No Tricks

Crypto from Tesco

2011-10-07T11:57:00.001-07:00

You can now order the new Block Cipher Companion book from Tesco’s, just published this month. I have seen an earlier draft and the text is very detailed and comprehensive, as you would expect from authors of this caliber.

Xobni becomes Smartr

2011-10-04T08:29:00.001-07:00

I recently posted about the reads on my Scribd collection, and one of the most frequently read is the master’s thesis by the founder of Xobni (inbox spelt backwards) called How to Organize Email. There is a new version of this software called Smartr for Gmail and you can watch a video on its features.

Yoda Pie Chart - there is no Try

2011-10-02T15:31:00.001-07:00

Love it, from Flowing Data.

150,000 reads of my Scribd documents

2011-10-02T09:15:00.001-07:00

I have uploaded about 200 documents to Scribd over the last few years and the number of reads has just passed 150,000. You can see the categories here. The top 5 documents, each with over 3000 reads each are

The Other Binomial Expansion

2011-09-29T16:12:00.001-07:00

From this collection of creative exam answers.

SHA post as SPAM magnet

2011-09-26T15:47:00.001-07:00

Don’t ask me why but a lot of SPAM has accrued, and keeps accruing, at this May 2009 post on SHA-1. Apart from the common penis enlargement references, some of the other SPAM is quite long and seems to be playing on some quirk of SEO. Fine.

Fibonacci Pigeons

2011-09-25T08:49:00.001-07:00

This just made me laugh.

These aren’t the key management systems you are looking for

2011-09-22T08:15:00.001-07:00

This is a nice presentation on enterprise key management issues from Anthony Stieber given at the 2nd IEEE (KMS 2010) Key Management Summit. The main message is that KMS is tricky and don’t roll your own. By the way if you are looking for examples of Powerpoint that breaks all the rules for good presentations, then you will find them here.

Also there is a very polished and informative presentation from Chris Kostick of E & Y on an enterprise key management maturity model, and below is a comprehensive diagram on the life-cycle management of keys.

Liability for Risk Decisions

2011-09-22T07:10:00.001-07:00

I am currently in-between positions, somewhat happily, and are casting my net of interest a bit wider than my traditional roles in IT Security and Risk. One position that caught my eye from a global reinsurer in town was the role of Earthquake Expert within their Natural Catastrophe department (or Nat Cat in insurance lingo). I really don’t have any specific background in this area but I sometimes entertain the idea that I can transfer hard-learnt crypto math skills into a numerate role like this one which calls for extensive modeling and prediction. You also think that this might be a nice and cozy niche area to ply your trade as a specialist, holding something of a privileged position.

Well I was disabused of any such notion this week when I read this week of six Italian scientists and a former government official are being put on trial for the alleged manslaughter of the 309 people who died in the 2009 L'Aquila earthquake in Italy.

The seven defendants were members of a government panel, called the Serious Risks Commission (seriously), who were asked to give an opinion (or risk statement) on the likelihood that L'Aquila would be struck by a major earthquake, based on an analysis of the smaller tremors that the city was experiencing over the previous few months. The panel verdict delivered in March stated that there was "no reason to believe that a series of low-level tremors was a precursor to a larger event". A week later the city suffered an earthquake of magnitude 6.3 on the Richter Scale, denoting a “strong quake”.

The crux of the case against the scientists is that they did not predict the strong quake coming to L'Aquila to allow a proper evacuation of its inhabitants. The defense rebuttal is simply that such a prediction is impossible, and they cannot be held accountable for this unreasonable expectation. The scientists cannot be expected to function as a reliable advanced warning system. The international scientific community has weighed in to support the defendants with a one-page letter from the American Association for the Advancement of Science, which supported the scientists by saying that there is no reliable scientific process for earthquake prediction, and they should not be treated as criminals for adhering to the accepted practices of their field.

Recently people were evacuated from New York City as precaution to the impact of Hurricane Irene. The hurricane passed by New York causing far less extensive damage than expected, and yet there were still complaints from residents about being asked to leave their homes “unnecessarily”. It seems that authorities cannot win in these matters unless they can predict the future accurately.

PageRank Increment for No Tricks

2011-09-14T18:38:00.001-07:00

Every now and again I run this blog through the free Website Grader tool which measures your site on a variety of criteria, hoping to lure you for a more thorough paid analysis. The tool used to report a PageRank value, and No Tricks seemed to be stuck at 3 for quite a few years. The site now uses there own page ranking metric, which reported a value higher than 3. I was overjoyed and eagerly confirmed that the “true” PageRank metric had also increased from 3 to 4, representing some form of “exponential” improvement since the scale is logarithmic. I can now claim that the No Tricks site has gone from being of “low importance” to being of “medium importance”. Fine, I’ll take it.

Incidentally, I wrote a short introduction to the mathematics of PageRank a few years back, with a security spin.

Jesus and spending a trillion dollars

2011-09-14T07:10:00.001-07:00

Amit Agarwal at Digital Inspiration has put together some information on just how big the number one trillion actually is, in human-sized terms. We have heard a lot about trillions of dollars in the context of credit crisis and, more recently, in the debate over the US budget deficit. Not to mention that Facebook recently reported that their total number of page views has passed the one trillion mark.

Agarwal started by reporting the following Biblical metaphor

If you start spending a million dollars every single day since Jesus was born, you still wouldn't have spent a trillion dollars by today.

And in terms of a diagram, Agarwal starts with takes a single 100 dollar US bill, and represents larger values as

Extending further, a trillion dollars then requires a football field of space, as shown below, with our human-sized man dwarfed in the bottom left corner.

Can you win the lottery too many times?

2011-09-14T02:20:00.001-07:00

Last year I posted on The Fabled 25 Sigma Event, referring to a quote from David Viniar, then CFO of Goldman Sachs, who was attempting to describe the magnitude of the movements in the financial markets. Mr. Viniar probably did not fully understand the implications of what he was saying, since a 25 sigma event translates into a phenomenon occurring once every 10^{135} years - a period of time that we have yet to see even a fraction of. Several researchers at the business school of the University College Dublin gave another interpretation of how unlikely this event was by stating that it equates to winning the UK lottery more than 20 times in a row.

Winning the lottery 20 times does seem very unlikely. Recently a woman won the Texas lottery for the fourth time in the last 10 years or so, accumulating prize money of just over 20 million USD, and is being scrutinized by the press for potential fraud. There is a lot of suspicion about the luck of Joan Ginther (pictured below) and her winning streak. Googling on “4 time lottery winner” produces pages of articles on Ginther’s supposed luck.

Nathaniel Rich ran an interesting 4-page story in the August issue of Harper’s magazine, where he visits the small Texas town of Bishop to look at the lone town store where three of the winning tickets were purchased. Rich spoke to enough mathematics professors beforehand to determine that the odds of an individual winning four times by pure luck are extremely low indeed, about 10^{-24}, or a practical impossibility (still “far more likely” than a 25 sigma event though). The alternate scenarios are (1) an inside job potentially amongst the state lotteries and their suppliers (2) cracking the parameters of the psuedo-random number generator for selecting the winners, and (3) dumb luck, or increasing your odds of winning by buying many tickets. The most likely answer seems to be a combination of (2) and (3).

The local town people are going with scenario 3 or just ascribing it to pure luck outright, as there is a strong (American) belief that everyone can be a winner. Getting back to those 25 sigma events, it seems then that no one would actually be able to win the UK lottery over 20 times as they would be suspected of foul play, and likely to find themselves arrested way before that many wins. Perhaps Mr. Viniar should have been arrested for his remarks.

An unexpected business model for Angry Birds

2011-09-13T04:48:00.001-07:00

Rovio, the company that developed Angry Birds, recently announced at the Techcrunch Disrupt conference that they are now selling more than one million Angry Birds T-shirts and toys each month. That’s after 350 million downloads of the game. What a business model, if they were intending it, and a movie deal is apparently in the works as well. Oh yes, and a theme park. So it seems it is possible to use a mobile game as the basis to leverage the creation of real world profits.

All Eyes on Facebook

2011-09-13T01:09:00.001-07:00

A recent social media report from Nielsen’s shows, amongst other things, that Facebook dominates our attention on the Internet, larger in terms of minutes of face time than the four next most popular social media sites. Business Insider produced the following chart based on Nielsen’s data

It was recently (and widely) reported that the number of page views on Facebook passed the 1 trillion mark, but that figure has been disputed. In any case, all internet path seems to lead to Facebook one way or the other.

A short touching remark on 9/11

2011-09-11T04:47:00.001-07:00

I am stepping out more of late, meeting new people and doing new things, which has seen more doing far less blogging over the last year. One of the site I use to find things to do is Meetup in the Zurich locality. I received the following email from the founder today who relates how the origin of the service was 9/11, and his intention was to “use the internet to get people off the internet”,

Fellow Meetuppers,
I don't write to our whole community often, but this week is
special because it's the 10th anniversary of 9/11 and many
people don't know that Meetup is a 9/11 baby.
Let me tell you the Meetup story. I was living a couple miles
from the Twin Towers, and I was the kind of person who thought
local community doesn't matter much if we've got the internet
and tv. The only time I thought about my neighbors was when I
hoped they wouldn't bother me.

When the towers fell, I found myself talking to more neighbors
in the days after 9/11 than ever before. People said hello to
neighbors (next-door and across the city) who they'd normally
ignore. People were looking after each other, helping each
other, and meeting up with each other. You know, being
neighborly.

A lot of people were thinking that maybe 9/11 could bring
people together in a lasting way. So the idea for Meetup was
born: Could we use the internet to get off the internet -- and
grow local communities?

We didn't know if it would work. Most people thought it was a
crazy idea -- especially because terrorism is designed to make
people distrust one another.
A small team came together, and we launched Meetup 9 months
after 9/11.

Today, almost 10 years and 10 million Meetuppers later, it's
working. Every day, thousands of Meetups happen. Moms Meetups,
Small Business Meetups, Fitness Meetups... a wild variety of
100,000 Meetup Groups with not much in common -- except one
thing.

Every Meetup starts with people simply saying hello to
neighbors. And what often happens next is still amazing to me.
They grow businesses and bands together, they teach and
motivate each other, they babysit each other's kids and find
other ways to work together. They have fun and find solace
together. They make friends and form powerful community. It's
powerful stuff.

It's a wonderful revolution in local community, and it's thanks
to everyone who shows up.
Meetups aren't about 9/11, but they may not be happening if it
weren't for 9/11.

9/11 didn't make us too scared to go outside or talk to
strangers. 9/11 didn't rip us apart. No, we're building new
community together!!!!

The towers fell, but we rise up. And we're just getting started
with these Meetups.

Scott Heiferman (on behalf of 80 people at Meetup HQ)
Co-Founder & CEO, Meetup
New York City
September 2011

The “Half-life” of a bitly link is about 3 hours

2011-09-10T13:30:00.001-07:00

Hilary Mason, Chief Scientist at bit.ly, a large link shortening service, has done an analysis on some of their link data to get an idea of how long links remain “alive” or “popular”. The measure was to look at 1,000 links and graph the number of hits that a link receives over 80,000 seconds (almost a day), and then determine the point over that period where half of the total number of hits were received. From the post

So we looked at the half life of 1,000 popular bitly links and the results were surprisingly similar. The mean half life of a link on twitter is 2.8 hours, on facebook it’s 3.2 hours and via ‘direct’ sources (like email or IM clients) it’s 3.4 hours. So you can expect, on average, an extra 24 minutes of attention if you post on facebook than if you post on twitter.

Running the data yielded the following graph, showing a strong power law for Facebook, Twitter and direct links (links shared via email, and instant messengers), but a delayed curve for YouTube.

What Mason computed would more accurately be called the median rather than the half-life, since she is interested in the first point in time that divides the total number of hits for the period into two roughly equal sets. More discussion on this point is given in the comments to the post. The conclusion from the post

In general, the half life of a bitly link is about 3 hours, unless you publish your links on youtube, where you can expect about 7 hours worth of attention. Many links last a lot less than 2 hours; other more sticky links last longer than 11 hours over all the referrers. This leads us to believe that the lifespan of your link is connected more to what content it points to than on where you post it: on the social web it’s all about what you share, not where you share it!

A while back I posted on the half-life of patching vulnerabilities being 30 days and there we probably have confusion with the sample median as well. I also noted the attrition for my own links in Shark Fin posts.

Two victories for Randomness

2011-09-09T10:10:00.001-07:00

I recently came across two smallish examples of where randomness was the solution to two perplexing problems. That is, rolling the dice seems to help you out of a situation where a planned method was not giving you what you wanted.

The first issue is the problem of how to board passengers on a plane. Finding the best way to board people is actually a well-studied problem, both theoretically and in practice, and you can see some of the work here. At the top of the same page there is a nice simulation program which shows you how different boarding strategies play out, and random boarding (just calling out people to board at random) is better than the usual front-to-back boarding that most of us are familiar with.

The reason is that random boarding gives a better utilization of the space in the plane whereas front-to-back boarding piles people into one part of the plane, eventually causing jams in the aisles. The full set of strategies examined are

Back-to-front
Rotating-zone
Random
Block
Outisde-in
Reverse-pyramid

On another topic, a Freakonomics blog post describes how researchers in South Africa are using a randomness trick to get truthful answers from farmers who are suspected of illegally killing leopards and hyenas. The method is called randomized response surveying, where when the farmers are asked potentially incriminating questions they first flip a coin, and based on the result give a yes or no answer to either the incriminating question if it was heads, or a harmless question (do you think the Springboks will win the RWC?) if it was tails. The farmers actually used a die, taking specific actions on which value from 1 to 6 was thrown, but the principle is the same as I have described it.

The trick here is that the person asking the question cannot tell which question the farmer is answering, but the farmer’s answer can be recorded. Statistical methods can then be used to determine the distribution of answers for the two questions, and actually make inferences about the proportion of positive answers to the incriminating question. This method was devised in the 60’s, and by the early 80’s it was being taught at my undergraduate university as part of a first year course.

Green IT Swiss Data Center presentation

2011-08-07T14:36:00.001-07:00

Here is a short presentation on a relatively new data center in the west of Zurich that is designed to be green and secure. More information at green.ch, and the language can be changed to English in the upper right corner.

US Grade Inflation Study

2011-08-07T13:11:00.001-07:00

A recent study has examined the prevalence of grade inflation at US universities over the last 100 years or so, and has found some identifiable patterns. The chart below shows the increase in grades between various types of schools in the primary colors, with the grey representing (unnamed individual schools).

What is clear is that there was a huge increase in grade in crease in the 60’s and then a steady increase over the last 30 years of so. From the study

The rise in grades in the 1960s correlates with the social upheavals of the Vietnam War. It was followed by a decade
period of static to falling grades. The cause of the renewal of grade inflation, which began in the 1980s and has yet to
end, is subject to debate, but it is difficult to ascribe this rise in grades to increases in student achievement. Students’ entrance test scores have not increased (College Board, 2007), students are increasingly disengaged from their studies (Saenz et al., 2007), and the literacy of graduates has declined (Kutner et al., 2006). A likely influence is the emergence of the now common practice of requiring student-based evaluations of college teachers. Whatever the cause, colleges and universities are on average grading easier than ever before.

Further science and engineering students are graded more harshly than their fellow students in liberal arts degrees.

A 10% Tipping Point Threshold

2011-08-07T12:49:00.001-07:00

Scientists at Rensselaer Polytechnic Institute have recently published research into social networks which indicates that when just 10 percent of a network steadfastly holds a given belief, then that belief will eventually be adopted by the majority of the society. These group of 10% “believers” are referred to as a committed minority.

Even though the research has produced quite a bit of press (see here and here for example) it is a little difficult to say how the result was arrived at. The abstract of the paper states that

We show how the prevailing majority opinion in a population can be rapidly reversed by a small fraction p of randomly distributed committed agents who consistently proselytize the opposing opinion and are immune to influence. Specifically, we show that when the committed fraction grows beyond a critical value p_c≈10%, there is a dramatic decrease in the time T_c taken for the entire population to adopt the committed opinion. In particular, for complete graphs we show that when p<p_c, T_c~exp[α(p)N], whereas for p>p_c, T_c~lnN. We conclude with simulation results for Erdős-Rényi random graphs and scale-free networks which show qualitatively similar behavior.

It seems that they are using a model for the spread of opinion overlayed on various network topologies, starting with the complete graph (everyone knows everyone), then scale free, and a simulation of a random graph process. The results are strengthened by finding the 10% threshold present in each topology. Even so, the following graph was not that informative for me.

I think I will have to wait get a copy of the paper to make full sense of the result. Reported in Freakanomics.

iPhone Passcode Bias

2011-08-05T16:06:00.001-07:00

An informal study from collecting just over 204,000 iPhone passcodes, produced the graphic below on the top ten most common passcodes

The author concludes that

Formulaic passwords are never a good idea, yet 15% of all passcode sets were represented by only 10 different passcodes (out of a possible 10,000). The implication? A thief (or just a prankster) could safely try 10 different passcodes on your iPhone without initiating the data wipe. With a 15% success rate, about 1 in 7 iPhones would easily unlock--even more if the intruder knows the users’ years of birth, relationship status, etc.

DIPK Graphic

2011-08-05T15:42:00.001-07:00

From Flowing Data

Mark Johnstone uses a cake metaphor to represent data, presentation, and what you gain.

Don’t like the last shot for knowledge. Perhaps lots of smaller cakes?

Block Cipher Bible coming

2011-06-06T09:26:00.001-07:00

There is a new and authoritative block cipher book soon to be published, by my good friend Lars Knudsen and my respected colleague Matt Robshaw. These are two of the top experts in the field – both veterans of the AES selection process and long time contributors to understanding why and what makes a good - or simply not a bad - block cipher. The book will be available this year and you can pre-order from Amazon right now.

A Loch Ness Month

2011-06-06T06:14:00.001-07:00

The graph below from Google Analytics shows the reading “humps” of my blog with unusual clarity. Typically readership tapers off on the weekend and picks up as the work week commences. You can see the peaks and valleys for the weekends quite clearly below, and it reminded my of those famous Loch Ness humps. Thanks to the 2000+ visitors in May, even when I am struggling to find the time for meaningful posts.

ISACA Risk Assessment Guidelines

2011-05-02T08:40:00.001-07:00

I uploaded a 15 page guideline from ISACA for audit risk assessments to my Scribd collections. The document gives a reasonable overview of how a standard IT audit assessment can be enhanced from a risk perspective, taking into account additional factors beyond controls and their gaps.

No Tricks recently passed 50,000 visitors

2011-04-14T23:54:00.001-07:00

Just a short note to say that the number of visitors to the No Tricks blog recently passed the 50,000 mark, which was very satisfying for me. The blog has been running since September 2008, starting out with just a few posts but then building open slowly to around 250 now. You can see the monthly increase in visitors below, and some other statistics from Google Analytics.

How many users does Twitter have?

2011-04-05T05:45:00.001-07:00

A nice power law looking graph from Business Insider on the properties of Twitter users, and about 175 million Twitter accounts have been registered to date. But how many of those accounts are actually active and being used? Hard to say it seems. The article reports on digging into the Twitter API and finding that

Using data that is now just one month old, he found out that…

There were 119 million Twitter accounts following one or more other accounts.

There were 85 million accounts with one ore more followers.

With these figures, and Twitter's claim of 175 million accounts, a little subtraction shows us that there are 56 million Twitter accounts following zero other accounts, and 90 million Twitter accounts with zero followers.

Freehaven papers on Anonymity

2011-03-26T06:01:00.001-07:00

I have not looked at the Freehaven site for some time, but just a reminder that there is a huge collection of research papers sourced, tracing the history of anonymity systems, MIXES and other PETs. The collection was well-attended to up till the end of last year but is missing updates for 2011 so far. I am sure that they will come. BibTeX references for the papers as well.

Trust and security in the cloud

2011-03-26T05:33:00.001-07:00

The Register has published a new 16-page whitepaper on trust and security in cloud computing, with the key findings being

Many companies could do much better when it comes to in-house security
SaaS adoption is limited currently, but there is increasing interest from the business
The biggest impediment to SaaS adoption is a perception of security issues
Companies with experience of SaaS are positive about provider security
SaaS is likely to help with shortcomings of on-premise security capabilities

The whitepaper was written from data gathered in an online survey with over 500 participants. Amongst the many tabulated responses to the survey there is an interesting list of the ways data can exit from corporate boundaries.

iPad Competition is Toast

2011-03-12T05:45:00.001-08:00

Business Insider recently reported that the iPad is outselling the competition about 4-to-1. So as security professionals the iPad is the platform to focus on for risk assessments.

An example of redundancy in English

2011-03-12T05:37:00.001-08:00

After I apologized too often for my bad typing, my sister-in-law sent me the following text to demonstrate that our brain can understand words even if only the first and last letters are correct

Yet aoccdrnig to a sudty at Cmabrigde Uinervtisy, it deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a ttoal mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

Apparently this text is well-known to language people!

24 minutes with Bill Gates on career choices

2011-01-29T14:49:00.001-08:00

In April last year Bill Gates addressed a collection of students at Harvard for 24 minutes on the topic of where to devote your talents. It is well-known that Gates dropped out of Harvard in the mid 70’s to develop his fledgling software company. He was returning as a philanthropist on this occasion, armed with the following question “Are the brightest minds working on the most important problems?”. And clearly he does not think so, as it appears many of top minds in the US are going into sports, entertainment or finance. In fact, “The allocation of IQ to Wall Street is higher than it should be.” You can find the video of the talk here.

Calculus vs. Probability

2010-12-23T07:59:00.000-08:00

I am trying out listening to podcasts on my – yes – iPod, during what was figuratively described to me as my “downtime”. In Zurich for me this means being on trams and trains, and walking between them or to them. So I went looking for captivating podcasts and of course ended up at the TED site, where you can download any number of interesting speakers and topics. I came across a short and poignant talk by mathematician Arthur Benjamin's on his formula for changing math education.

His simple approach is to switch from calculus being the pinnacle of math education to actually probability and statistics, because while the former is beautiful yet little used, the latter two topics are in fact very practical and in high demand. In short we need to better understand risk. Below is the full text of his short talk, where I have highlighted a few phrases in bold

Now, if President Obama invited me to be the next Czar of Mathematics, then I would have a suggestion

The mathematics curriculum that we have is based on foundation of arithmetic and algebra. And everything we learn after that is building up towards one subject. And at top of that pyramid, it's calculus. And I'm here to say that I think that that is the wrong summit of the pyramid ... that the correct summit -- that all of our students, every high school graduate should know -- should be statistics: probability and statistics. (Applause)

I mean, don't get me wrong. Calculus is an important subject. It's one of the great products of the human mind. The laws of nature are written in the language of calculus. And every student who studies math, science, engineering, economics, they should definitely learn calculus by the end of their freshman year of college. But I'm here to say, as a professor of mathematics, that very few people actually use calculus in a conscious, meaningful way, in their day to day lives. On the other hand, statistics -- that's a subject that you could, and should, use on daily basis. Right? It's risk. It's reward. It's randomness. It's understanding data.

I think if our students, if our high school students -- if all of the American citizens -- knew about probability and statistics, we wouldn't be in the economic mess that we're in today. Not only -- thank you -- not only that ... [but] if it's taught properly, it can be a lot of fun. I mean, probability and statistics, it's the mathematics of games and gambling. It's analyzing trends. It's predicting the future. Look, the world has changed from analog to digital. And it's time for our mathematics curriculum to change from analog to digital. From the more classical, continuous mathematics, to the more modern, discrete mathematics. The mathematics of uncertainty, of randomness, of data -- and that being probability and statistics.

In summary, instead of our students learning about the techniques of calculus, I think it would be far more significant if all of them knew what two standard deviations from the mean means. And I mean it. Thank you very much. (Applause)

I could not agree more. The world is discrete for me, and very few of the problems that I encounter succumb to integration.

Protecting Your Information in the Age of WikiLeaks

2010-12-23T07:38:00.000-08:00

This is the title of a webcast invitation that I recently received from Symantec. The Wikileaks saga is quickly impacting the infosec landscape, probably because the issue is so visible to all levels of senior management. The webcast is described as follows

In the wake of the intense media attention around the WikiLeaks disclosures, you may be asking yourself, "What steps can I take to help my company avoid this same fate?"

Symantec has been working with customers who are concerned about preventing these same issues and we’ve developed a set of best practices that can help defend against these types of breaches. We’d like to share with you some of the techniques that might be useful to help you uncover similar activity on your own systems. In this live webcast we’ll:
Discuss the threat agents and modes of data loss you should be most concerned about
Recommend counter-measures to protect your critical information against these risks
To learn more about how your organisation may be at risk and steps you can take to defend your information, register today.

2011 InfoSec Predictions from Zscaler Labs

2010-12-23T07:22:00.000-08:00

Its not only the season of giving and but forecasting as well, and I recently received the following Information Security Predictions from Zscaler Labs

Flash mob hacktivism – we’ll see more attacks similar to Operation Payback, where like-minded strangers quickly organize and attack corporations or government entities in the name of a cause

Niche malware designed to harvest confidential information from IP-connected devices such as printers and SCADA systems will grow

Cloud-hosted botnets will grow

We’ll hear about more indirect data breaches, where not it’s the company affected that was breached, but rather a third-party vendor or organization

Social networks will become the main communication medium for attackers

The Information security market will continue to shrink

An interesting list - more about trends than fundamentals - and you can find more details on the Zscaler blog.

Over 1,000 visits this month to old AES-256 post

2010-12-23T07:01:00.000-08:00

Just a note to say that my Are AES 256-bit keys too large? post from July 2008 has been visited over 1,000 times this month. For the last few years it has been my most popular post by far, and I once referred to it as one of my Pareto posts. Probably what happened this month is a link to the post found its way onto some social channel, like Twitter, and just mushroomed from there. It just shows that content really has no use-by date in Web 2.0.

Tutorial on Buffer Overflows

2010-12-14T08:48:00.000-08:00

Nice tutorial on this perennial security problem from Patrick Schaller of ETH, Zurich.

Internet Privacy as a Venn diagram

2010-12-07T11:47:00.001-08:00

From Flowing Data:

Snakes in Suits – the risks from psychopaths in the workplace

2010-12-06T13:34:00.001-08:00

A telling presentation from Holly Andrews at a recent IRM meeting on dealing with psychopaths in the workplace (and yes the boardroom), derived from the 2006 book Snakes in Suits: When Psychopaths Go to Work. The presentation describes how workplace psychopaths burrow into positions of power, and amongst other things, assume more risk than is sensible. There is a wonderful process chart which shows how such people operate

Transitional organisations can be seen as ideal “feeding grounds” for psychopaths since

There are fewer constraints and rules allow the psychopath freedom in acting out their psychopathic manipulation

The fast changing environment provides stimulation for the psychopath whilst serving to cover up their failings

There is the potential for large rewards in terms or money, power, status and control

Just over 100,000 reads of my Scribd documents

2010-10-28T08:48:00.001-07:00

Just a note to say that the total number of read of my documents on Scribd just passed 100,000! The categories are given below, mostly PDFs and a few PowerPoint presentations.

BP and Trial by PageRank

2010-09-14T15:35:00.001-07:00

Over at the NSIS, Alex has a post (downgraded to a rant?) which begins with berating Gideon Rasmussen for calling the BP Deepwater incident a Black Swan, and ends up discussing flaws in corporate governance. Alex correctly describes the incident as a “tail event”, both low probability and high impact but still “on the curve”. True Black Swans are events for which prior distributions are “completely uninformative”, and they belong on a totally different curve to expectations and models.

Even so, for me a Black Swan aspect of the incident has been the subsequent reputational damage to BP. This has not been a trial by public media, but trial by social media and ultimately, trial by PageRank. In web 2.0 there is no such thing as yesterday’s news, or yesterday’s newspapers wrapping up today’s fish and chips. Links are just as good today as they were yesterday, and continue to remain search-worthy far into the future as long as PageRank deems them to be so. Holding steady at approximately two thirds of the search market, Google via PageRank has become the default arbiter of Internet truth.

A recent article called What Big Brands are spending on Google from Advertising Age showed that BP’s spending on Google Ads increased dramatically, to almost $3.6 million dollars in June, up from its regular budget of less than $60,000.

That’s almost a 6000% increase in spending at the height of the BP counter-PageRank campaign, and such unpredictable jumps are the calling cards of Black Swans. From the article

Before BP could stem the oil gusher at the bottom of the Gulf of Mexico, it unleashed $100 million in ad spending, largely on network TV, to stem the damage to its image. But it also started spending heavily where it had never spent much before: buying ads in Google's search results.

BP was essentially paying Google AdWords to distract Google PageRank - trial by PageRank and forgiveness by AdWords. What’s that saying about judges and juries again?

Keyword Spamming with Infographics

2010-09-10T14:20:00.001-07:00

Infographics have become more popular, and BuzzFeed has produced an infographic describing how infographics are used to generate keyword spam. The trick to stopping the spam appears to be adding a NO FOLLOW tag in the html code of the embedded infographic.

References to Homomorphic Encryption

2010-09-10T14:01:00.001-07:00

Homomorphic encryption is the basis of Craig Gentry’s recent breakthrough in encrypted search. Helger Lipmaa has a large collection of papers on homomorphic encryption here, as well as other cryptographic topics. Knock yourself out.

Five Lectures on Anonymous Communications

2010-09-10T13:37:00.001-07:00

George Danezis has put together a great series of lectures on modern anonymous communications, available from his Conspicuous Communication blog here. The lectures cover

Basic definitions & unconditional anonymity with DC-networks.
Long-term attacks on anonymity systems (Statistical / Disclosure) and their Bayesian formulation.
Mix networks and anonymity metrics.
The Bayesian traffic analysis of mix networks.
Low-latency anonymity with onion routing and crowds.

About 150 slides of material.

How to render SSL Useless – video version

2010-09-05T13:45:00.001-07:00

A while back I posted on the How to render SSL Useless deck from Ivan Ristic of SSL Labs (now with Qualys) on common mistakes in the deployment of SSL. There is now a video of Ivan presenting this deck at a recent OWASP conference, available at ThreatPost.

HeadHacker Social Engineering site

2010-09-05T13:01:00.001-07:00

I just came across HeadHacker, a site devoted to social engineering, run by a former colleague Dale Pearson. The site looks great and Dale will be a speaker at the upcoming hashdays conference in Lucerne this November.

Will there be an IT Risk Management 2.0?

2010-09-05T11:39:00.001-07:00

This is the title of a short talk I gave recently at an OWASP chapter meeting in Zurich. The audience was small but engaged, and I went over time by quite a bit. I need to develop the talk further but it is a decent v1.0.

The Blank Swan

2010-08-28T11:58:00.001-07:00

There is a new book, published in April, called The Blank Swan: The End of Probability. This is a clever title and the front photo is wonderful as well.

The book seems to be saying that financial market processes simply cannot be captured using the conventional notions of probability. The author writes in summary

The current crisis has led us to a conceptual impasse regarding the financial market. No prediction model can apply to the market …

Probability has to be discarded and a new category has to emerge instead, which will mediate contingency …

In fact, the market has nothing to do with Wall Street or with the investment banks. Market-making is a creative activity. The market is a category of thought that is independent of ideology. It replaces probability altogether and discarding the market, like the philosophers of the radical change claim we should do, is like discarding probability!

Not a very positive review from Reading the Markets, who found the book quite hard to read. There is some discussion on a Wilmott mailing list as well.

Searching an Encrypted Cloud

2010-08-28T07:58:00.001-07:00

There is a post over at the Enterprise Search blog with some pointers to encrypted search, including my own overview. There is a link to a whitepaper from Seny Kamara and Kristin Lauter of the Microsoft Research Cryptography Group, proposing an architecture for a virtual private storage service which supports the following properties

confidentiality
integrity
non-repudiation
availability
reliability
efficient retrieval
data sharing

Cool A5/1 back-clocking graphic

2010-08-28T04:18:00.001-07:00

Below is part of a graphic which depicts the A5/1 state space generated when checking if the correct key has been determined from a rainbow table lookup. Once a key candidate has been found using the rainbow tables, the A5/1 cipher needs to be advanced (forward clocked) and undone (back-clocked) to verify that the candidate key is correct.

The grey paths represent states that are not accessible through forward clocking, and the green paths have many ancestor states leading to the same key stream. Red paths have few ancestor states leading to the same key stream. The graphic is from the A5/1 rainbow table generation project led by Karsten Nohl.

GPU Judgement Day for short Passwords

2010-08-27T14:55:00.001-07:00

Researchers from the Georgia Tech Research Institute have announced that the power of GPU processors now poses a real threat to password security, and by implication, to the security of critical IT infrastructure. Top of the line GPU devices now process at the rate of 2 Teraflops second, which is around 30% of the computing power the fastest computing cluster could muster 10 years ago for a price tag of over $100 million. Given that the main GPU manufacturers have made their devices programmable through standard C libraries, password cracking has become democratized.

The researchers state that 7 character passwords are now totally insecure against exhaustive attacks and recommend 12 characters, drawn from the full 94 printable keyboard characters. GPU processors can also be used to generate rainbow tables for offline password cracking, which was the approach taken recently by Karsten Knol to building rainbow table using CUDA nodes.

Of course, applying GPU devices to password creaking is not new, and Elcomsoft has made a name for itself using high-end gaming chips to recover and benchmark passwords. I am a little surprised that the researchers did not mention this. In any case, Elcomsoft has a great blog and you can find a good presentation on GPU password cracking here.

From my post The spin on passwords for AES

Adding spin to password-based computations is a workaround to the unpleasant fact that human habits and memory are vastly outmoded in today's IT environment. Everything is getting faster, better and cheaper - except us. Passwords remain the most toxic asset on the security balance sheet, but don't expect a bailout any time soon.

De-obfuscating the RC4 layer of Skype

2010-08-27T13:59:00.001-07:00

Sean O'Neil, a security developer (or at least an amateur one), has posted code that is binary-compatible with an obfuscated version of RC4 that is used to protect Skype control traffic (user searches, profiles, contact lists). O’Neil says that the obfuscated version of RC4 is keyless and serves no useful security purpose, but its presence is intended to render Skype incompatible with other messaging clients, effectively making it a proprietary system. Even though Skype was intending to open its APIs to all desktop clients soon enough, O’Neil sees himself as buster of Skype’s 10 year monopoly.

The story is being widely reported in the press (see links below), and it is easy to assume that the general security of Skype has been compromised, especially when O’Neil’s own post carried the title Skype’s Biggest Secret Revealed. But the secret was disentangling the modified version of RC4 from Skype’s operation. User privacy remains protected since full strength versions of AES-256, RSA-1024 and RSA-2048 are used to encrypt session traffic. The code itself is surely obfuscated since the source is over 2800 lines of C, when 50 or so is enough to implement RC4.

The full implications of the discovery are still playing out, and whether losing their biggest secret poses a serious issue for Skype. O’Neil is promising to release more details at the Chaos Communication Conference in Berlin this December.

Uno, dos, DDoS

2010-08-26T02:18:00.000-07:00

Here is a Flash rendering of a FreeMind map I made from the excellent post Surviving Cyber War: A Primer on DDoS by Richard Stiennon, which appeared last November. The post traces the history of DDoS, looks at the people and technologies involved, and tells the story of the unlikely (then) 25-year-old hero Barrett Lyon.

IT Security Trends FreeMind map from 2008

2010-08-25T14:38:00.001-07:00

I recently uploaded a large FreeMind map that I collected over 2008, in an effort to get a handle on the stream of security articles, reports and incidents taking place back then. In short there was a torrent and it remains much the same today. I think you might find the ad hoc classification of material useful, as well as the groups of sources.

Note that links to items from FIRST (Forum of Incident Response and Security Teams) are now broken since their once excellent news service has been discontinued.

All sources for my security and risk FreeMind maps are available here.

12 bits of default entropy for Speedport WPA routers

2010-08-25T03:08:00.000-07:00

The H has reported that the default WPA key settings for the Speedport W 700V ADSL Wi-Fi routers are weak since at most 4096 guesses are required to recover the key. The key is mostly populated with a collection of fixed fields (for example keys always begin with the prefix "SP-") and other public information such as the MAC address of the router. The devices are apparently supported by all major German Telecoms, and presumably popular amongst the 26 million or so German households that have wireless. Of course the owners of the routers can change the default WPA key, but its a safe bet to assume that most people probably need to be reminded of this precaution. Germany's top criminal court recently made it illegal to offer wireless services that are not protected by a password, which is not a good sign that strong passwords are the norm.

How to reason about IT Security Risks

2010-08-25T02:01:00.000-07:00

I have been meaning for some time to post a link to this wonderful paper from late 2007 on the top information security risks for the then coming year. The paper was a collaborative work from several groups of security professionals, led by Gary Hinson, keeper of the fantastic NoticeBored site of security awareness material. The paper is excellent in that it clearly separates threats, vulnerabilities and impacts, and then creates risks as scenarios from the interplay of these three collections, with controls coming as final recommendations. The whole approach just seems so clean and sensible, and demonstrates the distinctions amongst risk terms which sometimes get lost in our daily language.

Now added to my IT Risk collection on Scribd, thanks to Gary Hinson for removing the copyright protection.

Recent PhD Thesis on IT Risk Management

2010-08-24T13:30:00.001-07:00

The 2008 PhD thesis of Domenico Salvati from the Laboratory for Safety Analysis at ETH, Zurich, on the Management of Information System Risks is available online. Salvati presents a structured approach to the IT risk management process which has some novel differences as compared to the more familiar frameworks. The thesis contains a long examples on computing the risk of a brute force password attack, and the risk of phishing attacks. The work has a very practical flavour as Salvati was sponsored by Credit Suisse for the thesis, as part of ZISC.

You can find a short bio on Domenico as part of the upcoming hashdays security and risk conference in Zurich.

Evidence that the McEliece Cryptosystem is resistant to Quantum Computing Attacks

2010-08-19T15:15:00.001-07:00

A paper was posted on the preprint server Physics arXiv showing that the McEliece public key cryptosystem is resistant to efficient quantum algorithms based on the ideas of Shor’s algorithm, which famously yielded an efficient method for factoring integers. From the abstract

Quantum computers can break the RSA and El Gamal public-key cryptosystems, since they can factor integers and extract discrete logarithms. If we believe that quantum computers will someday become a reality, we would like to have post-quantum cryptosystems which can be implemented today with classical computers, but which will remain secure even in the presence of quantum attacks. In this article we show that the McEliece cryptosystem over rational Goppa codes resists precisely the attacks to which the RSA and El Gamal cryptosystems are vulnerable---namely, those based on generating and measuring coset states.

Shor’s algorithm is a general method for computing the period of certain functions, and it can be applied to computing the orders of elements modulo a composite number for example (see my post Quantum Computing: are you Shor? for some details). Shor’s algorithm is not directly applicable to the McEliece cryptosystem since it is based on a hard problem from coding theory, and is not obviously solvable by computing periods of functions. The new paper seems to demonstrate that no connection will be found.

However the authors caution that there may be another quantum approach distinct from the principles of Shor’s algorithm that efficiently breaks the McEliece cryptosystem. On the other hand, there is a growing consensus that NP-complete problems do not have efficient quantum algorithms (see the diagram in this post), and the McEliece cryptosystem is based on an NP-hard problem (which means it is at least as hard as an NP-complete problem).

There is also a nice background post on the physics arXiv blog.

Password preferences of Spanish speakers

2010-08-17T04:38:00.001-07:00

Imperva recently announced an update to their analysis of the 32 million passwords that were exposed by the RockYou site earlier this year. The update is concerned with a specific analysis of the spanish passwords included in the breach, of which there were just over 2 million. Imperva together with Spanish marketing firm Agua Marketing found the following breakdown of password preferences – note that almost half of the passwords are based on personal names.

The full report in Spanish is here.

Short cryptography lecture from Scott Aaronson

2010-08-15T14:16:00.001-07:00

Here is a short cryptography lecture from Scott Aaronson, delivered as part of his Quantum Computing Since Democritus course given at the University of Waterloo, Fall 2006. The lecture gives a short text-based overview of crypto from mainly a complexity point of view, and discusses some of the implications of the “P = NP?” question for crypto.

Recent spike in reads of AES posts

2010-08-03T04:29:00.001-07:00

Just a note to say that over the last few days there has been a jump in reads on a few of my AES posts, in particular for Are AES 256-bit keys too large? and AES-256 and Reputational Risk. I can't find any obvious reason why, however these posts do appear amongst the top google search results for "aes 256" or "aes-256".

Detecting SSL/TLS legacy session Renegotiation

2010-06-11T15:26:00.001-07:00

Back in November I posted on The TLS Renegotiation Attack for the Impatient, which I hoped was a plain English explanation of this new weakness in SSL and TLS (at the end of the post you can find less plain explanations and links). The weakness was quickly addressed by the IETF a few months later. There is a new review of the attack from nCircle and also a link to the detailed steps that can be taken to specifically detect servers which still run legacy versions of the protocols susceptible to the attack.

The half-life of a YouTube video is 6 Days

2010-05-29T03:35:00.001-07:00

A very interesting chart from Business Insider which shows that a YouTube video gets half its views in the first 6 days of it being published, down from 14 days in 2008. By way of comparison, computer vulnerabilities have a half-life closer to 30 days, meaning that our video attention span is much shorter than our patching cycles.

The data is provided by TubeMogul.

An advance in Encrypted Search

2010-05-27T05:43:00.000-07:00

I recently posted in The Search for Encrypted Search an overview of the breakthrough last year made by Craig Gentry of IBM to search data while it is in encrypted form. The breakthrough was largely theoretical since the required computational overhead to support encrypted search is huge, which for example would increase the time for a Google search by roughly a factor of a trillion.

In such cases, it is always an open question as to whether the breakthrough will stand as an unimprovable milestone, or be the beginning of series of improvements towards a practical solution. We now have the first evidence that we are dealing with the latter case for encrypted search.

A press release from the University of Bristol in the UK reports that

Nigel Smart, Professor of Cryptology in the Department of Computer Science at the University of Bristol, will present a paper in Paris this week [Friday 28 May], which makes a step towards a fully practical system to compute on encrypted data. The work could have wide ranging impact on areas as diverse as database access, electronic auctions and electronic voting.

Professor Smart said: “We will present a major improvement on a recent encryption scheme invented by IBM in 2009.”

“Our scheme allows for computations to be performed on encrypted data, so it may eventually allow for the creation of systems in which you can store data remotely in a secure manner and still be able to access it.”

Together with Frederik Vercauteren, from the Katholieke University Leuven in Belgium, Smart has simplifed Gentry’s scheme so that it becomes more practical - not totally so, but an improvement. More information should be available after the paper is published.

A look back at posts in May 2009

2010-05-26T08:40:00.001-07:00

This time last year I made some of my favourite posts. First I celebrated that I had reached about 1,000 visits and 2,000 page views a month, and now I am about double that.

Rethinking Thresholds for Account Lockouts was a simple post asking if the 3-strikes-your-out password policy makes sense. I posted my second Password Roundup #2, and reviewed from Qualys their study on The Half-life of Vulnerabilities is still 30 Days.

I also developed some thoughts why web app bugs don’t get fixed in The $28,000 Question: Project vs. Production Risk, after Jeremiah Grossman estimated that 28,000 well-spent dollars could fix the bugs at many sites.

On the crypto side I broke some news about The cost of SHA-1 collisions reduced to 2^{52}, and took a look at AES-256 and Reputational Risk. The AES post is now on the first page of a Google search for “aes 256” and has brought a steady flow of visits since last May, 1346 in total. I also asked if anyone could verify that the Total Internet computational power = 2^{85} operations, a statement I read in an ECRYPT report. I ended up contacting the authors and nope, no one knows where is came from. Sounds possible though.

I also posted The Sub-Time Crisis in Web 2.0, my thoughts on information overload in Web 2.0. I only used half the text I typed in from my written notes.

How To Password Protect Your Pen Drive

2010-05-26T08:15:00.001-07:00

A nice how-to article on protecting USB drives with a password and encryption using Windows Vista or 7 and Bitlocker.

Do you carry sensitive data in your pen drive? Then you should carefully keep your pen drive. Oh! You mean you are not that careful too. Then I would suggest that you should password protect your pen drive. Yes folks, you can do this by a simple method. This is an added advantage to Windows Vista and Windows 7 users that they can easily password protect their pen drives with the help of BitLocker Drive Encryption. Its an inbuilt feature of both of these operating systems.

iPhone, iPad, iBoard, iMat

2010-05-26T08:02:00.000-07:00

This is just great.

Shark Fin Posts

2010-05-26T08:01:00.000-07:00

I have been making daily posts this month, partly to see what people read on a given day, and what they keep on reading. Quite a few of the posts turn out to have a hit graph that looks like a shark fin. Here is the one for What is the LINPACK rating of Conficker?

What the graph shows is that there are no hits before the post is published (of course!), then a spike when it first appears and for a few days after, ending in just a few hits by a week later or so. After that it’s up to Google, industrious visitors or self-referential posting to raise the hits again.

Google could help enforce new German wireless protection law

2010-05-26T01:00:00.001-07:00

A German court has ruled that home users are responsible for creating password-protected home wireless networks, and failing to do so could result in a fine a 100 euros. The rulings stems from a case where a musician sued the owner of a home WiFi network for illegally downloading his music, but since the network owner was away on holiday, the open network was being used by another third party.

The maximum fine of 100 euros (or about $120) is about the same as a hefty speeding ticket, and with 26 million WiFi enabled German households, that could add up. All those Google Street View spycars could help out with enforcement of the law, since they have been collecting wireless information anyway.

Whit Diffie does the Can Can

2010-05-25T01:00:00.001-07:00

In Not so sunny for Whit Diffie I briefly posted on his unexpected exit from Sun soon after their acquisition by Oracle, and taking up a visiting academic position in the UK. Computerworld recently reported that Diffie has now landed a new position as vice president at ICANN, managing the security of their networks.

It seems he was just a bit too late to give his blessing to the recent commissioning of DNSSEC on each of the 13 authoritative names servers of the Internet. However there will be a formal key ceremony in June which may require a cryptographic high priest, or he may yet bag one of the coveted 14 crypto officers roles, to whom key recovery shares will be entrusted.

He also does a good impression of Gandalf the Brown.

Security Bloggers Network under attack?

2010-05-24T14:50:00.001-07:00

Update: This is a hoax mail leading to a rogue site, so please don't click it. Check out the Lijit blog for details (via Alan).

Just got this from Lijit, the hosting firm for SBN

Facebook juggernauts towards 500 million users

2010-05-24T01:00:00.000-07:00

AllFacebook.com has observed that, based on linear projections of current sign-up rates, Facebook will pass the 500 million user milestone by the end of June. Using population data published by the CIA, we will therefore soon have the situation where only China and India as countries will have more people than Facebook (1.33 and 1.56 billion respectively). Projecting further, Facebook will have twice as many people as the US by year end (around 600 million), and approximately a billion dollars in revenue as well.

It remains to be seen whether the current privacy backlash against Facebook introduces unpleasant non-linearities into these projections. A recent informal poll taken by Graham Cluley of Sophos, found that almost two thirds of the 1588 respondents are considering leaving Facebook. If we round up the respondents to an even 1600, and noting that Facebook has more than 320 million users currently, the survey represents a sample of less than 0.0005% of all users (that’s just 5% of 1% of 1% of the total). Even so, PC World has reported the survey under the headline Study: 60 Percent of Facebook Users Mulling to Quit which, I hope you will agree, is a bit grandiose. This is an example of how the non-linearities of reputational risk start accruing against a company with widespread and sustained bad press - and more will follow.

Privacy may yet be the Black Swan of Facebook.

Password Strength Infographic

2010-05-23T01:00:00.000-07:00

Interesting password graphic from CXO. I am not quite sure what the people axis is meant to show, or exactly what social class is represented by a Douche. In any case, the examples were verified by Google’s password strength meter, and give a good visual the password spectrum (click to enlarge).

Y2Gay: gay marriage from the database perspective

2010-05-22T01:00:00.000-07:00

This is a quite interesting post which the author describes as a “stream of consciousness about equal parts nuptial rights and Structured Query Language”. The author is actually taking a serious look at how to redesign your database to accommodate gay (same sex) marriages, with quite a few amusing digressions. After outlining 14 detailed steps to follow for the transformation, the conclusion is that

Perhaps the simplest solution would be to ban marriage outright. Or, better yet, to declare everybody as married to everybody else. But then what would the database engineers do all day?

There are 145 comments as well.

Why have there been so many Natural Catastrophes of late?

2010-05-21T01:00:00.001-07:00

The Freakanomics blog reports that Foreign Policy magazine has responded to concerns that we are living in particularly harrowing times, experiencing more than our share of natural disasters. But FP reports that we are not. What we actually have is a heightened awareness that these events are occurring thanks to rapid and prolonged media coverage.

Based on U.S. Geological Survey records dating back to 1900, the Earth experiences 16 major earthquakes per year on average, where a major quake is one whose magnitude is 7.0 or more. There were only 6 major quakes in 1986 but 32 in 1943. And this year? 6 so far, so we might be headed for an above average year, but not an extreme year. However there is an increase in the loss of life from earthquakes (650,000 people last decade) due to the expansion of urban sites into fault zones. This is another factor which increases media coverage of these tragedies.

Conficker, RSA and RC4

2010-05-20T01:00:00.000-07:00

I was reading the excellent paper An Analysis of Conficker's Logic and Rendezvous Points from SRI and was surprised to learn that Conficker botnet updates are distributed at its rendezvous points as encrypted and signed binaries using RC4 and RSA (the “R” in both cases here stands for Ron Rivest). Both the A and B variants of Conficker use these checks to ensure that the updates have been created by the Conficker authors – just like any other software vendor issuing updates and patches. The paper depicts the update process as follows

So each Conficker client carries an RSA public key E for signature verification. A Windows binary file F is encrypted and signed as follows

Hash F to produce a 512-bit hash M
Encrypt F with RC4 using M as the key
Sign M using private key D

A Conficker client authenticates the encrypted binary as follows

Using the embedded public key E, compute the signature verification to recover M
Decrypt the encrypted binary using RC4 and M as the key
Verify that the hash of F is in fact M

For Conficker A, the RSA key is 1024-bits and 2048-bits for Conficker B, both of which are listed in the paper. That’s a large public key for Conficker B but it is dwarfed by the 512-bit symmetric key used in RC4. Yes RC4 can support such huge key sizes, and I will explain in a future post how this is possible.

Phishing and scamming in the new Top Level Domains

2010-05-19T01:00:00.000-07:00

Earlier this month was the historic event of non-Latin domain names being introduced on the Internet by ICANN. While half the global internet population does not have a Latin language as their mother tongue, sites can now have Arabic names for example and eventually Chinese, Thai and Tamil.

At the blog of security company Sûnnet Beskerming they have a post which points out some security risks associated with the new non-Latin names

A risk, which isn't immediately obvious, is that this opens up a new world of opportunity for scammers and phishers to register domains that will visually appear very similar to legitimate sites in the address bar, but which will have a base address significantly different, thanks to being registered in a non-Latin script. By relying on alternate character rendering, this could cause problems for users who may not be able to determine the slight differences between otherwise similar looking characters. It also means that software and tools designed to help detect phishing or XSS attacks will have to expand their repertoire significantly to interpret and assess a much broader range of character and rendering sets.

The opportunities for typosquatting will probably multiply, and the Register recently reported this market to be worth almost half a billion dollars annually now. You can read more about this market in Measuring Typosquatting Perpetrators and Funders by Tyler Moore from Cambridge University.

Two universities rethink Gmail migration plans

2010-05-18T01:00:00.000-07:00

The University of California at Davis (UCD) and Yale University were considering moving their email systems onto Gmail, but both have put those plans on hold for the moment. The CIO of UCD, Peter Siegel, said that he was not prepared to risk the security or privacy of the school’s 30,000 faculty and staff.

Yale has delayed a more general migration to Google apps, including Gmail, citing security and privacy concerns over cloud-based management of their data. Michael Fischer, a computing professor, said that

Google stores every piece of data in three centers randomly chosen from the many it operates worldwide in order to guard the company’s ability to recover lost information — but that also makes the data subject to the vagaries of foreign laws and governments, Fischer said. He added that Google was not willing to provide ITS with a list of countries to which the University’s data could be sent, but only a list of about 15 countries to which the data would not be sent.

So there is a concern that the personal data of students and faculty is being stored outside US jurisdictions. However neither UCD or Yale ruled out migrating to Google cloud applications once there was adequate transparency for the protection of data.

10 Reasons Why Microsoft's Internet Explorer Dominance is Ending

2010-05-17T01:00:00.000-07:00

It has been widely reported recently that Microsoft’s share of the global browser market has fallen below 60% for the first time. If this trends continues then Firefox is forecasted to overtake IE by Christmas 2012. Don Resinger at eWeek has given his reasons why IE is losing market share (and also mind share) as follows

The European Union
Microsoft's complacency
Internet Explorer's security
Rebounding from IE 6
The features aren't there
The Google conundrum
The united fight against Microsoft
The educated user
No-names are actually doing well
Microsoft is still lost on the Web

Numerical Palindromes

2010-05-16T01:00:00.000-07:00

Someone at work put up the following pattern on a whiteboard

1 x 1 = 1
11 x 11 = 121
111 x 111 = 12321
1111 x 1111 = 1234321
11111 x 11111 = 123454321
111111 x 111111 = 12345654321
1111111 x 1111111 = 1234567654321
11111111 x 11111111 = 123456787654321
111111111 x 111111111 = 12345678987654321

So squaring a number that is all 1’s gives a numerical palindrome. Why?

Well there is a nice simple visual answer

Great Security white papers and briefs from Damballa

2010-05-15T08:33:00.000-07:00

Security provider Damballa has a great collection of what papers and briefs for download. I have listed a few below, most of which have already been uploaded to Scribd

Also don’t forget the recommendation I made on the technical overview at Compass Security, a Swiss company, about a year ago.

6 Hot And Sought-After IT Security Skills

2010-05-15T01:00:00.000-07:00

Dark Reading has reported a short list of desirable skills in IT Security, partly because the “IT security job market is booming”. Apparently you’re quite marketable (particularly in the US) if your resume includes

Incident-handling/response
Compliance know-how
Risk management
Business acumen
Government security clearance
Leadership experience

Frankly, I think if you had a sufficient quantity of skill number 4 you would not be in IT Security.

Privacy degradation at Facebook

2010-05-14T14:02:00.001-07:00

The EFF has an article on the changes to the privacy policy at Facebook over the last few years noting five significant changes (downgrades) since 2005. In short Facebook has flipped from a private social network to one where your data is largely public by default, mainly since Facebook can profit by selling this information to advertisers and business partners.

Here is the 2005 privacy language

No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

and the April 2010 version

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. ... The default privacy setting for certain types of information you post on Facebook is set to “everyone.” ... Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection

Quite a change. Matt McKeon has produced an interesting interactive infographic to depict privacy erosion on Facebook over the last 5 years

1733 default vendor passwords now online

2010-05-13T16:38:00.000-07:00

cirt.net has made 1733 default passwords for almost 400 vendors available online as a searchable database, complete with a FireFox plugin. Changing default passwords is security basics but its not always followed. Last year an Australian student wrote a worm which compromised jailbroken iphones with SSH installed where the default password had not been changed.

The Swan Song of Mark Curphey

2010-05-13T01:00:00.000-07:00

About two months ago Mark Curphey (Security Buddha), in a confessional post, informed us all of his intentions to move on from IT Security, and reinvent himself 2.0-style into web technology, agile development, social software and user experience. He gave his reasons for moving on as follows

For the last few years I have grown increasing disillusioned with the security industry to the point where after nearly two years of thinking and talking about it I have decided that it’s time for me to move on. There is a long list of frustrations and I have seriously thought about a last detailed shot over the bow with some home truths as I see them. The reality is it will probably not be productive. I had commentary about the security circus and the clowns, ring masters and performance artists that play in the big top; commentary about the lack of genuine computer science that finds its way into security; commentary about the lack of business science that is being adopted (why aren’t security people obsessed by Freakonomics?); commentary about the sad fact that for the most part we are still doing “the same old shit” 15 years after I first started (the definition of insanity is to do the same thing twice and expect a different result); commentary about the farce of PCI (and related standards) and people caring about trivial issues (easy to understand and sensationalist in nature) when looming holes that could have major impacts go unnoticed …….I could go on. People thinking they need “purple dinosaur” features in their security software because some marketing spin says so and commentary about the sheer FUD being pumped out by the marketeers. I have watched an industry spin out of control largely paying lip service to the term risk and watched sectors of it become largely irrelevant outside of their own self-fulfilling set of prophesies. When things go right no one notices (at least outside of security) and when things go wrong everyone points fingers. That’s a tough place to be impactful and remain positive.

A tough place to be impactful and remain positive. Mark’s new blog is here, and he still seems to have a few comments to make on security yet.

Some quotes from my first 200 posts

2010-05-12T01:00:00.001-07:00

My 200th post was sent the No Tricks blog yesterday, and to celebrate here are 30 or so quotes I quickly selected out of those posts.

The No Tricks Blog Name

The American basically asked "Why are you guys doing so much better than us?". The Japanese businessman is shown extending his fingers and counting off as he says "Your managers are greedy, your workers are lazy, and ...". But before he can finish even just the most obvious reasons, the American interrupts impatiently and says "I know, I know! But what's the trick?"

Does IT Security matter?

Excel is your new best friend

Goodbye Yellow Brick Road

We can also stop beating ourselves up on the point that the weakness of IT Risk is the absence of data - the real weakness is poor modelling, and the decisions based on the output of such models.

Anonymity at the Edge

Mr. Egerstad has stated that there is no security flaw with Tor - the real threat comes from user expectations that their message contents are being protected end-to-end by Tor, when in fact encryption is only applied to internal Tor network communication.

A Blackish Swan for Debian Crypto

Flaws related to encryption always make good copy, and on occasion, strike at the heart of our fundamental beliefs in security. When encryption falters the whole edifice of security seems shaken.

Are AES 256-bit keys too large?

This may seem an odd question given that since the mid 70's discussions about cryptographic keys have been mainly concerned about their potential shortness.

The Cold Boot Attack

The Princeton team asked Nature the simple question of whether DRAM is cleared on power loss, and the simple answer is no.

Long Tail of Vulnerability for A5/1

A5/1 has operated unchanged for the last 21 years but it has now reached its cryptographic end-of-life, engulfed by the march of Moore's Law.

Quantum Computing: are you Shor?

Intel's leading chip line, the x86, has steadily progressed from 286, 386, 486, Pentium and so on, but quantum computers will not be "1000-86" devices - unimaginably faster versions of what we have today.

Risk Factors for AV Scanning

Kapersky has decided to make AV scanning more efficient not by making it faster but by doing less, as determined by risk-based criteria.

Some Black Swans in IT Security

It is common that once the torch of enterprise risk management is kindled in the higher corporate echelons, it is passed down the ranks and settles with IT Security people to assume responsibility for the management of IT Risk. And these people are ill-equipped to do so.

The spin on passwords for AES

Perhaps this reasoning prevailed at Adobe when they recently upgraded their document encryption scheme from AES-128 in v8 to AES-256 in v9. However Adobe later had to announce that v9 in fact offers less security against brute force attacks as compared to v8. What went wrong? They forgot about the spin.

Not One in a Million, but a Million and One

Risk management is about making decisions today that will protect us from the uncertainty of the future. We are not looking for one in a million (the expert) but rather a million and one (the power of many).

Moore's Lore and Attention Crash

We feel more informed, more empowered, and more enamoured with the promise of the omnipotent web. The web 2.0 narrative has worked its magic and we tacitly commit into a seemingly virtuous circle of information inflation.

Twitter as your Personal Content Proxy

Navigation and search are just for people who don't have any friends.

Scoble's Law of Twitter

Disconnect from Twitter when you are receiving more than one tweet per second.

The Positive Trust Model and Whitelisting

The AV blacklisting industry has reached a point of diminishing returns - the marginal value of producing additional signatures is minimal, but the underlying model can offer no more advice than to simply keep doing exactly that.

The Wisdom of a Random Crowd of One

It could be said that PageRank is one part brilliance and two parts daring.

“One Way Hash” Arguments

Often business has the “snappy intuitively appealing arguments without obvious problems” - plus Excel … Snappy and plausible usually wins out over lengthy, detailed and correct.

The Relegation of Security to NFR Status

The observation here is that the security function is no longer called upon to critically underwrite the security risks of a project, with the option to reject.

Marcus Ranum and the Points of No Return

Compound this disconnect between management and technical people over hundreds of thousands of projects at the corporate, national and international levels, spanning the last 3o years, and you have the disaster Ranum is describing (and lamenting).

The Sub-Time Crisis in Web 2.0

The worst case scenario for Web 2.0 is that we are heading for a singularity, precipitated by dividing our attention into informational units effectively rated at zero content.

AES-256 and Reputational Risk

Imagine you posed the following question to a group of top physicists. You asked them to present you with ideas for new research projects where they could assume that the budget included all the money that we have, all the money that has ever been, and the total financial assets of the world for the next 10 million years. Would the resulting proposals be credible?

AES-256 puts cryptanalysts on the same research agenda.

A Risk Analysis of Risk Analysis

So for complex decisions that potentially have the greatest impact in terms of costs and/or reputation, in exactly the circumstances where a thorough risk assessment is required, transparency rather than rigour is the order of the day.

How will my loved ones break my password?

Doctorow remarks that the surprising outcome of this process was the realisation that we are missing a well-known service for handling key escrow in an era of military grade encryption being available to home users.

Thoughts on the Cult of Schneier

I don’t really think that there is a cult in operation over Bruce Schneier, but rather a hero was found when security as an industry needed to believe in heroes.

The Size of our Security World

When I look back at crypto now it seems of similar consequence to the proportions of the Sun and Antares - not merely because my professional interests have changed, but in the vast equation that constitutes ERM, crypto is a variable with minor weighting. Its gravitational force is largely exerted on specialists, and rapidly declines (much faster than the inverse square law) beyond that sphere. It's just a pixel on the football-field sized collage of ERM.

How big is 2^{128}?

So that’s 1,000 years of computation by a cluster that would envelope the earth to a height of one metre.

The TLS Renegotiation Attack for the Impatient

There are many posts and news articles of late on the TLS Renegotiation Attack. I had hoped that just by skimming a large number of these that some process of web osmosis would magically transfer an understanding of this vulnerability to me.

Not so sunny for Whit Diffie

In the short term (and maybe the longer term as well) Diffie sees the cloud as a matter of trust. He advises to pick your supplier like you pick your accountant.

The Internet Repetition Code

For each of us the web is a noisy channel, which we express through the need to search, subscribe, aggregate, recommend, post, tweet – in short a great cull of what finds its way onto our screens.

Security Muggles

And while the traits of detail, accuracy and correctness are necessary for IT activities, they are fundamentally at odds with the type of messages and opinions that senior managers are expecting.

The USB Password Vulnerability

Some articles and posts have focussed on verifying passwords in software as the culprit, which is partly true, but the real issue is not software but insecure programming of software.

In Search of Encrypted Search

Gentry has estimated that building a circuit to perform an encrypted Google search with encrypted keywords would multiply the current computing time by around 1 trillion.

The Tab Power Law for Firefox

2010-05-11T01:00:00.000-07:00

Mozilla has released its 2010 Q1 analyst report on the state of the internet. The report was created to "provide a high-level view of key metrics on an ongoing basis and to share some interesting insights". Well, its a little short at 12 well-spaced pages, and the summary bullets are not that exciting

Firefox’s worldwide market share hovering near 30%
Firefox adoption is growing most dramatically in Russia
People start their work day earliest in Hawaii and Wyoming; latest start to the day is in New York
People in South American like applying Personas (themes) to their browser; people in Antarctica love add-ons

For me the most interesting observation was the number of open tabs people work with in FireFox, as shown in the graph below.

Most people use 2 to 3 tabs, however the maximum observed value was over 600! Also, since the median is 2.9, over half the people use almost 3 or more tabs. The graph above clearly has a power law structure, and in this case, quite a long tail.

Elliptic Curves in ASCII

2010-05-10T01:00:00.000-07:00

There is a new Internet draft on Fundamental Elliptic Curve Cryptography Algorithms by D. McGrew of CISCO and K. Igoe of the NSA. The NSA author might seem out of character for that particular 3-letter agency, but it's no secret that elliptic curves are the NSA’s preferred form of public key system over RSA. It is somewhat impressive that the authors would even attempt to write up such a complex mathematical topic using the ASCII formatting that the Internet Society has insisted on for several decades now. ASCII used to be the lowest common denominator for formatting in the 70’s, but surely now it is HTML or PDF.

Be that as it may, the document is well written and builds up elliptic curves from the basics of modular arithmetic, groups, finite fields before defining elliptic groups. Of course not all types of curves are examined – the document would need to be much longer than 20 pages – but it is self-contained. The section on the security of elliptic curves is a quite short however. After developing the required terminology and background, the authors focus on defining a method for elliptic curve signatures based on the work of two Japanese researchers Koyama and Tsuruoka. This signature variant was probably chosen to avoid any intellectual property issues with more well-known methods that are heavily patented, particularly with respect to efficient implementations.

An interesting read as long as you can handle sustained Courier font. If you are looking for some more background on elliptic curves for security please take a look at Luther Martin’s posts at Voltage, and 4 are listed below ASCII girl

What are the CISO's most useful instruments?

2010-05-09T08:58:00.000-07:00

Matthew Hackling, provider of outlandish security punditry from an Australian perspective, has posted a suggested list of artefacts that a CISO should have to act as the conduct of the information security symphony in an organisation,

Audit issue register (lead violin, sometimes a bit too screechy)
Enterprise risk register
Significant business unit risk registers
Compliance requirement register (the timpani)
Mapping of compliance requirements to your Information Security Management System (ISMS)
Control testing management reports and database
Management reporting template
Existing enterprise security plan and perhaps security plans of significant business units
List of business units by criticality
List of business processes by criticality within business units
List of business applications by criticality with function descriptions
Current security budget
Business case template and submission procedures
Document map of ISMS with status of documents within it (approved, under review, drafted, not started)
Organisation chart
List of security projects with budget and status
List of business projects by criticality to business success
Enterprise security architecture ( well at least the "zone model" with zones mapped to examples in the existing environment )
Data classification scheme

Infographic on Afghan scenarios with Prezi

2010-05-08T15:50:00.000-07:00

I, like quite a few other people, posted on the recent NYT article which showed a horrendously complex PowerPoint slide created to depict the situation in Afghanistan, and the challenges facing US military decision makers.

Another more informative view of the Afghan predicament can be found at a German site called The Afghan Conflict, which appears to be the result of collaboration between Marc Tiedemann and several colleagues to produce a visual map of possible scenarios in the conflict. From the site

When we started researching this topic we very quickly saw, that the debate whether to pull out the troops, staying or even enforcing is not too much about arguments, it’s a battle of possible scenarios. Every side seems to have their own positive and negative visions of how things will happen in the future if certain steps are done. The resulting map The Afghan Conflict - A Map of Possible Scenarios is the attempt of a summary of the most popular possible scenarios around the afghan conflict, according to a pullout or stay of the Allied troops. And is based on interviews with journalists, politicians and political foundations.

The resulting scenario map is quite large and the authors have not tried to compress it onto a single PowerPoint slide for convenience of presentation (double click the image below to see a larger version).

The scenario map is available as a poster but also as a Prezi animation which allows you to navigate across the scenarios and zoom in and out of detail (I cannot find a way to link to the Prezi animation directly so you will have to view it from the The Afghan Conflict site). I will have more to say about Prezi in future posts, and it appears to be a good navigation tool for complex “infoscapes” like the Afghan situation. In the meantime please take a look at the showcase presentations at the Prezi site.

OpenSAMM Assessment Spreadsheet v0.4 available

2010-05-08T01:00:00.000-07:00

OWASP has a project called OpenSAMM, or the Open Software Assurance Maturity Model (SAMM). There is an audit framework for OpenSAMM, implemented as a spreadsheet with about 80 questions, grouped into collection of business functions and security practices. You can get the spreadsheet here.

Cute Cloud Computing graphic

2010-05-07T04:00:00.000-07:00

(source)

Projection: Firefox overtakes IE by Christmas 2012

2010-05-07T01:00:00.001-07:00

It has been widely reported that the global market share for Microsoft’s Internet Explorer has fallen below 60%. While pundits, commentators and technologists discuss the future of IE, Zack Whittaker at ZDNet has done “a bit of maths” and produced the following extrapolation, showing FireFox passing IE market share around December 2012.

Assuming Zack has done his Excel sums correctly, the prediction is still pure data extrapolation. The last year has been extremely unfavourable for IE with its security flaws and the playing out of the European anti-trust case against Microsoft. Redmond may still be able to turn the prediction around.

When we understand that slide, we’ll have won the war

2010-05-06T01:00:00.000-07:00

The title is a comment reported in the NYT by Gen. Stanley A. McChrystal, the leader of American and NATO forces in Afghanistan, when shown the PowerPoint slide below (see a larger version here)

The slide was meant to depict the complexity of American military strategy in Afghanistan, and it seems to have over-succeeded. Apparently PowerPoint is not just an obsession with business managers but also with senior military commanders as well. But behind all the PowerPoint jokes are "serious concerns that the program [PowerPoint] stifles discussion, critical thinking and thoughtful decision-making”. The following observation is quite insightful

[PowerPoint] slides impart less information than a five-page paper can hold, and that they relieve the briefer of the need to polish writing to convey an analytic, persuasive point. Imagine lawyers presenting arguments before the Supreme Court in slides instead of legal briefs.

But even with mounting reservations over the ability of PowerPoint to usefully represent military situations, no one is forecasting any change – it is just too embedded in the military, as it is elsewhere. And while “no one is suggesting that PowerPoint is to blame for mistakes in the current wars”, it takes a great deal of time with PowerPoint to keep a war going, let alone end it.

The power limit of Cloud Computing

2010-05-05T01:00:00.001-07:00

In February I posted on Lew’s law, a prediction by former SUN CTO Lew Tucker stating that IT expenses will increasingly track to the cost of electricity. Tucker gave a keynote presentation on The Ultimate Cost of Computing at the recent Cloud Connect conference, where he gives some more insights into his views on the evolving cost model for cloud computing.

Tucker begins by stating that the driving forces of cloud computing are technology and the market, symbolised by Gordon Moore and Adam Smith (the author of the invisible hand of the market). He shows that Moore’s law, the doubling of computing power every 1 – 2 years, continues to be achieved by the microprocessor industry as a whole, with computing power increasing by a factor of one million over the last 40 years.

In the last few years these gains have been supported by multi-core processors, issues with power consumption, chip cooling and production costs invalidate the assumption that smaller components are the most cost effective strategy to increase processing capability. The future probably then lies with more chips of a given complexity rather than with chips of increased complexity. So Moore's Law may actually be maintained but not for the reasons that Moore predicted (increased chip density).

A key question for Lew is whether cloud service providers can pass on the benefits of Moore’s law to customers. Already the cost per hour of a CPU (instance) has dropped from $1 to less than two hundredths of a cent over the last 15 years.

But what are the real costs of cloud computing? Are faster computers the deciding factor? Apparently not - it's administration and power consumption.

Cloud computing wins by leveraging automation, virtualization, dynamic provision, massive scaling and multi-tenancy, which all lead to power becoming the dominant cost (mainly for scaling and cooling). And data centre power consumption has already doubled in the last 5 years

So Lew’s law can now be started as

In the cloud, the cost of computing will continue to fall bounded only by cost of energy

Being an ex-SUN man, Lew must take some delight in this final slide

Conficker and your health

2010-05-04T01:00:00.000-07:00

A USB stick inserted into a terminal in one of its car parks is being blamed for a massive Conficker infection of Waikato hospital in New Zealand that broke out last December. Over a 3 day period this incident infected 3,000 computer on the hospital network, impacting around 5,000 hospital staff. A full report on the incident is still forthcoming, but a USB-borne strain of Conficker is expected to be named as the culprit. A similar incident occurred in the server of the NHS in Leeds earlier in the year.

A look back at posts from April 2009

2010-05-03T01:00:00.001-07:00

As April has just passed by, let’s take a quick review of what I was blogging about in that month last year

There were a couple of posts on entropy, the first NIST, Passwords and Entropy a review of NIST’s approach to specifying password policies based on entropy and the second On the Entropy of Fingerprints, which found some research to indicate that password entropy is much lower than fingerprint entropy.

I also had a bit to say about a “rant” in Marcus Ranum and the Points of No Return where Ranum stated that the cumulative effect of many business-driven IT decisions taken over the last three decades have rendered a grand IT failure all but inevitable. I followed that post up with The Relegation of Security to NFR Status which examined the weakened position of security, and IT in general, in decision-making processes.

There was a wonderful post by Julian Sanchez on his Climate Change and Argumentative Fallacies blog where he coins the term “one way hash” arguments, by which he means the asymmetric amount of effort required to pose a plausible argument as opposed to the effort required to debunk it. I think we face the same problem in IT risk and security as I said in “One Way Hash” Arguments.

I also reposted The Data Centric Security Model (DCSM) with a link to the full document on Scribd, as the old link stopped working. The document remains very well read with about 3,000 views in total today. Some security documents on Scribd gave links to other documents I uploaded, and you can see all the categories here (called collections by Scribd).

I announced in ENISA and Security Awareness that I would be speaking at an upcoming ENISA conference, which was a very successful get together. My slides can be found here and let me point you to a great awareness presentation from Robert Hadfield of British Airways, which has just over 1700 views on Scribd.

Zero Knowledge Proofs was a longish non-technical introduction to this complex topic, and it has remained one of my posts that has a steady number of readers. I also started Password Roundup #1, with my intention to create a series of posts on password issues, which always figure regularly in security news. I got around to a second round-up about a month later but have stalled since then – not due to lack of material. Instead of waiting for me, please take a look at the Reusable Security blog by Matt Weir which is devoted to password issues and analysis.

Finally, I started to post some of the FreeMind maps I create to gather my thought son more detailed posts in Three Security maps in FreeMind and Flash. Since then I have published all my FreeMind maps, including some that don’t relate directly to articles.

Crowdsourcing CAPTCHA cracking

2010-05-02T01:00:00.000-07:00

The NYT has reported on the practice of outsourcing the breaking of captchas to people in Bangladesh, India and China. The work is neither glamorous nor well-paid at 80 cents to $1.20 per 1,000 solved captchas, however there seem to be enough takers nonetheless. The work is farmed out through online exchanges like Freelancer.com, where for example an operator in Bangladesh runs an operation turning out captcha solutions 24 hours a day, seven days a week.

Macduff Hughes, an engineering director at Google says that “Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve captchas proves that the tool is working.” So we should see captchas as a deterrent rather than a foolproof way of distinguishing people from malware. In fact if people are being employed to break these little authentication puzzles then they are working as intended – to make sure that a person is behind the answer – unfortunately malware is masking a mechanical turk. The inventors of captchas probably did not expect that solving these puzzles could be farmed out so easily using Web 2.0 technology.

The bigger threat probably comes from the direct computer solution to captchas, which can be scaled and provide solutions in real time. I recently posted on the very thorough analysis of the Koobface botnet at abuse.ch, including a section on its captcha breaking network. The captchas are broken in at most 3 minutes, and in many cases just a few seconds. There is also evidence presented by Webroot that audio captchas are also being broken in real time by automated means.

1-in-300 Facebook accounts hacked, and now for sale

2010-05-01T13:57:00.000-07:00

There are several reports stating that one and half million Facebook accounts are for sale on an underground forum by a hacker calling himself Kirllos, which equates to about 1 account in 300 being up for grabs. VeriSign's iDefense group estimates that almost half of the accounts have been sold already.

Kirllos' is asking $25 for 1,000 users with less than 10 friends or $45 for those with eleven or more. This is quite cheap given that e-mail IDs and passwords typically go for between $1 and $20 per account, and credit card and bank account credentials can go up to $30 for credit cards and $850 for bank accounts.

As usual, Facebook users should check their passwords.

What is the LINPACK rating of Conficker?

2010-05-01T07:46:00.001-07:00

Rodney Joffe, senior vice president and senior technologist at the infrastructure services firm Neustar, gave a keynote presentation on Cloud Computing for Criminals at the recent Cloud Connect conference. Joffe presents some figures which show that the computational size of the Conficker botnet dwarfs the current commercial offerings, based on measuring the number of systems, the number of CPUs and available bandwidth. For Conficker these values are given (estimated?) as

6,400,000 systems
18,000,000+ CPUs
28 Terabits of bandwidth

These corresponding measures for Google are 500,000 systems, 1,500,000 CPUs and 1,500 Gbps of bandwidth, with Amazon and Rackspace providing significantly less resources. So Conficker is a massive ad hoc computational structure. But is Conficker really like a cloud service? Joffe says yes because

It’s available for rent
Choose your geographies
Choose your networks
Choose your bandwidth
Choose your OS Version
Choose your specialty (DDoS, Spam, Data Exfiltration)

and further the vendor has good qualifications

Much more experience (1998)
Larger footprint (Millions of systems)
Unlimited new resources (New malware)
No costs
No moral, ethical, or legal constraints

This all reminds me of a mail post by Peter Gutmann from 2007 called, World's most powerful supercomputer goes online, referring to the Storm botnet

This doesn't seem to have received much attention, but the world's most powerful supercomputer entered operation recently. Comprising between 1 and 10 million CPUs (depending on whose estimates you believe), the Storm botnet easily outperforms the currently top-ranked system, BlueGene/L, with a mere 128K CPU cores. Using the figures from Valve's online survey

http://www.steampowered.com/status/survey.html

for which the typical machine has a 2.3 - 3.3 GHz single core CPU with about 1GB of RAM, the Storm cluster has the equivalent of 1-10M (approximately) 2.8 GHz P4s with 1-10 petabytes of RAM (BlueGene/L has a paltry 32 terabytes). In fact this composite system has better hardware resources than what's listed at http://www.top500.org.

This may be the first time that a top 10 supercomputer has been controlled not by a government or megacorporation but by criminals. The question remains, now that they have the world's most powerful supercomputer system at their disposal, what are they going to do with it?

And I wonder what the LINPACK rating for Storm is?

And I wonder what the LINPACK rating is for Conficker?

No Tricks

Crypto from Tesco

Xobni becomes Smartr

Yoda Pie Chart - there is no Try

150,000 reads of my Scribd documents

The Other Binomial Expansion

SHA post as SPAM magnet

Fibonacci Pigeons

These aren’t the key management systems you are looking for

Liability for Risk Decisions

PageRank Increment for No Tricks

Jesus and spending a trillion dollars

Can you win the lottery too many times?

An unexpected business model for Angry Birds

All Eyes on Facebook

A short touching remark on 9/11

The “Half-life” of a bitly link is about 3 hours

Two victories for Randomness

Green IT Swiss Data Center presentation

US Grade Inflation Study

A 10% Tipping Point Threshold

iPhone Passcode Bias

DIPK Graphic

Block Cipher Bible coming

A Loch Ness Month

ISACA Risk Assessment Guidelines

No Tricks recently passed 50,000 visitors

How many users does Twitter have?

Freehaven papers on Anonymity

Trust and security in the cloud

iPad Competition is Toast

An example of redundancy in English

24 minutes with Bill Gates on career choices

Calculus vs. Probability

Protecting Your Information in the Age of WikiLeaks

2011 InfoSec Predictions from Zscaler Labs

Over 1,000 visits this month to old AES-256 post

Tutorial on Buffer Overflows

Internet Privacy as a Venn diagram

Snakes in Suits – the risks from psychopaths in the workplace

Just over 100,000 reads of my Scribd documents

BP and Trial by PageRank

Keyword Spamming with Infographics

References to Homomorphic Encryption

Five Lectures on Anonymous Communications

How to render SSL Useless – video version

HeadHacker Social Engineering site

Will there be an IT Risk Management 2.0?

The Blank Swan

Searching an Encrypted Cloud

Cool A5/1 back-clocking graphic

GPU Judgement Day for short Passwords

De-obfuscating the RC4 layer of Skype

Related articles by Zemanta

Uno, dos, DDoS

IT Security Trends FreeMind map from 2008

12 bits of default entropy for Speedport WPA routers

How to reason about IT Security Risks

Recent PhD Thesis on IT Risk Management

Evidence that the McEliece Cryptosystem is resistant to Quantum Computing Attacks

Related articles by Zemanta

Password preferences of Spanish speakers

Short cryptography lecture from Scott Aaronson

Recent spike in reads of AES posts

Detecting SSL/TLS legacy session Renegotiation

The half-life of a YouTube video is 6 Days

An advance in Encrypted Search

A look back at posts in May 2009

How To Password Protect Your Pen Drive

Related articles by Zemanta

iPhone, iPad, iBoard, iMat

Shark Fin Posts

Google could help enforce new German wireless protection law

Whit Diffie does the Can Can

Related articles by Zemanta

Security Bloggers Network under attack?

Facebook juggernauts towards 500 million users

Password Strength Infographic

Y2Gay: gay marriage from the database perspective

Why have there been so many Natural Catastrophes of late?