Andrew Breese

Musings of a professional geek

Tag Archives: security

Humble Bundle on Cybersecurity and Crypto

Heads-up on a great Humble Bundle on crypto, security, hacking, and all sorts of related topics. As a pay-what-you-like deal it’s amazing given what these books are worth. I’m really keen to read Threat Modeling: Designing for Security and Cryptography Engineering: Design Principles and Practical Applications; that is my bedside reading set for months to come. The offer ends around the end of July; found via Bruce Schneier’s blog.

Thwarting hackers with “honey encryption”?

A Boston Globe blog reported that a trickier approach to dealing with hackers might be the better one: essentially, make the data messy and it will not be as desirable. It certainly sounds interesting as a concept. Brainiac wrote “rather than trying to block hackers, maybe it’s better to distract them.”

The approach is built into a new piece of software called Honey Encryption, created by Ari Juels and Thomas Ristenpart, and it works on a simple model. After hackers steal a trove of encrypted data, they hunker down to crack the code. It can take them thousands of tries before they’re able to guess the right cryptographic key, and Honey Encryption makes them pay for each failed attempt.

Each time hackers enter the wrong password, Honey Encryption adds a piece of fake data to the dataset—by the time hackers finally get access to the data, it’s swimming with so many fake credit card numbers, for example, they’ll have no idea which ones are real.

Pardon? I think the readers might be missing a key aspect of the information here. This is plausible only in a very specific, and very unlikely, circumstance.

For this approach to work the “honey encryption” software needs to be running alongside the stolen data-set. In fact it is unlikely that the data would be stolen at all in that form; rather it is being attacked on its normal infrastructure. Frequently when data is stolen the database itself is extracted en masse, and the encryption used on the information in the database is broken later. A hacker is not going to willingly run an application which does Honey Encryption on the data they are trying to hack. Is the assumption that the software for accessing the encrypted data is somehow packaged with the data in the DB? Huh? No! This means that for the times where the hack attempt is happening on the live system this approach might work, but otherwise it does not apply.

The same software could also alert the admin teams very quickly that a potential attack is in progress. This is the approach taken with the “honey words” concept, where a dataset is set up with a number of “deliberately bad” entries for each user account, so that when the hacker tries to use them an alert or action is triggered. That makes a heap of sense.

So this approach adds junk data into a live system to increase the ratio of bad data to good data for when it gets stolen? Yes, and as long as the good data is not altered by the “honey” then the end user is not affected, but the system owners can know of a potential exposure. Interesting.
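To make the honeywords idea concrete, here is an added example (not code from the post, nor from Juels and Ristenpart’s Honey Encryption): each account stores several salted password hashes, only one of which is real, and the index of the real one lives in a separate “honeychecker”. A login that matches a decoy is a strong signal that the credential store has been stolen and cracked offline. The class, method and field names are my own, and the decoy lists are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets


class HoneywordStore:
    """Per-user 'sweetwords' (one real password plus decoys); the honeychecker
    (self._real_index) is the only place that knows which one is real."""

    def __init__(self, iterations: int = 10_000):
        self.iterations = iterations       # low for the demo; raise in practice
        self.users = {}                    # user -> (salt, [hash, hash, ...])
        self._real_index = {}              # honeychecker: user -> index of real hash
        self.alerts = []                   # (user, decoy index) on honeyword hits

    def _hash(self, salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, self.iterations)

    def enroll(self, user: str, password: str, decoys: list[str]) -> None:
        # Shuffle so the real hash's position reveals nothing on its own.
        sweet = list(decoys) + [password]
        secrets.SystemRandom().shuffle(sweet)
        salt = os.urandom(16)
        self.users[user] = (salt, [self._hash(salt, w) for w in sweet])
        self._real_index[user] = sweet.index(password)

    def login(self, user: str, attempt: str) -> bool:
        if user not in self.users:
            return False
        salt, hashes = self.users[user]
        h = self._hash(salt, attempt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                if i == self._real_index[user]:
                    return True
                # Matched a decoy: nobody legitimate knows these, so the
                # hash list has almost certainly leaked. Record and deny.
                self.alerts.append((user, i))
                return False
        return False                       # plain wrong password, no alert


if __name__ == "__main__":
    store = HoneywordStore()
    store.enroll("alice", "correct-horse", ["battery-staple", "Tr0ub4dor&3"])
    print(store.login("alice", "correct-horse"))    # real password
    print(store.login("alice", "battery-staple"))   # decoy -> denied + alert
    print(store.alerts)
```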

Aus Gov Loses Online Privacy Alert Data in Snailmail

A package of user data which included usernames and passwords for the Stay Smart Online website was lost sometime after 11 April, due to a package being lost in the post.

Just a thought: News like this can hurt the folks involved, so please be aware that screw-ups happen. I’d say after a healthy dose of “what in hell” the people involved might learn a huge amount about how the simplest mistakes can bring down all the best intentions. AusCert is a not-for-profit group that (very likely) has the interests of the internet community at its heart.

However, a sane person could not make up this screw-up…

You see, the DBCDE was in the process of switching contractors that handled the alert system and needed the information transferred from the one to the other. Someone, somewhere, made the brilliant decision to burn usernames, email addresses, hashed passwords, and password reminders to a DVD for easy transport. Can’t trust the tubes of the web, after all, as there be hackers out yonder. The contractor, AusCERT (information security experts), then sent it via the Australia Post.

Pardon me while I pick up my jaw. Beyond the worry there is no small amount of irony, not so much because of Stay Smart’s tagline but because AusCert should know better.

Stay Smart Online — The Australian Government’s cybersecurity website provides information for Australian internet users on the simple steps they can take to protect their personal and financial information online.

AusCert — is the premier Computer Emergency Response Team (CERT) in Australia and a leading CERT in the Asia/Pacific region. AusCERT operates within a worldwide network of information security experts to provide computer incident prevention, response and mitigation strategies for members and assistance to affected parties in Australia.

I mean no disrespect when I say I hope the damn DVD was encrypted. The list of users was those who wished to be subscribed to the government’s privacy breach alert system. Ahem.
