Why Building security backdoors into software is a bad idea

This should be obvious, but on the surface, to reasonable people, this seems reasonable. If bad people are doing bad things and the police can get enough evidence to approach a court, they can get a wire-tapping order, which will allow them to intercept any communications in the mail, or telephone that will allow them to gather evidence against the criminals.

TLDR; the basic idea is flawed and it puts individuals at risk.

This seems like an invasive but reasonable approach to protect public safety, and why software should be different? Why should there not be a master key that opens the encryption locks that criminals are using to conduct their nefarious activities? It is just those pesky software companies preventing the police from protecting us from criminals, who want to do us harm. We should make them change and allow the police to view these hidden communications. This seems reasonable, at least until you think about it.

This basic premise assumes that the ones controlling the master key or even the company that makes the software are infallible, there could never be any bugs, and there could never be anyone in those organisations who could be bribed or coerced to reveal the key, an overworked, stressed, or sleep-deprived individual could never mishandle it. This is building an intentional flaw in a defence, like the infamous drain in Helms Deep from the Lord of the Rings.

and that ended well for the men of Rohan.

This also assumes that the organisation that wants the protection can instruct the organisation that makes the software to make this weakness, and that criminals would not just use something else. True the government could restrict sales of the software to disallow the sale of software without the backdoor in force, but again this assumes that criminals are only going to use software that is legal within that region, because of course criminals are well known for following the law. The basic idea is flawed and it puts individuals at risk.

Q&A video answers from the F-Secure Lab experts about Online Banking Security

This is really just a re-post of the videos in the F-Secure Forum, but if you have not watched them yet or really have any questions on Online Banking Security then you really should watch these. All of these videos are on F-Secure’s Youtube channel, though to be honest most of the stuff does seem to just be advertising and how to use their software, these videos however are genuinely interesting.

  • Video 1. How do I remember strong passwords

  • Video 2. Are ATM’s Secure?

  • Video 3. Online banking and shopping. Mikko and Sean tell what precautions they take.

  • Video 4. What happens if you get robbed by an online criminal?

  • Video 5. Mikko and Sean’s opinion on various online banks

  • Video 6. Credit card data in recipts

  • Video 7. How Common is online criminality?

  • Video 8. Is is safe to use a smartphone for online banking?

  • Video 9. I get a warning whenever I log onto my online bank…

  • Video 10. A question about the ATM skimmers and iTunes fraud…

A Tragic Story of Mat Honan’s Digital Life being destroyed….

Seriously read this article, and I mean the whole article “How Apple and Amazon Security Flaws Led to My Epic Hacking” and shudder as to how easily it could happen to you.

For those that do not know Mat Honan (@mat) he is a senior writer for the Wired.com magazine, and he recently had his digital life turned upside down, when someone, quite interestingly through linked Google, Amazon and iCloud accounts, destroyed his digital life.

First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

One of the people involved in the hack “Phobia” contacted him later to discuss the hack, what made this story more horrifying is when he explains how easy it was to do.

So how did he get this vital information? He began with the easy one. He got the billing address by doing a whois search on my personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.

Getting a credit card number is tricker, but it also relies on taking advantage of a company’s back-end systems. Phobia says that a partner performed this part of the hack, but described the technique to us, which we were able to verify via our own tech support phone calls. It’s remarkably easy — so easy that Wired was able to duplicate the exploit twice in minutes.

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.

And as he later correctly points out

If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.

The most tragic part is that he is kicking himself that he did not back up his data resulting in him permanently loosing the pictures of his daughter, maybe he, and everone else should have watched the master of commedy, John Cleese’s video Institute for Backup Trauma.

A silver lining to this story was the realization of my own vulnerability, and that I and I hope you too needed to take steps to rectify the problem.

Learning about GUID’s

I have a have been puzzling over a problem where I need to create one-time keys to access a system. My question is, is this secure to use a Globally unique identifier or GUID for this key. The consensus is generally yes.

While section 6 “Security Considerations” of the RFC 4122 standard states

Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access)

For the particular use case there appears to be a consensus in the community that this is “secure enough”, it is used every day whenever you get a link in an email to reset you password. They typically use a Guid to identify the request, and as the Guid becomes invalid once it has been used, even if someone did steal your id, it would only be good for one request assuming it has not timed out (many services have a timeout of 30 minutes for these Guids to be used) or already been used which would cause the authentication to fail.

Guids are also apparently guessable because they are designed for uniqueness (i.e. using the current date and MAC address of the machine as the seed) to produce a 128-bit integer, this makes the identifier predictable which could be a problem. A problem which is easily overcome by doing a simple trick used in cryptography, add a random salt, using a cryptographically strong randomization. A person could predict the Guid potentially, but more unlikely to predict the Guid and the random value. Then if you add in Transport level security of sending the information over SSL to prevent someone listening in (though if it is being sent it is being used so would be immediately invalid).