FIDO Alliance Password-less Authentication Spec.

[Edited 2015-02-02]
Last month, the FIDO Alliance released specifications that attempt to remove passwords from authentication. A few years ago, Google was already “declaring war on passwords”, even publishing an interesting article in IEEE Security and Privacy: Authentication at Scale. While some improvements have been made, like Google Authenticator for 2-factor authentication, it does not appear to be widely implemented.
</div><div>The FIDO Alliance, however, is looking to change that with their Universal Authentication Framework (UAF) and Universal Second Factor (U2F) standards.</div><div>
</div><div class="tr-caption" style="text-align: center;">UAF and U2F process graphic from the FIDO Alliance</div><div class="separator" style="clear: both; text-align: center;">
</div><div class="separator" style="clear: both; text-align: left;">Apparently a device with the UAF stack accepts either biometric input or a PIN code to authenticate to UAF. UAF itself apparently keeps the user’s private key for each associated website. This key is used to sign a login response when the site issues a challenge.</div><blockquote class="tr_bq" style="clear: both; text-align: left;">A site or browser prepared to accept FIDO authentication can/will offer a user the option if a FIDO device is present. The first time a device is identified, a user will be offered the option to register their FIDO authenticator and use it. Subsequently, the registered device is automatically detected at the site and the user is presented with options for authentication, until/unless the user opts in or out. Please note that FIDO authentication is entirely device-centric. The authentication exchange occurs only between the FIDO device and the authenticating FIDO server, and the exchange is only in crypto.1</blockquote><div class="separator" style="clear: both; text-align: left;">U2F is not much different. It appears to be a USB or similar device, much like PAM USB. Because the authentication is device-centric, backup passcodes to unlock the device are not interesting to an attacker (unless they can get local access).</div><blockquote class="tr_bq" style="clear: both; text-align: left;">Though a U2F device may store a password (really, it can be a 4-digit PIN) as a fallback for a user to unlock their own device locally (to effect changes, for example), this application can use a very simple, fixed password or code. In this way, the U2F PIN is not at all like OTP. The PIN available to a U2F user never needs to change, because it never does anything but allow a user to unlock the device locally. The PIN is only relevant to the FIDO device, so there is never the need to share to a server or a network, such as OTP must do. 
It has no value to a hacker, because it is meaningless to the server.1</blockquote><div class="separator" style="clear: both; text-align: left;">While this system may help adoption of better authentication, there will of course have to be a ‘fallback’ method. Right now this comes in the form of backup one-time passwords, which criminals have proven are easily stolen. Overall, the system still appears vulnerable to downgrade attacks (not every system will support this standard) and ultimately to user error, but it does make mass attacks more difficult while still (potentially) being relatively easy for the end user.</div><div class="separator" style="clear: both; text-align: left;">
</div><div class="separator" style="clear: both; text-align: left;">Rightly, the FIDO Alliance answers the question “What makes FIDO different?” Their answer is that they are providing an online crypto/authentication framework. Luckily, the FIDO Alliance has some big names behind it that should be able to support a large-scale standard like this for a long time. If not, basic passwords are better than security systems that can’t be updated.</div><div class="separator" style="clear: both; text-align: left;">
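The device-centric exchange described above, as an added example (not FIDO code and not from the original post): a Go model in which the authenticator holds one P-256 private key per origin and only ever emits signatures, the server stores nothing but public keys, the origin is bound into the signed bytes, and each challenge is accepted once. The type names and the way the origin is mixed into the signed data are assumptions of this model, not the FIDO wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a FIDO device: one private key per origin, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Server keeps only public keys plus the challenges it issued and has not yet seen answered.
type Server struct {
	Origin  string
	PubKeys map[string]*ecdsa.PublicKey
	Pending map[string]bool
}

// signedData binds the origin into the signed bytes so a response for one site cannot be relayed to another (assumed layout).
func signedData(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return d[:]
}

// Register creates a fresh P-256 key for this origin; only the public half leaves the device.
func (a Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[origin] = priv
	return &priv.PublicKey, nil
}

// Respond signs the challenge with the key registered for the origin the browser reports.
func (a Authenticator) Respond(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, errors.New("no key registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// Challenge issues 32 random bytes and records them as outstanding.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand: never returns an error on supported platforms
	s.Pending[string(c)] = true
	return c
}

// Verify accepts a response only for an outstanding challenge, over this server's own origin, under the user's registered key; the challenge is consumed either way, so replays fail.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, known := s.PubKeys[user]
	if !known || !s.Pending[string(challenge)] {
		return false
	}
	delete(s.Pending, string(challenge))
	return ecdsa.VerifyASN1(pub, signedData(s.Origin, challenge), sig)
}
```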
</div><hr width="80%" />
1 Clarification provided by Suzanne Matick



Just a quick reminder that the DFRWS US 2015 is coming up soon!

DFRWS 2015 will be held on August 9-13, 2015 at the Hyatt Regency Philadelphia at Penn’s Landing, Philadelphia, PA, USA.

Important Dates

<ul><li>Paper and panel submission deadline: February 9, 2015 (any time zone).</li><li>Paper author notification: April 1, 2015</li><li>Final paper draft and presenter registration(*): April 30, 2015</li><li>Presentation and poster abstract submission deadline: April 17, 2015 (any time zone)</li><li>Presentation notification: May 1, 2015</li><li>Conference dates: August 9-13, 2015</li></ul><div>Topics of Interest</div>
<div><ul><li>Memory analysis and snapshot acquisition</li><li>Storage forensics, including file system and Flash</li><li>“Big data” approaches to forensics, including collection, data mining, and large-scale visualization</li><li>Incident response and live analysis</li><li>Virtualized environment forensics, with specific attention to the cloud and virtual machine introspection</li><li>Malware and targeted attacks: analysis, attribution</li><li>Network and distributed system forensics</li><li>Event reconstruction methods and tools</li><li>Mobile and embedded device forensics</li><li>Digital evidence storage and preservation</li><li>Data recovery and reconstruction</li><li>Multimedia analysis</li><li>Database forensics</li><li>Tool testing and development</li><li>Digital evidence and the law</li><li>Case studies and trend reports</li><li>Data hiding and discovery</li><li>Anti-forensics and anti-anti-forensics</li><li>Interpersonal communications and social network analysis</li><li>Non-traditional forensic scenarios and approaches (e.g. vehicles, control systems, and SCADA)</li></ul></div><div><div>The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience. Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to: usa-papers (at) dfrws (dot) org</div></div>


What is your password?

Jimmy Kimmel, a U.S. talk show host, commented on U.S. cyber security after the 2014 Sony attacks. To humorously demonstrate the problem, his show employed a bit of social engineering on the streets to see if they could get random users’ passwords. While most people did not directly give their passwords, it was not hard to get them to reveal some personal information. This is one reason why Google wanted to switch to security keyfobs (which do not seem to have taken off). Linux, by the way, has had device-based authentication for a while that can be configured to log into the system, websites, etc. using almost any connectable device.
<div>Luckily for hackers, fooling a mass of people online is much easier than this.</div></div><div>
</div><div>What can you do? Lifehacker has talked about how to pick a strong password, methods for creating passwords you will remember, and even a list of the best password managers. But most of all, just don’t tell people your password.

Photo by BM5K</div>


Cybersecurity Tips for Business Travelers

I recently received an email from someone claiming to be from CNN, wanting to do a segment on cyber security for business travelers. They asked for some bullet points that tech-savvy travelers may be able to follow to protect themselves. I threw together some points that are common crime trends, or that I normally think about when travelling.

I am assuming the main concern is some type of hacking or data theft. I’m assuming some technical capability in my (general) recommendations below, and skipping some obvious pointers.

<ul>
<li>Coordinate an OFFLINE authentication system with your secretary or office, and use this authentication token any time you are talking about money transfers or bank details. This is a common threat now: hackers know when you travel and use the confusion to defraud the company.</li>
<li>The company should be running a VPN that works over port 443 and/or port 80.</li>
<li>Attempt to understand common cyber threats (and their cause) in the country. Are you vulnerable to local attacks?</li>
<li>Attempt to use systems that are NOT commonly used in the destination country. Target systems in Korea: Windows, IE, Android. Avoid these and your chances of being compromised are much lower. (A Linux Live CD/USB is easy to use.)</li>
<li>Do you need to bring all of your work data with you? Can you copy only the required documents to the system that you bring with you (threat minimization)? Wipe the systems when you come back home.</li>
<li>Same as above for phones / mobile devices.</li>
<li>For business systems, including phones, use full drive encryption and remote wipe capabilities (don’t mess with location tracking services).</li>
<li>Use a procedure for backing up all your data that always requires two-factor authentication: no remembered logins (if ‘cloud-based’).</li>
<li>Be aware of how locals use credit cards. If they don’t trust using cards in their country/city, you probably shouldn’t either. In countries where point of sale (POS) attacks are trending, use cash.</li>
<li>If possible (and trustworthy), it may be better to use a local anti-virus while you are in the country.</li>
<li>Try to avoid accessing sensitive information over the internet. If not using a VPN, prefer mobile broadband. If all else fails, at least make sure a local wireless connection is using encryption.</li>
<li>Manually set your DNS to a trusted server.</li>
</ul>These are some of the things I am thinking about on business trips abroad.

Cyber security abroad is really about common sense, and should not be that much different than cyber security at home. Try not to put sensitive information in risky situations, and if you have to, at least try to protect it (trusted VPNs, etc).

Photo by Yuri Samoiliv


Online Child Exploitation Awareness Project

With the KITRI Best of the Best Information Security program, we have been developing tools for Law Enforcement to use in the automatic detection of Child Exploitation Material (images). The new code and classifiers will be merged into the imageClassification GitHub repository in the next few days, and you will be able to download and use it for free (FOSS). We also have an Autopsy 3 Python module available here. If you use any of them, please let us know how you got on.

However, during the project we realized we were focusing on helping Law Enforcement, who already have a pretty good idea of what online child exploitation is. We decided to start working with the Korean public to raise awareness about online child exploitation.

The project team (Outc4se) created a presentation about Online Child Exploitation, which was presented at a Seoul Tech Society event, Korea University, the Korean National Police University, and others. The overall reaction from the public (in my opinion) was a sullen interest. Some people wanted to ignore the problem, some people had questions. At the end of the presentation the group demonstrated their image classification project, and tried to give tips about what the public can do to protect themselves and their children and to help combat online child exploitation.

Seeing that the general public had little awareness of the problem of child exploitation in general, the group set up a blog with some basic information about child exploitation and associated research. We hope to keep adding information that the public can use to understand such a common and dangerous issue.


[CFP] ICDF2C 2015

Call for papers for the 7th International Conference on Digital Forensics and Cyber Crime (ICDF2C)

Conference Dates: October 6 - 8, 2015
Location: Seoul, South Korea
Paper Submission: 30 March, 2015 (any time zone)

<div>The International Conference on Digital Forensics and Cyber Crime (ICDF2C) brings together leading researchers, practitioners, and educators from around the world to advance the state of the art in digital forensic and cyber crime investigation. Keeping up with our international and collaborative nature at ICDF2C, we are proud to announce that ICDF2C 2015 will run jointly with the Korean Digital Forensic Society’s Annual Conference (KDFS 2015).</div>
<div>ICDF2C 2015 will be held October 6 - 8, 2015 in Seoul, South Korea. We invite contributions for completed research papers, research-in-progress papers, industrial talks, panel and tutorial proposals, and round table discussions. Research papers are evaluated through a double-blind peer-review process, and accepted research papers will be published in printed proceedings by Springer-Verlag.</div>
<h3>Special Themes</h3>This year, we have two themes that we intend to embrace. Authors are encouraged to submit papers relating to these themes:
<ul><li>Usage, implications and investigation of the “Dark Web”</li><li>Case studies and investigation techniques relating to cryptocurrencies</li></ul>
<h3>SCOPE</h3>The Internet has made it easier to perpetrate crimes by providing criminals an avenue for launching attacks with relative anonymity. The increased complexity of global communication and networking infrastructure and devices makes investigation of cybercrimes difficult. Clues of illegal activities are often buried in large volumes of data that need to be sifted through in order to detect crimes and collect evidence. The field of digital forensics and cybercrime investigation has become very important for law enforcement, national security, and information assurance. Digital forensics and cybercrime investigations are multidisciplinary areas that encompass law, computer science, finance, telecommunications, data analytics, policing and more. ICDF2C brings together practitioners and researchers from diverse fields, providing opportunities for business and intellectual engagement among attendees.
The following topics highlight the conference’s theme:
<ul><li>Anti Forensics and Anti-Anti Forensics</li><li>Big Data and Digital Forensics</li><li>Business Applications of Digital Forensics</li><li>Civil Litigation Support</li><li>Cloud Forensics</li><li>Cyber Crime Investigations</li><li>Cyber Criminal Psychology and Profiling</li><li>Cyber Culture & Cyber Terrorism</li><li>Data hiding and steganography</li><li>Database Forensics</li><li>Digital Forensic Science</li><li>Digital Forensic Tool Testing and validation</li><li>Digital Forensic Trends</li><li>Digital Forensics & Law</li><li>Digital Forensics and Error rates</li><li>Digital Forensics novel algorithms</li><li>Digital Forensics Process & Procedures</li><li>Digital Forensics Standardization & Accreditation</li><li>Digital Forensics Techniques and Tools</li><li>Digital Forensics Triage</li><li>e-Discovery</li><li>Hacking</li><li>Incident Response</li><li>Information Warfare & Critical Infrastructure Protection</li><li>Law Enforcement and Digital Forensics</li><li>Machine learning and Digital Forensics</li><li>Malware & Botnets</li><li>Mobile / Handheld Device & Multimedia Forensics</li><li>Money Laundering</li><li>Network forensics</li><li>New chip-off techniques</li><li>Novel Digital Forensics Training programs</li><li>Online Fraud</li><li>Programming Languages and Digital Forensics</li><li>SCADA Forensics</li><li>Sexual Abuse of Children on Internet</li><li>Software & Media Piracy</li><li>Theoretical Foundations of Digital Forensics</li><li>Traditional Criminology applied to Digital Forensics</li><li>Philosophical accounts for Cyber Crime and Digital Forensics</li></ul>
<h3>RESEARCH PAPERS</h3>Papers describing original unpublished research are solicited. Submissions must not be concurrently under review by a conference, journal or any other venue that has proceedings. Papers in the topic areas discussed are preferred, although contributions outside those topics may also be of interest. Please feel free at any time to contact the conference general chair if you have questions regarding your submission.
<h3>BEST PAPER AWARD</h3>The program committee may designate up to three papers accepted to the conference as ICDF2C Best Papers. Every submission is automatically eligible for this award.
<h3>OTHER SUBMISSION CATEGORIES</h3>Submissions can be made in a number of categories: Completed research papers, research-in-progress papers, industrial talks, panel and tutorial proposals, and round table discussions. Please follow the following guidelines in preparing your submission.
<ul><li>Completed Research Papers: No longer than 10 pages (including abstract, figures, tables and references).</li><li>Research in Progress Papers: No longer than 6 pages (including abstract, figures, tables and references).</li><li>Industrial Talk: Typically a 1,000 word description of the proposed talk. All talks must be vendor neutral.</li><li>Round Table Discussion: Typically a 1,000 word synopsis of the topic area.</li><li>Panel Proposals: Typically a 1,000 word description, identifying the panelists to be involved.</li><li>Tutorial Proposals: Typically a 1,000 word description of topic(s), potential speakers, program length, and potential audience. Also, include proposer resume(s).</li></ul>
<h3>SUBMISSION INSTRUCTIONS</h3>Paper submission will be handled electronically. Papers must be formatted using the Springer LNICST Authors’ Kit and submitted only through the conference’s electronic submission system.
<div>
All submitted papers will be judged on their quality through double-blind reviewing. Authors’ names must not appear in the paper. All other submissions should be sent via email to the conference general chair (Dr. Joshua I. James, joshua at cybercrimetech dot com).
</div><h3>PUBLICATIONS</h3>Accepted papers will be published in the ICDF2C 2015 Conference Proceedings and by Springer-Verlag in the Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Tele-communications Engineering (LNICST) series.
<div>
The proceedings will be available both as paper-based copies and via SpringerLink, Springer’s digital library. In addition, the content of the proceedings will be submitted for inclusion in leading indexing services, including DBLP, Google Scholar, ISI Proceedings, EI, CrossRef and Zentralblatt Math, as well as ICST’s own EU Digital Library (EUDL).
</div><div>
Further, we are partnering with Elsevier’s “Digital Investigation: The International Journal of Digital Forensics & Incident Response” to invite expanded versions of specially selected papers for inclusion in their SCI-indexed publication.
</div>
