Monday, July 30, 2012

Black Hat Society

In today’s enlightened computer culture, most know that passwords need to be secret and not something someone can easily guess, like the word “password” spelled with a zero instead of the letter ‘o.’ That’s good. But what about your router? Oh, didn’t even know you had a router, eh? That little box that makes the wireless in your house work, or supplies the internet via Ethernet cable ... yeah, that little box.

Did you know it has a password? Is it “secret”? Or is the userid “admin” and the password “password”? Oh, what does that matter?

From a recent article in IEEE Spectrum Magazine.

Researchers at AppSec Consulting Inc., in San Jose, Calif., reported new vulnerabilities at the annual Black Hat computer security conference, which took place from 21–26 July in Las Vegas. To be sure, compromises to routers, switches, printers, and other frequently networked hardware have been discussed at Black Hat as far back as 2006.

But the associated attacks were hard to pull off back then, so the problem was never addressed. This year, though, the AppSec team demonstrated their exploit using a popular type of Linksys router. As reported by Information Week, after getting a computer user to go to a malicious website, the site pushed a JavaScript app instructing the Web browser to relay information about all locally-connected devices—including the router. A brute force attack—or in too many cases, an educated guess—can easily yield the router's login information and thus access privileges that let the attacker install malicious firmware.

"We're replacing an operating system on a network device and taking complete control of it," AppSec presenter Phil Purviance, an information security specialist, told Information Week. The exploit, which could easily go undetected,

“could be used to install custom firmware, allowing an attacker to surreptitiously monitor everything that passed through the device, for example by instructing the router to send all data to an attacker-controlled website.”

The Black Hat conferences annually supply a rich vein of revelations about just how vulnerable computers and related devices are to the machinations of people intent on doing dastardly things. Fortunately, despite the suggestive name, the presenters conduct their hacks with the aim of revealing vulnerabilities before they can be exploited for nefarious purposes.

Another of this year's hacks looked at the new cellphones that allow users to share photos and other data by tapping the devices together. They're cool and convenient, but the near-field communication that allows this swapping of data — including credit card information for making online payments — may leave handsets open to outside attacks. In a session called “Don’t Stand So Close to Me: An Analysis of the NFC Attack Surface,” researchers from Accuvant Labs reported that there are technologies capable of letting someone access another person’s phone to view stored images, videos, and documents, open Web pages in the phone’s browser, or turn the handset into a zombie that allows them to send text messages and make phone calls using the victim’s calling and data plan.

And a researcher at Universidad Autonoma de Madrid delivered a talk debunking the notion that the binary code used in biometrics databases to represent scanned iris images does not contain enough information to allow the original iris image to be reconstructed. Javier Galbally, whose research focus is on synthetic generation of biometric traits, came up with a probabilistic approach to reconstituting the images from binary templates. Subsequent experiments showed that although they wouldn’t fool a human biometrics expert, the reconstructed images may be good enough to fake out an iris recognition system.

Now, I hope I haven’t ruined your day. Go back to your regular Facebook viewing, photo sharing, and bank account logon day, and don’t worry about security. After all, what could go wrong ... go wrong ... go wrong ...

Security starts with good passwords ... on all your devices. Don’t use the same password for any of your really serious connections like the bank, credit union, broker, or Facebook :-) And for those who have already posted the name of their first elementary school, where they were born, mother’s maiden name, name of their first pet, or anything else that is easy to find in this internet age, think how easy it would be for someone to have your password reset by just knowing the answers to these “security” questions.

My recommendation ... make up bogus answers for these security questions. And don’t log onto your bank account while on public wi-fi at Starbucks. That guy in the corner that looks so serious, he’s monitoring your internet connection via wi-fi.

Public wi-fi, Bluetooth, router security, near field radio. Ain't modern science wonderful? Now, go have a nice day.

1 comment:

  1. What comprises a secure password? Answer: one that is very, very, (very, very) hard to guess.

    In mathematics, the number of unique combinations of symbols where the order matters is called permutations. It is easy to calculate the number of permutations based on the number of different symbols or characters used and the length of the string or word.

    For example, if you only use the 26 lower case letters of the alphabet to create a six character password, there are n to the r possible passwords where n = number of characters and r = length of word:

    Number of possible passwords = n^r = 26^6 = 308,915,776

    If we make the password 8 characters:

    Number of possible passwords = n^r = 26^8 = 208,827,064,576

    That is quite a few more. Programs that try to break or guess passwords are called “brute force” algorithms. Using a computer, you can generate quite a few attempts to break in. Some systems limit the number of bad attempts to a small number and then lock the system. Others limit the speed at which a failed password can be reentered. Both are effective methods to block guessing.

    It is often recommended to use upper and lower case letters in your password. There are a total of 52 letters with upper and lower case:

    Number of possible passwords = n^r = 52^8 = 53,459,728,531,456

    Now imagine using every single symbol on the keyboard including numerals and punctuation symbols. There are about 94 characters on the computer keyboard:

    Number of possible passwords = n^r = 94^8 = 6,095,689,385,410,816. That's over six trillion combinations.

    One final thought. Don’t use common words. Although there are 208,827,064,576 permutations of eight letter passwords, there are only about 50,000 eight character words in the dictionary (common words).

    If you must use words to make the password easy to remember, add additional characters (and don’t just substitute 0 for O or 1 for l). Be smart: “gud9nite” is harder to guess than “goodnite.”

    My favorite passwords are ones that really deny any guessing like “rp159gtu.” Won’t find that in the dictionary.

    (And your password can be longer than 8 characters too.)
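The n^r arithmetic in the comment above, carried a step further, as an added example that is not part of the post or the comment. It computes the same keyspaces, expresses them in bits, compares them with the roughly 50,000-word dictionary the commenter mentions, and then shows the effect of the two defences the comment names (lockout and slowing down failed attempts) by totalling the delay an exponential back-off imposes on a full search. The guess rate of one billion attempts per second and the back-off parameters (one second doubling per failure, capped at five minutes) are constructed assumptions for illustration, not figures from the page.

```python
import math
import string

# Alphabet sizes used in the comment: 26 lower-case letters, 52 with upper case,
# and "about 94" keyboard symbols, which is exactly 26 + 26 + 10 digits + 32
# ASCII punctuation characters.
LOWER_ONLY = len(string.ascii_lowercase)                                         # 26
UPPER_AND_LOWER = len(string.ascii_letters)                                      # 52
FULL_KEYBOARD = len(string.ascii_letters) + len(string.digits) + len(string.punctuation)  # 94


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords, n^r in the comment's notation."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity as bits of guessing work: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def dictionary_entropy_bits(word_count: int) -> float:
    """Bits of guessing work when the password is one of word_count common words,
    e.g. the roughly 50,000 eight-letter words the comment mentions."""
    return math.log2(word_count)


def alphabet_size_of(password: str) -> int:
    """Size of the smallest keyboard alphabet covering every character in the
    password. A guesser who knows which character classes are present searches
    no more than this, so it is the honest n for an n^r estimate."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock time to try every password at an unthrottled guess rate."""
    return space / guesses_per_second


def throttled_seconds(guesses: int, base_delay: float = 1.0, cap: float = 300.0) -> float:
    """Total delay imposed on the same number of guesses when every failed
    attempt is answered with an exponentially growing wait (base_delay, doubled
    per failure, capped at cap). The doubling phase is only a handful of
    attempts, so it is summed directly; the rest are charged the cap."""
    total = 0.0
    delay = base_delay
    remaining = guesses
    while remaining > 0 and delay < cap:
        total += delay
        delay *= 2
        remaining -= 1
    return total + remaining * cap


if __name__ == "__main__":
    RATE = 1_000_000_000  # constructed: an unthrottled attacker guessing 1e9/s
    for n, r in ((LOWER_ONLY, 6), (LOWER_ONLY, 8), (UPPER_AND_LOWER, 8), (FULL_KEYBOARD, 8)):
        space = keyspace(n, r)
        print(f"{n:>3}^{r} = {space:>22,}  {entropy_bits(n, r):5.1f} bits  "
              f"unthrottled search {seconds_to_exhaust(space, RATE):>12.1f} s")
    print(f"dictionary of 50,000 words: {dictionary_entropy_bits(50_000):.1f} bits")
    for pw in ("goodnite", "gud9nite", "rp159gtu"):
        n = alphabet_size_of(pw)
        print(f"{pw!r}: alphabet {n}, keyspace {keyspace(n, len(pw)):,}")
    # Throttling turns the sub-second 26^6 search into thousands of years.
    years = throttled_seconds(keyspace(LOWER_ONLY, 6)) / 3.15e7
    print(f"26^6 guesses against exponential back-off: about {years:,.0f} years")
```

The point the numbers make is the comment's own: the alphabet and length set the ceiling, but a password drawn from a 50,000-word list carries under 16 bits of guessing work no matter how the keyspace is counted, and on the defending side a modest per-failure delay makes even the smallest keyspace impractical to search online. Offline guessing against a stolen password database is not slowed by such throttling, which is why the length and alphabet still matter.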