Suramya's Blog : Welcome to my crazy life…

May 19, 2023

KeePass exploit helps retrieve cleartext master password – Fix ETA July 2023

Filed under: Computer Security,My Thoughts,Tech Related — Suramya @ 8:06 PM

Security is hard to do, and no matter how careful you are while coding, every piece of software will have bugs in it, and some of these bugs have major security implications. KeePass, a very popular password manager, is vulnerable to having the master password extracted from the application’s memory, allowing attackers who compromise a device to retrieve the password even while the database is locked. The bug is being tracked as CVE-2023-32784.

The issue was discovered by a security researcher known as ‘vdohney’, who has unfortunately also published PoC code exploiting the vulnerability, called “KeePass Master Password Dumper”, on GitHub.

KeePass Master Password Dumper is a simple proof-of-concept tool used to dump the master password from KeePass’s memory. Apart from the first password character, it is mostly able to recover the password in plaintext. No code execution on the target system is required, just a memory dump. It doesn’t matter where the memory comes from – can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), various crash dumps or RAM dump of the entire system. It doesn’t matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it’s been since then.

Tested with KeePass 2.53.1 on Windows (English) and KeePass 2.47 on Debian (keepass2 package). PoC might have issues with different encodings (languages), but that’s not confirmed as of now (see issue #3). Should work for the macOS version as well. Unfortunately, enabling the Enter master key on secure desktop option doesn’t help in preventing the attack.

The attack does require either physical access to the system, or the system would need to be infected with malware that gives an attacker remote access with the ability to perform thread dumps. They can also extract the password from the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or a RAM dump of the entire system.

The fix for the problem is in the works and the initial testing looks promising. Personally, I think the security researcher should have waited to release the PoC code until the fix was available, but to each their own I guess.

Source: Bleepingcomputer.com: KeePass exploit helps retrieve cleartext master password, fix coming soon

February 20, 2023

Fixing SSL error 61 on Citrix Workspace on Debian

Was trying to connect to a Citrix Workspace and kept getting the following error: “You have not chosen to trust ‘Entrust Root Certification Authority – XX’, the issuer of the security certificate (SSL error 61)”. I have hit this error in the past and had fixed it, but couldn’t find my notes on how I had fixed it back then, so I had to resort to searching the web based on vague memories of how I had fixed it. After a bit of effort I found two solutions that people had suggested:

Solution 1:

Create a symbolic link pointing the /opt/Citrix/ICAClient/keystore/cacerts directory to /usr/share/ca-certificates/mozilla/, using the commands below as root:

mv /opt/Citrix/ICAClient/keystore/cacerts /opt/Citrix/ICAClient/keystore/cacerts.bak
ln -s /usr/share/ca-certificates/mozilla/ /opt/Citrix/ICAClient/keystore/cacerts

Unfortunately, this didn’t resolve the problem for me.

Solution 2:

The second solution people recommended was to link the /opt/Citrix/ICAClient/keystore/cacerts directory to the /etc/ssl/certs/ directory, using the commands below as root:

mv /opt/Citrix/ICAClient/keystore/cacerts /opt/Citrix/ICAClient/keystore/cacerts.bak
ln -s /etc/ssl/certs/ /opt/Citrix/ICAClient/keystore/cacerts

After I linked the directory to /etc/ssl/certs things immediately started working without errors. This time I am blogging about it so that the next time I don’t waste time trying to find the solution.

– Suramya

February 2, 2023

KeePass vulnerability that allows anyone with write access to the config file export all stored passwords

Filed under: Computer Security,Tech Related — Suramya @ 5:17 PM

KeePass is an open source password manager that I have been using for a few years. For me the main attraction was that the password database is stored locally instead of using a cloud based solution, although you can configure it to save the password file on a cloud store if you want.

Recently a security ‘vulnerability’ was found in KeePass that allows someone with access to the system where KeePass is installed to export the entire password database in clear text without any user intervention. Basically, if an attacker has write access to the XML configuration file, they can add an export trigger to get cleartext passwords as and when they are used. There is an ongoing dispute in which it is debated that this is technically not a vulnerability in KeePass, as anyone with write access to the configuration file already has enough access to perform more powerful attacks. The issue has been assigned CVE-2023-24055.

“In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection),” the KeePass developers explain. “These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

Personally, I think that while it does follow that physical access equals root access, there should be some notification / mechanism that gets triggered when the XML configuration file is modified outside the KeePass interface. Something like an alert that tells you “The XML configuration file was directly modified. Please ensure that no extra triggers are installed” (or words to that effect). This way, even if an attacker gets access to the system, they can’t easily get at the stored passwords, which would hopefully be protected with another password.
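As an added example (not KeePass’s code, and not from the original post), here is the kind of check the post asks for: record a fingerprint of the config file when KeePass last saved it, and when the file changes outside KeePass, raise the alert and list the triggers now present for review. The config layout is a constructed, simplified stand-in for KeePass.config.xml, the GUIDs are placeholders, and the stored baseline fingerprint is a hypothetical record KeePass would keep.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed, simplified stand-in for KeePass.config.xml. The real file carries many
# more settings and identifies trigger events/actions by GUIDs; placeholders are used here.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>Injected export</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event><TypeGuid>PLACEHOLDER-EVENT-TYPE</TypeGuid></Event>
          </Events>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-TYPE</TypeGuid>
              <Parameters><Parameter>C:\\Users\\Public\\export.xml</Parameter></Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# The same file as KeePass itself would have last saved it: no triggers.
CLEAN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers />
    </TriggerSystem>
  </Application>
</Configuration>
"""


def config_fingerprint(xml_text: str) -> str:
    """SHA-256 of the raw file: any edit made outside KeePass changes it."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def list_triggers(xml_text: str) -> List[Dict]:
    """Summarise every trigger so the user can spot ones they did not create."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    triggers = []
    for trig in root.iter("Trigger"):
        triggers.append({
            "name": trig.findtext("Name", default=""),
            "enabled": trig.findtext("Enabled", default="false").lower() == "true",
            "action_types": [a.findtext("TypeGuid", default="") for a in trig.iter("Action")],
            "parameters": [p.text or "" for p in trig.iter("Parameter")],
        })
    return triggers


def check_config(xml_text: str, baseline_fingerprint: str) -> Dict:
    """Compare against the fingerprint recorded after the last save through the KeePass UI
    (a hypothetical record KeePass would keep) and report the triggers now present."""
    current = config_fingerprint(xml_text)
    return {
        "modified_outside_keepass": current != baseline_fingerprint,
        "fingerprint": current,
        "enabled_triggers": [t for t in list_triggers(xml_text) if t["enabled"]],
    }


def alert_message(report: Dict) -> str:
    """The notification the post proposes, listing the enabled triggers for review."""
    if not report["modified_outside_keepass"]:
        return "Configuration unchanged since KeePass last saved it."
    names = ", ".join(t["name"] or "<unnamed>" for t in report["enabled_triggers"]) or "none"
    return ("The XML configuration file was directly modified. "
            "Please ensure that no extra triggers are installed. Enabled triggers: " + names)


if __name__ == "__main__":
    baseline = config_fingerprint(CLEAN_CONFIG)  # recorded at the last UI-driven save
    print(alert_message(check_config(SAMPLE_CONFIG, baseline)))
```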

Source: Naked Security: Password-stealing “vulnerability” reported in KeePass – bug or feature?

January 17, 2023

I hacked the Tamil Nadu eGovernment site and all I got was this lousy blog post

Filed under: Computer Security,Computer Tips,Tech Related — Suramya @ 1:20 AM

Finally doing a writeup of how I found that the eGovernment portal of Tamil Nadu had a major bug with a huge privacy impact, as it leaked user documents with sensitive information (Personally Identifiable Information) to the public. This issue was reported and has been fixed as well, so I am sharing this information so that others are aware of it and can avoid similar problems in sites they manage going forward.

This whole saga started when I had to apply for an epass to enter Tamil Nadu and noticed that the link sent to download the PDF copy of the pass did not require any password to access. The link to download the data was something like https://tnegov.in/xxxxxx, where xxxxxx was a 6 character code. It looked like they might be vulnerable to a parameter enumeration attack, so I wrote a quick script to try calling the URL with various sequential codes starting with AAAAAA and moving up. To my surprise, within 30 seconds of running the script I found another person’s personal document (https://tnegov.in/AAAABY) accessible over the web without any authentication. This URL gave me a PDF file that contained a “First Graduate Certificate” (given to the first person in a family who graduates) for a lady in Virudhunagar District in Tamil Nadu.

Since I had proven that the private information was being leaked, I immediately killed the script and reported it to the Tamil Nadu CERT team using their web form and the same was also sent via email to info.cert@tn.gov.in on 12th March 2021.

A day later I got a call from the CERT team asking for more details. The lady I spoke with asked me a few questions about what I found and wanted additional information about me. The question she got stuck at was “Where are you currently working?” As I was on a work break since I was doing my degree in Cyber Security, I told her that I was not working anywhere but was a student. She was really confused and kept asking the question in different ways. After a few attempts she finally believed that I was studying Cyber Security and told me that they would look into this.

I expected them to take immediate action since this was a major privacy blunder but nothing happened and it was complete radio silence from them so I emailed them again a month later (29th April) asking for an update with another followup email sent in May with no response to either.

On 21st May I looped India CERT in the mail chain to escalate and wasn’t too hopeful of a quick response. Interestingly they replied within 24 hours asking for a PoC and screenshot of the issue, so I responded with a copy of the script I had written along with the PDF file containing the PII that I had found.

After that I didn’t get any communication from the team, and I got busy with exams and classes so I didn’t follow up. However, every so often I would try to access the URL and it would still give me a PDF download. In October, over 7 months after I first reported it, I finally got an error when trying to download the data from the site. Now I get a 404 message stating that the page can’t be found. (The site gives too much detail in the error message, but that is a different story and something for me to look at when I get some free time.)

The overall experience was quite poor: in spite of the immediate response to the first notification of the issue, they didn’t give me any details on the ETA for the fix or let me know once the issue was resolved. That would have made it more streamlined and I wouldn’t have had to check frequently whether the issue was resolved. If nothing else, an email thanking me for reporting the issue would have been nice, although I have seen other agencies / sites give bug bounties to people reporting such issues.

If you are hosting a site that allows users to generate data/files that can be downloaded the following should be kept in mind:

  • When creating links to the generated files, don’t use sequential IDs for the files as it makes it easy to iterate through them. Instead create long randomized strings for the IDs to make them harder to guess
  • Add some form of authentication before allowing the download, something like an emailed link or SMS OTP to validate identity before allowing a download. For example, the Nagaland Government site for ILP forces you to authenticate with an OTP before allowing you access to the document
  • Add some checks for brute-force attempts to guess file paths and block them.
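An added example, not the portal’s code, of the first and third recommendations above: documents are published under random, unguessable tokens, and a client that keeps requesting tokens that do not exist is blocked for a while. The OTP step from the second recommendation is left out; the DocumentStore class, client addresses and timestamps are constructed for the demonstration.

```python
import math
import secrets
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Bits an attacker must search through: log2(alphabet_size ** length).
    A 6-letter code is about 28 bits; a 32-byte random token is 256."""
    return length * math.log2(alphabet_size)


class DocumentStore:
    """Serves generated documents under unguessable tokens and blocks clients that
    keep requesting tokens that do not exist (the signature of enumeration)."""

    def __init__(self, token_bytes: int = 32, max_failures: int = 10,
                 window_seconds: float = 60.0):
        self.token_bytes = token_bytes
        self.max_failures = max_failures
        self.window = window_seconds
        self._docs: Dict[str, bytes] = {}
        # per-client timestamps of recent lookups that missed
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def publish(self, content: bytes) -> str:
        """Store a generated file and return the token that goes into its download link."""
        token = secrets.token_urlsafe(self.token_bytes)  # CSPRNG, URL-safe, not sequential
        self._docs[token] = content
        return token

    def _prune(self, client: str, now: float) -> None:
        misses = self._failures[client]
        while misses and now - misses[0] > self.window:
            misses.popleft()

    def is_blocked(self, client: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._prune(client, now)
        return len(self._failures[client]) >= self.max_failures

    def fetch(self, client: str, token: str,
              now: Optional[float] = None) -> Tuple[str, Optional[bytes]]:
        """Return ("ok", content), ("not_found", None) or ("blocked", None)."""
        now = time.time() if now is None else now
        if self.is_blocked(client, now):
            return "blocked", None
        content = self._docs.get(token)
        if content is None:
            self._failures[client].append(now)  # every miss counts toward the block
            return "not_found", None
        return "ok", content


if __name__ == "__main__":
    store = DocumentStore(max_failures=3)
    link = store.publish(b"%PDF-1.4 constructed certificate")
    print("download link token:", link)
    for guess in ("AAAAAA", "AAAAAB", "AAAAAC", "AAAAAD"):  # sequential guessing
        print(guess, store.fetch("203.0.113.9", guess)[0])
    print("entropy of 6 uppercase letters:", round(guess_space_bits(26, 6), 1), "bits")
```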

Well this is all for now. I have a few more of these that I will be sharing over the next few months once I verify that the issue is resolved and safe to disclose.

– Suramya

October 20, 2022

I am a Certified Threat Intelligence Analyst (CTIA) now

Filed under: Computer Security,My Life — Suramya @ 10:17 AM

I’m happy to share that I’ve obtained a new certification: CTIA (Certified Threat Intelligence Analyst) from EC-Council.

Certification Number   Certification Name                      Issue Date         Expiry Date
ECC8907421563          Certified Threat Intelligence Analyst   October 17, 2022   October 16, 2025

With this I have completed 4 out of the 5 certifications I am eligible for after my degree in Cyber Security. The last one is CHFI and I will be attempting that shortly.

Well this is all for now, will write more later.

– Suramya

October 7, 2022

I am now a CEH (Certified Ethical Hacker)

Filed under: Computer Security,Linux/Unix Related,My Life — Suramya @ 6:23 PM

Gave my CEH (Certified Ethical Hacker) exam on 3rd Oct and have successfully cleared it.

Certification Number   Certification Name          Issue Date        Expiry Date
ECC8907421563          Certified Ethical Hacker    October 3, 2022   October 02, 2025

The exam was interesting and required a bit of memorization, but overall not bad. I do wish they allowed us to access the books or use the tools on the computer. I have a hard time remembering the parameters for commands, and there were a few questions about which parameter you would use to do x. Normally I would run man before using a command, but here I had to remember the commands, so it was a bit more annoying and required some extra effort to memorize. Other than that, the questions were great and required a lot of thinking and knowing the system.

Well this is all for now, will write more later.

– Suramya

October 4, 2022

Workaround for VPN Unlimited connection issues with latest Debian

VPNs are a great way to ensure that your communication remains private when using a public internet connection, such as when you are connected to an airport or coffee shop WiFi. Plus they are good for getting access when a site is blocked where you are; for example, in India VideoLAN.org, the main site for the VLC media player, has been blocked for a while. I primarily use VPN Unlimited on all my systems as I have a lifetime subscription, though I also have other VPNs that I use sometimes.

Unfortunately, the native VPN Unlimited application for Linux stopped working a while ago due to a compatibility issue with SSL. When I upgraded to the latest version of Debian back in July 2022 it suddenly stopped working with the following error message:

vpn-unlimited: symbol lookup error: /lib/libvpnu_private_sdk.so.1: undefined symbol: EVP_CIPHER_block_size

Reinstalling the software didn’t resolve the issue, and neither did a search on the internet help. When I reached out to support, they told me that Debian 11 wasn’t yet supported and they didn’t have an ETA for the new version to be released. They did recommend that I manually create & download an OpenVPN config from their site that would allow me to connect to the VPN manually using OpenVPN instead of the app. Unfortunately, the config generated didn’t work either, as it would fail to connect with the following error message in the logs:

Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.0845]vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: starting openvpn
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.0847] audit: op="connection-activate" uuid="833a72d8-a08a-474e-a854-c926cd6c694a" name="VPN Unlimited" pid=2829 uid=1000 result="success"
Sep 21 02:56:55 StarKnight kded5[2780]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: 2
Sep 21 02:56:55 StarKnight kded5[2780]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: 3
Sep 21 02:56:55 StarKnight NetworkManager[233850]: 2022-09-21 02:56:55 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless
"allow-compression yes" is also set.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: OpenSSL: error:0A00018E:SSL routines::ca md too weak
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: Cannot load certificate file /home/suramya/.local/share/networkmanagement/certificates/E87E7A7D6DA16A89C7B4565273D3A792_hk_openvpn/cert.crt
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: Exiting due to fatal error
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.1095] vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: dbus: failure: connect-failed (1)
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.1095] vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: dbus: failure: connect-failed (1)

After a little more back and forth with the support team (which was extremely responsive and quick), which in turn reached out to their developers, we identified the issue with the OpenVPN config. The fix for this will be deployed to all their servers by the end of this month. In the meantime I was given a workaround that resolved the issue for me. To fix the issue, add this line to your OVPN file under the VPN section:

tls-cipher=DEFAULT:@SECLEVEL=0

More information on this is available in the OpenVPN forum. Keep in mind that this is not a secure configuration; if you are working on something really top secret, you should use another VPN until the issue is actually fixed instead of relying on this workaround.
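Added example, not from VPN Unlimited or the original post: a small DER reader that pulls the signature algorithm out of a certificate (PEM or DER) and reports whether OpenSSL 3 would reject it at a given security level, which is the check behind the “ca md too weak” line in the log above and the check that `@SECLEVEL=0` switches off. The certificates it runs on are constructed stand-ins with a placeholder tbsCertificate; the function names are mine.

```python
import base64
from typing import Dict, Tuple


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV element."""
    return bytes([tag]) + _der_length(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:  # base-128 with continuation bits, most significant group first
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


# Signature algorithm OID -> (name, digest it relies on)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}


def pem_to_der(pem_text: str) -> bytes:
    lines = [l for l in pem_text.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = read_tlv(alg_id)    # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    return decode_oid(oid_body)


def assess(cert_der: bytes, seclevel: int = 1) -> Dict:
    """OpenSSL 3.x rejects MD5- and SHA-1-signed certificates at security level 1 and
    above ("ca md too weak"); level 0, which the tls-cipher workaround selects, permits them."""
    oid = signature_algorithm_oid(cert_der)
    name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
    return {"oid": oid, "algorithm": name, "digest": digest,
            "rejected": seclevel >= 1 and digest in ("md5", "sha1")}


def fake_cert(sig_oid: str) -> bytes:
    """Constructed stand-in: a real tbsCertificate has many fields, here it is a placeholder."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg_id = der(0x30, encode_oid(sig_oid) + der(0x05, b""))  # OID plus NULL parameters
    sig = der(0x03, b"\x00" * 9)                                # placeholder BIT STRING
    return der(0x30, tbs + alg_id + sig)


def fake_pem(sig_oid: str) -> str:
    b64 = base64.b64encode(fake_cert(sig_oid)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys  # pass the path of the cert.crt file named in the log to check a real one
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            cert = pem_to_der(fh.read())
    else:
        cert = fake_cert("1.2.840.113549.1.1.5")
    for level in (0, 1):
        print("SECLEVEL", level, assess(cert, seclevel=level))
```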

However, just wanted to share this here for others who might be having this same issue. Hope this helps.

– Suramya

August 8, 2022

Using Behavioral Biometrics for User Authentication as added security measures – Advantages and Disadvantages

Filed under: Article Releases,Computer Security,My Thoughts — Suramya @ 11:59 PM

In this paper we explore how users can be uniquely identified on a continuous basis using biometrics other than fingerprints, facial recognition, iris recognition etc. We explore the use of techniques such as typing style and computer use style to see if we can create a model to uniquely identify a user based on the way they type and use the computer. As this method allows a system to constantly reauthenticate a user based on characteristics that are almost impossible to fake, we look at the complexity of integrating it as a security measure for secure systems. We also look at the pros and cons of implementing this authentication mechanism and explore potential problems this system creates for users and administrators. Specifically, we look at how the system would deal with users who are sick, under medication or under stress, which could change their usage patterns, and whether it is worth the expense and privacy issues to implement such a system.

Introduction and background

User authentication is the process of verifying the identity of a user or process trying to access a system, online service, connected device, infrastructure resource etc. Traditionally, authentication is done by having the user provide one or more of the following:

  • Something they know
  • Something they have
  • Something they are

Let’s look at each of these one by one. The oldest way of authentication to computer systems is using usernames and passwords. The first password protection system was implemented in 1961 by Fernando J. Corbató at MIT (Workos, 2020). This allowed the system to identify users based on a secret password that only they knew. The first set of passwords were stored in plain text, but then password encryption was implemented so that users could not read the passwords for other users.

However, passwords can be leaked or guessed. In the past few years there have been major leaks of authentication data which have been decrypted and sophisticated password crackers have been created that can crack passwords based on dictionary attacks and brute force attacks. To safeguard against this attack vector another authentication mechanism was created that authenticates users based on something they have with them. This can include hardware keys, smartcards etc and these hardware devices would contain an embedded certificate that can be used to uniquely identify the holder.

The final method of authentication is something you are, which is provided by biometric authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, face scans, and voice analysis. Fingerprints, face scans and iris scans are the most widely used biometric methods today.

Multifactor Authentication

When a system uses a combination of two or more of the authentication methods described in the previous section, the system is said to be using Multi-factor Authentication (MFA). The key point to remember is that a system is only considered to be using MFA if the authentication factors are in at least two of the categories. So if the authentication mechanism uses a password and a second PIN to authenticate, it won’t count as MFA because both are things that you know.

Weaknesses in the current User Authentication methods

The current user authentication methods have several weaknesses that make it easy for attackers to compromise and bypass the checks. Complex passwords are harder to crack or guess than simple passwords, but they are harder for users to remember. So, users tend to use the same passwords across multiple sites or use passwords that are simple to remember. Unfortunately, passwords that are simple to remember are also easy to guess.

Another risk is that an attacker can compromise a site or server using vulnerabilities in the OS, services or applications running on it. Once they have access, they can gain access to the stored passwords for all users and depending on the encryption scheme used the passwords for user accounts can be guessed quickly. This is an attack vector that has been seen frequently over the past few years with password lists for major sites such as LinkedIn (Morris, 2021) and Yahoo (Goel & Perlroth, 2016) etc being compromised and leaked.

Hardware tokens or smart cards can be cloned, copied or stolen. If the card is not deactivated when it is lost or stolen an attacker can use it to gain access to restricted resources. Tools to create copies of smartcards are available easily in the market (Benchoff, 2016) using which an attacker can clone the cards quickly.

Biometrics was touted as an authentication mechanism that is almost impossible to bypass but unfortunately the hype didn’t match reality. Fingerprint authentication systems have been compromised using copies of fingerprints lifted from glasses, door knobs etc transferred to jello, Glycerin and gelatin. (Barral & Tria, 2009)

Facial recognition systems have been fooled by photographs and cosmetics. Researchers have also used the StyleGAN Generative Adversarial Network (GAN) to create master faces that can be used to impersonate 40% of the population. (Shmelkin et al., 2021)

Voice authentication systems have been bypassed using voice recordings and AI based ‘deep fake’ technologies. Amazon recently showcased technology that allows Alexa to impersonate the voices of people based on a few minutes long voice recording of the person being impersonated.

Similar bypasses have been found for all authentication mechanisms currently in use, and thus researchers have been exploring new authentication mechanisms which would be harder to bypass and fool. One such field being explored is behavioral biometrics, and we will explore the field, its implications, and the pros and cons of the technology in this paper.

Introduction to Behavioral Biometrics

Behavioral biometrics is the study and use of uniquely identifying and measurable patterns in human activities that can include keystroke dynamics, gait analysis, mouse use characteristics, signature analysis etc. The field postulates that a user can be identified based on these characteristics just as uniquely as they can be using physical biometrics.

Another advantage of using Behavioral Biometrics over physical biometrics is that it doesn’t require specialized equipment to collect the data. Data can be collected using existing hardware and only requires software analysis and processing which makes it cheaper to implement to a certain extent and we will look at this in more detail later in the paper.

Behavioral Biometrics can include the following:

Keystroke Dynamics:

According to studies, if a group of users is asked to type the same paragraph of text, each of them will type it slightly differently, with different delays between each character being typed and different rhythms for the text. This allows a system to identify the user based on how they type, including criteria such as:

  • The user’s typing speed
  • Time elapsed between each consecutive keystroke
  • The time that each key is held down
  • The frequency with which the number pad keys are used
  • The timing and sequence of the keys used to type a capital letter
  • The error rate in typing, such as use of the Backspace key and words repeatedly mistyped by the user.

As each person would type the password slightly differently the system can use it to identify the authorized user and block attackers who might have gained the password for a given user.

Cursor Movement:

This uses the tracking speed, clicks and path taken by the mouse cursor during use to create a profile for the active user. This would be useful if the user uses the same set of applications frequently; if they use a varied set of applications that keeps changing, it would not be accurate.

Finger pressure on keypad:

This analyses the pressure on the keyboard to create a user profile. This is a lot more relevant for mobile devices and other devices with a touchscreen interface, as they allow us to capture pressure details easily without extra hardware.

Posture:

Every person has a different way of standing and a sufficiently trained system can look for differences in how the person sits in front of the computer and their posture while using the system.

Gait:

Gait analysis attempts to identify a person based on their walking style, which includes movements such as stride length, posture, and speed of travel etc.

Each of the methods we listed above can potentially be used to continuously re-validate a logged in user.

Historical use of Behavioral Biometrics for authentication

Historically, behavioral biometrics have been in use since the 1860s, when experienced telegraph operators were able to identify individual operators by the way they sent their signals. In World War II, allied officers used it to validate the authenticity of messages they received based on how they were sent. (Das, 2020) Similarly, other organizations used this ability as an extra validation layer when communicating instructions over telegraph.

The Military has also used gait recognition to identify imposters in their base who are trying to impersonate authorized personnel to gain access to sensitive information.

Current state & the Future for Behavioral Biometrics

The behavioral biometrics market revenue totaled ~US$ 1.1 Bn in 2020, according to Future Market Insights (FMI). The overall market is expected to reach ~US$ 11.2 Bn by 2031, growing at a CAGR of 23.6% for 2021 – 31. (Future Market Insights, 2021)

As we can see, an increasing number of institutes, financial companies, website owners are using behavioral biometrics in their systems to detect fraudulent usage. The Royal Bank of Scotland uses it to monitor visitors to their websites and apps, others use it in their applications to monitor and authenticate users as an extra verification layer. (PYMNTS.com, 2018)

With increases in processing capacity, sensor sensitivity and better processing algorithms, systems can identify individual users more accurately. This allows systems to detect bots and password sharing or compromise.

Ecommerce sites have increasingly started incorporating this technology into their setup to prevent fraud. It can also potentially allow systems to make an educated judgment about the visitor’s gender and age to show appropriate products.

Considering the advantages and minimal hardware investment we will only see an increase in the use of Behavioral Biometrics for authentication in the future.

Advantages of using Behavioral Biometrics for authentication

Behavioral Biometrics have the following advantages that make them attractive for companies and institutes to implement:

  • Flexibility: The data being analyzed is not limited to currently identified sets that we have discussed so far. Since most of the processing being done is on the software side the organization can easily add additional behavioral data to be analyzed and processed.
  • Convenience: A major plus point for the technology is that it is a passive layer of security. This allows it to work without interfering with user workflows, which removes a major obstacle to incorporating security into the system, as traditional security setups decrease the usability of the system.
  • Efficiency: It can be applied in real-time to detect fraudulent use, and the system can be run against historic data as well to detect improper use after the fact.
  • Security: Behavioral characteristics are hard to replicate and thus incorporating this additional layer of security improves the security of the system.

Disadvantages of using Behavioral Biometrics for authentication

As with all systems, there are some disadvantages to using a Behavioral Biometric system for authentication as well. If we are using keystroke analysis, the text being entered has to be long enough for the system to generate a profile and match it; so if we are only using it as an additional validation step during password entry and the user’s password is too short, the system might not be able to create and match a profile.

Another problem is that a user’s behavior can change drastically due to various valid reasons and that can cause access issues when the algorithm is unable to account for the changes. Some of the reasons can include:

  • Illness or Injury: If a person is injured or unwell then their usage patterns will change
  • Stress
  • Pregnancy
  • Sleep deficiency
  • Caffeine deficiency or overindulgence
  • Tiredness: If a user logs back in after a session in the gym their usage patterns are going to differ from the pattern before their gym session
  • Time of day: Some people are more active during certain times of day so their usage patterns will vary based on the time of the day.
  • Distractions: If the user is distracted while working, for example if they are on a call and working at the same time, their behavior patterns will be different.
  • Location: If the person logs in from a different location and is working with a different setup, their metrics are going to be different. For example, the profile when using an ergonomic keyboard in the office vs using a laptop keyboard while working remotely will be drastically different, and the system will have a hard time creating a consolidated profile for such users.
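An added example (not from the paper) covering the Keystroke Dynamics section and the drift problem in the list above: a profile is built from per-key hold time, gap between consecutive keys and overall typing time, a z-score distance decides whether a new sample matches, and the same user typing about 40% slower after a gym session is rejected just like an impostor unless the profile is re-enrolled on recent accepted samples. All timings, the phrase and the function names are constructed for the demonstration.

```python
import statistics
from typing import List, Sequence, Tuple

# One keystroke event: (key, press_time_ms, release_time_ms), in typing order.
Sample = List[Tuple[str, int, int]]
Profile = List[Tuple[float, float]]  # per feature: (mean, spread)


def make_sample(text: str, dwell_ms: int, flight_ms: int) -> Sample:
    """Constructed sample: every key held for dwell_ms, gap of flight_ms between keys."""
    events, t = [], 0
    for ch in text:
        events.append((ch, t, t + dwell_ms))
        t += dwell_ms + flight_ms
    return events


def features(sample: Sample) -> List[float]:
    """Three of the criteria listed in the paper: hold time per key, time between
    consecutive keystrokes, and overall typing speed for the phrase."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    total = sample[-1][2] - sample[0][1]
    return [statistics.mean(dwell), statistics.mean(flight), float(total)]


def enroll(samples: Sequence[Sample]) -> Profile:
    """Per-feature mean and population spread over the enrollment samples."""
    vectors = [features(s) for s in samples]
    profile = []
    for j in range(len(vectors[0])):
        column = [v[j] for v in vectors]
        spread = statistics.pstdev(column) or 1.0  # avoid division by zero on identical samples
        profile.append((statistics.mean(column), spread))
    return profile


def distance(profile: Profile, sample: Sample) -> float:
    """Mean absolute z-score: how many spreads away from the user's habits this sample is."""
    return statistics.mean(abs(x - mu) / sd for x, (mu, sd) in zip(features(sample), profile))


def accept(profile: Profile, sample: Sample, threshold: float = 2.0) -> bool:
    return distance(profile, sample) <= threshold


def adapt(history: List[Sample], sample: Sample, window: int = 5) -> Profile:
    """Re-enroll on the most recent accepted samples so that slow drift is absorbed;
    a sudden change (illness, a gym session) still fails the check."""
    history.append(sample)
    del history[:-window]
    return enroll(history)


PHRASE = "correct horse"
# Enrollment: five constructed typings of the phrase with the user's usual rhythm.
ENROLL = [make_sample(PHRASE, d, f)
          for d, f in [(80, 110), (90, 120), (100, 130), (85, 115), (95, 125)]]
GENUINE = make_sample(PHRASE, 92, 118)     # same user, usual rhythm
IMPOSTOR = make_sample(PHRASE, 60, 200)    # knows the phrase, different rhythm
TIRED = make_sample(PHRASE, 126, 168)      # same user after the gym: ~40% slower throughout

if __name__ == "__main__":
    profile = enroll(ENROLL)
    for label, sample in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("tired", TIRED)):
        print(f"{label:9s} distance={distance(profile, sample):5.2f} accept={accept(profile, sample)}")
    history = list(ENROLL)
    updated = adapt(history, GENUINE)
    print("after adapt, slightly drifted sample accepted:",
          accept(updated, make_sample(PHRASE, 93, 117)))
```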

Another major issue with this technology is the Privacy implications. If we are implementing a system that monitors every keystroke and mouse movement and logs it for analysis then that has a serious privacy implication as sensitive data that shouldn’t be logged such as medical information, personal account passwords, other sensitive information etc can get logged as well. Once the data is logged there is a possibility of data leaks or a breach of the security system which would expose the collected information to an attacker.

Depending on the user’s location collection of this kind of data can be illegal due to rules such as the GDPR (Krausová, 2018), the California Consumer Privacy Act (CCPA) and other such rules. They will also limit the information that can be transmitted across state & country boundaries which can be a concern for multinational companies.

Finally, incorporating the processing required for behavior analysis on the local system can be resource intensive, which might make the setup infeasible for older machines. If the processing of the data is consolidated at a central location, then the usage data would need to be transmitted to that location over the network, which can potentially max out the bandwidth and, depending on network congestion, cause unacceptable delays in processing and access.

Results and Recommendations

Based on our review of the current state of Behavioral Biometrics in the industry and the technological state of the systems and algorithms, we find that the technology does help increase the security of a system by adding an additional layer of security. However, it is not yet mature enough to deploy for general commercial implementation and should only be used for securing highly sensitive systems and infrastructure where the security considerations outweigh the limitations identified earlier in the paper.
Once the technology is more mature and the issues identified earlier have been mitigated, it can slowly be incorporated into the general computing world as an optional additional layer of security. At no point should this be used as the only layer of security for any system.

Conclusion

Behavioral Biometrics as a security measure is a technology still in its early stages of use and implementation, and while it does add an additional layer of security, the current limitations do not justify a general release and implementation in general-use computing. The system should only be implemented in systems such as classified military systems, critical corporate servers containing highly sensitive information, etc., where the benefits or security concerns outweigh the disadvantages of using a technology that still needs to mature.

References

Alzubaidi, A., & Kalita, J. (2016). Authentication of smartphone users using behavioral biometrics. IEEE Communications Surveys & Tutorials, 18(3), 1998–2026. https://doi.org/10.1109/comst.2016.2537748

Araujo, L. C. F., Sucupira, L. H. R., Lizarraga, M. G., Ling, L. L., & Yabu-Uti, J. B. T. (2005). User authentication through typing biometrics features. IEEE Transactions on Signal Processing, 53(2), 851–855. https://doi.org/10.1109/tsp.2004.839903

Banerjee, S. P., & Woodard, D. (2012). Biometric authentication and identification using Keystroke Dynamics: A survey. Journal of Pattern Recognition Research, 7(1), 116–139. https://doi.org/10.13176/11.427

Barral, C., & Tria, A. (2009). Fake fingers in fingerprint recognition: Glycerin supersedes gelatin. Formal to Practical Security, 57–69. https://doi.org/10.1007/978-3-642-02002-5_4

Benchoff, B. (2016, January 18). Emulating and cloning smart cards. Hackaday. Retrieved June 27, 2022, from https://hackaday.com/2016/01/18/emulating-and-cloning-smart-cards/

Bo, C., Zhang, L., Li, X.-Y., Huang, Q., & Wang, Y. (2013). Silentsense. Proceedings of the 19th Annual International Conference on Mobile Computing & Networking – MobiCom ’13. https://doi.org/10.1145/2500423.2504572

Das, R. (2020, October 14). A behavioral biometric – keystroke recognition. Infosec Institute. https://resources.infosecinstitute.com/topic/a-behavioral-biometric-keystroke-recognition/

Future Market Insights. (2021, October). Behavioral biometrics market. Future Market Insights. https://www.futuremarketinsights.com/reports/behavioral-biometrics-market

Goel, V., & Perlroth, N. (2016, December 14). Yahoo says 1 billion user accounts were hacked. The New York Times. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html

Krausová, A. (2018). Online behavior recognition: Can we consider it biometric data under GDPR? Masaryk University Journal of Law and Technology, 12(2), 161–178. https://doi.org/10.5817/mujlt2018-2-3

Morris, C. (2021, June 30). LinkedIn data theft exposes personal information of 700 million people. Fortune. https://fortune.com/2021/06/30/linkedin-data-theft-700-million-users-personal-information-cybersecurity/

PYMNTS.com. (2018, August 15). What’s behind the rise of behavioral biometrics? PYMNTS.com. Retrieved June 27, 2022, from https://www.pymnts.com/fraud-prevention/2018/behavioral-biometrics-uk-banks-authentication-security-privacy/

Shmelkin, R., Friedlander, T., & Wolf, L. (2021). Generating master faces for dictionary attacks with a network-assisted Latent Space evolution. 2021 16th IEEE International Conference on Automatic Face and Gesture Recognition (FG 2021). https://doi.org/10.1109/fg52635.2021.9666968

Workos. (2020, September 5). A developer’s history of authentication – WorkOS. A Developer’s History of Authentication. https://workos.com/blog/a-developers-history-of-authentication


Note: This was originally written as a paper for one of my classes at EC-Council University in Q2 2022.

– Suramya

August 6, 2022

Post Quantum Encryption: Another candidate algorithm (SIKE) bites the dust

Filed under: Computer Security,Computer Software,Quantum Computing — Suramya @ 8:23 PM

Quantum Computing has the potential to make the current encryption algorithms obsolete once it gets around to actually being implemented on a large scale. But the cryptographic experts in charge of such things have been working on Post Quantum Cryptography/Post Quantum Encryption (PQE) over the past few years to offset this risk. SIKE was one of the KEM algorithms that advanced to the fourth round earlier this year, and it was considered an attractive candidate for standardization because of its small key and ciphertext sizes.

Unfortunately, while that is true, researchers have found that the algorithm is badly broken. Researchers from the Computer Security and Industrial Cryptography group at KU Leuven published a paper over the weekend, “An Efficient Key Recovery Attack on SIDH” (Preliminary Version), that describes a technique which allows an attacker to recover the encryption keys protecting SIKE-protected transactions in under an hour using a single traditional PC. Since the whole idea behind PQE was to identify algorithms that are stronger than the traditional ones, this immediately disqualifies SIKE from further consideration.

Abstract. We present an efficient key recovery attack on the Supersingular Isogeny Diffie–Hellman protocol (SIDH), based on a “glue-and-split” theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently run by NIST, in about one hour on a single core.

The attack exploits the fact that SIDH has auxiliary points and that the degree of the secret isogeny is known. The auxiliary points in SIDH have always been an annoyance and a potential weakness, and they have been exploited for fault attacks, the GPST adaptive attack, torsion point attacks, etc.

This is not a bad thing, as the whole testing and validation process is supposed to weed out weak algorithms, and it is better to have them identified and removed now than after their release, because then it becomes almost impossible to phase out systems that use the broken/compromised encryption algorithms.

Source: Schneier on Security: SIKE Broken

– Suramya

June 5, 2022

Hacking a computer using Ham radio transmissions is now possible!

Filed under: Computer Security,Computer Software,Tech Related — Suramya @ 11:59 PM

Hacking a computer by getting it to listen to a Ham Radio station broadcast seems like the plot of a bad movie or TV series about ‘hackers’, but this is not a fictional story. It is now in fact possible to hack a WinXP or Windows 10 computer over the air; all that is needed is for the target to be using WinAPRS on their computer to listen to the broadcast, and then they are fair game.

I am in awe of this finding because figuring out how to generate radio packets that will cause a memory overflow/corruption, and then figuring out how to generate the packets in a way that allows you to get RCE (Remote Code Execution), requires phenomenal hacking skills and understanding of the underlying systems.

WinAPRS is unlikely to get a fix for the issue because the author no longer has an environment to build/test the software, as the last update to the code was back in 2013. However, the author is aware of the problem, and who knows, they might get the environment working again and fix the issue.


Video demo of the issue on a Windows 10 machine (Credit: Coalfire.com)

This bug does show us that we can have the world’s most protected / isolated system, but if there is any way to get external information/input into it, then the system can potentially be attacked.

You can read the full walk through of the process at: Hacking Ham Radio: WinAPRS – Part 5

– Suramya
