blog dds

2009.11.25

The Risk of Air Gaps

As some readers of this blog know, from this month onward I'm on a leave of absence from my academic post to head the Greek Ministry of Finance General Secretariat of Information Systems. The job's extreme demands explain the paucity of blog postings here. I'll describe the many organizational and management challenges of my new position in a future blog post. For now let me concentrate on a small but interesting technical aspect: the air gap we use to isolate the systems involved in processing tax and customs data from the systems used for development and production work.

Continue reading "The Risk of Air Gaps"

2008.10.08

An Inadvertent Denial of Service Attack

If you're wondering why this blog was down for the past few hours, here is the story. In an earlier blog post I listed a small script I'm using to lock away door knockers who attempt to break into our group's computer by trying various passwords. If you like puzzles, read the script again and think how it could be used against us by isolating our computer from the entire world.

Continue reading "An Inadvertent Denial of Service Attack"

2008.01.07

The Relativity of Performance Improvements

Today, after receiving a 1.7MB daily security log message containing thousands of ssh failed login attempts from bots around the world, I decided I had had enough. I enabled IPFW on a FreeBSD system I maintain, and added a script to find and block the offending IP addresses. In the process I improved the script's performance. The results of the improvement were unintuitive.

Continue reading "The Relativity of Performance Improvements"

2007.08.02

Location-Based Dictionary Attacks

I get daily security reports from the hosts I manage. Typically these contain invalid user attempts for users like guest, www, and root. (Although FreeBSD doesn't allow remote logins for root, I was surprised to find out that many Linux distributions allow them.)

Continue reading "Location-Based Dictionary Attacks"

2007.07.08

A Phone Exchange Rootkit

An article titled The Athens Affair appears in this month's IEEE Spectrum. In the article my colleague Vasilis Prevelakis and I provide an overview of the technical aspects of last year's cellphone wiretapping incident. An interesting aspect of the way the wiretapping took place is that it involved a rootkit that took advantage of the exchange's lawful interception capability.

Continue reading "A Phone Exchange Rootkit"

2007.04.16

Breaking into a Virtual Machine

Say you're running your business on a rented virtual private server. How secure is your setup? I wouldn't expect it to be more secure than the system your server runs on, and a simple experiment confirmed it.

Continue reading "Breaking into a Virtual Machine"

2007.02.16

Malware on the Fly

Apparently, rogue servers listening on the p2p Kad network intercept the search terms of queries and generate on the fly appropriate file names linking to files that contain malware.

Continue reading "Malware on the Fly"

2007.01.08

Why Key Fingerprints are Important

I admit it: I seldom verify the key fingerprint of a host I connect to against a fingerprint I have obtained through secure means. As things stand today, I consider it unlikely that somebody will stage a man-in-the-middle attack at the time I first connect to an unknown host. Today however I almost got bit.

Continue reading "Why Key Fingerprints are Important"

2006.12.13

Secure Passports and IT Problems

In 2003 Greece, in response to new international requirements for secure travel documents, revised the application process and contents of its passports. From January 1st 2006 passports are no longer issued by the prefectures, but by the police, and from August 26th passports include an RFID chip. The new process has been fraught with problems; many of these difficulties stem from the IT system used for issuing the passports. On December 12th, the Greek Ombudsman (human rights section) issued a special 22-page report on the problems of the new passport issuing process. The report is based on 43 official citizen complaints.

Continue reading "Secure Passports and IT Problems"

2006.12.01

(Not) Hacking the Digipass Go 3 OTP Dongle

My bank moved to a two-factor authentication solution, and thus required me to purchase from them a Digipass Go 3 dongle in order to authenticate my transactions. To register my dongle I keyed in a five-digit code they gave me, and also the key's serial number appearing on its back. Given that Go 3 utilizes an open authentication framework, and a published algorithm for generating the one-time password (OTP), could I utilize the key and the numbers I keyed in, for using the key in my own applications, or for cloning the dongle in my mobile phone or palmtop?

Continue reading "(Not) Hacking the Digipass Go 3 OTP Dongle"

2006.05.24

Security is a Problem of the Weakest Link

While attending the ICSE 2006 conference I stayed at the Tong Mao hotel. My room featured an impressive-looking safe: thick steel, two bolts, and a digital lock.

Continue reading "Security is a Problem of the Weakest Link"

2006.02.15

A Malfeasant Design for Lawful Interception

Earlier this month it was revealed that more than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year (see Wikipedia article). Apparently, the tapping was implemented by activating Ericsson's lawful interception subsystem installed at the Vodafone service provider. How could this happen?

Continue reading "A Malfeasant Design for Lawful Interception"

2005.11.09

US Military Removes Word Documents from the Web?

On August 25th 2004 the comp.risks forum ran an article I submitted regarding the large number of Microsoft Word documents available on US military sites (sites in the .mil domain) through Google searches (23.50 "U.S. military sites offer a quarter million Microsoft Word documents"). The article documented how such documents could lead to the leakage of confidential data. A week later I set up a script to watch the number of Word documents available through Google searches to see if and when the military would recognise the threat those documents posed and remove them.

Continue reading "US Military Removes Word Documents from the Web?"

2005.05.19

Cats and Cigarette Lighters

On April 14th, the US Transportation Security Administration started enforcing a new ban on cigarette lighters. A month later, I saw the corresponding announcement posted on a check-in desk at the Samos international airport. At the same airport I also saw a free-roaming cat getting its food delivered directly on the tarmac. I entered my flight feeling a lot safer.

Continue reading "Cats and Cigarette Lighters"

2005.04.27

Solving Singh's Substitution Cipher

Many of us enjoy playing with encryption algorithms. Simon Singh, before a book promotion trip to Greece, published a "substitution cipher with a twist". I would consider solving a substitution cipher aimed at the general public unfair, but the "twist" made me curious.

Continue reading "Solving Singh's Substitution Cipher"

2004.10.05

Cracker Code Review

According to a popular myth, crackers are computer whiz kids: brilliant software developers who run circles around their "peers" in the corporate world. When my undergraduate student Achilleas Anagnostopoulos sent me a pointer to the source code of the Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow exploit, I decided to test the myth by performing a code review of the exploit's source code. The results are not flattering for the exploit's developers: no self-respecting professional would ever write production code of such an abysmally low quality. Sorry M4Z3R.

Continue reading "Cracker Code Review"

2004.08.31

U.S. military sites offer a quarter million Microsoft Word documents

I was Google-searching for the Air Force Operational Test & Evaluation Center publication "Software Maintainability - Evaluation Guide". To make my search more efficient I restricted it to military (.mil) sites, using the Google keyword "site:.mil". I was not able to find the publication I was looking for, but was surprised to see a number of Microsoft Word documents in the search results.

Continue reading "U.S. military sites offer a quarter million Microsoft Word documents"

2004.02.03

A Spam-resistant Email Network

I am really fed up with spam. Yes, I am behind a spamassassin filter, and it is getting less and less useful with every passing day. Many other interesting ideas (including ji's patent) have failed to catch on and provide significant relief. In a recent column in IEEE Spectrum Robert Lucky expressed his yearning for the days when email was only used by the elite in the know, the select few who "were on email".

Continue reading "A Spam-resistant Email Network"

2004.01.21

How Not to Conduct a Poll

Recently the ACM Council asked members to provide feedback on the issue of expanding legal protections for collections of data by means of an on-line poll. Opening the policy feedback decision-making process to the ACM membership promotes member participation and transparency. However, I have two serious reservations regarding the way the member feedback was requested.

Continue reading "How Not to Conduct a Poll"

2003.06.28

Security researcher beguiled by email spoof

One would expect someone who has been reading and contributing to comp.risks since 1990 to know better, especially if he is also lecturing courses on IT security, and has written a couple of papers in the area. Maybe it was also a well-deserved punishment for laughing at emails titled "Valuable business proposition" and "Renew your e-bay account" (who is so dumb as to fall for these schemes?).

Continue reading "Security researcher beguiled by email spoof"


Last update: Saturday, August 28, 2010 11:49 am
Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.