The Caffeinated Penguin

musings of a crackpot hacker

Scary, scary security stuff

Posted By on February 21, 2009

Stuff from BlackHat

  1. SSL man-in-the-middle attack which comes really close to being undetectable sniffing of your SSL traffic. This is, of course, the problem with the “web of trust”, which was always the problem I had with using it for email. Let’s back up a step. If you want to go buy something from a shop, you have an idea that the shop is more reputable than the guy selling things out of the back of a van. Why? Think about it – there’s nothing intrinsically bad about people selling things from tables and carts – look at street food vendors vs. restaurants. Folks are okay with both. Why aren’t shops the same way? The actual answer is not relevant – we have our own heuristic way of dealing with reputation, our own little warning bells. To an extent, some of this carries over to online shops as well – shady websites which look like a scam make you more nervous than ones which look proper. However, the real metric is word of mouth. Why do you trust Amazon? Because other people do? Because it’s so big? Isn’t that just the same as “because other people do”? Now, this is how the certificate web of trust works. You trust that a certificate is genuine because it is signed by someone who, at some level, you trust (or, more likely, whom Microsoft or Firefox trusts and includes by default in your browser). The problem with this attack is that you don’t really know who these people you are trusting are. So, the attack is predicated on the idea that the attacker pretends to be someone trusted, makes everything look right, and gets everything that you would be sending to the website you thought you could trust (username, password, credit card information). For email, I don’t really like the web of trust. I like the “I know you. We’ve met. We’ve exchanged PGP keys.” Very short web. Of course, this doesn’t really work for e-commerce. Advice: Look at the “lock” icon in the bottom right of the browser really carefully.
  2. Another guy found vulnerabilities in various offline web apps. This is basically a problem with those apps and the complexity introduced by offline modes, and isn’t really as scary as the above – especially if you don’t use them.
  3. Finally, some researchers have found that you can fool the facial recognition used to authenticate people to their laptops via the built-in webcam by holding up a picture of the person. This is just like the old idea of lifting people’s fingerprints and using them to defeat fingerprint scanners. Biometrics are fine as one component of two-factor authentication, but simply not good enough to be your sole authentication method.
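To make the first item concrete, here is an added Go example (not from the original post or the talk it describes) of the trust decision a browser makes behind that lock icon: a site certificate is accepted only if it chains to a root already in the trust store and was issued for the hostname you typed. The CA names, the hostname "shop.example" and the serial numbers are constructed for the demo; the real point is that a perfectly well-formed certificate from a CA the store has never heard of is rejected, which is why adding a root to your store is the same act as trusting everyone it has vouched for.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func check(err error) { // key generation and signing do not fail in practice; this demo does not recover
	if err != nil {
		panic(err)
	}
}
// mustCert issues a certificate named cn: a self-signed root when parent is nil, else a site cert signed by the parent CA (the CA vouching for the site).
func mustCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // a root signs itself
	} else {
		tmpl.DNSNames = []string{cn} // browsers match the typed hostname against the SAN list, not the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
// Scenario: the trust store holds only trustedRoot; returns the verdicts for the genuine site cert, an impostor cert for the same name from an unknown CA, and a hostname mismatch.
func Scenario() (genuineErr, impostorErr, wrongHostErr error) {
	trustedRoot, rootKey := mustCert("Trusted Root CA", nil, nil)
	genuine, _ := mustCert("shop.example", trustedRoot, rootKey)
	rogueRoot, rogueKey := mustCert("Rogue CA", nil, nil)
	impostor, _ := mustCert("shop.example", rogueRoot, rogueKey)
	store := x509.NewCertPool() // the browser's trust store: Rogue CA is not in it, however genuine it looks
	store.AddCert(trustedRoot)
	_, genuineErr = genuine.Verify(x509.VerifyOptions{DNSName: "shop.example", Roots: store})
	_, impostorErr = impostor.Verify(x509.VerifyOptions{DNSName: "shop.example", Roots: store})
	_, wrongHostErr = genuine.Verify(x509.VerifyOptions{DNSName: "evil.example", Roots: store})
	return genuineErr, impostorErr, wrongHostErr
}
```

Only the first verdict is nil; the impostor fails with an unknown-authority error and the hostname mismatch fails the SAN check, which is exactly what a browser turns into a warning instead of a lock.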
