ITS Blog

IT Security blog – about up to date topics on IT security

Some of you might have already heard, that I successfully finished my master in IT Security. I had the opportunity to write my master thesis at the emsec chair at Ruhr University Bochum.
The content focused on a better way to guess passwords which are combined out of several words. The interested reader can download the thesis. I would like to thank to persons for their support during this thesis. First my mentor Markus Dürmuth, he supported me in a lot of ways.
The second and most important person, to thank, is my wife Silke. During the Thesis she always supported me with the right words.

On 7th of June Frank Stajano was giving a talk on Pico. Pico is basically his answer to the question “how we could get rid of passwords”. There was one thing that made me really sad about his talk, it was that Pico does not exist yet. At the moment it is an idea about a device which will help us to get rid of the passwords and the problems around them. Let me try to picture his idea:

One of the main concepts is, that the future user is carrying a device with him, which can communicate to the computer/device/what ever in front of him via radio signals. This device is called Pico. Pico will have (at least) two buttons, one for giving credentials and one for creating new credentials. Additionally Pico will have a camera to take pictures. If the user now is going to login to … whatever, he is presented a picture with a QR Code. This QR Code will have a hash of a certificate together with some nonce. The device where the user is going to login will send out a public key together with the nonce. If the user wants to login, he takes a picture of the QR code and verifies that QR Code and public key are matching. If they match Pico checks if there are already credentials for this system (identified by the public key). The user can now push the button to login on the device and identifies himself to the system.

You should now ask, and how does the user authenticate himself to Pico? The answer to this is both easy and brilliant, he does this by carrying around some devices, which he calls Picosiblings. Small devices which are used as tokens, communicating with Pico. Each token will give Pico some information about the Key Pico is internally using. only if there are k out of n siblings available Pico is able to access the identities stored in the memory.

Unfortunately to describe everything in the details which would be needed to see how sexy his solution is, I would have to create a blog of its own to describe it. Therefore I suggest:

  • take a look on the video of the conference
  • talk and listen to him.

At this point, I can only say thank you for the talk and Frank, put me on top of the list of betatesters as soon you need one.

Additional information:

Yesterday (8. oct 2011) evening the Chaos Computer Club (CCC) made a press announcement. Some time ago they got a copy of the so called “Bundestrojaner”, a Trojan horse developed to enable the police to listen to your phone call performed over a computer and the Internet. Ever since this software was in the political discussion there was a big controversy about if the state is allowed to install maleware on your computer. At the end it went to the federal constitutional court (in german: “Bundesverfassungsgericht”, BVerfG). The BVerfG then decided that there need to be strict rules, if such a software is used. First a judge has to approve it. Second the software has to be designed that it can only record/transmit the phone call and can not do other things.

Now the CCC got their hands on a trojan horse where they strongly believe that it is the “Bundestrojaner”. They analysed the software and found that this trojan horse can

  • access the microphone
  • access the camera
  • load additional software
  • execute this loaded software

beside the recording/transmitting of phone calls. With this functionality the police would be able to create their own evidences just in case they do not find enough, by simply creating a small software that then changes the needed files ….

BTW in germany we do not have an exclusion of evidence illegally obtained…

For further information:

Two days ago a popular news site (wiwo) posted an article that the German defense minister stated a warning about the usage of Smart phones during combat operations. As he pointed out the department of defense is not prohibiting the use of smart phone in general, but it is left to the single department to prohibit this use. It is also statet that especially in the headquarters not everyone knows about the dangers coming from these phones.

So lets have a look at smart phones:

Most of the smart phones have a build in GPS receiver and at least the android phones are able to use WLAN hotspots to identify your position. Therefore they make connections to databases on the net to get the current position of the hotspots. An attacker can triangulate this communication to get the position of a single mobile phone.

Another way to track someone would be to bring some malware or  “special app” on the phone which simply sends the current position to your server, this would be a even more convenient way to track someone.

A third approach could be to get such a smart phone. At least some of them are storing a history where you have been recently. If such a phone would be captured by an attacker he could easily find out where the base camp of the soldiers has been.

So soldiers… please turn off your phone or better leave it in your base. By that means it will not get lost…

Today and Yesterday I attended a security conference called Passwords11. It was a conference where a lot of people were talking and discussing everything about passwords and even, how we could possibly get rid of them. At this point in time, I would like to give a big THANK YOU to Per Thorsheim, who on one side was organizing the conference on his own, on his own spare time and on the other hand gave us some sight seeing at the end.

In the next couple of days I will write something about most likely all articles and as soon as the video recordings are ready I will link them here. I still can not believe that it is already over. But the good news are, there will be a password12, and most likely others will follow. If you did not follow the live stream, you missed a lot, for example I saw the first time in real live a cold boot attack. To get the full picture you will have wait till the videos and articles are ready.

Since today I have an additional domain for this site:

I had some discussion with a colleague of mine, about my domain. He mentioned, that people would not expect/believe that I am writing mostly in English, especially since the main domain was/is

So I took the opportunity to add a more international domain to this site.

Just as a reminder to you. Passwords11, a conference in Norway is just taking place. Have a look at the live stream of the conference.

Live Stream


No comments

Derzeit wird leider nur der englischsprachige Teil des Blogs aktualisiert.

Openwall just released the 1.7.7 Jumbo 5 patch of John The Ripper to download

From Openwall: “This patch integrates lots of contributed patches adding support for over 40 of additional hash and cipher types (including popular ones such as NTLM, raw MD5, etc.), as well as some optimizations and features. Most likely, this is the only patch you may need to apply. Requires OpenSSL 0.9.7+.”

John the Ripper (JTR) is one of the most popular password cracking tool. If you are going to break passwords this software is the reference against which you should compare your software.

Besides working on passwords I got the opportunity to have a look at a Java Crypto Card from Giesecke & Devrient, the Mobile Security Card. This MicroSD Card is a Java Based mobile security card, which can be programmed with the JavaCard 2.2.2 Development Kit. For the moment I am setting up a development environment and following a tutorial from Msec. I already learned a lot how the communication with smartcards is done.

The card is Common Criteria EAL 4+ certified, which means the card is Methodically Designed, Tested, and Reviewed [see wikipedia]. One of the interesting facts was that the card was delivered without an applet deployed to it.

Stay tuned what the outcome will be.