Friday, July 10, 2009

Brilliant Attacks

Brilliant attacks. (especially the laser one !)
- Monitor the powerline and detect and decode keystrokes from 15m away
- Monitor vibrations on desktop object via laser reflections and decode keystrokes.

The more secure we think our systems are, the more we must remind ourselves that there are styles of attacks that we cannot conceive.

If anybody tells me ‘this is complete secure, it is unhackable’, then this I know for sure about the speaker is that they are NOT very imaginative. They might not be thinking very hard about possible attacks. To me this makes products from vendors who make such claims less secure, they will be blind-sided by some hacker with more imagination.

6 comments:

Don said...

Morse code operators used to be able to tell the identity of the sender by the rhythm of the signals sent down the line. It wonder if it would be possible for a (very) skilled listener to decipher a message based on the sound of the keyboard clicking?

Terry said...

The laser attack is essentially doing that. The surface the laser targets acts as a microphone membrane.

Don said...

And then there is the "Jack Bauer" hack: abduct the user and torture him until he reveals his password.

Low tech, but simple. The downside it that it will only work once per user.

:-)

Don said...

I have sometimes wondered what happens when a login attempt fails.

Could an unscrupulous web master store these failures and then use them somewhere else?

Most people have multiple passwords that they use on various web sites. When a user keys in the wrong password for a particular site, the cause could be a mere typing error, but often it is that the user got his passwords mixed up. In other words, the password may be invalid for this web site, but might be valid elsewhere.

Harvesting password errors could be a profitable activity for a dishonest webmaster. Especially when so many sites use your email address as a user id.

Don said...

I have sometimes wondered what happens when a login attempt fails.

Could an unscrupulous web master store these failures and then use them somewhere else?

Most people have multiple passwords that they use on various web sites. When a user keys in the wrong password for a particular site, the cause could be a mere typing error, but often it is that the user got his passwords mixed up. In other words, the password may be invalid for this web site, but might be valid elsewhere.

Harvesting password errors could be a profitable activity for a dishonest web master. Especially when so many sites use your email address as a user id.

Don said...

Quote of the day:

"data can be either useful or perfectly anonymous, never both".

http://arstechnica.com/tech-policy/news/2009/09/your-secrets-live-online-in-databases-of-ruin.ars