Friday, January 31, 2014

Targeted

Everyone is well aware of retail runner up Target and their recent hacking.  And this event couldn't have come at a worse time for them.  Their systems were compromised over Thanksgiving weekend, the traditional start of the holiday shopping season, and stayed pwned for several weeks.  Fortunately, they've plugged the holes and were able to continue on with their holiday sales season.
Meanwhile, banks around the country are taking steps to protect their customers' banking details.  Apparently, in light of lessons learned from major breaches like Heartland Payment Systems, many found it less expensive to simply reissue thousands, even millions, of new cards to any customers who may or may not have been affected.  A major credit union here in Arizona is issuing new cards and numbers for 877 potentially compromised accounts.
While the stolen credit card information has already been put up for sale, Target insists that at least the PINs associated with debit cards were securely encrypted, specifically with Triple DES, or more properly, the Triple Data Encryption Algorithm, TDEA.
Triple DES is a block cipher, which means it encrypts data in 64-bit blocks, and it does so in three passes, each keyed according to the keying option used.  Data Encryption Standard (DES), with only a 56-bit key, is too weak to protect data against brute force attacks by modern hardware and has been withdrawn as a standard.  Triple DES itself, by layering the encryption with multiple keys, is considered secure enough against any practical attack.  It has, however, been replaced in most applications by the Advanced Encryption Standard (AES).
Target wasn't specific as to which keying option of Triple DES was being used, though they made it clear that they never held any of the keys.  Knowing which keying option was employed could point an attacker toward a method of attack.  Since Triple DES encrypts with key one, decrypts with key two, and then encrypts again with key three, the most secure option is for all three keys to be different.  That usually isn't the way it's done in practice; typically the first and third keys are the same.  Obviously, if a single key is used for all three passes, the encryption simplifies to a single pass of DES, and that backward compatibility is, in fact, why Triple DES does encrypt-decrypt-encrypt instead of three passes of encrypt.
So what attacks are available?  Essentially a rainbow table attack.  We can only hope that the payment processor who held the keys held more than one.  Single-key Triple DES is just DES, and that could be broken in less than a day ten years ago; it's a trivial brute force attack today.  Option two is the most commonly used way of implementing Triple DES: it encrypts with the first key, decrypts with a second key, then encrypts once more with the first key again.  The issue is that the plaintext being encrypted, all those PINs, comes from such a small domain.  PINs for debit cards are typically only four digits long.  At best, 32 bits, or half a block.  Even worse, the Feistel algorithm that underpins DES, and thus Triple DES, operates on only a half block at a time.  The fluff and random bits that fill out the block might be irrelevant when decrypting stolen debit card PINs.  With such a limited domain, chosen plaintext and known plaintext attacks become available.  Insanely resource intensive, but available.
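As an added illustration that is not from the original post, the toy Feistel cipher below stands in for DES (no cipher library is assumed, and keys are hashed into subkeys rather than being real 56-bit DES keys) so that the TDEA encrypt-decrypt-encrypt structure, the three keying options, and the collapse of single-key TDEA to one pass of the underlying cipher can be checked directly; the keys and the PIN block are constructed sample values.

```python
import hashlib

def _f(half: bytes, subkey: bytes) -> bytes:
    # Toy round function (stand-in for DES's S-box network): 32 bits of a hash.
    return hashlib.sha256(half + subkey).digest()[:4]

def _subkeys(key: bytes, rounds: int = 8) -> list:
    # Toy key schedule: derive one 64-bit subkey per round from the key.
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]

def _feistel(subkeys: list, block: bytes) -> bytes:
    # One Feistel pass over a 64-bit block: each round mixes only a 32-bit half.
    l, r = block[:4], block[4:]
    for k in subkeys:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(r, k)))
    return r + l  # final swap makes decryption the same walk with reversed subkeys

def encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(_subkeys(key), block)

def decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(list(reversed(_subkeys(key))), block)

def tdea_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    # Encrypt-Decrypt-Encrypt, the TDEA structure the post describes.
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))

def tdea_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return decrypt(k1, encrypt(k2, decrypt(k3, block)))

def keying_option(k1: bytes, k2: bytes, k3: bytes) -> int:
    # SP 800-67 numbering: 1 = three independent keys, 2 = K1 == K3, 3 = one key.
    if k1 == k2 == k3:
        return 3
    if k1 == k3:
        return 2
    return 1

def nominal_key_bits(option: int) -> int:
    # Raw key material per option with 56-bit DES keys; meet-in-the-middle cuts
    # the effective strength of options 1 and 2 to roughly 112 and 80 bits.
    return {1: 168, 2: 112, 3: 56}[option]

if __name__ == "__main__":
    k1, k2, k3 = b"key-one!", b"key-two!", b"key-thr3"  # constructed sample keys
    pin_block = b"1234\x00\x00\x00\x00"  # constructed: 4-digit PIN plus padding
    assert tdea_decrypt(k1, k2, k3, tdea_encrypt(k1, k2, k3, pin_block)) == pin_block
    # Option 3 collapses EDE to one DES-style pass: the compatibility property.
    assert tdea_encrypt(k1, k1, k1, pin_block) == encrypt(k1, pin_block)
```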
As a shout-out, my cryptography professor at the University of Maryland, Lawrence C Washington, along with Wade Trappe, also a Maryland professor at the time, literally wrote the book on cryptography.  I have the first edition.  Maybe I should've gotten it signed by the authors; I hear signed first editions are valuable.  Anyway, it's good to be a terrapin.  Let's Go Maryland!  Rah!  Rah!  Ra-ra-rah!

Thursday, January 23, 2014

And We're Back

You know how, when something goes wrong, you can't necessarily tell what happened or who to blame for it?  Like when a feature you think should be present isn't, because a browser extension was blocking it?  Yeah, just like that.
There was a problem then there was another different problem but now everything looks like it's working fine.  So my blog has its shiny new Google+ badge right where it should be.  Useful little temporally arranged blog archive.  And a list of people who got suckered into thinking I have anything useful to say.

Just Broke Blogger

It was me.  Obviously.
I was trying to change something in the layout of this blog and the whole thing crapped the bed for me.  All I was doing was dropping the About Me section that had been so prominently featured at the top right and replacing it with a Google+ badge.  And it all went to pot, or maybe just flew to Denver, and now my blog has neither my About Me nor my Google+ badge.
I'll keep trying to get it back so visitors know who this blog belongs to but until then, that's an empty lonely corner up there.

Thursday, December 19, 2013

Security Credit

Bottom line up front the way the generals like it.  I take on vulnerability, all the additional threat is against me, and I assume all the risk.  Just to have my job.
Executive summary because the bosses who wear stars on their camouflage at the office like those, too.  There's a bit of utter stupidity to being a government employee.  In my job I am required to hold a government travel card and government passport.  That's right, I am required to increase my attack footprint [pdf] to have my job. 

Extra Credit

The points against the credit card are simple and straightforward enough for even a Treasury Department employee to understand.  Even though this card is For Official Use Only [pdf], the government has no financial risk in this credit card.  Externalities, they call it.  It's open credit on my report, not theirs.
It isn't common, but if the government doesn't settle travel expenses in a timely manner, it hurts my credit.  Just having it as an open account hurts my credit.  And not just the temptation for me to use or misuse the account, as that linked article is concerned about.  It is yet another valid account for an attacker to break into and use for fraud.  The card itself, that stupid chit of plastic, is an identity document which can be counterfeited.  Speaking of misuse, done by me or anyone, it hurts my credit, not my employer's.  If some waiter skims the card I have to dispute the fraud or it's my credit rating that gets destroyed.  And yes, cards can be and are misused in that very way even though they are clearly marked, "For Official Government Travel Only."
The entire program adds vulnerability to me and I am required to assume all of the risk.  I've voiced this to management as an employee and a security professional but the program and the requirement for employment remain unchanged.

Papers, Please

Whether I travel outside the United States or not, frequently or not, I am required to hold an official government passport.  An identity document which can be misplaced or stolen between trips or while traveling.  And, just like with the credit cards, having a valid passport means an attacker can counterfeit a valid identity document for an attack.

Bottom's Up

Bottom line at the bottom the way the generals like it.  The entire pile of externalities, forcing the employee to assume all this additional risk as a condition of employment, should be redirected back to the organization.  

Friday, December 13, 2013

Free Bird

My grocery store was having a sale just before Thanksgiving.  Spend over a hundred dollars and get a free turkey.  I didn't know about the sale when I went in for some routine stuff.  I already had plans for the holiday that didn't involve my own turkey but it was a dozen pounds of ice so I accepted.  Since the bird was frozen I put it into my freezer to keep for after the holiday.
After I got back from holiday travel I took the turkey out to thaw.  If you've ever hosted a Thanksgiving dinner of your own you know that thawing the turkey is a traditional and oft-neglected critical step for many families.  Anyway, after this chemical process of changing phase from ice to meat was completed, the turkey was ready to cook.  I decided not to do another garbage can turkey, though.  This gobbler got grilled.
Grilled Gobbler
Grilling is a simple chemical process to convert meat into delicious through the application of heat.  I use a pretty simple set up with indirect heat in a worthless generic kettle grill best grill ever made.  An indirect heat set-up has the meat in the center over a drip tray with the coals on either side.  I also wanted a mesquite smoked flavor because that's traditional so I made arrangements for that.  There's an accessory for my grill that holds wet wood chips.  The wood for smoking is wet so it smokes instead of burning, of course.  Then close the lid, leave the vents open, and enjoy responsible beverages for a few hours while the turkey cooks.

Thursday, October 31, 2013

Halloween 2013

Just like last year, I got dressed up for Halloween.  Actually, I got dressed up several times this year because there were more parties to attend than last year.  Of course, there was the traditional visit to Bisbee, AZ.  And my Boy Scouts will of course be having a costume party.  Unfortunately, the rest of the guild couldn't make it to Bisbee due to not having the money (thanks for the shutdown, Congress) but we'll be getting together to cash the rain check on All Saints' Day.
You can see the difference from last year's article; I chose a different science fiction franchise to base my costume on this year.  My girlfriend and I chose to be Leela and Fry, respectively, for this year.  We could switch it around for next year.  The big benefit is that this year's costume was much easier to assemble.  It's just orange hair spray, a red jacket, white shirt, denim jeans, and a pair of Chucks.  You can get it all on a single Amazon (no affiliate link here, sorry for the lack of spam) order.  Wow, this is going to be a short article.
Leela and Fry

The Hair

My girlfriend used a more permanent purple dye for her hair but I chose a temporary orange hair spray.  It washes right out with shampoo.  Before the orange went on, I styled my hair to stand up in the front with generic extra-hold gel.  
One tip, really do follow the directions regarding how far away to hold the spray can.  Too close and the spray doesn't turn into aerosol right.  It'll go straight through your hair and drip down the side of your head.  Six to eight inches away got the best coverage.  

The Clothes

White T-shirt, blue jeans, black Converse All-Stars and whatever red jacket isn't sold out.  I had seen an article that recommended a particular jacket but it was sold out in red in my size so I chose a different one.  
My girlfriend is in a white tank top and black yoga pants with big clonky boots.  Leela's eye is a mask bought online.  It's mesh like a window screen so she can see out of it and even covers the front of my girlfriend's glasses.  Nibbler was bought online as well.  We made Leela's gauntlet out of a foam sleeping pad and spray paint, with Velcro closure.  
The tattoos aren't canon. 

We had a great time this year and a lot of people recognized who we were supposed to be.  Which really is the mark of a well-made costume.