Courtesy Peter Bright, ArsTechnica
Photocopiers exist to produce close enough replicas of original documents. Traditionally, they just spit out the result onto paper. Most copiers these days can operate as (generally rather large) scanners, generating PDFs, TIFFs, or other electronic representations. But some Xerox copiers have recently been found to produce scans that, well, aren’t that close to the originals at all. The copiers are producing documents that look superficially similar to the originals but switch around numbers apparently at random.
German computer scientist David Kriesel wrote about the problem last week. He scanned some construction plans with a Xerox WorkCentre 7535 and noticed that the photocopier was resizing the rooms in his floorplans. One room annotated as being 21.11 square meters (roughly 277 square feet) got shrunk to 14.13 square meters (152 sq. ft.). So, too, did a room that should have been 17.42 square meters (187.5 sq. ft.). In both cases, the photocopier was taking the numbers from a third room—one that really should be 14.13 square meters—and using them for the other two rooms.
Further investigation revealed that this was not an isolated incident. A table of prices also came out wrong: a price of €65.40 ($86.71) became €85.40 ($113.22).
Kriesel currently speculates that this is an artifact of the compression being used. The scanned output can generally use any of several compression formats. One of these formats is called JBIG2. It’s designed for black-and-white (bitonal) images. The algorithm recognizes text-like portions of the image, which it then breaks down into a series of symbols (typically one symbol per character). The compressed image contains a sequence of symbols along with a dictionary to look up the shape each symbol represents.
It appears that the Xerox machines are somehow mixing up their symbols, perhaps judging two different characters to be so similar that they should be represented by the same symbol even when they should not.
Kriesel says he has received reports that, in addition to the two models of WorkCentre that he’s had issues with, other Xerox copiers show the same problem. The faulty scans can apparently be avoided by ensuring that JBIG2 compression isn’t used. Xerox has been notified of the errors but has not produced a fix yet.
Courtesy Sean Gallagher, ArsTechnica
Information security firm Trustwave has reported a potential cyber-attack vector to a device you may have never expected the phrase "security vulnerability" would be applied (other than in reference to the end of a toilet paper roll, that is). In an advisory issued August 1, Trustwave warned of a Bluetooth security vulnerability in Inax’s Satis automatic toilet.
Functions of the Satis—including the raising and lowering of its lid and operation of its bidet and flushing nozzles—can be remotely controlled from an Android application called "My Satis" over a Bluetooth connection. But the Bluetooth PIN to pair with the toilet—"0000"—is hard-coded into the app. "As such, any person using the ‘My Satis’ application can control any Satis toilet," the security advisory noted. "An attacker could simply download the ‘My Satis’ application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, [or] activate bidet or air-dry functions, causing discomfort or distress to user."
And you thought the only thing you had to worry about was dropping your phone into the toilet.
Courtesy Peter Bright, ArsTechnica
At the Black Hat security conference in Las Vegas, a quartet of researchers, Alex Stamos, Tom Ritter, Thomas Ptacek, and Javed Samuel, implored everyone involved in cryptography, from software developers to certificate authorities to companies buying SSL certificates, to switch to newer algorithms and protocols, lest they wake up one day to find that all of their crypto infrastructure is rendered useless and insecure by mathematical advances.
We’ve written before about asymmetric encryption and its importance to secure communication. Asymmetric encryption algorithms have pairs of keys: one key can decrypt data encrypted with the other key, but cannot decrypt data encrypted with itself.
The asymmetric algorithms are built on an underlying assumption that certain mathematical operations are "hard," which is to say, that the time it takes to do the operation increases proportional to some number raised to the power of the length of the key ("exponential time"). However, this assumption is not actually proven, and nobody knows for certain if it is true. The risk exists that the problems are actually "easy," where "easy" means that there are algorithms that will run in a time proportional only to the key length raised to some constant power ("polynomial time").
The most widely used asymmetric algorithms (Diffie Hellman, RSA, and DSA) depend on the difficulty of two problems: integer factorization, and the discrete logarithm. The current state of the mathematical art is that there aren’t—yet—any easy, polynomial time solutions to these problems. However, after decades of relatively little progress in improving algorithms related to these problems, a flurry of activity in the past six months has produced faster algorithms for limited versions of the discrete logarithm problem.
At the moment, there’s no known way to generalize these improvements to make them useful to attack real cryptography, but the work is enough to make cryptographers nervous. They draw an analogy with the BEAST, CRIME, and BREACH attacks used to attack SSL. The theoretical underpinnings for these attacks are many years old, but for a long time were dismissed as merely theoretical and impossible to use in practice. It took new researchers and new thinking to turn them into practical attacks.
When that happened, it uncovered a software industry ill-prepared to cope. A lot of software, rather than allowing new algorithms and protocols to be easily plugged in, has proven difficult or impossible to change. This means that switching to schemes that are immune to the BEAST, CRIME, and BREACH attacks is much more difficult than it should be: though there are newer protocols and different algorithms that avoid the problems that these attacks exploit, compatibility concerns mean that they can’t be rapidly rolled out and used.
The attacks against SSL are at least fairly narrow in scope and utility. A general purpose polynomial time algorithm for integer factorization or the discrete logarithm, however, would not be narrow in scope or utility: it would be readily adapted to blow wide open almost all SSL/TLS, ssh, PGP, and other encrypted communication. (The two mathematical problems, while distinct, share many similarities, so it’s likely that an algorithm that solved integer factorization could be adapted in some way to solve the discrete logarithm, and vice versa).
Worse, it would make updating these systems in a trustworthy manner nearly impossible: operating systems such as Windows and OS X depend on digital signatures that in turn depend on these same mathematical underpinnings to protect against the installation of fraudulent or malicious updates. If the algorithms were undermined, there would be no way of verifying the authenticity of the updates.
While there’s no guarantee that this catastrophe will occur—it’s even possible that one day it might be proven that the two problems really are hard—the risk is enough to have researchers concerned. The difficulties of change that BEAST et al. demonstrated mean that if the industry is to have a hope of surviving such a revolution in cryptography, it must start making changes now. If it waits for a genius mathematician somewhere to solve these problems, it will be too late to do anything about it.
Fortunately, a solution of sorts does exist. A family of encryption algorithms called elliptic curve cryptography (ECC) exists. ECC is similar to the other asymmetric algorithms in that it’s based on a problem that’s assumed to be hard (in this case, the elliptic curve discrete logarithm). However, ECC has the additional property that its hard problem is sufficiently different from integer factorization and the regular discrete logarithm that breakthroughs in either of those shouldn’t imply breakthroughs in cracking ECC.
However, support for ECC is still very problematic. Much of the technology is patented by BlackBerry, and those patents are enforced. There are certain narrow licenses available for implementations of ECC that meet various US government criteria, but the broader patent issues have led some vendors to refuse to support the technology.
Further, support of protocols that can use ECC, such as TLS 1.2 (the latest iteration of SSL technology) is still not widely available. Certificate authorities have also been slow to offer ECC certificates.
As such, the researchers are calling for the computer industry as a whole to do two things. First, embrace ECC today. Second, ensure that systems that use cryptography are agile. They must not be lumbered with limited sets of algorithms and obsolete protocols. They must instead make updating algorithms and protocols quick and easy, to ensure that software systems can keep pace with the mathematical research, and adapt quickly to new developments and techniques. The cryptopocalypse might never happen—but we should be prepared in case it does.
Courtesy Sean Gallagher, ArsTechnica
The National Security Agency’s broad Internet monitoring program can do a whole lot more than provide a look inside a person’s Internet life. According to documents on the X-Keyscore program published byThe Guardian, the system can also be used to find computers that are vulnerable to attack, allowing the NSA’s Tailored Access Office to exploit them.
A training slide on the capabilities of X-Keyscore provided to The Guardian by Edward Snowden entitled “TAO” (for Tailored Access Operations, the organization within the NSA that hacks the networks of foreign governments and organizations) states that vulnerability profiles used by TAO to find targeted systems can be used to “show me all the exploitable machines in country X.” The “fingerprints” for vulnerabilities are added as a filtering criteria for X-Keyscore’s filtering application “engines”—a worldwide distributed cluster of Linux servers attached to the NSA’s Internet backbone tap points.
Enlarge / "Show me all the exploitable machines in country X"—like searching for a banana bread recipe on Google.
This capability essentially turns X-Keyscore into a sort of passive port scanner, watching for network behaviors from systems that match the profiles of systems for which the NSA’s TSO has exploits constructed, or for systems that have already been exploited by other malware that the TSO can leverage. This could allow the NSA to search broadly for systems within countries such as China or Iran by watching for the network traffic that comes from them through national firewalls, at which point the NSA could exploit those machines to have a presence within those networks.
Other slides in the set of documents explain how X-Keyscore could be used to track down VPN sessions and determine who they belong to from selected countries. The program could also be used to capture metadata on the use of PGP encryptions in e-mails and encrypted Word documents for later decryption. While X-Keyscore keeps a "buffer" of all the Internet traffic it traps at its tap locations for about three days, metadata on traffic can be kept for up to 30 days, allowing the NSA to trace and store information on who created documents passing across the Internet. "No other system performs this on raw unselected bulk traffic," the document states—implying that searches can be made across traffic that hasn’t been specifically tagged for monitoring.
Whose VPN connection shall we crack today, Brain?