Monday, 16 December 2013
It turns out that NSA agents aren't the only ones after your personal information. It probably comes as no surprise that law enforcement is also interested in information about individuals. So much so that law enforcement agencies have filed nearly a million requests for information in a single year.
We know this from inquiries made by Massachusetts Senator Edward Markey, which were published on his website. It includes replies from all the major carriers: AT&T, T-Mobile, Cricket, CSpire, Sprint, US Cellular, and Verizon. Taken all together, there were at least 946,288 requests for information from law enforcement last year. This is a low figure, since Sprint declined to respond publicly and some carriers—like Verizon—could only provide estimates.
What Kind of Information?
The kind of information, how it was obtained, and the circumstances surrounding the disclosures vary wildly. One of the main focuses of Senator Markey's questioning focused on so-called "cell tower dumps." This includes the record of all cellphone users who have connected to a designated cell tower, or towers, during particular times. In their response to Senator Markey, AT&T said that the average time frame was one hour and 20 minutes.
While there are clear differences, this sounds an awful lot like the full-spectrum information sucking that recently put the NSA in the headlines. Other information included location data, actual wire-taps, voicemails, and text messages among others. Many of the wire-tap requests were a product of our old friend CALEA.
Most of the wireless carriers take pains to emphasize that they are merely following the letter of the law. Many of the requests they fill are the results of subpoenas and court orders signed by judges. However, there are exceptions where law enforcement has merely to prove that the information is needed under "emergency circumstances." No warrant, apparently, required.
Law enforcement is able to obtain this information through a 1986 piece of legislation called the Electronic Communications Privacy Act, or ECPA. The law allows police to obtain electronic communications that are older than 180 days without a warrant.
Gregory Nojeim, Senior Counsel at the Center for Democracy and Technology, explained the rather topsy-turvy nature of the current ECPA legislation. Under the law, police can use subpoenas to obtain less sensitive data, and detailed information like email logs requires a court order. "For content, though, ECPA permits law enforcement access without any judicial authorization in many circumstances, and that needs to change because content is such sensitive information," Nojeim told SecurityWatch.
"Have no doubt, police see our mobile devices as the go-to source for information, likely in part because of the lack of privacy protections afforded by the law," said ACLU's legislative counsel Christopher Calabrese in a press release.
"The idea that police can obtain such a rich treasure trove of data about any one of us without appropriate judicial oversight should send shivers down our spines," said Calabrese.
In our previous blog post titled Solutions to current antivirus challenges, we discussed several methods by which security companies can tackle the exploit problem. In this post, we provide more detail on the most exploited applications on Microsoft Windows platforms and advise a few steps users can (and should) take to further strengthen their defenses.
Exploitation Targets
The following applications are the ones most targeted by attackers through exploitation:
- Web browsers (Microsoft Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox and others).
- Plug-ins for browsers (Adobe Flash Player, Oracle Java, Microsoft Silverlight).
- The Windows operating system itself – notably the Win32 subsystem driver – win32k.sys.
- Adobe Reader and Adobe Acrobat.
- Other specific applications.
One of the most dangerous scenarios for an everyday user is the use of exploits by attackers to remotely install code into the operating system. In such cases, we usually find that the user has visited a compromised web resource and their system has been invisibly infected by malicious code (an attack often referred to as a “drive-by download”). If your computer is running a version of software such as a web browser or browser plug-ins that are vulnerable to exploitation, the chances of your system becoming infected with malware are very high due to the lack of mitigation from the software vendor.
In the case of specific targeted attacks or attacks like a “watering hole” attack, when the attacker plants the exploit code on websites visited by the victim, the culprit can use zero-day (0-day) vulnerabilities in software or the operating system. Zero-day vulnerabilities are those that have not been patched by the vendor at the time they are being exploited by attackers.
Another common technique used in targeted attacks is to send the victim a PDF document “equipped” with an exploit. Social engineering is also often used, for example by selecting a filename and document content in such a way that the victim is likely to open it.
While PDFs are first and foremost document files, Adobe has extended the file format to maximize its data exchange functionality by allowing scripting and the embedding of various objects into files, and this can be exploited by an attacker. While most PDF files are safe, some can be dangerous, especially if obtained from unreliable sources. When such a document is opened in a vulnerable PDF reader, the exploit code triggers the malicious payload (such as installation of a backdoor) and a decoy document is often opened.
Another target which attackers really love is Adobe Flash Player, as this plug-in is used for playback of content in all the different browsers. Like other software from Adobe, Flash Player is updated regularly, and the company announces the fixes in its Adobe Security Bulletins. Most of these vulnerabilities are of the Remote Code Execution (RCE) type, which means that an attacker could use such a vulnerability to run malicious code remotely on a victim’s computer.
In relation to the browser and operating system, Java is a virtual machine (or runtime environment JRE) able to execute Java applications. Java applications are platform-independent, making Java a very popular tool to use. Today Java is used by more than three billion devices. As with other browser plug-ins, misusing the Java plug-in is attractive to attackers, and given our previous experience of the malicious actions and vulnerabilities with which it is associated, we can say that as browser plug-ins go, Java represents one of the most dangerous components.
Also, various components of the Windows operating system itself can be used by attackers to remotely execute code or elevate privileges. The figure below shows the number of patches various Windows components have received during 2013 (up until November).
The “Others” category includes vulnerabilities which were fixed for various Operating System components (CSRSS, SCM, GDI, Print Spooler, XML Core Services, OLE, NFS, Silverlight, Remote Desktop Client, Active Directory, RPC, Exchange Server).
This ranking shows that Internet Explorer fixed the largest number of vulnerabilities, more than a hundred vulnerabilities having been fixed in the course of fourteen updates. Seven of the vulnerabilities had the status ‘is-being-exploited-in-the-wild at the time of patching’: that is, they were being actively exploited by attackers. The second most-patched component of the operating system is the infamous Windows subsystem driver win32k.sys. Vulnerabilities in this driver are used by attackers to escalate privileges on the system, for example, to bypass restrictions imposed by User Account Control (UAC), a least-privilege mechanism introduced by Microsoft in Windows Vista to reduce the risk of compromise by an attack that requires administrator privileges.
Mitigation techniques
We now look in more detail at the most exploited applications and provide some steps that you can (and should) take to mitigate attacks and further strengthen your defenses.
Windows Operating System
Modern versions of Microsoft Windows – i.e., Windows 7, 8, and 8.1 at the time of writing – have built-in mechanisms which can help to protect users from destructive actions delivered by exploits. Such features became available starting with Windows Vista and were upgraded in the most recent operating system versions. These features include:
- DEP (Data Execution Prevention) & ASLR (Address Space Layout Randomization) mechanisms introduce an extra layer of complication when attempting to exploit vulnerabilities in applications and the operating system. This is due to special restrictions on the use of memory which should not be used to execute code, and the placement of program modules into memory at random addresses.
- UAC (User Account Control) has been upgraded from Windows 7 onward and requires confirmation from the user before programs can be run that need to change system settings and create files in system directories.
- SmartScreen Filter helps to prevent the downloading of malicious software from the Internet based on the file’s reputation: files known to be malicious or not recognized by the filter are blocked. Originally it was a part of Internet Explorer, but with the release of Windows 8 it was built into the operating system so it now works with all browsers.
- Special “Enhanced Protected Mode” for Internet Explorer (starting from IE10): on Windows 8 this mode allows the browser’s tabs to be run in the context of isolated processes, which are prevented from performing certain actions (a technique also known as sandboxing). For Windows 7 x64 (64-bit) this feature allows IE to run tabs as separate 64-bit processes, which helps to mitigate the common heap-spray method of shellcode distribution. For more information, refer to the MSDN blog (here and here).
PDF files
In view of the high risks posed by the use of PDF documents from unsafe sources, and given the low awareness of many users and their reluctance to protect themselves adequately, modern versions of Adobe Reader have a special “Protected Mode” (also referred to as sandboxing) for viewing documents. When using this mode, code from the PDF file is prevented from executing certain potentially dangerous functions.
By default, Protected Mode is turned off. Even though the option Enable Protected Mode at startup is active, the sandbox stays off because the Protected Mode setting itself is set to “Disabled”. Accordingly, after installation it is strongly recommended that you turn on this setting so that it applies to “Files From Potentially Unsafe Locations” or, even better, “All files”.
Please note that when you turn on protected view, Adobe Reader disables several features which can be used in PDF files. Therefore, when you open the file, you may receive a tooltip alert advising you that protected mode is active.
If you are sure about the origin and safety of the file, you can activate all of its functions by pressing the appropriate button.
Adobe Flash Player
Adobe, together with the manufacturers of web browsers, has made available special features and protective mechanisms to defend against exploits that target the Flash Player plug-in. Browsers such as Microsoft Internet Explorer (starting with version 10 on Windows 8.0 and later), Google Chrome and Apple Safari (latest version) launch the Flash Player in the context of a specially restricted (i.e. sandboxed) process, limiting the ability of this process to access many system resources and places in the file system, and also limiting how it communicates with the network.
Timely update of the Flash Player plug-in for your browser is very important. Google Chrome and Internet Explorer 10+ are automatically updated with the release of new versions of Flash Player. To check your version of the Adobe Flash Player you can use this official Adobe resource. In addition, most browsers support the ability to completely disable the Flash Player plug-in, so as to prohibit the browser from playing such content.
Internet Browsers
At the beginning of this article we already mentioned that attackers often rely on delivering malicious code using remote code execution through the browser (drive-by downloads). Regardless of what browser plug-ins are installed, the browser itself may contain a number of vulnerabilities known to the attacker (and possibly not known to the browser vendor). If the vulnerability has been patched by the developer and an update for it is available, the user can install it without worrying that it will be used to compromise the operating system. On the other hand, if the attackers are using a previously unknown vulnerability, in other words one that has not yet been patched (zero-day), the situation is more complicated for the user.
Modern browsers and operating systems incorporate special technologies for isolating application processes, thus creating special restrictions on performing various actions, which the browser should not be able to perform. In general, this technique is called sandboxing and it allows users to limit what a process can do. One example of this isolation is the fact that modern browsers (for example, Google Chrome and Internet Explorer) execute tabs as separate processes in the operating system, thus allowing restricted permissions for executing certain actions in a specific tab as well as maintaining the stability of the browser. If one of the tabs hangs, the user can terminate it without terminating other tabs.
In modern versions of Microsoft’s Internet Explorer browser (IE10 and IE11) there is a special sandboxing technology, which is called “Enhanced Protected Mode” (EPM). This mode allows you to restrict the activity of a process tab or plug-in and thus make exploitation much more difficult for attackers.
EPM has been upgraded for Windows 8. If you are using EPM on Windows 7 x64, this feature causes browser tabs to run as 64-bit processes (on a 64-bit OS Internet Explorer runs its tabs as 32-bit processes by default). Note that by default EPM is off.
With this option turned on, the processes of browser tabs work as 64-bit, making them difficult to use for malicious code installation (or at least harder for heap-spraying attacks). Starting with Windows 8, Enhanced Protected Mode has been expanded in order to isolate (sandbox) a process’s actions at the operating system level. This technology is called “AppContainer” and allows the maximum possible benefit from the use of the EPM option. Internet Explorer tab processes with the EPM option active work in AppContainer mode. In addition, Windows 8 EPM mode is enabled by default (IE11).
Note that before the November 2013 Patch Tuesday, which included the MS13-088 update (Cumulative Security Update for Internet Explorer: November 12, 2013), Microsoft shipped EPM as the default setting for IE11 on Windows 8 and later. This update, however, turns EPM off as the default setting for IE11. So, if you now reset the advanced IE settings («Restore advanced settings» option) to their initial state, EPM will be turned off by default.
Google Chrome, like Internet Explorer, has special features to mitigate drive-by download attacks. But unlike Internet Explorer, sandboxing mode for Chrome is always active and requires no additional action by the user to launch it. This feature of Chrome means that tab processes work with restricted privileges, which does not allow them to perform various system actions.
Notice that almost all of the user’s SID groups in the access token have the “Deny” status, restricting access to the system. Additional information can be found on MSDN.
In addition to this mode, Google Chrome is able to block malicious URL-addresses or websites which have been blacklisted by Google because of malicious actions (Google Safe Browsing). This feature is similar to Internet Explorer’s SmartScreen.
When you use Java on Windows, its security settings can be changed using the control panel applet. In addition, the latest version contains security settings which allow you to configure the environment more precisely, allowing only trusted applications to run.
To completely disable Java in all browsers used in the system, remove the option “Enable Java content in the browser” in Java settings.
EMET
Microsoft has released a free tool for users to help protect the operating system from malicious actions used in exploits.
The Enhanced Mitigation Experience Toolkit (EMET) uses preventive methods to block various actions typical of exploits and to protect applications from attacks. Although Windows 7 and Windows 8 have built-in DEP and ASLR, which are enabled by default and intended to mitigate the effects of exploitation, EMET adds further features for blocking the actions of exploits and can enable DEP or ASLR for specified processes (increasing system protection in older versions of the OS).
This tool must be configured separately for each application: in other words, to protect an application using this tool, you need to include that specific application in the list. In addition there is a list of applications for which EMET is enabled by default: for example, the browser Internet Explorer, Java and Microsoft Office. It’s a good idea to add to the list your favorite browser and Skype.
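DEP and ASLR only protect a process fully when its executable and libraries opt in, which is why EMET can force them on for binaries that did not. As an added example (not code from ESET, Microsoft or EMET), the Python checker below reads the DllCharacteristics field of a PE header and reports whether an image was linked with NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR). The flag values and header offsets come from the PE/COFF specification; `build_test_image` is an assumed helper that fabricates a minimal, non-loadable header purely so the parser can be exercised without a real binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # image is compatible with DEP (no-execute stack/heap)
HIGH_ENTROPY_VA = 0x0020   # 64-bit image accepts high-entropy ASLR (Windows 8+)


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report which mitigations the image opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if size_opt < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    pe32plus = magic == 0x20B
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "dep": bool(dllchar & NX_COMPAT),
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "high_entropy_va": pe32plus and bool(dllchar & HIGH_ENTROPY_VA),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of mitigations an image has not opted into; a hardened build returns []."""
    m = pe_mitigations(data)
    missing = [name for name in ("dep", "aslr") if not m[name]]
    if m["pe32plus"] and not m["high_entropy_va"]:
        missing.append("high_entropy_va")
    return missing


def build_test_image(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a runnable program) for exercising the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(112 if pe32plus else 96)  # optional header with zero data directories
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, len(opt), 0x0002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
```

Run it against the DLLs and executables of an application you are considering adding to EMET: anything that comes back with `dep` or `aslr` missing is exactly the kind of process where forcing the mitigations on at the EMET level makes a difference.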
Operating System Updates
Keeping your operating system and installed software promptly updated and patched is good practice because vendors regularly use patches and updates to address emerging vulnerabilities.
Note that Windows 7 and 8 have the ability to automatically deliver updates to the user by default. You can also check for updates through the Windows Control Panel as shown below.
Generic Exploit Blocking
So far, we have looked at blocking exploits that are specific to the operating system or the applications you are using. You may also want to look at blocking exploits in general. You may be able to turn to your security software for this. For example, ESET introduced something called the Exploit Blocker in its seventh generation of security products with its anti-malware programs ESET Smart Security and ESET NOD32 Antivirus. The Exploit Blocker is a proactive mechanism that works by analyzing suspicious program behavior and generically detecting signs of exploitation, regardless of the specific vulnerability that was used.
Conclusion
Any operating system or program which is widely used will be studied by attackers for vulnerabilities to exploit for illicit purposes and financial gain. As we have shown above, Adobe, Google and Microsoft have taken steps to make these types of attacks against their software more difficult. However, no single protection technique can be 100% effective against determined adversaries, and users have to remain vigilant about patching their operating systems and applications. Since some vendors update their software on a monthly basis, or even less frequently, it is important to use (and keep updated) anti-malware software which blocks exploits.
Why is Cryptolocker so noteworthy?
One specific ransomware threat that has been in the news a lot lately is Cryptolocker (detected by ESET as Win32/Filecoder). The perpetrators of Cryptolocker have been emailing it to huge numbers of people, targeting particularly the US and UK. Like a notorious criminal, this malware has been associated with a variety of other bad actors – backdoor Trojans, downloaders, spammers, password-stealers, ad-clickers and the like. Cryptolocker may come on its own (often by email) or by way of a backdoor or downloader, brought along as an additional component.
You may wonder why the big fuss over this one particular ransomware family – in essence, it is because Cryptolocker’s authors have been both nimble and persistent. There has been a concerted effort to pump out new variants, keeping up with changes in protection technology, and targeting different groups over time.
Since the beginning of September, the malware authors have sent waves of spam emails targeting different groups. Most of the targeted groups have been in the US and the UK, but there is no geographical limit on who can be affected, and plenty of people outside of either country have been hit. Initially emails were targeting home users, then small to medium businesses, and now they are going for enterprises as well.
The malware also spreads via RDP ports that have been left open to the Internet, as well as by email. Cryptolocker can also affect a user’s files that are on drives that are “mapped”, which is to say, they have been given a drive letter (e.g. D:, E:, F: ). This could be an external hard-drive including USB thumb drives, or it could be a folder on the network or in the Cloud. If you have, say, your Dropbox folder mapped locally, it can encrypt those files as well.
At this point, tens of thousands of machines have been affected, though it is estimated that the criminals have sent millions of emails. Hopefully the remainder of recipients simply deleted the malicious emails without opening them, rather than them sitting unopened, waiting to unleash more pain.
Those people that have been affected have had a large number of their files encrypted. These files are primarily popular data formats, files you would open with a program (like Microsoft Office, Adobe programs, iTunes or other music players, or photo viewers). The malware authors use two types of encryption: The files themselves are protected with 256-bit AES encryption. The keys generated by this first encryption process are then protected with 2048-bit RSA encryption, and the malware author keeps the private key that would allow both the keys on the user’s machine and the files they protect, to be decrypted. The decryption key cannot be brute-forced, or gathered from the affected computer’s memory. The criminals are the only ones who ostensibly have the private key.
What can you do about it?
On the one hand, ransomware can be very scary – the encrypted files can essentially be considered damaged beyond repair. But if you have properly prepared your system, it is really nothing more than a nuisance. Here are a few tips that will help you keep ransomware from wrecking your day:
1. Back up your data
The single biggest thing that will defeat ransomware is having a regularly updated backup. If you are attacked with ransomware you may lose that document you started earlier this morning, but if you can restore your system to an earlier snapshot or clean up your machine and restore your other lost documents from backup, you can rest easy. Remember that Cryptolocker will also encrypt files on drives that are mapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores that you have assigned a drive letter. So, what you need is a regular backup regimen, to an external drive or backup service, one that is not assigned a drive letter or is disconnected when it is not doing backup.
The next three tips are meant to deal with how Cryptolocker has been behaving – this may not be the case forever, but these tips can help increase your overall security in small ways that help prevent against a number of different common malware techniques.
2. Show hidden file-extensions
One way that Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Windows’ default behavior of hiding known file-extensions. If you re-enable the ability to see the full file-extension, it can be easier to spot suspicious files.
3. Filter EXEs in email
If your gateway mail scanner has the ability to filter files by extension, you may wish to deny mails sent with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (“*.*.EXE” files, in filter-speak). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can do so with ZIP files (password-protected, of course) or via cloud services.
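Tips 2 and 3 both come down to the same check: look past the extension a user sees to the extension Windows will actually act on. The Python below is an added example (not ESET code or any particular mail gateway's filter) showing how a gateway rule for “.EXE” and “*.*.EXE” attachments can be expressed, and what the hidden-extension display does to a name like invoice.pdf.exe. The extension list and the attachment names are constructed for the example.

```python
from typing import List, Tuple

# Extensions Windows runs directly (constructed list for the example; a real
# gateway policy would be tuned to the environment).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta", "msi"}


def extension_chain(name: str) -> List[str]:
    """'Invoice.PDF.EXE' -> ['pdf', 'exe']; a name with no dot yields []."""
    parts = name.strip().lower().split(".")
    return [p for p in parts[1:] if p]  # drop the base name and empty segments


def display_name_with_hidden_extension(name: str) -> str:
    """Approximates what Explorer shows with 'hide extensions for known file types'
    enabled: only the final extension is dropped, so 'invoice.pdf.exe' looks like
    'invoice.pdf' and the trailing .exe is never seen."""
    base, dot, _ = name.rpartition(".")
    return base if dot else name


def classify_attachment(name: str) -> str:
    """Gateway decision for one attachment name.

    block-double-extension : '*.*.EXE'-style names (two or more extensions, last executable)
    block-executable       : a single executable extension
    allow                  : everything else, including archives, which the article
                             suggests as the legitimate way to exchange executables
    """
    exts = extension_chain(name)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        return "block-double-extension" if len(exts) >= 2 else "block-executable"
    return "allow"


def filter_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Apply the rule to every attachment of a message and return (name, decision) pairs."""
    return [(n, classify_attachment(n)) for n in names]


# Constructed attachment names: one disguised executable, one plain executable,
# and three that should pass.
SAMPLE_ATTACHMENTS = [
    "Invoice_2013-12.PDF.EXE",
    "quarterly_report.pdf",
    "setup.exe",
    "photos.zip",
    "README",
]

if __name__ == "__main__":
    for name, decision in filter_attachments(SAMPLE_ATTACHMENTS):
        shown = display_name_with_hidden_extension(name)
        print(f"{name:28} shown as {shown:24} -> {decision}")
```

Note that the rule keys on the last extension only: “report.exe.pdf” is allowed, because Windows would open it with the PDF reader, while “report.pdf.exe” is blocked as a double extension.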
4. Disable files running from AppData/LocalAppData folders
You can create rules within Windows or with Intrusion Prevention Software, to disallow a particular, notable behavior used by Cryptolocker, which is to run its executable from the App Data or Local App Data folders. If (for some reason) you have legitimate software that you know is set to run not from the usual Program Files area but the App Data area, you will need to exclude it from this rule.
5. Use the Cryptolocker Prevention Kit
The Cryptolocker Prevention Kit is a tool created by Third Tier that automates the process of making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities. This tool is updated as new techniques are discovered for Cryptolocker, so you will want to check in periodically to make sure you have the latest version. If you need to create exemptions to these rules, they provide this document that explains that process.
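Whether you build the rules by hand (tip 4) or with the Prevention Kit (tip 5), it helps to see what the policy would have blocked before enforcing it. The Python below is an added example, not part of the article or the Third Tier kit: it runs the same logic as a detection over process-creation records, flagging executables launched from AppData, LocalAppData, the Temp folder beneath it and Windows\Temp, with an exemption list for legitimate software that lives there. The Sysmon-like log layout, the events and the exempted “ExampleSync” program are all constructed for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed process-creation events in a simple key=value layout. A real
# deployment would feed this from the Windows event log or an EDR export.
SAMPLE_LOG = r"""
2013-12-16 09:12:01 ProcessCreate Image=C:\Windows\System32\notepad.exe User=CORP\alice
2013-12-16 09:12:07 ProcessCreate Image=C:\Users\alice\AppData\Roaming\invoice.pdf.exe User=CORP\alice
2013-12-16 09:13:40 ProcessCreate Image=C:\Users\alice\AppData\Local\Temp\unzip_tmp\readme.exe User=CORP\alice
2013-12-16 09:15:02 ProcessCreate Image=C:\Users\alice\AppData\Local\ExampleSync\examplesync.exe User=CORP\alice
2013-12-16 09:16:55 ProcessCreate Image=C:\Program Files\Example App\app.exe User=CORP\alice
"""

# Exemptions for legitimate software that runs from AppData (constructed entry).
# The profile name under \Users is replaced by '*' so one entry covers every user.
EXEMPTIONS = {r"c:\users\*\appdata\local\examplesync\examplesync.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ProcessCreate Image=(?P<image>.+?) User=(?P<user>\S+)$")


def parse_process_events(text: str) -> List[Dict[str, str]]:
    """Extract timestamp, image path and user from each well-formed log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def normalise_image(image: str) -> str:
    """Lower-case the path and replace the profile name under \\Users with '*'."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    if len(parts) > 2 and parts[1] == "users":
        parts[2] = "*"
    return str(PureWindowsPath(*parts))


def suspicious_location(norm_image: str) -> Optional[str]:
    """Name the watched directory the image lives in, or None if it is elsewhere.
    The most specific folder is checked first so Local\\Temp is reported as such."""
    if "\\appdata\\local\\temp\\" in norm_image:
        return "LocalAppData\\Temp"
    if "\\appdata\\local\\" in norm_image:
        return "LocalAppData"
    if "\\appdata\\roaming\\" in norm_image:
        return "AppData"
    if "\\windows\\temp\\" in norm_image:
        return "Windows\\Temp"
    return None


def evaluate(events: List[Dict[str, str]], exemptions=EXEMPTIONS) -> List[Dict[str, Optional[str]]]:
    """Decide allow / block / exempt for each event, mirroring the path rule."""
    findings = []
    for ev in events:
        norm = normalise_image(ev["image"])
        loc = suspicious_location(norm)
        if loc is None:
            decision = "allow"
        elif norm in exemptions:
            decision = "exempt"
        else:
            decision = "block"
        findings.append({"ts": ev["ts"], "image": ev["image"],
                         "location": loc, "decision": decision})
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_process_events(SAMPLE_LOG)):
        print(f["ts"], f["decision"].upper().ljust(6), f["location"] or "-", f["image"])
```

Running the rule in this audit mode first surfaces the exemptions you will need (the “ExampleSync” case) before the equivalent Group Policy starts blocking real users.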
6. Disable RDP
The Cryptolocker/Filecoder malware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access your desktop remotely. If you do not require the use of RDP, you can disable RDP to protect your machine from Filecoder and other RDP exploits. For instructions to do so, visit the appropriate Microsoft Knowledge Base article below:
These next two tips are more general malware-related advice, which applies equally to Cryptolocker as to any malware threat. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. It can significantly decrease the potential for ransomware-pain if you make a practice of updating your software often. Some vendors release security updates on a regular basis (Microsoft and Adobe both use the second Tuesday of the month), but there are often “out-of-band” or unscheduled updates in case of emergency. Enable automatic updates if you can, or go directly to the software vendor’s website, as malware authors like to disguise their creations as software update notifications too.
8. Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently send out new variants, to try to avoid detection, so this is why it is important to have both layers of protection. And at this point, most malware relies on remote instructions to carry out their misdeeds. If you run across a ransomware variant that is so new that it gets past anti-malware software, it may still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.
If you find yourself in a position where you have already run a ransomware file without having performed any of the previous precautions, your options are quite a bit more limited. But all may not be lost. There are a few things you can do that might help mitigate the damage, particularly if the ransomware in question is Cryptolocker:
9. Disconnect from WiFi or unplug from the network immediately
If you run a file that you suspect may be ransomware, but you have not yet seen the characteristic ransomware screen, and you act very quickly, you might be able to stop communication with the C&C server before it finishes encrypting your files. If you disconnect yourself from the network immediately (have I stressed enough that this must be done right away?), you might mitigate the damage. It takes some time to encrypt all your files, so you may be able to stop it before it succeeds in garbling them all. This technique is definitely not foolproof, and you might not be sufficiently lucky or be able to move more quickly than the malware, but disconnecting from the network may be better than doing nothing.
10. Use System Restore to get back to a known-clean state
If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. But, again, you have to out-smart the malware. Newer versions of Cryptolocker can have the ability to delete “Shadow” files from System Restore, which means those files will not be there when you try to replace your malware-damaged versions. Cryptolocker will start the deletion process whenever an executable file is run, so you will need to move very quickly as executables may be started as part of an automated process. That is to say, executable files may be run without you knowing, as a normal part of your Windows system’s operation.
11. Set the BIOS clock back
Cryptolocker has a payment timer that is generally set to 72 hours, after which time the price for your decryption key goes up significantly. (The price may vary as Bitcoin has a fairly volatile value. At the time of writing the initial price was .5 Bitcoin or $300, which then goes up to 4 Bitcoin) You can “beat the clock” somewhat, by setting the BIOS clock back to a time before the 72 hour window is up. I give this advice reluctantly, as all it can do is keep you from having to pay the higher price, and we strongly advise that you do not pay the ransom. Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behavior! Ransoming anything is not a legitimate business practice, and the malware authors are under no obligation to do as promised – they can take your money and provide nothing in return, because there is no backlash if the criminals fail to deliver.
Finally, it should be noted that the recent rash of ransomware attacks has generated a lot of breathless news coverage, mainly because it is a departure from previous trends in financially motivated malware (which tended to be stealthy and thus not data-damaging). Ransomware can certainly be frightening, but there are many benign problems that can cause just as much destruction. That is why it has always been, and always will be, best practice to protect yourself against data loss with regular backups. That way, no matter what happens, you will be able to restart your digital life quickly. It is my hope that if anything good can come out of this ransomware trend, it is an understanding of an importance of performing regular, frequent backups to protect our valuable data.
Your next PC password could be President Bill Clinton kissing a fish – and that disturbing mental image, and similar surreal “story images” could be the key to creating strong passwords across multiple accounts, according to Carnegie Mellon researchers. The system relies on “story sentences” – a person, an action, an object – which can be memorised easily, using pictures as cues, the researchers say. The user carries an app with images as a reminder of “stories” – and the key is remembering combinations. It’s based on techniques used by memory experts.
The picture here illustrates the system – Person (Clinton), Action (Kiss), Object (Fish). There is, of course, no suggestion that the former President may engage in “improper sexual relationships” with goldfish.
“People can use “public cues” (e.g. a photo of Bill Gates) to help them to remember their passwords without writing them down in plain text. These cues could be stored in an app on a smartphone,” ZDNet wrote in its report. The user remembers how the images combine, and uses this to memorise sequences of letters (i.e. three letters from each word, or a similar pattern).
The researchers say that memorizing nine of these stories could allow users to create secure passwords for more than 100 accounts, with ‘reminders’ stored in a smartphone app. A thief, however, wouldn’t be able to work out the combinations, thus the system is secure. Blocki himself has memorised 43 stories.
“If you can memorize nine stories, our system can generate distinct passwords for 126 accounts,” Jeremiah Blocki, a Ph.D. student at the university, said. By reusing and recombining within the app, users will “rehearse” the stories, thus helping them remember, Blocki says. The app works as a memory prompt, and was based on cognitive research into memory retention and repetitive “rehearsal”. Blocki’s paper is available in full here.
The researchers say they were inspired by “Moonwalking with Einstein,” a 2011 bestseller which described the world of competitive memorization – and which described the concept of Person-Action-Object, or PAO, and how it is used in such contests to memorize long sequences of letters and numbers, according to Phys.org.
“For instance, photos of President Bill Clinton, a piranha and someone kissing might result in a story, ‘Bill Clinton kissing a piranha,’ or ‘President smooches a fish,’” the researchers say. “By taking the first letter from each word, or the first three letters from the first two words, the user could generate part of a password.”
Blocki says that the system is initially harder work for the user, and that using the app daily or every two days helps the passwords to “sink in”, but that after some time in use, normal password use would be enough for users to remember the details they needed. Blocki said users can rely on as few as nine photo/story pairs, though he personally has opted to use 43 stories to maintain greater security.
“The most annoying thing about using the system isn’t remembering the stories, but the password restrictions of some sites,” said Blocki, referring to sites which require numbers or special characters as part of passwords.
“In those cases, I just make a note to, for instance, add a ‘1’ to the password,” he said. “The security is inherent in the passwords themselves and the notes don’t affect that.” Writing down such notes is often considered bad practice, but Blocki claims that as the story links are known only to the user, his system is secure even if some photos are compromised, or if a number, for instance, is known.
ESET Senior Research Fellow David Harley says that the system offers the “germ of an idea”, but that the patterns generated may not be sufficiently random to beat advanced password-cracking software.
Harley says, “The story building approach is a standard mnemonic technique – in fact, there’s a related XKCD cartoon http://xkcd.com/936/ - but I remember stumbling across something slightly similar in a psychology experiment at university in the early 70s.
“Essentially, I found myself able to remember a long string of essentially unconnected words by inventing a story. It was surprisingly effective: I could still bring it to mind many months afterwards without rehearsing it, and I’m not even a particularly visual thinker, so my ‘story’ was less reliant on visual elements. These days, though, I’m happy if I can finish the day remembering which day it is…”
“One problem that tends to come up with solutions that focus on memorization techniques rather than maximizing entropy is that they tend to make assumptions about the randomness of the resulting passphrase and the equivalence of randomness and entropy that aren’t necessarily true. In this case, the idea seems to me to be that the user chooses a pattern for selecting fragments, but the sort of pattern envisaged (first letter of each word, first three letters of the first two words) is not random, even if it doesn’t make a ‘real’ word. ‘Cracking’ software is rather good at detecting patterns that may not be obvious to a human reader, and if I’m reading this correctly, entropy is further reduced by using case-insensitive alphabetical characters only.”
“Blocki is actually flagging some of the techniques used to make a password harder to guess, and recommending an ‘add a number’ strategy that a security expert probably wouldn’t suggest, knowing that one technique cracking software is likely to use is to substitute numbers for the final one or two characters of a password. That’s because not only are users known to add numbers to a password to pad it out to a required minimum, as he suggests, but they also append numbers to save them from having to change an expired password to something completely different.”
“There’s the germ of a good idea here, but the researchers need to think a bit more about how passwords are actually cracked. The technique described here sounds more like an attempt to defeat a human trying to guess – like they always do it in the movies – than a serious attempt to circumvent automated password cracking. Perhaps a little less psychology and a little more computer science in the mix would improve the recipe. Entropy-boosting restrictions do tend to annoy end users, but I’m not convinced that this approach is adding more entropy than it’s removing.”
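The following is an added example, not code from the Carnegie Mellon researchers or from Blocki’s paper, that models the PAO scheme described above and puts numbers on Harley’s entropy objection. Two things it assumes are not stated on the page: that each account password is built from four of the nine memorised stories (9 choose 4 = 126, which matches the figure the article quotes), and that the per-story fragment is the first three letters of the first two words, one of the two patterns the researchers mention. The stories and word lists are constructed for illustration, and the prefix collisions in them (clinton/clint, kissing/kisses) are deliberate.

```python
"""Toy model of a Person-Action-Object (PAO) password scheme.

Added example, not the researchers' code. Assumptions not stated on the page:
each account password is built from 4 of the 9 memorised stories
(C(9,4) = 126, matching the article), and the per-story fragment is the
first three letters of the first two words.
"""
from itertools import combinations
import math

# Constructed sample stories, (person, action, object); not the paper's lists.
STORIES = [
    ("clinton", "kissing", "piranha"),
    ("gates", "juggling", "toaster"),
    ("einstein", "riding", "unicycle"),
    ("lincoln", "painting", "pumpkin"),
    ("mozart", "throwing", "pancake"),
    ("curie", "hugging", "cactus"),
    ("darwin", "baking", "lantern"),
    ("newton", "kicking", "teapot"),
    ("tesla", "wrestling", "walrus"),
]
STORIES_PER_PASSWORD = 4  # assumed: 9 choose 4 = 126 accounts


def fragment(story):
    """Password fragment for one story: first three letters of person and action.

    Under this pattern the object never reaches the password, so it aids
    memorability but contributes no secret material.
    """
    person, action, _object = story
    return person[:3] + action[:3]


def account_passwords(stories=STORIES, k=STORIES_PER_PASSWORD):
    """Map each k-subset of story indices to the password it yields.

    The phone app would hold, per account, only which stories' pictures to
    show; the concatenated fragments are what the user types.
    """
    return {
        subset: "".join(fragment(stories[i]) for i in subset)
        for subset in combinations(range(len(stories)), k)
    }


def naive_entropy_bits(password):
    """Bits credited if every lowercase letter were independent and uniform."""
    return len(password) * math.log2(26)


def distinct_fragments(persons, actions):
    """Number of distinct fragments the word lists can produce.

    Words sharing a three-letter prefix collapse to the same fragment, so this
    is at most len(persons) * len(actions) and usually less.
    """
    return len({p[:3] + a[:3] for p in persons for a in actions})


def scheme_entropy_bits(num_fragments, k=STORIES_PER_PASSWORD):
    """Upper bound on bits when the attacker knows the scheme and the word lists.

    Each of the k fragments is one of num_fragments possibilities, so there are
    at most num_fragments ** k candidate passwords to enumerate.
    """
    return k * math.log2(num_fragments)


# Constructed word lists with deliberate prefix collisions.
PERSONS = ["clinton", "clint", "gates", "einstein", "lincoln",
           "mozart", "curie", "darwin", "newton", "tesla"]
ACTIONS = ["kissing", "kisses", "kicking", "juggling", "riding",
           "painting", "throwing", "hugging", "baking", "wrestling"]

if __name__ == "__main__":
    pws = account_passwords()
    sample = pws[(0, 1, 2, 3)]
    print(f"{len(pws)} accounts, e.g. stories 0-3 -> {sample}")
    print(f"naive estimate for that password: {naive_entropy_bits(sample):.1f} bits")
    frags = distinct_fragments(PERSONS, ACTIONS)
    print(f"{len(PERSONS) * len(ACTIONS)} word pairs -> {frags} distinct fragments")
    print(f"scheme-aware upper bound: {scheme_entropy_bits(frags):.1f} bits")
```

The gap between the two estimates is the point Harley is making: a 24-letter lowercase string looks like over 110 bits if you count letters, but an attacker who knows the pattern and the word lists only has to enumerate fragments, and with these small constructed lists that bound drops to around 25 bits. Real lists would be larger, so the absolute numbers are illustrative; the shape of the calculation is what matters.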
Twitter has reacted to yet another user revolt, performing an unwilling U-turn on changes – made just hours previously – to how blocked users are handled.
Twitter's changes on Thursday afternoon meant users would not know immediately that they had been blocked, and could still view the tweets of the person who had blocked them and also mention them in tweets, although the user would not be notified about the mention. But following feedback, the micro-blogging firm has reverted to its previous policy where a blocked user will be able to tell they have been blocked, and unable to see the profile of the person who blocked them.
The company said the decision was "not ideal". "In reverting this change to the block function, users will once again be able to tell that they've been blocked," Michael Sippey, Twitter's vice president of product said in a blog post, citing "fear of retaliation" as a strong reason for making user-blocking actions harder to discover. "Some users worry just as much about post-blocking retaliation as they do about pre-blocking abuse," he continued, but admitted "we never want to introduce features at the cost of users feeling less safe".
He said Twitter would now explore other options to protect users from retaliation. Even with the old behaviour restored, a persistent offender can still read a public timeline simply by logging out or creating another account, since blocking only affects what a particular logged-in account can see. This means the only way a user can truly keep a harasser out is to make their timeline private, so that only approved followers can view it.
Twitter's 2013 has been heavily marked by its handling of the abuse scandal, which began during the summer, with many high-profile members reporting rape and death threats, with seemingly no way to instantly block their harassers. Twitter took several months to add an instant abuse-reporting button to all of its platforms, provoking ire from politicians, the police and the general public.
Since becoming a publicly traded company in November, Twitter's response to such user feedback will be closely monitored by financial analysts, who will be nervous of any potential legal and ethical stumbling blocks that could affect the firm's reputation and share price.