Last month, the FIDO Alliance released specifications that attempt to remove passwords from authentication. A few years ago, Google was already “declaring war on passwords”, even publishing an interesting article in IEEE Security and Privacy: Authentication at Scale. While some improvements have been made, like Google Authenticator for 2-factor authentication, they do not appear to be widely implemented.
</div><div>The FIDO Alliance, however, is looking to change that with their Universal Authentication Framework (UAF) and Universal Second Factor (U2F) standards.</div><div>
</div><div class="tr-caption" style="text-align: center;">UAF and U2F process graphic from the FIDO Alliance</div><div class="separator" style="clear: both; text-align: center;">
</div><div class="separator" style="clear: both; text-align: left;">Apparently a device with the UAF stack accepts either biometric input or a PIN code to authenticate the user to UAF. UAF itself keeps the user’s private key for each associated website, and that key is used to produce the login response when the site issues a challenge.</div><blockquote class="tr_bq" style="clear: both; text-align: left;">A site or browser prepared to accept FIDO authentication can/will offer a user the option if a FIDO device is present. The first time a device is identified, a user will be offered the option to register their FIDO authenticator and use it. Subsequently, the registered device is automatically detected at the site and the user is presented with options for authentication, until/unless the user opts in or out. Please note that FIDO authentication is entirely device-centric. The authentication exchange occurs only between the FIDO device and the authenticating FIDO server, and the exchange is only in crypto.1</blockquote><div class="separator" style="clear: both; text-align: left;">U2F is not much different: it appears to be a USB or similar device, much like PAM USB. Because the authentication is device-centric, the backup passcodes that unlock the device are not interesting to an attacker (unless they can get local access).</div><blockquote class="tr_bq" style="clear: both; text-align: left;">Though a U2F device may store a password (really, it can be a 4-digit PIN) as a fallback for a user to unlock their own device locally (to effect changes, for example), this application can use a very simple, fixed password or code. In this way, the U2F PIN is not at all like OTP. The PIN available to a U2F user never needs to change, because it never does anything but allow a user to unlock the device locally. The PIN is only relevant to the FIDO device, so there is never a need to share it with a server or a network, as OTP must do. It has no value to a hacker, because it is meaningless to the server.1</blockquote><div class="separator" style="clear: both; text-align: left;">While this system may help support better authentication, there will of course have to be a fallback method. Right now that comes in the form of backup one-time passwords, which criminals have proven are easily stolen. Overall, the system still appears vulnerable to downgrade attacks (not every system will support this standard) and ultimately to user error, but it does make mass attacks more difficult while (potentially) remaining relatively easy for the end user.</div><div class="separator" style="clear: both; text-align: left;">
</div><div class="separator" style="clear: both; text-align: left;">The FIDO Alliance rightly answers the question “What makes FIDO different?”: they are providing an online crypto/authentication framework. Luckily, the FIDO Alliance has some big names behind it that should be able to support a large-scale standard like this for a long time. If not, basic passwords are better than security systems that can’t be updated.</div><div class="separator" style="clear: both; text-align: left;">
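As an added illustration (not FIDO Alliance code, and a deliberate simplification of the real U2F messages), the Go program below simulates the device-centric exchange described above: the authenticator keeps one private key per site, answers a server challenge with a signature, and the server stores only a public key and a use counter. The site names, challenges and signed-data layout are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Authenticator plays the FIDO device: one private key per site (appID) that never leaves it, plus a counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a key pair bound to appID and hands out only the public half.
func (a *Authenticator) Register(appID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[appID] = priv
	return &priv.PublicKey
}

// signedData binds a response to the site, the counter and the server's challenge (assumed layout).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	d := sha256.Sum256(append(binary.BigEndian.AppendUint32([]byte(appID), counter), challenge...))
	return d[:]
}

// Sign answers a challenge; a site the device never registered with gets nothing back.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, bool) {
	priv, ok := a.keys[appID]
	if !ok {
		return 0, nil, false
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, a.counter, challenge))
	return a.counter, sig, err == nil
}

// Verify is the server side: it holds only the public key and the last counter it saw.
func Verify(pub *ecdsa.PublicKey, appID string, last *uint32, challenge []byte, counter uint32, sig []byte) bool {
	if counter <= *last || !ecdsa.VerifyASN1(pub, signedData(appID, counter, challenge), sig) {
		return false // replayed, cloned, or not signed over this site and challenge
	}
	*last = counter
	return true
}
```

A look-alike site the device never registered with gets no response at all, and a replayed response fails the counter check.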
</div><hr width="80%" />
1 Clarification provided by Suzanne Matick
Just a quick reminder that DFRWS US 2015 is coming up soon!
DFRWS 2015 will be held on August 9-13, 2015 at the Hyatt Regency Philadelphia at Penn’s Landing, Philadelphia, PA, USA.
<ul><li>Paper and panel submission deadline: February 9, 2015 (any time zone).</li><li>Paper author notification: April 1, 2015</li><li>Final paper draft and presenter registration(*): April 30, 2015</li><li>Presentation and poster abstract submission deadline: April 17, 2015 (any time zone)</li><li>Presentation notification: May 1, 2015</li><li>Conference dates: August 9-13, 2015</li></ul><div>
</div><div>Topics of Interest</div>
<div><ul><li>Memory analysis and snapshot acquisition</li><li>Storage forensics, including file system and Flash</li><li>“Big data” approaches to forensics, including collection, data mining, and large-scale visualization</li><li>Incident response and live analysis</li><li>Virtualized environment forensics, with specific attention to the cloud and virtual machine introspection</li><li>Malware and targeted attacks: analysis, attribution</li><li>Network and distributed system forensics</li><li>Event reconstruction methods and tools</li><li>Mobile and embedded device forensics</li><li>Digital evidence storage and preservation</li><li>Data recovery and reconstruction</li><li>Multimedia analysis</li><li>Database forensics</li><li>Tool testing and development</li><li>Digital evidence and the law</li><li>Case studies and trend reports</li><li>Data hiding and discovery</li><li>Anti-forensics and anti-anti-forensics</li><li>Interpersonal communications and social network analysis</li><li>Non-traditional forensic scenarios and approaches (e.g. vehicles, control systems, and SCADA)</li></ul></div><div><div>The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience. Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to: usa-papers (at) dfrws (dot) org</div></div>
Jimmy Kimmel, a U.S. talk show host, commented on U.S. cyber security after the 2014 Sony attacks. To humorously demonstrate the problem, his show employed a bit of social engineering on the streets to see if they could get random users’ passwords. While most people did not directly give their passwords, it was not hard to get them to reveal some personal information. This is one reason why Google wanted to switch to security key fobs (which does not seem to have taken off). Linux, by the way, has had device-based authentication for a while that can be configured to log into the system, websites, etc. using almost any connectable device.
<div>
</div><div><div>Luckily for hackers, fooling a mass of people online is much easier than this.</div></div></div><div>
</div><div>What can you do? Lifehacker has talked about how to pick a strong password, methods for creating passwords you will remember, and even a list of best password managers. But most of all, just don’t tell people your password.
Photo by BM5K</div>
I recently received an email from someone claiming to be from CNN, wanting to do a segment on cyber security for business travelers. They asked for some bullet points that tech-savvy travelers may be able to follow to protect themselves. I threw together some points that are common crime trends, or that I normally think about when travelling.
I am assuming the main concern is some type of hacking or data theft. My (general) recommendations below assume some technical capability and skip some obvious pointers.
<ul><li>Coordinate an OFFLINE authentication system with your secretary or work, and use this authentication token any time you are talking about money transfers or bank details. This is a common threat now: hackers know when you travel and use the confusion to defraud the company.</li>
<li>The company should be running a VPN that works over port 443 and/or port 80.</li>
<li>Attempt to understand common cyber threats (and their causes) in the country: are you vulnerable to local attacks?</li>
<li>Attempt to use systems that are NOT commonly used in the destination country. Target systems in Korea: Windows, IE, Android. Avoid these and your chances of being compromised are much lower. (A Linux Live CD/USB is easy to use.)</li>
<li>Do you need to bring all of your work data with you? Can you copy only the required documents to the system that you bring with you (threat minimization)? Wipe the systems when you come back home.</li>
<li>Same as above for phones / mobile devices.</li>
<li>For business systems, including phones, use full drive encryption and remote wipe capabilities (don’t mess with location tracking services).</li>
<li>Use a procedure for backing up all your data that always requires two-factor authentication: no remembered logins (if ‘cloud-based’).</li>
<li>Be aware of how locals use credit cards. If they don’t trust using cards in their country/city, you probably shouldn’t either. In countries where point of sale (POS) attacks are trending, use cash.</li>
<li>If possible (and trustworthy), it may be better to use a local anti-virus while you are in the country.</li>
<li>Try to avoid accessing sensitive information over the internet. If not using a VPN, prefer mobile broadband. If all else fails, at least make sure a local wireless connection is using encryption.</li>
<li>Manually set your DNS to a trusted server.</li></ul>These are some of the things I am thinking about on business trips abroad.
Cyber security abroad is really about common sense, and should not be that much different from cyber security at home. Try not to put sensitive information in risky situations, and if you have to, at least try to protect it (trusted VPNs, etc.).
Photo by Yuri Samoiliv
With the KITRI Best of the Best information security program, we have been developing tools for law enforcement to use in the automatic detection of child exploitation material (images). The new code and classifiers will be merged into the imageClassification GitHub repository in the next few days, and you will be able to download and use it for free (FOSS). We also have an Autopsy 3 Python module available here. If you use any of them, please let us know how you got on.
However, during the project we realized we were focusing on helping Law Enforcement, who already have a pretty good idea of what online child exploitation is. We decided to start working with the Korean public to raise awareness about online child exploitation.
The project team (Outc4se) created a presentation about online child exploitation, which was presented at a Seoul Tech Society event, Korea University, the Korean National Police University, and others. The overall reaction from the public (in my opinion) was a sullen interest. Some people wanted to ignore the problem, some people had questions. At the end of the presentation the group demonstrated their image classification project, and tried to give tips about what the public can do to protect themselves and their children, and to help combat online child exploitation.
Seeing that the general public had little awareness of the problem of child exploitation, the group set up a blog (http://bob-safekids.blogspot.kr/) with some basic information about child exploitation and associated research. We hope to keep adding information that the public can use to understand such a common and dangerous issue.