The proof-of-concept involved induced short-duration transient faults, which resulted in recovery of private key bits. The remaining phase-space was explored on an eighty-one node cluster, and yielded a 1024-bit RSA key in approximately one-hundred hours. So far, this is difficult to induce, but the researchers state “If environmental conditions (such as high temperatures or voltage manipulation by an attacker) slow down the signal propagation in the system, it is possible that signals through the critical path do not reach their corresponding registers or latches before the next clock cycle begins.” (Pellegrini, A., Bertacco, V. & Austin, T. 2010)

Pellegrini, A., Bertacco, V. & Austin, T. (2010) ‘Fault-Based Attack of RSA Authentication’, University of Michigan [Online]. Available from: http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf (Accessed 5th March 2010).

“There could be child pornography, there could be bomb-making recipes,” said one detective. “Unless you tell us we’re never gonna know… What is anybody gonna think?”

Clearly an attempt to coerce the suspect into releasing decryption keys. In this case the key was relating to Hard Disk Drives ETC., but it also seems to be a law that could be applied to content encryption mechanisms, such as PGP or GnuPG.

Now this is where things start to get a little sticky. HDD encryption is self-contained, in that unlike typical E-Mail or Voice encryption, we are not sharing a portion of the key material with anyone else, it’s limited by a physical boundary. Yet with E-Mail encryption this boundary does not exist, because it needs to work over a public network.

A sender will need to encrypt a message meant for a recipient with their public key, in order for the recipient (and hopefully only the recipient) to be able to decrypt the message with their private key. So in order to facilitate confidentiality, integrity and authenticity most users of PGP / GnuPG will make their public-keys available, on web-sites, on Facebook, or on key-servers… Can you see where this is leading? I wonder, how easy it would be for some nefarious sort to target a specific recipient with an e-mail encrypted with their public key (so only the private key can be used to decrypt it) implicating them in a crime via the subject heading, as the subject is not typically encrypted, and carbon-copying the nearest Police Service.

Better still, if such a person is going to do this, why would they not get more return for their time by searching the various key servers for all submitted keys for those in the United Kingdom, and then send a variation of the e-mail to them, carbon-copying the Police Service again. I wonder how many people would submit to relinquishing their keys in this case, compared to those that had either lost the keys, or refused to relinquish the keys. As Bruce Schneier states:

But if you’re guilty of something that can only be proved by the decrypted data, you might be better off refusing to divulge the key (and facing the maximum five-year penalty the statue provides) instead of being convicted for whatever more serious charge you’re actually guilty of.

There is of course the issue that assurance of identity is not provided through this form of e-mail encryption, so so one could simply register keys in other peoples names, and then perform the attack against them. This implies that they have the corresponding private key, which — of course — they don’t, because it’s probably the first they’ve heard of e-mail encryption. This could also be seen as a refusal to relinquish decryption keys. A similar demonstration / protest was made when the law was originally being bandied about.

To make this concrete, consider an exploit that affects 1% of users annually, and they waste 10 hours clearing up when they become victims. Any security advice should place a daily burden of no more than 10/(365 × 100) hours or 0.98 seconds per user in order to reduce rather than increase the amount of user time consumed. This generates the profound irony that much security advice, not only does more harm than good (and hence is rejected), but does more harm than the attacks it seeks to prevent, and fails to do so only because users ignore it. In the model we set forward it is not users who need to be better educated on the risks of various attacks (as Adams et al. [21] suggest), but the security community. Security advice simply offers a bad cost-benefit tradeoff to users.

I just can’t fault logic such as this, and I’m sure we’ve all noted how confusing security awareness has become over the years for users. As Security professionals, we all read the advice that gets communicated to them through various channels, and we may find it pointless and lacking. Serving only to confuse the user or entirely fail to engage them in the first instance… Or worse, be utterly incorrect or at least fail to be applicable. Try as we might, we should eventually realise that users are not good at detecting fraud, nor are they good at doing our jobs for us!

Does this mean all security advice is useless? No, just a vast majority of it. In my opinion, an awareness programme should be cohesive and bespoke for each user population, for each organization to meet the top issues for that organization. It’s also important controls are in place to reduces the requirement for the secondment of users’ time to the security team. The awareness programme should be short, entertaining and designed to get users thinking about transferable security checks and balances, which they can then apply to their own processes.

Printers, or multi-functional devices sitting in general access office space can be a significant attack vector for anyone wishing to harvest some data. Due to the increased demand in usage, just about all office printers have a local hard disk drive to free up spooling resources at the server. However, spooling is done at the server because it’s assumed to be in a physically secure area, now with printers performing additional spooling on non-volatile media, the data sent for printing is no longer protected by enhanced physical security that comes with a dedicated data-center or communication’s room. Leaving physical access open to general employees and third-party contractors.

At this point, one should consider whether certain departments should participate in such schemes, or have their own dedicated printing facilities in a physically secure location. One should consider hard disk drive encryption to counter any casual, opportunist, or uninformed attack… Perhaps in certain environments we start implementing tamper-resistant hardware along the lines of ATMs, for example; pitting memory modules to mitigate against cold-boot attacks.

Simply changing the permissions of /var/mobile/Applications/<id>/Documents, and /var/mobile/Applications/<id>/tmp to 775, and then re-booting your iPhone should be enough to fix the issue. In order to do that, you’ll first need SSH access to your iPhone.

However, the nearest thing up until this point has either been the ZX Spectrum Ghostbusters game, or running around in a jump-suit at fancy dress parties… And when everyone thinks you’ve come as Aneka Rice, you know it’s time to stay indoors, and turn on your PS3.

This game has just caught the image and appeal of the franchise very well. All the original Ghostbusters team provide voice talent, and the story was written by Dan Aykroyd and Harold Ramis. The graphic are great, without being over-done, the photon-beams are very faithful, the trapping is great, and the abuse of the physics engine lends well to modeling psycho-kinetic capable entities. See, I’m even sounding like one of the team.

The only niggle I have is that wrangling ghosts with a joy-pad just doesn’t translate that well, sure it’s fun, but it would probably be more fun if a friend could tie some rope to my hands whilst I’m playing, and occasionally drag me around the room whilst I was attempting to capture ghost in-game. But then we start drawing up analogies with the Aneka Rice gag… Perhaps this is a game which would lend itself to a fishing-reel like controller, or at least something with a little more buzz or force-feedback than a wireless controller.

Either way, it’s still a hoot, and I’m looking forward to trying some on-line play, once I complete the single-player game!

I’ve also added the WordPress Facebook Connect plugin to the blog, and after my small hiatus will probably assess the effort required in porting that plugin to bbPress. It will — of course — be shared with the community if I decide to port it.

I’ve created a relevant signature, and added it to this blog. It will make it’s way into a future release of the WordPress Web Tripwire Plugin.