2009-06-01:

Random security thoughts

security:easy:blog:rant
Recently while reading some press news / blog posts, a few things came to my attention, which I would like to discuss (as in "rant about them") in this post.

The first thing is about news/posts about password/e-mail/user info leaks. From time to time I encounter a blog post/news item about some case where a company's/website's user/password/etc. database has been disclosed due to human error, an external break-in or some internal issue. Such blog posts/news usually contain a screenshot of the leaked user/password list, with the passwords blurred, pixelized, or obscured with some other graphical filter. At the same time, the news author says that it is a very bad thing when such critical information gets disclosed, and that the person responsible for the security of the database has not done his job well at all.
And now the funny thing: blur, pixelisation, and some other filters are (almost) like hash functions! They are not necessarily reversible, but if one compares a blurred/pixelized charset (char by char) with the blurred/pixelized string, one can tell when a match occurs. So yes, by doing a simple char-by-char (or in some cases 2 chars at once, which is a worse scenario for the attacker, but still quite easy) brute force attack, the attacker can learn what the original string was. So, using some software (not too hard to write, and I'm sure that if someone knows how to write a CAPTCHA breaker, he also knows how to write such a blur-breaker - it's basically the same thing... and guess what, some spammers do break CAPTCHAs with software), an attacker can use such a screenshot to obtain people's passwords/usernames, and do some bad things with them. I'll just add that for some time there has been a video on the net about a Photoshop script that does the thing I've just written about (brute forces and compares): the video.
So, summarizing, the company data was disclosed once, and then the blog post/news author discloses it the second time, without even knowing it! That is not a good thing to do.
What the news/post author should do is either use a filled black rectangle to black-out the password, making sure that neither the password length, nor the letter sizes are disclosed, or just switch the passwords to asterisks on the password list before taking a screen shot.
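The hash-like property described above can be checked before a screenshot is published. The following is an added example, not code from the original post: it counts how many different redacted images a set of secrets produces under a mosaic filter versus a fixed-size filled rectangle. The 3x5 font, the function names and the sample strings are constructed for illustration.

```python
# Constructed 3x5 bitmap font (1 = ink); not taken from any real typeface.
FONT = {
    "0": ["111", "101", "101", "101", "111"],
    "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"],
    "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"],
    "7": ["111", "001", "010", "010", "010"],
}

def render(text):
    """Render text as a 5-row grid of 0/255 pixels, 4 columns per glyph."""
    rows = [[] for _ in range(5)]
    for ch in text:
        for y, line in enumerate(FONT[ch]):
            rows[y].extend(255 * int(bit) for bit in line + "0")
    return rows

def pixelate(img, block=2):
    """Mosaic filter: replace each block x block tile by its mean value."""
    out = []
    for y in range(0, len(img), block):
        row = []
        for x in range(0, len(img[0]), block):
            tile = [img[j][i]
                    for j in range(y, min(y + block, len(img)))
                    for i in range(x, min(x + block, len(img[0])))]
            row.append(sum(tile) // len(tile))
        out.append(tuple(row))
    return tuple(out)

def black_box(img, width=40, height=5):
    """Filled rectangle of fixed size: ignores both content and length."""
    return tuple((0,) * width for _ in range(height))

def distinct_outputs(redact, secrets):
    """Number of different redacted images the given secrets produce."""
    return len({redact(render(s)) for s in secrets})

# Constructed sample secrets of varying length.
SECRETS = ["0", "1", "2", "3", "4", "7", "12", "21", "1234"]

if __name__ == "__main__":
    # A safe redaction yields 1: every secret looks the same afterwards.
    print("pixelate :", distinct_outputs(pixelate, SECRETS))
    print("black box:", distinct_outputs(black_box, SECRETS))
```

A redaction is safe only when the count is 1. Any higher count means the published image still depends on the secret.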

The second thing is a little more delicate. I've read recently that there was an incident at a public swimming pool - namely, a guy was running around with his camera, taking pictures of different people. Since (almost) nobody likes his/her swimming-pool pictures running freely on the net (I'm not saying that that was the intention of that guy, but it is one of the things that can happen to a picture), people alerted the security guards, who took care of the issue.
And now a quote (from memory, I don't have it written down): "We have solved the issue - the intruder has deleted the photos from his camera".
Wait? What?! What does "deleted the photos" mean? Does it mean "he has overwritten each byte of the photos 10 times with random bytes"? (I think that 1 time would be enough, but whatever.) Or maybe it means "he has clicked 'erase' on his camera, which caused an entry in the FAT table to be marked as 'removed'"? Why, now why do I think it is the latter?
So what... now the "intruder" gets back to his house, runs GenericUndeleteSoftware, and possesses the photos anyway? That issue was NOT solved in that case...
However, as I said, this is a delicate situation, since the security guards are not authorized to touch one's belongings (at least in Poland), and additionally, they are not obligated to know about camera filesystem internals. And there are also some other things like - could the police do it? should they tell some expert to do it? should they have a court ruling? what about the freedom of speech? And so on ;) But it's lawyer stuff, so I won't continue on this matter ;>

I'll quote a line from a bash.org-like Polish site called kretyn.com (the translation is mine):

<dersik> I like to lend my camera to friends. Now, thanks to card undelete software I have plenty of home made porn.

And that would be all.
On the Polish side of the mirror I have also ranted about some other case, but since it was a highly-Polish case, I don't think anyone would be interested in it ;)
If you are, you can try your luck with Google Translate, or force me to translate it anyway ;)

Take care!
G.C.
