blog dds

2016.03.18

Verifying the Substitution Cipher Folklore

A substitution cipher has each letter substituted with another. Cryptography folklore has it that simple substitution ciphers are trivial to break by looking at the letter frequencies of the encrypted text. I tested the folklore and the results were not quite what I was expecting.

Continue reading "Verifying the Substitution Cipher Folklore"

2013.10.21

A Better Air Gap

Bruce Schneier recently published ten rules for setting up an air-gapped computer; a computer that even the NSA can't hack, because it's not connected to the internet. His rules are practical and make sense, but, given the number of vulnerabilities regularly found in modern operating systems, I think that they need strengthening.

Continue reading "A Better Air Gap"

2012.02.07

How to Decrypt "Secrets for Android" Files

Secrets for Android is a nifty Android application that allows you to securely store passwords and other sensitive data on your Android phone. Your data are encoded with your supplied password using strong cryptography and are therefore protected if your phone gets stolen. Although the application offers a backup and an export facility, I found both wanting in terms of the availability and confidentiality associated with their use.

Continue reading "How to Decrypt "Secrets for Android" Files"

2011.12.28

Pretend Invitations

Choosing between people you want to invite to a function and people you have to invite is sometimes difficult. Say Alice wants to invite Tom, Dick, and Harry to a party, but she'd actually prefer if Dick didn't show up. Here's how Alice can send invitations by email from an email-capable Unix system to achieve the desired result, while covering her scheming with plausible deniability.

Continue reading "Pretend Invitations"

2011.12.14

Apps are the New Users

Some facilities provided by mature multi-user operating systems appear arcane today. Administrators of computers running Mac OS X or Linux can see users logged-in from remote terminals, they can specify limits on the disk space one can use, and they can run accounting statistics to see how much CPU time or disk I/O a user has consumed over a month. These operating systems also offer facilities to group users together, to specify various protection levels for each user's files, and to prescribe which commands a user can run.

Continue reading "Apps are the New Users"

2011.01.06

Sophisticated Targeted Link Spam

What appeared to be an intelligent comment in one of my blog postings turned out to be targeted link spam. This is a worrying trend, because, although we can defend ourselves against mass attacks, we're very vulnerable to targeted strikes.

Continue reading "Sophisticated Targeted Link Spam"

2009.11.25

The Risk of Air Gaps

As some readers of this blog know, from this month onward I'm on a leave of absence from my academic post to head the Greek Ministry of Finance General Secretariat of Information Systems. The job's extreme demands explain the paucity of blog postings here. I'll describe the many organizational and management challenges of my new position in a future blog post. For now let me concentrate on a small but interesting technical aspect: the air gap we use to isolate the systems involved in processing tax and customs data from the systems used for development and production work.

Continue reading "The Risk of Air Gaps"

2008.10.08

An Inadvertent Denial of Service Attack

If you're wondering why this blog was down for the past few hours, here is the story. In an earlier blog post I listed a small script I'm using to lock-away door knockers who attempt to break into our group's computer by trying various passwords. If you like puzzles, read the script again and think how it could be used against us by isolating our computer from the entire world.

Continue reading "An Inadvertent Denial of Service Attack"

2008.01.07

The Relativity of Performance Improvements

Today, after receiving a 1.7MB daily security log message containing thousands of ssh failed login attempts from bots around the world, I decided I had enough. I enabled IPFW to a FreeBSD system I maintain, and added a script to find and block the offending IP addresses. In the process I improved the script's performance. The results of the improvement were unintuitive.

Continue reading "The Relativity of Performance Improvements"

2007.08.02

Location-Based Dictionary Attacks

I get daily security reports from the hosts I manage. Typically these contain invalid user attempts for users like guest, www, and root. (Although FreeBSD doesn't allow remote logins for root, I was surprised to find out that many Linux distributions allow them.)

Continue reading "Location-Based Dictionary Attacks"

2007.07.08

A Phone Exchange Rootkit

An article titled The Athens Affair appears in this month's IEEE Spectrum. In the article my colleague Vasilis Prevelakis and I provide an overview of the technical aspects of last year's cellphone wiretapping incident. An interesting aspect of the way the wiretapping took place is that it involved a rootkit that took advantage of the exchange's lawful interception capability.

Continue reading "A Phone Exchange Rootkit"

2007.04.16

Breaking into a Virtual Machine

Say you're running your business on a rented virtual private server. How secure is your setup? I wouldn't expect it to be more secure than the system your server runs on, and a simple experiment confirmed it.

Continue reading "Breaking into a Virtual Machine"

2007.02.16

Malware on the Fly

Apparently, rogue servers listening on the p2p Kad network intercept the search terms of queries and generate on the fly appropriate file names linking to files that contain malware.

Continue reading "Malware on the Fly"

2007.01.08

Why Key Fingerprints are Important

I admit it: I seldom verify the key fingerprint of a host I connect to against a fingerprint I have obtained through secure means. As things stand today, I consider it unlikely that somebody will stage a man-in-the-middle attack at the time I first connect to an unknown host. Today however I almost got bit.

Continue reading "Why Key Fingerprints are Important"

2006.12.13

Secure Passports and IT Problems

In 2003 Greece, in response to new international requirements for secure travel documents, revised the application process and contents of its passports. From January 1st 2006 passports are no longer issued by the prefectures, but by the police, and from August 26th passports include an RFID chip. The new process has been fraught with problems; many of these difficulties stem from the IT system used for issuing the passports. On December 12th, the Greek Ombudsman (human rights section) issued a special 22-page report on the problems of the new passport issuing process. The report is based on 43 official citizen complaints.

Continue reading "Secure Passports and IT Problems"

2006.12.01

(Not) Hacking the Digipass Go 3 OTP Dongle

My bank moved to two factor authentication solution, and thus required me to purchase from them a Digipass Go 3 dongle in order to authenticate my transactions. To register my dongle I keyed-in a five-digit code they gave me, and also the key's serial number appearing on its back. Given that Go 3 utilizes an open authentication framework, and a published algorithm for generating the one time password (OTP), could I utilize the key and the numbers I keyed in, for using the key in my own applications, of for cloning the dongle in my mobile phone or palmtop?

Continue reading "(Not) Hacking the Digipass Go 3 OTP Dongle"

2006.05.24

Security is a Problem of the Weakest Link

While attending the ICSE 2006 conference I stayed at the Tong Mao hotel. My room featured an impressive-looking safe: thick steel, two bolts, and a digital lock.

Continue reading "Security is a Problem of the Weakest Link"

2006.02.15

A Malfeasant Design for Lawful Interception

Earlier this month it was revealed that more than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year (see Wikipedia article). Apparently, the tapping was implemented by activating Ericsson's lawful interception subsystem installed at the Vodafone service provider. How could this happen?

Continue reading "A Malfeasant Design for Lawful Interception"

2005.11.09

US Military Removes Word Documents from the Web?

On August 25th 2004 the comp.risks forum run an article I submitted regarding the large number of Microsoft Word documents available on US milatary sites (sites in the .mil domain) through Google searches (23.50 "U.S. military sites offer a quarter million Microsoft Word documents"). The article documented how such documents could lead to the leakage of confidential data. A week later I setup a script to watch the number of Word documents available through Google searches to see if and when the military would recognise the threat those documents posed and remove them.

Continue reading "US Military Removes Word Documents from the Web?"

2005.05.19

Cats and Cigarette Lighters

On April 14th, the US Transportation Security Administration started enforcing a new ban on cigarette lighters. A month later, I saw the corresponding announcement posted on a check-in desk at the Samos international airport. At the same airport I also saw a free-roaming cat getting its food delivered directly on the tarmac. I entered my flight feeling a lot safer.

Continue reading "Cats and Cigarette Lighters"

2005.04.27

Solving Singh's Substitution Cipher

Many of us enjoy playing with encryption algorithms. Simon Singh, before a book promotion trip to Greece, published a "substitution cipher with a twist". I would consider solving a substitution cipher aimed at the general public unfair, but the "twist" made me curious.

Continue reading "Solving Singh's Substitution Cipher"

2004.10.05

Cracker Code Review

According to a popular myth, crackers are computer whiz kids: brilliant software developers who run circles around their "peers" in the corporate world. When my undergraduate student Achilleas Anagnostopoulos sent me a pointer to the source code of the Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow exploit, I decided to test the myth by performing a code review of the exploit's source code. The results are not flattering for the exploit's developers: no self-respecting professional would ever write production code of such an abysmally low quality. Sorry M4Z3R.

Continue reading "Cracker Code Review"

2004.08.31

U.S. military sites offer a quarter million Microsoft Word documents

I was Google-searching for the Air Force Operational Test & Evaluation Center publication "Software Maintainability - Evaluation Guide". To make my search more efficient I restricted it to military (.mil) sites, using the Google keyword "site:.mil". I was not able to find the publication I was looking for, but was surprised to see a number of Microsoft Word documents in the search results.

Continue reading "U.S. military sites offer a quarter million Microsoft Word documents"

2004.02.03

A Spam-resistant Email Network

I am really fed up with spam. Yes, I am behind a spamassassin filter, and it is getting less and less useful with every passing day. Many other interesting ideas (including ji's patent) have failed to catch on and provide significant relief. In a recent column in IEEE Spectrum Robert Lucky expressed his yearning for the days when email was only used by the elite in the know, the select few who "were on email".

Continue reading "A Spam-resistant Email Network"

2004.01.21

How Not to Conduct a Poll

Recently the ACM Council asked members to provide feedback on the issue of expanding legal protections for collections of data by means of an on-line poll. Opening the policy feedback decision-making process to the ACM membership promotes member participation and transparency. However, I have two serious reservations regarding the way the member feedback was requested.

Continue reading "How Not to Conduct a Poll"

2003.06.28

Security researcher beguiled by email spoof

One would expect someone who is reading and contributing to comp.risks since 1990 to know better, especially if he is also lecturing courses on IT security, and has written a couple of papers in the area. Maybe it was also a well deserved punishment for laughing at emails titled "Valuable business proposition" and "Renew your e-bay account" (who is so dumb so as to fall for these schemes?)

Continue reading "Security researcher beguiled by email spoof"


Creative Commons License Last update: Thursday, September 22, 2016 9:56 am
Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.