Wednesday, February 2, 2011

Firesheep

Encrypting user data is essential; however, some websites choose to protect only user passwords instead of all information passed over the network. This has left many sites and users vulnerable to HTTP session hijacking, which allows attackers to take over a user's session on websites that have been accessed on an open network. The security risks of unprotected wireless networks are nothing new, and a controversial Firefox add-on shows just how easily someone’s account can be hijacked. The program is called Firesheep, and was created in order to show the vulnerabilities found in many popular websites such as Facebook and Amazon.

Firesheep is primarily a packet analyzer, a program that captures data packets being sent over a network. These programs are commonly used to find and debug problems within the network, but can also be used maliciously to obtain personal information.  When a network is unsecure, any unencrypted data that is sent over the network is easily readable by the user of a packet analyzer. Although user information such as credit card numbers and passwords are generally encrypted, the information Firesheep uses to hijack your account is not.

After a person logs onto a website, their username and password are verified, and the website sends a cookie to the user’s web browser. This cookie is then sent back whenever the user communicates with that website, allowing the person to remain logged in. Using a packet analyzer, someone could obtain this cookie as it is sent over the network and use it to communicate with the website. Since the hijacker presents the same cookie as the user, from the same network, the website treats the hijacker as the logged-in user. Firesheep allows users to “test” this process on a number of websites with an easy-to-use interface.

When Firesheep is used on an open network, any user cookies being sent are captured and displayed by the plugin. The hijacker can then access these accounts by double-clicking on the session icon. Although this program was created to demonstrate the vulnerability of unsecured networks, it is most likely being used to spy on people at the local Starbucks. Since Firesheep was created, Google and Facebook have made the switch to HTTPS; however, only Google has made it standard. Facebook users need to switch their account by going to Account Settings, then clicking “enable secure browsing” in the Account Security pane.
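From the site operator's side, the weakness described above shows up in the login response itself. The following is an added example, not part of the original post: it audits response headers for cookies that the browser would send over plain HTTP. The header values and the function name audit_cookies are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers a hypothetical site returns after login.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=4f2a9c; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=ab12; Path=/; Secure"),
    ("Set-Cookie", "auth=9e77d1; Path=/; Secure; HttpOnly"),
    ("Content-Type", "text/html"),
]


def audit_cookies(headers, page_scheme="https"):
    """Return (cookie_name, problem) findings for a login response.

    A cookie without the Secure attribute is also sent on http:// requests,
    where a packet analyzer on an open network can read it.
    """
    findings = []
    has_hsts = False
    for key, value in headers:
        name = key.lower()
        if name == "strict-transport-security":
            has_hsts = True
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(
                    (cookie_name, "no Secure attribute: sent over plain HTTP"))
    # Site-level checks, reported under the pseudo-name "*".
    if page_scheme != "https":
        findings.append(("*", "login response itself served over HTTP"))
    elif not has_hsts:
        findings.append(
            ("*", "no Strict-Transport-Security: browser may still use HTTP"))
    return findings


if __name__ == "__main__":
    for cookie_name, problem in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie_name}: {problem}")
```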

Saturday, January 8, 2011

Public Key Encryption

Although private key encryption is a secure way to keep information confidential, it can be a problem ensuring that the private key is transferred without being intercepted. Since the only foolproof way to exchange these private keys is in person, many people have turned to the use of public key encryption. In public key encryption, a public key and private key are used in combination to provide security to a message. The use of public key encryption makes it much easier for people to communicate confidentially since it removes the need to exchange a private key before a message is sent.

In public key encryption, there is a public key that can be known to anyone, even an attacker. This public key is only used to encrypt messages, which can then be sent to the receiver securely. After the message is encrypted using the public key, a private key is used for decryption. Since only the person receiving the message has access to the private key, they can be assured that no one else will be able to decrypt the messages being sent.

One analogy of public key encryption involves mail being sent from one person to another securely. Imagine Alice wants to send a secure message to Bob, making sure that only Bob will be able to read this message. To do this, Alice asks Bob to send her his padlock through the mail. Alice then uses Bob’s padlock (public key) to lock the message, and sends it to Bob. Since Bob is the only one who has the (private) key to the padlock, he can be sure that no one else will be able to intercept Alice’s message.

Even though public key encryption eliminates the need to securely transfer private keys, it requires very large keys to encrypt and decrypt the data. This causes public key encryption to take much longer, and use more computing resources than symmetric encryption. Public key encryption is also less secure than symmetric encryption because all public key systems can hypothetically be cracked using brute force attacks. In order to combine the advantages of both systems, a hybrid encryption system called PGP (Pretty Good Protection) was created.

In PGP, a session key is added to the encryption process, adding another level of security. The session key is a unique key created every time you use PGP to encrypt data. When a message is sent using PGP, the plaintext is encrypted using the session key, creating the ciphertext. The session key is then encrypted using a public key and sent along with ciphertext to the receiver. When the message arrives, the private key is used to decrypt the session key, which is in turn used to decrypt the message. This system provides the speed of a private key system with the easy usability of public key encryption.
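The hybrid flow described above, as an added example that is not from the original post and is not PGP's own code. It assumes a toy RSA key built from two small Mersenne primes and a SHA-256 keystream standing in for the symmetric cipher; both are illustrative stand-ins, far too weak for real use.

```python
import hashlib
import secrets

# Toy RSA key pair for the receiver (assumption: illustrative sizes only).
P, Q = 2**61 - 1, 2**89 - 1          # two known Mersenne primes
N, E = P * Q, 65537                  # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept by the receiver


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream.

    The same call encrypts and decrypts. It is only safe here because each
    session key is used for exactly one message.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def hybrid_encrypt(plaintext: bytes, public_key=(N, E)):
    """Sender: fast symmetric encryption of the message, slow public key
    encryption of only the 16-byte session key."""
    n, e = public_key
    session_key = secrets.token_bytes(16)            # new for every message
    ciphertext = keystream_xor(session_key, plaintext)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, ciphertext


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, private_key=(N, D)):
    """Receiver: recover the session key with the private key, then use it
    to decrypt the message."""
    n, d = private_key
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    wrapped, ct = hybrid_encrypt(b"Meet me at noon, Bob.")
    print(hybrid_decrypt(wrapped, ct))
```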

In my post about private key encryption, I discussed the keys used for encryption and decryption, and how long it would take for someone to brute force attack these keys. Although both types of encryption systems use keys, the types of keys used for each are very different. Even though a 56bit key in symmetric encryption can be broken in 250 days, the same 56bit key in the public key system can be cracked in a much shorter time. This means that public key encryption users must choose the proper key size depending on the amount of resources available, along with the amount of protection desired. A smaller key size could be used for less private information, while data such as credit card numbers should be handled with a much larger key. Users of public key encryption must always choose between better performance or better security.

Wednesday, January 5, 2011

Private Key Encryption

When it comes to encryption, there are two different types of systems that can be used to ensure message integrity. The first is private key encryption, in which both the sender and receiver use only one key to encrypt and decrypt data. The second is public key encryption, which uses both a public and private key to secure the message. In this article I will explain private key encryption and the amount of security that it provides. I will also show how the modern encryption key is theoretically impossible to crack.

In private key encryption, both the sender and receiver use the same key to encrypt and decrypt the message being sent. This requires the sender and receiver to both have the secret key, which can become a problem if the people communicating are a far distance away from each other. Since this secret key can be used to encode and decode the message being sent, the people using this private key must have securely transferred the key from one person to another without anyone intercepting it. The most common form of private key cryptology used today is the AES (Advanced Encryption Standard), which replaced its predecessor, DES (Data Encryption Standard). The U.S. government has recently stated that AES provides enough security to encrypt classified and top secret information.

One reason the government finds AES secure enough to protect their data is its large key sizes. The larger the key used to encrypt the data is, the longer it will take for someone to find the key. Finding an encryption key by testing every combination of numbers allowed in the key is called a brute force attack, and is theoretically impossible with the larger key sizes that are used in encryption today. When DES was first implemented, it contained a 56bit encryption key. This meant that an attacker would need to guess 2^56 combinations since each bit can be either 1 or 0 and there are 56 different bits. At the time it seemed that this was improbable, but the 56bit key became more and more crackable as computer processing power increased.

Since the DES was quickly becoming outdated, the AES was created to take its place. The AES is much more sophisticated, including the option for 128bit, 192bit, or 256bit encryption keys. To show how secure these keys are, a contest was created that rewarded anyone able to crack these encryption keys a cash prize. A worldwide network of computer users and groups operating with the website distributed.net have been the most successful in cracking these keys. In 1997, the group broke the 56bit encryption key in 250 days. (One year later it was broken in 22 hours.) In 2002, the group managed to crack the 64bit key after working for almost 5 years. When you think about how much longer it took to crack a key that was only 8bits larger, it is easy to see how a 256bit encryption key is theoretically impossible to crack.

To give another example of how hard a 256bit key is to crack, cryptologist Burt Kaliski came up with this analogy: Imagine a computer that is the size of a grain of sand, with the capability to calculate encryption keys at the speed of light. Now, create a network of these computers that covers the earth to a height of one meter. This network of computers would be able to crack a 128bit encryption key in roughly 1000 years. At the current time, it would take two planets full of computers to brute force a 256bit key. Since brute force cracks are theoretically impossible, attackers have turned to other methods of intercepting or corrupting data. Many of these techniques involve social engineering and side-channel attacks.

Sunday, January 2, 2011

Cryptology

Happy New Year’s everyone. In the next week I want to start discussing the topic of encryption and the different ways in which people’s information is kept secure. In order to do that, however, I need to cover some basic concepts of cryptology. Cryptology is the practice of keeping information secret, and has been used since the invention of an alphabet. Since there are entire courses and majors devoted to cryptology and encryption, I will try to explain these concepts in a way that’s simple to understand.

Although the main idea of cryptology is to ensure the content of a message is confidential, there are other aspects of message integrity that must be taken into consideration. Along with ensuring the message is unreadable (encrypted), the sender and receiver also want to be sure the message has not been altered in any way. It is also important to make sure the message was actually sent by the person that the message claims it was sent from.

When a message is encrypted, the original content (plaintext) is made unreadable using an encryption algorithm. This algorithm encrypts the message into ciphertext, which cannot be read by any intruder or eavesdropper. Since the encryption algorithms are known by everyone, including would-be attackers, there is another step that must be taken to prevent intruders from decrypting the message. This is why special keys are needed to decipher the original message. There are both private-key and public-key cryptology systems, and I will explain the advantages and disadvantages of both in upcoming posts.

Another important topic in secure communication is authentication, which ensures that the sender of a message is indeed who they claim to be. Authentication also ensures that the message has not been altered in any way since it was sent. The main way that messages are authenticated uses something called a digital signature. Digital signatures are created by using encryption along with other authentication techniques to provide a (theoretically) unforgeable signature that authenticates the message integrity.

In the next week I will explain the different types of encryption, along with the advantages or disadvantages of each type. I will also explain the different ways in which data is authenticated, including a detailed explanation of digital signatures and certificates. Along with these topics, I will also explain how personal information is stored confidentially in a database.

Wednesday, December 15, 2010

Denial-of-Service Attacks

One of the most popular news stories this month involves Julian Assange and the website WikiLeaks. Assange was granted bail in England yesterday, but must remain in the country pending a Swedish appeal. Assange’s bail was set at £200,000 (around $315,000), and many people are showing their support by donating money to WikiLeaks. Last week, many companies decided to halt donations to WikiLeaks, claiming that the website promoted illegal activities. This refusal to donate money spawned a group of cyber attacks on the company websites of Paypal, Amazon, MasterCard and Visa. The attacks used are called DoS (denial-of-service) or DDoS (distributed denial-of-service) attacks, and cause a website to become inaccessible to any users. In this post I will explain how DoS and DDoS attacks work, and what this recent attack on major websites means for Internet security.

DoS and DDoS attacks are caused when a website’s network is flooded with various requests, causing the CPU usage to reach 100 percent. This is achieved by sending large packets of data multiple times until the CPU cannot process any more of the requests. Since the CPU can no longer handle any tasks related to the website, users trying to access the page will be unsuccessful. The difference between these two types of attacks is simply the number of attacking computers being used, with the distributed denial-of-service using more than one computer. These types of attacks can be led by one person, or collectively with a group of people. The latter was demonstrated last week when some users of the website 4chan decided to organize a DDoS attack on the websites refusing to help WikiLeaks.
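The difference between the two attack types is also what a defender looks for in request logs. The following is an added example, not part of the original post: it slides a time window over (timestamp, source address) events and separates one noisy source from many sources that are individually quiet. The thresholds, the function names and the sample traffic are constructed for illustration.

```python
from collections import Counter, deque


def detect_floods(events, window=10, per_src_limit=50, total_limit=200):
    """events: (epoch_seconds, source_ip) pairs sorted by time.

    Returns alerts as (time, kind, detail): kind "dos" names the single
    source over per_src_limit; kind "ddos" gives the number of distinct
    sources when only the combined rate is over total_limit.
    """
    recent = deque()      # events inside the current window
    counts = Counter()    # requests per source inside the window
    alerts, last_kind = [], None
    for ts, src in events:
        recent.append((ts, src))
        counts[src] += 1
        while recent[0][0] <= ts - window:        # drop expired events
            _, old_src = recent.popleft()
            counts[old_src] -= 1
            if counts[old_src] == 0:
                del counts[old_src]
        top_src, top_count = counts.most_common(1)[0]
        if top_count > per_src_limit:
            kind, detail = "dos", top_src
        elif len(recent) > total_limit:
            kind, detail = "ddos", len(counts)
        else:
            kind, detail = None, None
        if kind and kind != last_kind:            # alert once per episode
            alerts.append((ts, kind, detail))
        last_kind = kind
    return alerts


def sample_events():
    """Constructed traffic using documentation address ranges."""
    # 0-29 s: five normal clients, one request per second each.
    ev = [(t, f"192.0.2.{c}") for t in range(30) for c in range(1, 6)]
    # 30-34 s: one source sends 20 requests per second.
    ev += [(30 + i // 20, "198.51.100.66") for i in range(100)]
    # 60-62 s: 120 sources send one request per second each.
    ev += [(60 + t, f"203.0.113.{c}") for t in range(3) for c in range(1, 121)]
    return sorted(ev)


if __name__ == "__main__":
    for alert in detect_floods(sample_events()):
        print(alert)
```

Per-source limits alone miss the distributed case, which is why the combined rate is tracked separately.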

4chan is an image board that allows users to anonymously discuss topics and post images to the site. The users of 4chan are known for their involvement in various Internet pranks and attacks, mainly using DDoS attacks to disable targeted websites. These attacks are part of something called “Operation Payback”, which began after many torrent-downloading sites were taken down. In retaliation, the members of Operation Payback organized denial-of-service attacks on anti-pirating websites and organizations. The group has continued to show its “strength”, resulting in the recent attacks on the Paypal, MasterCard, and Visa websites. Although DDoS attacks from 4chan’s users are nothing new, the method in which the attack was conducted presents a new security threat to the Internet.

Denial-of-service attacks were originally conducted using the “ping of death” technique, which sent an oversized ping packet to a targeted computer. Older computers were unable to handle these packets, causing them to crash. Since this type of attack today would not affect modern computers, newer types of DoS attacks have been created. One reason the recent attacks on MasterCard and Visa were so “successful” involves a new method of DDoS using the tool LOIC. The Low Orbit Ion Cannon is a stress tester for networks and floods the targeted website with various requests and pings.

The idea that a relatively small group of people was able to take major websites down for a number of hours is somewhat scary, but in the end no one’s information was obtained and purchases could still be made (for some users). Participating in a DDoS attack is illegal, and some of the people involved in the recent 4chan attack have been arrested and questioned in the last few days. Although the FBI probably won’t spend too much time and money hunting down these activists, it makes you wonder what a larger, more organized group of attackers could be capable of.

Friday, December 3, 2010

Christmas Scams

Since the Christmas season is coming soon, many people are scrambling to get the best gifts for their friends and family. Most people have turned to online shopping due to its convenience, but the online marketplace is often a haven for spammers and scammers who want to get your info. Although most people have realized how to spot fake e-mails and offers, there are still many people out there who should learn how to identify a scam when they see it. In this post, I will explain the most common ways that scammers attempt to obtain personal information, and the ways that shoppers can protect against this. The bottom line when it comes to an online offer: If an offer seems too good to be true, it probably is.

The most common form of Christmas scam involves some sort of gift certificate, promise of free merchandise, or charity website. These links often take the user to a fake website which will attempt to steal personal information. These websites are called phishing sites, and many of these pages look like legitimate businesses or charities. Some sites will ask the user to sign up for an account using their email address and password. This is problematic because many people use the same password for different accounts. The real danger comes when a user enters their credit card info on one of these pages, only to have it stolen by the host of the site.

The easiest way to avoid these scams is by sticking to reputable and trusted sites such as Ebay or Amazon. Stay away from sites that offer free products or prices that seem too good to be true. Customers should also check for a “trustmark” on the website address that ensures the page is reputable. All secure sites will begin with https (s for secure) instead of the normal http. Another thing to remember while shopping this holiday season is that online orders should never be placed on an unsecure network. Information sent over unsecure networks can easily be stolen, so never buy products in areas with unprotected connections.

Along with these classic phishing scams, the holidays also provide an opportunity to take advantage of social network users. Users of Facebook and Twitter have been tricked into giving up social security numbers and passwords with promises of well-paying work-at-home jobs and free gift cards. One of the most recent scams takes the user to a Twitter look-alike and asks the user to sign in. Once the attackers obtain the user’s login, they are free to spam the same message to the user’s friends on Twitter. Attackers are also targeting people through text messages and instant messages, making these scams one of the most common during the holiday season.

Wednesday, November 24, 2010

Spanish Post

Welcome, everyone. For this post, I want to write only in Spanish. I took many years of Spanish when I was in school, and I want to practice it. I have to look up some of the words on the Internet, but I do not use a translator every time. In the coming weeks, I will write more Spanish articles and describe computer security in Spanish-speaking countries.