Posts Tagged ‘security research’

Passwords

Posted: January 29, 2016 by uszik11 in Identity theft, Password need-to-knows, Personal safety, Uncategorized, Vulnerabilities
Tags: , , ,

Are your passwords strong enough to resist a brute force attack?

Passwords are just about dead. Many systems now offer “two factor identification.” You give them your cell phone number and you have to use both a password and a code number sent to  the phone for your log in.  But passwords continue. They are easy for administrators. They are part of the common culture.

Steve Gibson has the engineer’s “knack.” (See the Dilbert video here.) His company, Gibson Research Corporation (here), sells a wide range of computer security products and services. He also offers many for free. Among the freebies is Haystack: How Big is Your Haystack – and how well is your needle hidden? (here)  This utility provides a metric for measuring password security.

It is pretty easy to do yourself, if you like arithmetic. 26 upper case letters, 26 lower case, 10 digits, 33 characters (with the space) for 95 printable ASCII characters in the common set.  So, if you have an 8-character password that is 95 to the 8th power possible combinations: 6.634 times 10 to the 15th power or over 6-and-a-half quadrillion. If you could try a million guesses a second, it would take 6.5 billion seconds or just over 200 years. (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365.25 days / year* 200 years =6.3 billion .)

Gibson Research makes all of that automatic. Just key in your password, and it tells you how long it would take to crack.

Cracking passwords is a “routine activity” for a hacker. They have tools.  At one meet-up for hackers, the speaker told us, “If you have to use brute force, you are not thinking.”  They do not type in a million guesses per second, of course. They have programs to do that. Also, most websites just do not allow that kind of traffic: you cannot do a million guesses per second. What the hackers do is break in to a site, such as Target, Home Depot, LinkedIn, or eHarmony, download all of the log files, and then, on their own time, let their software attack the data offline.

Also, hackers do not use the same computers that you and I do. They start with gaming machines because the processors in those are built for high-speed calculation. They then gang those multiple processors to create massively parallel computers.  The calculators from GRC show the likely outcome for brute force by both a “regular” computer and a “massive cracking array.”

If someone got hired today at a typical midrange American corporation, their password might just be January2016. If, like most of us, they think that are really clever, it ends with an exclamation point: January2016! Hackers have databases of these. They start with standard dictionaries, and add to them all of the known passwords that they discover.

One common recommendation is to take the first letters of a phrase known only to you and personal only to you. My mother had naturally red hair for most of her life. She was born in 1929 and passed in 2012. So, “My mother’s red hair came from a bottle” becomes mmrhcfab19292012. According to Gibson Research, brute force guessing with a massive cracking array would take over 26 centuries.

Gioachino Rossini premiered his opera, William Tell, in 1829. “William & Tell = 1829” would take a massive parallel cracking machine about 1 million trillion centuries to guess. On the other hand, a “false phrase” such as Five + One = 27 could not be done in under 1.5 million centuries.

TMAR Four 3c3c

Texas State Guard Maritime Regiment non-commissioned officers at leadership training.  Only the one on your far right is a real Marine.

Remember, however, that a dictionary attack will crack any common phrase.  With over 1.7 million veterans of the United States Marine Corp, someone—probably several hundred someones—has “Semper Fi” for a password. Don’t let that be you. A brute force attack would need only 39 minutes, but that is not necessary: a cracker’s dictionary should have “Semper Fi” in it already.

(Above, I said that cracking passwords is a “routine activity” for a hacker. “Routine activities” is the name of theory of crime.  Attributed to sociologists Marcus Felson and Lawrence E. Cohen, routine activities theory says that crime is what criminals do, independent of such “social causes” as poverty. (See Routine Activity Theory on Wikipedia here.) That certainly applies to password crackers. Like other white collar criminals, they are socially-advantaged sociopaths.  They are planfully competent, calculating their efforts against a selfish return.)

Being the Change … from the Mouths of Babes

Posted: May 23, 2015 by IntentionalPrivacy in Security or Privacy Initiatives, Tips
Tags: , , , , , , , ,

Let me tell you about children who are leading changes in a wide variety of areas including education, research on cancer and asthma, and even information security and privacy. It was eye-opening to me because many people—including me!—discount discoveries made by children because they are “too young” to add significant information to a dialog. What they could add—if we give them a chance—is a fresh perspective.

I recently had the opportunity to attend an information security keynote presentation given by Reuben Paul. I attend many security events every year, so that might not seem so unusual, except that this amazing young man is only nine years old. He gave his first information security presentation Infosec from the Mouth of Babes at the 2014 DerbyCon conference in Kentucky at the age of eight, and he has given many presentations since then. Here is his story. His father, Mano Paul, is an information security trainer and consultant.

Reuben’s talk at DerbyCon discussed three topics:

  1. Why should you teach kids about Information Security?
  2. How can you teach kids about Information Security?
  3. What can kids teach you about Information Security?

Reuben’s advice at DerbyCon? “[Parents and educators should] teach … kids to use [technology] safely and securely.”

Many grownups do not have the level of understanding of privacy and security that Reuben does. How did Reuben gain that understanding? Reuben credits his parents and his school for being supportive, but some credit belongs to Reuben. He imagined how children could participate in information security and privacy, and insisted on being heard. That takes, well, imagination as well as persistence.

Then I started looking at other amazing children. I found a section on TED Talks called “TED under 20.”

One of the first videos I saw was called Science is for everyone, kids included. The video tells the story of neuroscientist Beau Lotto working with a class of 25 eight- to ten-year-old children from Blackawton Primary School, Blackawton, Devon, UK. The children developed an experiment on training bees to choose flowers according to rules. Then the children wrote and submitted a paper, which was published by the Royal Society Biology Letters.

The paper is free to download and fun to read!

The conclusion the Blackawton Primary School children came to was that “Play enables humans (and other mammals) to discover (and create) relationships and patterns. When one adds rules to play, a game is created. This is science: the process of playing with rules that enables one to reveal previously unseen patterns of relationships that extend our collective understanding of nature and human nature.”

Jo Lunt, science teacher at Blackawton Primary School, said, “I think one of the biggest changes I’ve seen is the children’s approach to learning science. They don’t get so hung up or worried about getting the answer right. They think more about the journey they’re on and the learning they’re doing along the way.”

How I harnessed the wind, is the story of William Kamkwamba. Malawi, the country where he lived, experienced a drought in 2001. He and his family not only couldn’t pay for his schooling, they were all starving because their crops failed. He was determined to help his family find a solution for the drought. He found a book in the library with plans for a windmill. At the age of 14, he built his first windmill from scrap yard materials to pump water for crop irrigation and to create electricity.

Award-winning teenage science in action explains the projects of the three teenage girls who won the 2011 Google Science Fair. Lauren Hodge, age 13-14 category, conducted her research on how carcinogens formed while grilling chicken. Shree Bose’s project, the age 17-18 age category and grand prize winner, concentrated on reasons why cancer survivors developed resistance to chemotherapy. Naomi Shah, age 15-16 category, used a complex mathematical model to look at ways to improve air quality for asthmatics.

Children learn very rapidly, and since they have used technology all their lives, they will often master new skills with an ease that will take your breath away. Be the change, mentor change, and be willing to change. Be open to learning from anyone who can teach you!

Public Key Cryptography Protects Your Information

Posted: October 26, 2014 by uszik11 in First Steps, Security or Privacy Initiatives
Tags: , , ,

The methods of securing data are robust. Your financial transactions, health records and other sensitive information are safeguarded by strong mathematical processes. You can use these same tools yourself to keep your emails private. It is not much harder than learning a new phone and installing an app.

Usually, when your personal data is exposed by organized gangs of Russian “businessmen” or the Chinese People’s Liberation Army, it because of failures in computer security allowed by weaknesses in the programs. The cell phone companies deliver records to the NSA. The NSA does not break your ciphers. As far as we know, no one has ever cracked one of the public key methods developed since 1975. Some theoretical weaknesses have been suggested. Brute force attacks by the NSA have been hinted at, but never demonstrated. The mathematics is as immutable as the Law of Identity: A is A.  It is absolutely true that 1 + 1 = 2, always and forever.

A Crazy Idea

In the early to mid-1970s, independent researchers Whitfield Diffie and Martin Hellman at Stanford, Ralph Merkle at Berkeley, and Ronald Rivest at MIT, along with his doctoral candidates Adi Shamir and Lenard Adelman, all sought and found ways to encrypt information that were not based on any of the historically known methods. As a result, when Ralph Merkle submitted his papers to the Communications of the Association for Computing Machinery, they were rejected for denying the established wisdom of 2000 years. Working on his doctorate at Berkeley, he was told by his professors that he obviously did not know the basics of cryptography.

Codes and Ciphers

A code is a secret translation of one set of symbols for another. If we let
Handkerchief = Train
Scarf = Bus
Blouse = Plane
Red = 2:00PM
Blue = 3:00PM
Green = 3:45 PM
Then, “Thank you for the red scarf “ or “Thank you for the green blouse” could be sent via email or on a post card and the real meaning would be hidden. The weakness is in exchanging the key. Someone has to pass the translation table. However, given the security of the key table, the code is unbreakable.

A cipher is an orderly substitution. Taking the alphabet backwards, A=Z, B=Y, C=X,… turns BARACK OBAMA into YZIZCP LYZNZ. Another kind of cipher just takes the letters in turn say, every third in rotation so that HILLARY CLINTON becomes LRLTHLYIOIACNN.

Ciphers often can be broken with applied arithmetic. In English, e is the most common letter, followed by t a o i n s h r d l u… Among the complicated ciphers was the Vigenere in which a table of letter keys allowed shifting substitutions. During World War II, the Germans employed their “Engima” machine with its shifting and changeable wheels. It fell to the first of the computers, the “Bombe” of Bletchley Park and “Ultra” Project. In The Jefferson Key by Steve Berry (Ballantine Books, 2011), a supposedly unbreakable cipher finally falls to a modern-day sleuth. As constructed, it involved writing the letters vertically, then inserting random letters, then writing the letters horizontally. However, again, common arithmetic allows you to use the fact that any English word with a Q must have that letter followed by a U; and no English words have DK as a digraph. (Until DKNY, of course.) So, the cipher was broken.

Speaking to LASCON in Austin, October 23, 2014, Martin Hellman said that he and his co-workers were considered “insane” for suggesting that an encryption method could be devised in which the formulas were public. In fact, this idea had old roots.

The 19th century founder of mathematical economics, William Stanley Jevons, suggested that certain mathematical functions that were “asymmetric” could be the basis for a new kind of cryptography. Just because A=Z does not mean that Z=A. His idea did not bear fruit. However, Martin Hellman asked his colleagues in the mathematics department if they knew of any such asymmetric functions. Indeed, many exist.  They can be called “trapdoor functions” because they are easy to do in one direction, but computationally difficult in the other.  In other words, they are are unlike the four common arithmetic operations.

The Diffie-Hellman system employs modulo arithmetic.  RSA (Rivest-Shamir-Adleman) uses the totient function discovered by Leonhard Euler in 1763. In 1974, Ralph Merkle, then at Berkeley, thought of using a set of puzzles, where each one is moderately hard, but the full set of 15 becomes computationally difficult. Working together, Merkel and Hellman created a “knapsack” function in which the challenge is to put the “most important objects” (numbers) with the smallest weights (numbers) into a bag (solution set).

You can get the papers online. If you loved high school algebra, and get a kick out of crossword puzzles (especially acrostics) this will be fun. If not, just accept the fact that they work.

The salient facts remain: the cipher system is clearly described, yet stands cryptographically secure.   That is a mandate called “Kerckhoffs Law” named for Auguste Kerckhoffs, a 19th century Dutch linguist. A cryptographic system should remain secure, even if everything about it is known, except the key. Thus, in our time, you can find the mathematical theorems and computer code for public key systems. You can download almost instantly clickable applications to secure your email.

Pretty Good Privacy
A hundred years ago, codes and ciphers and the study of cryptography all were controlled by the secret services of governments. In our time, academic theoreticians publish papers. To be patented, a device must be published. And so, Phil Zimmermann took the mathematical theorems and processes of the RSA encryption algorithm and recoded them from scratch to create a new system, just as powerful, but available to anyone without need for a license. Zimmermann was threatened with lawsuits and such, but he prevailed. Today, PGP is a free product offered by software sales giant Symantec on their website here. It is something a “loss leader” for Symantec. You can get PGP from other places as well, see here.

With it, you can encrypt your emails. Know, however, that (1) you would need to be “approved” by another PGP user (easy enough) and that (2) anyone you send emails to with this also needs it to read your emails to them. Be that as it may, it is no harder than setting up a really cool Facebook page, just a bit of work and some close focus.

New vulnerabiltity discovered in Universal Plug and Play (UPnP)

Posted: February 8, 2013 by IntentionalPrivacy in Identity theft, Privacy, Vulnerabilities
Tags: , , , , , , ,

What is Universal Plug and Play? It is a protocol that allows network devices to talk to each other and it often runs on devices unless it is turned off. I have listed a few examples of devices that might have it enabled, which include such devices as home routers, printers, smart TVs, IP cameras, and home automation systems, but there could be many other types of devices that could have it turned on.

The first thing to check is your home router. How do you find out if your router is vulnerable? Rapid7 is a security research firm that has a free website-based tool that will check your router, available here http://upnp-check.rapid7.com/. Click the button “Scan My Router.” You do not have to install any software. It should take about 30 seconds to run.

If you want to check more than your router, there is a program on that page that you can download and run.

There is also a link to a page listing answers to frequently asked questions as well as a link to a more in-depth, technical explanation if  you’re interested.

Repeating past mistakes leads to security flaws

Posted: November 4, 2012 by IntentionalPrivacy in Security or Privacy Initiatives
Tags: , , ,

Peter G. Neumann, an 80-year-old computer scientist working at SRI International, and Robert N. Watson, a computer security researcher based at Cambridge University’s Computer Laboratory, are heading a team who are working on a five-year project for the Pentagon’s Defense Advanced Research Projects Agency (DARPA) CRASH program to redesign computers and networks to make them secure. CRASH stands for Clean-slate design of Resilient, Adaptive, Survivable Hosts. The project is called CTSRD (CRASH-worthy Trustworthy Systems R&D).

Dr. Neumann quotes Albert Einstein when talking about computer security, “Everything should be made as simple as possible, but no simpler.”

The NY Times has a great article on Dr. Neumann and his project at http://www.nytimes.com/2012/10/30/science/rethinking-the-computer-at-80.html?pagewanted=all&_r=0 You can read the first paper that Dr. Neumann and Dr. Watson published about CTRSD at http://www.csl.sri.com/users/neumann/law10.pdf