Are you confused by the FBI vs Apple dispute regarding Syed Farook’s iPhone? I am.
In an excellent article published today, Cnet neatly summarized the delicate position in which Apple finds itself, following the issuance of a court order that compels Apple to help authorities unlock the iPhone 5c that was used by Islamic terrorist and mass murderer Syed Farook.
The nugget that surprises me is that the FBI appears to be preparing a brute force attack on this iPhone’s 256-bit AES encryption. This is a daunting task. To brute-force attack encrypted data that’s encrypted with AES-256, you need to try each of 2256 or 116,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000, 000,000,000,000,000,000 possibilities. That’s more than the number of atoms in the universe.
If Farook chose a strong passphrase, it could require thousands of years for most computers to decrypt his data. It appears that the FBI has serious horsepower to throw at this task.
Our company recently discovered a cyberattack that comprised [sic] a small number of employee log in credentials, allowing unauthorized access to eBay’s corporate network. As a result, a database containing encrypted password and other non-financial data was compromised. There is no evidence of the compromise affecting accounts for Paypal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats. The company is asking all eBay users to change their passwords.
The attack resulted in unauthorized access to a database of eBay users that included:
Date of birth
I changed my eBay password today. When I read through my keepass database.kdb file, I was chagrined to find that I’d used the same password for my accounts on several other sites. I changed them all. You should do the same if you have an eBay account. Here’s why, according to eBay:
I use the same password for multiple accounts. Do I now need to change all of them?
If you used the same password for eBay and any other site, we encourage our customers to change their passwords for those sites too. As a matter of good practice, the same password should never be used across multiple sites or accounts.
The national press this week has been vocal about PRISM, the federal program that collects user data from nine major Internet companies: Apple, AOL, Facebook, Google, Microsoft, Yahoo, Skype, YouTube and PalTalk. To quote Casablanca’s Captain Renault, I’m shocked — shocked — to find that snooping is going on in here!
My guess is that all major American ISPs have a room 641A, where all traffic is inhaled by NSA analyzers. You may safely assume that NSA, despite law that restricts them to foreign surveillance only, is monitoring all of your Internet actvity.
I’m not so concerned about Facebook et al. It’s the sniffing of ISP (Internet Service Provider) traffic that concerns me. We should remember Ben Franklin’s admonition:
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.
Within the last year or so, Microsoft Windows has become pretty secure. (I didn’t think that I’d ever use the words “Windows” and “secure” in the same sentence.) Microsoft has been relentless in fixing Windows’ vulnerabilities and distributing those fixes through Windows Update. Now the malware creators have turned to Adobe Reader, Flash, and Java to spread their infections, so it’s doubly important that you keep these three programs up to date so that they block the latest exploits. Rust, and the malware scourge, never sleeps.
Yesterday Twitter and Microsoft added multifactor authentication, which is a good thing for the security of users. Microsoft has used the Internet Engineering Task Force (IETF)’s RFC-6238 time-based one-time password algorithm, which is also a good thing. I’m not sure what method Twitter chose.
Two-factor authentication, in addition to requiring a traditional static password, requires a time-sensitive password to authenticate a user. This may be delivered via a cellphone. With RFC-6238, new time-sensitive passwords are created every 30 seconds.
The beauty of RFC-6238 is that it’s a standard that’s well-documented and tested. Google already uses RFC-6238, so you can use Google Authenticator for Android to log into your Microsoft Accounts, and vice versa. Because they also use RFC-6238, you can use Google Authenticator to log into Dropbox, Facebook, Bitcoin, WordPress, et al.
Let’s hope that more websites that store our data hop aboard the RFC-6238 multifactor authentication train.
A US District Court judge has dismissed a suit that claimed that the plaintiffs were damaged by LinkedIn’s lack of diligence in safeguarding LinkedIn subscribers’ usernames and passwords. The case was brought by Katie Szpyrka and Khalilah Wright, after about 6.5 million usernames and passwords were downloaded from LinkedIn by a Russian hacker last June. (I wrote about two LinkedIn problems in LinkedIn users’ data LeakedOut. and again when 88 percent of the passwords were cracked within five days: No password news is good password news.)
Judge Edward Davila dismissed the lawsuit because
Plaintiffs hadn’t read LinkedIn’s Terms Of Service (TOS), so couldn’t claim that LinkedIn had breached their TOS, which includes
…we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information.
Plaintiffs could not show consequent damage.
That clause within LinkedIn’s TOS sounds broad. “If you upload it to our site, don’t expect us to safeguard it.” Broad, I tells ya.
I’ve never been comfortable with Universal Plug and Play (UPnP). It was dreamed up by Microsoft in an attempt to make networking easier for end-users and first appeared in Windows Millenium Edition (“Win ME”). I didn’t trust it then, and I still don’t trust it. The name “Universal Plug and Play” leverages Microsoft’s successful implementation of MS-Windows’ (benign) “Plug and Play” service, which first appeared in Windows 95. The UPnP name continued Microsoft’s tradition of confusing terminology and poor corporate communications in general.
UPnP has always skated on thin ice. For one thing, it contains no provision for authentication. It assumes that all UPnP objects reside behind a firewall and that no UPnP packets can traverse any public-facing router. These are naïve assumptions. I always disable UPnP, or at least I think that I disable it. (Some routers expose UPnP to the Internet no matter what the router’s admin instructs it to do!)
Recently researchers, over a five month period, port scanned the entire IPv4 Internet multiple times, recording the IP address of each network device with exposed UPnP. They found 81 million vulnerable devices. Read the results:
Are you vulnerable?
Check your Internet-connected local area network’s devices for exposure of UPnP capability to the outside world by using Steve Gibson’s ShieldsUP!.
UPnP bugs history
Apparently Intel, many years ago, published reference code in a library that demonstrated UPnP implementation. Most router manufacturers incorporated Intel’s UPnP library into their routers’ firmware. Intel’s UPnP library apparently contains bugs that can expose UPnP capability to the router’s WAN (Wide Area Network) port(!).
Cracking of passwords has moved from an esoteric exercise for geeks to something that any kid can do.
Three developments in cracking passwords for fun and profit:
Hash Cat, a new open-source GPU-based cracking program has become available for free download at HashCat.net. It’s available in both Windows and Linux versions and can run 16 graphics processing units in parallel.
Do you recall last June’s theft of 6.5 million password / email pairs from LinkedIn? Those passwords weren’t in plaintext — they had been hashed by Linkedin using the (now discredited) SHA-1 hashing algorithm, so were presumably still pretty secure. Hash Cat was let loose on the purloined Linkedin hashed passwords by Jeremi Gosney. Using a homebrew PC with multiple GPUs, he was able to crack 20 percent of the 6.5 million hashed passwords within thirty seconds. He used a dictionary attack with a 500 million word dictionary. His machine makes 15.5 billion guesses per second. Two hours later, he had cracked an additional 33 percent of the passwords. After one day, he had cracked 64 percent of the passwords. After five days, he had cracked 88 percent of the passwords.
Jeremi benchmarked Hash Cat on his $12,000 machine containing eight AMD Radeon HD7970 GPU cards. He ran a brute force attack on an 8-character password, trying all 96 characters for each character, in twelve hours. Add one more character, and it will require 96 times as much time to crack, or 1,152 hours. Add another character (making a ten-character long password) and it will require 110,592 hours to crack by brute-force.
And the conclusion is?
Use completely random passwords whose characters are drawn from the a-z, A-Z, 0-9 and punctuation mark character set (which contains 96 characters).
Use passwords that are at least ten characters long.
The best way to create and manage strong passwords is with a password management program. I like Keepass.
Graphics Processor Unit: restricted instruction set single-chip processor that’s dedicated to graphics functions. GPUs may be used for other dedicated tasks, such as decryption.
Drew Houston, Dropbox founder & CEO Financial Times photos, Cropped:Puramyun31
Make it much harder for a thief to open your Dropbox.
I’m a big fan of Dropbox. I use it every day. It seems like magic when I update a file on my PC and retrieve it later on my smartphone. It’s been criticized for lax security, but I find that as long as I use its web interface to maintain my set of synchronized hosts and open Dropbox web sessions, it works fine.
The sad story of what happened to Mat Honan has been big news for the past ten days or so. All of his devices and data were interconnected via Apple’s iCloud, and they all got wiped clean within minutes. Here’s his story, in his own words. Excerpts:
Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification . . .
It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
GET OFF OF MY CLOUD
(M. Jagger/K. Richards)
Hey! You! Get off of my cloud
Hey! You! Get off of my cloud
Hey! You! Get off of my cloud
Don’t hang around, baby, two’s a crowd
No technical skill was requs guy’s e-life. The hacker(s) just needed patience, knowledge of customer service procedures at each provider, a method, a couple lucky guesses, and convincing telephone presence. We worry about the security of 128-bit encryption, or the virtues of SHA-2 (secure hash algorithm) versus SHA-1, when the most vulnerable part of any system is the humans who use it.
The fact that the authentication value of a credit card’s last four digits is zero at Amazon and significant at Apple is worrying. Apple claimed that a service rep didn’t follow its password reset procedure. In fact, the procedure WAS followed; it was just a flawed procedure. Apple has reportedly changed their customer service procedure for authenticating an account owner over the phone.
A few days ago, while discussing the theft of 450,000 passwords from Yahoo!, I used the phrase “one-way algorithm”. Apparently the existence of such a thing is still unproven. So how do you describe a function that’s easy to perform in one direction, and difficult (VERY difficult, but theoretically possible) in the other direction?
Take the multiplication of two large prime numbers, each of 10 digits. Multiply them together – that’s easy. Now forget the first two numbers and try to factor their product — that’s difficult!
Computer science calls these functions “hash algorithms”. I guess that I’ll stick with that phrase, even though “one-way algorithm” is self-descriptive, if not 100% accurate. Language is fascinating.
Users can learn from this breach, and Yahoo! can, as well.
Last week, a group of allegedly benign attackers downloaded about 450,000 Yahoo! users’ passwords. (To see if your Yahoo! password was compromised, go to labs.sucuri.net.) This worries me: did Yahoo! store unencrypted passwords on its servers, and they were simply downloaded intact? I sure hope not! Or were the 450,000 password hash keys downloaded, attacked with cracking programs, and the passwords were recovered from the password hash keys?
How sites should handle passwords:
diagram showing how a hashed password is used by companies to secure user details
Trustworthy sites will, when you create a password, submit your password to a one-way algorithm to create a “password hash key”, and then discard your password. The site stores this password hash key — not your password. When you next attempt to login to your account, the password that you type on your keyboard is submitted to the one-way algorithm to create a password hash key, and that is compared to your account’s stored password hash key. The beauty of this system is that even if someone steals your password hash key, they still don’t have your password. To recover it from your password hash key, they’ll try three methods:
The most popular way to obtain the original password from a password hash key is the dictionary attack: common words are tried until the password hash keys match. (This is why you shouldn’t use common words for your password. If you have, it will be discovered within seconds.)
Next, the crackers will try an attack that exploits known weaknesses in older hashing algorithms. This succeeds only if the site has used a weak hashing algorithm.
If the first two attacks fail, the cracker next tries a brute force attack. This just tries every character in every position, sequentially, until the password hash keys match. If your password is 3 characters in length, this won’t take long. Each time you increase your password length by just one character, you exponentially increase the time required by the cracker.
After stealing the 450,000 password hash keys, did the crackers then crack all of the password hash keys? Or <shudder> did Yahoo! store the unencrypted passwords on its servers? I find that hard to believe. Maybe Yahoo!’s password hashing algorithm was weak. I don’t know. In any case, this breach isn’t good for Yahoo!’s public relations.
Of the 450,000 compromised passwords, the most popular were:
Don’t use these easily guessed passwords! They’re like leaving your house key under the door mat. And use a different password on each site. That way, if your email password is compromised, it can’t be used to login to your bank account. To manage all of my passwords, I use Keepass. Roboform and LastPass also have plenty of fans.
Update, 21 July: My worst fears confirmed
Apparently all of these passwords remained in clear text and were stored in a Yahoo! SQL database. This is a real no-no. No wonder Yahoo! has replaced its CEO.
I guess that all 450,000 passwords were associated with a Yahoo! voice service. A well-known SQL injection attack “liberated” them.
Remote support is great, when you initiate it and the support person is
not a crook.
You may have received a phone call from an earnest-sounding “representative of Microsoft” who offered a free security scan and then warned you that your computer was at risk. The friendly voice at the other end offers to save your data for a nominal fee . . .
A new client of mine reported that he fell for this scam six months ago. Another told me that she almost did, before she called me. Microsoft reports that the average loss is $875. The exact ploy varies, but there is a common theme: deception; what hackers call “human engineering”.
Don’t accept unsolicited technical support. (If you’re in doubt, call me at 954 873-4695.)
Another reason why I’m glad I don’t have a Facebook account.
Months ago, Facebook acquired Glancee, a small company that had developed a smartphone app that used smartphones’ GPS information to locate people. Facebook renamed it Friendshake, while they tested it within their Facebook mobile apps. In June they renamed it “Find Friends Nearby” (FFN) and quietly rolled it out.
The FFN app was quickly dubbed “the stalker’s app” and within 10 days of release, Facebook withdrew it. You can see if it works or not by going to www.fb.com/ffn.
I’m surprised that Facebook and other social networks can change their games’ rules, as the games are being played. What sort of Terms Of Service (TOS) have Facebook users signed? Apparently it’s a carte blanche.
We’re used to Facebook’s violations of users’ privacy. LinkedIn has joined the fun.
Yesterday, I became aware of two LinkedIn privacy concerns:
Users of LinkedIn’s 6-month old LinkedIn app for iPhone and iPad have been, without their knowledge, uploading their entire calendars to LinkedIn’s servers.
A Russian hacker announced that he had downloaded usernames and passwords for 6.5 million LinkedIn accounts. To prove it, he published the passwords on the web.
LinkedIn presents itself as a site where professionals meet, unlike the unwashed slobs on Facebook. Its business model is similar to Facebook’s: collect every byte of information about its users and sell that data to advertisers. I wonder if LinkedIn’s professional users will be as unconcerned by LinkedIn’s lack of diligence as Facebook’s naïve users seem to be?