You are here


Observations on information security.

Cloud Computing Discovers Covert Channels

A SANS Handler Notebook entry by Toby Kohlenberg reports on data leakage in cloud computing, and links to a terrific paper from some UCSD/MIT people: Ristenpart, Tromer, Shacham, and Savage.

If we set the wayback machine to the early 1970s, we find a paper by Butler Lampson about something called the confinement problem. It's the same thing. Ristenpart et al pick up some of the threads (like noninterference) though their paper doesn't point all the way back to Lampson.

This is a hard problem to solve. The only defense right now is if attackers lack the motivation to exploit it.

Malware Ad on

Troy Davis posted info about a malware ad encountered on I always enjoy a good, basic forensic analysis. The location of the ad is disturbing, to say the least, though it reflects a problem with today's on-line commercial culture.

It's so easy to do on-line transactions (you send money, I do an on-line service) that vendors aren't inclined to vet their customers. Vetting costs money: it takes time and it puts the vendor in the position of turning down potential sales.

Post category: 

Boak's Puzzle Revisited

A reader, GregoryF, has proposed a solution to Boak's puzzle. Many years ago, David G. Boak of the NSA gave lectures to train employees on communications security matters. In one case he presented a written story about insufficiently burned crypto materials (keys, etc.), several tons' worth, that needed disposal.

Boak didn't quite explain how they disposed of the waste. Instead, he coded the answer using an innocent text system and challenged the readers to solve it.

GregoryF's solution is posted as a comment to the earlier article. He actually came up with two different solutions. The "system" behind the second solution gets somewhat complicated, which casts some doubt on its correctness. Also, I haven't quite recovered the same results.

Spoilers ahead!

Wordpress tag: 

Vernam's Cipher

Gilbert Vernam was a digital systems designer from the early 20th century. He invented the stream cipher, what browsers often use today to encrypt messages exchanged with protected web sites. In his days, however, the mechanism of choice was the relay: an electromagnetic switch. Vernam also described the one-time pad, and noted the danger in reusing the key stream.

What, then is a Vernam cipher? Is it a stream cipher or a one-time pad? I've seen the term used both ways.

Now we can check the source. Steve Bellovin recently blogged on Vernam's work, and posted a PDF of Vernam's original  paper. Vernam wrote the paper for an AIEE conference (that's one of the precursors of today's IEEE - Bellovin negotiated permission to post the historic paper).

If we look at the historical description, Vernam does not restrict his cipher to the one-time pad case. Thus, a Vernam cipher in practice might - or might not - be a one-time pad. [revised 9/7/09]

Time - Again - For Trustworthy Computing

Saul Hansell of the Washington Post has posted an article about real time attacks on one-time password tokens like SecurID and SafeWord. The strategy is to steal a user's one-time password after it is typed in and redirect it to a hacker to exploit immediately. The attack relies on Trojan software that has installed itself in the victim's computer.SecurID Card

One time passwords were not designed to protect against this type of thing. Once you have that sort of trojan, there's no way to use your computer reliably. Attackers can intercept what you're doing, change it to benefit them, and you won't know what happened until you look at your bank statement.

The only way to protect against such things is to ensure that your computer has not been hacked. This is hard, since there are lots of ways to attack a computer and not nearly as many ways to protect it.

Post category: 

Managing Your Passwords

In 2009, another blogger posted an article on password problems that suggests 10 hard-to-follow rules.

The author highlights an important problem: attackers can do systematic trial-and-error guessing attacks against on-line sites. She focuses on a Google Gmail problem recently reported on Full Disclosure.

Here's the point: use strong protection on high-value targets. Take the time to protect your major e-mail account, your financial resources, and anything else you really value. If you're going to slack off, do it when registering to post a one-off blog comment.

Let me take a stab at my own list of recommendations.

Post category: 

Cutting a "black" wire in Tyson's Corner

The LA Times, of all places, has an interesting tidbit about an incident in Northern Virginia. A construction crew in Tyson's Corner cut a "classified" fiber optic cable. And the construction site was promptly visited by men in black SUVs.

Moreover, the cable cut was fixed that very day by AT&T personnel. Impressive response time, eh?

Post category: 

Crypto bypass on the iPhone 3GS

Cousin Jon sent me this Wired link: how to bypass iPhone's 3GS encryption using jailbreaking tools. I haven't paid serious attention to the iPhone (AT&T hasn't had a strong signal in my town) but crypto bypass always gets my attention.

In fact, the weakness has nothing to do with protecting personal information on an iPhone. It's all about third parties: Apple, the cell provider, and possibly an employer who provides/manages the iPhone.

If you're not troubled by being limited to the iPhone Apps Store, then the threat's relatively small, especially compared to desktop systems. Moreover, I doubt we'll see real iPhone viruses as long as most people are happy with Apple's app restrictions.

Post category: 

Spyware from a Cell Phone Carrier

Here's a scary harbinger of things to come - the top Blackberry carrier in the United Arab Emirates developed its own "upgrade" and distributed it to its customers. The carrier's upgrade contains spyware that apparently sends decrypted e-mails back to the vendor.

The vendor is 60% owned by the UAE government. (digg)

Post category: 

Hacking Business Accounts

A couple of months ago I talked to an attorney at a regional law firm. He mentioned that some of his clients had lost tens to hundreds of thousands of dollars to fraudulent wire transfers. I surmised that it was due to rootkits that allowed someone to remotely perform a wire transfer. I also wondered if this was a local or widespread phenomenon.

Apparently it's widespread.

Post category: 


Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer