simple security

CircleID reports on how project Honeynet has revealed how phishers build and use their infrastructure to carry out phishing attacks. Here is the paper: Know your enemy that details the complete study.

Here is one of my earlier entries describing what Phishing is.

While standing at the checkout lane this afternoon, I noticed that the cashier refused to accept the credit card from the guy who was standing ahead of me. He had not signed the back of his credit card yet. Instead he has written "See I.D." on the little white stripey thingy on the back of the card. The intention being, I presume, that the cashier/checkout guy would ask for an ID and as the ID contains both the photo and signature it makes the whole process more secure. Right? Wrong.

He asked the cashier why she was refusing to take the card. He said that the ID (drivers licence in this case) contained the signature also and the cashier could verify his signature on the receipt with the one on the drivers licence. She said that if the card is signed and if that guy refutes the transaction then it Visa/Mastercard/ or whoever issued the card has to pay-up. But if the card is not signed and if she relies on the ID then the liability shifts onto the them.

Look guys, I am no lawyer... but is this true? I know people who write "See ID" on the back of their cards and get away with it (atleast so far). Did she BS him or is that a factual thing?

Check out a two part article on Tom's networking that gives a detailed how-to on breaking WEP keys - Part-I and Part-II. These articles dont just talk fluff, they lead you through the steps needed to break the WEP keys. It took them less then 5 minutes to break a 64 bit WEP key which includes the time to scan using airodump and cracking with aircrack and simulating traffic.

At an ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. So even the 128 bit key is not safe enough.

Here is what The Feds suggested to protect your WiFi network:

• Network segregation: Seperate your WiFi network from your internal network and put a firewall in between.
• Change default settings of your Access Point: Seems like a no brainer that you should change your default password and default SSID to some more secure.
• Turn off the Wifi network when not in use: Use a timer to turn off the Wifi network when you are not using it (eg. sleeping hours).
• Firmware updates: Keep updating you firmware on the AP, as vendors might release patches for existing vulnerabilities.
  

You should use either WPA (WiFi Protected Access) or WPA-2 (with a strong password) or turning off wireless altogether until you can.

In a typical J2EE application there are various ways of of storing session state which include client-side cookies, the HttpSession object, database, an EJB, or even the POJO. Another place you can store the application state, in an encrypted form, is in the HTML page itself. Interesting read. Check it out here and here.

According to the article these are the pros and the cons of storing the state in the HTML itself:

Storing state on the client has the following benefits:

* Scalability - A single server can support more clients. An increase in clients does not require more memory or database resources on the server.
* Back Button is not a Problem - All state is saved in the page making the back button no longer an issue. What you see in the HTML page is the Java object used to generate that page.
* Session Time-Outs not an Issue - HttpSession time outs are not a problem.

Saving state on the client does not come for free. Here are some of the drawbacks:

* Computing Resources - There is a CPU cost associated with encoding/decoding and encrypting/decrypting of state for each interaction.
* Bandwidth - Since all the state related to a page is sent back to the server on each request there will be more data sent.
* Navigation must be from a form - The state is kept as HTML form hidden variables requiring page to page navigation to be from a form though links could use JavaScript to performs a form submits.
* Browser Crashes - If the browser that contains the state crashes the state is lost.

So laptops get stolen all the time. Some are stolen from cars, some from apartments/homes etc. With the laptop storage increasing, we tend to store all kinds of stuff on it. If the laptop is gone so is all the data that resides on it. Why isnt the data on a laptop stored in an encrypted state, so that even if the laptop is stolen, the thief, or who ever bought it from the thief, has no way to retrieve the data? Yes, you have to enter you login/password when the laptop boots up but that can be bypassed with some booting up tricks (this is used by specialists who retrieve data from crashed hard-disks).

Encryption on laptops should be done by the O/S itself. Although the Windows O/S gives you an option to encrypt files and folders, it doesnt let you encrypt the entire hard disk. I am not sure about the other operating systems like Linux/Solaris. Let me know if they provide encryption capabilities across the board for all the data on your hard-drive on a laptop or even on the desktop.

Update: On my flight to San Francisco, I came across an article in the in-flight magazine which said "4425 number of laptops left in the cabs of one taxi in chicago in 6 consecutive months in 2004 - according to a survey of taxi drivers by security firm Pointsec. 21460 handheld computers and 85619 mobile phones get left behind." As we store more and more data on our mobile devices we need a way protect it even more.

Lets say you need to order a server side SSL certificate from Verisign or Thwate or some other Certification Authority (CA). Here is how you can use Java's in-built keytool to create a CSR, request a certificate and then import it in the keystore database.:

Create your key. Always use the full state name, no abbreviations. CN (Common name) should be domain of your site. This will also create a keystore if it doesnt already exist.
keytool -v -genkey -keyalg RSA -keystore keystore -dname "cn=www.mysite.com, ou=None, L=Redmond, ST=Washington, o=MyCompany, c=US"

Now generate the Certificate Signing Request known as a CSR. This process should create a file called "www.mysite.com.csr" in your current directory.
keytool -certreq -sigalg MD5withRSA -file www.mysite.com.csr -keystore keystore -storepass password

Go to Verisign's (or any CA's) site and submit the CSR file. There are two kinds of certificates that you can order. Either the 40-bit or the 128-bit. If you anticipate people outside of the US coming to your site (and using SSL, obviously) then you should go for a 40-bit certificate. If this is needed for a machine-to-machine or for a US only site, then you can go for a 128-bit certificate. 128-bit encryption offers 2⁸⁸ times as many possible combinations as 40-bit encryption. That is over a trillion times a trillion times stronger. But not all the browsers world-wide have the capability to decrypt 128 bit encrypted stuff (because of US export regulations) and so you might have to settle with the 40-bit certificate.

Once Verisign is done with their verification process they will sign and issue you a certificate. They might email it to you. Some CA's like Thwate provide the facility of login/password and ask you to download the certificate.

Once you save the certificate file locally lets say as "www.mysite.com.cert", you will need to import it into your keystore.
keytool -import -keystore keystore -keyalg RSA -import -trustcacerts -file www.mysite.com.cert

A server side certificate contains the name of the site/domain it is intended for and cannot be shared across domains. It is valid only for a particular domain, unlike client side SSL certificates which can be shared.

You can follow this link on keytool, if you need more information about using it.

Per my previous rant about how yucky passwords are, here is something that shows how to have a unique password for every site/service that you have signed up for without remembering it like Shakuntala Devi or writing it down on a post-it under your keyboard.

The concept is simple, but brilliant and effective. You create a personal master password. I recommend creating it with all the standard tricks ~ alphanumeric, minimum length 10 chars and includes a special character or two. This password is then mashed up with the name of the site that you are visiting to create a unique MD5 hash that can be used as a password for that site. Now each time the hashed up key would be different, giving you the ability to create a unique password for each site without having to remember it.

A password generator Greasemonkey script simplifies life even further. Greasemonkey is a Firefox extension which lets you to add bits of DHTML ("user scripts") to any web page to change its behavior. Check out Jon Udell's 2.75 minute screencast demonstrating how easy it is to use this concept. You just have to remember a single personal master password giving you a kind of Single Sign-on effect.

This solution works best in Firefox with Greasemonkey installed, though it is not needed (check Nic's website below). It even works with IE and Safari.

Resources:
Nick Wolff's Password generator
Johannes la Poutré's Password composer
Jon Udell's entry talking about the single sign-on solution

While waiting at the DMV for my wife's written test to complete, I picked up one of the leaflets they had put in there along with a bunch of other stuff. The leaflet was about how to avoid Identity theft and what to do incase you became a victim of identity theft. Here is what it stated:

How to avoid becoming an Identity Theft victim:

• Do not give your Social Security number, mother's maiden name, or account numbers to strangers who contact you by phone, Internet, or mail.
• Guard your mail from theft.
• Pay attention to the time of the month your bills arrive (and call up the service you are subscribed to, if the bill doesnt come on time).
• Put passwords on all your accounts with creditors.
• Dont carry your Social Security Card (I carry a photocopy in my wallet).
• Dont carry credit cards or ID cards that you dont need.
• Cut or shred credit cards or ID cards you dont need.
• Cut or shred unwanted documents.
• Order a copy of your credit report at least once a year. (check this out to get your free credit report).

What to do if you become a victim of Identity theft:

• Keep a log of every transaction and action.
• Report identity theft to the police or sheriff in the area where you live.
• Report the identity theft to your bank and other creditors.
• Contact the three major (Experian, TransUnion and EquiFax) credit reporting agencies.
  
• Ask businesses to provide you with information about transactions make in your name (Businesses are mandated by a law in Washington to provide it).
• Contact the Federal Trade Commission's (FTC) identity theft hotline (1-877-IDTHEFT) or visit their website.

It is scary to have your identity stolen. Hopefully, with the above precautions you should never have to face this scenario.

So when was the last time you changed your password? Maybe the company you work for requires you to change your work password every 60 or 90 days or something like that. They might have stricter rules about not reusing any of the previous 5-6 passwords or how they have to be alpha numeric with a special character blah blah.

But how about your personal passwords? Lets say your hotmail password. Did you *ever* change it since you created it? I have only changed my hotmail password once since I created my account in 1998. Thats not just me, that is a typical user behavior. There are a gazillion issues with passwords and managing them. Here are a few:

• Each website or service that you register with requires you to create a new username and password.
  
• Each one has a different rule for what constitutes a safe password or the length of your password.
  
• You typically have 2-3 passwords that you resuse everytime you register on a website. One the them might be the cryptic one that you use with your bank accounts and such, one of them might be the lousy (eg 1234) one that you use for stuff like hotmail.
  
• You dont change your password ever. (you think: who is break into my free New York Times registration?)
• You write down your passwords in a text file that you put on your desktop or carry in your wallet.
• You think of a genius password (or so you think!) that no one should be able to guess. Like some word in your native language. This doesnt work, because crackers usually conduct dictionary attacks and yes they use native dictionaries. I have around 40 native language password dictionaries, that can be used for an attack.

Its time the password became passe. We could use biometrics to start with. How about fingerprints?

Computer manufacturers need to ship keyboards and/or mice with inbuilt fingerprint scanners. Browsers like IE and Firefox should be able to scan your index finger and send it to a website whenever it asks for you to sign-up or sign-in. Ofcourse the whole process of sending across fingerprints should be encrypted end-to-end. Mobile phones need to be equipped with fingerprint scanners as well, that let you sign-in into your email account.

The password issue is going to become messier as we move ahead with putting stuff like videos, photos, blogs, music on the network. The network could be a home network or something like a file store online. Everything needs a password these days: phones, wireless routers, voicemail accounts, websites, TV's etc. Our reliance on digital stuff is increasing. We need to rely on the digit (aka finger ~ pun intended) to make the digitization of our lives simpler.

A few days ago, I had written about what a DOS attack is. DOS attacks are usually targetted towards ISPs or websites of large corporations. Home users might get affected by a DOS attack, such that if their ISP is attacked then they might face connectivity issues. As a home user, you dont have too many options. But as a sys-admin incharge of a large corporation's website or if you are working for an ISP, you might be wondering what your options are.

So what can be done when a DOS attack occurs? Can it be stopped or its effect mitigated? Well, lets look at a few options:

• Configure your router to block all outbound packets that have a source address that doesnt match your network subnet (this mostly helps when your network/machines are used to conduct an attack on someone else).
  
• You can use a combination of firewall and Intrusion Detection Software (IDS) to cut down on suspicious traffic.
  
• Restrict broadcast traffic.
• Rate limit your traffic. Rate limiting restricts the amount of bandwidth a specific type of traffic can consume at any given moment.
• Disallow broadcast ICMP packets through your router

These are just the preliminary starting points. Preventing a DOS or a DDOS attack is a huge topic in itself. In a future post, I'll describe the various types of DOS attacks like smurf, fraggle etc.

SSL is used to encrypt transmission of data between a browser and a webserver. So if a website out there uses SSL to encrypt sensitive information then everything is secure and perfect and nobody needs to worry about anything. Right? Well no.

SSL works only at the transport layer. Let me explain. What SSL can do is protect data exchanged between a browser and a server. What it cannot do is protect the server which stores the data from other kinds of attacks.

The data inside the server's database is NOT protected by SSL. It lies there in plain text unless the server uses some sort of encryption while storing data inside the database. SSL does not protect against operating system vulnerabilities. If someone out there can exploit a known vulnerability about the operating system, then the server and potentially the data might be exposed.

It is difficult to track down what was sent in as data via SSL (because everything is encrypted) and infact hackers prefer SSL to exploit application level vulnerabilities. Often hackers use a combination of outbound proxy servers and SSL so that their activities cannot be traced back to their computer.