## Security Corner

April 28, 2010  1:38 AM

## Security Fun: Homophonic Cipher Security Challenge

Profile: Ken Harthun

Time to lighten up a bit. Well, some people may consider this anything but light; however, real Geeks enjoy this kind of thing. Consider this homophonic ciphertext:

32 25 00 75 67 94 63 57 96 43 73 90 91 97 90 45 92 52 00 34 24 42 78 17 92 19 04 97 65 16 06 57 64 04 92 81 05 63 69 65 99 27 05 38 65 07 91 83 62 41 83 95 23 55 29 96 96 54 83 43 39 07 63 06 65 17 83 89 90 63 26 79 51 46 30 52 07 63 88 59 07 66 17 65 57 27

Here’s the challenge: Decipher the message above and post the resulting plaintext in the comments. Everyone who gets it right wins free lifetime access to my Geek Toolkit (\$37 value). Hint: There are tools on the web that will decipher this if you know where to look.

If you don’t know what a homophonic cipher is, better do some homework. First, it’s a simple substitution cipher in which plaintext letters map to more than one ciphertext symbol. Typically, the highest-frequency plaintext symbols–such as the letter e in the English language–are given more equivalents than letters that appear less frequently. This makes it much more difficult to use frequency analysis to break the cipher. But this isn’t always the case. Take Poe‘s “The Gold-Bug” for a literary example where a whole set of symbols was invented to describe the location of buried treasure. See this Wikipedia entry for more information.

This won’t help you much, but here is the message “The quick brown fox jumps over the lazy dogz.” I put the extra z there because it’s the least-used letter in the English language and has only one substitution in a homophonic cipher, so that’s a clue. But e has 12 substitutions, so you won’t find that one. Here’s the ciphertext: 17 68 82 94 63 70 13 04 48 29 54 60 59 31 72 28 15 63 27 95 96 90 34 14 77 30 50 24 26 33 02 52 03 54 06 02.

Have fun!

April 26, 2010  8:03 PM

## Security Risk of Digital Copiers

Profile: Ken Harthun

As if we don’t already have enough to deal with, now we must add digital copiers to our list of security risks. Seems that most modern copiers (those manufactured 2002 or later) including Ricoh, Canon, Sharp and others, are loaded with secrets about the organization where they reside, the people who have used them, customers and competitors, even the fanny of that cute temp who got drunk at the office party. The reason? Nearly every digital copier built since 2002 contains a hard drive and that hard drive stores an image of every document copied, scanned, or emailed by the machine.

Ten days ago, CBS ran a segment on the Evening News entitled “Copy Machines, A Security Risk?” Watch the video here.

This past February, CBS News went with [John] Juntunen [of Digital Copier Security] to a warehouse in New Jersey, one of 25 across the country, to see how hard it would be to buy a used copier loaded with documents. It turns out … it’s pretty easy.

After buying four copiers, they started to examine them. One of the copiers had documents still on the copier glass, from the Buffalo, N.Y., Police Sex Crimes Division. Another machine from the Buffalo Police Narcotics Unit revealed the targets of a narcotics raid. The third machine contained copies of pay stubs that revealed names, addresses and social security numbers. On the fourth machine from a New York insurance company, they found 300 pages of medical records that included prescriptions, blood test results and the like.

It’s not that the manufacturers of these products are negligent; all of them offer options to either encrypt or erase the documents. The problem is that the people who lease the copiers either don’t understand or don’t want to pay for the protection the options provide.

Ignorance is no excuse; failing to implement suitable security is negligence and a serious breach of federal privacy laws. Besides that, once a used copier leaves the warehouse, there’s no telling where it might end up. The CBS reporter gave this summary:

The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas – loaded with secrets on their way to unknown buyers in Argentina and Singapore.

How we lookin’? Not good.

April 26, 2010  12:16 AM

Profile: Ken Harthun

Remember these? Anyone who was old enough to receive mail in the last 20 years or so probably got several of them. Every sleeve had an unique registration number and password. The combination of the unique number and long password provided adequate security and prevented people from hacking a free AOL account.

This model is probably still valid today with one exception: The dictionary words AOL used would be hacked quickly with modern brute force tools.

But what if the password wasn’t made up of dictionary words? What if it was made up with nonsense words? Follow along please because this is another one of those brilliant solutions to the I-can’t-remember-a-complex-password problem.

Lewis Carroll, in his book “Through the Looking-Glass and What Alice Found There ,” 1872, composed a brilliant piece of nonsense poetry entitled “Jabberwocky.” Here are the first three stanzas:

`Twas brillig, and the slithy toves
Did gyre and gimble in the wabe:
All mimsy were the borogoves,
And the mome raths outgrabe.

“Beware the Jabberwock, my son!
The jaws that bite, the claws that catch!
Beware the Jubjub bird, and shun
The frumious Bandersnatch!”

He took his vorpal sword in hand:
Long time the manxome foe he sought —
So rested he by the Tumtum tree,
And stood awhile in thought.

What absolutely glorious nonsense! And chock full of words that aren’t likely to appear in a dictionary attack. Oh, the possibilities. You could post this poem right there in your cubicle and with a few discreetly placed color coded dots come up with user names and passwords that no one could guess in a bazillion years. You don’t have to use your own name for a user name, you know. “Bandersnatch446″ works as a perfectly valid user name. Combine that with a couple of other nonsense words using AOL’s example, and you have an airtight winner. How about “Frumious-VorPal” for a password?

You know, security is serious business; both the white hats and black hats are very serious about their side of the game. Sometimes the best way to win is through sheer insouciance. Instead of insisting that your IT department use logon names like BillC, or JohnB, come up with something a bit more creative and less easy to guess. You can make it a standard pattern, just make it something unusual.

I’m going for brillig859/Toves-OutGrabe for my next user account.

April 24, 2010  1:16 AM

## Brute Force Data Destruction

Profile: Ken Harthun

What do you do when a long-time client, a non-profit organization subject to HIPAA regulations, has been stockpiling old hard drives until they can afford the cost of shredding them? Professional data destruction services charge anywhere from \$10 to \$25 or more per hard drive in addition to the pick-up fee. Here’s a video that shows a hard drive shredder (scroll down to the middle of the page). My client was looking at almost \$1200 and just couldn’t seem to find room in the budget. They needed a viable–and cheap–solution.

The least expensive option would have been to train a staff member on how to use an old PC to hook up the drives and run the HDDerase utility. (See How to Quickly & Securely Erase a Hard Drive.) For various reasons, the client wasn’t in favor of this; they wanted someone “in the know” to do it.

After determining that there was little likelihood of any truly sensitive data sitting on those hard drives, I suggested a brute force approach: Physically damage the drives, then take them to a community recycling center and dispose of them. The total cost of this approach would be around \$100. The client agreed.

The photo above shows the result of 3-4 sharp blows with the root-cutter end of a cutter mattock applied to the platter end of the hard drive case. The photo below shows the resulting damage to the platters.

You could argue that this isn’t enough destruction to meet regulatory security standards and you would be right. My rebuttal would be this: 1. There probably isn’t anything of value on those drives; 2. The cost of trying to recover anything on those drives would be prohibitive; and, 3. Where they’re going tomorrow, no one will know who owned those drives and wouldn’t care anyway if they did. Bottom line: The drives will be shredded and recycled as originally planned at a fraction of the cost.

Sometimes, it just takes a little common sense to deal with these issues.

April 22, 2010  1:25 AM

Profile: Ken Harthun

What?

You heard me. How many posts and articles are out there about passwords? Put “password” into Google and you’ll get 772,000,00 (isn’t it nice how Google always reports round numbers?) How many “password systems” are out there? Google says 329,000,000. Let’s try “unguessable password”; in that case, we get 2,520 results (in which I have two articles on page one). Now we’re getting somewhere.

But passwords are too complicated a concept for most. After all, Q2@*rr55iN9}, while being an unguessable and virtually uncrackable password, is not very practical unless you use a password manager like LastPass or RoboForm (which I do). How are you going to remember something like that?

Enter the passphrase: Something that is easily remembered, but hard to guess (yes, this has been covered ad nauseam, too). Believe it or not, you can use almost any personal information you want and yet create a virtually unguessable, uncrackable password.

Let’s create an identity for illustrative purposes:

Joe Blow
SS: 323-457-9999
Dog’s name: Rex
Wife’s name: Wilma

Assuming I’m a social engineer who knows all of this information, am I going to be able to guess this passphrase?

Blow-457RexB89Wilma5555

Nope. And neither will any modern Computer using any brute force algorithm in the lifetime of any entity in this universe. And you can write down a mnemonic for that password easily. Here’s a mnemonic for one of my passwords: Ken and Peggy got married in 1980! You’ll never guess the associated passphrase in a quintillion years, but I know exactly what it is.

As I said, passwords are too complicated. If you want to hide something, hide it in plain view. It’s all about trickery and misdirection.

Want to steal all of my money? Here’s my mnemonic for my main account password: Google Ken’s phone with a nickname.

What do you think?

April 21, 2010  12:36 AM

## Cybercrooks Target Chrome with Bogus Extension

Profile: Ken Harthun

Source: Flickr.com/photos/randyzhang/

We can now consider Google’s Chrome browser a rousing success. Cybercrooks have begun targeting Chrome users; a compliment, kind of.

The attack begins with a spam message that tries to dupe the unwary into trying an add-on that “helps you better organize your documents received in your email”. A write-up by BitDefender provides a full analysis including screen shots. One interesting note in the analysis:

Although the sham application has the same description as that of an original Google Chrome Extension, the first sign the more inquisitive users will get about it not being what they were looking for should be the fact that instead of the expected “.crx” extension, it features a flamboyant “.exe” tail.

The trojan modifies the Windows HOSTS to redirect any requests for Google or Yahoo pages to counterfeit, malware-laden versions of thoses sites owned by the crooks.

Repeat after me, I will not click links in spam, I will not click links in spam, I will not click links in spam.

April 18, 2010  1:42 PM

Profile: Ken Harthun

In a recent blog post entitled “Q1’10 spam & virus trends from Postini,” Google said that a recent spate of botnet take-downs (Waledac, Mariposa, Zeus) has not had a dramatic impact on spam levels. While spam and virus levels did fall below Q4’09 highs, Google’s analytics show that global spam levels were relatively steady during Q1’10.

It’s discouraging. This goes to show that there is no shortage of botnets out there; the criminal spammers simply buy, rent or deploy another botnet when an active one is taken down. Anti-spammers are not going to win this war: we need a fundamental change in all operating systems to make it possible for trusted authorities to remotely disable malicious code the minute it is discovered. Steve Gibson, in Security Now #244, discusses Apple’s approach:

…imagine if Microsoft…were able to just reach out and kill a trojan. Well, they don’t have the ability to do that because there’s nothing like this kind of grip and control that exists on the open platforms. Apple has that. And so I can see, yes, it’s a mixed blessing in that, as you say, Apple could kill off a competitive program. But to me there’s a tremendous advantage that, if something was discovered to be malicious, and arguably that would probably surface very quickly, for Apple to be able to just kill it off throughout the entire ecosystem, I mean, even the fact that that ability exists, I would argue, militates against developers bothering to create something malicious because they just know it’ll have an extremely short life…. The second it becomes known, it’ll get killed.

What do you think? Leave your comment.

April 16, 2010  2:56 PM

## Software for Secure Computing: dsCrypt

Profile: Ken Harthun

I found this nifty little encryption utility on Gizmo’s Freeware Reviews site and immediately fell in love with it. It’s lightweight (25K), fast and easy to use. Double click the single executable and a small box appears (see below). Click the “Mode” menu item to select encryption or decryption. Drag-and-drop files, even multiple selections, from Windows Explorer on dsCrypt’s window, or use the “Open” command to browse and select files.

Unlike some encryption tools, dsCrypt overwrites original files, does not create any temporary files, and erases the data and password memory allocation after use; any possible paging/swap file leftovers are nullified. It does not save your password in any form.

Another feature I like is the Secure PassPad. It employs a mouse operated, graphical keypad, which directly communicates with the application. Here’s the full list of features from the website:

– extensively tested and widely accepted algorithm
– BruteHalt® and exceptional resistance to brute-force password search
– inherent resistance to brute-force key search
– Secure PassPad® and immunity to keylogger-infested environments
– disclosed implementation and source code
– secure use of system resources
– verified data and file processing
– efficient user interface and operation
– speedy performance
– really small executable file
– self-contained and dependency-free
– installation-and-pollution-free
– freeware status and unrestricted distribution

I’m using dsCrypt to keep sensitive information on my thumb drive secure.

There is one drawback, however: If you send a dsCrypt-encrypted file to someone else, they’ll need dsCrypt on their end to decrypt it. When I need to send a single file to someone else, I use AxCrypt to make a self contained package.

April 15, 2010  1:51 AM

## Government Interception Attacks Against SSL

Profile: Ken Harthun

Researchers Christopher Soghoian and Sid Stamm have authored a paper, “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” that is truly disturbing.  Here’s the Abstract:

This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.

I have no problem with law enforcement agencies using their powers to deal with the bad guys, but this truly alarms me. If you read the paper, you’ll see why. Heck, just read this excerpt from the paper’s Introduction:

A pro-democracy dissident in China connects to a secure web forum hosted on servers outside the country. Relying on the training she received from foreign human rights groups, she makes certain to look for the SSL encryption lock icon in her web browser, and only after determining that the connection is secure does she enter her login credentials and then begin to upload materials to be shared with her colleagues. However, unknown to the activist, the Chinese government is able to covertly intercept SSL encrypted connections. Agents from the state security apparatus soon arrive at her residence, leading to her arrest, detention and violent interrogation. While this scenario is fictitious, the vulnerability is not.

Guess what? There’s an appliance being marketed to help facilitate this attack. The brochure is included in the report. But, there’s good news. These guys have developed a Firefox add-on (see the screen shot above):

In an effort to significantly reduce the impact of this attack upon end-users, we have created Certlock, a lightweight add-on for the Firefox browser. Our solution employs a Trust-On-First-Use(TOFU) policy, reinforced with enforcement that the country of origin for certificate issuing does not change in the future. Specifically, our solution relies upon caching CA information, that is then used to empower users to leverage country-level information in order to make common-sense trust evaluations.

Read the paper. Realize its implications. Then, change your habits accordingly. Believe me, until this add-on is released, I’m going to be very suspicious of any SSL connection.

April 13, 2010  1:16 AM

## Microsoft Decides to Forgo Steady State Development – 77 Million PCs at Risk

Profile: Ken Harthun

Thanks to Windows Secrets Newsletter for alerting me to this. I was responsible for implementing Windows Steady State (WSS) on a score of public computers including some that were used in credit union kiosks. Microsoft has decided to forgo development of Steady State on Windows 7 according to Microsoft forum moderator Sean Zhu in a March 10, 2010 post:

Hi…thank you for the feedback. I’d like to inform you that currently, there is no plan to develop compatible version of Windows SteadyState for Windows 7.

This creates an upgrade dilemma for many public institutions: Stay with Windows XP for now (extended support for XP SP3 lasts until April 2014) and continue to use Steady State, or upgrade to Windows 7 and invest considerable extra expense on implementing some semblance of WSS functionality using Group Policy and third party software? It’s a no-brainer to me.

Consider this: A study conducted by University of Washington Information School, funded by the Bill and Melinda Gates Foundation, reports “Nearly one-third of Americans age 14 or older–-roughly 77 million people–-used a public library computer or wireless network to access the Internet in the past year….  In 2009, as the nation struggled through a recession, people relied on library technology to find work, apply for college, secure government benefits, learn about critical medical treatments, and connect with their communities.”

What are you thinking, Microsoft? Do you listen to your users? I have similar sentiments to these forum posters:

“Seems Microsoft has made another blunder with windows 7, we have decided to stay with XP and notify users that until Microsoft updates WSS to run with windows 7 that we will stay with xp and advise them to do the same, we have withdrawn all support for 7 and are advising people to downgrade if they are stuck with 7,  Its simply not viable, especially in this economy to spend the extra tens of thousands of dollars on the extra staff that would be needed to support a OS that we have came to the conclusion that even Microsoft [isn’t] prepared to support fully.”

“Shame on MS for dumping such an essential OS feature for many IT environments. We have halted the upgrade to WIN 7 of around 12000+ PC  and will stay with XP until MS provides something equivalent to WSS in any upcoming OS.”

I don’t know what Microsoft charges for a Win 7 volume license for 12,000 PCs (can I get some help on that from someone?), but I’m sure it’s a significant amount.

Doesn’t make a whole lot of sense. But who am I to argue? I’m just a guy who will help save people money for the next four years–or until Microsoft figures this out.