Tuesday, August 18, 2015

On how not to do things right

Recently one of the users of our SecureBlackbox product reported that the SMTP client component can't log in to GMail, failing with a strange message: "Someone just tried to sign in to your Google Account [my email] from an app that doesn't meet modern security standards".

The message itself doesn't make much sense, as it neither explains the problem ("doesn't meet standards" is not an explanation) nor suggests a solution.

A forum search took me to an answer in the Google knowledge base, which doesn't add much to the error message's explanation either. While it offers a partial solution for the owner of the mailbox, it does not explain what exactly happens.

Finally, another forum post led me to what could be an explanation, although it's only a hint. It turns out that Google has implemented OAuth2 in protocols like SMTP and IMAP. And here lies a huge problem.

OAuth2 is a web-based protocol which in many cases involves the web browser and user interaction. This makes fully automated operations nearly impossible and also significantly complicates the implementation of any client. 
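For reference, this is what the SMTP side looks like once a client already holds an OAuth2 access token: it checks the EHLO reply for Google's XOAUTH2 SASL mechanism and sends the token in place of the password. This is an added example, not SecureBlackbox code; the host name, account and token are constructed, and obtaining the token (the browser-based part) is outside the block.

```python
import base64

# Constructed EHLO reply; host name and extension list are illustrative.
SAMPLE_EHLO = [
    "250-smtp.example.test at your service",
    "250-SIZE 35882577",
    "250-8BITMIME",
    "250-AUTH LOGIN PLAIN XOAUTH2",
    "250 SMTPUTF8",
]

def advertised_mechanisms(ehlo_lines):
    """Collect SASL mechanism names from the AUTH line(s) of an EHLO reply."""
    mechs = []
    for line in ehlo_lines:
        words = line[4:].split()          # drop the "250-" / "250 " prefix
        if words and words[0].upper() == "AUTH":
            mechs.extend(w.upper() for w in words[1:])
    return mechs

def plain_response(user, password):
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def xoauth2_response(user, access_token):
    """Google XOAUTH2: user=<addr> ^A auth=Bearer <token> ^A ^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def auth_command(ehlo_lines, user, password=None, access_token=None):
    """Prefer the token-based mechanism; use PLAIN only if a password is given."""
    mechs = advertised_mechanisms(ehlo_lines)
    if access_token is not None and "XOAUTH2" in mechs:
        return "AUTH XOAUTH2 " + xoauth2_response(user, access_token)
    if password is not None and "PLAIN" in mechs:
        return "AUTH PLAIN " + plain_response(user, password)
    raise ValueError(f"no usable mechanism in {mechs}")

def decode(b64):
    """Helper for inspecting what a response carries on the wire."""
    return base64.b64decode(b64)

if __name__ == "__main__":
    print(auth_command(SAMPLE_EHLO, "user@example.test",
                       access_token="TOKEN-PLACEHOLDER"))
```

Both responses are only base64-encoded, not encrypted, so either one needs TLS underneath; the difference is that the XOAUTH2 string carries a revocable bearer token instead of the account password.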

There exist plenty of authentication schemes which prevent password transfer and/or allow third-party servers to be used for authentication. Google seems to have chosen the worst, least appropriate variant instead.

Google is known for non-standard technical and business solutions. And they mostly work for users' and Google's own benefit. But some solutions seem not just untested, but unable to pass any sanity check.

Friday, February 6, 2015

Come as you are

Any authorization (and to some extent authentication) is based on one or more of three elephants (and a turtle): "what you know", "what you have" and "what you are".

All three of these components have been used since prehistoric times. Passwords, keys on the keyring, secret signs or labels on the skin (including tattoos) - these are widely used examples of those three types of authentication.

"What you know" in the digital age is something that is extremely easy to disclose. Passwords are hard to remember and easy to steal. While still being used, they are now complemented by other factors to form multifactor authentication.

The article on CIO has an excellent overview of methods and technologies to authenticate you based on what you are and to some extent on what you have. Not only body parts themselves are expected, but also the way they function. Heartbeat and brain waves seem to be the most advanced authentication sources today.

Yet it remains unclear how the freshness of the data can be ensured. A computer system receives authentication data from the person by digitizing them and comparing them to the stored patterns. Potentially the data can be intercepted while in transit and then replayed later for false authentication.

And even worse, fingerprints and iris pictures can be captured from a distance using powerful cameras and then misused.

The only way I can think of right now is a challenge-response mechanism that measures how the person reacts to certain stimuli, such as a certain light flash pattern (when inspecting the iris) or a math problem that the user has to solve (when capturing brain waves).
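A minimal simulation of such a challenge-response check, added here as an illustration and not taken from the referenced article: the verifier issues a one-time random flash pattern and accepts a capture only if the pupil response tracks that pattern within a time limit. The pupil diameters, threshold, frame count and sensor model are all constructed values.

```python
import random
import secrets

FRAMES = 32          # flash/dark frames per challenge
MIN_MATCH = 30       # frames that must agree with the issued pattern
TTL = 5.0            # seconds a challenge stays valid
THRESHOLD_MM = 4.0   # constructed split between constricted and dilated pupil

class LivenessVerifier:
    def __init__(self):
        self.pending = {}                       # challenge id -> (pattern, issued_at)

    def issue(self, now):
        pattern = [secrets.randbelow(2) for _ in range(FRAMES)]   # 1 = flash
        cid = secrets.token_hex(8)
        self.pending[cid] = (pattern, now)
        return cid, pattern

    def verify(self, cid, diameters, now):
        entry = self.pending.pop(cid, None)     # single use: a second answer fails
        if entry is None:
            return False
        pattern, issued_at = entry
        if now - issued_at > TTL or len(diameters) != FRAMES:
            return False
        # A live pupil constricts on flash frames and dilates on dark ones.
        observed = [1 if d < THRESHOLD_MM else 0 for d in diameters]
        matches = sum(o == p for o, p in zip(observed, pattern))
        return matches >= MIN_MATCH

def simulated_eye(pattern, rng):
    """Constructed sensor model: ~3 mm on flash, ~5 mm in the dark, plus noise."""
    return [(3.0 if f else 5.0) + rng.uniform(-0.3, 0.3) for f in pattern]

def demo():
    rng = random.Random(1)
    v = LivenessVerifier()
    cid1, p1 = v.issue(now=0.0)
    capture = simulated_eye(p1, rng)            # the data an eavesdropper could record
    live = v.verify(cid1, capture, now=1.0)
    reuse = v.verify(cid1, capture, now=2.0)    # same challenge answered twice
    cid2, _ = v.issue(now=10.0)
    replay = v.verify(cid2, capture, now=11.0)  # old capture against a new pattern
    cid3, p3 = v.issue(now=20.0)
    late = v.verify(cid3, simulated_eye(p3, rng), now=30.0)   # answered after TTL
    return live, reuse, replay, late

if __name__ == "__main__":
    print(demo())
```

The recorded capture is accepted once and rejected afterwards, because it is bound to a pattern the verifier will not issue again.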

Saturday, January 10, 2015

Working in public places? Think again.

For decades, remote capture of data (first from people or TV sets talking, then from working computers) has been an effective method of political and business espionage. We have seen methods to capture sounds, CRT emissions, keyboard clicks, etc. Tablets and low-power notebooks leak much less information to the outside world, yet spies don't give up and try to capture even tiny bits of electronic emissions, hoping to grab your passwords or even more valuable information.

Though I am a bit skeptical about real-world use of these attacks, you still need to be careful when working with confidential information in public. It is also important to mention that rubber-hose cryptanalysis remains effective, and if you have logged into your banking account and the attacker knows that you have a fortune in the bank, it makes sense for him to just grab your notebook and run.

Wednesday, April 23, 2014

The Urban Legend of Multipass Hard Disk Overwrite

It is "known" that to securely delete the data from the disk you need to write the data over the deleted blocks several times (different sources say from 3 to 35 times). But is this true?

The Urban Legend of Multipass Hard Disk Overwrite article will tell you what the state of things is as of now (well, as of 2011).

The overall conclusion, I think, is "if you are paranoid, physical destruction of the disks is recommended".

Saturday, April 5, 2014

Internet of Things strikes back

The Internet of Things is another big hype around the corner. Or ... right in your room already, if you have one of those consumer devices which are silently powered by a general-purpose (or widespread proprietary specialized) operating system like Linux or the Cisco OS that powers all their products. The devices include network appliances, smart (and some "dumb") TV sets, and also surveillance cameras and DVRs.

And all those "things" are part of the Internet, either by accident (due to misconfigured and overly open networks) or intentionally.

What happens if a hacker finds a way into one of those things is described in this article. In the article, malware (a bitcoin miner) was silently installed over a Telnet port that was open by default (and not properly blocked on the nearest router/NAT). And the miner is a small evil compared to what can happen if hackers get to a camera recorder, disable recording and then join some robbers to rob the protected house.