Security – Page 27 – A Geek With Guns

Acoustic Cryptanalysis

Can you extract an encryption key by listening to a computer? As it turns out you can:

Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations. In a preliminary presentation, we have shown that different RSA keys induce different sound patterns, but it was not clear how to extract individual key bits. The main problem was that the acoustic side channel has a very low bandwidth (under 20 kHz using common microphones, and a few hundred kHz using ultrasound microphones), many orders of magnitude below the GHz-scale clock rates of the attacked computers.

Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.

Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.

It should be noted that GnuPG has fixed this vulnerability. But the method of attack described in this paper is fascinating to read. It also shows that technology still hasn’t surpassed human creativity.

Understand the Tools You’re Using

When people first become interested in computer security they have a habit of downloading and using tools before they understand how they work. This is a major mistake as a Harvard University student recently learned when he attempted to use Tor to make an anonymous bomb threat:

A Harvard student was charged Tuesday with making a hoax bomb threat just so he could get out of a final exam.

Eldo Kim, 20, of Cambridge, Mass., was scheduled for a hearing Wednesday in U.S. District Court. He could face as long as five years in prison, three years of supervised release and a $250,000 fine if convicted of communicating the bomb threat that cleared four large buildings Monday.

[…]

Kim took several steps to hide his identity, but in the end, it was the WiFi that got him, the FBI said.

Kim said he sent his messages using a temporary, anonymous email account routed through the worldwide anonymizing network Tor, according to the affidavit.

So far, so good. But to get to Tor, he had to go through Harvard’s wireless network — and university technicians were able to detect that it was Kim who was trying to get to Tor, according to the affidavit.

Had Mr. Kim invested 15 minutes of reading time on Tor he would have learned that Tor doesn’t attempt to conceal the fact that you’re using Tor. Anybody monitoring the network you’re using can detect that you have a connection to the Tor network. With that knowledge in hand Mr. Kim would have been able to understand that being one of the few, if not the only, Tor users on the campus Wi-Fi would be a red flag when the campus received a bomb threat sent over Tor. This is especially true when his Tor connection times closely correlate to the time the bomb threat was sent.

So today’s lesson is this: make sure you fully understand the workings of any tools you use to enhance your security. Failing to do so will leave you vulnerable and often no better, and sometimes even worse, then you would have been if you hadn’t used the tool at all.

Enable Two Factor Authentication Where Available

This type of news is why I encourage people to enable two-factor authentication on whatever accounts they have that support it:

The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.

All in all some 318,000 Facebook, 70,000 GMail, and 22,000 Twitter passwords were part of the heist. All three of these sites allow users to enable one time passwords for two-factor authentication. Facebook and GMail both use Google Authenticator, which ties to an application on your phone. The application has a token that generates a new six digit password every 30 seconds. When you log into either of these sites you will be asked to enter the current six digit password before you’re allowed access to your account. What makes such a system useful is that you need access to your phone in order to log in, just having the password alone won’t grant access. Twitter uses it’s own system that ties to the Twitter smartphone app. When you attempt to log into your Twitter account a notification is sent to your phone and you have to authorize the log in from there. Once again it requires your phone in addition to your password to successfully log in.

It’s not always clear when your password has been compromised. Hackers have gained access to use password from website databases before. When such breaches are discovered most websites reset all their users’ passwords. But until the breach is discovered anybody with the list of passwords can log into the accounts that appear in that list, unless those users have enabled two-factor authentication.

Could Nuclear Weapons be the Tool of Peace

If anything demonstrates the cowardice of the average politician it’s nuclear weaponry. Politicians have no quarrel sending other people’s sons and daughters off to die in a foreign land. But the second their lives are threatened they sudden have a strong desire to use diplomacy. Nuclear weapons are the tool that can strike directly at politicians, which is why they’re in such a hurry to prevent more countries from getting them. Once a country becomes a nuclear power it can strike directly at the politicians of foreign nations and that takes the option of invasion off of the table.

Based on this I’m beginning to think that the path to world peace involves nuclear weapons. Imagine if every country was armed to the teeth with nuclear weapons. History has demonstrated that nuclear armed countries don’t suffer foreign invasions. Even the United States and the Soviet Union, two of histories most bitter enemies, refrained from direct military engagement.

The most common rebuttal to this idea is that there are political leaders who want to immanentize the eschaton. This is a common concern expressed by those who believe it is necessary to use whatever means necessary to stop Iran from acquiring a nuclear weapon. I don’t give such rebuttals much concern. Immanetizing the eschaton requires a willingness to sacrifice one’s own life. I have never seen a politician who is willing to sacrifice themselves. They’re always quick to sacrifice others but when their own skin is on the line they topple like a house of card. Until I see a politician willing to sacrifice themselves for political or religious gain I won’t consider any such concerns seriously.

Perhaps we need to encourage more countries to join the nuclear club. It may be the only thing that makes politicians reconsider declaring war.

Decentralized Security

Centralized systems are traditionally fragile. Universal healthcare systems tend to have supply issues that lead to rationing. Highway systems managed by the state tend to be under construction for good portions of the year (at least here in Minnesota) with nothing obvious to show for it. And centralized security systems tend to be easily bypassed. While the world seems doomed to continue down the path to centralization at least some people are noticing the need for decentralization:

In an exclusive interview with ABC News, Noble said there are really only two choices for protecting open societies from attacks like the one on Westgate mall where so-called “soft targets” are hit: either create secure perimeters around the locations or allow civilians to carry their own guns to protect themselves.

“Societies have to think about how they’re going to approach the problem,” Noble said. “One is to say we want an armed citizenry; you can see the reason for that. Another is to say the enclaves are so secure that in order to get into the soft target you’re going to have to pass through extraordinary security.”

Allowing the populace to arm themselves is one of the more effective solutions for decentralizing security. All of the “blood in the streets” and “shootouts at high noon” that were predicted by gun control advocates have never arisen. In fact no area that as loosed its prohibitions against carrying firearms has experienced an increase in violent crime. The logical conclusion is that removing those prohibitions isn’t dangerous for the overall population. It also creates a great deal of uncertainty for violent person because they cannot know for sure who is and isn’t armed.

Bruce Schneier often talks about whether or not plots can be developed around security systems. It’s very difficult for a violent person to build a plot around random bag checks because of their randomness. But it is easy to develop a plot around modern police protection. For starters, police response times aren’t instantaneous. If prohibitions against carrying firearms exist and a violent person’s goal is to kill people he knows that he will have several minutes until the police arrive. Several minutes is a lot of time when we’re talking about mass murder. In addition to having several minutes of free reign a violent person also has a decent idea of the tactics used by the police.

Both of these things go away when prohibitions against carrying firearms are lifted. Since a person with a firearm can be anywhere response times are not guaranteed to be in minutes. Likewise, most people who carry a firearm have no received any standardized training, so the tactics used will be less predictable.

It’s much more difficult to design a plot around an armed population than a centralized armed force. Centralization is one of the key things exploited by practitioners of fourth generation warfare, which is a tactic that relies on decentralized forces to attack centralized forces. The more centralized a system is the more fragile it becomes. In many countries the police have a virtual monopoly on force. Those countries have an extremely fragile security system that can be exploited by decentralized forces. It’s nice to see at least one member of the International Criminal Police Organization (INTERPOL) acknowledge this fact and I hope others will over time.

Check Back Later

There’s nothing to see here at the moment. Well, almost nothing. I’ll leave you with Bruce Schenier’s guide to air gapped computers. As it turns out, maintaining an air gap between networks and a computer isn’t the easiest thing in the world.

Protecting the Monopoly

It’s time, once again, for Christopher Burg explains news articles without all the sugar coating. Today’s news article discusses the new $100 bill released by the Federal Reserve. The bill includes several new security features:

It includes a blue 3D security ribbon and a bell and inkwell logo that authorities say are particularly difficult to replicate.

These combine with traditional security features, such as a portrait watermark and an embedded security thread that glows pink under ultraviolet light.

The 2010 design was delayed because of “unexpected production challenges”.

The 3D security ribbon – which is woven into the note, not printed on it – features images of 100s that change into bells and move upwards or sideways depending on how you tilt the paper.

After discussing these new security features the article goes on to discuss counterfeiting, implying that these news security features are meant to prevent the production of counterfeit $100 bills. That implication is incorrect. What the news security features are meant to do is protect the Federal Reserve’s monopoly on counterfeiting $100 bills. You see, the Federal Reserve prints out money like it’s going out of style. It makes every other counterfeiter on the planet look like amateurs. Adding security features to $100 bills simple keeps the Federal Reserve ahead of the game and ensures that anybody wanting to compete with it faces larger barriers to entry.

Of course, if I was going to counterfeit money, I would simple focus on old bills. Why waste time counterfeiting new bills (other than fun) when you can just counterfeit old money and beat it up to look as old as the printed date implies?

Tor Stands Pretty Secure Against NSA Attack

We all know that the National Security Agency (NSA) hates Tor. Tor stands for everything the NSA is against, such as anonymity and information security. It comes as no surprise to find out that the spy agency has been attacking the Tor network:

The National Security Agency has made repeated attempts to develop attacks against people using Tor, a popular tool designed to protect online anonymity, despite the fact the software is primarily funded and promoted by the US government itself.

It’s pretty funny when one government agency is focused on destroying something originally created by another government agency (Tor was originally funded by the United States Naval Research Laboratory). Fortunately the NSA has met with very little success:

But the documents suggest that the fundamental security of the Tor service remains intact. One top-secret presentation, titled ‘Tor Stinks’, states: “We will never be able to de-anonymize all Tor users all the time.” It continues: “With manual analysis we can de-anonymize a very small fraction of Tor users,” and says the agency has had “no success de-anonymizing a user in response” to a specific request.

Another top-secret presentation calls Tor “the king of high-secure, low-latency internet anonymity”.

There has been a lot of speculation about Tor’s security. Even now people are arguing over whether or not the Tor Stinks presentation is still accurate. It is possible that the NSA has developed a way to successfully remove a Tor user’s anonymity since the presentation was leaked. So far we’ve seen no evidence of this though. The two primary stores involving Tor, the take down of Freedom Hosting and the apparent arrest of Dread Pirate Roberts, were both accomplished using old fashioned investigative work. This leads me to believe the the Tor Stinks presentation is still accurate and that the NSA hasn’t found a reliable way to attack a Tor user’s anonymity.

Once again, we can speculate about the powers of the NSA. The problem is we can’t work off of speculations. I agree with Bruce Schneier who said we should “trust the math.” Unless we have evidence to the contrary we can only assume that Tor works. With that said, it’s never good to rely entirely on a single tool. Tor is great but you should also take other precautions to protect your anonymity online (for example, Tor doesn’t do you a lot of good if somebody has already managed to install a trojan onto your computer).

Fingerprint Folly

It was only a matter of time before somebody found a way to crack the fingerprint reader on the iPhone 5S. Coming in as the first group to publicly announce a bypass is the Chaos Computer Club (CCC), which has a habit of breaking security systems:

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

[…]

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

I’ve never been a fan of biometrics. While it’s true that using features unique to a person can be used to uniquely identify that person it’s also true that, as Frank Reiger of the CCC pointed out, one cannot change their biometrics:

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC.

If you can’t change your authorization token and somebody compromises that token things aren’t going to end well. Fingerprints are especially bad tokens because they can be lifted from many of the surfaces we touch. An authorization token isn’t very secure when you go around telling everybody about it.

With that said, if Apple’s fingerprint reader is convenient enough that people actually use it it will have served its purpose. While an unchangeable security token that you leave everywhere you touch isn’t great it’s better than no authorization control whatsoever.

The iPhone 5S Fingerprint Reader

Yesterday Apple announced their new iPhones. The iPhone 5c was, in my opinion, wasn’t at all newsworthy. Apple’s new flagship phone, the iPhone 5s, wouldn’t be newsworthy except for its fingerprint reader:

Apple’s brand-new iPhone 5s isn’t dramatically different from last year’s model, but it has at least one major addition: a “Touch ID” sensor. Us human beings are calling it a fingerprint sensor, and it’s built into the phone’s main Home button below the screen. Apple’s Phil Schiller says, “It reads your fingerprint at an entirely new level” — it’s 170 microns in thickness with 500 ppi resolution. According to Cupertino, it “scans sub-epidermal skin layers,” and can read 360 degrees. As expected, the sensor is actually part of the Home button, making it less of a button and more of a…well, sensor. Using Touch ID, users can authorize purchases in iTunes, the App Store, or in iBooks by simply using their thumbprint (starting in iOS 7, of course). Pretty neat / scary!

Honestly, I have mixed feelings about this. It’s certainly a neat piece of technology and I don’t want to decry Apple for trying something new in the smartphone field. Today you can lock your phone with a four-digit passcode or a full password. If I were betting money I would bet that a majority of users use neither option. Of the people who put a passcode on their phone a vast majority likely opt for the four-digit option. Phones are devices that are accessed frequently. Having to enter a long password every time you want to check your Twitter feed get annoying quickly. Therefore few people are willing to use a complex password to security their phones. That leaves most people not enabling any security and those who enable security most likely opt for a relatively insecure four-digit passcode.

Apple has been fairly good about including security features that are relatively easily to use and this fingerprint reader looks to be another one. Time will tell if the sensor is easily fooled by other fingerprints but if it convinces more people to put some kind of security on their phone I’m happy. If the technology is properly implemented it could easily be more secure than the four-digit passcode (admittedly not a high barrier to climb over).

Then there’s the other side of the coin. My first thought after seeing the announcement of a fingerprint reader was that the police are going to love it. As it currently stands, a police officer wanting immediate access to your phone must obtain a search warrant and gain your cooperation, have a mechanism of exploiting a security hole in the phone on site, or bring force into things either as a threat or as physical harm. With the inclusion of a fingerprint reader a police officer need only force your finger onto the sensor to unlock it. That seems to be far less hassle than the other three mentioned options.

In light of Edward Snowden’s leaks there is also the concern that your fingerprint will be send off to the National Security Agency (NSA). While Apple promised that your fingerprint data will only be stored locally there is no way to verify that fact. Furthermore, if Apple was compelled with a national security letter to include a mechanism to allow the NSA to obtain fingerprint data they wouldn’t be legally allowed to tell us. That thought should scare everybody.

Finally, on a more practical side, biometrics have a fatal flaw: the technology is based on sensor data obtained from your body as a point in time. What happens if you cut your finger? Will the sensor detect your altered fingerprint as somebody else? What happens if your finger is cut off? Our bodies can change over time and those changes are often difficult, if not impossible, for biometric technology to detect.

As with most security technology there are ups and downs to this fingerprint reader. If it convinces more people to enable security on their phones then I will be content. However, one must realize that there are real downsides to using your fingerprint as a security token.