--sometimes even down to the street level. By calling throughout the day, it is possible to trace your movements, and this information is useful in a variety of ways.

The article mentions that a firewall will not protect you, and this is not surprising because on the Internet you communicate with your public IP address and not the one behind the firewall.

Now, while I believe this is a privacy issue, I think it is a bit overblown. For one thing, every time we visit a website our public IP address is logged somewhere. Indeed, any time we connect to another public IP address for any reason we should assume it is logged somewhere. What makes this Skype issue problematic is that people may assume that because they are not calling anyone, their Skype VOIP is "hung up", so they are pretty safe and unreachable unless they answer the call. Unfortunately, Skype and other P2P protocols do not work that way. When you log on to Skype, you connect to an outside server to advertise that you are online, so just like any other connection your public IP is now "known" on the Internet. Now, it is not known by everyone, but it is known by any system with which you are communicating. Skype and other P2P protocols by definition implicitly or explicitly share this information--if they did not, it would be difficult to establish the P2P connections necessary to make these protocols useful.

To find the other guy's IP address, it is only necessary to capture the packets as the call is trying to go through. This is something which is not too technically difficult to perform. And unfortunately, there is no way to hide your IP address given the way Skype and other P2P networks work.

So, what should we do?

First, we need to be aware, because awareness is power. If I know my IP address is knowable by others, I can take necessary action and change my behavior--for one, I can behave "as if" my location is known. How would that change my behavior if I was posting a venomous "anonymous" post somewhere? I would be more careful about what I say and do, just as I would do in any public place with people around.

Second, I could only bring up P2P applications when I need to use them. Unfortunately, if this practice becomes widespread it will lessen the utility of P2P applications. But if my location is so important, this may be the only option if I want to use P2P at all.

What we are seeing is the erosion of the assumption of anonymity, which is one reason the Internet has flourished. The day may soon arrive, and it may already be here, when we are no more anonymous on the Internet than we are in real life.

Wednesday, October 19, 2011

Why I side with the Government over Anonymous

In my update to the post regarding Anonymous and SCADA, I pointed out that Dan Kaplan disagrees with DOHS' characterization of Anonymous as targeting critical infrastructure.

Now, it does not seem to me that Mr. Kaplan carries a brief for Anonymous, he just thinks that:

1) The DOHS statement is at least partially motivated by a desire to paint Anonymous as a terrorist organization
2) That reliable Anonymous sources have not confirmed the SCADA story
3) Anonymous cares about the environment and sympathizes with the Occupy Wall Street movement, so they care about people and the planet

I cannot speak with authority about DOHS' motivation. Indeed, it is possible that DOHS is motivated by a desire to protect Americans. There is nothing in the press release itself which would lead me to believe that their motives are nefarious. However, Anonymous has already decided that the Alberta oil sands should be shut down, and Anonymous has said, in its own words: "The continued development of the tar sands is a major step backward in the effort to curb global warming. Anonymous will not suffer this without a fight, and Operation Green Rights will always support the rights of the people to live in an unpolluted world, and aim to help safeguard it for the future. One way or another." (Operation Greenrights) That sounds pretty threatening to me. YMMV

That some in Anonymous have different priorities, or that there is disagreement within Anonymous, is beside the point. As a distributed, non-hierarchical organization, no one individual or group of individuals can be said to represent "Anonymous" more than another. Nor does support for Occupy Wall Street make a difference.

It is possible to support Occupy Wall Street (whose ideas are difficult to pin down, honestly) and support "direct action" against the companies exploiting the tar sands. In other words, the organization of Anonymous, or its lack of organization, comes with benefits as well as disadvantages.

Basically, Anonymous comes across to me as a bunch of self-righteous individuals who, if given the chance, would love the fame of bringing down a big target like the "evil" oil companies so they can confirm themselves in their own alleged moral superiority. And while I don't think they are necessarily trying to kill people, if one messes with some types of SCADA controls that will more than likely be the effect.

And that IS terrorism.

Stuxnet breaks out of its Siemens box

It appears Stuxnet has been modified so that it no longer attacks SCADA, but is now a Remote Access Tool (RAT). It is unclear if the variant is from the same group which created Stuxnet, or if Stuxnet was simply reverse-engineered. Unlike the original Stuxnet, though, this variant does not seem to use a 0-day attack. This means we need to ensure our systems are fully patched, which is the one thing anyone can do to protect themselves from the vast majority of malware.

Monday, October 17, 2011

Anonymous to Target SCADA?

According to this link, Anonymous may be trying to target SCADA.

SCADA is the control software for environmental controls, such as AC and heating, factory machinery, dams, power plants and a host of other things we take for granted will operate correctly.

An attack on SCADA could mean more than a data breach; it could mean injury or death. It is not too difficult to envision a scenario where, for instance, a sewage treatment plant is compromised such that potable water is contaminated, or where a generator is damaged through its own controls.

In other words, if a SCADA system is compromised by Anonymous, the group will have graduated from being a nuisance to becoming life-threatening. What is worrisome is that Anonymous typically compromises systems by "low hanging fruit"--unpatched systems, default, shared or easily guessed passwords or other vectors which are not too difficult to use.

I am afraid we live in interesting times.

UPDATE: Dan Kaplan pushes back http://goo.gl/5slJj

Monday, September 26, 2011

Methinks he doth protest too much

Nir Zuk, the inventor of stateful packet inspection and an all around firewall guru and founder of Palo Alto Networks, said that SourceFire's entry into the Next Generation Firewall market is "bull**it" because firewalls are so much more difficult to design than IPS. Now, I have evaluated Palo Alto's product and it is quite good, but I think that saying things like this about SourceFire's imminent offering shows a little bit of anxiety on his part. The NG firewall market is supposed to experience high growth, and it will probably take a while for things to settle down. Right now Palo Alto is the market leader, but that could change. Barracuda Networks (another product I evaluated) has an excellent offering, too. So yes, things could change--I think it is better to wait for the market to decide these things rather than engage in such talk, as it only makes the one screaming look desperate.

http://goo.gl/UP04G

Saturday, July 16, 2011

Password Koolaid Part II

So, there is some tension between the complexity of passwords and the tendency of users to take shortcuts that make complex passwords easier to remember. Since this is really just a numbers game--we are trying to make passwords change in a time frame which makes it infeasible to guess them--suppose we make passwords change more frequently but eliminate the features which make them more difficult to remember?

But now we are fiddling with passwords again and not really adding any more security.

We could add a second factor of authentication and make the whole system functionally impossible to crack. Two-factor authentication means that besides supplying something the user (or cracker) knows, she would have to either supply something she possesses or pass a biometric authentication mechanism. This is, in my opinion, a better way to allocate scarce security resources than making users create complex passwords (or not so complex, if they are clever enough to put Fluffy!1 as their password), which give a false sense of security.

Tuesday, July 27, 2010

Password Koolaid Part I

A lot of time and effort is spent on making sure an organization has a strong password policy. This is usually so that if an attacker gains access to the hashes of the passwords, the password will no longer be valid by the time he or she cracks the hash.

I would like to explain password hashes, because this is where the password is stored, though not in a recoverable way. On modern computing systems, if my password is P@ssw0rd! it is not stored on the system as P@ssw0rd!, but as something like 8a24367a1f46c141048752f2d5bbd14b. The "hash" is the outcome of a mathematical operation on data. In this case the hash above is the MD5 sum of P@ssw0rd!. The advantage of MD5 for storing passwords is that it is easy to change P@ssw0rd! into 8a24367a1f46c141048752f2d5bbd14b, but mathematically infeasible to get P@ssw0rd! back from the hash. This is called "a one way hash". The advantage of storing passwords as hashes is that the actual password is not available for viewing on the system--when the system receives the password from a login attempt, it merely runs the hash algorithm and sees if the output matches. If it matches, access is granted.

Even a very similar password will be hashed to a completely different output. Here is the output for P@ssword! (I replaced the "0" with the letter "o"):

32e0db0d97366631d8f1203e1ec94ccf

Let's compare the two:

P@ssw0rd!: 8a24367a1f46c141048752f2d5bbd14b
P@ssword!: 32e0db0d97366631d8f1203e1ec94ccf

Only two characters occur in the same position; there is no pattern which an attacker can use to make his guessing easier! Because of this, the only practical way to get the password from a hash is to try every combination of characters until the hashes come out the same. This can take a lot of time, especially if the password is long. The length of time to "crack" a password hash is related to the possible combinations of characters. That in turn is based on the number of possible characters raised to the power of the length of the password in characters. For example, an ATM card typically has a four digit PIN. Each of the spaces can contain a number between 0 and 9, which gives 10,000 possible combinations (10*10*10*10). That is not very large though; a modern computer system could guess the PIN in seconds if the hashes were available. But what if we allow upper and lower case letters along with spaces? That would provide for 53 (2*26+space) to the power of the length of the password. So an 8 character password would mean there are 62,259,690,411,361, or over 62 trillion, combinations. If we add in more characters the possibilities increase, well, exponentially.
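To make the two ideas above concrete (a one-way hash used only for comparison at login, and the size of the keyspace an attacker must search), here is an added Python example; it is not code from the post. It reproduces the post's MD5 comparison, counts the hex positions where the two hashes from the post agree, and computes the keyspace figures the post quotes. MD5 is used only to match the post: unsalted MD5 is fast, which is exactly what favours the attacker, and a real system should use a deliberately slow, salted construction (bcrypt, scrypt, Argon2 or PBKDF2). The guessing rate in `seconds_to_exhaust` is an assumed input, not a measurement.

```python
import hashlib
import hmac

# Hash values as quoted in the post, kept here only so the script can check its own output against them.
POST_HASH_P0 = "8a24367a1f46c141048752f2d5bbd14b"   # quoted for P@ssw0rd!
POST_HASH_PO = "32e0db0d97366631d8f1203e1ec94ccf"   # quoted for P@ssword!


def md5_hex(password: str) -> str:
    """One-way hash as described in the post (unsalted MD5; illustration only, not a recommendation)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """What the system keeps: the hash, never the cleartext."""
    return md5_hex(password)


def verify_login(stored_hash: str, attempt: str) -> bool:
    """Login check: hash the attempt and compare; constant-time so timing leaks nothing."""
    return hmac.compare_digest(stored_hash, md5_hex(attempt))


def matching_positions(hash_a: str, hash_b: str) -> int:
    """How many hex digits two hashes share position for position (a rough avalanche check)."""
    return sum(1 for a, b in zip(hash_a, hash_b) if a == b)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords: alphabet size raised to the password length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    stored = store_password("P@ssw0rd!")
    print("stored hash:", stored, "(matches post:", stored == POST_HASH_P0, ")")
    print("login P@ssw0rd!:", verify_login(stored, "P@ssw0rd!"))
    print("login P@ssword!:", verify_login(stored, "P@ssword!"))
    print("shared hex positions between the post's two hashes:", matching_positions(POST_HASH_P0, POST_HASH_PO))
    print("4-digit PIN keyspace:", keyspace(10, 4))
    print("8 chars over 53 symbols:", f"{keyspace(53, 8):,}")
    # Assumed rate of one billion MD5 guesses per second, purely to show the scale.
    print("seconds to exhaust at 1e9 guesses/s:", seconds_to_exhaust(53, 8, 1e9))
```

The keyspace numbers only describe brute force over every combination; the next section shows why real users rarely make an attacker work through that whole space.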

This is why password policies usually include a minimum length for the password, what characters are required for the password and for how long the password will be valid. The first and second parameters are to make the password more difficult to guess by increasing the possible combinations of characters, and the last--when the password expires--is so that before the attacker can feasibly guess the password, it is already invalid and useless for gaining access.

While all these are useful and do make a password theoretically more difficult to guess, many individual users comply with the policy but in effect defeat the purpose of the policy and make passwords much easier to guess. For instance, the password above--P@ssw0rd! can be strictly in compliance yet insecure because it is guessable even if the password is periodically changed. The following passwords are also valid and related to the original password:

p@ssword!
passw0Rd!
Pa55w0rd!
P@ssw0rd@

etc. etc.

What is happening is this: our user does not want to remember long, complex passwords because he has other things to do. So he creates a compliant password and, when he is forced to change it, makes a trivial change instead of choosing a completely new compliant password. The problem is that all the passwords are based on the English word "password", so if our attacker is minimally competent his password cracking software will try all these combinations when his word list reaches "password"--actually one of the first guesses. If his password were something like JhshI((77636jj (hash=fbea20ddb6ec43e691bef34eb5d6325f) he would probably write it down on a piece of paper on his desk. And if we assume that the password is forced to change every 90 days, we have basically the same password for almost a full year. This is much more "doable" from a password cracking point of view.
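The gap described above is that a policy checks the shape of a password, not whether it is a disguised dictionary word or a one-character edit of the previous one. As an added example (not code from the post), here is a Python password-change validator that accepts every variant listed above as policy-compliant and then rejects them anyway for the reasons the post gives. The policy (8 or more characters, at least two of the four character classes), the substitution table and the short base-word list are constructed assumptions for the example; a real deployment would use a full cracking dictionary and a breached-password list.

```python
import string

# Common letter-for-symbol substitutions undone before the dictionary check (assumed table).
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"})

# Constructed stand-in for the front of a cracker's word list.
BASE_WORDS = ("password", "welcome", "letmein", "qwerty", "summer")


def is_policy_compliant(pw: str, min_len: int = 8, min_classes: int = 2) -> bool:
    """The shape-only check that the post's variants all pass."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= min_classes


def normalize(pw: str) -> str:
    """Lower-case, undo substitutions, keep letters only: P@ssw0rd! -> password."""
    return "".join(c for c in pw.lower().translate(LEET_MAP) if c.isalpha())


def base_word_of(pw: str):
    """Return the dictionary word the password is built on, or None."""
    core = normalize(pw)
    for word in BASE_WORDS:
        if word in core:
            return word
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch 'change one character and move on'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reject_reason(new_pw: str, old_pw: str = None):
    """None if the new password is acceptable, otherwise the reason it is not."""
    if not is_policy_compliant(new_pw):
        return "does not meet the complexity policy"
    word = base_word_of(new_pw)
    if word is not None:
        return f"is a disguised form of the dictionary word '{word}'"
    if old_pw is not None:
        if normalize(new_pw) == normalize(old_pw):
            return "is the previous password with substitutions changed"
        if edit_distance(new_pw, old_pw) <= 2:
            return "differs from the previous password by two characters or fewer"
    return None


if __name__ == "__main__":
    variants = ["P@ssw0rd!", "p@ssword!", "passw0Rd!", "Pa55w0rd!", "P@ssw0rd@"]
    for pw in variants:
        print(f"{pw:12} compliant={is_policy_compliant(pw)!s:5} reject: {reject_reason(pw)}")
    print("JhshI((77636jj reject:", reject_reason("JhshI((77636jj"))
    print("one-char edit of it reject:", reject_reason("JhshI((77636jk", "JhshI((77636jj"))
```

Run against the post's list, every variant is "compliant" and every one is rejected as a form of "password"; the random-looking JhshI((77636jj passes, but its one-character successor is caught by the edit-distance rule, which is the check that actually addresses the 90-day rotation problem.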

So, we have a lot of audits and policies to make sure our passwords are hard to guess, but how much security does that actually buy us? It is my contention that much of the effort in making passwords complex consumes resources better used to make the actual information which interests attackers harder to obtain. The password complexity policies can take us only so far, and in fact they can be bypassed in most situations. So what should we do for passwords?

That is for Part II