Categories
Computing

What is your mother’s maiden name and other insecure security questions

Security Researchers at the University of Cambridge’s Computer Laboratory have produced a whitepaper titled Evaluating statistical attacks on personal knowledge questions.

Aside from the fact that the answers to these questions are readily findable for celebrities, and increasingly easy to uncover through social networking sites for the average individual, the researchers found that even guessing is good enough to render the system insecure if carried out on a wide scale.

There is a strong result that anything named by humans is dangerous to use as a secret. Sociologists have known this for years. Most human names follow a power-law distribution fairly close to Zipfian, which we confirmed in our study. This means every name distribution has a few disproportionately common names—“Gonzalez” amongst Chilean surnames, “Guðrún” amongst Icelandic forenames, “Buddy” amongst pets—for attackers to latch on to. Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security.

Until such time as the companies that use password reminder questions as a security method change the system they use, I recommend that people give a nonsense answer to the question. If you are sure that you’d never need to use the password reminder facility, then you could just use a completely unguessable random alphanumeric string as the answer. Otherwise it would be a good idea to choose something memorable as your nonsense answer that you use consistently, e.g. Throatwobbler Mangrove, unless inexplicably that does happen to be your mother’s maiden name.

There has been other research in the last few years into this subject.

Microsoft researchers wrote Measuring the security and reliability of authentication via ‘secret’ questions.

Categories
Computing Security

The hype of cyberwarfare used to control the internet

Ryan Singel, writing for Threat Level, believes that the cyberwar hype is intended to destroy the open internet.

With the rise of the internet, nation states have begun to lose control of their citizens and have introduced ever more draconian laws to try to claw some of that control back.

The War on Terror was framed as a Cold War for the 21st Century, and a fog of fear was spread over the population, but that fog gradually lifted as people realised that they were not at risk from Al Qaeda. Even when a nutcase tried to ignite explosives in his underpants on an aircraft, and politicians and the news media spewed rhetoric about this dangerous new tactic of the terrorists and how something had to be done, most people soon went back to their lives as if nothing had happened.

The powers that be needed a new threat with which to control the people and the Chinese hacking of Google and others provided them the framing to do it.

Western civilisation is now in peril of being destroyed by China in the form of computer hackers.

Google’s allegation that Chinese hackers infiltrated its Gmail servers and targeted Chinese dissidents proves the United States is “losing” the cyberwar, according to McConnell.

But that’s not warfare. That’s espionage.

We do not need, as Mike McConnell suggests, to ‘reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable.’

The ‘Google hacking situation’ was first and foremost the infiltration of the servers of private industry, not an attack on the United States itself. The IT security of American companies is an issue where the US government can be of assistance by offering advice or notifying companies of specific threats that it has become aware of, but not through monitoring and controlling the internet.

Categories
Computing

Chip and PIN is broken

The technical paper for the discovered vulnerability

Categories
Computing

How To Safely Store A Password

Use bcrypt

Categories
Computing

Parallel Algorithm Leads to Crypto Breakthrough

Dr. Dobb’s reports that a brute-force cracking algorithm can search the entire 56-bit DES keyspace at a throughput of over 280 billion keys per second, the highest known benchmark for 56-bit DES, and can complete in under three days, on a single hardware-accelerated server with a cluster of 176 FPGAs, a key recovery that would take years on a PC even with GPU acceleration. The massively parallel algorithm repeatedly decrypts fixed-size blocks of data and keeps the keys whose output consists of ASCII digits. Candidate keys found this way can then be tested more thoroughly to determine which one is correct.

Categories
Computing

Creating secure passwords

CyberNet News have a clever solution to the age-old problem of how to create and remember strong passwords that are highly resistant to brute-force attacks. [via]

Their method seems to be just for the creation of a single password, but I’ve adapted it below for use as a secure generator of unique passwords for websites.

1. Choose a master password. Go for something memorable, because this will form the basis of every password you generate, e.g. sherlock.

2. Get the URL of the website for which you wish to create a secure password. Attention: use just the domain name part, to avoid confusion later. You’ll thank me for that, trust me. Valid examples are facebook.com and google.com. Bad: http://www.facebook.com and https://mail.google.com/mail/.

3. Go to http://www.onlinefunctions.com/. Enter your master password followed by the domain name in the “Input” field, e.g. sherlockgoogle.com.

4. What we’re going to do is convert this input into an md5 hash. All we need to know about the md5 algorithm is that it’s commonly used to encrypt data.

5. Hit the “Create MD5” button.

6. Take the first eight characters from the “MD5 hash” field and use them as your new secure password.
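The recipe above, carried out locally as an added example (not code from CyberNet News or the linked site): doing the hashing on your own machine means the master password is never typed into a third-party web page, and the `password_bits` helper makes explicit what eight hex digits buy you. The `normalize_domain` step is my own addition for the scheme and `www.` prefix; subdomains such as mail.google.com are left as the user typed them, as in the original recipe.

```python
"""Added example: local implementation of md5(master || domain)[:8].
Not the original recipe's code; normalize_domain is an assumption of this example."""
import hashlib
import math
from urllib.parse import urlparse


def normalize_domain(site: str) -> str:
    """Reduce a URL or bare hostname to the domain the recipe asks for.

    Strips the scheme, port and path, drops a leading 'www.' and lowercases,
    so 'http://www.facebook.com' and 'facebook.com' yield the same password.
    Other subdomains (mail.google.com) are kept verbatim, as in the recipe.
    """
    host = urlparse(site if "://" in site else f"//{site}").hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def site_password(master: str, site: str, length: int = 8) -> str:
    """Steps 3 to 6 of the recipe: hex MD5 of master + domain, first `length` digits.
    MD5 is a one-way hash here, so the password is deterministic per site and
    nothing needs to be stored, but it is only as secret as the master password."""
    digest = hashlib.md5((master + normalize_domain(site)).encode("utf-8")).hexdigest()
    return digest[:length]


def password_bits(length: int = 8) -> float:
    """Upper bound on the strength of the generated password itself: each hex
    digit carries 4 bits, so the default eight digits give 32 bits at most,
    however strong the master password is. Raise `length` if a site allows it."""
    return length * math.log2(16)
```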

The SuperGenPass bookmarklet automates this process if you are willing to trust a third party, and there is no reason not to, given that the source code is available to scrutinise.

Categories
Computing Security

Jailed hacker gained control over prison computer

The Mirror reports that a jailed hacker was allowed to gain control over the prison computer hard drive. [via]

Slashdot says the prison computer network was under the control of this hacker, but the Mirror states that he had control of the hard drive and managed to lock everyone else out by password-protecting it.

Those are two quite different things, but regardless, it sounds like he didn’t do much harm. I’d be more concerned about the inmate at the same jail who managed to get a key cut that opened every door.

Categories
Computing

A Stick Figure Guide to the Advanced Encryption Standard (AES) [via Schneier]

This is simply brilliant, as is AES/Rijndael itself: explained like this, it seems amazing that something so simple is also so powerful.

Categories
Computing

The security of GSM is broken

The encryption system used for GSM mobile phones has been demonstrated to be fundamentally flawed and crackable. But to be honest, what is most surprising is that it has taken until now for the security of this 20-something-year-old encryption system to be broken.

At the recent Hacking at Random (HAR) conference, held from 13 to 16 August, Karsten Nohl detailed plans for cracking the standard GSM cell phone encryption, known as A5/1, and making the results available for anyone to use. You can see a PDF of his presentation here.

This issue was covered by Steve Gibson and Leo Laporte in the latest episode of the podcast Security Now, transcript here.

Categories
Computing

Identity Theft Manifesto – Protect yourself

Identity Theft Manifesto
Protect yourself. Protect your family. Protect your identity.

A very comprehensive website about all aspects of identity theft: how to prevent it happening to you, and what to do if you do become a victim of identity theft.