Tuesday, December 13, 2011

Pros losing confidence in hard tokens

I was always a proponent of hardware security devices, because they are hard to copy and hard to steal undetected. The human factor, though, seems to play the biggest role in this form of authentication as well, and here's why:

I should note that a hardware token such as an OTP generator is no security by itself. Such devices must be password- or PIN-protected, so that if the device is lost, it becomes useless. PKCS#11 devices (USB cryptotokens and cryptocards) include such protection on board, and probably this is why they are not mentioned in this article. Simple access control devices such as pass cards don't have sufficient protection, though. And this can lead to lowered confidence in all types of devices, including strongly protected ones.

Thursday, October 13, 2011

Possible alternative to CA hierarchy

Convergence. If you haven't heard about it before, don't worry, neither had we. This is a new invention presented at a conference just a couple of months ago. It aims to make MITM (man-in-the-middle) attacks, which are necessary to make use of a fake SSL certificate, useless. How does it do this?

A MITM attack is local, i.e. it usually affects only a limited number of clients. Other clients (in other areas of the world) are not affected. So if our client calls other clients (called notaries here) and asks "do you see what I see?" (i.e. do you get the same certificate from that site?), it either confirms that the certificate is authentic OR it detects the MITM attack. Of course, there are some technical complexities here, but they are just minor details.

Convergence is a good case of proper use of peer-to-peer technologies, which makes complex (and expensive) CAs completely unnecessary.

The only question left is "who will guard the guards?". If a MITM can fake the server's certificate, how do you ensure that the notary's response to your request has not been forged? A MITM attacker will quickly turn to forging the notaries' certificates as well and producing valid-looking responses. So a large number of notaries is required, with the possibility to switch between them on the fly for each new request that needs validating.
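To make the "do you see what I see?" check and the "who guards the guards" concern concrete, here is an added example (not code from the original post or from the Convergence project) of the client-side decision: the client fingerprints the certificate it received, collects replies from several notaries, discards any reply whose authenticity it cannot verify, and only trusts the certificate when a quorum of verified notaries reports the same fingerprint. The notary names, keys and certificates are constructed for the example, and an HMAC over each reply stands in for the signature a real notary would put on its response.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample certificates (byte strings stand in for DER encodings):
# the genuine one served by the site, and one a MITM would present instead.
GENUINE_CERT = b"CN=example.test, serial=0001, pubkey=GENUINE-KEY"
MITM_CERT = b"CN=example.test, serial=9999, pubkey=ATTACKER-KEY"

# Hypothetical notary set. A real notary signs its replies with its own key;
# a per-notary HMAC secret stands in for that signature so the example runs
# with the standard library only.
NOTARY_KEYS = {
    "notary-a": b"constructed-secret-a",
    "notary-b": b"constructed-secret-b",
    "notary-c": b"constructed-secret-c",
}


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, as notaries and clients compare it."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class NotaryReply:
    notary: str
    host: str
    fingerprint: str
    mac: str  # authenticator over (host, fingerprint), stands in for a signature


def _authenticator(key: bytes, host: str, fp: str) -> str:
    return hmac.new(key, f"{host}|{fp}".encode(), "sha256").hexdigest()


def notary_answer(notary: str, host: str, cert_seen_by_notary: bytes) -> NotaryReply:
    """What a notary returns after fetching the site's certificate from its own vantage point."""
    fp = fingerprint(cert_seen_by_notary)
    return NotaryReply(notary, host, fp, _authenticator(NOTARY_KEYS[notary], host, fp))


def reply_is_authentic(reply: NotaryReply) -> bool:
    """Reject replies from unknown notaries or with a tampered/forged authenticator."""
    key = NOTARY_KEYS.get(reply.notary)
    if key is None:
        return False
    expected = _authenticator(key, reply.host, reply.fingerprint)
    return hmac.compare_digest(expected, reply.mac)


def check_certificate(host: str, cert_seen_locally: bytes, replies, quorum: int = 2):
    """Decide whether the locally observed certificate matches what the notaries see.

    Returns (verdict, agreeing, disagreeing) where verdict is one of:
      'ok'             - at least `quorum` verified notaries agree and none disagree
      'mitm-suspected' - a verified notary saw a different certificate
      'insufficient'   - too few verifiable replies to decide either way
    """
    local_fp = fingerprint(cert_seen_locally)
    verified = [r for r in replies if r.host == host and reply_is_authentic(r)]
    if len(verified) < quorum:
        return "insufficient", 0, 0
    agreeing = sum(1 for r in verified if r.fingerprint == local_fp)
    disagreeing = len(verified) - agreeing
    if agreeing >= quorum and disagreeing == 0:
        return "ok", agreeing, disagreeing
    # Either our own connection is intercepted or a notary's is: do not trust silently.
    return "mitm-suspected", agreeing, disagreeing


if __name__ == "__main__":
    host = "example.test"
    honest = [notary_answer(n, host, GENUINE_CERT) for n in NOTARY_KEYS]
    print("no MITM:     ", check_certificate(host, GENUINE_CERT, honest))
    print("local MITM:  ", check_certificate(host, MITM_CERT, honest))
    # An attacker who also intercepts the notary channel injects a reply claiming
    # the MITM certificate is genuine, but cannot produce a valid authenticator.
    forged = NotaryReply("notary-a", host, fingerprint(MITM_CERT), "00" * 32)
    print("forged reply:", check_certificate(host, MITM_CERT, [forged] + honest[1:]))
```

The quorum parameter is what the post's last paragraph asks for: with many independent notaries and a requirement that several of them agree, an attacker has to intercept and forge replies from a whole set of unrelated vantage points rather than just the one path between the client and the site.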

Read more details about Convergence on the Convergence homepage.

Wednesday, August 31, 2011

Javascript Cryptography Considered Harmful

The article discusses why implementing any cryptography in JavaScript gives no security and, what's even worse, gives a feeling of false security.

Hackers acquire Google certificate, could hijack Gmail accounts

The conceptual problem is that PKI rests on trust in the companies that issue certificates (CAs). When there were few CAs and they did their job, everything was fine. As the number of certificates issued increased, CAs started to outsource their work to resellers and to lower their costs by automating certificate issuance. So now this kind of problem will happen again and again.

Read the story and today's official statement (which proves my words -- if the computer issuing the certificates had not been connected to the network, the trouble would not have happened).

Thursday, August 25, 2011

"Apache Killer" tool spotted in the wild

Yipe! While DoS attacks hardly have a 100% working remedy, weakness to some special kind of attack means that another generation of script kiddies will put servers down just for fun.

Friday, August 19, 2011

Trojanized Android app intercepts messages to hide costly subscriptions

Now that is nasty. Note, however, that the user must install the trojan first, and users who don't pay attention to the permissions requested by the application they install probably deserve some lessons.

Tuesday, August 16, 2011

What really breaks SSL?

An article about how SSL is misused (or not used at all).

The point is that SSL itself is secure, and it's people whose mistakes and misunderstandings make SSL-protected resources vulnerable.

Tuesday, June 28, 2011

Why the Sign & Encrypt operation is weaker than you might think

The article discusses the problems that arise from using the Sign & Encrypt operation carelessly or from putting too much trust into data secured this way.

Saturday, June 25, 2011

Is MacOS X really secure?

This technical article discusses in detail the topic of how [in]secure MacOS X is. The article includes a number of references to flaws in the design and implementation of MacOS X and can serve as a good how-to guide for those who plan attacks on MacOS X.

Sunday, May 29, 2011

About TCP protocol flaws

While not about security itself, this topic concerns a closely related question: the performance of internet communication (and performance is closely linked to security).

The article discusses alternatives to TCP and includes a description of the TCP design as part of the discussion. The flaw in the design is caused by the strategy the TCP stack uses when it detects undelivered packets: it reduces the transmission rate dramatically and then increases it back in small steps. This leads to a very uneven delivery rate and, in the end, to ineffective transmission.

"Another issue of current TCP implementations is the fact that the AIMD algorithm constantly pushes network loads into an overflow condition. This occurs because the only feedback that the sender gets from the receiver is about whether or not packets are lost along the way. If packets aren’t lost, then the assumption is that the sending rate can be increased; if packets are lost then the sending rate needs to be decreased. In this situation, senders are constantly ramping up data rates to the point when buffer overflow occurs."
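The sawtooth the quoted paragraph describes is easy to reproduce. The following is an added example, not code from the original post or the article it links to: a minimal model of one AIMD sender over a path that can carry a fixed number of packets per round trip. The sender grows its window by one packet per RTT while nothing is lost and halves it as soon as the offered load exceeds the path's capacity (which is what a packet loss signals to it). The capacity, window sizes and RTT count are constructed for the example.

```python
def simulate_aimd(capacity_pkts, rtts, initial_cwnd=1, additive=1):
    """Model one AIMD sender for `rtts` round trips.

    The path delivers at most `capacity_pkts` per RTT (bottleneck rate plus
    buffer). Each RTT the sender offers `cwnd` packets. If the offered load
    exceeds capacity, the excess is dropped, the sender detects the loss and
    halves cwnd (multiplicative decrease); otherwise cwnd grows by `additive`
    (additive increase). Returns a list of (offered, delivered) per RTT.
    """
    cwnd = initial_cwnd
    trace = []
    for _ in range(rtts):
        offered = cwnd
        delivered = min(offered, capacity_pkts)
        trace.append((offered, delivered))
        if offered > capacity_pkts:
            # The only feedback is loss, and loss only occurs once the buffer
            # has already overflowed, so every cycle ends at capacity + 1.
            cwnd = max(1, offered // 2)
        else:
            cwnd = offered + additive
    return trace


def loss_events(trace, capacity_pkts):
    """Number of RTTs in which the sender pushed the path into overflow."""
    return sum(1 for offered, _ in trace if offered > capacity_pkts)


def utilisation(trace, capacity_pkts):
    """Fraction of the path's capacity actually used over the whole trace."""
    return sum(delivered for _, delivered in trace) / (capacity_pkts * len(trace))


def peak_offered(trace):
    """Largest window the sender ever offered; with AIMD it is capacity + 1."""
    return max(offered for offered, _ in trace)


if __name__ == "__main__":
    capacity, rtts = 10, 30
    trace = simulate_aimd(capacity, rtts)
    for rtt, (offered, delivered) in enumerate(trace):
        marker = " <- loss, window halved" if offered > capacity else ""
        print(f"rtt {rtt:2d}  cwnd {offered:2d}  {'#' * delivered}{marker}")
    print(f"loss events: {loss_events(trace, capacity)}, "
          f"utilisation: {utilisation(trace, capacity):.0%}, "
          f"peak window: {peak_offered(trace)}")
```

Running it shows the two effects the post describes: the window ramps slowly in steps of one, drops by half in a single RTT, and every cycle ends by overflowing the path, so a sizeable share of the capacity goes unused even with a single, perfectly behaved sender and no competing traffic.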

Monday, May 2, 2011

Nikon's signature mechanism broken, vendor ignores the problem

According to this article, the Russian company ElcomSoft (well known for the lawsuit in which Adobe attacked the company for finding weaknesses in Adobe's DRM) managed to extract the private key from DSLR cameras produced by Nikon. This allowed them to create fake pictures and make them look real by digitally signing these pictures.

Nikon supposedly doesn't react to the problem and ignores it. Nikon's ostrich position is bad because, just as with the ostrich, protecting the head leaves the back (and everything below) open to attack.

SFTP Net Drive beta is available

The first public beta version of the free SFTP Net Drive application is available for download and use.

SFTP Net Drive is a free tool that lets you work with a remote SFTP server as if it were a local disk. You can copy files to and from that disk or open them directly (without downloading them first) in any application, modify those files and save them back (again without creating a local copy) to the remote server.

Tuesday, March 8, 2011

Looking for SFTP component for .NET?

EldoS Corporation offers the most feature-rich SFTP component for use in .NET, Mono, Silverlight and .NET CF: SFTPBlackbox (SFTP .NET component). Just the list of offered functions takes several pages of text. Add first-grade support and samples in C# and VB.NET to this and you get an offer that is hard to beat.