Technology

OS X 10.9.2 fixes "goto fail;" SSL vulnerability

Apple have just released OS X 10.9.2, fixing among other things the "goto fail;" SSL vulnerability. The bug also affected iOS 7; a fix for that was released earlier as iOS 7.0.6. Everyone running OS X 10.9 "Mavericks" or iOS 7 should upgrade immediately to these releases. The technical details of the SSL vulnerability have been discussed in an excellent writeup by Adam Langley. The vulnerability is caused by a failure to correctly validate the signature of a presented certificate. This allows any private key to be used with any certificate, creating an avenue for man-in-the-middle attacks.

A website designed to test vulnerability to the bug is available at https://gotofail.com/.

The bug is formally known as CVE-2014-1266.
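
The control-flow slip the bug is named after, as an added example that is not Apple's code and not from the original post: a simplified C model in which a duplicated `goto fail;` skips the signature check, next to a braced version that does not. The function names and the stubbed hash and signature steps are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the handshake steps; 0 means success. */
static int hash_update(void) { return 0; }
static int hash_final(void) { return 0; }
static int verify_signature(int sig_ok) { return sig_ok ? 0 : -1; }

/* Vulnerable shape: the second goto is not guarded by the if, so it is
 * always taken while err is still 0 and the signature is never checked. */
int verify_key_exchange_vulnerable(int sig_ok)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail; /* duplicated line, runs unconditionally */
    if ((err = hash_final()) != 0)
        goto fail;
    err = verify_signature(sig_ok); /* unreachable */

fail:
    return err; /* 0 is reported to the caller as "verified" */
}

/* Hardened shape: braces on every branch make the guarded statements
 * explicit, and the signature check is always reached on success. */
int verify_key_exchange_fixed(int sig_ok)
{
    int err;
    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = verify_signature(sig_ok);

fail:
    return err;
}

int main(void)
{
    /* Constructed input: sig_ok = 0 models a handshake signed with the wrong key. */
    printf("vulnerable, bad signature: %d\n", verify_key_exchange_vulnerable(0));
    printf("fixed, bad signature:      %d\n", verify_key_exchange_fixed(0));
    return 0;
}
```

Compiler diagnostics such as GCC's `-Wmisleading-indentation` and Clang's `-Wunreachable-code` flag the vulnerable shape.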

Significance of IPv6 Interface Identifiers

IPv6 unicast addresses are made up of a prefix followed by an Interface Identifier (IID), which is the last 64 bits of the address. According to a recent RFC on the subject, these identifiers are formed through varying methods. The RFC, which can be read in its entirety here, elaborates on the idea that the bits in the interface identifier should be “treated as an opaque value” and have no stand-alone significance.

The RFC concludes that the value of the "u" bit in an IID carries no significant meaning. As stated in the document, “In the case of an IID created from a MAC address according to RFC 4291, its value is determined by the MAC address, but that is all.” The "u" and "g" bits are found to have little significance in relation to their originally believed “purpose”, but may present other details of importance.

This RFC makes a change to RFC 4291 by indicating that the Universal and Group bits of an IEEE link-layer address are significant only in the act of deriving interface identifiers from that IEEE link-layer address.
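
How a MAC-derived identifier gets its "u" and "g" bits, as an added example that is not from the original post or the RFC text: it builds a Modified EUI-64 IID per RFC 4291 and reads the same bit positions from an IID with no MAC behind it. The function names and both sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Modified EUI-64 IID from a 48-bit MAC (RFC 4291, Appendix A):
 * insert FF:FE between the two halves and invert the "u" bit. */
void iid_from_mac(const uint8_t mac[6], uint8_t iid[8])
{
    iid[0] = mac[0] ^ 0x02; /* invert universal/local ("u") bit */
    iid[1] = mac[1];
    iid[2] = mac[2];
    iid[3] = 0xFF;
    iid[4] = 0xFE;
    iid[5] = mac[3];
    iid[6] = mac[4];
    iid[7] = mac[5];
}

/* Bit positions inherited from the IEEE address: "u" is 0x02 and "g" is
 * 0x01 of the first octet. */
int iid_u_bit(const uint8_t iid[8]) { return (iid[0] >> 1) & 1; }
int iid_g_bit(const uint8_t iid[8]) { return iid[0] & 1; }

int main(void)
{
    /* Constructed samples: a MAC from the documentation range and an
     * arbitrary IID that was not derived from any MAC. */
    const uint8_t mac[6] = {0x00, 0x00, 0x5E, 0x00, 0x53, 0x01};
    const uint8_t opaque[8] = {0x5A, 0x17, 0xC3, 0x09, 0x8E, 0x44, 0xD2, 0x6B};
    uint8_t iid[8];

    iid_from_mac(mac, iid);
    printf("from MAC: u=%d g=%d\n", iid_u_bit(iid), iid_g_bit(iid));
    /* Same bit positions, but here they say nothing about how the IID
     * was formed, which is why the IID is treated as opaque. */
    printf("opaque:   u=%d g=%d\n", iid_u_bit(opaque), iid_g_bit(opaque));
    return 0;
}
```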

Argh, Passwords!

In the last 24 hours I've received data breach notifications from two different companies I have accounts with - Apple and Canonical (the company behind Ubuntu Linux). Prior to those, I've had my data leaked from Sony, the ABC (Australian Broadcasting Corporation), and others. Even worse, these are just the organisations that have both realised they've lost data and been good enough to inform their customers about it. I have absolutely no doubt that my data has been leaked from other companies and they either don't realise or are too afraid to admit to it.

Usually the leaked info is "nothing more" than a username, email, and hashed password. How bad the situation is depends on whether I've ever used that username/email/password combination on any other site.

I will admit to password reuse, at least in the past. And I bet if you're honest, you will too. Remembering passwords is a pain so the less you have to keep track of the better. I get that, but it's time to grow up.

We can talk all day about how bad passwords are as an authentication mechanism, and how everything will be fantastic just as soon as everyone starts using 2-factor auth and all the rest. That's all true, but it's not here today. What we're stuck with today is passwords and attackers who are able to discover them. We can accept that reality and deal with it or continue playing Russian Roulette with the really valuable data that's still secured by not much more than a password - the same one that's already been leaked.

Let's start with a simple assumption to guide our thinking: every site we have an account on will eventually be compromised and the attacker will learn our username/email and password. Maybe they'll only get a password hash, maybe plaintext.

With that in mind, we have two tactics available to protect ourselves. First, use long, complicated passwords for every site. Forget the idea of simple 'throwaway' passwords or any of that. Every password is long and complex, the end. My preference is 16 characters or longer using alphanumeric characters and symbols. Every additional character you add to a password dramatically increases the effort required to brute force it. So pick passwords that are completely impractical to precompute. If someone wants your password, make them work for it.

The second tactic is to never use the same password twice. When someone does finally compromise your wonderful 20+ character password, what leverage does it get them? None whatsoever. If they want your other passwords, they have to start from scratch. Unlucky for those guys.

Our third tactic (Surprise! Bonus Tactics for the Win!) is to occasionally change our passwords. This one is our third tactic simply because I'm going to assume most people will never get around to it - that's why we're picking passwords that will take a few millennia (at current computation rates) to break. But hey, if you change your passwords every now and again it reduces the value of any hashes that do get leaked. That can't hurt - but we won't rely on it. We're only human after all.

So the plan is to have lots of really long passwords that, in all honesty, we have no chance of remembering. How's that going to work? Using a password manager. I'm a big fan of 1Password by Agilebits, but there are plenty of other options. The general idea is to pick a single, high quality password that you will remember, and use that to encrypt the database of usernames and passwords for all of your sites. There are browser extensions baked in to make filling in login forms a snap. Its other great feature is the ability to generate passwords for when I need to sign up to a new site or change a password. I can specify length, character sets and whether I want the password to be pronounceable. It's pretty neat.

Moving to a password manager takes concentrated effort. Technically it's not hard, just different, and we all experience resistance when changing habits and workflow. Dropping in your throwaway password will always be there as a temptation. Resist! A small amount of effort on your part now will protect your interests in the long term, at least until something better than passwords comes along.