Archiv der Kategorie: Security

Digital Cold Reading: The CSS History Hack

English, IT, Phishing, Security, Wahrnehmung, ,

[See only posts in English]

Cold reading is a technique used by mentalists to simulate psychic powers and impress people. Essentially, the cold reader is supplying words and the other person supplies their meaning as well as hints for the reader.

The CSS history hack, which seems to impress quite a few people, is nothing more than the Web’s version of cold reading. Your impression is that any Web site can read your browser history. Now there is indeed an information leak and no Web site should get access to history information. But this leak is very small. It doesn’t reveal the history altogether to anyone daring to ask. The CSS history issue only gives us an oracle. We can ask the oracle whether a particular URL is in the history or not. So to find out that you’ve read this blog post we would have to ask the oracle about the precise URL of this post.

Nonetheless demonstrations of the history hack impress people. The trick is simple and similar to the cold reading technique. History hack demos use a set of URLs that leads to a hit for almost every Internet user on the world: Google, YouTube, Microsoft, Wikipedia, Flickr, Apple, Slashdot, Amazon, and so on. A mentalist would guess and suggest these until you start giving feedback on which to hook. The CSS history hack replaces this interaction with asking the oracle to avoid wrong guesses. The trick is really to use a set of Web sites that guarantees a hit, and use a minor information leak to remove the wrong guesses from the set that would spoil the effect. This works well with the top 20/top 50/top 1000 sites on the Web, but it won’t scale to arbitrary URLs.

Swiss Cheese Security

Classifier Security Model, English, Forschung, IT, Security, Unterwegs, , , , ,

I’m off for the New Security Paradigms Workshop in Oxford, where I will present what I currently call the Swiss Cheese security policy model. My idea is to model security mechanisms as classifiers, and security problems in a separate world model as classification problems. In such a model we can (hopefully) analyze how well a mechanism or a combination of mechanisms solves the actual problem. NSPW is my first test-driving of the general idea. If it survives the workshop I’m going to work out the details. My paper isn’t available yet; final versions of NSPW papers are to be submitted a few weeks after the workshop.

Production-safe Testing

English, IT, Safety, Security, Testlabor, , , , , ,

[See only posts in English]

Software testers increasingly have to deal with production systems. Some tests make sense only with production systems, such as Nessus-style vulnerability scanning. And an increasing number of systems is hard to reproduce in a test bed as the system is really a mashup of services, sharing infrastructure with other systems on various levels of abstraction.

Testing production systems imposes an additional requirement upon the tester, production safety. Testing is production-safe if it does not cause undesired side-effects for the users of the tested or any other system. Potential side effects are manifold: denial of service, information disclosure, real-world effects caused by test inputs, or alteration of production data, to name just a few. Testers of production systems therefore must take precautions to limit the risks of their testing.

Unfortunately it is not yet very clear what this means in practice. Jeremiah Grossman unwittingly started a discussion when he made production-saftey a criterion in his comparison of Website vulnerability assessment vendors. Yesterday he followed up on this matter with a questionnaire, which is supposed to help vendors and their clients to discuss production-safety.

The time is just right to point to our own contribution to this discussion. We felt a lack of documented best practice for production-safe testing, so we documented what we learned over a few years of security testing. The result is a short paper, which my colleague and co-author Jörn is going to present this weekend at the TAIC PART 2009 conference: Testing Production Systems Safely: Common Precautions in Penetration Testing. In this paper we tried to generalize our solutions to the safety problems we encountered.

The issue is also being discussed in the cloud computing community, but their starting point is slightly different. Service providers might want to ban activities such as automated scanning, and deploy technical and legal measures to enforce such a ban. They have good reason to do so, but their users may have equally good reason to do security testing. One proposal being discussed is a ScanAuth API to separate legitimate from rogue scans. Such an API will, however, only solve the formal part of the problem. Legitimate testing still needs to be production-safe.

Car-Security

English, Erich fragt, Forschung, Freundlich zum Nutzer, Safety, Security, Vertrauen

Yesterday I visited the CAST-Workshop on mobile security for intelligent cars, which ended with a very interesting discussion that illustrated the complexity of the problem and raised many interesting questions. First the speakers gave a good overview over the main research areas and important projects like Evita or SIM-TD, which is said to be the biggest field test world wide, that focusses on car-2-x-communication. Everybody agreed on the main distinctions (Safety vs. Security; in-car communication, car2car communication, etc.) and privacy issues were the main topic. As Frank Kargl  from the University of Ulm pointed out, the car has a strong connection to its owner and its movements might tell a lot about the individual. Already privacy concerns have entered the car world, because navigation tools send home gps information and companies like Tom Tom generate a large data collection.

Car-Security weiterlesen

Unterschätzte Risiken: Tresore

Nebenwirkung, Risiko, Security, Unterschätzte Risiken, Werkbank,

Kleine Geldbeträge gehören in die Schublade und nicht in einen teuren Tresor:

»In der Nacht zum Donnerstag sind Unbekannte in ein Freibad in Bad Hersfeld eingebrochen. Sie knackten den Tresor und verschwanden mit der Beute.

(…)

In dem Tresor befanden sich mehrere hundert Euro Bargeld. Die Täter entkamen mit der Beute. Der Sachschaden beträgt mindestens 6.500 Euro.«

(HR: Einbruch: Tresor in Schwimmbad ausgeräumt)

Das ist allerdings ein Einzelfall, den wir obendrein noch rückwirkend betrachten. Welches Risiko der ängstliche Tresorbenutzer und der unbekümmerte Schubladenverwender jeweils insgesamt eingehen, wäre noch zu überlegen.

Strategischer Datenverlust

Archivierung, Forschung, Fundbüro, Risiko, Security

Ob das eine großer Vertuschung ist oder nur eine aufgeblasene Nebensächlichkeit, möchte ich nicht beurteilen, ebenso wenig ob es sich um Schlamperei oder Absicht handelt:

»The world’s source for global temperature record admits it’s lost or destroyed all the original data that would allow a third party to construct a global temperature record. The destruction (or loss) of the data comes at a convenient time for the Climatic Research Unit (CRU) in East Anglia – permitting it to snub FoIA requests to see the data.«

(The Register: Global Warming ate my data)

Eine interessante Anregung zum Risikomanagement ist es allemal. Vielleicht ist der erwartete Schaden ja geringer, wenn die Daten einfach weg sind.

Zahlen-TV

Security

Das einzelgängerische Mathematik-Genie Maximilian Cohen ist nichts Geringerem als einer universellen Weltformel auf der Spur, die Zugang zu den endgültigen Zusammenhängen des Seins verschaffen soll. Auf der Grundlage zu Berechnungen der Pi-Funktion hofft er, dahin vorzustoßen, »was die Welt im Innersten zusammenhält«.

TV-Tipp: Pi, 3Sat 22:55 Uhr

http://www.schnitt.de/202,2310,01

SOX – the new security standard

English, Forschung, Freundlich zum Nutzer, Fundbüro, Gadget, Propaganda, Security

Sock security has been troubling me for a long time. Endless sundays I have spent with the fight against the single sock syndrom. But those days are over. Thanks to a colleague I have discovered sockstar, the revolutionary tool to improve the lower department of your wardrobe-BCM – a simple thing that just does what it should, if you manage to integrate it into your business processes… [end of commercial] http://www.sockstar.de/