Greatest security breakthrough?

DEAR DR. SECURITY: I am sending you this email in an unfortunate state of complete sobriety (given that it is after quitting time here). Should I overindulge, however, Gmail has my inebriated back, so to speak. While adjusting my settings I came across this feature which can be enabled: Mail Goggles by Jon P

“Google strives to make the world’s information useful. Mail you send late night on the weekends may be useful but you may regret it the next morning. Solve some simple math problems and you’re good to go. Otherwise, get a good night’s sleep and try again in the morning. After enabling this feature, you can adjust the schedule in the “General” settings page.”

Apparently this is built on the theory that drunk (tired?) people can’t do math – something any tip-dependent bartender knows all too well.  Some basic questions came to mind when I saw this innovative computer security functionality and I decided to contact you, my favorite security blogger, to get some input.

  1. Does the non-scalability of this platform prevent it from accurately blocking access to the intoxicated math elite, while at the same time, wrongfully exclude the math illiterate?
  2. Could this type of faculty-based access control be used to prevent a much wider array of offending internet behavior?
  3. Will I soon have to demonstrate SAT math section mastery to perform basic Google searches?
  4. Is there any way this type of faculty-based security could be implemented to prevent politicians who can’t do math from accessing federal funds?

This seems to me to be the greatest breakthrough in computer security so far!

Let me know what you think — GOGGLES FAN.


Simple things are the hardest

My eldest son decided that he’d consolidate all of his banking with a single institution. Probably got some swell interest rates or maybe even a toaster for doing it. Whatever the incentive, he did it. As you might expect this involved moving money from one place to another, albeit electronically. So far so good, everything seemed to occur swimmingly. Several months go by and he gets this invoice from one of his previous banks saying that he has failed to maintain the minimum balance in his account so they have charged him penalties which has resulted in his account being overdrawn. After quite a while on the phone speaking to the helpful and courteous (that’s sarcasm) help desk staff, he finally manages to convince them that he had closed that account several months ago. According to the bank representative here’s what happened: immediately after he had withdrawn the complete balance of his account, the monthly interest was accrued, therefore his account had $0.01 (a penny) in it so it could not be closed.

Aside from the completely boneheaded software error (or was it an error? Imagine if his balance had had 6 or 7 zeros following) he was glad that that was cleared up. Not so fast there lawyer boy, now they had to figure out what to do with that offending penny. My son suggested several seemingly common sense solutions like “keep it as a tip”, or “donate it to charity” or “just forget about it”. Unfortunately none of those ideas were compliant with bank policy or even possible given the bank’s accounting systems. Finally they figured it out. They sent him a certified check for $0.01 via overnight courier. He did in fact receive the check and dutifully signed for it. Rather than spend his windfall, this check now decorates the wall above his desk.

Where do you start with a story like this? Well if you’re me, which I was last I checked, you tell the story to your wife. In my case, she responded with “that’s pretty typical, let me tell you what happened with me last week.” Holy automated banking fail, Batman! Has the quality of banking service and support personnel declined dramatically to the point where only morons are doing the job? Or perhaps the quality of the software that handles the automation has all been outsourced to idiots. Actually I’m dubious of each of the aforementioned rhetorical questions, since my experience hasn’t been with stupid or even ignorant support staff or banking software developers. I suspect that the complexity of the systems has reached the point where no single operator – or even developer – understands it completely enough to handle corner cases.

Mike Janke at the Last In – First Out blog recently had this entry about technology we don’t understand.

What are the consequences of building a society where we rely on technology that we don’t understand? Is lack of stewardship one of those consequences?

Should we expect ordinary computer users, who understand almost nothing of how their computers work, to operate their computers in a manner that protects them and us from themselves and the Internet?

Back in the day (I mean way, way back) my wife’s grandmother was a chief teller at a bank. She knew absolutely everything about that bank’s accounting systems. All of which were paper and gray matter based of course. It would be inconceivable that:

a. she would allow something as silly as leaving a penny in an account a customer was trying to close or

b. that she couldn’t rectify the error immediately if such a thing had occurred.

Of course that was a long time ago, before people were separated from the actual physical reality of their bookkeeping systems by numerous layers of abstraction and indirection. My wife’s grandmother was capable of understanding the entire system end-to-end and had the experience (something like 30 years) to know all of the tiniest details. I doubt that any human alive now is capable of understanding a major bank’s accounting systems end-to-end. And ironically, because of the rate of technology advancement, 30 years of experience is a liability rather than an asset when it comes to making sense of modern software systems.

So when does it make sense to spend $30 and 4+ hours to send out a $0.01 check? Any time it happens. Hard is the new simple.

Abusing PDFs

My last post was all about how to secure PDF documents. So it’s only fair that I point you to information to undermine that good advice. To be fair and balanced. And leave no good deed unpunished.

Belgian security blogger and hacker extraordinaire Didier Stevens recently posted this entry all about hiding data in PDF files.

My corrupted PDF quip inspired me to program another steganography trick: embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader.

Essentially the trick is to manipulate the PDF keyword /EmbeddedFiles which points to the dictionary of embedded files such that it is not recognized by the PDF reader as a valid keyword.

As names defined in the PDF specification are case sensitive, changing the case changes the semantics: /Embeddedfiles has no meaning, and thus the PDF reader ignores it and doesn’t find the embedded file.

And voila! The embedded file is not displayed by the PDF reader.

Of course, once you know the stego trick, it’s easy to recover the embedded file: edit the PDF document with a hex editor and change the case back to /EmbeddedFiles.

But if you want to make it harder to detect, use PDF obfuscation techniques. Or embed the file twice with incremental updates. First version is the file you want to hide, second version is a decoy…

The PDF language offers so many features to hide and obfuscate data!

Thanks Didier for news we can abuse.
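From the defender's side, the case-change trick described above leaves a recognizable marker: a name that matches /EmbeddedFiles case-insensitively but not exactly. The following scanner is an added example, not code from this blog or from Didier Stevens; the function names and the sample bytes are constructed for illustration, and it only sees names in uncompressed parts of the file (names inside compressed object streams need decompression first).

```python
import re

# A PDF name starts with "/" and runs until whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
CANONICAL = b"EmbeddedFiles"

# Constructed sample: three catalog fragments, not a complete PDF.
SAMPLE = (
    b"1 0 obj\n<< /Type /Catalog /Names << /Embeddedfiles 5 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Names << /EmbeddedFiles 6 0 R >> >>\nendobj\n"
    b"3 0 obj\n<< /Names << /Embedded#46iles 7 0 R >> >>\nendobj\n"
)


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes, which PDF allows inside names."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_embedded_files_names(pdf_bytes: bytes):
    """Return (offset, raw_name, verdict) for each name resembling /EmbeddedFiles."""
    findings = []
    for match in NAME_RE.finditer(pdf_bytes):
        raw = match.group(1)
        decoded = decode_name(raw)
        if decoded.lower() != CANONICAL.lower():
            continue
        if raw == CANONICAL:
            verdict = "valid"          # reader lists the attachment normally
        elif decoded == CANONICAL:
            verdict = "hex-escaped"    # same name to a reader, written obfuscated
        else:
            verdict = "case-mangled"   # reader ignores it: attachment is hidden
        findings.append((match.start(), b"/" + raw, verdict))
    return findings


if __name__ == "__main__":
    for offset, name, verdict in scan_embedded_files_names(SAMPLE):
        print(f"{offset:6d}  {name.decode('latin-1'):20s} {verdict}")
```

Because the scan runs over the raw bytes of the whole file, it also reports names left behind in earlier revisions of a document saved with incremental updates.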