Sunday, 28 February 2010

Why do I need a privacy filter? (3M's new Vikuiti Gold Privacy Filter)

I received my free sample filter from 3M a week ago now - it is one of the first of their new Vikuiti Gold Privacy Filters. Before I tell you about my experiences with it though, I think I ought to cover the question: 'Why do I need a privacy filter?'

So, what is a privacy filter? It is a thin sheet of plastic that fits over your screen to reduce the viewing angle. LCD manufacturers spend all their time increasing the viewing angle of their screens so that many people can view the TV from all over the room or crowd round a computer screen to share information. The problem with this is the advantage itself - what if I have sensitive information on my screen that I don't want everyone to be able to read? The privacy filter reverses the wide angle viewing trend to reduce it as close to straight on as is practical. The point of a privacy filter is to stop prying eyes and shoulder surfing.

Do you need a privacy filter? I was speaking to a professional a little while ago who told me about a time he was on a plane travelling back from an exhibition. He was sat beside a competitor who was working on his laptop for the whole journey, looking at details of his sales leads from the exhibition. At the end of the flight he thanked his fellow passenger for the information. Do you or your users have corporate laptops that they use in a public location? Shoulder surfing of documents, usernames, security procedures, etc., can be a serious issue. We can spend all our time and effort protecting the storage and transmission of information and forget about its display and viewing.

3M Gold Privacy Filter
Back to the new 3M Gold Privacy Filter. The viewing angles of filters are around 40 degrees from perpendicular. Mostly they work in a similar way to vertical blinds: if you are straight on then you only see the thin edge, but as you move off the perpendicular they start to show until they overlap and you can't see through them. The problem with this is that you can still see the screen if you move in the vertical plane. The 3M Gold filter seems to have a narrower angle of view (which is good for a privacy filter) and also cuts out vertical shifts to a certain extent. This is due to the gold mirror-like surface that cuts out the light from the screen and reflects the surroundings. The matte filters from 3M and other vendors are not so effective due to the lack of reflections. However, in bright ambient light with the laptop LCD panel turned to minimum brightness it can be harder to see the screen effectively with a shiny filter. This can be mitigated, to a certain extent, by the gold filter as it shows a brighter, clearer image than the grey ones in my opinion. This brings up another problem with privacy filters: they do reduce the brightness of the screen. However, with the brightness turned up on my laptop, I can see the screen with no problems in any ambient lighting environment.

The one poor feature of the filter is the fitting. Small clear plastic tabs get stuck to your laptop round the screen (they have to protrude over the screen). The filter then slides in behind these and fits the screen perfectly (you have to buy the correct size). Fitting the filter is fairly easy (but can be a bit fiddly on a screen like mine as the sides of the laptop slope towards the screen) and removing it is very easy. However, you are left with the tabs over the edges of the screen even with the filter removed. They aren't that obtrusive though and you don't really notice them when the filter is in place.

Overall, I think that the 3M Gold Privacy Filters are probably the best filters on the market at the moment - certainly the best ones I've seen, though I haven't seen them all.

Wednesday, 17 February 2010

Coventry Building Society Grid Card

Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. Now the idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in - 2 things = 2 factors. For more about authentication see this post.

How does it work? Very simply is the answer. During the log in process, you will be asked to enter the digits at 3 co-ordinates. For example: c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember that this isn't a password as such; it is expected to be a word, and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't really any different from having a longer, stronger password; it's still single-factor.

The idea behind the Grid Card is that you have a set of random numbers shared between you and the bank that are very hard to guess. I only say very hard to guess because I don't know how they generate the cards in the first place, and if this isn't truly random (which it almost certainly won't be) then you can predict parts of the grid given other parts of it. Randomness is a rare but essential commodity. There are 50 co-ordinates on the card and Coventry ask for 3 each time, giving 19,600 possible combinations, assuming they'll never ask for the same co-ordinate more than once per login (order doesn't matter, as we're told which grid squares to use). Does this mean that someone would have to log all 19,600 combinations before they could regenerate the card? No. Each co-ordinate appears 1,176 times in the 19,600. Each pair of co-ordinates appears 48 times. Only 17 challenges can be asked without repeating a co-ordinate (and even that is a cheat, because 17x3=51, so one co-ordinate must appear twice). However, it is unlikely that these 17 would get asked for in succession, so it would take significantly more observations before we have the whole grid, but we won't need the whole grid before we're very likely to be able to login. Indeed, there's a 17.3% chance that at least one co-ordinate will be repeated on the next login. Also, a shoulder surfer with a camera phone (or CCTV cameras) could take a photo of the whole card in one go, so this is an authentication mechanism to be used only in the 'safety' of your own home.
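To make the numbers in this paragraph concrete, here is an added Python example (mine, not Coventry's or the post's own code) that reproduces the combinatorics above and estimates how much of a card an observer has seen after a given number of logins. The 10x5 layout of cells a1..j5 holding one digit each is an assumption, and the card in the simulation is constructed at random.

```python
from math import comb
import random

# Grid Card model as described in the post (layout is an assumption).
CELLS = 50                      # co-ordinates on the card
ASKED = 3                       # distinct co-ordinates requested per login
COLS, ROWS = "abcdefghij", "12345"   # assumed 10x5 labelling a1..j5

def total_challenges():
    """Distinct 3-cell challenges, order ignored: C(50,3) = 19,600."""
    return comb(CELLS, ASKED)

def challenges_containing(k):
    """Challenges that include k given cells: 1,176 for one cell, 48 for a pair."""
    return comb(CELLS - k, ASKED - k)

def p_repeat_next_login():
    """Chance the next challenge re-uses at least one of the 3 cells just seen."""
    return 1 - comb(CELLS - ASKED, ASKED) / comb(CELLS, ASKED)   # about 17.3%

def expected_known_cells(n_logins):
    """Expected distinct cells revealed after n observed logins. A given cell is
    absent from a single challenge with probability C(49,3)/C(50,3) = 0.94."""
    p_unseen = comb(CELLS - 1, ASKED) / comb(CELLS, ASKED)
    return CELLS * (1 - p_unseen ** n_logins)

def p_can_answer(known):
    """Chance a random next challenge falls entirely within `known` learned cells."""
    return comb(known, ASKED) / comb(CELLS, ASKED) if known >= ASKED else 0.0

def simulate_observed_logins(n_logins, seed=0):
    """Monte Carlo check: random card, n observed logins, returns the cells learned
    (cell label -> digit). Complements the closed-form expectation above."""
    rng = random.Random(seed)
    card = {c + r: rng.randrange(10) for c in COLS for r in ROWS}   # constructed card
    cells = sorted(card)
    learned = {}
    for _ in range(n_logins):
        for cell in rng.sample(cells, ASKED):     # 3 distinct co-ordinates per login
            learned[cell] = card[cell]
    return learned

if __name__ == "__main__":
    print("challenges:", total_challenges(), "per cell:", challenges_containing(1))
    print("P(repeat next login): %.1f%%" % (100 * p_repeat_next_login()))
    for n in (1, 17, 38):
        k = expected_known_cells(n)
        print("after %2d logins: ~%.1f cells known, P(answer next) ~ %.2f"
              % (n, k, p_can_answer(int(k))))
```

Even after the 17 logins that could in theory cover the card, the expectation is only about 32 of the 50 cells, which is the "significantly more observations" point made above.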

This is, however, a step in the right direction, so they should be commended for it. What else do you need to login to Coventry? Well, a Web ID and date of birth, both of which are easily pharmed. So the security is based solely on the password and Grid Card, which is better than two passwords. They do also have an anti-phishing technique bundled in there as well. When you sign up you choose a picture that they will display during your login along with your last login date and time. If the picture or date is incorrect then this isn't Coventry (or your account has been compromised). It's good to add a picture here, because many people don't actually check the last login date and time even if it's put up on the screen. The picture is obvious and hard to miss though. These mechanisms don't really stop spear phishing (or targeted phishing), but they do stop blanket or mass phishing attacks.

It's about time more banks started issuing 2-factor authentication for login and Coventry should be congratulated on being amongst the first. However, we have to be careful about how it's implemented.

Keylogging Trusteer's Rapport

Let's get some perspective on this first: no security product is 100% secure and just because there may be an obscure way round a product doesn't mean you shouldn't use it and that it won't protect you against a lot of attacks. How secure is your Anti-Virus (AV) product? Certainly not 100%, so we need layers of security. Rapport is another layer of security and could help protect your machine.

I have said in my previous post about this issue how well Trusteer dealt with me. So, now to the method of keylogging Trusteer. It's quite simple really, but requires a special setup. Rapport hooks onto the keyboard driver to prevent keylogging. However, if you invoke the remote desktop feature in Windows then a different keyboard driver is invoked, which Rapport cannot hook onto. So, if you're using a remote desktop connection into your machine then Rapport will not be giving you the full protection (it still has other layers of protection that work in this scenario).

Is this such a special case that you don't need to worry about it? Well not necessarily. There are a plethora of remote access software solutions available to users who are increasingly using them to access their machines at home or at work. There is also another technology that can be leveraged to cause this effect whilst the user is at the actual machine. Microsoft have introduced RemoteApps to the Windows desktop environment to allow for legacy applications to appear to run seamlessly on Windows 7. This is done via Virtual PC running another OS and the RAIL QFE update to allow applications to be exposed from a desktop machine as RemoteApps. However, we can use this technique to look back at the machine and expose the web browser as a RemoteApp, which the user should not notice.

As I say, it's a special case and not one a user would normally encounter, but it is possible. There are other issues with Trusteer as well, being able to capture the screen of protected websites and information leakage as highlighted on here. It doesn't mean you shouldn't use Rapport though, just know and trust the machine that you're using. Basically, don't ever connect to any secure site or service from an untrusted machine, no matter what's installed on it.

Friday, 12 February 2010

Trusteer's Response to Issues with Rapport

I have been getting a lot of hits on this blog relating to Trusteer's Rapport, so I thought I would take a better look at the product. During my investigations, I was able to log keystrokes on a Windows 7 machine whilst accessing NatWest. However, the cause is as yet unknown as Rapport should be secure against this keylogger, so I'm not going to share the details here yet (there will be a video once Trusteer are happy there is no further threat).

I have had quite a dialogue with Trusteer over this potential problem and can report that their guys are pretty switched on, they picked up on this very quickly and are taking it extremely seriously. They are also realistic about all security products and have many layers of security in place within their own product. No security product is 100% secure - it can't be. The best measure of a product, in my opinion, is the company's response to potential problems. I have to admit that Trusteer have been exemplary here.

Why do I keep saying it's a potential problem when I have logged keystrokes? Well, under normal operating conditions this isn't possible with the keylogger used. Most home users won't have a machine set up like the test machine in this case.

Trusteer have also pointed out that keyloggers are not the main threat facing the banks at the moment and are of less use now than in the past. Rapport has several layers of security protecting the machine beyond keyloggers and blocking screen capture. One of the major plus points about Rapport is their anti-phishing and anti-pharming technologies. Although, again, these aren't perfect, it's better than nothing.

I don't agree totally with Trusteer here though. The problem with being able to log typed characters comes back to weak passwords and single-factor authentication. In this case, NatWest seem to require a customer ID, consisting of the user's date of birth and a 4 digit ID in the format ddmmyyxxxx, a 4 digit PIN and only a short password. Now, they will let any Customer ID through in this format whether it's valid or not (good from a security point of view as you don't know if you've got a valid Customer ID or not). However, clearly they allow 6 character passwords and then ask for three of them. So with one capture I can have 3 out of 4 PIN digits and half the password. We know people choose weak passwords that can be guessed. This becomes a crossword puzzle to make a 6 character password given three known characters. I would agree with Trusteer that keyloggers and screen capture shouldn't be a problem now, but it still is, as the banks cling onto simple username and password authentication, often with poor password policies.

If the banks move to 2-factor authentication and one-time passwords then most of this would be redundant, and Trusteer could concentrate on pushing us off to the correct site to avoid phishing and pharming attacks. Of course, these will become even more prevalent and sophisticated. Technology can't stop this alone; it has to be coupled with user education. Screen capture can still cause problems with strong authentication solutions, such as those using images or on-screen grids to generate one-time passwords.

So, what's the bottom line? Since my earlier posts, Rapport has come a long way with compatibility, etc. The tone of the marketing has also changed for the better and is more realistic (although some of the 44 partner banks could be doing more). So Rapport could be an additional layer of security to protect you, but you will still have to be vigilant. You must have an up-to-date, legitimate anti-virus/anti-malware product, firewall protection, tight controls on your browser and a cautious and skeptical approach to all communications and links. Without these, Rapport isn't going to help you anyway.

Edit: video in later post - Keylogging Trusteer's Rapport

Thursday, 4 February 2010

Cisco TACACS+ Password Length

I have recently come up against a problem with using the 'new' wireless network at work. We are using Cisco kit and TACACS+ to interface onto Microsoft's AD in the back end. Technically, usernames should be able to be up to 31 bytes long (not a problem there) and the password up to 254 bytes. However, the web portal implementation that we are running has a problem with my password. It would appear that passwords of up to 16 characters are fine, but passwords in excess of 16 characters don't work.

We are currently investigating this, as it seems like a real problem, especially as we are recommending that people switch to using longer pass phrases, in excess of 16 characters. Hopefully vendors will catch up with this soon, as many still have problems with so-called 'special characters' such as punctuation and other common symbols.

Welcome to the RLR UK Blog

This blog is about network and information security issues primarily, but it does stray into other IT related fields, such as web development and anything else that we find interesting.
