Some governments around the world, frightened by the interception of two bombs directed to the United States, decided to introduce stricter security measures for air transportations. To my sincere disappointment, the decisions made illustrate the complete helplessness and lack of "security thinking" of the tops.

In particular, the following additional measures were put in place:

As a precaution Britain said it was banning air passengers from taking large toner cartridges onto planes as hand luggage, while Nigeria said it would improve the scanning of cargo bound for the United States.

Okay, the terrorists will never be able to bring bombs on board inside toner cartridges anymore. They have nothing to do but use laptops, smartphones, pocket radios, Kens and Barbies and electric guitars for this purpose. The terrorists originating from Nigeria will just buy two tickets, from Nigeria to, say, Moldova (to bypass improved cargo scanning), and, further, from Moldova right to the United States.

Germany said it had suspended passenger flights from Yemen, and was considering expanding a cargo flight ban to other unnamed countries.

Wow. If Moldova won't accept flights from Nigeria, I know the country to use instead ;).

Britain said it was also banning all air freight sent from Somalia, adding to a ban on Yemen cargo flights imposed at the weekend.

Just another shot at the sky.

All the above cases share the same problem. There is a number of holes in the fence the attackers can reach the rancho through. Having caught the attackers by the hand getting through one of that holes, the government patches it... but does not consider the other holes, even though they are pretty close to the patched one. Disallowing to bring cartridges on board with a hand luggage, as well as rejecting flights from Yemen and Somalia, will change nothing. There is nothing that stops terrorists from simply using hand stuff of other kind and different countries to reach their goals. This is so obvious that I tend to think that either the governments have nothing to oppose to the terrorists with, or... well, nevermind.

Thanks to cracksinthepavement.com for the picture.

Fundamental vulnerability in PDF

Florian Zumbiehl discovered a fundamental flaw in the PDF standard that makes it possible to create valid digital signatures over an arbitrary content.

The flaw allows an attacker to create a pre-defined document with two different contents (say, one "visible" to the signer and another one "hidden"), make the signer sign the "visible" content, and then substitute it with the "hidden" one without invalidating the signature. I should note that signing should be performed with special software that "knows" about the flaw and the "Janus" feature of the document, and can sign it in the proper way to make content substitution possible in the future.

As far as I am aware of the way the Acrobat works, it cannot be used to perform such an attack on the signer. However, the flaw itself is extremely serious and may lead to various problems in future. For instance, one can attack their own signature and then insist on revoking it, arguing that the signature was attacked by a third party.

When the head matters

In one of the previous posts I said that the key is the most vulnerable part of the cryptosystem. Today I will concern the topic that is raised from time to time in press, that is understood by everyone and that is nevertheless ignored by everyone. It is the problem of password choosing.

I assume that the reader is a smart person who never writes his passwords down. If you do, you are free not to read the following.

Password is the cryptographic key that is stored in your head. Exactly as in the case with cryptographic key, the attacker will do his best to reduce the number of potential keys he had to try to break the system. Initially he has several good chances to win:

1. The attacker has to try much fewer cases to guess a password than to guess a key. Just compare: to guess a 8 byte key the attacker has to try 2^64 different cases. To guess a 8 character password consisting of alphanumeric characters (letters, numbers and other readable stuff like question marks, ampersands and plus symbols) the number of cases is limited by 2^52.
2. In contrast to keys, passwords usually consist of non-random characters. Many users create passwords basing on their names, or the names of their wives, husbands, children, pets, or other existing words. This fact also narrows the set of potential passwords to try.

Passwords are usually broken using dictionary attacks. Roughly speaking, the dictionary is a list of words that are consequently tried by an attacker. In this case the “word” term is used in sense of “a sequence of alphanumeric characters”, i.e. the dictionary includes not only the natural language words, but also other sequences of characters that potentially can form a password.

In real world everything is worse. Modern dictionaries and password cracking software are much more complex. In our days the dictionaries are generated dynamically basing on the various information know about the owner of the password, such as his or her name, date of birth, friends’ names, favorite drinks and so on. Skilled psychologists are involved in dictionary creation in order to reduce the number of words in it as much as possible and to find out the most likely passwords.

As you see, the attacker has a good chance to guess a password if the latter is not strong enough. That’s why it is important to follow the following rules when choosing a password:

a) The password must contain both letters and digits (and other printable characters, such as brackets, if the environment supports them),

b) The password must be long. Forget about passwords shorter than 10 characters. The 10-character password provides the same protection level as 64-bit symmetric encryption algorithm like DES. But who does use DES today?

c) The password must look absolutely random. It should not be actually random – you may use some rule to produce it (e.g., it may consist of the second letters of the words of your favorite song in college).

d) Invent your own password creation rules. Do not listen to recommendations such as to replace “E” with “3”, “g” with “9”, "l" with "1" and so on. Remember that hackers follow such recommendations too when create dictionaries ;).

It’s a good idea to use a password keeping software. There are several reasons for using it.

First, instead of keeping your passwords in [not fault-free] mind, you keep them in strongly encrypted form and even an iron won’t help an attacker to get it from you ;).

Second, there’s no risk of accidental disclosure of a password – the password is never displayed in readable form and is passed to the applications via the clipboard.

Third, most of such products support strong passwords generation.

There are dozens (if not hundreds) password keeping software products on the market today. Our company used to distribute our own password keeper, KeyLord, but we do not distribute it anymore. Of the existing tools, KeePass keeper is a good choice. Besides other positives, its source code is open, so you can be sure that your passwords are really encrypted with a strong cipher and are not silently sent somewhere via the Internet.

Good luck and keep your passwords well!