Security – Page 53 – a sibilant intake of breath

More amateur cryptography

One of the oldest problems in cryptography is key management. The simplest kind of cryptographic arrangement is based on a single key used by however many parties both for encryption and decryption. This carries two big risks, however. In the first place, you need a secure mechanism for key distribution. Secondly, it is generally impossible to revoke a key, either for one individual or for everyone. Because of these limitations, public key cryptography (which utilizes key pairs) has proved a more appropriate mechanism in many applications.

Once in a while, now, you read about ‘unbreakable’ cryptography based on quantum mechanics. The quantum phenomena employed are actually used for key generation, not for the actual business of encrypting and decrypting messages. Like the use of a one-time pad, the symmetric keys produced by this system hold out the promise of powerful encryption. Of course, such systems remain vulnerable both to other kinds of cryptographic attacks, particularly the ‘side channel’ attacks that have so often been the basis for successful code-breaking. Recent examples include the cracking of the encryption on DVDs, as well as Blu-Ray and HD-DVDs.

An example of a side-channel attack is trawling through RAM and virtual memory to try and find the password to some encrypted system. When you login to a website using secure socket layering (SSL), the data sent over the network is encrypted. That said, the program with which you access the site may well take the string of text that constitutes your password and then dump it into RAM and/or the swap space on your hard disk somewhere. Skimming through memory for password-like strings is much less resource intensive than simply trying every possible password. Programs like Forensic Toolkit by AccessData make this process easy. People who use the same string in multiple applications (any of which could storing passwords insecurely) are even more vulnerable.

As in a large number of other security related areas, people using Apple computers have a slight advantage. While not on by default. if you go into the security menu in the system preferences, you can turn on “Use secure virtual memory.” This encrypts the contents of your swap space, to help protect against the kind of attack described above.

The real lesson of all of this is that total information security can never be achieved. One just needs to strike a balance between the sensitivity of the data, the probability of it coming under examination, and the level of effort that would be required to overcome whatever security is in place.

PS. My PGP public key is available online, for anyone who wants to send me coded messages. Free copies of the encryption software Pretty Good Privacy (PGP) can also be easily downloaded.

WordPress 2.0.6 update

Only WordPress administrators are likely to care much about the following.

Continue reading “WordPress 2.0.6 update”

GMail security hole

As people who read techie news pages like Engadget and Slashdot already know, a somewhat serious security flaw in GMail has recently been uncovered. Specifically, when you are logged into GMail in one browser window or tab, any other site you visit can grab your entire contact list. Whether that is a serious leak or not is a matter of perspective. Certainly, it exposes all of your friends of even more spam than they already receive.

Read the following carefully before you click anything. If you want to see the script that grabs contact lists at work, follow this link. Engadget says it’s “non-malicious,” but the risk is yours. The bug arises from the way in which GMail stores your contacts as a JavaScript file that can be requested by other websites. Google claims they have fixed the bug but, as the link above will prove, they have not.

Plausible attacks

A site that wanted to be really sneaky could exploit this information in many ways. At the very least, it could be used to very easily identify many of the people who are visiting. Knowing someone’s contact list might help in the launching of phishing attacks. It could, for example, make it easier to work out what company someone works for. You could then find out who does their information technology and send spoofed emails that seem to come from the IT department, asking for passwords or other sensitive information.

If it is a site that contains content that many people would not want others to know that they view, it could grab the email addresses for people with the same last name as you and threaten to send them information on your surfing history. A less complicated ploy would be to use emails that seem to come from people who you know to get through spam filters. Because of email spoofing, it is very easy to make messages seem to be coming from someone else.

Implications

As someone with 1037 MB of data in my main GMail account – including 14,410 emails and more than 1500 instant message conversations – I am naturally very concerned about GMail security. There is tons of stuff in there that I would be profoundly opposed to seeing on a public search engine, as has already happened in at least one case with private GMail data.

Contrary to their own assertions, Google had analysed and indexed all e-mails processed through their mail service. Due to a mistake made by an administrator, a database of the highly secret project was mirrored onto the external index servers, and as a result, the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour.

Source

Clearly, it would be preferable if GMail started using durable encryption on their archived messages. This would both protect the messages from hostile outsiders and keep Google from doing anything undesirable with them. Even a passphrase based symmetric-key encryption system (perhaps based on AES) would be an improvement. I bet all the students at Arizona State University, which had turned to GMail to provide all their email services would feel likewise, if they knew.

[Update: 8:30pm] This article by Brad Templeton, the Chairman of the Electronic Frontier Foundation, makes some good general points about GMail and privacy.

[Update: 11:00pm] According to Engadget, this hole has been fixed. It’s good that it was dealt with so quickly, but there are still reasons to be concerned about GMail security in general.

[Update: 2 January 2007] The mainstream media has caught up with the story. CBC News: Teen exposes Google security flaw.

[Update: 18 July 2008] GMail just added a very useful ‘Activity on this account’ feature. It tells you (a) whether any other computers are logged into account and (b) when and where the last five logins took place from. This is excellent.

Back in the UK

Back in the comparative warmth of Oxford, I am enjoying how it feels to be on a computer with a properly calibrated screen and a keyboard familiar enough to require no peeking. It is gratifying to see how much better my photos look when properly displayed.

Since this is my father’s last night in England, I am not going to spend the three hours or so that it will take to sort through my photos from Turkey, just now. You can expect my previous entries to start getting illustrated as of tomorrow, as well as additional batches on Facebook and Photo.net.

PS. Both my iPod Shuffle and my USB flash drive picked up a few viruses over the course of visiting hostel and internet cafe computers. Thankfully, they are all viruses that only affect Windows machines. Travelers with laptops (or computers running Windows back home) beware. I do feel bad about spreading viruses between all those machines; no wonder they were so slow.

Fraud via disappearing ink

A particularly cunning sort of fraud is occurring in the UK right now: someone comes to your door and convinces you to donate to worthy charity X. You agree, and bring out your chequebook. The fraudster hands you their pen, to fill out the cheque. The ink of of a vanishing sort and, after the transaction, the fraudster traces your signature from the groove in the paper, (generally) re-writes the original amount for the cheque, then puts their own name as the payee. Since most people only check amounts (and banks check nothing at all, unless the customer asserts that fraud has taken place) the fraudster makes off with however many charitable donations.

My personal inclination is to see this as one more among many reasons why cheques are no longer a decent form of payment.

Camera phones and police brutality

One very considerable advantage of the greater dissemination of video phones is increased ability to effectively document police brutality and other abuses of power. A recent example example involves UCLA police officers gratuitously using tazers on students in a library. While that situation cannot be entirely understood from the YouTube video, it supports testimony given elsewhere that the use of force was excessive and inappropriate. Hopefully, these tazer-happy UCLA police officers will end up in jail. At least one other incident filmed with a camera phone and uploaded to YouTube is being investigated by the FBI. That incident is also discussed in this editorial.

As I have said again and again here: protection of the individual from unreasonable or arbitrary power – in the hands of government and its agents – is a crucial part of the individual security of all citizens in democratic states. In a world where normal activities increasingly take place within sight of CCTV cameras, it’s nice to see that recording technology can also work for the protection of individuals or – at least – improve the odds of things being set to rights after abuse takes place.

Just don’t expect for it to be impossible for people to determine whose camera was used to shoot the video. Apparently, output from digital cameras can be linked to the specific unit that produced it.

American midterm elections today

Those looking for more polling data than they will know what to do with, for today’s midterm elections in the United States, should have a look at Pollster.com. For first year M.Phil students nervous about the quantitative methods test, it might be worthwhile reading as well.

I will definitely be watching the news closely between now and whenever the House and Senate races are settled. Hopefully, none of the quite justified concerns about problems with electronic voting machines will manifest themselves. Unfortunately, the vulnerabilities exposed by the Princeton study and others could be exploited in ways that could never be detected by electoral officials. Anyone who thinks that electronic votingi s secure, with paper ballots and automatic auditing of part of the vote, should watch this short video produced by the Princeton team.

No matter which way this election goes, fixing the mechanics of the electoral system should be a huge priority before the 2008 elections. Relevant previous posts:

Also well worth a look:

How to steal an election (via Bruce Schneier)
How to steal an election by hacking the vote (via Ars Technica)
Evaluation Report of New Methods of Voting (Chief Electoral Officer of Quebec)
A longer and much scarier video showing how vulnerable the computers that tabulate election data are to undetectable manipulation.
HBO Special: Hacking Democracy (1 hour 22 minutes)

Revitalized

Essentially back to back this evening, I had two of the best lectures since arriving in Oxford. It was a well-timed reminder of why it is so valuable to be here, and the kind of knowledge and people one can be exposed to in this environment.

The first speaker was Hilary Benn, appearing as part of the Global Economic Governance series. He is the Secretary of State for International Development in the current British Government. His speech took in everything from institutional reform at the World Bank to what should be done in Darfur. While he may have oversimplified a great deal at times, it was nonetheless refreshing to hear a government official saying some very sensible and progressive things about the role Britain should play in the world. During the question session, I asked him about his department’s policy position on West African fisheries. He advised me to write him a letter, and promised a detailed response. Thanks to an aid, I have the real email address of a British cabinet member in my pocket. I will come up with a cover letter that addresses the major points, then include a copy of the article in print in case he (or a staffer) wants more detail.

The second speaker, through the Strategic Studies Group, was Rear Admiral C.J. Parry. I spoke with him during dinner about his aviation experience (he actually flew a V-22 Osprey). His talk, in the capacity of Director General of Development, Concepts and Doctrine for the Ministry of Defence at Shrivenham, was a look forward into major strategic threats in the next thirty years or so. That said, it was a candid and engaging presentation that has sparked a lot of thought and debate – exactly what the mandate of OUSSG is to provide.

Sorry if this is all a bit breathless, but I suddenly feel as though I have a lot to do – and not just in terms of the thesis work I have been dreading.

PS. Both Kai and Alex are back, which adds to my sense of rejuvination. Likewise, the opportunity that has been afforded to see the friendly trio of Bryony, Claire, and Emily was most welcome. Indeed, seeing all members of the program has felt a bit like suddenly being surrounded by friends in Vancouver. Things with my new college advisor – Robert Shilliam – are also going well.

PPS. I have my first free Wadham high table dinner booked for tomorrow, as part of the Senior Scholarship.

Protecting your computer

At least once or twice a month, someone who I know endures a computational disaster. This could be anything from a glass of wine spilled on a laptop to some kind of complex SQL database problem. In the spirit of Bruce Schneier, I thought I would offer some simple suggestions that anyone should be able to employ.

The most important thing is simply this: if it is important, back it up. Burn it to a CD, put it on a flash memory stick, email it to yourself or to a friend. The last thing you want is to have your laptop hard drive fail when it contains the only copy of the project you’ve spent the last month working on.

Now, for a quick list of tips. These are geared towards university students, not those with access to sensitive information or large amounts of money:

Do not trust anything you see online. If you get an email from ‘PayPal’ or your bank, assume it is from someone trying to defraud you. It probably is. Likewise, just because a website looks reputable, do not give it any sensitive information. This includes passwords you use for things like your bank.
Never address email messages to dozens of friends. Lots of viruses search through your computer for email addresses to sell to spammers or use for attacks. If anyone in that fifty person party invitation gets a virus, it could cause problems for all the rest. If you want to send emails to many people, use the Blind Carbon Copy (BCC) feature that exists in almost all email programs and web based email systems.
If you run Windows, you must run a virus scanner. All the time. Without exception. If you run a Mac, run one in order to be sure you don’t pass along viruses to your friends. Both Oxford and UBC offer free copies of Sophos Antivirus. Install it and keep it updated.
Run a spyware and adware scanner like AdAware often. If you are not doing advanced things with your computer, be proactive and use something like Spyware Blaster. (Note, some of the patches it installs can cause problems in rare circumstances.)
No matter what operating system you run, make sure to apply security updates as soon as they come out. An unpatched Windows XP home machine is basically a sitting duck as soon as it is connected to the internet. See this BBC article.
Only install software you really need. Lots of free software is riddled with spyware and adware that may not be removed when you uninstall it. Especially bad for this are some file-sharing programs. If you do any kind of file sharing, the importance of having a virus scanner becomes imperative.
Never use secret questions. If you are forced to, fill the box with a long string of random letters and numbers. If you cannot remember your passwords, write them down and guard them like hundred dollar bills.
For your web browser, use Firefox. Safari is fine, but you should never use Internet Explorer. If a website forces you to (especially something like a bank), complain.
If there is something you really want to keep secret, either keep it on a device not connected to any network or encrypt it strongly. A user-friendly option for the latter is PGP. Whether it is some kind of classified research source or a photo of yourself you never want to see on the cover of the Daily Mail (once you are Prime Minister), it is best to encrypt it.
Avoid buying compact discs that include Digital Rights Management (DRM). Many of the systems that are used to prevent copying can be easily hijacked by those with malicious ends. See one of my earlier posts on this.
If you have a laptop, especially in Oxford or another high theft area, insure it. They can be stolen in a minute, either by breaking a window, picking a lock, or distracting you in a coffee shop. Aren’t you glad you made a backup of everything crucial before that happened?
If your internet connection is on all the time (broadband), turn your computer off when you aren’t using it.

Basically, there are three big kinds of risks out there. The first is data loss. This should be prevented through frequent backups and being vigilant against viruses. The second is data theft. Anyone determined can break into your computer and steal anything on there: whether it is a Mac or a PC. That is true for everything from your local police force to a clever fourteen year old. Some of the suggestions above help limit that risk, especially the ones about security updates and turning off your computer when it is not in use. The third risk is physical loss or destruction of hardware. That is where caution and insurance play their part.

If everyone followed more or less this set of protocols, I would get fewer panicked emails about hard drives clicking and computers booting to the infamous Blue Screen of Death.

[Update: 6 January 2007] The recent GMail bug has had me thinking about GMail security. Here are a few questions people using GMail might want to ask themselves:

If I search for “credit card” while logged in, do any emails come up that contain a valid credit card belonging to me or to someone else? I only ask because that is just about the first thing that someone malicious who gets into your account will look for. “Account number” and similar queries are also worth thinking about.
Can someone who gets the password to my Facebook account, or some other account on a trivial site, use it to get into my GMail account?
Have I changed the password to my GMail account in the last few weeks or months?

If the answer to any of those is ‘yes,’ I would recommend taking some precautionary action.

More split nuclei

On 16 July 1945, the United States did it. The Soviets followed suit on 29 August 1949, followed by the UK on 3 October 1952. The French followed on 13 February 1960, followed by China on 16 October 1964. On 18 May 1974, India joined the club, with Pakistan doing so on 28 May 1998. Israel and/or South Africa may have tested on 22 September 1979, in an incident detected by an American satellite.

As of 9 October 2006, North Korea seems to have tested a nuclear bomb. It makes you wonder how many more states will do so in the next fifty years, as well as what the security character of the Southeast Asian area, in particular, will be by then.

That said, while they seem to have scientists and engineers capable of making nuclear weapons, the North Koreans don’t seem to have staff capable of producing a particularly cogent English press release:

The nuclear test was conducted with indigenous wisdom and technology 100 percent. It marks a historic event as it greatly encouraged and pleased the KPA and people that have wished to have powerful self-reliant defense capability.

Since this test was pretty clearly meant for American audiences, you might have expected them to pay more attention to their wording. I suppose multi-kiloton underground blasts speak louder than press releases.

Despite such nationalist rhetoric, the test seems more likely to endanger the average North Korean than help them. In the short term, there is the danger that someone will try to strike their nuclear capability before they develop credible delivery systems. Also, as The Economist identifies: “[T]he immediate threats from North Korea’s new capability come from radioactive leaks into the atmosphere and North Korea’s groundwater.” Finally, the test risks sparking a nuclear arms race in Asia that threatens the security of the whole region, at least.

[Update: 1:30pm] Based on my server logs, lots of people have been looking for these photos of test sites in Nevada during the last few days. Google still hasn’t figured out that this site has moved to WordPress. In any case, the photos show one of the ugly legacies of testing and reinforce the point that, while world should be moving towards nuclear disarmament, the converse seems to be taking place.