House key versus user authentication

key_goldI got an interesting question regarding the technologies we use for authentication that I will discuss here. The gist of the question is that we try to go all out on the technologies we use for the authentication, even trying unsuitable technologies like biometrics, while, on the other hand, we still use fairly simple keys to open our house doors. Why is that? Why is the house secured with a simple key that could be photographed and copied and it seems sufficient nevertheless? Why then, for example, the biometrics is not enough as an authentication mechanism by comparison?

Ok, so let’s first look at the house key. The key is not really an identification or authentication device. It is an authorization device. The key says “I have the right to enter” without providing any identity whatsoever. So the whole principle is different here: whoever has the key has the authorization to enter. That’s why we protect the key and try not to give it to anyone – obtaining the key or obtaining a copy of the key is equivalent to obtaining an authorization to perform an action, like using the house.

Now, even if you do have a key, but you obtained it without the permission, that does not make you the owner of the place. You are still an intruder, so if someone happens to be around, they will identify you as an intruder and call the police who will be able to verify (authenticate) you as an intruder with an improperly obtained authorization (key). So we have deterrents in place that will provide additional layers of protection and we do not really need to go crazy on the keys themselves.

Should we have an authentication system compromised, however, the intruder would not be identified as such. On the contrary, he will be identified and authenticated as a proper legitimate user of the system with all the authorizations attached. That is definitely a problem – there is no further layer of protection in this case.

In the case of the house, passing an authentication would be equivalent to producing a passport and letting police verify you as the owner of the house, then breaking down the door for you because you lost your key. Well, actually, issuing you with a copy of the key, but you get the point. The false authentication runs deeper in the sense of the problems and damage it can cause than the authorization. With wrong authorization you can sometimes get false authentication credentials but not always. With improper authentication you always get improper authorization.

Facebook “joins” Tor – good-bye, privacy!

Multiple publications are touting the announcement by Facebook of a Tor-enabled version of the social networking website as nothing short of a breakthrough for anonymous access from “repressed nations”. They think that the people around the world who wish their identity and activity online to remain hidden will now have a great time of using Facebook through Tor.

In my point of view, the result is just the opposite. The users of Facebook sign in and are tracked across a multitude of collaborating sites. Using Facebook through Tor will actually disclose completely the identity and the activity of the person using it. This information will become available across several user-tracking websites. The user will completely lose the anonymity they so strongly desired.

Mozilla Firefox Lightroom-578-80
Lightbeam for Firefox shows tracking of the user through different websites and tracking networks and how they share information with each other.

Facebook previously denied access to its social network through the Tor network citing security concerns. Surely, you do not think they decided to provide Tor access because they decided to be nice to those few who use Tor? Facebook is a commercial company under control of United States government and don’t you forget it. The move to bring in a few thousand Tor users is unlikely to have any positive impact on their business but will require to provide additional infrastructure. Therefore, Facebook is acting selflessly and causing themselves trouble for no commercial gain. I view such a move as extremely suspicious. Most likely, the company’s network will be used in online operations to unmask the identity of Tor users.

Of course, the proper way to keep your privacy online is to never use any social networks of any kind and discard every session after a short period and when switching activities. Searching for movie tickets? Use a session and discard it when done. Looking up the hospital’s admission hours? Discard when done. In any other case, the network of tracking sites will connect the dots on you. If you are to use the Facebook in the same session, your identity is revealed instantly and all of that activity will be linked to the real you.

We released too much of our privacy to the Internet companies already. They are now slowly dismantling the last bastions, one of which is the Tor network, under the pretense of fighting online crime. Facebook, having a history of abusing its customers, should not be trusted on these matters. Their interest is not in protecting your privacy, they will betray you for money, rest assured.

More on WordPress xmlrpc denial of service attacks

disable-xmlrpcThe attacks on WordPress using xmlrpc.php service are rather common. I already mentioned that you could filter out unwanted user-agents using the redirect capability of Apache. That would, however, take care only of obvious cases, where you see that this particular user-agent could not possibly be your reader. What do we do if the user-agent looks normal?

Well, if you do not need your xmlrpc services, you could block it off completely with mod_rewrite for all access:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_URI} ^/xmlrpc.php.*$
 RewriteRule .* - [F,L]
 </IfModule>

This will return a 403 for all requests. It is basically equivalent to what you did with “files” directive where you specify “Deny all” for a file path. This will block all access to xmlrpc completely though, for all purposes, so you will not be able to use the service at all. Which is not always acceptable.

But the good news is that the set of rules is extensible with other conditions and you could block only the requests with particular user-agent again now. For example:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{REQUEST_URI} ^/xmlrpc.php.*$
 RewriteCond %{HTTP_USER_AGENT} ^.*NET CLR.*$ [OR]
 RewriteCond %{HTTP_USER_AGENT} ^.*Mozilla/5.0.*Windows.*NT.*6.*$
 RewriteRule .* - [F,L]
 </IfModule>

And so this becomes an extensible list of rules. You check your logs, see suspicious requests and add them to the list of rules. Stack the additional rules with [OR] flag at the end of the condition line.

Now we have a set of rules that blocks some of the accesses to the xmlrpc based on the user-agent reported by the attacker. We could also add filtering by referrer or IP ranges and so on. The arms race, you get the picture.

In the news

I do not often want to comment the news so today is a special day.

The first piece is an article on the popular subject of NSA Web Surveillance quoting some well-known people starts off on a good direction but gets derailed somehow into recommending obscurity for security. Strange as it is we really should consider anonymizing our access to the Internet. The problem is though that we cannot anonymize the most important part of our Internet access where we real need our real identity and that is the part that delivers most information about us. Sorry, it is not going to work.

I was wondering earlier what the situation of Canada is in relation to the NSA scandal and the article on Canada’s part in NSA plan revealed that we cannot count on Canada to be impartial in the matter. They are in on it and quite likely Blackberry is no better choice than other U.S. controlled mobile phones.

I cannot remember when was the first time I heard that “passwords are dead”, it must have been years and years ago but this same mantra is repeated over and over again every year. Now the passwords are dead at Google. Well, tell you what, long live passwords!

And suddenly Vint Cerf, one of the guys at the beginnings of the Internet, is preaching for the devil. He is working for Google, of course, so his opinion that we all should “give up a degree of privacy in order to be protected” is likely Google’s, not his own. On the other hand, if you ask me I would say he should watch what he says, people believe him more or less unconditionally and his moral obligation is to not peddle the loss of privacy for all of us.

Here you go. I seem to disagree with nearly all of the news today. Which is good news!

What are NFC cards and how are they protected?

Ever since I posted an initial article “Hack NFC Door Locks” I see a steady stream of people that come with queries like “what’s the protection of an NFC card” and “how do you hack a protected NFC card”. Obviously, there is something out there interesting enough for people to begin inquiring.

What is an “NFC card”? As opposed to an “NFC device”, an NFC card is simply a contactless smart card. The NFC protocol allows for a great flexibility in choosing what you may name an NFC card and nearly anything in the vicinity and proximity card world can be termed an NFC card.

Most of the time though you will be dealing with the good old Type A and Type B cards from the ISO 14443 standard. Unless you are in Asia and then the chances are high you will be facing a Sony FeliCa card. There is nothing NFC about any of them except the new name. They are all good old contactless smart cards.

Now, to the question that actually interests most of the people seeking enlightenment, the protection of those smart cards can vary. What kind of protection is used depends more on the system that specified what kind of a card will be used there. So if we are talking about door locks we are likely to see the cheapest MiFare cards that can actually be broken comparatively easily. When we are in some banking applications, we are likely to see high-end smart cards with seriously mean security features.

Since NFC cards are “just” smart cards, you must be looking for the information on how to deal with the smart cards and all of that will be applicable to the NFC cards. The low end is fairly simple, often the system does not use encryption, the cards may be read out and copied with very little effort. In more serious systems the cards usually do not let themselves to investigation erasing the content at the least suspicion of a break-in.

The protection mechanisms may include (and this is not an exhaustive list, just off the top of my head):

  • Constant time execution of all routines
  • Checks of the execution state at regular intervals and at critical operation beginning and end
  • Encryption of all of the memory content or sensitive areas like key storage
  • Encryption of input and output, sometimes double encryption
  • No debug and error output, just lock up in case of an error
  • Sensors for temperature, light, voltage, current
  • Protective mesh over and in between layers of the chip with cut sensors
  • Stabilizers of current consumption and noise generators
  • Scrambled and encrypted buses and memory content
  • Parallel execution to compare results against tampering
  • Randomized circuit layout

Basically, there are two things there: (1) protection of the hardware against tampering and side channel analysis and (2) protection of the software against induced faults and side channel analysis. Typically, the designers work hard to make sure you have to defeat both to get any meaningful results. So to get a go at the smart card security, you are better off to search for a security lab that does smart card security evaluations and ask them to work for you.

I always assumed there are tons of literature on the subject although right now a quick search on Amazon proved me wrong, there is only a handful of books. Maybe I should write more on smart card security?..

Password recovery mechanisms – Part 1

Passwords remain the main means of authentication on the internet. People often forget their passwords and then they have to recover their access to the website services through some kind of mechanism. We try to make that so-called “password recovery” simple and automated, of course. There are several ways to do it, all of them but one are wrong. Let’s see how it is done.

Part 1 – Secret questions

A widespread mechanism is to use so-called “secret questions”. This probably originates with the banks and their telephone service where they ask you several questions to compare your knowledge of personal information with what they have on file. In the times before the internet this was a fair mechanism since coming up with all the personal information was a tough task that often required physically going there and rummaging through the garbage cans to find out things. Still, some determined attackers would do precisely that – dumpster diving – and could gain access to the bank accounts even in those times.

Right now this mechanism is, of course, total fallacy. The internet possesses so much information about you … It is hard to imagine that questions about your private life would remain a mystery to an attacker for long. Your birthday, your dog, your school and schoolmates, your spouse and your doctor – they are all there. It is hard to come up with a generic question that would be suitable to everyone and at the same time would not have the answer printed on your favorite social network page.

And even if it is not. Imagine that the secret question is “what’s your dog’s name?” How many dog names are there? Not as many as letter combinations in a password. And the most common dog names are probably only a handful. So it is by far much easier to brute force a security question than a password.

This mechanism of secret questions and answers is antiquated and should not be used.

There is a variation where you have to provide your own question and your own answer. This is not better. Most people will anyway tend to pick up the obvious questions. The attacker will see the question and can dig for information. The answer will usually be that one word that is easy to brute force. So, no good.

And, by the way, what should you do when you are presented with this folly on a website you use? Provide a strong password instead of the answer. Store that password in whichever way you store all the other recovery passwords. All other rules for password management apply.

So much for secret questions. In the next part, we will see how to do password recovery with a secondary channel.