BestInternetSecurity.net

Information Security Resources


Archive for May, 2008



XOR and the One-Time Pad

Thursday 29 May 2008 @ 7:55 pm

Some of my students have asked why we always use XOR (Exclusive OR) when encrypting plaintext into ciphertext. To answer this question, first take a look at the output of the XOR function for each combination of inputs.

Input A   Input B   A XOR B
   1         1         0
   1         0         1
   0         1         1
   0         0         0

Suppose we have a plaintext of 1100001111100 and a key of any arbitrary binary number 0001111001000 of the same length. If we XOR them together to give a ciphertext, the ciphertext is:

Plaintext 1100001111100
Key 0001111001000
XOR Output 1101110110100

The XOR output is the ciphertext.

If we now apply the XOR function to the ciphertext with the same key:

Ciphertext 1101110110100
Key 0001111001000
XOR Output 1100001111100

The XOR output becomes the original plaintext.

So you can see, the XOR function does exactly what a symmetric encryption algorithm does.

We encrypt (XOR) the original message into the cipher message with any chosen key. Then we can decrypt (XOR) the cipher message back to the original one with the same key.

If you study a lot of symmetric encryption algorithms like DES, you will note that XOR functions play a very important role in the encryption process.

Perhaps the safest encryption system we can now build with symmetric encryption is the so-called “One-Time Pad.” This refers to using an infinitely long key to XOR with your original message to give a cipher message. If you do not repeat the bit sequence of the encryption key in your subsequent encryptions, then there is no way a hacker can uncover the original message from the ciphertext unless s/he has the same one-time pad (the encryption key) that you have. Claude Shannon proved, using information theory considerations, that the one-time pad has the property he termed perfect secrecy.

But of course, in practice, it is hardly feasible, if not impossible, to use a one-time pad. This is because the receiver needs to possess a one-time pad identical to yours in order to decrypt the message. You may have a hard time transmitting the one-time pad to the receiver beforehand, considering that it has to be long enough to fulfill your present and all future communication needs with the receiver.

The most interesting example of one-time pad I can think of is in the movie “Crimson Tide” with Denzel Washington. This movie is about a US Navy submarine. In the Navy, whenever a submarine is set out for a mission, it has to carry a pre-arranged decoding key (the one-time pad) for decoding the commander’s message sent to it during the mission’s journey. The one-time pad has to be long enough to cover the needs to decrypt all urgent messages of command within that journey. In this movie, the decoded message is about whether the submarine will launch the missile attack on its enemy which will provoke war! So you can see the decoding system is a crucial setup within the navy’s submarine operations.

Of course, whenever the submarine comes back to its base station, it has another chance to “refresh” the one-time pad stock to allow the decoding to be carried out in the next journey.

The one-time pad can never be reused. Otherwise, it will defeat its prime protection feature of being unbreakable by hackers because the keys used appear to be totally random in nature (as there is no repeating sequence). So there is no way the hacker can guess what it is.

And the random generator that produces each one-time pad has to be carefully designed. If it somehow fails to produce a one-time pad with truly random combinations of 0s and 1s, the encryption key generated from it could be broken. Although I cannot locate the source anymore, I once came across some literature describing an instance during World War II when the Germans’ one-time pad encryption system was broken because of an inherent weakness in its one-time pad generator, which perhaps was generating one-time pads with a statistical bias in the bit sequence, allowing the Allies to finally break the system.
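The XOR round trip from the tables above and the "never reuse the pad" rule can be checked in a few lines. This is an added example, not code from the original post; the OneTimePad class, the function names and the sample messages are constructed for illustration, and the OS random source stands in for a true random generator.

```python
import secrets

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings, as in the tables above."""
    if len(a) != len(b):
        raise ValueError("plaintext and key must be the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR a message with pad bytes; the pad must cover the whole message."""
    if len(pad) < len(data):
        raise ValueError("pad is shorter than the message")
    return bytes(d ^ k for d, k in zip(data, pad))

class OneTimePad:
    """Hypothetical pad holder: hands out each pad byte once, never again."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0

    def _take(self, n: int) -> bytes:
        if self._used + n > len(self._pad):
            raise RuntimeError("pad exhausted: fetch fresh pad material")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk

    def apply(self, message: bytes) -> bytes:
        """Encrypts plaintext or decrypts ciphertext (XOR is its own inverse)."""
        return xor_bytes(message, self._take(len(message)))

def reuse_leak(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """What an eavesdropper can compute when one pad encrypts two messages."""
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    return xor_bytes(c1, c2)  # the pad cancels out: result is p1 XOR p2

if __name__ == "__main__":
    # Plaintext and key taken from the post.
    ct = xor_bits("1100001111100", "0001111001000")
    print(ct, xor_bits(ct, "0001111001000"))

    # Constructed sample messages; sender and receiver hold identical pads.
    pad = secrets.token_bytes(64)  # CSPRNG output, an assumption of this demo
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    for msg in (b"HOLD POSITION", b"RETURN TO BASE"):
        assert receiver.apply(sender.apply(msg)) == msg

    # Reusing pad bytes for two messages exposes their XOR without the key.
    p1, p2 = b"HOLD POSITION.", b"RETURN TO BASE"
    print(reuse_leak(p1, p2, pad) == xor_bytes(p1, p2))
```

Because the reused pad cancels out, anyone who knows or guesses one of the two messages recovers the other, which is why the pad holder above refuses to hand out the same bytes twice.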

Tags: pseudo-random number generator





Re-Conceptualizing Security

Thursday 22 May 2008 @ 6:54 pm

Yesterday morning, I managed to find some time to attend the 9th INFOSECURITY CONFERENCE in Hong Kong. One of the keynote speakers was Bruce Schneier, a security guru and founder and CTO of BT Counterpane – an information security firm offering managed security services. Bruce, the author of several best-selling books on the subject, presented an excellent talk on his views about security concepts. Some of his books that I have on my shelf are: Applied Cryptography, Secrets and Lies, and the recently published Beyond Fear.

Bruce began the discussion by stating the difference between two types of security in our lives. One type has to do with what you feel about security, and the other type is about the reality of security.

These are two separate things. You can feel secure yet not actually be secure. On the other hand, you can have real security but not feel it. These two tend to diverge from each other. But what surprises us is that in linguistics, we do not find two different words to describe these two types of security. We have only one word in English and it seems the situation is quite similar in other languages.

Perhaps the reason for this is that in the ancient world, while our languages were being developed, these two types did always go together. You can observe the physical environment with your five senses and judge whether it is secure or not. So essentially you feel secure when you really do in fact have physical security.

But today in the information world, these two types of security do not go together all the time. We have security measures installed in our information systems that “safeguard” our information assets, even when we do not actually “see” or “feel” them.

What is worrisome is that most of the time we may not actually “feel” there is lack of security in our system when in fact it does contain serious security flaws.

So the first thing we need to do in regard to security is educate people to be more aware of the need for security. Educate them so they have the knowledge necessary to “see” the security measures installed in their systems.

What helps us do this, according to Schneier’s idea, is to use “systems” to explain the security implementations in our society. System refers to the simplification of the real world situation into models, to help people understand in a simpler way how something works. For example, we can explain the mechanism of a camera surveillance system in a way that helps people understand its value in not only monitoring a crime taking place, but also in helping to deter the crime from happening as well, since criminals know that its presence increases the risk of being caught.

By helping people understand the working mechanism behind a camera surveillance system, we make them more likely to support its implementation and less likely to object to it over the privacy issues involved with a surveillance system.

As I have always emphasized, successful security management has to first be built on the trust, support, and understanding of people. After all, obtaining security is always a tradeoff. You need to forgo first convenience, and second, the time and money invested in the security system, in exchange for something you cannot really “feel,” even when it has been properly put into place.

So security is kind of a “second thought” in many people’s minds. People tend to think of many excuses not to commit to the best security practices simply because they don’t really feel insecure, even when they do not have proper security measures in place.

All in all, I think Bruce used a very good approach to present this idea at the conference. If you want to know more about Bruce Schneier, visit his personal website here: http://www.schneier.com/.

For details of the conference, please visit: http://www.infosecurityproject.com/

Tags: Information Security Awareness





Instant Linux Security Tools

Friday 9 May 2008 @ 11:50 pm

How can I get Linux security tools installed on my Windows Desktop instantly? Answer: Using VMware

Using VMware, now you can easily try out Linux security tools. Read on…

As I said in my previous post, VMware allows you to instantly install another instance of an OS on your computer system. Most Internet security tools run on Linux platforms, including these popular programs:

  • Dsniff (packet sniffer)
  • John the Ripper (password cracker)
  • NmapFE (Nmap)
  • Chkrootkit (check for rootkits, etc.)

In the past, I’ve had to ask my students to install Linux on their original Windows computers before they could try out these software tools. But now, you can easily download the various VMware OS images of Linux to be run on your computer.

If you need to install the latest version of Fedora, Ubuntu, or Suse Linux to install your particular security tool, go straight to this link:
http://www.vmware.com/vmtn/appliances/directory/cat/45
and download your favorite Linux OS images.

VMware uses the term “Virtual Appliances” for all those preconfigured application images to be run directly on VMware software. There are a lot of people contributing to the creations of different Virtual Appliances now.

If you are a bit lazy and want an all-in-a-box solution, you can get some OSs with preconfigured security tools, such as with this link:
http://www.vmware.com/appliances/directory/1065 for Vulnerability Assessment, Intrusion Detection, and more.

Or try this one:
http://www.vmware.com/appliances/directory/348 for all the security tools you can imagine, such as Dsniff, John the Ripper, NBTscan, Nessus, NetCat, NmapFE, Saint Scanner, Snort, Ethereal, and more.

Of course, you can also look for other possible security related virtual appliances here:
http://www.vmware.com/appliances/directory/cat/47

Enjoy the convenient test environment brought to you by VMware!

Tags: John Ripper





Filtering Spam Using Gmail

Friday 9 May 2008 @ 2:30 pm

I have been using Gmail, Yahoo! Mail, and Hotmail for a very long time. My general feeling is that the super-powerful spam filtering capability of Gmail is unprecedented. It can eliminate almost 98% of spam emails while at the same time maintaining an almost zero error rate in filtering legitimate emails. It definitely outperforms the other two free email systems.

I have always been curious how it achieves this phenomenal success rate, but I have found no clue at all. Having had no success in finding its algorithm, I turn to a very practical question: How can we make use of its powerful spam filtering capability to handle our daily corporate email reception task?

The first solution is to use Gmail for receiving emails from your contacts. That sounds easy and straightforward, but the downside is that you have to give up the corporate email address that signifies your corporate identity. How can we preserve that?

Here is a quick solution you can try. Since Gmail allows email received to be forwarded to another email address, you can follow these steps to set this up.

First, you’ll need to create the following three email addresses for each staff member of your company:

  1. The primary corporate e-mail, which is shared with contacts. Say, for John Doe of your company XYZ Inc., you can use john.doe@xyz.com.
  2. A second corporate e-mail, called john.doe_filtered@xyz.com. (You’ll see the use of this second e-mail in a few minutes.)
  3. A Gmail account, with an address similar to: john.doe-xyz@gmail.com

Next, configure the first, primary email address to forward email to the Gmail address.

In the Gmail account settings for the Gmail email address, select the option “Forwarding and POP/IMAP” as shown below:

You will see the following screen:

Set this to forward to the second corporate email address of your staff (i.e., the john.doe_filtered@xyz.com address, as shown in the above screen capture).

Now John Doe can configure his email client to read spam filtered email from the second email account. Those emails are originally addressed to his primary email address, filtered by Gmail, then automatically forwarded to his second corporate email account.

What John needs to remember is to make sure the email address john.doe_filtered@xyz.com is hidden from his contacts. He only uses it as a tool to receive the filtered emails.

If you really want to own the Gmail account as a private labeling service for your company (which entitles you to the big storage space of Gmail for each of your private corporate email accounts and also the spam filtering service), you can register for a private label email program through Google Apps here:
http://www.google.com/a/help/intl/en/index.html

However, this involves pointing all your corporate emails to Google’s Server for storage and processing. I am not so sure if this is a good idea for your company, although this service is basically free with an option to pay a small fee to receive technical support service.





Using VMware for Desktop and Server Security

Monday 5 May 2008 @ 11:25 pm

Last year, a student of mine presented a very good topic on desktop security by VMware. I think it is a good idea to share with you this idea of using virtualization for desktop security.

If you are not familiar with VMware, take a moment to look at their website:

http://www.vmware.com

Desktop and server security is a common headache in modern IT security management, with most organizations having many PCs and servers running different Operating Systems (OSs) with different customizations. If a particular piece of hardware runs into a problem, a great amount of work is involved in recreating the same operating environment on another hardware platform.

This is where virtualization comes in – shining a light on this common problem.

VMware produces virtualization software – a special kind of software that helps a single piece of hardware to concurrently run several different instances of the same or different OSs. In effect, you have a single hardware platform operating several virtual machines using this company’s software.

Virtualization, as defined by VMware, is “an abstraction layer that decouples the physical hardware from the operation system to deliver greater IT resource utilization and flexibility”.

Actually, virtualization extends beyond this definition to cover applications and storage virtualization. There are some other definitions that you can compare and understand:

“Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system, a server, a storage device or network resources.” – SearchServerVirtualization.com

“Virtualization is a technique for hiding the physical characteristics of computing resources to simplify the way in which other systems, applications, or end users interact with those resources…Virtualization lets a single physical resource (such as a server, an operating system, an application, or storage device) appear as multiple logical resources; or making multiple physical resources (such as storage devices or servers) appear as a single logical resource.” – About.com

From an economic point of view, this is great, since you can use a single piece of physical computing hardware to run several logically separated OS instances. This can save money because there is no need to operate separate pieces of hardware for each OS.

But I will stress that, from the security point of view, this is even greater news. Now you can separate the applications from the hardware by introducing virtualization software like VMware as a HAL (Hardware Abstraction Layer).

[Figure: Old and New Model]


Your software is no longer tied to a particular hardware platform. If your hardware fails, you can migrate your hard-built software platform to another piece of hardware immediately without having to re-build the software from scratch to adapt to the new hardware platform.

From a security standpoint, this achieves the continuity of your desktop system since your software platform is now operating independently from the hardware platform. Among the three security objectives (namely: confidentiality, integrity, and availability) this achieves the last objective.

If you are in a hurry to migrate your existing well-built applications on common OS platforms to VMware HAL, you can try the free VMware Converter, found here: http://www.vmware.com/products/converter/.

And you can also use their free VMware Player to operate your converted VMware virtual machine, found here:  http://www.vmware.com/products/player/

Tags: VMware, Desktop Continuity, Server Continuity, Availability, Business Continuity





Google Hacking and Buffer Overflow Attacks: In the News

Friday 2 May 2008 @ 8:45 pm

Recently I spotted a piece of news about a type of network attack combining techniques we have discussed in recent articles involving Google Hacking and Buffer Overflow Attack. The incident, according to Forbes News [1], involves “using Google searches to track down sites vulnerable to so-called ‘SQL injections’.”

Essentially, the hackers use Google to hunt for sites with a problem in their web server program code and exploit them using the knowledge gained from the error messages displayed on the problem websites. In this particular case, the hackers used SQL commands to take control of the sites under attack.

(If you are interested to know about how to work safely using SQL commands, read our post about Buffer Overflow Attack here: http://www.bestinternetsecurity.net/52.)

Some security experts attribute this situation to the usage of Microsoft-related technologies in web sites, such as Microsoft’s own Internet Information Servers (IIS) and its SQL server.

“Whitehat Security’s Grossman speculates that machines running that software were targeted because they allow several commands to be injected in a single user input field on the sites they host, making those sites easier to hijack,” according to Forbes News.

However, I have a different view, and this is the same comment that I expressed in my previous post: It does not matter what technologies you are using to run your websites. What does matter is taking extra care in writing programs that use SQL commands to manage program data. If in the original program design you fail to carefully validate users’ inputs, you will open doors to possible attacks. This is especially disastrous if you fail to do so with web application programming, like in the case we are discussing now.

But as I have also said, it is extremely difficult (if not totally impossible) to write completely bullet-proof code. But to be aware of what can happen if you do not take extra steps to write code that carefully lessens the risk of attack is more than half of the battle. Read the news in the reference section to know more about this case.

Reference:

[1] Greenberg, A. (2008), Google-Hacking Goes To China, Forbes.com LLC, Available from: http://www.forbes.com/2008/04/28/hackers-google-china-tech-security-cx_ag_0428hack.html?partner=yahootix [Accessed 28 April 2008]

Tags: SQL Programming, Application Security, Google Hacking, Buffer Overflow Attack
