Jasmeet Chhabra's blog

Your accounts may be in danger if you use the same password across different websites. Read on for a solution.

Do you use the same password across different websites? Do you know that if you do so, your password may be stolen by any one of the websites you signed up with and then used against the others? So, is there a solution? The best solution, of course, is to use a different password at each website you sign up with. But for most mere mortals that is not a practical option. I will tell you what I do. I use a password generator that generates a unique password for me at each website I sign up with. The password generator takes a secret pass phrase that I enter and the website's unique URL and cryptographically mixes them to generate a unique password for the website. It basically uses a cryptographic hash function to make sure that even if somebody gets access to one of your passwords, your secret pass phrase cannot be recovered from it. To learn more about why that works, see here.

To be even more secure I actually have two pass phrases. I use one pass phrase to generate passwords for all the websites that are related to banking or finance, and the other for normal websites like Google etc. The password generator is actually just a bookmark and is compatible with all browsers. Here is a link to the password generator.

Note that when you visit the link you will find that there is also a mobile version of the password generator, which is useful when you are working on a machine that is not your own. This mobile version generates passwords from a web page form. You can copy this mobile password generator and run it on your own website.

Are you sure you sanitized the data enough to remove all private information and make it anonymous?

In our work as security professionals we often encounter decisions about what data to reveal or hide due to privacy concerns. I am sure that when Netflix decided to release its data as part of the challenge to come up with a better recommendation algorithm, it thought that it had sanitized the data enough. But it seems that Arvind Narayanan and Vitaly Shmatikov, researchers at the University of Texas at Austin, were able to extract enough info out of the data to identify a few sampled users. More at this FAQ.

They used some data mining techniques and associated the Netflix data with that stored by the user on IMDb. Since the IMDb data is available publicly and is associated with usernames, they were able to associate the two sets of data and identify which Netflix data belonged to a particular user on IMDb. In effect they removed the anonymity of the Netflix data for that user.
It makes perfect sense if you realize that with so many choices in this world, our habits are very individual and unique, whether they are movie watching habits, eating habits, buying habits etc.
So, how do we anonymize the data? By inserting errors, removing random pieces etc.? It seems none of that works, since very little data is needed to uniquely identify you.
This quote from this article explains it very clearly:
"Other research reaches the same conclusion. Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. "In general," the researchers wrote, "few characteristics are needed to uniquely identify a person.""

So in effect, as the power of computers and the amount of public data increase, can we pretty much say goodbye to anonymity? Only the future will tell, but the signs don't look good. Attacking anonymous data is exactly how we will learn how to defend anonymity. Narayanan and Shmatikov are currently working on developing algorithms and techniques that enable the secure release of anonymous datasets like Netflix's. We need a lot more researchers like them to learn how to do anonymity right.

When a computer/agent executes a contract who is responsible?

I just found this article on SecurityFocus which talks about the legal implications of computers executing operations on your behalf. Who is responsible if an automated agent buys something on your behalf, or logs on to a website on your behalf by automatically accepting the TOS? As usual, technology seems to be moving much faster than the law here. Maybe that is why the book The Sovereign Individual: Mastering the Transition to the Information Age says that technology is going to end the nation state, as governments' powers are eroded by technology moving too fast for them to control.

Why I like Firefox

I love Firefox, and besides the standard reasons of it being faster, having a better interface etc., the main reason I love Firefox is its add-ons. As an example, some of the security related add-ons that I have in my Firefox browser are:

  • Add N Edit Cookies: Allows me to edit any cookie. A great tool for hacking the cookies that are stored by a website.
  • NoScript: This is the greatest Firefox extension in terms of improving security. It gives an awesome amount of control over which websites are allowed to run scripts in the browser and even prevents some XSS attacks.
  • Tamper Data: Allows you to view and modify HTTP/HTTPS headers and POST parameters. Great hacking tool!

How good is iViz Tech's technology?

Found this Red Herring article from this blog. The article claims that technology by the startup iViz Tech in India "Aims to Put Hackers Out of Work". The Red Herring article is a little light on details, so I looked through their website. They claim to use "Emulation of Human Intelligence" to simulate attacks the way a real hacker would. It is probably more like an expert system, because simulating a real human hacker at any reasonable level is currently not possible. This implies that although it would be possible for it to find new attacks, it would probably be impossible for it to find a totally new class of attacks. Also, there are other penetration testing companies which use AI techniques for penetration testing, like Rapid7. So, what is new? Not very clear from the description on their website. If you know, let me know. Also, I think that "Putting Hackers out of work" is just headline-grabbing bait, as the current state of AI does not allow us to do that. It may make the penetration tester's job much easier though.
Update: Found another company which offers Artificial Intelligence based penetration testing tools: Procheckup.
P.S.
"Artificial Intelligence" for security attacks has also previously been employed in the technique of fuzzing, used by some security researchers to find an exploit a day for a month in different browsers. Hackers are beginning to employ fuzzing/AI too.

Created Web Application Security resource list

I just created this Web Application Security resource list. I hope to maintain this and make it more useful as I find more links.

Computer Security World First Post

This is my first post. I will try to put up information, news and comments on different security and cryptography aspects, including tutorials, how-tos, reviews etc. Basically, anything that catches my fancy in the area of security and cryptography.
