Wednesday, April 20, 2011
#
A simple question...
Recently somebody asked me if it would be legal for a (mental) health care professional, e.g. Robert Smith, to send a client, e.g. John, the following e-mail:
Dear John,
Thank you for submitting your homework.
I have read it and added some comments
to it. You can read the comments on the
following site:
https://secured.site.example/login?id=ao87fsadfalksdf8usaflj
Robert Smith
And as additional question: does it matter if Robert Smith omits his family name?
... with a simple answer ...
In the Netherlands this mail would be illegal in almost all cases. The mere fact that John is under treatment by Robert Smith can contain information over the medical status of John. So that information should be protected according to the Dutch law on medical secrecy (for Dutch: that is part of the 'Wet op de Geneeskundige Behandel Overeenkomst', WGBO). And an e-mail is in the Netherlands not considered to be protected enough. The professionals family name is irrelevant here: with or without name the mail will reveal the relation.
... and a lot more to it.
But looking at it on a higher level, there is something fundamental underneath this question. The whole concept of medical secrecy is based on idea that a patient can sneak into the treatment room and that whatever happens in the treatment room stays in there. The introduction of e-health and e-mental health solutions changes the concept of treatment: you do parts of the treatment at home, or any other place where you happen to be. The world is now becoming one big treatment room, smashing the idea that we can keep information nicely controlled inside the treatment room. Even when both the health care professional and client do their best to keep the content of the treatment confidential (what is quite well possible), the fact that the treatment is going on, is almost impossible to hide. And protecting the content of the treatment itself will be hard in e-health settings. It needs a lot of work and knowledge from patient too.
So does e-health mean the end of medical secrecy? That would be a cynical paradox. Medical secrecy is important to ensure anybody feels free to ask for help, whatever the problem is. E-health can also vastly lower the barriers to ask for help. Killing medical secrecy would be an undesirable by-product of e-health.
This paradox once more underlines the need to rethink the concept of privacy. We can't keep information to our selves, it is out there whether we want it or not. We need to go back to the question why we want information about ourselves to be secret. From there on we might redefine 'privacy' from centered around 'having information' to centered around 'acting on information'. It is the only way to go.
Thursday, March 31, 2011
#
Atomic industry disinformation while the disaster happens
Last weeks, I have been following the accidents at the Fukushima 1 nuclear power plant closely. Overall there is a severe lack of details on what was happening at the plant. For a big part that is caused by the situation on the plant itself: the parts that matter most right now are inaccessible because of the high radiation levels. So it is impossible for anybody to completely asses the situation. Right in the beginning two organizations stepped into the information vacuum and offered good overviews of the available data: the Japanese Atomic Industrial Forum (JAIF) and World Nuclear News, the news channel of the World Nuclear Association (WNA). These organizations where the first to present exact data and analysis. But at the moment of the first hydrogen explosions at the plants, it became clear the JAIF and WNA were of little value. Let me explain that a bit:
In a nuclear plant there are two potential sources of hydrogen: splitting water by radiation and as by product when zirconium (used as casing for the uranium) reacts with steam and starts to burn. The first one is a small, but steady, source of hydrogen. I doubt if it would be enough to cause the explosions we have seen. So the reaction with the zirconium is the most likely suspect. But that reaction only happens at extreme high temperatures, temperatures close to the melting point of steel and just a little below the temperature needed to melt the zirconium itself. So once the reactors said 'boom', we could know almost for sure that some fuel rods had melted. And melting the fuel rods is by definition a meltdown. Although JAIF quickly admitted 'the integrity of the fuel was damaged', it took them two more weeks to use the word 'meltdown' for the situation in one of the reactors. What about the two other reactors with 'damaged fuel integrity'?
Experts with insight in the operation of nuclear reactors, like the JAIF and the WNA, could have known that the spent fuel pools could become a problem too: they can judge how much heath the spend fuel still emits and thus how long those pools can last without cooling. The operators know how much heat the spend fuel generates and the dimensions of the pool are also known. Once you know those two variables, it is trivial to calculate how long it takes for the water to start boiling and how long it takes before the water is boiled away if you can't cool the pools. The experts from the JAIF and WNA could easily foresee the problems with the spend fuel pools and should have warned for it. But contrary happened: The spend fuel pool of reactor 4 caused an hydrogen explosion, so the fuel rods in there must have boiled dry and must have been extremely hot and burning. Still the JAIF states the fuel integrity is 'possibly damaged'. Well, they are damaged for sure. 'Possibly damaged' would even for the spend fuel in reactor 3 be an understatement, that fuel is 'probably damaged', although JAIF just notices 'damage suspected'. The fuel of reactor 3 contains the highly radio-toxic plutonium, so extra precaution should be in place there. Not warning for the spent fuel pools is severe, because the spent fuel pools have only one containment: the outer building, while the reactors have three. So accidents with the spent fuel are far less contained.
For the next piece of disinformation, it is important to know there are three layers of shielding around the reactor: the inner shielding is the 'pressure vessel', an thick steel reactor vessel designed to operate under pressure and high temperatures. Around it is the 'containment vessel' an thick concrete bunker, build as extra shielding and to keep the nuclear fuel in, if the pressure vessel fails. The containment vessel is in its turn placed in the reactor building, a more or less normal industrial building. The JAIF reports the 'reactor pressure vessel structural integrity' as unknown for reactors 1-3. The containment vessel structural integrity' is reported as 'not damaged (estimation)' for reactor 1 and 3 and as 'damage and leakage suspected' for reactor 2. But looking at the pressure readings of reactor 3 there is something strange: the pressure inside the pressure vessel is lower then the pressure in the containment vessel, while water is injected into reactor 3 all the time. If that water can't go anywhere, the pressure should rise, like it did in reactor 1. But in reactor 3 the pressure stays low, partly even below the atmospheric pressure. That means the water can flow away to a lower point. Not very surprising: out of the pressure vessel, through the containment vessel and out of the reactor building are pipes to turbine building. And indeed: in the basement of the turbine building there is a pool of extremely radioactive water. The injection of the water has resulted in washing damaged fuel out of all containments into a different building. The valves that should have stopped that, must have failed. So the status of the containment vessels, as reported by the JAIF, are irrelevant here. What is relevant, is that the core of the reactor is washed out of its containment. But the JAIF and the WNA don't tell us.
Finally the JAIF has some reassuring words on the level of radioactive contamination around the plant. In each report they mention the radiation levels at the gate of the plant, which is raised, but not alarmingly. But there are more readings, readings from TEPCO on the site and other readings in the wide area around the plant. These readings are reported selectively and the readings given are often very outdated. Other sources, like the Japanese national television (NHK), report many more readings and those readings are much more alarming.
So even in the middle of the crisis the atomic industry is downplaying the risks. Evident damage is not mentioned, radiation readings are presented selectively and irrelevant reassuring information is presented. And this adds up to the bad track-record the atomic industry already has.
Saturday, February 26, 2011
#
While securing computer systems, quite often the usage of passwords is the weakest point of the security: it is hard to choose (and remember) a password that is not easy to guess. In all places where passwords are used, you can (at least theoretically) also use cryptographic keys. Cryptographic keys are, compared to passwords, much and much more secure: they are almost impossible to guess. They only have a big disadvantage: they are stored on a computer. If that computer falls in the wrong hands, the keys are compromised too. Of course, you can protect your cryptographic key with a password, but then we are back at the problem we started with.
Fortunately security engineers can pull one more trick out of their sleeves: smart cards. And I must say, I love them. By putting the cryptographic keys on a smart card, you can keep them separated from the computers you use them on. With more advanced smart cards the keys never have to leave the card: the card does the calculations needed to prove what needs to be proven and passes the results back to the computer. Such cards are also extremely hardened against attempts to read out the keys by examining the chip on it. And finally: these cards need a password to unlock, but after three failed passwords the card locks up. So an attacker only has three attempts to guess the password after that there is at least a big laboratory and a lot of experimenting needed to let the card reveal its secrets.
As I said, I love smart cards, I use them on a daily basis. I use them to unlock the encrypted data on my computer, I use them to log in on other computers and I use them to secure and authenticate my e-mail. But recently my faith in smart cards got some damage: while making the website thealiceandbobsuicide.org I realized smart cards add an other layer of abstraction to the picture. A password (if not sniffed or stolen by a key logger) indicates the right human is interacting in the system. With a smart card the right human interacts with the smart card and the smart card interacts with the other systems. Now we must not only trust in the computer, but also in the smart card. And so it becomes more and more impossible to verify what all these components are doing and whether they can be trusted. The technological advancedness of the smart cards are also their Achilles' heel: adding more technology results in less trust, not more.
So where to go from here? I don't know. But if we ever want to trust our computers, we need to make it more easy to audit them and not add more complexity to them.
Beste Politievakbond, beste Gerrit van de Kamp,
Met enige verbijstering heb ik kennis genomen van de uitspraken van Gerrit van de Kamp over het inbouwen van een achterdeur in encryptie systemen. Van de politievakbond had ik meer kennis van zaken en een kritischer houding verwacht.
Er zijn namelijk een aantal redenen waarom dit een uiterst slecht voorstel is:
- Het zal niet helpen om de grote vissen te vangen:
Het verleden heeft aangetoond dat, ondanks wettelijke maatregelen, encryptie zonder achterdeur altijd beschikbaar zal blijven voor degenen die daar gebruik van willen maken. Kijk bijvoorbeeld maar naar de geschiedenis van de veel gebruikte encryptieprogramma's pgp / gnupg. De Amerikaanse overheid heeft lang de verspreiding en het gebruik er van proberen tegen te houden. Dat bleek niet alleen onmogelijk, het was zelfs de beste aanbeveling voor pgp: als de overheid er zo bang voor is, dan moet het wel goed zijn. Een crimineel die echt een zware misdaad begaat, zal liever een straf voor het gebruik van illegale encryptie riskeren dan de straf voor de begane misdaden.
Daarbij bestaat er ook iets als 'ontkenbare encryptie', dat is software die de versleutelde gegevens zo opslaat dat niet aan te tonen is dat er versleutelde gegevens aanwezig zijn, of dat er meer gegevens aanwezig zijn dan de gegevens waarvoor een sleutel is overhandigd. Er bestaan dus al systemen die het mogelijk maken deze maatregel te omzeilen zonder dat het aantoonbaar is. Een crimineel hoeft dan zelfs niet de straf op illegale encryptie te riskeren.
- Het maakt legale toepassingen zo goed als onmogelijk:
Stel je eens voor: je rechercheert aan een groot, gevoelig onderzoek. Gelukkig heb je een laptop, zodat je, waar je ook bent, je de essentiële gegevens bij de hand hebt. Op die manier kan je ook makkelijk nieuwe notities toevoegen aan het dossier. Natuurlijk is die laptop voorzien van sterke encryptie, je wilt niet dat als de laptop in verkeerde handen valt, de gegevens ook in verkeerde handen vallen. Zou dit nog kunnen als de producent van de encryptie software ook toegang kan krijgen tot de gegevens? Want wie zegt dat daar geen lek zit? Of zelfs als dat in overheidshanden is, wie zegt er dan dat er daar geen lek zit? En over welke overheidsinstelling in welk land hebben we het dan eigenlijk? Het legitieme nut van de encryptie neemt snel af op deze manier.
En er is nog een manier waarop dit gevaarlijk is: de achterdeur hoeft maar een keer uit te lekken en alle systemen die er gebruik van maken komen in gevaar. Dat dat geen denkbeeldig risico is, bewijst wat er met veel ADSL-modems is gebeurd: de providers willen op afstand updates of aanpassingen kunnen doen aan zulke modems. Dat bespaart de klanten veel gedoe en maakt het makkelijker om de klant een goed werkende verbinding te bezorgen. Daartoe bouwen veel fabrikanten van ADSL-modems een achterdeur in in hun modem. Het is al meerdere keren gebeurd dat iemand in staat bleek die achterdeur te achterhalen (de technieken daarvoor zijn vrijelijk beschikbaar). Daarmee verkreeg die persoon in een keer toegang tot alle ADSL-modems van dat model. Een achterdeur creëert een gigantisch veiligheidsrisico en maakt de encryptie zo goed als onbruikbaar.
- Het bedreigt de democratische grondslag van onze maatschappij:
In een democratie is het niet alleen belangrijk dat de overheid de burgers beschermt tegen kwaadwillende burgers, maar juist ook dat de overheid de eigen beperkingen kent en de burgers beschermt tegen machtsmisbruik door de overheid. Dat wordt niet alleen via de stembus gedaan, maar ook door de trias-politica (de scheiding van de wetgevende, opsporende en rechtsprekende macht) en via het waarborgen van burgerrechten. Die burgerrechten beschermen de burger tegen inbreuken van wie dan ook, maar vooral van de overheid, die immers het geweldsmonopolie heeft. Zaken als briefgeheim, beroepsgeheim en verschoningsrecht zijn essentiële maatregelen voor het waarborgen van een democratie. Een overheid die niet respecteert dat burgers een privé domein hebben en maatregel op maatregel stapelt die dat privé domein verkleint, bouwt langzaam de democratie af. De geschiedenis (meer en minder recent) leert dat dat voert tot machtsmisbruik en uiteindelijk revolutie. Ik zou het waarderen als ons dat bespaart blijft.
- Het voorstel is vernietigend voor het imago van de politie:
In mijn professionele praktijk maak ik regelmatig analyses van de incidenten die plaats hebben gevonden en de maatregelen die nodig zijn om de risico's te verkleinen. De praktijk heeft mij geleerd dat het grootste risico niet van hackers afkomstig is, maar van overijverige opsporingsambtenaren die zonder de daarvoor voorgeschreven procedures te volgen proberen om met dreigementen gegevens op te vragen. Dat heeft vaker tot problemen gevoerd dan alle pogingen tot digitale inbraak bij elkaar. Ik waarschuw mijn klanten dan ook niet alleen voor hackers, maar juist ook voor de politie. Veel mensen die zich bezig houden met computerbeveiliging herkennen dit beeld: de grootste bedreiging komt van de opsporingsdiensten, terwijl die opsporingsdiensten juist zouden moeten bijdragen aan de beveiliging. In mijn praktijk kan ik inmiddels zeggen dat het middel erger is geworden dan de kwaal.
Zoals ik al had laten zien, getuigt het voorstel van weinig inzicht in de digitale praktijk. Dat vind ik zeer teleurstellend voor een vakbond van politie-medewerkers. Nog kwalijker is dat het voorstel vooral machteloosheid van de politie uitstraalt. Het zegt: "Wij hebben het klassieke rechercheren verleerd en vallen daarom nu terug op een gevaarlijke en ineffectieve maatregel." Ik ga er vanuit dat juist een politievakbond niet wil dat de politie het imago van incompetent en gevaarlijk uitstraalt.
met vriendelijke groet,
Winfried Tilanus
Wednesday, January 12, 2011
#
Introduction
To determine if a password is strong enough, two things need to be
known:
- the amount of randomness of the password
- the amount of randomness that is needed
Randomness of the password:
Human text is just slightly random. When typing text in lower ascii
characters the randomness of the text is estimated at 2-3 bits per
character (see RFC 1750). The 26 lowercase ascii characters represent
4.7 bits each ( log(26)/log(2) = 4.7 ). So just because a human has
choosen these characters, 40% to 60% of the randomness is lost.
This makes that the amount of randomness of a human chosen password
can be estimated with:
b = log(c)/(log(2)*2)
where:
c is the size of the character set chosen from
and
b is the amount of random bits per character
Randomness needed:
RFC 1750 gives a nice example of calculating the randomness needed.
It makes the following assumptions:
- One guess of the password takes 6 seconds (for example because of
a delay in the login system).
- An attempt to brute-force the password will be detected within a
month.
- A chance of guessing the password of 1 in 1000 per attempt is
acceptable.
This translates to 500,000 tries before the attack is detected. Taken
the acceptable chance of 1 in 1000, the password needs to be randomly
chosen out of 500,000,000 possibilities, which equivalents 29 bits of
random data.
More generic the equation is:
b = log((d*86400)/(s*c))/log(2)
where:
b is the needed amount of bits
d is the amount of days before detecting an attack
s is the delay in seconds when reattempting to login
c is the acceptable chance of a successful attack (as fraction)
Some examples of this calculation:
|
Detection (Days) | Delay (sec) | Chance (1 in) | Randomness needed
|
|---|
| 1 | 60 | 1,000 | 21
|
| 7 | 10 | 1,000 | 26
|
| 7 | 30 | 10,000 | 28
|
| 31 | 5 | 1,000 | 29
|
| 7 | 60 | 1,000,000 | 34
|
| 14 | 10 | 100,000 | 34
|
| 21 | 20 | 1,000,000 | 37
|
| 31 | 1 | 1,000,000 | 42
|
Two scenario's seem realistic to me:
- low-security system
A system like this is not very intensively monitored and you don't
want to set a long delay in case of a wrong password. This results
in a detection time of 31 days, a delay of 5 seconds and an
acceptable chance of 1 in 1,000. The amount of randomness needed is
29 bits for such a system.
- high-security system
A system like this is much more intensively monitored. Detection
within 7 days is likely. At the same time it is acceptable to
increase the login delay to 30 seconds or more in case of many
failing attempts. At the same time the acceptable chance is much
lower, 1 in 1,000,000. In these conditions the amount of randomness
needed is 35 bits.
So how long should the password be?
Please make your calculation for yourself! Take a look at your local
circumstances, acceptable risks etc. Choosing the length of a
password is also seeking a balance between security and nagging your
users. Having said that, I can answer this question for the two
servers described above:
low-security server:
| When using: | characters needed:
|
|---|
| numeric only | 18
|
| lower only | 13
|
| upper only | 13
|
| symbols only | 12
|
| lower + numeric | 12
|
| upper + numeric | 12
|
| upper + lower | 11
|
| lower + symbols | 10
|
| upper + symbols | 10
|
| lower + upper + numeric | 10
|
| lower + upper + symbols | 10
|
| lower + upper + numeric + symbols | 9
|
high-security server:
| When using: | characters needed: |
|---|
| numeric only | 22 |
| lower only | 15 |
| upper only | 15 |
| symbols only | 15 |
| lower + numeric | 14 |
| upper + numeric | 14 |
| upper + lower | 13 |
| lower + symbols | 12 |
| upper + symbols | 12 |
| lower + upper + numeric | 12 |
| lower + upper + symbols | 11 |
| lower + upper + numeric + symbols | 11 |
Dictionaries
This story is nice, but anybody who has ever played with a password
cracker like john the ripper, knows that there are nice lists with
passwords that are used very commonly. Using these dictionaries
increases the chance of success dramatically. According to the
calculations above, the password "August2008" has a randomness of
approximately 32 bits. That is equivalent to a chance of
1 in 4,000,000,000 of guessing the password in one guess. When using
a dictionary, a chance of 1 in 1000 would be more realistic. So when
combinations that are likely to be part of a dictionary attack
are part of the password, its randomness should be decreased.
However, this is not hard science, just like composing the
dictionaries themselves is a combination of statistics, experience
and intuition. Thereby is it language dependent: commonly used names
or the month of a year are different for each language.
Wrapping it up in a script
Note: the script described here is part of HelpIM
First of all we check the password against the blacklist of
'forbidden' combinations. Any part of the password that matches one
of these regexes is discarded for the further calculation of the
strength.
The amount of randomness of what is left of the passward can now be
calculated by multiplying the length by a factor depending on the
characters used. To calculate this factor we first need to know the
size of the character set where the password is chosen from:
| when using: | adds to character set size:
|
|---|
| space | 1
|
| numeric | 10
|
| lower | 26
|
| upper | 26
|
| symbols | 32 |
Now the amount of random bits per character can be calculated by
the formula mentioned earlier:
b = log(c)/(log(2)*2)
The randomness of the password can now be calculated by multiplying
the length of (what is left of) the password by randomness per bit.
This score is compared with a minimal amount of randomness for the
site. On base of this a percentage and a color is calculated for a
nice strength-bar.
Problems with this way of calculating:
- This way of calculating is very dependant on the quality of the
dictionaries used. Choose them with care!
- Diacritical and other non-ascii characters are not accounted for,
although these make the password much stronger (but are quite clumpsy
to use in a password, unless you use a localized keyboard containing
them).
Monday, November 15, 2010
#
I have been blogging before about privacy: privacy is not about what others (might) know about you, it is about something different: One of the mechanisms you use to influence how others relate to you is by determining what information others have about you. The context of the information is everything. Privacy is violated by using information in a total different context, by creating a different relation by it. So in a personal setting you might say: "I will blow the airport sky high", just to express your anger, while you know that saying that at the airport security is a bit of a different context where you relate a bit different to the people present...
So what if you say exactly that on twitter, like Paul Chambers did? Twitter is mostly used for personal messages. It is not the place where communicate to security officials. So the messages you send should be interpreted, and kept, in that context. Unfortunately that is not what happened to Paul Chambers, as everybody knows. His words where meant for the private realm, where part of the personal relations he maintained by twitter. Prosecuting him for twittering "I will blow the airport sky high", is taking his words seriously out of context and abusing those words are meant for.
Apparently there are people constantly looking on media like twitter for tweets like these. And apparently they think they should act on tweets like these. Twitter is personal and if you take that to court like this, you are violating privacy. Stop that, or I will blow you sky high.
Tuesday, November 09, 2010
#
In my previous post, I introduced Teus Hagens research on the security of SSL on sites in the Netherlands. Although it was quite shocking to discover that there are still major counseling sites that don't use SSL, the story isn't finished yet.
Even when a site has SSL, the configuration might allow insecure operations. In short several things might go wrong:
- The certificate can carry a wrong name, can be expired or can be issued by an authority that is not recognized by the browser.
- The configuration can allow old, broken, ciphers or it can allow too short key-lengths that allow brute forcing.
- The configuration can allow old, broken, protocols.
Each of these can effectively render the SSL useless. So you would expect the admins of SSL-sites to carefully configure the SSL on their site. Unfortunately they don't. The research of Teus Hagen has shown that one third of all sites in the Netherlands has serious flaws in their SSL. In healthcare and online counseling it is even worse: of the 40 assessed sites, over half of all sites has serious flaws. Only 7 sites reach an acceptable lever of security, with only passing with an 'A'.
So, using SSL is not the whole story, it should be implemented in the right way. And unfortunately not many people are aware of this.
Wednesday, November 03, 2010
#
In the upcoming NLUUG autumn conference on security and privacy, there will be a presentation of Teus Hagen on SSL security.
For people not very familiar with SSL a short introduction: SSL protects (or should protect, more on that in part 2) communication on the internet against eavesdropping. Basically all communications on the internet can be eavesdropped. This problem becomes a lot more urgent when using open wireless access-points or badly secured access-points. Also people with access to network equipment in the same building can easily eavesdrop the traffic. Think about your boss, your system-administrator or anybody with a bit technical skills in your home. The (correct) usage of SSL effectively eliminates the possibility to eavesdrop.
For psychosocial support sites confidentiality is very important. You don't want your boss to know about your alcohol problem. And believe me, you don't want your daddy to read over your shoulder when you chat with a counselor about him abusing you. So SSL is what you want for psychosocial support sites.
Teus Hagen wanted to see if SSL is deployed correctly in practice. If not so, the security of SSL can vastly decrease. For his paper he researches several kind of sites, including sites for psychosocial support. And because I work a lot with security in psychosocial support, I went of to compose a list of sites in the Netherlands he should test. Well: the results where shocking: More then a quarter of the sites that I thought Teus should test, didn't use SSL. No security for him to test, because there is no security at all on those sites!
I will mention some noticeable sites without SSL:
- http://shginfo.nl/ This is the site of the most important organization against domestic violence in the Netherlands. In many ways they set the best-practice. They thought quite well on how they can avoid that it becomes obvious to others when somebody visited the site. But they don't use SSL.
- http://www.113online.nl/ A major initiative for suicide prevention, including online counseling. SSL is available, but by default it is off.
- http://www.korrelatie.nl/ general first line aid, also online, one of the major players in the Netherlands. No SSL.
- http://www.kindertelefoon.nl/ the Dutch child helpline. They also offer chat and forum. No SSL.
- http://www.minderdrinken.nl/ online treatment for alcohol addiction. No SSL.
- http://optijderbij.nl/ Psychological/Psychiatric institution. They do a big part of the intake online, including a lot of diagnostics. All without SSL.
What struck me, when looking at the sites, was the pattern in it, or to be precise: the lack of it. Many sites were only partially protected with SSL. There were for example several sites that offered a SSL protected chat, but that had an e-mail form or a forum that wasn't protected at all. I also encountered several large organizations that operated multiple support sites. They had some of their sites protected with SSL and others not. Overall, it seems to be quite arbitrary what is protected and what not. Looks like a lack of policy. And a lack of regulation...
Tuesday, May 04, 2010
#
The Dutch news agency 'ANP' reported that on the April the 27th three suspects of card-fraud had their first hearing in court. Several media publicized the news (in Dutch). The suspects are part of an international operating group of criminals and the investigations spread over several European countries.
One detail of the news caught my attention: the skimming was done by replacing the card-readers used for two-factor authentication at internet banking. The catch: these readers can't read the magnetic strip of the card at all, they only talk to the chip on the card. And exactly this chip is introduced to make skimming impossible. So I decided to dig a bit deeper in this case.
Lets start with a bit background: originally the European payment cards all had only only a magnetic strip, just like the cards in the USA today. To be able to offer extra services, the payment companies and banks decided to introduce chips on their cards. Last years, to stop the fast rise of skimming, payment cards the European payment companies and banks have decided to speed-up the introduction of the chips, because the chip should provide better protection against skimming.
An other use of the chip on the banking cards is two-factor authentication for internet banking. The two-factor authentication for internet banking is done by placing the card a special reader. This reader has two modes of operating: identifying and signing. For identifying, the PIN entered on the keypad of the reader is passed to the card. If the PIN is valid the card returns an one-time-password to the reader, that displays it on its screen. Signing is done quite similar except that after entering the PIN you also need to enter one or more numbers given by your bank. One of them can be the amount of the transaction. This way, even when the computer you are banking from is compromised, you can notice it when you do your on-line banking.
To understand what the criminals did, a final piece of background information is needed: many banks in the Netherlands have in their offices terminals where customers can log in to their internet banking account. This is a service for customers who can not or do not want to do their internet banking at home. Beside each terminal there is a card-reader to do the authentication.
So what did the criminals do? They simply switched the card-readers in the bank-office for compromised readers. After some time they returned to read out the data collected from the chips and the PINs entered in the reader. That data was used to steal money from the customers accounts. So far the facts that have been confirmed by both the prosecutor and the ABN-Amro bank.
The impact of this theft for the security of internet banking and the use of the chip is quite dramatic:
- There are such things as 'compromised readers' and they are used by criminals. Because the reader is an essential step in creating safety while internet banking, you should guard your reader like you would guard your payment card.
- You can't trust the facilities in offices of your bank any more. Doing your internet banking in the office of your bank is just as insecure, or even maybe more insecure, than doing it in an internet cafe.
- And last but not least, the chip cards, widely presented as solution for skimming, apparently is not that resilient against skimming after all. It can be skimmed about as easy as the old magnetic strip.
That last point needs some more investigation: how is it possible that a chip that is designed to cryptographically guard its secrets, reveals its secrets so easily? I asked the ABN-Amro bank, the one who's cards were skimmed, for details on this incident but they refused to give any comments on this incident except that 'the e.dentifier' (the name they gave their card-reader) is still safe – a statement proven to be false by this incident. So I have to make an educated guess. One possible answer comes from the the security research group of the computer laboratory at the university of Cambridge (UK). Their weblog lightbluetouchpaper.org contains a wealth of information on the security of payment cards. This posting and this paper (pdf) seems to deal with exactly this attack: They describe a possibility to skim the type of chip that is used by the ABN-Amro bank: EMV for payments and EMV-CAP for internet banking (see note 1). Before all the cryptography kicks in, the card sends some identification numbers. If the identification number send by the chip is the same as the one used on the magnetic strip, then that number can be used to counterfeit the magnetic strip. Such a copied card can be used in any ATM that doesn't support the chip, for example any ATM in the USA. On many newer cards these two numbers are different, but it is unknown how many cards are in use where these numbers are the same. And if they are the same, skimming the card is easy.
So what really happened is open to speculation. But there are three ways the criminals could get to the money:
- By using the magnetic strip. In this case the chip revealed enough information to counterfeit the magnetic strip. To make this possible, the ABM-Amro has used the same identification number for both the chip and the magnetic strip.
- By using internet banking. In this case the chip revealed enough information to reproduce the challenge and response for the internet banking. That would mean the EMV-CAP protocol used by the chip for internet banking is big time broken.
- By using the chip. In this case the criminals managed to counterfeit an EMV-chip. That would mean that the whole EMV-protocol is even bigger time broken.
I go for the first one. That one is the most probable because this weakness is documented and it is known more banks have made the same error. It is 'just a little' screw-up by ABN-Amro.
But what really annoys me in the whole case, is lack of information from ABN-Amro (and other banks in similar cases). As customer, I want to be able to asses the risks connected to modern payment systems. I want to know when my card is extra vulnerable, I want to know what situations to avoid. I asked them, beside a lot of other questions, to confirm my suspicion and I asked them what cards are vulnerable, but they refused to give any comments. I had to find out from the newspaper that this all took place months ago and it is unknown if there are more cases of skimming the chip. Banking is all about trust, but there is little to trust like this.
note 1
ABN-Amro made the transition from a card reader produced by the Belgic firm Vasco to a new card reader, produced by the Swedish firm Todos. I couldn't get any confirmation yet which card reader, the old one from Vasco or the new one from Todos was compromised. In this press release (which tries to counter the paper 'Optimized to Fail' but doesn't address the problem I describe) Todos reveals the new card reader uses the EMV-CAP protocol. It is almost certain the old reader by Vasco uses the same protocol, the ABN-Amro cards can be used for example also in the reader of the Rabobank. Also note that the ABN-Amro originally didn't use the signing-function to authorize transactions, but the one-time-password function. This was against the guidelines of Vasco and opened the road for the 'banking in silence' trojan. See this blog from me in (in Dutch).
History
4 May 2010: original release
5 May 2010: added the confirmation of the use of EMV-CAP and the note about the different versions of the card reader
Sunday, December 27, 2009
#
This summer, two Dutch art projects should have caught the attention of anybody trying to understand privacy. The first project was I Love Alaska, a set of 13 mini movies. These mini movies consist out of the search queries one AOL user entered during a three month period. These queries were among the queries of 650.00 AOL users publicised by AOL for research. The movies show not only the queries, but also comment (a little) on them. They tell the tale of an unhappy, maybe slightly neurotic, woman who betrays her husband but doesn't get any happier from it. The movies are quite unnerving: they don't only show facts about the woman, but also give a deep insight in her feelings. It is not only unnerving to see what can be known about somebody, it is also unnerving because by watching these movies you become part of this act of privacy violation. You aren't supposed to know this.
The second project is the expostion It Could Be You. Two artists followed during two months the online activities of a young woman named Lot. They condensed all the information they found in one exposition room. They even rebuild her apartment (based on pictures Lot posted). Finally they invited Lot for the opening of the exposition. And while Lot was very much aware of all the information she did share and did not share, she was furious about this 'stealing of her live'. She felt (and still feels) violated
Of course, these two art projects raise the question whether it is allowed to violate somebodies privacy like this, even if it is an art project. But that is not the point I want to make here. I believe these two projects can teach us an important lesson, even though the artists might not have realized it themselves:
In both projects there was no privacy violation before the artists did their project. The violation started when the information about both woman was taken out of its context and introduced in a new context. Each art project created a bunch of new relations between its subject and new people. Existing relations were changed because of it. All of this because of the new presentation of the information.
The information changed from context and that violated the privacy. The judgement of the importance of the information somebody has about us is based on the relation to that person. Taking the information into another context and so changing the relations to other people equals violating privacy.
Privacy is not about what is known about us, but about what is done with that information
Sunday, December 13, 2009
#
Ever since I started working on my presentation at HAR2009, I kept thinking about why people put (very) private things on the internet, visible for everybody. Because of my starting point in my presentation, privacy is a function of the identity creation process and that process is always bound to a relation, I came up with the answer that people put the information about themselves online with a relationship in mind. Their exhibitionistic behaviour is caused by not overseeing what other relations might be based on that information.
Recently I came across several other views on that. They all had in common that they stated that the modern youth has an attitude of sharing. You share everything and take action when you notice the information is misused. If you still keep running into problems because of the information you shared, then you couldn't oversee what could be done with the information about you.
Thinking it over, I think these two views really are the same: in both cases we can't oversee where the information about us is going and what will be done with it. The information about us, travels faster then our ability to comprehend what can and will be done with it. Still we want to share, because the benefits of it have been proven to be bigger than the damages we experience.
And indeed, we do live in a time where the "I have no secrets"-attitude has brought us big advantages. It is a new paradigm on the value of information. Was the old paradigm that information needed to be secret and protected to be valuable, the new paradigm says information becomes valuable when it is shared and increased. In the old paradigm the ethics were based on the ownership of information. In the new paradigm of sharing information, that kind of ethics are obsoleted: the information is out there and there is hardly any owner any more, even when it comes to information about persons. So where should we base our ethics of handling information in the new paradigm on? I believe it should be the responsible use of information: acknowledge the power that comes with the information and make sure that that power is balanced. Every unbalance of power is a potential abuse. And don't put yourself in a position where abuse is a far too tempting option.
Een recente discussie over disk encryptie deed me terugdenken aan wat ons een jaar of twee geleden is overkomen:
We zaten in de auto terug van een weekje weg toen de politie belde: er was ingebroken in ons huis. Oplettende buren hadden onraad geroken en de politie gewaarschuwd. Het huis was een grote puinbak, we zijn nog twee weken weken bezig geweest met opruimen. Dat waren ook twee weken van boosheid: "wat ben jij een *** om voor een grijpstuiver van ons huis zo een troep te komen maken". Uiteindelijk viel de schade mee. Er was een oude digitale camera, een computermonitor, een palmtop, wat elektrisch gereedschap, oorbellen en een laptop gestolen. Omdat we netjes verzekerd zijn, kregen we alles vergoed. Maar vooral: de laptop was voorzien disk encryptie. Met disk encryptie wordt er een kluis van je harde schrijf gemaakt. Je moet die kluis eerst met een wachtwoord openen, voordat er verder van de schrijf gelezen kan worden. Dat scheelde een boel zorgen: ik wist dat de inbreker of de heler zonder het password niets van wat op de computer stond kon lezen.
Tot mijn grote opluchting had de inbreker mijn desktopcomputer laten staan. Die was niet voorzien disk encryptie. Als mijn desktopcomputer meegenomen was, had ik de schade niet kunnen overzien. Persoonlijke mailtjes, privé foto's, alles over mijn financiën, bestanden van mijn werk, gegevens over mijn bankpassen, wachtwoorden... ik zou niet eens kunnen opnoemen wat er allemaal op stond. Welke wachtwoorden zou ik moeten veranderen? Welke pasjes zouden er geblokkeerd moeten worden? Welke foto's zouden er opduiken op het internet? Ik zou een heleboel mensen moeten waarschuwen, van zowel mijn werk als privé. En ik zou veel langer dan die twee weken bezig zijn geweest om de schade te herstellen.
Wat een opluchting kan disk encryptie toch zijn, ik wil niet meer zonder....
Update 21 jan 2010: zie ook: https://www.bof.nl/2009/12/17/tip-bescherm-je-gegevens-met-encryptiesoftware/
Sunday, November 29, 2009
#
One of the obstacles for the migration to IPv6 is the big number of clients that think they have IPv6 connectivity, where they don't have any in reality. To such clients a part of the internet seems to be unbelievable slow, they have to wait for their browser (or other program) to time-out in IPv6 before they get anything in. About a quarter percent of all clients has IPv6 connectivity, about a tenth percent of all clients thinks it has IPv6 connectivity, where they don't have any in reality. (see this research)
So many sites don't want to loose that tenth percent of the users and wait with implementing IPv6 until the clients are fixed. But something worse might be the case: sites that advertise they are reachable by IPv6, but aren't. These sites have the same extreme slowing effect, but on the quarter of a percent users that do have correct IPv6 connectivity. And that is exactly the minority I am in. Each time I stumble upon such a site, I ask the owner politely to fix their IPv6 connectivity. Almost always the owner makes sure the problem is fixed in a reasonable time.
Today I unfortunately came across an owner who could not get his IPv6 connectivity fixed. So I created something I call the IPv6 hall of shame. It is a corner in my firewall were I reject sites with a chronic broken IPv6 connectivity: A line telling to reject connections to that IPv6 address. That causes my firewall to tell my programs the site is unreachable by IPv6, so the programs don't have to wait and wait before they come to that conclusion themselves. That fixes it for me, but of course the site stays broken...
Sorry Adam from http://www.emergentchaos.com/, I know it is not your fault, but you are the first to enter my IPv6 Hall of Shame.
Update march 16, 2010: Today I could remove emergentchaos from my hall of shame: they have a new hostingprovider and could fix their site
Thursday, November 26, 2009
#
Scott McIntyre, the security officer of XS4ALL, had in his presentation at HAR2009 some hilarious words on cloud security:
Manager: Where is the data?
Sysadmin: In the cloud
Manager: But WHERE is the data?
Sysadmin: In the cloud
Manager: Just tel me, WHERE is that?
Sysadmin: It is in the cloud
Last week ENISA published a report on cloud security. The report makes clear why Scot McIntyres objection is still going strong: a security policy requires clarity over what data is stored where, what protections and controls are in place and how the data is disposed at the end of its lifetime. Many vendors of cloud-services don't tell much about these issues. And if you are working in an environment that requires certifications, then you are totally left alone: these certifications usually aren't applicable to SaaS or cloud computing. Let alone that there are any cloud computing vendors out there that are certified.
But there is hope: the report is co-written by a lot of these vendors. So they acknowledge the problem and they are even asking for certifications for cloud computing. Great! At the next Hxx conference in 4 years, the conversation Scott made up can continue:
Sysadmin: I finally know where the data is and how it is protected!
Manager: Thanks, but get the data out of the cloud. We have something better by now.
At this years SecTor conference a security firm accommodated a 'wall of shame', a site were the details of attendees that didn't connect securely to the outside world, were published. Although this was announced on forehand (and has been done before on other conferences), it caused quite an outrage. See Andrew Hays blog for more details.
The complainers gave several arguments why this was wrong:
- It was illegal.
- The conference tries to interest more executives to the field, this scares them of.
- The network suggested the attendees could protect themselves, but were 'lured' into it, there was a false sense of privacy.
- The wall of shame was accomodated by a private firm, the conference organisers should not trust a third party with something like this.
Well I think these arguments are a bunch of crap and the bottom line is: a lot of security experts were caught with their pants down and are unable to deal with it.
Let me explain that a bit:
- Bad guys don't care if something is illegal or not. Laws can't replace security.
- This was a perfect showcase why network security is so important and I can't imagine a better way to educate executives.
- Security experts should not be fooled by a false sense of security, they should know what is really secure and what isn't.
- And once your data has been breached, you should be happy you were told it was breached: usually you have to find out the hard way. Who breached it doesn't change the fact that your data was breached at least once.
Anyway: anybody who connects while on the road, should have the security measures against exactly this attack already in place.
The reaction of the complaining security experts is very disappointing. There are only two sensible reactions to something like this: lick your wounds and make sure it never happens again or say the risk isn't big enough to mitigate it. Security experts should know better then start crying over the injustice done.
The real problem is that conferences like these are crowded with vendors of magical boxes that should mitigate exactly this problem and a lot of the visitors make their living out of implementing network security. And now they are caught with their pants down: they aren't protected themselves! So either the products they sell don't mitigate the problem they are supposed to mitigate, or their products are so user unfriendly that they don't use it themselves or they make their business out of mitigating a risk they don't really regard a risk themselves. Either way, this incident is showing there is something fundamentally flawed with the security that is sold on conferences like these. And more severe: these "security experts" aren't up to admitting it.
(old post written on 2009-10-21 for another forum)