Securing Public Web Servers
NIST Guide 800-44
Web servers may also face indirect attacks to gain information from their users. In these attacks, the user is persuaded or automatically directed to visit a malicious Web site that appears to be legitimate. The identifying information that is harvested may be used to access the Web site itself or form the basis for identity theft. Successful attacks can compromise confidential Web site resources or harm an organization's image.
Federal Information Processing Standard
NIST Secure Hash Standard, Publication 180-3
NIST Keyed Hash Message Authentication Code, Publication 198-1
This document reviews five secure hash algorithms (SHAs), called SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512, which are used to condense input messages to fixed-length messages, called message digests. These algorithms produce 160, 256, 384, and 512-bit message digests, respectively. [Part 01] [Part 02]
Biometrics
NIST Fact Sheet Publication
Biometric technology systems recognize a person based on physiological characteristics, such as fingerprints, hand and facial features, and iris patterns, or on behavioral characteristics.
Robust Security Network
NIST Guide to IEEE 802.11i
This publication provides an explanation of the differences between WPA and WPA2 encryption and provides some information on the different features and functionality.
Loose Clicks Sink Ships
The Economist :: Science :: Computer Security
CLATTERING keyboards may seem the white noise of the modern age, but they betray more information than unwary typists realise. Simply by analysing audio recordings of keyboard clatter, computer scientists can now reconstruct an accurate transcript of what was typed, including passwords. And in contrast to many types of computer espionage, the process is simple, requiring only a cheap microphone and a desktop computer.
Such snooping is possible because each key produces a characteristic click, shaped by its position on the keyboard, the vigour and hand position of the typist, and the type of keyboard used. But past attempts to decipher keyboard sounds were only modestly successful, requiring a training session in which the computer matched a known transcript to an audio recording of each key being struck. Thus schooled, the software could still identify only 80% of the characters in a different transcript of the same typist on the same machine. Furthermore, each new typist or keyboard required a fresh transcript and training session, limiting the method's appeal to would-be hackers.
Now, in a blow to acoustic security, Doug Tygar and his colleagues at the University of California, Berkeley, have published details of an approach that reaches 96% accuracy, even without a labelled training transcript. The new approach employs methods developed for speech-recognition software to group together all the similar-sounding keystrokes in a recording, generating an alphabet of clicks. The software tentatively assigns each click a letter based on its frequency, then tests the message created by this assignment using statistical models of the English language.
For example, certain letters or words are more likely to occur together: if an unknown keystroke follows a "t", it is much more likely to be an "h" than an "x". Similarly, the words "for example" make likelier bedfellows than "fur example". In a final refinement, the researchers employed a method many students would do well to deploy on term papers: automated spellchecking. By repeatedly revising unlikely or incorrect letter assignments, Dr Tygar's software extracts sense from sonic chaos. That said, the method does have one limitation: in order to apply the language model, at least five minutes of the recorded typing had to be in standard English (though in principle any systematic language or alphabet would work). But once those requirements are met, the program can decode anything from epic prose to randomised, ten-character passwords.
This sort of acoustic analysis might sound like the exclusive province of spies and spooks, but according to Dr Tygar, such attacks are not as esoteric as you might expect. He says it is quite simple to find the instructions needed to build a parabolic or laser microphone on the web. "You could just point one from outside through an office window to make a recording." And as he points out, would-be eavesdroppers might not even need their own recording equipment, as laptop computers increasingly come equipped with built-in microphones that could be hijacked.
To protect against these sonic incursions, Dr Tygar suggests a simple remedy: turn up the radio. His computers were less successful at parsing recordings made in noisy rooms. Ultimately, though, more sophisticated recording arrays could overcome even background noise, rendering any typed text vulnerable. Dr Tygar therefore recommends that typed passwords be phased out, to be replaced with biometric checks or multiple types of authorisation that combine a password with some form of silent verification (clicking on a pre-chosen picture in a selection of images, for example).
Loose lips may still sink ships, but for the moment it seems that an indiscreet keystroke can do just as much damage.