Tuesday, March 4, 2014

Meet the seven people who hold the keys to worldwide internet security


It sounds like the stuff of science fiction: seven keys, held by individuals from all over the world, that together control security at the core of the web. The reality is rather closer to The Office than The Matrix

 The Guardian, Friday 28 February 2014 08.00 EST



In a nondescript industrial estate in El Segundo, a boxy suburb in south-west Los Angeles just a mile or two from LAX international airport, 20 people wait in a windowless canteen for a ceremony to begin. Outside, the sun is shining on an unseasonably warm February day; inside, the only light comes from the glare of halogen bulbs.
There is a strange mix of accents – predominantly American, but smatterings of Swedish, Russian, Spanish and Portuguese can be heard around the room, as men and women (but mostly men) chat over pepperoni pizza and 75-cent vending machine soda. In the corner, an Asteroids arcade machine blares out tinny music and flashing lights.
It might be a fairly typical office scene, were it not for the extraordinary security procedures that everyone in this room has had to complete just to get here, the sort of measures normally reserved for nuclear launch codes or presidential visits. The reason we are all here sounds like the stuff of science fiction, or the plot of a new Tom Cruise franchise: the ceremony we are about to witness sees the coming together of a group of people, from all over the world, who each hold a key to the internet. Together, their keys create a master key, which in turn controls one of the central security measures at the core of the web. Rumours about the power of these keyholders abound: could their key switch off the internet? Or, if someone somehow managed to bring the whole system down, could they turn it on again?

The keyholders have been meeting four times a year, twice on the east coast of the US and twice here on the west, since 2010. Gaining access to their inner sanctum isn't easy, but last month I was invited along to watch the ceremony and meet some of the keyholders – a select group of security experts from around the world. All have long backgrounds in internet security and work for various international institutions. They were chosen for their geographical spread as well as their experience – no one country is allowed to have too many keyholders. They travel to the ceremony at their own, or their employer's, expense.
What these men and women control is the system at the heart of the web: the domain name system, or DNS. This is the internet's version of a telephone directory – a series of registers linking web addresses to a series of numbers, called IP addresses. Without these addresses, you would need to know a long sequence of numbers for every site you wanted to visit. To get to the Guardian, for instance, you'd have to enter "77.91.251.10" instead of theguardian.com.

Tuesday, February 25, 2014

Choosing a Secure Password

As insecure as passwords generally are, they're not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy.

By Bruce Schneier

The best way to explain how to choose a good password is to explain how they're broken. The general attack model is what's known as an offline password-guessing attack. In this scenario, the attacker gets a file of encrypted passwords from somewhere people want to authenticate to. His goal is to turn that encrypted file into unencrypted passwords he can use to authenticate himself. He does this by guessing passwords, and then seeing if they're correct. He can try guesses as fast as his computer will process them – and he can parallelize the attack – and gets immediate confirmation if he guesses correctly. Yes, there are ways to foil this attack, and that's why we can still have four-digit PINs on ATM cards, but it's the correct model for breaking passwords.

There are commercial programs that do password cracking, sold primarily to police departments. There are also hacker tools that do the same thing. And they're really good.

How well password cracking works depends on two largely independent things: power and efficiency.

Power is simply computing power. As computers have become faster, they're able to test more passwords per second; one program advertises eight million per second. These crackers might run for days, on many machines simultaneously. For a high-profile police case, they might run for months.

Efficiency is the ability to guess passwords cleverly. It doesn't make sense to run through every eight-letter combination from "aaaaaaaa" to "zzzzzzzz" in order. That's 200 billion possible passwords, most of them very unlikely. Password crackers try the most common passwords first.

A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords, things like "letmein," "temp," "123456," and so on. Then it tested them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!," and so on. It recovered about a quarter of all passwords with just these 100,000 combinations.

Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: "$" for "s", "@" for "a", "1" for "l" and so on. This guessing strategy quickly breaks about two-thirds of all passwords.


Modern password crackers combine different words from their dictionaries:
What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."

This is why the oft-cited XKCD scheme for generating passwords – string together individual words like "correcthorsebatterystaple" – is no longer good advice. The password crackers are on to this trick.
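To make the attack model above concrete, here is a small added example (not code from the article or from any real cracking tool) that implements the root-plus-appendage strategy as a password strength check: it generates guesses in the order a cracker would try them (common roots first, each with capitalization and symbol-substitution variants, then the suffix and prefix appendages), reports how many guesses it would take to reach a given password, and shows the offline setting by recovering a plaintext from a bare SHA-256 digest. The root and appendage lists are constructed toy data, and `recover_from_hash` and `guesses_to_crack` are names chosen here; a real cracker's dictionaries are orders of magnitude larger.

```python
"""Toy model of the root-plus-appendage password-guessing strategy.

Defensive use: run guesses_to_crack() on a candidate password at signup
and reject anything this tiny model finds, since real crackers try far more.
Added example with constructed dictionaries; not from the original article.
"""
import hashlib

# Constructed toy dictionaries, ordered most-common-first as a cracker would.
COMMON_ROOTS = ["letmein", "temp", "123456", "password", "welcome", "monkey"]
COMMON_SUFFIXES = ["", "1", "4u", "69", "abc", "!", "123", "2014"]
COMMON_PREFIXES = ["1", "!"]
# Plain-letter -> symbol substitutions the article mentions ("$" for "s", etc.).
SUBSTITUTIONS = {"s": "$", "a": "@", "l": "1", "o": "0", "e": "3"}


def with_substitutions(word):
    """Apply every common character substitution to a word."""
    out = word
    for plain, symbol in SUBSTITUTIONS.items():
        out = out.replace(plain, symbol)
    return out


def variants(root):
    """Capitalization and substitution variants of a root, duplicates removed."""
    seen = []
    for cap in (root.lower(), root.capitalize(), root.upper()):
        for variant in (cap, with_substitutions(cap)):
            if variant not in seen:
                seen.append(variant)
    return seen


def candidates():
    """Yield guesses in cracker order: root variants x suffixes, then prefixes.

    Suffixes come first because the article notes they are ~90% of appendages.
    """
    for root in COMMON_ROOTS:
        for variant in variants(root):
            for suffix in COMMON_SUFFIXES:  # "" yields the bare root
                yield variant + suffix
            for prefix in COMMON_PREFIXES:
                yield prefix + variant


def guesses_to_crack(password):
    """Return the 1-based guess number at which the model hits the password,
    or None if the password lies outside this model's search space."""
    for n, guess in enumerate(candidates(), start=1):
        if guess == password:
            return n
    return None


def sha256_hex(password):
    """Unsalted, fast hash standing in for the 'encrypted password file'."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def recover_from_hash(hex_digest):
    """Offline attack model: the checker holds only a digest, hashes each
    candidate, and gets immediate confirmation on a match."""
    for guess in candidates():
        if sha256_hex(guess) == hex_digest:
            return guess
    return None


if __name__ == "__main__":
    for pw in ["letmein", "Letmein!", "temp4u", "correcthorsebatterystaple"]:
        print(pw, "->", guesses_to_crack(pw))
    print(recover_from_hash(sha256_hex("temp4u")))
```

The interesting output is the second kind of failure: "correcthorsebatterystaple" is not in this model's space, yet the article's point is that real crackers simply add a word-combination stage on top of the same loop. The `sha256_hex` helper is deliberately the weak case; the "ways to foil this attack" the article alludes to amount to replacing it with a slow, salted password hash so that each guess costs the attacker far more than one hash computation.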

Read the rest here: http://boingboing.net/2014/02/25/choosing-a-secure-password.html

Risk Is Low And Business Is Booming In The Malware Market

AARTI SHAHANI
Stolen credit card data are sold on underground markets, along with the malware and tools the thieves need to steal the data themselves.
Elise Amendola/AP
Malware is malicious, bad software. It's the code that cybercriminals use to steal credit card numbers and bank accounts. And the big hack against Target showed how good these criminals are getting: They've built a thriving underground where credit cards go on sale before anyone even knows that a massive breach has happened.
On a recent day at a crowded Starbucks in downtown San Francisco, Tom Pageler powers up his laptop and takes me online shopping — with a twist.
Pageler is not one of the cybercriminals. He's a former Secret Service agent who studied them and is now in the private sector, with a Bay Area company called DocuSign.
He takes me to the anonymous Tor network, to a website that requires a login. He doesn't want to reveal the name of the site because he doesn't want to tip off anyone. Being a trusted user on a criminal website takes work. It's a lot like eBay; you have to visit, buy and sell regularly, and get rated and reviewed by your peers.
"When they transact with you, no one's getting arrested, no one's getting burned," Pageler says. "So every time you make a transaction on the underground, you're just building your street cred."
Today, credit cards are on supersale. Pageler says that means a big breach just happened.
Strangely, platinum credit cards on the site are selling for less money than gold cards. Apparently people in the underground don't just look at credit limits; they do analytics to see, according to the data, what banks have the weakest security.
"For them, they'll know based on a bank ID number which bank it is, and where they're getting the best return on fraud," he says.
Pageler is showing me how a low-level operator would work this site. Say I wanted to launch an attack. Without any specialized coding skills, I could buy the package of services I need: A list of 10,000 emails, customized by age, gender, region, goes for just $79. To make sure the emails work, there's a "cleaning price" of $48, Pageler says.
For another $50, I get malware called a key logger, which will latch into a victim's operating system and follow every keystroke in search of strings that look like bank logins and account numbers.
Payment is made with an account that's like PayPal, except it is Internet cash that's hard to trace, and the servers are overseas, so American police can't really subpoena records.
I need one more thing, called a botnet — a vast network of computers under the control of a single bot master. For this, Pageler hands me off to his colleague, botnet specialist Tom Brandl, who shows me options as cheap as $16. He makes a simple analogy to the drug trade: "These would actually be the guys on the street corners, collecting money and distributing the drugs."
The bots send out emails, and between 5 percent and 10 percent of recipients open the attachment, which lets the crooks in. The bots crawl around waiting for bank passwords. Then they can drain the money to the overseas account.
Millions upon millions of unsuspecting computers — maybe even yours and mine — are part of botnets, making it nearly impossible to find the real criminal.
"If I'm the bank, I go back and say, 'Hey, I saw this login from this address.' I go to check that address, and it belongs to a grandmother in Sioux Falls. Basically the trail is dead at that point," Brandl says.
Giovanni Vigna, a professor at the University of California, Santa Barbara, who studies cybercrime, says it's basically a crime without risk.
"If you look at the size of what gets stolen, there are wildly varying estimates — we talk about billions, and you think about how many actual convictions there have been. It's amazingly low," Vigna says.
The incentives to join the underground are amazingly high. With just a couple hundred bucks, I could drain enough accounts to make $500,000 and grab data to resell on the hidden websites.

Monday, February 24, 2014

Yes, my social security number was on display to everyone I handed my college ID card to. I was young and stupid.
Through my tenure as a student at the University of Maryland from 2000 to 2004, my social security number also doubled as my student identification number. I'd use this number and a password whenever I logged into the college's online management system, Testudo, which I did for everything from course selection and monitoring grades to signing up for basketball tickets. (Go Terps! 2002 National Champs whooo!) I vaguely recall having the option to change my student ID number to something else, but neither I nor anyone I knew ever went to the trouble of doing so.
This state of affairs comes to my mind at the moment because of an e-mail I got earlier this week telling me that my alma mater "was the victim of a sophisticated computer security attack that exposed records containing personal information." My name, social security number, and birthday are likely part of a cache of nearly 310,000 leaked records belonging to students and staffers going back to 1998.
After reading the e-mail, I immediately reverted to journalist mode; surely a security breach of over 300,000 computerized student records was the kind of story that would be relevant to the readers of this site. When I consulted with Ars Security Editor Dan Goodin on how to cover it, though, the response was pretty lukewarm.

Thursday, February 20, 2014

This has got to be the best lede of all time. And a great article, too. Caitlin Flanagan, writing about fraternities, law, liabilities, and corruption in the Atlantic magazine:
One warm spring night in 2011, a young man named Travis Hughes stood on the back deck of the Alpha Tau Omega fraternity house at Marshall University, in West Virginia, and was struck by what seemed to him—under the influence of powerful inebriants, not least among them the clear ether of youth itself—to be an excellent idea: he would shove a bottle rocket up his ass and blast it into the sweet night air. And perhaps it was an excellent idea. What was not an excellent idea, however, was to misjudge the relative tightness of a 20-year-old sphincter and the propulsive reliability of a 20-cent bottle rocket. What followed ignition was not the bright report of a successful blastoff, but the muffled thud of fire in the hole.
"The Dark Power of Fraternities" [The Atlantic]

Microsoft has been in a state of "shut up and ship" with Windows Phone for more than a year now. While the company has released a few minor updates to Windows Phone 8, its feature set hasn’t changed significantly from when Microsoft first introduced the mobile OS in October 2012. The software giant refuses to discuss or acknowledge an upcoming update, Windows Phone 8.1, but a recent software development kit leak has highlighted the huge number of feature changes that will arrive in the coming months and put Windows Phone more on par with iOS and Android. One of the main feature additions is Cortana, a personal digital assistant named after Microsoft's Halo game series.
Cortana first emerged after a Microsoft employee lost a phone running Windows Phone 8.1 last year. Sources familiar with Microsoft’s Windows Phone work have revealed to The Verge that Cortana will replace the built-in Bing search feature, which is currently launched through a dedicated hardware key, and acts as a digital assistant with a mix of Siri and Google Now functionality. We’re told that Cortana will take the form of a circular animated icon with the hue of your selected Windows Phone accent color, and will have a personality not dissimilar from Apple’s Siri. Cortana will animate when it’s speaking or thinking, and bounce around or frown with "emotion" depending on the queries involved. Cortana will be backed by data from services like Bing, Foursquare, and others to give it some of the contextual power of Google Now.
Cortana Notebook is Microsoft's privacy control
Central to Microsoft’s vision for Cortana is a Notebook feature that will allow Windows Phone users to control exactly what information is shared with the digital assistant. Notebook will allow the Cortana digital assistant to access information such as location data, behaviors, personal information, reminders, and contact information. We’re told it’s designed as a privacy feature to ensure Cortana doesn’t freely access information without a level of user control. While Cortana will learn things about users, it won't store them in the Notebook without asking you, and any information that's stored can be edited or deleted. Cortana will then use this information to provide answers to search queries by voice or text, and provide suggestions, alerts, and reminders. Cortana can greet you by name and ask if you need help, or you can ask it questions much like Siri.
Through search queries and just general phone usage, Cortana will learn more about a user and offer to store personal data like home and work locations and general interests in its Notebook. Cortana will also react to messages or emails that contain phrases like "let’s meet tomorrow at 8PM" and ask if you'd like to set up reminders or calendar entries. Cortana can also provide guidance on weather, stocks, directions, appointments, and music that’s contextual based on location and other data. As Cortana is a digital assistant, it will also be able to manage a do-not-disturb feature, similar to iOS, that’s designed to mute notifications. An "inner circle" of contacts will allow Cortana to manage notifications and phone calls during "quiet hours" when notifications are muted.
Although the initial Cortana digital assistant that will ship in Windows Phone 8.1 will have a lot of capabilities, Microsoft will need to extend it to third-party apps and its Windows and Xbox devices to improve its functionality in future. The real test of Cortana will be how well it works with voice commands and its ability to understand natural phrases and questions. Microsoft’s recent voice work with Xbox One is impressive, but it also requires that you follow a strict pattern of commands for it to work successfully. Microsoft will have to ensure Cortana is at least as good as Siri for the company to position this as full personal digital assistant.

Wednesday, February 19, 2014

The Username Is a Relic. Here’s How to Fix It

MAT HONAN
02.19.14 6:30 AM

From: http://www.wired.com/gadgetlab/2014/02/honan-billions/

This has probably happened to you: You hear about some cool new app or game or service, rush to sign up, and discover that another person has already snagged the username you wanted. It’s a bummer and a bad first impression for a new service.
The username just wasn’t built to withstand what the Internet has become. It’s a vestige of an earlier era, when a large service had thousands of users. Today, despite the billions of people online, we’re still designing for the sparse old days.
“In the late ’90s, I would have thought MetaFilter might have like 10,000 users max,” says Matt Haughey, creator of the popular online community. Haughey was also an early designer for Blogger, one of the first democratized online publishing platforms. “For Blogger, I thought, this is pretty amazing, and wouldn’t it be great if millions of people used it? I thought, someday we might reach 5 million or so.”
Those kinds of numbers, ambitious at the time, seem like nothing now. Blogger, which was acquired by Google, currently hosts tens of millions of blogs; MetaFilter has upward of 60,000 accounts. But while we’ve built these systems to scale for machines, we’ve generally done a poor job of scaling them for humans. We haven’t really gotten our heads around what having much of the planet online means, and nothing reflects this better than the username quandary.
When online communities were just starting out, our digital watering holes relied on unique usernames—and not only for person-to-person interaction. The servers used them to ID people logging on. This became the established practice, and it wasn’t a problem in those early days, when it could take months or even years for the good names to get snapped up. Now that can happen in a day. Take the selfie-sharing service Shots of Me. It is … precious. But because Justin Bieber backs the company, his horde of Beliebers jumped on it almost instantly; within hours of the launch, I couldn’t get the username I wanted.
That sucks. One of the best things about the online world is how it lets us be whoever we want to be. We shouldn’t have to sacrifice that just because someone else got there first.
Facebook is handling this problem pretty well—an infinite number of John Smiths can use the service with no confusion. On Twitter, conversely, demand for its supply of usernames is so high that people routinely buy, sell, and even steal valuable handles—company names, first names, celebrity names, and so on.
The solution—and the key to Facebook’s success—is surprisingly simple: Identity online should take a cue from the physical world. You are more than your name; your face, your birthday, your location, and the company you keep all help others figure out who you are. “Oh, you’re Mat’s friend Joe from New York? That’s right, I remember you.” We can use all those same cues digitally, as Facebook does.
Yes, our data has to attach to unique identifiers to live on a server, but only the machines need to see those. They’re just like the Social Security numbers we use in meatspace to differentiate people with the same name.
Ultimately we're all just numbers to computers anyway. It's kind of counterintuitive, but the best way to be whoever you want to be is to be nothing more than a number to everyone but your friends. That means there can always be more than one Mat Honan—which, trust me, is an awesome idea.
Mat Honan is a senior writer for Wired's Gadget Lab and the co-founder of the Knight-Batten award-winning Longshot magazine.