Schneier on Security

Clive Robinson • May 26, 2012 1:51 PM

@ A Nonny Bunny, ShadowHatesYou,

Let’s say adding a character (since we don’t use all of them, nor entirely randomly), adds about 5 bits.

I know you said “all these numbers are highly inaccurate” but each character in a ‘human rememberable’ pass word/phrase of moderate size (~10 chars) is realy only worth between 1.5 and 1.8 bits in practice, and this decreases well below 1 bit for longer pass phrases simply because most humans usuall take them from well known sources such as poems or songs etc. Thus anyone who want’s to attack them can usually pre-compute the more likely ones (Google “dictionary attacks” or “rainbow tables” to get more info) and most password/phrase cracking software (including “truecrack”) usually does this as a matter of course.

Some estimates put the “real entropy” [1] of (the average) human rememberable password/phrase below 30bits…

However the situation is actually a whole lot different for the likes of the NSA than for other organisations. The reasons for this are primarily two fold, mass communications harvesting (what the NSA does best) and for want of a better expression “human limitations”.

Most comercial and nearly all open source etc “secure communications” software use PubKey encryption to send a “randomly selected” key for AES etc that is used to encrypt the actuall communications.

The problem with a lot of these PubKey systems is that the random number generators used to generate the initial two primes that are the PQ pair have been found in practice to be quite predictable for a number of reasons (usually a lack of entropy or broken design of random generator).

Now as discussed on this blog a little while back, you don’t need to factor out the PQ pair composite to see if two PubKeys share a prime. And the test to group PubKeys with a shared prime is very very fast. Thus the likes of the NSA who will have tested just about every available piece of software or hardware random number generator can make up “test keys” containing the most likely primes to be generated by a particular software random generator and quickly break large numbers of PubKeys.

Thus when doing “mass communications harvesting” for data collection” they would be going after these “low hanging fruit” in an automated way.

Now this does not mean they can break all PubKeys or even specific PubKeys, just a lot of them that are used on the Internet currently.

But even if they cannot break a specific individuals PubKey they may well be able to break the PubKey of someone they corespond with, and as humans have a very very bad habit of “including” the other persons message when replying… there is a reasonable chance the NSA will get the conversation in part or whole…

Then of course humans make other dumb mistakes like emailing passwords and passphrases using emails that may be in plain text or encrypted using PubKey. Or they may use the same or verry similar passwords or passphrases for “web accounts” that they do for their other accounts or for their TrueCrypt volumes. Gathering these is of course trivial due to poor protocols and implementation in web browsers etc that allow those “bogus” CA certificates to be used for man in the middle attacks on SSL etc. And of course if a users online account is in the same juresdiction as an interested LEA then the chances are that the account passsword/passphrase will be made available with just a simple request these days.

Thus the NSA does not need to have vast arrays of GPU’s cracking away… they just have to be patient and wait for the passwords/phrases to be giffted to them.

[1] Even though the “real entropy” of a password/passphrase may be quite low the “work factor” to find it is most likely to be considerably greater for a variety of reasons.

Clive Robinson • May 27, 2012 10:33 AM

@ Nick P,

A question arises from all of this,

“Are there any Bio-metrics that do not age, or can change due to illness or medical treatment?”

For instance it is known that the “Bio-Metric Gold Standard” DNA will change after certain medical treatment such as “bone marrow transplant”. Likewise in certain cases “DNA trace evidence” will be wrong or have a probability of providing false results (ie after a blood transfusion, your blood is a mixture of yours and somebody elses, thus you have their DNA in your blood stream, and if you cut yourself whilst committing a crime then the blood stain will likewise be a mixture…)

Thus if we assume all Bio-metrics will need to be perriodicaly re-tested it raises the question of,

“At what point is a Bio-metric use to wide-scale?”

Also of course there is the question of proving identity for the “first” bio-metric reading.

There are some people who have no preceding generation relatives alive, and whose preceding relatives were cremated or buried sufficiently long ago that no viable DNA remains. Thus they cannot prove who they are reliably or at all, other than by knowledge within their heads (which as it is “learned” could have been learnt only a very short time prior to the test…).

So untill we grab a baby in the birth canal and DNA test it, then immediatly fingerprint it and retina/iris scan it what is the actual point of taking Bio-metrics…

Clive Robinson • May 28, 2012 4:24 AM

OFF Topic:

As quite a few readers are aware German Banks like TAN’s (Transaction Authorization Numbers), originaly sent on a paper list by the bank, some now do it through an SMS to the account holders phone. Although the original TAN list was fairly secure and could have easily been made tamper evident the SMS system is less so for various reasons.

However the new malware exploits a security failing that is not due to a technical fault with the SMS or bank systems but with “social engineering” of the account holder via malware (based on Tatanga Trojan) on the account holders computer..

It works as follows,

1, At some point the account holders PC becomes infected with the Tatanga Trojan based malware.

2, The malware detects the account holder loging into the bank system and uses a “Man in The Browser” (MiTB) attack to inject a new HTML page to the account holder that says a security verification procedure is taking place and instructs the user to enter the SMS TAN from the bank into the verification box in the HTML page.

3, The malware selects from the account holders balances the account with most money and sends a money transfer to a mule account. This transfer request is kept hidden from the account holder.

4, The transfer request triggers the TAN SMS from the bank to the account holder. However the SMS does include transaction details, the malware (in step 2) covers this by saying it is irrelivant “experimental” data…

5, If the user believes what they read and types in the TAN it gets sent to the bank and the money transfer compleates.

6, To prevent the account holder quickly discovering the transfer the malware adjusts the account balance displayed on the account holders computer.

Thus the whole fairly sophisticated scheme revolves around and hangs on step 5 and if the account holder “believes” the “social engineering” that is in front of them on their computer screen and ignore the information with the TAN in the SMS…

Now I know most readers will think they will not get caught out by such a trick, but I’m not so sure (unless like me you DON’T do online banking or e-finance in any shape or form).

Then there is the question of can the scheme be extended on smart phones, where the malware might also be able to effect the way the TAN SMS is displayed…

As Bruce has noted in the past “Attacks only improve with time…”

And the speed criminal hackers are improving their attacks suggests that getting at the authorization Side Channel (SMS) in a smart phone will happen within a year or two at most.

Thus there are only two mittigations,

1, Stop the malware getting on a smart phone (highly unlikely).

2, Develop an authentication side channel that cannot be tampered with by malware.

It is this latter option banks should be investigating and however it works it must fully authenticate the transaction through the account holder (to prevent “end run” attacks). As some readers will know several people including Nick P, and myself have discussed this in quite some depth in the past on this blog.

The original report from those discovering this current criminal scheme can be read at,

http://www.trusteer.com/blog/tatanga-trojan-bypasses-mobile-security-steal-money-online-banking-users-germany

Clive Robinson • May 29, 2012 4:23 AM

@ Nick P,

You might find this little “do-hicky” of interest,

http://en.m.wikipedia.org/wiki/Superconducting_nanowire_single-photon_detector

Not just for “Backside FA” (which is more than a decade old now, early papers were from M.K. McManus &co out of IBM’s TJ Watson Research labs) But all sorts of Optical Tempest and Quantum Crypto etc.

Note the following about the device,

1, Single photon detection
2, Very low “dark count” rates
3, Operation in the hundreds of MHz
4, Jitter rates below 50pS.

It does have a few disadvantages detection wavelength being one, but I’m told there are now much better detectors avaialble…

@ ALL,

As some of you know I’ve a few rules of thumb about security, the one I mention most often is,

“Security-v-Efficiency”

That is the more “efficient” you make something the less likely it is to be secure (due to inadvertantly opening up covert channels).

But another another and more important rule is,

“Security-v-Testing”

That is the more “testable” you make something the less likely it is to be secure (due not just to inadvertantly opening up covert channels but actually opening up overt/unconcealed channels and labeling them “test”, the fact you don’t publish how to use them is the same old “security by obscurity” nonsense”).

Both these rules have a rider on them with the use of the word “inadvertantly”… That is these rules do not prohibit you making things more efficient or putting in testability, it means you Realy Realy MUST Know what you are doing at ALL levels.

Such people are extreamly rare, and we know from experiance (WEP, ISO C, et al) being on a “Standards Body” does not make you anything near an expert in fields of endevor outside your own narrow perspective or that of your employer (which might be the reason you were put on the standards body in the first place 😉

I’ve “dabbled” in Communications Security and related areas for over a third of a century, and what it has taught me is I’m not a specialist, and thus should not be afraid to get a “domain expert” in as and when required. And in my view the earlier the better (ie before you draw up the product spec is probably to late).

Which gives rise to the important rule,

“If you do not understand it, at all levels, you can not say it’s secure.”

Which gives rise to another general rule, not just about security but life in general,

“Much of what we do is unkown, and time can teach us our mistakes, but only if we are prepared to learn.”

This is a very important rule because it effects the way you look at life, and thus your philosophy with respect to what you do, and importantly how.

As some of you know I occasionaly bang on about “framework standards” with regards to security (and when NIST are going to step up to the plate on them). This is because I know from experiance that the likes of AES, RSA, and all the other “nuts and bolts” we use for security will in practical terms not be secure at some point in the future.

In the case of practical implementations, it’s usually before the standard has even been agreed (AES and cache timing attacks).

Thus you have to design systems so that you can repair them easily and most importantly in the case of security quickly. This means “plugable modual” design, where you can pull out the broken part and put in a new (hopefully) stronger part. To do this you need to think long and hard about the framework these moduals plug into.

Importantly when something breaks, don’t keep reusing the broken part….

It should go without saying but in security we do it all the time, usually without the users knowledge and this invariably gives rise to a type of MiTM attack where the attacker causes the system to “fall back” to use the broken and insecure part…

Why do we do this so often, well because there are so many products out there that can not be patched, but importantly can not be replaced either. Both faults due to poor design choices made before the product spec was thought of…

(And please don’t get me started on penny pinching managment of features crazy moronic marketing types 😉

Any way having said that it’s time for a cup of hot brown stuff 🙂

Clive Robinson • June 1, 2012 11:12 AM

@ Jacob,

I would like to know if you, bruce, and clive think this might be similiar to the breaking out of cryptography

The first thing that comes to mind is “why has it taken so long?”…

I quick look back through this blog will show that there have been several conversations on how to do the individual parts of Stuxnet, Duqu and now Flame either around about the time they are alledged to have been designed or before that. So we can safely say the overall design / methodology has been out in the open to anyone who cared to read thi or one or two (lightbluetouchpaper) blogs.

I’ve also banged on for quite some time that “bot herders” realy did not know how to capitalize on their “assets” and made it fairly clear that stealth/covert removal of information had a way better rate of return than SPAM AND DDoS. You can see my thoughts on how “fire and forget” is actually more likely to get you into a target than “directed attacks” (mainly because the obvious rat holes have been blocked).

As for modular design well I keep going on about it for amongst other things “standards”… It’s actually a real indicator that this has been designed by people that have been around the block a few times and realy know what they are doing at the strategic level as well as the code level. Thus they are probably in their mid to late thirties with a wife and the usuall 2.7children and 0.1dog and 0.3cat that “Mr average” has.

What I’d be most interested in seeing would be the targeting method and algorithms, this would provide a very clear idea of the thinking and reasoning behind it. Again I would urge caution that where it appears to have ended up may not be the designated target, but a potential steping stone towards the target that might be effectivly shut off from other methods of access.

As for the people behind it there is by no meanss sufficient information to say, even if there was it would more than likely be a false indicator such is the “smoke and mirrors” deployed by most players in the game.

Oddly one of the strongest players (the UK) is not normaly “fingered” for such activities which might tell you something about their skill levels. Likewise the Russian’s who are directly or indirectly in it upto and beyond their necks are likewise not that frequently mentioned. As for some places like Sweden, Germany and other north European nations you get to hear nothing. For some reason most “pundits” be they “arm. chair” or “news organisation” appear incapable of thinking further than their next drink. And thus almost always point the finger at the most obvious candidate such as the US or Israel with zero supporting evidence.

My gut feeling is a year or more of speculation will go nowhere except technicaly and it will be another “seven day wonder” for the press that has conveniantly poped up in time for the US elections…

As for the Intel organisations being “ahead of the game” actually probably not, they don’t pay very well and unlike the old days where the mathematically inclined had limited job options this is not the same game or the same rules. Collectivly I suspect there are more clued up and better paid “hackers” of the “old school” variety out there on way better money than the various Govs can offer and many Govs are going the COTS route as paying even quite large sums for first rate exploits is still better value than employing a couple of hundred second hundred second or third rate code cutters.

Any way that’s my “pennies worth” I shall now retire to my comfy chair in my “dead tree” reading room with a cup of nice hot brown stuff to sip whilst I contemplate 🙂