Sunday, December 21, 2014



NemID's attempt to improve security by hiding program code in image files is a really bad idea. Only inexperienced software companies use the method, says an associate professor at ITU. By Jesper Stein Sandal, Friday, November 18, 2011 - 6:59
The approach is also known as 'security by obscurity' and rests on the idea that security can be increased by keeping the solution secret or hidden. But it is not a method that belongs in a solution like NemID, says associate professor and security expert Joseph Kiniry from the IT University.
Joseph Kiniry is backed by the US National Institute of Standards and Technology, NIST, which on several occasions has explicitly recommended against security by obscurity. "System security should not depend on the secrecy of the implementation or its components," NIST writes in its "Guide to General Server Security."
The content of the Java applet used to log in with NemID came into focus on Thursday, when McAfee's antivirus software reacted to the content of some of the files that are stored locally on the user's PC when logging on with NemID.
A packed file, used to distribute image files together with the Java applet, has been found to contain four files disguised as GIF images that actually contain code for Windows, Unix and Mac.
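The disguise described above (files named as GIF images whose bytes are really Windows, Unix or Mac executables) is the kind of thing a defender can catch mechanically: compare the leading bytes of each archive member with the type its extension claims. The Python script below is an added example, not code from Version2, Nets DanID or the NemID applet. The archive and its members are constructed samples built in memory, and the file signatures are the published magic numbers of the GIF, PE, ELF and Mach-O formats; no value in it comes from the real applet.

```python
import io
import struct
import zipfile

# Published magic-number prefixes for the formats the article mentions
# (GIF images; Windows, Unix and Mac executables). None of these values
# come from the NemID applet itself.
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x7fELF": "elf",               # Unix/Linux executables
    b"\xfe\xed\xfa\xce": "mach-o",   # Mac, 32-bit big-endian
    b"\xfe\xed\xfa\xcf": "mach-o",   # Mac, 64-bit big-endian
    b"\xce\xfa\xed\xfe": "mach-o",   # Mac, 32-bit little-endian (x86)
    b"\xcf\xfa\xed\xfe": "mach-o",   # Mac, 64-bit little-endian (x86_64)
    # 0xCAFEBABE is shared by Mach-O fat binaries and Java .class files,
    # so inside a jar it is reported separately rather than as an executable.
    b"\xca\xfe\xba\xbe": "java-class-or-mach-o-fat",
    b"MZ": "windows-pe",             # only accepted with a valid PE header
}

# Which detected types are acceptable for a given claimed extension.
EXPECTED_FOR_EXT = {"gif": {"gif"}}


def looks_like_pe(data: bytes) -> bool:
    """'MZ' alone is weak; require the 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def identify(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic in sorted(SIGNATURES, key=len, reverse=True):  # longest match first
        if data.startswith(magic):
            if magic == b"MZ" and not looks_like_pe(data):
                continue
            return SIGNATURES[magic]
    return "unknown"


def check_member(name: str, data: bytes):
    """Return (claimed_ext, detected_type, mismatch) for one archive member."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = identify(data)
    mismatch = claimed in EXPECTED_FOR_EXT and detected not in EXPECTED_FOR_EXT[claimed]
    return claimed, detected, mismatch


def scan_archive(archive: bytes):
    """Return [(member_name, detected_type)] for members whose bytes contradict their extension."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            _, detected, mismatch = check_member(info.filename, zf.read(info))
            if mismatch:
                flagged.append((info.filename, detected))
    return flagged


# --- constructed sample data (not real NemID files) -------------------------
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b";"   # minimal valid GIF
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9                             # ELF header start
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"  # MZ stub + PE signature
SAMPLE_MACHO = b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"                            # Mach-O 64-bit x86_64

SAMPLE_MEMBERS = {
    "logo.gif": SAMPLE_GIF,     # honest GIF
    "bg.gif": SAMPLE_ELF,       # Unix code hiding behind a .gif name
    "icon.gif": SAMPLE_PE,      # Windows code hiding behind a .gif name
    "splash.gif": SAMPLE_MACHO, # Mac code hiding behind a .gif name
}


def build_sample_archive(members=SAMPLE_MEMBERS) -> bytes:
    """Build an in-memory zip so the example runs without any files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, detected in scan_archive(build_sample_archive()):
        print(f"{name}: claims GIF, content looks like {detected}")
```

The check is deliberately content-first: the extension is only used to decide what the file claims to be, and the verdict comes from the bytes. The PE branch shows why a two-byte magic is not enough on its own; requiring the `PE\0\0` signature at `e_lfanew` avoids flagging any file that merely happens to start with "MZ".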
The binary code has been difficult to analyze, which indicates that the programmers have gone to great lengths to make it as hard as possible to take the code apart and study it. No standard tools appear to have been used to camouflage the code; the developers have apparently used their own proprietary methods.
A group of Joseph Kiniry's students at ITU recently looked at the program code in the NemID applet, but not at the image files. All program code in the applet has, however, been made difficult to decode with common reverse-engineering tools.
The problem with trying to improve security by drawing a veil over what goes on inside the software is that no outsider gets the opportunity to see whether it is safe: neither the bad guys nor the people the security is supposed to protect.
This means that users simply have to trust the supplier to have made the system so secure that it cannot be hacked. And when security by obscurity is, as in this case, accompanied by deafening silence from Nets DanID, it becomes increasingly difficult to dismiss the possibility that the hidden code in the GIF image files does not come from Nets DanID at all, but from hackers.
"The alternative is to design a system where you can publish all the details and the source code. That is what is done with all open encryption standards. Then you have many eyes looking at the system, and you gain the trust of the users," says Joseph Kiniry to Version2.
Hiding security details through security by obscurity is not popular among IT security professionals, because it is not security built into a sound design, but simply a bet that criminals cannot figure out what is going on behind the veil.
"If you use the standard methods of security by obscurity, you can raise the bar a bit and keep the dumbest criminals away. If you go even further with security by obscurity, you can raise it even more, but you can never keep everyone out. The determined criminals will always be able to achieve what they want," says Joseph Kiniry.
The security of NemID has come into sharp focus after eight Nordea customers had money stolen from their online banking accounts as a result of a phishing attack, in which they were lured into disclosing their login information in a so-called man-in-the-middle attack.
DanID denied that such an attack means that NemID's security is insufficient, because the attack depends on the criminals enticing the user to follow a link.
Comments (12)
Take a long and thorough look at the IC4 trains that are now kept decommissioned at Aarhus Station. That is how it looks when you keep a doomed venture alive. How many citizens did not already ask themselves, back in the middle of the last decade, what the meaning of the IC4 madness was, and why Ansaldobreda was given free rein.
Until now there has not been a single success story in connection with NemID besides how many people are using it, which of course can obviously be attributed to coercion and not to any natural customer influx. On the contrary, there has already been a star cavalcade of operational problems, incompetence, security holes and delays. All spiced with outrageously poor communication, lies, distortion or just arrogant disregard for criticism.
Dear politicians: how many cadavers must tumble out of the closet before you say "enough is enough", take the job away from DanID and have a system created by direct labor, as it should be made according to professionals, mathematicians and security experts. Not to talk
