Blog

3x kloppen

Posted by: Dennis Vermoen

Posted on 25 Jul 08

A study by the University of Michigan showed that a lot of online banking sites have security flaws. This article reminded me of a flaw that I (as a client) found on the Postbank website while filling in one of its forms.

In a form, I was supposed to enter my personal details, credit card number and monthly income. However, the form was not protected using SSL. I tried to inform the bank about this issue. After some useless email conversations with the customer service, I informed someone of the public relations department. They seemed to take the issue seriously:

Thanks for reporting this issue. We understand that sending personal information over an unencrypted connection is not desired and we agree that this can be improved. Therefore, we intend to enable SSL for these forms. A list of required actions is currently under development. This action was already started. This project has priority but also takes time. So, in the near future you can expect https in the address bar while filling out a form.

(Received on July 16, 2007; translated from Dutch)

You can see the result (after more than one year!) for yourself:

These are just two examples. More forms are not using SSL.
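The check the post describes can be automated. This is an added example, not code from the original post or from the bank: it parses the forms on a page and flags every form whose submission would travel over plain http. The page URL, host names and form markup are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collect every <form>'s action attribute and the names of its named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):  # unnamed controls (e.g. submit buttons) carry no data
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def unencrypted_forms(page_url: str, html: str):
    """Return (submit_url, field_names) for each form that would submit over plain http.
    An empty or missing action posts back to page_url, so the page's own scheme decides;
    a relative action inherits the page's scheme through urljoin."""
    parser = FormFinder()
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlsplit(target).scheme.lower() != "https":
            flagged.append((target, form["fields"]))
    return flagged


# Constructed sample: a personal-details form posting over http next to an https login form.
SAMPLE_PAGE_URL = "http://www.example-bank.test/apply"
SAMPLE_HTML = """
<form method="post" action="/apply/submit">
  <input name="name"><input name="card_number"><input name="income"><input type="submit">
</form>
<form method="post" action="https://secure.example-bank.test/login">
  <input name="user"><input name="pass" type="password">
</form>
"""

if __name__ == "__main__":
    for url, fields in unencrypted_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("unencrypted form ->", url, fields)
```

Note that the check only looks at where the data is sent; a form that is itself served over http can have its action rewritten in transit, so the page carrying the form needs https as well.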


The Onion

Posted by: Gerrit van der Bij

Posted on 22 Jul 08

Onion Routing is the art of obfuscating the origin of an IP connection by using a network of anonymous machines on the internet. Like an onion, you need to remove layer after layer before getting to the core.

TOR (The Onion Network, see www.torproject.org) provides this service free of charge. This works fine if you want to visit a site without having your visit easily traced back to your internet connection. But what if you want to host a site and not reveal the location of its internet connection? Well, the Onion people thought of that, and came up with a domain name service on the onion network. It does not support user-friendly names such as www.mysecretwebsite.onion but uses hashed strings (e.g. xsERasd90DFG5jsder.onion) that are passed on to the onion access point without being resolved to an IP address.

You might think that obfuscating your server location might make it difficult for attackers to target or block your system. But honestly, attackers would just attack you on the TOR network, and make it impossible for you to track them down. What's more, it will be more difficult to distinguish a genuine website from a fake one. You might just make it easier for phishermen to attack you. Please consider this when you're about to play with onion routing. And remember this: Internet onions can still be peeled, it only takes more effort!
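The layer-by-layer peeling described above, as an added example that is not part of the original post or of the Tor software: a client wraps a message once per relay, and each relay can remove only its own layer, so it learns just the previous and the next hop. The relay names, the fixed per-relay keys and the HMAC-based stream cipher are constructed stand-ins (Tor uses AES-CTR over TLS); the fixed nonce per relay is only for deterministic output.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

HOP = 8  # fixed-width next-hop name field inside every layer (constructed convention)

def layer_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode XORed with data.
    The same call adds and removes a layer; stand-in for the real AES-CTR layers."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Relay:
    name: bytes
    key: bytes                                  # shared between client and this relay only
    seen: list = field(default_factory=list)    # (came_from, next_hop) this relay observed

def build_onion(path, message: bytes) -> bytes:
    """Wrap the message once per relay, innermost (exit) layer first."""
    blob, next_hop = message, b"deliver".ljust(HOP)
    for relay in reversed(path):
        blob = layer_xor(relay.key, relay.name, next_hop + blob)  # nonce = name (toy)
        next_hop = relay.name.ljust(HOP)
    return blob

def peel(relay: Relay, blob: bytes, came_from: bytes):
    """One relay strips its own layer: it sees a next-hop name and an opaque blob."""
    plain = layer_xor(relay.key, relay.name, blob)
    next_hop, inner = plain[:HOP].rstrip(), plain[HOP:]
    relay.seen.append((came_from, next_hop))
    return next_hop, inner

def route(path, onion: bytes, sender: bytes = b"client") -> bytes:
    by_name = {r.name: r for r in path}
    prev, current, blob = sender, path[0], onion
    while True:
        next_hop, blob = peel(current, blob, prev)
        if next_hop == b"deliver":            # exit relay hands the payload to its destination
            return blob
        prev, current = current.name, by_name[next_hop]

def demo():
    path = [Relay(n, hashlib.sha256(b"constructed-key-" + n).digest())
            for n in (b"entry", b"middle", b"exit")]
    delivered = route(path, build_onion(path, b"GET / HTTP/1.0"))
    return delivered, {r.name: r.seen for r in path}
```

Running demo() shows the middle relay recorded only (entry, exit): it never saw the client, the destination or the plaintext, which is the property the post relies on and also why an attacker arriving over the same network is hard to trace back.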


Hidden Risks - not just banks

Posted by: Nick Towner

Posted on 21 Jul 08

Last week, the Institute of International Finance (http://www.iif.com/), which is the association of most of the world's largest banks, published a report listing reforms they propose to tackle the current credit crisis and restore confidence in the markets. They also accept their share of responsibility for the current situation. Amongst the causes of the present difficulties, they cite a change in the dominant business model at the banks from "buy and hold" to "originate to distribute": credit that banks used to retain on their books was converted into increasingly complex market products and traded. As the report itself says: "For the originate-to-distribute model to work effectively, however, all participants must observe high standards of risk management and disclosure and have in place sound incentive structures." But these requirements were not met and it all went spectacularly wrong. My question is this: are there other sectors making exactly the same mistake which may soon follow the banks into crisis? ICT departments and companies across the world which once produced everything they sell increasingly outsource in ever longer supply chains. Software is being built out of more and more thin layers and small building blocks. The end customer doesn't even know who all the participants are, let alone whether their risk management, disclosure and incentive schemes are up to standard. When a supply chain contains hidden risks, the overall risk cannot be assessed, and the consequences can be severe. The banks have learned this the hard way. Who's next?


Analysis of TrueCrypt's plausible deniability

Posted by: Eloi Sanfelix Gonzalez

Posted on 17 Jul 08

TrueCrypt (http://www.truecrypt.org/) is an open source file system encryption application. It provides the user with the ability to mount encrypted volumes and also to have hidden volumes. These hidden volumes are only shown if the user supplies the correct password, and TrueCrypt claims that it is impossible to even notice that they exist if the password is not known.

In this paper (http://www.schneier.com/paper-truecrypt-dfs.pdf), which will be officially presented at HotSec 2008, people from the University of Washington and Bruce Schneier (http://www.schneier.com) analyse how operating systems and applications can break the plausible deniability features of TrueCrypt 5.1a, and probably of any other similar deniable file system.
This is an interesting and easy-to-read article showing how cryptographic properties can be easily broken by *side channel* information if this possible leakage is not taken into account. They look at the Windows recent items folders, application auto-save features and indexing applications like Google Desktop.

In the current version of TrueCrypt, version 6.0 published a few weeks ago, the tool also provides complete Operating System deniability by means of hidden Operating Systems, which would solve the problem.


Extensive cashcard fraud discovered in Heerenveen, The Netherlands

Posted by: Amanda van den Berg

Posted on 17 Jul 08

Although shopkeepers were extensively warned last year about outdated cashcard terminals and the practices of skimming criminals, cashcard fraud still takes place: more than 200 people were tricked by fraudsters. The victims used their cashcards for transactions at a garden center in Heerenveen. People paid by cashcard; however, the terminal had been manipulated and their cashcard was copied at the same time. All 2000 cashcards used for payments on this terminal have been blocked. As far as can be seen now, not all cards have been copied. The criminals have used the copied cards in different countries in Europe and the United States to drain thousands of euros from the accounts of the victims.


Testing the iPhone 3G

Posted by: Job de Haas

Posted on 17 Jul 08

With some of our customers we are known for our destructive testing. But these guys beat us easily while testing the iPhone 3G:

See this YouTube link
