* Posts by Anon Ymous 42

6 publicly visible posts • joined 17 May 2018

Low Barr: Don't give me that crap about security, just put the backdoors in the encryption, roars US Attorney General

Anon Ymous 42

Onee, Tb shpx lbhefrys!

Dev's telnet tinkering lands him on out-of-hour conference call with CEO, CTO, MD

Anon Ymous 42

In 1979, as a high school student, I was asked to write the attendance program. Each home-room had a punch card for each student. Those absent at home-room would have their cards sent to the main office; these were then fed into the card reader and two lists generated: one for all the teachers so they knew who was absent, the other for the nurse who badgered parents for excuses. I wrote the program so that any card with my last name never ended up as an entry on the nurse's list. Skip homeroom and I could skip any class that day. I never got busted because I never abused it. After I went to college, my brother, 5 years younger, figured this out quickly and got busted within the first 2 months after he later arrived at the high school.

Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is 'insecure'

Anon Ymous 42

Re: This is easy to fix.

The protection is two-fold. The identity cert contains the signed identifier of the device that is trying to be added; this identifier can't be changed without being noticed because the root private key that signed the identity cert is kept securely at Apple. The second protection is that Man in the Middle is mitigated: while normal TLS can be more easily MiTM'd, when using mutual TLS where a client cert is used (the burned-in device identity cert), by simply validating the chain (the same root controlled by Apple mentioned above) a MiTM situation can be very easily detected. Again, search "Apple SCEP over the air" to get in-depth info; I'm only suggesting that MDM use the same mechanism that secures this SCEP protocol. Using mutual authentication with this "burned in" identity cert (with proper signature verification and chain checking) is all that is needed.

Anon Ymous 42

This is easy to fix.

While the recommendation to move away from predictable serial numbers is still a good one, the MDM enrollment need only incorporate the device identity certificate that is burned into each device. Any device after a 5S has the private key protected by the secure element. Use of signing and chain checking can very effectively secure the existing protocol. Do searches on Apple's over-the-air support of the SCEP protocol to get more info about this embedded cert.

S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats

Anon Ymous 42

Re: It's not a PGP or S/MIME issue - yes it is, but it can be fixed.

So the attack is based on the use of CBC, which has been used for a number of attacks on a number of ciphers for several years. URLs in HTML mail, or even OCSP/CDPs in plaintext emails where the email client doesn't do full chain checking, are the back channel.

The fix is to use ciphers that don't use CBC. Your email client may need an update to support more recent non-CBC ciphers, and for S/MIME your cert needs to specify new ciphers in S/MIME capabilities that don't use CBC. Not trivial, but not tremendously difficult.

Biometrics: Better than your mother's maiden name. Good luck changing your body if your info is stolen

Anon Ymous 42

Biometrics are better than alternatives

Most biometric systems use the concept of, and store, a biometric template and not the actual biometric. This is done for a number of reasons (the biometric changes as you grow, for example). This also means that the biometric itself (fingerprint, eye scan, etc.) is not actually stored, which means any compromise of the system doesn't provide the data needed to do a future match.

Additionally, each biometric sample is different every time. You read your fingerprint twice and these are two unique, different samples, even though both samples are from the same finger. Most biometric systems will store a hash of each sample so they can easily determine if a sample was 'replayed' or seen before.

So in general the theft of your biometric is not as simple as capturing your fingerprint, voice or eye scan and replaying it. Biometrics are not infallible, but are far better than other options available, particularly if initial enrollment is done in a face-to-face situation (like a driver's license or US Customs entry point).

MFA can be phished and/or man-in-the-middled; KBA can be learned easily with a very small amount of detective work. Estonia's smartcard solution is very strong, but expensive for hardware and doesn't work well on mobile devices. Apple's implementation of both TouchID and FaceID is done properly on the most recent devices (6S or later) because of its use of a secure element (which in concept is similar to the protection that the Estonian solution provides).