Verifying the Substitution Cipher Folklore
A substitution cipher has each letter substituted with another.
Cryptography folklore has it that simple substitution ciphers
are easy to break by looking at the letter frequencies of the encrypted text.
I tested the folklore and the results were not quite what I was expecting.
A Better Air Gap
Bruce Schneier recently published
ten rules for setting up an air-gapped computer;
a computer that even the NSA can't hack,
because it's not connected to the internet.
His rules are practical and make sense, but,
given the number of vulnerabilities regularly found in modern operating systems,
I think that they need strengthening.
How to Decrypt "Secrets for Android" Files
Secrets for Android
is a nifty Android application that allows you to securely store
passwords and other sensitive data on your Android phone.
Your data are encoded with your supplied password using strong
cryptography and are therefore protected if your phone gets stolen.
Although the application offers a backup and an export facility,
I found both wanting in terms of the availability and confidentiality
associated with their use.
Pretend Invitations
Choosing between people you want to invite to a function and people you
have to invite is sometimes difficult.
Say Alice wants to invite Tom, Dick, and Harry to a party, but she'd actually
prefer if Dick didn't show up.
Here's how Alice can send invitations by email from an email-capable
Unix system to achieve the desired result,
while covering her scheming with plausible deniability.
Apps are the New Users
Some facilities provided by mature multi-user operating systems appear arcane today. Administrators of computers running Mac OS X or Linux can see users logged in from remote terminals, they can specify limits on the disk space one can use, and they can run accounting statistics to see how much CPU time or disk I/O a user has consumed over a month. These operating systems also offer facilities to group users together, to specify various protection levels for each user's files, and to prescribe which commands a user can run.
Sophisticated Targeted Link Spam
What appeared to be an intelligent comment in one of my blog
postings turned out to be targeted link spam.
This is a worrying trend, because, although we can defend ourselves
against mass attacks, we're very vulnerable to targeted strikes.
The Risk of Air Gaps
As some readers of this blog know,
from this month onward I'm on a leave of absence from my
to head the
Greek Ministry of Finance
General Secretariat of Information Systems.
The job's extreme demands explain the paucity of blog postings here.
I'll describe the many organizational and management
challenges of my new position in a future blog post.
For now let me concentrate on a small but interesting technical aspect:
the air gap we use to isolate the systems involved in processing
tax and customs data from the systems used for development and production
An Inadvertent Denial of Service Attack
If you're wondering why this blog was down for the past few hours, here is
In an earlier blog post I listed a small script
I'm using to lock-away door knockers who attempt to break into our
group's computer by trying various passwords.
If you like puzzles, read the script again and think how it
could be used against us by isolating our computer from the entire world.
The Relativity of Performance Improvements
Today, after receiving a 1.7MB daily security log message containing
thousands of ssh failed login attempts from bots around the
world, I decided I'd had enough.
I enabled IPFW on a FreeBSD system I maintain, and added a script
to find and block the offending IP addresses.
In the process I improved the script's performance.
The results of the improvement were unintuitive.
Location-Based Dictionary Attacks
I get daily security reports from the hosts I manage.
Typically these contain invalid user attempts for users like
guest, www, and root.
(Although FreeBSD doesn't allow remote logins for root,
I was surprised to find out that many Linux distributions allow them.)
A Phone Exchange Rootkit
An article titled The Athens Affair appears in this month's
In the article
my colleague Vasilis Prevelakis and I
provide an overview of the technical aspects of last
year's cellphone wiretapping incident.
An interesting aspect of the way the wiretapping took place is that
it involved a rootkit
that took advantage of the exchange's
Breaking into a Virtual Machine
Say you're running your business on a rented
virtual private server.
How secure is your setup?
I wouldn't expect it to be more secure than the system your server runs
on, and a simple experiment confirmed it.
Malware on the Fly
Apparently, rogue servers listening on the
intercept the search terms of queries and generate on the fly
appropriate file names linking to files that contain malware.
Why Key Fingerprints are Important
I admit it: I seldom verify the key fingerprint of a host I connect to
against a fingerprint I have obtained through secure means.
As things stand today, I consider it unlikely that somebody will
stage a man-in-the-middle attack at the time I first connect to
an unknown host.
Today however I almost got bit.
Secure Passports and IT Problems
In 2003 Greece, in response to new international requirements for secure travel documents, revised the application process and contents of its passports. From January 1st 2006 passports are no longer issued by the prefectures, but by the police, and from August 26th passports include an RFID chip. The new process has been fraught with problems; many of these difficulties stem from the IT system used for issuing the passports.
On December 12th, the Greek Ombudsman
(human rights section) issued a special 22-page report on the problems of the new passport issuing process.
The report is based on 43 official citizen complaints.
(Not) Hacking the Digipass Go 3 OTP Dongle
My bank moved to a two-factor authentication solution, and thus required me to purchase
from them a Digipass Go 3 dongle in order to authenticate my transactions.
To register my dongle I keyed in a five-digit code they gave me,
and also the key's serial number appearing on its back.
Given that Go 3 utilizes an
open authentication framework,
and a published algorithm
for generating the one time password (OTP), could I utilize the key and the
numbers I keyed in, for using the key in my own applications, or for cloning
the dongle in my mobile phone or palmtop?
Security is a Problem of the Weakest Link
While attending the ICSE 2006 conference I stayed at the Tong Mao hotel.
My room featured an impressive-looking safe:
thick steel, two bolts, and a digital lock.
A Malfeasant Design for Lawful Interception
Earlier this month it was revealed that more than 100 mobile phone numbers
belonging mostly to members of the Greek government and top-ranking
civil servants were found to have been illegally tapped for a period
of at least one year (see
Apparently, the tapping was implemented by activating Ericsson's
lawful interception subsystem installed at the Vodafone service provider.
How could this happen?
US Military Removes Word Documents from the Web?
On August 25th 2004 the comp.risks forum
ran an article I submitted
regarding the large number of Microsoft Word documents available
on US military sites (sites in the .mil domain) through Google
(23.50 "U.S. military sites offer a quarter million Microsoft Word documents").
The article documented how such documents could lead to the leakage
of confidential data.
A week later I set up a script to watch the number of Word documents
available through Google searches
to see if and when the military would recognise the threat those
documents posed and remove them.
Cats and Cigarette Lighters
On April 14th, the US Transportation Security Administration
started enforcing a new ban on cigarette lighters.
A month later,
I saw the corresponding announcement posted on a check-in desk
at the Samos international airport.
At the same airport I also saw a free-roaming cat getting its food delivered
directly on the tarmac.
I entered my flight feeling a lot safer.
Solving Singh's Substitution Cipher
Many of us enjoy playing with encryption algorithms.
Simon Singh, before a book promotion trip to Greece,
published a "substitution cipher with a twist".
I would consider solving a substitution cipher aimed
at the general public unfair, but the "twist" made me curious.
Cracker Code Review
According to a popular myth, crackers are computer whiz kids:
brilliant software developers who run circles around their
"peers" in the corporate world.
When my undergraduate student Achilleas Anagnostopoulos sent me a
link to the source code of the
Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
exploit, I decided to test the myth
by performing a code review of the exploit's source code.
The results are not flattering for the exploit's developers:
no self-respecting professional would ever write production code of
such an abysmally low quality.
U.S. military sites offer a quarter million Microsoft Word documents
I was Google-searching for the Air Force Operational Test & Evaluation
Center publication "Software Maintainability - Evaluation Guide". To
make my search more efficient I restricted it to military (.mil) sites,
using the Google keyword "site:.mil".
I was not able to find the publication I was looking for, but was surprised
to see a number of Microsoft Word documents in the search results.
A Spam-resistant Email Network
I am really fed up with spam. Yes, I am behind a spamassassin filter,
and it is getting less and less useful with every passing day. Many other
interesting ideas (including ji's patent) have failed to catch on and
provide significant relief. In a recent column in IEEE Spectrum
Robert Lucky expressed his yearning for the days when email was only used by
the elite in the know, the select few who "were on email".
How Not to Conduct a Poll
Council asked members to provide feedback on the issue of expanding
legal protections for collections of data by means of an on-line poll.
Opening the policy feedback decision-making process to the ACM membership
promotes member participation and transparency.
However, I have two
serious reservations regarding the way the member feedback was requested.
Security researcher beguiled by email spoof
One would expect someone who has been reading and contributing to comp.risks
since 1990 to know better, especially if he is also lecturing courses on
IT security, and has written a couple of papers in the area. Maybe it
was also a well-deserved punishment for laughing at emails titled
"Valuable business proposition" and "Renew your e-bay account" (who is
so dumb as to fall for these schemes?)