Thursday, June 11, 2009

Rule #31 of Hacking: Bypass the Crypto

It's a story as old as time. A webmail company says their security is unbreakable. They give out their CEO's username/password and offer a $10,000 reward to anyone who can break into his account. Guess how this ends? Despite the predictable outcome, this story has been really interesting to me, not only for the issues it brings up but how the security community has been reacting to it.  

I think security contests can be a good strategy for a company. That being said, it really matters how they approach it. Google's take on it with their Native Client hacking contest was spot on. Not only did they get a lot of positive buzz, but they also attracted some of the smartest hackers out there to compete for only $8,192. You normally can't even get a CISSP to give you a Nessus scan for that type of money. The reason for this of course is that hackers don't do it for the money, but for the challenge and bragging rights.

Looking at other such events, a couple rules of thumb to holding a successful hacking challenge seem to come to mind.

1) Don't ever use the words, "un-hackable", "un-breakable", or "perfect". You need to approach these competitions with a healthy dose of realism and the knowledge that your security system probably will fail.

2) Treat the participants with respect. Bring them into the process and take the time to actually listen to them. You want them to feel like they are part of the team making a better product. If this doesn't happen then they will instead write posts talking about how you "don't get it".

3) On the other-hand, you can put so many rules and restrictions on the contest that it becomes almost impossible to win. Of course this is not ideal as you don't actually test the security of your system and this approach should only be used for marketing reasons. Normally this only works with abstract problems like with the Bodacion challenge where you can control everything. Otherwise you get hacked and just look dumb when you claim you weren't really hacked. Also, most security professionals will avoid your product like the plague but then again, we generally are not the ones buying this type of stuff.

Now about the merits of StrongWebMail's particular product:

They claim to be the most secure webmail service out there. For a nominal fee, when you attempt to log on to their site they will then call your phone for confirmation. While I haven't seen the details on their exact protocol, (nor do I want to spend $5 to start an account), I think I can safely say they call you after you typed your first password in successfully. If not, forget denial of service, think denial of sleep as someone brute-forces your account at 2am in the morning...

The thing is, the authentication mechanism doesn't matter much when you can bypass it. StrongWebMail's back-end website had several XSS vulnerabilities that apparently were trivial to exploit. This means that in a targeted attack you would be safer off using yahoo's webmail. That being said, I do have to admit that StrongWebMail is more secure against conventional password attacks. This isn't trivial. When singles.org was hacked their password list was leaked. The 4chan crowd then got ahold of it and proceeded to try those passwords on other accounts associated with the e-mail addresses provided to the site.  Since people often use the same password for all their accounts, webmail accounts were hacked. Horrid e-mails were sent out to family and friends. The same goes for paypal accounts, facebook accounts, amazon.com accounts... well you get the idea.

It really comes down to what you are trying to protect against. Personally I advise just using a unique password for your e-mail account. That way you get the back-end security of google or yahoo for free, but also are resistant to the above attack.  Yes I know, remembering different passwords is hard which is why I normally have different classes of passwords. My bank password is different from my mail password, but I use the same password for many of my other less important accounts. Oh, and write your password down. If someone is willing to sort through and read all the papers in your filling cabinet, they probably already stole your computer, (robber), or installed a keystoke logger, (government or a really smart robber).

Please don't take this as a knock against two factor authentication. Two factor authentication really raises the bar for a hacking attack to be successful. By using two factor authentication, it moves the security requirement away from the user having to select a strong password. That's huge. It also often forces an attacker to time their attack to coincide with the user logging into the site, (though CSRF and other attacks can get around this). That being said, StrongWebMail's approach is pure overkill. A much better implementation is this free I-Phone app made by Blizzard for World of Warcraft. Sure there are security implications, (what if they hack your I-phone?), but at that point we're getting into, "you're screwed already" territory.

So in conclusion: Don't ever believe in perfect security.



No comments: