CISA provides no solutions, just new excuses. The new Australian smartcard system is a total disaster & why Google’s URLs are so crazy.
Plus some great questions, our answers, a rockin’ round up & much, much more!
— Show Notes: —
CISA: “Cybersecurity Information (Over)Sharing Act”
- On Tuesday afternoon, the Senate voted 74 to 21 to pass a version of CISA that roughly mirrors legislation passed in the House earlier this year, paving the way for some combined version of the security bill to become law.
- CISA is designed to stem the rising tide of corporate data breaches by allowing companies to share cybersecurity threat data with the Department of Homeland Security, who could then pass it on to other agencies like the FBI and NSA.
- But privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users’ privacy.
- The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.”
- Critics of CISA say the devil is in the details, or rather in the raft of amendments that may be added to the bill before it’s passed. The Center for Democracy & Technology (CDT), a nonprofit technology policy group based in Washington, D.C., has published a comprehensive breakdown of the proposed amendments and their potential impacts.
- CDT says despite some changes made to assuage privacy concerns, neither CISA as written nor any of its many proposed amendments address the fundamental weaknesses of the legislation. According to CDT, “the bill requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the National Security Agency (NSA), other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill.”
- On the surface, efforts to increase information sharing about the latest cyber threats seem like a no-brainer.
- If only there were an easier way, we are told, for companies to share so-called “indicators of compromise”
- In practice, however, there are already plenty of efforts — some public, some subscription-based — to collect and disseminate this threat data.
- How Krebs sees it: the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation.
- The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches.
- Rather than encouraging companies to increase their own cybersecurity standards, the professors wrote, “CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network.”
- CISA Security Bill Passes Senate With Privacy Flaws Unfixed
- Additional Coverage: ThreatPost
Australian PLAID Crypto, ISO Conspiracies, and German Tanks
- PLAID (Protocol for Lightweight Authentication of ID), the Australian ‘unbreakable’ smart card identification protocol has been recently analyzed in this scientific paper
- Technically, the protocol is a disaster. In addition to many questionable design choices, we found ways for tracing user identities and recovering card access capabilities. The attacks are efficient (few seconds on ‘home’ hardware in some cases), and involve funny techniques such as RSA moduli fingerprinting and… German tanks. See this entry on Matt Green’s crypto blog for a pleasant-to-read explanation.
- PDF: Unpicking PLAID: A Cryptographic Analysis of an ISO-standards-track Authentication Protocol
- “when a reader queries the card, the reader initially transmits a set of capabilities that it will support (e.g., ‘hospital’, ‘bank’, ‘social security center’). If the PLAID card has been provisioned with a matching public key, it goes ahead and uses it. If no matching key is found, however, the card does not send an error — since this would reveal user-specific information. Instead, it fakes a response by encrypting junk under a special ‘dummy’ RSA public key (called a ‘shill key’) that’s stored within the card. And herein lies the problem.”
- “You see, the ‘shill key’ is unique to each card, which presents a completely new avenue for tracking individual cards. If an attacker can induce an error and subsequently fingerprint the resulting RSA ciphertext — that is, figure out which shill key was used to encipher it — they can potentially identify your card the next time they encounter you.”
- “To distinguish the RSA moduli of two different cards, the researchers employed an old solution to a problem called the German Tank Problem. As the name implies, this is a real statistical problem that the allies ran up against during WWII. The problem can be described as follows: Imagine that a factory is producing tanks, where each tank is printed with a sequential serial number in the ordered sequence 1, 2, …, N. Through battlefield captures you then obtain a small and (presumably) random subset of k tanks. From the recovered serial numbers, your job is to estimate N, the total number of tanks produced by the factory.”
- But the story behind PLAID’s standardization is possibly even more disturbing. PLAID was pushed into ISO with a so-called “fast track” procedure. Technical loopholes made it possible to cut off from any discussion the ISO groups responsible for crypto and security analysis. Concerns from tech-savvy experts in the other national panels were dismissed or ignored.
- The author of the post contacted ISO and CERT Australia before going public with our paper, but all we got was a questionable and somewhat irate response (PDF) by PLAID’s project editor (our reply here). Despite every possible evidence of bad design, PLAID is now approved as ISO standard, and is coming to you very soon inside security products which will advertise non-existing privacy capabilities.
- The detailed story of PLAID in the paper is worth a read, and casts many doubts on the efficacy of the most important standardizing body in the world. It is interesting to see how a “cryptography” product can be approved at ISO without undergoing any real security scrutiny.
- A Few Thoughts on Cryptographic Engineering: Attack of the Week: Unpicking PLAID
- Bruce Schneier: Amateurs Produce Amateur Cryptography
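The German Tank estimate quoted above, applied to the shill-key fingerprinting idea, as an added simulation that is not code from the paper or from Matt Green's post. It assumes 1024-bit moduli, treats each dummy response as a uniform value below the card's modulus, and uses constructed stand-in moduli and card names rather than real RSA keys.

```python
import random

BITS = 1024  # modulus size assumed for this simulation

def make_modulus(top_byte, rng):
    """Constructed stand-in for a card's shill-key modulus (not a real RSA key);
    only its magnitude matters for the statistic."""
    return (top_byte << (BITS - 8)) | rng.getrandbits(BITS - 8) | 1

def observe(modulus, k, rng):
    """Model k dummy responses: junk encrypted under RSA is ~uniform in [0, N)."""
    return [rng.randrange(modulus) for _ in range(k)]

def estimate_modulus(samples):
    """German Tank estimate: the largest value seen, scaled up by 1/k."""
    m, k = max(samples), len(samples)
    return m + m // k

def identify(samples, enrolled):
    """Return the enrolled label whose earlier estimate is closest to this batch."""
    est = estimate_modulus(samples)
    return min(enrolled, key=lambda label: abs(enrolled[label] - est))

def run_demo(seed=1, k=200):
    rng = random.Random(seed)
    cards = {name: make_modulus(top, rng)
             for name, top in (("card-A", 0x90), ("card-B", 0xC0), ("card-C", 0xF0))}
    # First encounter: record one estimate per card from k dummy responses.
    enrolled = {name: estimate_modulus(observe(n, k, rng)) for name, n in cards.items()}
    # Later encounter: a fresh batch is matched back to the closest estimate.
    matches = {name: identify(observe(n, k, rng), enrolled) for name, n in cards.items()}
    errors = {name: abs(enrolled[name] - n) / n for name, n in cards.items()}
    return matches, errors

if __name__ == "__main__":
    matches, errors = run_demo()
    for name in matches:
        print(name, "->", matches[name], f"(enrolment error {errors[name]:.2%})")
```

The relative error of the estimate shrinks roughly as 1/k, which is why a modest number of observed responses is enough to tell apart cards whose moduli differ in their leading bits.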
Unguessable URLs for security and privacy
- This post on Bruce Schneier’s blog talks about how Google uses unguessable URLs to protect the photos you post
- Additional Coverage — The Verge: Google secures photos using public but unguessable URLs
- If you look at some of your private photos in “Google Photos”, you can right click on a photo, and copy the source URL
- That is a public URL, that anyone can access, if you share it
- The photos are available to anyone who types in the right string of characters
- The key is that that string of characters, is very long
- “So why is that public URL more secure than it looks? The short answer is that the URL is working as a password. Photos URLs are typically around 40 characters long, so if you wanted to scan all the possible combinations, you’d have to work through 10^70 different combinations to get the right one, a problem on an astronomical scale.”
- “There are enough combinations that it’s considered unguessable, It’s much harder to guess than your password”
- The same applies to Facebook photos. If I have access to someone else’s photo, but the person I want to share it with does not (even have a Facebook account), I can copy the source URL, rather than the Facebook viewer URL, and share it with them
- Because traffic to and from Google Photos, and Facebook, is encrypted with HTTPS, someone cannot get the URLs of those photos by sniffing your traffic
- They could get the data from your browser history, or in other ways if your machine was compromised, but in those cases they’d have access to the photos anyway
- The only real problem here is that it can be hard to ‘revoke’ access to a photo. If you give this unguessable but public URL to someone, they can share it as much as they want, completely outside of your control
- Also, because CDNs and caches are used, even if you delete a photo, it might still be accessible by that URL, if someone already knows it
- Schneier notes: “It’s a perfectly valid security measure, although unsettling to some”
Feedback:
Encrypting Windows Workstations. Want to use Bitlocker, but some machines don’t have a TPM chip.
- Buy your copy at: https://www.zfsbook.com/
Round up:
- Number of VPN servers at risk due to weak DH keys may be fewer than originally thought
- British Gas leak sees 2,400 customer passwords posted online
- Updates on the VMware GPL violation lawsuit
- Top German official infected by highly advanced spy trojan with NSA ties
- Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks
- Rockwell patches PLCs that could be exploited via a malicious URL
- The impact of Netflix’s open source software development
- CEO Pride may get in the way of Cyber Security. TalkTalk as an example: “Our cybersecurity is head and shoulders above the competition” followed by “we have no legal obligation to encrypt customer bank details”
- New technology can steal your face
- Are Russians tapping undersea cables?
- TrueCrypt has critical vulnerability. Allows privilege escalation. While not a problem with the crypto, this could allow an attacker to take over your machine and gain access to the decrypted data
- US DoD and Military still using deprecated SHA-1 in TLS certificates