All posts filed under “Keith’s Favorite Post

A collection of my favorite post in no particular order

comments 2

Relax dear-citizen your contactless card is relatively safe—ish

As Malaysia slowly (but surely) migrates to Chip and Pin, some banks have taken the opportunity to issue not just new Pin-enabled cards, but contactless-enabled ones as well.

To be clear, Banks are only mandated to issue new Pin cards (replacing the signature cards you had before), but are taking the opportunity to also embed contactless capabilities into them as well. After all they’re already issuing new cards to every (single!) card holder, might as well get them on the contactless bandwagon while they’re at it.

The reason for being so gung-ho about contactless is purely economical. Research suggest that the easier payment methods become, the more money people are willing to spend. People with credit cards spend more than people with just cash, and 0% interest schemes have been a godsend to retailers. Contactless payments, which don’t involve cumbersome Pins or signatures, are clearly the next evolutionary step, with one research paper suggesting they increase customer spending by nearly 10%.

Banks make money from small percentages per transactions, the more transactions at higher amounts, the more money they stand to make. So if an extra dollar worth of electronics in a contactless card increases revenue by 10%–why not?!

Pins are for security, Contactless is for convenience

But while PINs are a security feature, contactless is all about convenience. And conveniences trade-off security, so it stands to reason that contactless cards are less secure than regular ‘contact’ ones.

The question is whether that trade-off is worth the increase in convenience. After all, nothing is absolutely secure, and in today’s criminally infested internet, keeping your money under the mattress is safer than keeping it in a bank–but nobody does it because the mattress would be too inconvenient.

So what convenience are you getting with a contactless cards?

For one thing, no more waiting for a receipt printout to sign on, or bending down to an inconveniently placed pinpad to type in your PIN. Plus, for someone with gigantic fingers like me, I jump on the opportunity to avoid having to fidget with pinpads that must have been designed for dwarf children after they’ve been struck by the ray gun from Honey I shrunk the kids.

But that’s about it–the only convenience contactless cards provide is that you can do contactless payments–up to a specified amount.

The question now is what security trade offs are you making for this remarkable feature?

comment 0

The safest place for your money is under the mattress


When I was in school, we joked about people who kept their money under the mattress, that somehow those who didn’t use banks were less intelligent than people who did.The general thinking was that smart people kept their money in the bank, where it was safe from theft, fire and flood, while still collecting interest.

In the 80’s this was a compelling argument, when interest rates were high and banks really did provide security,but is that thinking still applicable today?

In June of 2000, Maybank launched their ‘new’ internet banking platform, Maybank2u, which allowed their customers to do their banking online, outside of traditional branches or even ATMs. Few years later, it begun offering online purchases and soon after the mobile app was launched.

But while online banking platforms brought convenience, they also introduced new security threats — and it wasn’t clear whose job it was to secure against those new threats, and who would be liable for inevitable financial losses.

Was it going to be bank who assumed liability, just like they did before, or would it be the account holder, or possibly a mixture of both?

The answer depends on who gets attacked, because not all attacks are equal.

Not all attacks are equal

There’s two types of attack, one where the bank itself is attacked, and another where the account holder is targeted instead.

When someone walks into a bank  with the threat of violence, and walks out with $30,000 of the banks cash, the bank absorbs all the loses. After all, that’s why your money is in their safe and not under the mattresses.

507d7acb92f46ed8d8779be14e3f2051But there exist another class of attack–customer impersonation, where the attacker isn’t threatening violence or even ‘attacking’, but trying to fool the bank into believing they are the rightful account holders. In other words, the attacker is trying to impersonate you, to get to your money.

And in the digital world, customer impersonation is far more common. Consider the case of ATM fraud.

ATMs identify a user by verifying their ATM cards, and then prompting them for the PIN. More specifically, the ATM first authenticates the inserted ATM card (is this card real?) and then proceeds to ask the user for the PIN (is the person the accountholder?), once an ATM is satisfied, it then proceeds to grant the user access to the account.

Hence if an attacker managed to steal your card and knows your PIN, the ATM has no way to differentiate between you and the attacker. Anyone could take your money from your account, by just having your ATM card and PIN, in contrast robbers attacking a bank would simply be taking the bank’s cash…not yours.

Credit Card fraud is another prime example, but at least in Malaysia end customers have their liability capped at RM250 provided they report their lost cards in a ‘reasonable’ amount of time. For debit cards and ATM cards are not protected in the same way. Which is strange because the poorer sections of society who need more protection usually have debit instead of credit cards.

But even credit card users need to be wary, because changes in the liability model are bound to happen when we introduce Chip and Pin. (read more here)

To summarize, customer impersonation isn’t the same as a bank robbery, when the bank issues you credentials (like PINs, passwords or ATM cards), the responsibility to secure those credentials are yours–and if those credentials are compromised, then you’ll have to shoulder some of the financial losses as well.

comment 0

Two years on, teaching coding in schools declared a success

teach-codingKLANG: Two years on, the the pilot initiative to teach coding and digital security as an SPM subject has been touted as a resounding success, and the government is mulling a move to make it compulsory by 2020.

The announcement shocked parents, as out of 10,000 students who took part in the pilot program, only 10 had scored an A while the rest had failed with a grade of F.

Education Minister, Dato’ Seri Java, said that this reflects the current IT market, where out of 10,000 security consultants, only 10 will ever give you good advice.

“We benchmarked against the industry, and set the grading curve accordingly, so only a 10 students getting an A was the intention!! We can’t have cases where students just memorize a textbook and then score an A, this is not History or Geography, this is an important subject” he said, while further mocking drama and English literature under his breath.

Deputy Director of Education, Perl Ramachandran further added that instead of focusing on the 9,990 students who failed, the public should instead focus on the ‘A’ students who showed exemplary work and are were ‘bright spots’ in the dark abyss which is the Malaysian education system.

One such exemplary student was 17-year old lass Siti Pintu bt. Belakang, she had managed to install a backdoor into the MOE exam system and downloaded the question paper days before the exam. A backdoor is an application that allows an attacker unfettered access to the compromised system, and Siti managed to code one from scratch specifically for this purpose.

Already Russian cyber-criminal organizations are offering her scholarships to prestigious universities, Perl further added.

Then there Godam a/l Rajakumar, who instead of stealing exam papers, simply hacked into the MOE grading system and gave himself a ‘A’.

comment 0

Show notes for today

Your browser does not support native audio, but you can download this MP3 to listen on your device.   Some interesting links you might want to check out during my interview on BFM today, will tidy up this list later…

comment 0

The Internet is slow because of illegal downloads

Let’s start with the quote that set off the rage in my heart—

“You can see today that our Internet is slow. Not because it itself is slow but because a lot of people are using it,” he said

The government agency chief blamed this on illegal downloads hogging Internet bandwidth here, adding that this does not happen in countries like Germany due to stricter enforcement.

“In Germany, the Internet is fast because if you download illegally, you will be charged by the authorities.

“You can’t download illegal movies, songs and pictures there, you need to pay but we here, anything also we download illegally right up to the pictures of our grandfathers.

“That is why the Internet highway is slow but we blame the government. The government has created proper Internet highways but we don’t know how to use it. Millions have been spent on this by the government,” he explained.

So apparently, Datuk Ibrahim Saad, the  National Civics Bureau (BTN) chief  thinks that the internet is slow in Malaysia (it’s not that slow), because illegal downloads are hogging up the pipelines.

Let’s start with his first sentence, an substitute the word ‘internet’ with the name of any Malaysian highway you choose, personally I like to use the LDP:

You can see today that our LDP is slow. Not because it itself is slow but because a lot of people are using it

Hmmm, I guess in his infinite wisdom that makes sense to the BTN chief, but to me that just sounds like the highway wasn’t built properly.

Let’s go to the 2nd statement:

In Germany, the Internet is fast because if you download illegally, you will be charged by the authorities.

“You can’t download illegal movies, songs and pictures there, you need to pay but we here, anything also we download illegally right up to the pictures of our grandfathers.

“That is why the Internet highway is slow but we blame the government

Now we come to the crux of the issue. If Malaysians weren’t illegally downloading, they’d have faster internet.

Here’s 4 reasons why he’s wrong.

comment 0

When bad advice comes from good people

What happens when a government agency tasked with providing cybersecurity “guidance” and “expertise” gives you advice like “avoid uploading pictures of yourself to avoid the threat of black magic”?

And then goes into damage-control claiming that it “was just a casual remark and did not represent the federal agency’s official position on the matter”,  only to follow-up with more ridiculous advice like “passwords should be changed constantly to prevent identity theft and hacking”.

Sometimes I sigh so often my wife gets worried—or annoyed, maybe both 🙂

First-off you know my view on black magic, and for an agency under MOSTI to make such an anti-science remark is just appalling. Secondly, from a security point of view, changing passwords regularly doesn’t help, and they cause more harm than good by encouraging users to use easy to remember passwords that they transform after every iteration. Think superman123, then superman456…etc.

In fact, research from Microsoft suggest changing your passwords regularly isn’t worth the effort, and the best one can do is use a password manager that would allow you to have passwords that are both unique and hard to remember across all online services you use.

The fact, that the head of cybersecurity Malaysia is giving advice that most people in the security community consider obsolete doesn’t exactly calms your nerves.

comment 0

The miners dilemma – Bitcoin sabotage can be profitable

black diceImagine a small village of a 100 people.

One day,  a sorcerer shows up,  and grants all the villagers magical 1000-sided dice, which are purely random and can only be thrown at a fixed rate of 1 throw per second (no faster & no slower).

Over the next year, at noon of every day, the sorcerer will announce a random number between 1 and 1000, and the first villager to throw that number on their magical dice will earn $100, just by raising than hands and announcing it to the wizard.

The villagers play along, and the since the dice are purely random, each villager can expect to win $100 every 100 days.

But if they pooled their dice together they could create interesting scenarios. For example, a group of 10 ‘pooled’ villagers, could expect to win once every 10 days, and the winnings of $100 could be equally divided between them. To these villagers $10 every 10 days is a better deal than $100 every 100 days.

Eventually the village ends up with 2 pools of 50 villagers each. The pools expect to win once every other day, and the winnings would be $2 dollars per villager. So effectively, they’re winning $2 every 2 days.

So far so good.

The Crooked Pool attacks

crooksHowever, one of these pools (called the crooked pool), starts to act all dick-dastardly. They send 25 of their members to infiltrate the other ‘honest’ pool. These infiltrators will roll their dice, but never claim announce their winnings to the sorcerer, even if they roll the magical number. Essentially these infiltrators become dead-weight on the honest pool, rolling dice choosing to never win. The remaining 25 members in the crooked pool will continue rolling and trying to win.

At first this seems illogical, why would a pool intentionally give up half it’s resources to sabotage another? How could discarding winnings actually benefit anyone? Does it even profit the crooks?

Yes it does:

  • The crooked pool now has 25 villagers rolling dice;
  • The honest pool has 75 villagers, but only 50 of them are effectively trying to win
  • Don’t forget, the crooked pool has 25 members in the honest pool, and hence is entitled to 1/3rd of their winnings.
  • Which means the original 50 villagers in the honest pool, only get 2/3rd of their winnings.
  • With only 75 villagers effectively throwing the dice, the crooked pool now has both it’s original 25 members and a 1/3rd share of the remaining 50.
  • The maths is only a ‘bit’ complicated, but the result is the crooked pool increases its chances of winning from 50% to 56%.

Amazing right?! Even though the 25 infiltrators are essentially wasting their throws, they can actually profit from the activity.

This isn’t just a thought experiment either, this is a problem known in bitcoin as the miners delimma, analogous to famous prisoner dilemma thought in game theory. Bitcoin mining works almost exactly like this scenario, it is a purely random function similar to dice throwing, whose odds of success can only be increased if you ramp up the hashing power, or in this case, adding villagers to a pool.

comment 0

Apple vs. FBI: Everything you need to know

broken-fenceA judge in the US has ordered Apple to provide ‘technical assistance’ to FBI, in creating what some (but not all) cybersecurity experts call a backdoor. In the few years I’ve written about these issues, I’ve never seen anything as hotly debated as this one, across the folks from digital security to foreign policy all coming down on both sides of the debate.

On one hand it seems a bit snarky of the FBI to use this one particular case, that looks to have the highest possible chance of success to set precedent, but on the other hand it seems mighty nasty of Apple to refuse to comply with a court order, to crack into a terrorist phone.

So here’s some facts of the case.

The phone in question belonged to Syed Rizwan Farook, a shooter in the San Bernadino shooting, which caused the deaths of 14 people. America has numerous mass shootings, but this one involved two Muslims aligned to ISIS–and hence more easily labeled terrorism, without the need for adjectives like ‘domestic’.

As I blogged about last week, self-radicalized terrorist don’t get funding from headquarters, and without that glorious ISIS-oil money, all these guys could afford for was an iPhone 5C, an entry-level phone with hardware identical to that of the iPhone 5, a phone launched waaaayy back in 2012 (you’ll remember that as the year Manchester United last won the Premier League). As an older phone, the security architecture of the 5C lagged behind the current generation iPhones, all of which have a secure enclave, but make no mistake, it’s still pretty secure.

By pretty secure, I mean that the phone has all of its contents encrypted, and un-readable to anyone without the encryption key. The key is derived from both the user passcode, and a randomly generated hardware key that is unique to the specific iPhone. It is generally understood that Apple doesn’t keep track of the hardware key, and therefore unable to provide it, as you might expect the hardware will also never give up it’s key under any circumstance. Without the hardware key, the encrypted  data is unreadable, even with the passcode. Which explains why the FBI can’t suck the data out of the device for decryption on a more powerful computer, or load the data into 1000’s of iPhones for parallel cracking.

comment 0

Questions we need to ask about spyware

If you believe (as I do), that the government bought spyware, then here are some pertinent questions

Question 1: Do these government agencies actually have investigative powers?

While the police might have the legal authority to investigate someone, does the PMO, MACC or anyone else share that authority. If a government agency has no right to investigate someone, then why is it buying spyware?

The conversation should end here, as I don’t believe the PMO has any authority to use spyware, but the next question actually goes even further and ask if anyone has the legal authority to use it.

Question 2: Is spyware legal?

Installing spyware on a laptop or smartphone is far more intrusive than a regular home search, it’s like having an invisible officer stationed in your house listening in on everything you say and do. It doesn’t just invade the privacy of the victim, but even those that victim communicates with, shares their laptop with or even those that just happen to be nearby.

The MACC act, that governs the powers of the commission, specifically state that a the Public Prosecutor or Commissioner of the MACC can authorize the interception of communications if they ‘consider’ that the specific communication might help in an ongoing investigation. However, spyware from hacking team isn’t really ‘intercepting’ communications, because what is being communicated through the Internet is usually encrypted, Hacking team circumvents this by capturing the data before it is encrypted and then sends that captured data in a separate communication back to its control servers. Strictly speaking, this isn’t interception, its shoulder surfing on steroids.

Hacking Team InterceptionMore worrying, is that the spyware might take screen shots of diary entries and notes that the victim never intended to communicate with anyone, or draft e-mail entries that they later delete are also captured by this spyware.  Obviously this falls into a different category than simple ‘interception’, but I’m not done yet.