Hacking Cars Wirelessly

You may have noticed the net creeping into more and more of your devices.  It’s certainly common knowledge that computers have been making their way into more and more of our everyday objects: clothing, glasses, gift cards and cars.  Those computers are really only a first step; the next, naturally, is plugging them into our ever-growing network infrastructure.  With wireless connectivity comes the ability for those objects to communicate with the outside world, and with this being a security blog, you must know where I’m headed.

Whereas computers have been deeply embedded in cars for thirty-odd years now, it’s only recently that those computers have been able to communicate externally.  Now, with Bluetooth and ‘telematics’ (OnStar-style services) making their way into more and more vehicles, more and more of those vehicles are prone to remote attacks.  What’s truly unsettling is that by hijacking a vehicle through these attacks, the attacker gains control of a wide array of integral, safety-critical components, from steering to acceleration to braking, at the click of a button.

Those interested in seeing the attacks in motion can attend or tune into the Defcon hacker conference this coming weekend, where researchers from security firm IOActive will be demonstrating them on a 2010 Toyota Prius and a Ford Escape.  Funded by an $80,000 grant from DARPA, the researchers have documented everything required to perform the attacks and what may be necessary to make cars more resistant.

As the researchers’ report states, “By examining the CAN [controller area networks] on which the ECUs communicate, it is possible to send proprietary messages to the ECUs in order to cause them to take some action, or even completely reprogram the ECU… ECUs are essentially embedded devices, networked together on the CAN bus. Each is powered and has a number of sensors and actuators attached to them”.  In other words, the networks in these vehicles make no attempt to authenticate incoming messages, which may or may not contain directives that change the vehicle’s behavior.  The vehicle’s computers essentially take orders from anyone, regardless of where the signal originates.

Proper authentication is undoubtedly integral to maintaining safety of all kinds when dealing with network connectivity.


Shadow Passwords

Why would any self-respecting password want, or even need, a shadow?  The short answer is simple: a password on its own is usually not secure enough against being guessed by brute force.

Passwords are usually kept in hashed form in a table that anyone can read.  On the Unix platform this is the “/etc/passwd” file.

“To test a password, a program hashes the given password with the same “key” (salt) that was used to hash the password stored in the /etc/passwd file (the salt is always given as the first two characters of the password). Because the hashed passwords are not “decryptable”, authentication takes place by comparison. If the /etc/passwd/ file password matches the hashed login password, the user is granted access.” 1

This approach is reasonably secure, but there are ways to “crack” the passwords, such as a “dictionary attack”.  A dictionary attack takes a large set of candidate passwords (dictionary words and their common variations), hashes each of them and compares the hashed values until one matches a hash in the /etc/passwd file.

“For a good password, these types of attacks can take a long time (since, on most systems, there are literally over 10,000 trillion possible passwords). However, many users choose common words, combinations of common words, or variants on personal data for their passwords. These are easily cracked, often within a few hours.” 1

This weakness can be reduced by using an additional file known as the shadow password file.

“The actual hashed passwords, along with expiration data, are kept in a file that can only be read or used by root (the Unix Administrator account). Processes which require access to the shadow password file must be owned by root or be granted root level permissions before access is obtained, which provides much greater security against password snooping.” 1

Simply put, the password hashes are moved out of /etc/passwd into another file that only an administrator can read, usually /etc/shadow.  This protected file is the “shadow password” file.  If a would-be attacker can no longer read the hashed passwords, the offline brute-force “guessing” cannot happen.
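As an added illustration (not code from the original post), here is a constructed /etc/passwd entry beside its /etc/shadow entry, and the checks a verifier performs against the protected entry. The hash format "$demo$<salt>$<sha256 hex>" is a simplified stand-in for the real crypt(3) formats, chosen so the example runs anywhere.

```python
# Added example: shadow-file fields and a verifier that only root could run.
import hashlib
import hmac

SHADOW_FIELDS = ("name", "hash", "last_change", "min_age", "max_age",
                 "warn", "inactive", "expire", "reserved")


def make_hash(salt, password):
    # Salt leads the stored value (as in traditional crypt); the scheme tag
    # lets a verifier reject formats it does not understand.
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "$demo$%s$%s" % (salt, digest)


def parse_passwd(line):
    # With shadow passwords the second field is just "x": no hash is exposed
    # in the world-readable file.
    name, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    return {"name": name, "password": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def parse_shadow(line):
    # Day-count fields are days since the Unix epoch; empty means "not set".
    entry = dict(zip(SHADOW_FIELDS, line.rstrip("\n").split(":")))
    for key in SHADOW_FIELDS[2:8]:
        entry[key] = int(entry[key]) if entry[key] else None
    return entry


def verify(entry, password, today_days):
    # Expiration data lives only in the shadow file, so only a root-owned
    # (or root-privileged) verifier can enforce it.
    if entry["expire"] is not None and today_days >= entry["expire"]:
        return (False, "account expired")
    if (entry["max_age"] is not None and entry["last_change"] is not None
            and today_days > entry["last_change"] + entry["max_age"]):
        return (False, "password expired")
    _, scheme, salt, _ = entry["hash"].split("$")
    if scheme != "demo":
        return (False, "unsupported hash scheme")
    # Authentication is by comparison of hashes, never by "decrypting".
    if not hmac.compare_digest(make_hash(salt, password), entry["hash"]):
        return (False, "bad password")
    return (True, "ok")


# Constructed sample entries for user "alice" (password "correct horse").
PASSWD_LINE = "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash"
SHADOW_LINE = "alice:%s:15950:0:90:7::16200:" % make_hash("Ab", "correct horse")

if __name__ == "__main__":
    print(parse_passwd(PASSWD_LINE)["password"])        # x
    entry = parse_shadow(SHADOW_LINE)
    print(verify(entry, "correct horse", 16000))        # (True, 'ok')
    print(verify(entry, "wrong", 16000))                # (False, 'bad password')
    print(verify(entry, "correct horse", 16300))        # (False, 'account expired')
```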


  1. http://kb.iu.edu/data/aezz.html
  2. http://searchsecurity.techtarget.com/definition/shadow-password-file


Yahoo’s Risky Plans to Release Inactive Accounts (Update)

Two weeks ago we reported on Yahoo’s latest and frankly scary plans to release the plethora of inactive accounts that exist under their services so that others may acquire them.  Why would you want them? Well, now’s your chance to grab that elegant ‘albert@yahoo.com’ name you missed out on, and abandon that ugly, hard to remember alternative you ended up with, i.e. ‘albert2018471’.  Should you though?

This situation has Yahoo walking a fine line between convenience and insecurity.  Although they’ve since described more of their strategy, and insist it will all be done safely, that strategy is a convoluted one, possibly with some loose ends still.

Starting last Monday, the rush for recycled Yahoo IDs began.  Users can now go to wishlist.yahoo.com and request up to five account names they would like to own, which will be granted on a first come, first served basis.  For now, only one recycled account is available per user.  As we previously reported, the lucky winners of available addresses will receive them on August 14th if they still wish to claim them.

Undoubtedly fueled by the widespread criticism of their move to redistribute previously used accounts, Yahoo also released statements on Monday detailing their methods for preventing those accounts from being used as an aid to identity theft.  In collaboration with Facebook, Yahoo announced, they have developed a special email header field called ‘Require-Recipient-Valid-Since’, which serves as a way to validate whether the would-be recipient of a message is the previous or the current account holder.

Detailed in a blog post, Yahoo describes how the email header field works:

If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email, and the new header would signal to Yahoo! to check the age of the account before delivering the mail. Facebook users typically confirm their email when they sign up for the service or add new emails to their account, and if the “last confirmed” date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, then the email will not be delivered and will instead bounce back to Facebook, who will then contact the user by other means.

They go on to state that Facebook will be implementing this as well, and that the idea is a new standard to be published with the IETF (Internet Engineering Task Force).
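As an added example (not code from Yahoo, Facebook or the original post), here is the receiving side of the check described above: the mail server compares the sender’s “last confirmed” date against when the recipient address was last assigned. The header layout assumed here, “address; RFC 5322 date”, is the one the IETF later standardized in RFC 7293; the ownership table and messages are constructed sample data.

```python
# Added example: applying Require-Recipient-Valid-Since on a recycled address.
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RRVS = "Require-Recipient-Valid-Since"

# Constructed: when each address was last assigned to its current owner.
OWNER_SINCE = {
    "albert@yahoo.example": datetime(2013, 8, 14, tzinfo=timezone.utc),   # recycled ID
    "albert2018471@yahoo.example": datetime(2009, 3, 2, tzinfo=timezone.utc),
}


def parse_rrvs(value):
    # "user@example; Mon, 03 Jun 2013 10:00:00 +0000" -> (address, aware datetime)
    address, _, date_str = value.partition(";")
    confirmed = parsedate_to_datetime(date_str.strip())
    if confirmed.tzinfo is None:            # a "-0000" zone parses as naive UTC
        confirmed = confirmed.replace(tzinfo=timezone.utc)
    return address.strip().lower(), confirmed


def decide(raw_message, envelope_rcpt):
    # Returns ("deliver" | "bounce", reason) for one recipient of the message.
    rcpt = envelope_rcpt.lower()
    owner_since = OWNER_SINCE.get(rcpt)
    if owner_since is None:
        return ("bounce", "no such account")
    header = message_from_string(raw_message).get(RRVS)
    if header is None:
        return ("deliver", "sender requested no validity check")
    address, confirmed = parse_rrvs(header)
    if address != rcpt:
        return ("deliver", "header names a different recipient; ignored")
    if confirmed < owner_since:
        # The sender confirmed this address with a *previous* owner: do not
        # hand a password-reset link to whoever now holds the recycled ID.
        return ("bounce", "address changed hands since %s" % confirmed.date())
    return ("deliver", "address confirmed after current ownership began")


# Constructed sample: a reset mail whose sender last confirmed the address
# in June 2013, before the recycled ID was handed out on 14 August 2013.
RESET_MAIL = """\
From: security@social.example
To: albert@yahoo.example
Subject: Password reset
Require-Recipient-Valid-Since: albert@yahoo.example; Mon, 03 Jun 2013 10:00:00 +0000

Click the link below to reset your password.
"""

if __name__ == "__main__":
    print(decide(RESET_MAIL, "albert@yahoo.example"))                 # bounce
    old_id_mail = RESET_MAIL.replace("albert@", "albert2018471@")
    print(decide(old_id_mail, "albert2018471@yahoo.example"))         # deliver
```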

Does their revamped approach make this situation a safe one? It certainly patches some security holes, but I can’t imagine the solution covers all of the many ways this event could be exploited.  For example, not every social media or financial website maintains a record of the ‘last confirmed’ date for its registered accounts (though they should).

Email, these days, is largely treated as a credential: countless sites use it as a mechanism to authenticate users in some way.  That said, is this a responsible move on Yahoo’s part, regardless of how they try to secure it? Time will tell.

Password Stretching

Is password stretching something that happens when your waist line gets too big for the original password?  No, of course not, but it does “expand” the size of the password known by the user.

Password stretching is designed to increase the strength of a weak, “user chosen” password.  Stretching the password makes a brute force attack (trying all combinations of characters to produce every possible password) more difficult.  It won’t make the attack impossible, but having the stretching in place makes the verification of each password take longer.  The user who knows the password sees only a slight delay, but a “criminal” user has to endure that delay for every password combination they attempt.

So, how does this password stretching work?

Password stretching starts by passing the original password into an algorithm.  It is imperative that the algorithm takes a fixed, deliberately long amount of time every time it is applied.  A couple of seconds for a user who knows their password shouldn’t be cause for alarm, but compound that couple of seconds with the massive number of candidates a brute force attack has to try and you have a significant obstacle.  The output of the algorithm is the “stretched” password.  This much longer value has to be large enough that guessing it by brute force is practically impossible.  We are talking at least 128 bits.  Finally, there must be no shortcut for computing the “stretched” password.  Otherwise, a would-be attacker could find a way around the obstacle the stretching algorithm imposes.

Salting a password has been discussed in a previous blog article and is commonly used in conjunction with password stretching to further increase the strength of the password.
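As an added example (not code from the original post), here is password stretching with PBKDF2-HMAC-SHA256 from the Python standard library, combined with a salt as the article suggests. The iteration count is the “always takes a certain amount of time” knob; the sample passwords, salts and iteration counts are constructed.

```python
# Added example: stretch, store, verify, and estimate the attacker's cost.
import hashlib
import hmac
import os
import time


def stretch(password, salt, iterations, length=32):
    # Deterministic: same password + salt + iterations always gives the same
    # 256-bit output (more than the 128 bits the text calls for). Each round
    # feeds the next, so there is no shortcut around the iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=length)


def make_record(password, iterations, salt=None):
    # What a verifier stores instead of the raw password: salt, cost, output.
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "iterations": iterations,
            "key": stretch(password, salt, iterations)}


def verify(record, password):
    # Re-stretch the candidate with the stored salt and cost, then compare in
    # constant time; the legitimate user pays this delay once per login.
    candidate = stretch(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def seconds_per_guess(iterations, samples=3):
    # Wall-clock cost of one stretch at this iteration count (median of samples).
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        stretch("timing-probe", b"constructed-salt", iterations)
        times.append(time.perf_counter() - start)
    return sorted(times)[samples // 2]


def brute_force_hours(per_guess_seconds, alphabet_size, length):
    # Time to try every password of a given length at the measured cost: the
    # delay the attacker must endure for every single combination.
    return alphabet_size ** length * per_guess_seconds / 3600.0


if __name__ == "__main__":
    record = make_record("hunter2", iterations=200_000)
    print(verify(record, "hunter2"), verify(record, "hunter3"))   # True False
    cost = seconds_per_guess(200_000)
    print("one guess: %.3fs" % cost)
    # Eight lowercase letters (26**8 candidates) at this cost, in hours:
    print("exhaustive search: %.0f hours" % brute_force_hours(cost, 26, 8))
```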

If you are interested, here are more resources on Password Stretching:

http://blog.zoller.lu/2012/06/storing-password-securely-hashses-salts.html

http://world.std.com/~reinhold/HEKSproposal.html

http://strem.in/stream/show/1332

Your Password is Obsolete

Your password is obsolete, or so says this infographic we’d like to share, with data compiled by Backgroundcheck.org earlier this year.  We’re certainly no strangers to this topic, having posted our own take on the subject in January, titled The Death of the String Password.  We can’t take credit for the idea either, as Bill Gates was quoted predicting similar things as early as the RSA Security conference in 2004.  Speaking about the oncoming popularity of two-factor authentication technologies, Gates said that “There is no doubt that over time, people are going to rely less and less on passwords”.

Says the infographic: “Some say 2012 may have been the year the password broke.  With password leaks and dumps becoming common occurrences our lives are simply becoming too easy to crack.  The string of characters you use as a password can’t protect you anymore.”  And they’re right, especially with the onset of cloud computing and having dozens of online accounts; it’s a wonder the arrays of hard-to-remember mixes of capitals, symbols and numbers have lasted us this long in the first place.  It’s simply impractical, and increasingly unsafe.

Whereas a series of replacements for the password have been suggested over the years, from picture passwords to ‘fastwords’ and biometrics, it would seem that two-factor authentication with (hardware or software) tokens has for now grabbed the attention of most organizations hoping to remain secure and progressive with their authentication systems.  As we’ve also previously reported, Google, Twitter and other major enterprises have already been introducing (and hoping to make the default) two-factor authentication options that use OTP- and TOTP-generating authenticators.

Have a look at the infographic and see for yourself just why your password isn’t protecting you anymore.

Yahoo's Risky Plans to Release Inactive Accounts

Shortly, search engine behemoth Yahoo! Inc will be making a large push to release and reset the Yahoo! Account IDs of users who have been inactive for longer than the previous 12 months.  What does this mean? Well, it means a few things, some good, and most bad.

The good, as Yahoo! puts it, is that users will finally score the “opportunity to sign up for the Yahoo! ID they’ve always wanted.”  This means that during the release, all the nice, convenient, ‘high-demand’ usernames that have been spoken for all this time will begin to become available again.  Now, the unfortunate account holder for albert9330399@yahoo.com can hope to acquire that far nicer and simpler albert@yahoo.com account.  By the middle of this month, users can start filing claims on the Yahoo IDs they want, and will find out by mid-August whether they’ll receive them.  Yahoo! claims they will be taking the necessary steps to ensure the transition is secure, as stated last month:

“Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”

But can they really ensure a totally safe and secure recycling process? They can cover things on their end, sure, by erasing personal data and mailboxes, but that’s only a portion of what makes this shift so hazardous.  The real issue is the traces the previous owner left across the Internet.  Chances are, those previously used IDs were used to register for accounts on other sites, which are unaware that a transition has taken place.  Whoever acquires such a previously used address can then scour the net for sites on which it was registered, and gain access by completing the familiar ‘Forgot Password – An email has been sent with a password reset link’ process.  Once the attacker finds some personal information within that account, or perhaps an alternative address still in use by the previous owner, they’ve breached the first line of identity-theft defense, and are free to traverse, and likely access, the remaining links in the user’s identity chain.

It’s especially disconcerting to think that Yahoo! is the one that will be handing out these opportunities by the thousands next month.


Possible First Password Breach

Have you ever wondered how long passwords have been around, and when it was first discovered that they are not as secure as once thought?

Some say the computer password was first invented at MIT in the mid-1960s.  Further back than that, Shakespeare opened his famous play Hamlet with Barnardo identifying himself to Francisco with the phrase “Long live the King”.

Fast forward 300+ years to MIT, where we understand that passwords were perhaps first used to control access to the massive time-sharing computer system called CTSS.

According to Fernando Corbató (the man who led the CTSS project), even though the MIT computer hackers were breaking new ground with much of what they did, passwords were pretty much a no-brainer. “The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files.  Putting a password on for each individual user as a lock seemed like a very straightforward solution.”1

In 1962, it is believed, perhaps the first data breach occurred on this now-ancient CTSS.  Allan Scherr wanted a way to increase his allotted time on the CTSS.  This is how he remembers it:

“There was a way to request files to be printed offline by submitting a punched card,” he remembered in a pamphlet written last year to commemorate the invention of the CTSS. “Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.”1  Imagine that happening today.  Not with all the gyrations and fancy storage today’s passwords are subject to.  We have come a long way since 1960.

“To spread the guilt around, Scherr then handed the passwords over to other users.  One of them — J.C.R. Licklider — promptly started logging into the account of the computer lab’s director Robert Fano, and leaving “taunting messages” behind.”1

Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”1

It’s always interesting to pick your head up once in a while and take a look back at where we have come from.  If the trail isn’t too winding and hilly, we can see quite a ways behind us.  Or, in this case, we can see how well history was documented and preserved.

REFERENCES

  1. http://www.wired.com/wiredenterprise/2012/01/computer-password/

What are Picture Passwords?

Picture passwords are quite a break from the normal password consisting of alphanumeric characters and symbols typed into an authentication dialog.  There are no lengthy and complicated sequences of characters to memorize.  Instead, a user looks at a picture of their choice and touches it with patterns and gestures they set up themselves initially.  Logging in every morning by touching a picture of your favorite person, thing or action doesn’t sound nearly as daunting as memorizing and typing a traditional password.  Here are some thoughts on what others are saying about this relatively new security technology.

“By using one of your own photos from your computer on a touchscreen system, Picture Password prompts users to set up three gestures users can draw with their finger, combining a tap, a line drawn, or a circle drawn. After creating the specific combination of user-determined drawn patterns, a password is set requiring only a fingertip and no typed passwords which Microsoft says is exponentially more secure.”1

“You can use a picture password in Windows 8 and Windows RT, so that even signing in to your PC is more personal. Because you choose the picture and the shapes you draw on it, the combinations are infinite—a picture password is actually more secure from hackers than a traditional password. You can draw a picture password directly on a touchscreen with your finger, or you can use a mouse to draw your shapes.”2

“Picture Password Lockscreen allows you to unlock your phone by drawing gestures such as points, lines, and circles on your chosen images. It frees users from the traditional and less secure unlock methods because there are close to an infinite number of combinations of gestures. It provides an effective layer of protection against the two most common methods of illegally gaining access to a device: brute-force password hacking and shoulder-surfing. Forget PIN codes or patterns, you can now draw points, lines, and/or circles to unlock your phone.”3

Windows 8 on a touch screen device supports picture passwords as do the iPhone, Blackberry and other popular hand held devices.


How usable is it?

Time will tell for sure, but at first thought, touching a screen in a pattern that only you know sounds like it would be very usable.  Here is the introduction to a research paper that holds, and tries to verify, the same opinion:

“Users gain access to cash, confidential information and services at Automated Teller Machines (ATMs) via an authentication process involving a Personal Identification Number (PIN). These users frequently have many different PINs, and fail to remember them without recourse to insecure behaviours. This is not a failing of users. It is a usability failing in the ATM authentication mechanism. This paper describes research executed to evaluate whether users find multiple graphical passwords more memorable than multiple PINs. The research also investigates the success of two memory augmentation strategies in increasing memorability of graphical passwords. The results demonstrate that multiple graphical passwords are substantially more effective than multiple PIN numbers. Memorability is further improved by the use of mnemonics to aid their recall. This study will be of interest to HCI practitioners and information security researchers exploring approaches to usable security. Author Keywords Usable security, user authentication, graphical passwords.”6


How secure is it?

As with all security implementations, the technology is only as secure as the way it is used.  Picking a random picture that reveals nothing about your life or personality might make it harder for an attacker to guess your password.  Choosing patterns and gestures that are not intuitive to others, but easy for you to remember, will also make using picture passwords more secure.

People have plenty of pros and cons to weigh in on this topic.  Here are just a few:


“Potential weakness: predictable passwords. I expect the primary weakness is likely to be that users choose a “picture password” that is guessable or predictable. If the user chooses a predictable set of locations/gestures, someone may be able to guess the “picture password”.”4

“Because human beings live and interact in an environment where the sense of sight is predominant for most activities, our brains are capable of processing and storing large amounts of graphical information with ease. While we may find it very hard to remember a string of fifty characters, we are able easily to remember faces of people, places we visited, and things we have seen. These graphical data represent millions of bytes of information and thus provide large password spaces. Thus, graphical password schemes provide a way of making more human-friendly passwords while increasing the level of security.”5


REFERENCES:

  1. http://agbeat.com/social-media/evolution-of-the-password-algorithm-uses-pictures-not-typed-words/
  2. http://windows.microsoft.com/en-us/windows-8/picture-passwords#1TC=t1
  3. https://play.google.com/store/apps/details?id=com.TwinBlade.PicturePassword&hl=en
  4. http://security.stackexchange.com/questions/20228/how-secure-is-windows-8s-picture-password-login
  5. http://rutgersscholar.rutgers.edu/volume04/sobrbirg/sobrbirg.htm
  6. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.106.1477