Entries Tagged "authentication"


Decline in Cursive Writing Leads to Increase in Forgery Risk?

According to this article, students are no longer learning how to write in cursive. And, if they are learning it, they’re forgetting how. Certainly the ubiquity of keyboards is leading to a decrease in writing by hand. Relevant to this blog, the article claims that this is making signatures easier to forge.

While printing might be legible, the less complex the handwriting, the easier it is to forge, said Heidi H. Harralson, a graphologist in Tucson. Even though handwriting can change—and become sloppier—as a person ages, people who are not learning or practicing it are at a disadvantage, Ms. Harralson said.

“I’m seeing an increase in inconstancy in the handwriting and poor form level—sloppy, semi-legible script that’s inconsistent,” she said.

Most everyone has a cursive signature, but even those are getting harder to identify, Ms. Harralson said.

“Even people that didn’t learn cursive, they usually have some type of cursive form signature, but it’s not written very well,” she said. “It tends to be more abstract, illegible and simplistic. If they’re writing with block letters it’s easier to forge.”

Maybe, but I’m skeptical. Everyone has a scrawl of some sort; mine has been completely illegible for years. But I don’t see document forgery as a big risk; far bigger are the automatic authentication systems that don’t have anything to do with traditional forgery.

Posted on May 3, 2011 at 2:25 PM

Nikon Image Authentication System Cracked

Not a lot of details:

ElcomSoft research shows that image metadata and image data are processed independently with a SHA-1 hash function. There are two 160-bit hash values produced, which are later encrypted with a secret (private) key by using an asymmetric RSA-1024 algorithm to create a digital signature. Two 1024-bit (128-byte) signatures are stored in EXIF MakerNote tag 0x0097 (Color Balance).

During validation, Nikon Image Authentication Software calculates two SHA-1 hashes from the same data, and uses the public key to verify the signature by decrypting stored values and comparing the result with newly calculated hash values.

The ultimate vulnerability is that the private (should-be-secret) cryptographic key is handled inappropriately, and can be extracted from camera. After obtaining the private key, it is possible to generate a digital signature value for any image, thus forging the Image Authentication System.

News article.

Canon’s system is just as bad, by the way.

Fifteen years ago, I co-authored a paper on the problem. The idea was to use a hash chain to better deal with the possibility of a secret-key compromise.

Posted on May 3, 2011 at 7:54 AM
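The signing and validation flow quoted in the Nikon post, as an added example (not ElcomSoft's or Nikon's code), showing that validation proves only possession of the private key. The demo key built from two Mersenne primes, the simplified padding, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed demo key, NOT Nikon's: two Mersenne primes give a 1128-bit modulus.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: the value that must never leave the camera
K = (N.bit_length() + 7) // 8       # modulus length in bytes

def _encode(digest: bytes) -> int:
    # Simplified deterministic padding (assumption): 00 01 FF..FF 00 || SHA-1 digest
    block = b"\x00\x01" + b"\xff" * (K - len(digest) - 3) + b"\x00" + digest
    return int.from_bytes(block, "big")

def sign(private_exp: int, data: bytes) -> bytes:
    return pow(_encode(hashlib.sha1(data).digest()), private_exp, N).to_bytes(K, "big")

def sign_image(private_exp: int, metadata: bytes, pixels: bytes):
    # Metadata and image data are hashed and signed independently, as the quote describes.
    return sign(private_exp, metadata), sign(private_exp, pixels)

def verify_image(metadata: bytes, pixels: bytes, signatures) -> bool:
    # Validation side: public key only; recompute both hashes and compare.
    for data, sig in zip((metadata, pixels), signatures):
        if pow(int.from_bytes(sig, "big"), E, N) != _encode(hashlib.sha1(data).digest()):
            return False
    return True

def demo():
    # Constructed sample data standing in for EXIF metadata and image bytes.
    meta, pixels = b"Model=constructed-camera;ISO=200", b"\x10\x20\x30" * 64
    sigs = sign_image(D, meta, pixels)                  # camera signs at capture time
    genuine = verify_image(meta, pixels, sigs)
    # An edit made without the key fails validation.
    tampered = verify_image(meta, pixels[:-1] + b"\x00", sigs)
    # Once the key is outside the camera, any content it signs validates.
    other = b"\xff" * 192
    resigned = verify_image(meta, other, sign_image(D, meta, other))
    return genuine, tampered, resigned

if __name__ == "__main__":
    print(demo())
```

The hashing and RSA steps are sound here; the guarantee is exactly as strong as the key storage in the device.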

Federated Authentication

New paper by Ross Anderson: “Can We Fix the Security Economics of Federated Authentication?”:

There has been much academic discussion of federated authentication, and quite some political manoeuvring about ‘e-ID’. The grand vision, which has been around for years in various forms but was recently articulated in the US National Strategy for Trustworthy Identities in Cyberspace (NSTIC), is that a single logon should work everywhere [1]. You should be able to use your identity provider of choice to log on anywhere; so you might use your driver’s license to log on to Gmail, or use your Facebook logon to file your tax return. More restricted versions include the vision of governments of places like Estonia and Germany (and until May 2010 the UK) that a government-issued identity card should serve as a universal logon. Yet few systems have been fielded at any scale.

In this paper I will briefly discuss the four existing examples we have of federated authentication, and then go on to discuss a much larger, looming problem. If the world embraces the Apple vision of your mobile phone becoming your universal authentication device – so that your phone contains half-a-dozen credit cards, a couple of gift cards, a dozen coupons and vouchers, your AA card, your student card and your driving license, how will we manage all this? A useful topic for initial discussion, I argue, is revocation. Such a phone will become a target for bad guys, both old and new. What happens when someone takes your phone off you at knifepoint, or when it gets infested with malware? Who do you call, and what will they do to make the world right once more?

Blog post.

Posted on March 29, 2011 at 6:43 AM

Authenticating the Authenticators

This is an interesting read:

It was a question that changed his life, and changed mine, and may have changed—even saved—all of ours by calling attention to flaws in our nuclear command and control system at the height of the Cold War. It was a question that makes Maj. Hering an unsung hero of the nuclear age. A question that came from inside the system, a question that has no good answer: How can any missile crewman know that an order to twist his launch key in its slot and send a thermonuclear missile rocketing out of its silo—a nuke capable of killing millions of civilians—is lawful, legitimate, and comes from a sane president?

Any chain of authentication ultimately rests on trust; there’s no way around it.

Posted on March 25, 2011 at 12:22 PM

Biometric Wallet

Not an electronic wallet, a physical one:

Virtually indestructible, the dunhill Biometric Wallet will open only with touch of your fingerprint.

It can be linked via Bluetooth to the owner’s mobile phone – sounding an alarm if the two are separated by more than 5 metres! This provides a brilliant warning if either the phone or wallet is stolen or misplaced. The exterior of the wallet is constructed from highly durable carbon fibre that will resist all but the most concerted effort to open it, while the interior features a luxurious leather credit card holder and a strong stainless steel money clip.

Only $825. News article.

I don’t think I understand the threat model. If your wallet is stolen, you’re going to replace all your ID cards and credit cards and you’re not going to get your cash back—whether it’s a normal wallet or this wallet. I suppose this wallet makes it less likely that someone will use your stolen credit cards quickly, before you cancel them. But you’re not going to be liable for that delay in any case.

Posted on February 18, 2011 at 1:45 PM

The Security Threat of Forged Law-Enforcement Credentials

Here’s a U.S. Army threat assessment of forged law-enforcement credentials.

The authors bought a bunch of fake badges:

Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense’s military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air Force Office of Special Investigations (AFOSI), and the Marine Corps Criminal Investigation Division (USMC CID). Also, purchased was the badge for the Defense Criminal Investigative Service (DCIS).

Also available for purchase were counterfeit badges of 42 other federal law enforcement agencies including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), Alcohol, Tobacco and Firearms (ATF), Secret Service, and the US Marshals Service.

Of the other federal law enforcement agency badges available, the investigators found exact reproductions of the badges issued to Federal Air Marshals, Transportation Security Administration (TSA) Screeners, TSA Inspectors, and Special Agents of the TSA Office of Inspector General.

Average price: $60.

Then, they tried using them:

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area.

[…]

Once being granted access to the military installation or federal facility, the investigators proceeded to areas that were designed as “Restricted Area” or “Authorized Personnel Only” and were able to wander around without being challenged by employees or security personnel. On one military installation, investigators were able to go to the police station and request local background checks on several fictitious names. All that was required was displaying the fraudulent badge and credentials to a police officer working the communications desk.

The authors didn’t try getting through airport security, but they mentioned a 2000 GAO report where investigators did:

The investigation found that investigators were 100% successful in penetrating 19 federal sites and 2 commercial airports by claiming to be law enforcement officers and entering the facilities unchecked by security where they could have carried weapons, listening devices, explosives, chemical/biological agents and other such materials.

Websites are listed in the report, if you want to buy your own fake badge and carry a gun onto an airplane.

I’ve written about this general problem before:

When faced with a badge, most people assume it’s legitimate. And even if they wanted to verify the badge, there’s no real way for them to do so.

The only solution, if this counts as one, is to move to real-time verification. A credit card used to be a credential; it gave the bearer certain privileges. But the problem of forged and stolen credit cards was so pervasive that the industry moved to a system where now the card is mostly a pointer to a database. Your passport, when you present it to the customs official in your home country, is basically the same thing. I’d like to be able to photograph a law-enforcement badge with my camera, send it to some police website, and get back a real-time verification—with picture—that the officer is legit.

Of course, that opens up an entire new set of database security issues, but I think they’re more manageable than what we have now.

Posted on January 13, 2011 at 8:00 AM

Changing Passwords

How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer’s or bank’s password expiration policy: people who finally memorized their current password and are realizing they’ll have to write down their new password. How could that possibly be more secure, they want to know.

The answer depends on what the password is used for.

The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember—and easy-to-guess—passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.

The primary reason to give an authentication credential—not just a password, but any authentication credential—an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year’s worth of benefit out of it. After that, it’s useless.

This becomes less important when the credential contains a biometric—even a photograph—or is verified online. It’s much less important for a credit card or passport to have an expiration date, now that they’re not so much bearer documents as just pointers to a database. If, for example, the credit card database knows when a card is no longer valid, there’s no reason to put an expiration date on the card. But the expiration date does mean that a forgery is only good for a limited length of time.

Passwords are no different. If a hacker gets your password either by guessing or stealing it, he can access your network as long as your password is valid. If you have to update your password every quarter, that significantly limits the utility of that password to the attacker.

At least, that’s the traditional theory. It assumes a passive attacker, one who will eavesdrop over time without alerting you that he’s there. In many cases today, though, that assumption no longer holds. An attacker who gets the password to your bank account by guessing or stealing it isn’t going to eavesdrop. He’s going to transfer money out of your account—and then you’re going to notice. In this case, it doesn’t make a lot of sense to change your password regularly—but it’s vital to change it immediately after the fraud occurs.

Someone committing espionage in a private network is more likely to be stealthy. But he’s also not likely to rely on the user credential he guessed or stole; he’s going to install backdoor access or create his own account. Here again, forcing network users to regularly change their passwords is less important than forcing everyone to change their passwords immediately after the spy is detected and removed—you don’t want him getting in again.

Social networking sites are somewhere in the middle. Most of the criminal attacks against Facebook users use the accounts for fraud. “Help! I’m in London and my wallet was stolen. Please wire money to this account. Thank you.” Changing passwords periodically doesn’t help against this attack, although – of course – change your password as soon as you regain control of your account. But if your kid sister has your password—or the tabloid press, if you’re that kind of celebrity—they’re going to listen in until you change it. And you might not find out about it for months.

So in general: you don’t need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you’ve shared a computer with, change them all.

Two final points. One, this advice is for login passwords. There’s no reason to change any password that is a key to an encrypted file. Just keep the same password as long as you keep the file, unless you suspect it’s been compromised. And two, it’s far more important to choose a good password for the sites that matter—don’t worry about sites you don’t care about that nonetheless demand that you register and choose a password—in the first place than it is to change it. So if you have to worry about something, worry about that. And write your passwords down, or use a program like Password Safe.

This essay originally appeared on DarkReading.com.

EDITED TO ADD (11/14): Microsoft Research says the same thing.

“The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.”

Posted on November 11, 2010 at 6:45 AM

Firesheep

Firesheep is a new Firefox plugin that makes it easy for you to hijack other people’s social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses WinPcap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection.

Slides from the Toorcon talk.

Protect yourself by forcing the authentication to happen over TLS. Or stop logging in to Facebook from public networks.

EDITED TO ADD (10/27): To protect against this attack, you have to encrypt the entire session—not just the initial authentication.

EDITED TO ADD (11/4): Foiling Firesheep.

EDITED TO ADD (11/10): More info.

EDITED TO ADD (11/17): Blacksheep detects Firesheep.

Posted on October 27, 2010 at 7:53 AM
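A site-side check for the condition the Firesheep post describes, where login happens over TLS but the session cookie can still travel in clear text. This is an added example, not part of the original post; the function name, the `session` cookie name and the sample responses are constructed for illustration.

```python
from http.cookies import SimpleCookie

def audit_response(url_scheme, headers, session_cookies=("session",)):
    """Flag ways a session cookie set by this response could cross the network unencrypted.

    headers is a list of (name, value) pairs from one HTTP response.
    """
    findings = []
    lower = [(name.lower(), value) for name, value in headers]
    if url_scheme != "https":
        findings.append("response itself is plain HTTP")
    elif not any(name == "strict-transport-security" for name, _ in lower):
        findings.append("no HSTS: browser may still make plain-HTTP requests to this host")
    for name, value in lower:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie, morsel in jar.items():
            # Without the Secure attribute the browser attaches the cookie to http:// requests too.
            if cookie in session_cookies and not morsel["secure"]:
                findings.append(f"cookie '{cookie}' lacks Secure: sent on any http:// request")
    return findings

# Constructed responses (not captured traffic).
# Login page served over TLS, but the session cookie is not pinned to TLS.
LOGIN_ONLY_TLS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=3f9a1c; Path=/; HttpOnly"),
]
# Whole session kept on TLS: HSTS plus a Secure cookie.
FULL_SESSION_TLS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=3f9a1c; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("login-only TLS", LOGIN_ONLY_TLS), ("full-session TLS", FULL_SESSION_TLS)):
        print(label, audit_response("https", hdrs))
```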
