Security

PwdHash browser extension

This is cute: PwdHash is a browser extension that will replace text entered into a password field with a hash of the password + domain name of the website. That lets you use a single password for different sites without revealing, say, your PayPal password to your bank and vice versa. As the creators point out, this is also pretty good protection against phishing scams (they’ll collect the wrong password because their domain is different). It’s still vulnerable to pharming and other attacks that poison your DNS or web cache results, but their paper goes into all sorts of clever attacks that they do try to defend against, like JavaScript and dictionary attacks.

(by way of the Mercury News)

MD5 collision for two meaningful documents

Researchers at RUB and the University of Mannheim have a nice demonstration of how the recently discovered attack on the MD5 hash function can be used to fool someone into signing one document when they think it’s another:

Recently, the world of cryptographic hash functions has turned into a mess. A lot of researchers announced algorithms (“attacks”) to find collisions for common hash functions such as MD5 and SHA-1 (see [B+, WFLY, WY, WYY-a, WYY-b]). For cryptographers, these results are exciting – but many so-called “practitioners” turned them down as “practically irrelevant”. The point is that while it is possible to find colliding messages M and M’, these messages appear to be more or less random – or rather, contain a random string of some fixed length (e.g., 1024 bit in the case of MD5). If you cannot exercise control over colliding messages, these collisions are theoretically interesting but harmless, right? In the past few weeks, we have met quite a few people who thought so.

With this page, we want to demonstrate how badly wrong this kind of reasoning is! We hope to provide convincing evidence even for people without much technical or cryptographical background.

Their method is simple and clever. They use the newly discovered attack to generate two random strings that have the same hashed value (say R1 and R2). Then they put those at the start of a document in a “high-level” document description language like PostScript and tack on something along the lines of “if the previous value was R1, print an innocuous message I can get signed, otherwise print the real message I want signed.” A well-known weakness of the MD5 algorithm is that if R1 and R2 have the same hash value then R1 + some text will have the same hash value as R2 + the same text, so depending on whether they use R1 or R2 as their preamble they get two very different messages with the same hash value.
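The structural property behind this can be shown with a toy iterated hash; the sketch below is an added example, not the researchers' code. It assumes a deliberately tiny 16-bit chaining value and 8-byte blocks so a colliding pair is found instantly, and `render` is a hypothetical stand-in for the PostScript conditional.

```python
import hashlib
from itertools import count

BLOCK = 8            # toy block size in bytes (MD5 uses 64)
IV = b"\x00\x00"     # toy 16-bit chaining value (MD5 uses 128 bits)

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function, truncated so collisions are cheap to find."""
    return hashlib.md5(state + block).digest()[:2]

def toy_hash(msg: bytes) -> bytes:
    """Iterated hash with simplified length padding: 0x80, zeros, length."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 2) % BLOCK) + len(msg).to_bytes(2, "big")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_colliding_blocks():
    """Search for R1 != R2 that leave the hash in the same internal state."""
    seen = {}
    for n in count():
        block = n.to_bytes(BLOCK, "big")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block

def make_doc(preamble: bytes, r1: bytes) -> bytes:
    """Preamble followed by a body that is byte-identical in both documents."""
    return preamble + b"|" + r1.hex().encode() + b"|harmless memo|real contract"

def render(doc: bytes) -> bytes:
    """Stand-in for the PostScript conditional: pick the text by preamble."""
    _, r1_hex, innocuous, real = doc[BLOCK:].split(b"|")
    return innocuous if doc[:BLOCK].hex().encode() == r1_hex else real

if __name__ == "__main__":
    r1, r2 = find_colliding_blocks()
    for doc in (make_doc(r1, r1), make_doc(r2, r1)):
        print(toy_hash(doc).hex(), render(doc))
```

Because both preambles are exactly one block long and end in the same chaining value, every block processed after them, including the length padding, produces the same state, which is why a signature over the hash covers both documents.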

Borrowed Ladder

Today’s NYT article Social Security: Migrants Offer Numbers for Fee seriously reminds me of the “borrowed ladder” concept from the movie GATTACA:

Mr. Luviano, 39, obtained legal residence in the United States almost 20 years ago. But these days, back in Mexico, teaching beekeeping at the local high school in this hot, dusty town in the southwestern part of the country, Mr. Luviano is not using his Social Security number. So he is looking for an illegal immigrant in the United States to use it for him — providing a little cash along the way.

Encryption for RFID Passports

According to an article in today’s Wired, the discussions with Frank Moss at this year’s CFP conference actually had an impact. The State Department is now moving towards embracing the Basic Access Control security scheme, which essentially encrypts communication with the RFID chip using a key obtained by physically scanning a page on the passport itself. Definitely a step in the right direction.

One bit of the Wired article is wrong (or at least misleading) though:

Moss said the German government and other members of the European Union had embraced BAC because they planned to write more data to the chip than just the written data that appears on the passport photo page. Many countries plan to include at least two fingerprints, digitized, in their passport chips.

At CFP, Moss said the US passport RFID chip would include not only the written data on the passport’s main page but also a digital photograph, which presumably isn’t significantly fewer bits than a couple fingerprints (not that I’ve looked up the specs to check sizes).

Schneier on the failure of two-factor authentication

I’d not heard the term “two-factor authentication” before, but it turns out it’s just using two passwords, one you make yourself and one you get from somewhere else. The little key-fobs that give you a new password every 60 seconds are an example, as are the less technological printed lists of one-use passwords that have been around for years. In the latest Crypto-Gram, Bruce Schneier argues that two-factor authentication “solves the security problems we had ten years ago, not the security problems we have today.” In particular, it does nothing to stop phishing (Man-in-the-middle) attacks or trojan horses.

I suppose solving security problems from ten years ago is better than not solving those problems, but at best it should be viewed as a stop-gap (and the cost of rolling out such measures should be weighed with that in mind).

Update 3/18/05: as a commenter pointed out, two-factor authentication isn’t really the use of two passwords so much as two authentication methods. I was basically paraphrasing the PC World article, and I should really know better.

“Bumping” lock-picking paper

Bruce Schneier links to a paper on refinements to bumping, a lockpicking technique for pin-and-tumbler locks where you insert a specially filed-down key and give it a quick whack to bounce the top pins out of the way. The principle is the same as a lockpick gun, though the authors claim it works better.

I haven’t played with lockpicks since my undergrad days, but I’ll probably play around with their method and see how well it works. The biggest question I have is how much wear and tear this method causes to the lock vs. other methods — the paper suggests some ways to limit damage to the lock but it still seems like it’d be worse than the lockpick gun since the driving force is side-long (into the lock) rather than straight up. Still, it’s got to be better than raking the lock. (I remember back when I was an undergrad at MIT there was one door in particular that needed its locks replaced every couple years due to the number of people raking it — most of the better pickers didn’t rake for just that reason.)

Device fingerprinting using clock skew

This is a cute hack — these guys are able to “fingerprint” a networked device just by looking at how quickly its clock loses or gains time compared to the true time (its clock skew).

Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.

Link by way of Mitch Kapor, who unlike me isn’t so enamored by the elegance of their technique as to ignore the obvious security and privacy implications.

Major Firefox Security Vulnerability

There’s a nasty phishing exploit that was made public yesterday that lets anyone fake any domain including SSL certificates. The problem comes out of international domain name support and the fact that the English letter a and the Cyrillic letter а look almost identical. It affects pretty much every web browser except IE and Lynx, which don’t support international domain names yet. (If you installed the IE plugin for IDN support, you’re still vulnerable.)

The phishing attack is really simple. Domain names can now include non-Latin characters, which are mapped back into a “common name” so it’s backwards-compatible. So, for example, the Latvian domain name in http://tūdaliņ.lv translates into the common name http://xn--tdali-d8a8w.lv/. So all you have to do is register something like the domain www.xn--pypal-4ve.com and then send people to the innocuous-looking www.pаypal.com. (Course, if you’ve already fixed your browser you won’t be able to follow the link anymore….) If you look carefully or if your browser isn’t displaying this page as Unicode you can see the letter а is in a different font (in fact, it’s a Cyrillic “a”).

Temporary fix for Firefox:

  1. Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the config page.
  2. Scroll down to the line beginning network.enableIDN — this is International Domain Name support, and it is causing the problem here. We want to turn this off — for now. Ideally we want to support international domain names, but not with this problem.
  3. Double-click the network.enableIDN label, and Firefox should change it to false. (If you get a dialog box, just change it to false yourself.)

You can check to see if you’re vulnerable by going to the website http://www.shmoo.com/idn/

Update: It turns out the fix I listed does not work in at least some versions of Firefox (sigh). The user preference gets set all right, but for some reason Firefox ignores it. Tech.Life.Blogged has posted both a somewhat kludgy workaround that at least disables IDN support until you install a new plug-in, and a nicer fix that just involves installing the AdBlocker extension and configuring it to block URLs that contain characters outside of the normal ASCII.

Longer term we really need a preference that paints the address-bar or otherwise warns us when a domain contains characters from more than one language set — that’d solve both the problem of pаypal and the equivalent domain that’s all Cyrillic except for the Latin character a.
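One way to implement that kind of check, as an added example that is not taken from Firefox or from any extension mentioned here: it decodes `xn--` labels, flags any label whose letters come from more than one script, and returns the ASCII form for display. The function names are hypothetical, and using the first word of each Unicode character name as the script is an approximation made for this sketch.

```python
import unicodedata

def to_unicode(hostname: str) -> str:
    """Decode xn-- (punycode) labels so the check sees the real characters."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname

def label_scripts(label: str) -> set:
    """Scripts of the letters in one label, approximated from character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def mixed_script_labels(hostname: str) -> dict:
    """Map each label that mixes scripts to the sorted scripts it contains."""
    findings = {}
    for label in to_unicode(hostname).split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings[label] = sorted(scripts)
    return findings

def display_form(hostname: str) -> str:
    """ASCII (punycode) form of the name, safe to show in an address bar."""
    return to_unicode(hostname).encode("idna").decode("ascii")

if __name__ == "__main__":
    # Constructed samples: the spoof uses U+0430 (Cyrillic a) in place of "a".
    samples = ["www.paypal.com", "www.p\u0430ypal.com",
               "www.xn--pypal-4ve.com", "t\u016bdali\u0146.lv"]
    for host in samples:
        print(display_form(host), mixed_script_labels(host) or "single script")
```

The Latvian name passes because accented Latin letters are still Latin; a writing system that routinely combines scripts would be flagged by this simple rule, so treat a finding as a prompt to show the punycode form rather than as proof of spoofing.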

Update 2/15/05: Sounds like one of the original authors of IDN, Paul Hoffman, has proposed something that goes one better than what I was proposing: highlight characters from different languages in different colors. That way it’s not a “warning” (and constant false alarm for languages that routinely mix character-sets) but still stands out if you weren’t expecting it. (Thanks to Boing Boing for the link.)

Update 2/26/05: Firefox 1.01 has been released with a fix — now punycode appears on the URL line as the encoded www.xn--pypal-4ve.com (it can be changed back to the old display in the configuration). While not as pretty as Hoffman’s solution, it’ll work. Note also that Shmoo has stopped hosting https://www.pаypal.com, though they still have a test link up at http://www.shmoo.com/idn/.