AVG CTF problems

A few days ago AVG, which is a nice lightweight and free anti virus program, started giving me strange error messages when I tried to update my AV definitions. It was complaining that the “CTF control files” had been corrupted somehow, but offered neither explanation nor remedy. After realising it wasn’t going to go away by itself , I did some digging and found the “ctf” files it was complaining about. To save you time looking, the files can be found in :

C:\Documents and Settings\All Users\Application Data\Avg8\update\download

Luckily this problem is very easy to fix, just delete the ctf files in that directory (but don’t touch the bin files as I believe these are the incremental AV definitions) and run a manual update.

I hope that helps anyone in a similar position.

Spore Awarded Dubious Honour

I am sure EA will be squirming as they are given the dubious honour of having the most pirate game ever. According to torrentfreak, Spore has been pirated 17 million times since it’s release in September, that is a staggering amount of lost revenue. Spore is currently selling on Amazon for £29.99, that equates to nearly £51,000,0000 of lost revenue for the company. Now I am no huge fan of EA, but that amount has to hurt especially in the current financial climate.

One has to wonder however, what percentage of that 17 million were gamers who simply rebelled against Spore’s draconian DRM which I ranted about previously? Moreover, how many people just skipped buying Spore altogether? There will always be piracy, but by making it harder for ordinary users (and not affecting pirates at all) EA and other companies are merely shooting themselves in the foot. I don’t blame them for trying to protect their interests, however I think they have things sadly backwards.

I neither pirated nor bought the game out of protest and, a few months on, I don’t feel a need or desire to reverse my decision. Which is a shame and a lost opportunity for EA and a waste as I think I probably have enjoyed it.

Spore Spurrned

Way back in 2005, Will Wright got on a stage and proclaimed the future of gaming did not have to include ultra high resolution graphic, overly flashy animations and scripted environments. He described his vision of a game which was by its very nature, procedurally generated from the textures to the very mechanics themselves.

He got a standing ovation – not just from the crowd, but from me as well which probably looked a bit peculiar to those around me, seeing as I was watching this on youtube. As time went on, gamers were tantalised further and further from videos of Robin Williams creating his own creature to more recently the Spore Creature Creator. All was not well however, unknown to the larger gaming community, storm clouds were forming behind the scenes, the weather system was called EA.

Fast forward to today, the game has been released and for the most part it lives up to Will’s original promises. It is fun, imaginative, very configurable and different. So why have I and many others not bought it?! Why is the rating for the game on Amazon so low? DRM has hit land.

DRM, or digital rights management, is a mechanism or system by which control and access to something (MP3s, DVD / Blueray video, Games etc) is restricted to predefined parameters. Despite countless examples of DRM not working companies still convinced it is their only method of protecting their products press forward with more and more limiting restrictions. Whilst I can understand a system which stops someone buying a game and then installing on ten computers belonging to their friends DRM has gone a lot further. Depending on implementation, it can install hidden software on computer systems, deny owners of legally purchased content (e.g. music) to play it on all their devices and generally inconveniences loyal, legal customers.

But thats all well I good, I hear you say, these companies are stopping people from stealing their work which they are perfectly entitled to. If that were the case, I would agree (despite my reservations.) However such is not the case, you see DRM doesn’t work. Copy protections are circumvented typically quicker than they make it to market. With a bit of know-how, anyone with a reasonable internet connection can illegally download copyrighted music, videos or games which have this copy protection entirely removed. Even more absurdly, in some cases, at a better quality than could be purchased legally! I could go on and on for a while backing up my claims, presenting examples but I am getting off topic.

So why have I yet to buy Spore? Simple, its not that I don’t want it, the converse is true, Spore uses SecureRom coupled with an activation system that allows the game to be installed three times. No more. So if you need to rebuild / reinstall your system or you buy another computer, that’s another install gone. After three installs, the game will no longer work.. that is until you buy another copy. Ludicrous huh? And Spore is not the only game to have such a draconian system, Bioshock and Mass Effect had similar ‘controls’ bundled with them. I did not buy Mass Effect for that reason, luckily I managed to buy Bioshock on steam without such restrictions.

So what is the point of all of this, have EA saved money from people not pirating their game? Quite the contrary, you see, this copy protection system EA seem to be dry humping was cracked and a completely unprotected version of Spore was released to P2P sites before the game was officially released. Turning legitimate users who paid money to buy a game, only to find they were just leasing it, are being driven to piracy sites just to install a game they legally own and others are simply not bothering to buy it, or worst still for EA and Will Wright, pirating it. DRM does not work, certainly in this case EA have lost money than they would have had they released the game with no copy protection. In fact, it made me smile today to read on slashdot that they are being sued because of this tomfoolery.

EDIT: Just found an article with EA relaxing the restrictions slightly. Now you can install the game five times and ‘deactivate’ installed copies. I know someone who installed the game on three PCs when it came out. He is still waiting on EA to de-authorise two of the copies. I will buy the game but only if I can get it without SecureRom and this activation nonsense.

EDIT 2: Ars technica as a great article on this topic, claiming that, despite EA’s stupid DRM Spore has been downloaded more than half a million times. I wonder what percentage were protest downloads?

What Morons are running this country?!?

It seems that almost every other week there is a revelation in the United Kingdom about data going missing. From mindless fools posting unsecured data on CD/DVDs to flash drives containing military or intelligence data being left in public places. It was bad enough last year when a Government agency lost CDs containing the personal details of 25 million people, but the public was prepared to accept that such things can and do happen occasionally. But since then, more and more data appears to have been misplaced, culminating in the revelation today that a 500Gb hard drive containing details of 5000 prison officers has been lost.

What irkes me the most about all of this, is that no-one appears to have the common sense to use an off the shelf utility (I could name a variety) to encrypt this data! I can (just) understand in a ’secure’ government environment where data is accessed continuously that encryption would not be viable*, but when the data is being transported, not to secure it somehow is criminal! I am not even talking asymmetric cryptography which takes some brains and infrastructure to set up, but how about just using a one time symmetric cryptography model purely for when the data is out of a secure environment?!?!

Data ‘Protection’ minister Michael Wills really needs to start clamping down on these rouge operators who seem to have no respect for the sanctity of personal or sensitive information or resign, I (and I am sure many others) have had enough of our country continually being a laughing stock for having data security policies which resemble a particularly effectual colander.

*although a variety of transparent encryption technologies exist.

Oyster card security broken.

Oyster cards are cards containing RFIDs which facilitate transport on the London Underground (and overground) networks. I had been wondering for a while how exactly they worked, but not finding much detailed information online I based my conclusions initially on my observations.

Here is what I have deduced.

1. Each RFID card has a unique ID which is recorded during each transaction with a card scanner.

Any Oyster user can access their usage history, either online or via a Oyster top up machine. This presents an interesting problem – if you can check up on where your card has been, what is to stop Transport for London from using the same information? Either individually or as part of the collective, it presents a very detailed picture of individual and mass use of the transport network.

2. The RFID works passively and contains a small amount of EEPROM.

Given that the Oyster card needs to be ‘tapped’ on the reader every time, it is safe to assume that the RFID does not have an internal power source. Instead, it only becomes ‘active’ with the energy it obtains via induction from the electromagnetic field close to the surface of the Oyster touch point. This energy is sufficient to power up the (presumably) CMOS device which then sends the encrypted data to the reader. It is not clear at this point whether the reader then sends back a response with the new balance to the card, or whether the entire ‘transaction’ process is done on the RFID card.

3. The information stored on the EEPROM is encrypted, most likely with symmetrical cryptography.

4. When scanned, the information from the Oyser card is used, it is not pulled from a central server.

When updating the Oyster card the card itself must be touched against a scanner. If this is not done the balance is not applied. I initially believed all balance and travel card information was securely stored on a ‘mothership’ server. This clearly can’t be entirely the case. Although, when a top-up is bought online, it is stored in the Oyster system until the Oyster card is touched on a reader somewhere in London. This suggests there is a ‘mothership’ server which records all this information, although it is likely it is only linked to newsagent kiosks and top-up points, not the barriers themselves otherwise there would be no need to store the information on the card.

5. Not only can the RFID store a balance, it can also store season tickets for a variety of durations and zone validities.

However, the title of the post suggests the security is broken, and indeed it is, although not through my investigations. A Dutch team took this a step further.

It turns out almost all my assumptions were correct, the Dutch team used a portable device to ‘touch-in’ on an Oyster reader, this disclosed the encryption key used on the Oyster device which they then stole. In possession of this, not only could they decrypt any Oyster card to determine how the information was stored but they could also theoretically generate any balance or season ticket, which encrypted properly would be indistinguishable from the real (paid for) thing.

However, to avoid no doubt countless hours of reverse engineering, the Dutch team brushed up against commuters on the tube and wirelessly interrogated their cards, stealing the information that was on them. This allowed the team to effectively clone cards which were valid, entitling them to free travel.

But the story does not end there, it turns out the company that makes the RFIDs for Oyster cards is called MIFARE, and their chips are used in a wide variety of sensitive installations in a variety of countries.

When the file extension… is not the file extension.

I was bemused to read on bbc news earlier that a trivially simply ploy stung half a million file sharers. The concept is nothing new having been started a fair few years ago by virus / malware writers and adopted by Copyright enforcement agencies in recent years. Do the anatomy of a decentralised file sharing system, anyone can seed a file. Once this seeded file is made available to the peer-to-peer network it either becomes advertised to a localised central file distributor (referred to as a Super Node or Server) or is found during a spider search query run by another user logged into the peer to peer network. If these files are topical or sought after, they can be transferred onto a different node (client) rapidly. There they are stored in the second user’s ’shared’ directory where more people can download it.

Once a seeded file has been downloaded and spread over a few tens of nodes the rate at which it can be downloaded by others increases almost exponentially with a cascade like effect. Other people of the peer to peer network are lured into downloading this file based on the number of people who have it therefore assuming it must be genuine and would be comparatively quick to obtain. Couple this with a topical or sought-after song / album or file aimed at the masses (who statistically would contain a fair percentage of PC-illiterate users and those with a penchance for agreeing to all the pop ups they come across) means these files explode across networks.

This malicious file in question appears to have masqueraded as a MP3 by Girls Aloud. Given the fact that on running the file pops up a message saying the computer requires a codec to play the song and tries to direct you to a website in order to download it, most computer users would stop and reexamine what they had just downloaded. People that brazenly proceeded and downloaded the malicious ‘codec’ package had spyware installed on their system which would ‘bombard’ users with pop ups. Also, the download file would spawn copies of itself within the User’s shared folder under different names to try to make itself attractive to a greater audience.

But what happened? How were people tricked into downloading an MP3 file but ended up running a malicuous program? The answer to this lies in the file type. Broadly speaking, there are two ways in which a file can be opened:

1) via script or binary execution (e.g. .exe, .com, .vbs, .java, .scr … and some others)

2) via program read from an external application (e.g. .txt, .doc, .wav, .mpg, .avi …. and MANY more.)

MP3 files (Moving Picture Experts Group version 1 audio layer 3) are the latter, upon execution, Windows searches through its list of known file extensions stored in the registry to see what it should do. It instantly finds the entry for MP3 and sees this type of file is handled by a media player like Windows Media Player, WinAMP, iTunes etc etc. Windows then executes the media player which, on loading, opens the MP3 file specified in the command line argument, decodes a block, fills its buffer and starts to play. Unless a clever trick like a buffer overflow is used, which have historically been responsible for security breaches in various Windows programs as well as console homebrew development, this renders all ‘program read’ type files harmless*. As such we have to look elsewhere for the source of this problem.

That brings us nicely to the point I wanted to raise in this post, file extensions and more specifically, security vulnerabilities in their implementation. Recent versions of Windows from XP (and possibly earlier, I can not remember) have automatically hidden the file extension by default leaving the user to distinguish between file types by iconographic representations. Whilst at times this is both cleaner looking and more functional, it does present an interesting security problem, what if there are two file extensions? Window will quite happily truncate the file .xxx from a file name leaving the first extension, despite the fact Windows ignores anything before the final .xxx . As a result, if you name a file SomethingInteresting.mp3.exe, in its default state, Windows will happily display the file as SomethingInteresting.mp3 but will execute the file as an EXE when double clicked. Obviously, if you quieried the file by right clicking on it and selecting properties you would be immediately told what type of file it is, but most people will take the file at face value.

Luckily there is a very simple way to gaurd against such black magic, in Windows XP and Vista** in the file browser, goto the Tools menu and select Folder Options.

In this dialog, uncheck ‘Hide extensions for known file types’ and click Apply followed by clicking Apply to all folders.

And that’s it! A simple check box and some common sense now separates you from being lured into downloading fake or malicious files.

* Some files like some movies can have containers which direct the media player or operating system to web pages. It is not just media files which are vulnerable but this is a completely different topic.

** In Vista you may have to enable the classic menu

Test your password!

I found a fantastic site today which quickly and transparently tests the strength of your password(s). I would not recommend you actually type your current passwords in (just in case there is some sneaky javascript code) but it is interesting to experiment with different password combinations.

Since I was on the topic of passwords, I ended up writing a brief post about how to choose a good password and general password security.

A good password should be four things:

1) Use at least two cases* (e.g. lower case, upper case, ‘number’ case and ‘character’ case.)

2) Be a suitable length – anything less than 7 characters should be avoided.

3) Not include repetition within the password and should not be used for more than one application.

4) Be something personal or easy to guess (a birthday, pet or family member name or related to the application – for example ‘email’ as a password for your email account would be ludicrous.)

Let look at some examples:

The old favourite: “password”. As you can see from the rating below, it is a terrible password. Not only is it predictable (and one of the most commonly used passwords) but it uses only one case and has some repetition (sequential double ’s’.)

A slightly better version of the old classic: “pa55word”. This time, all I had done is replaced the ’s’ with the 733t-ified version. By adding numbers, the complexity of the password has increased dramatically although it is still hindered by repetition.

Lets go even further: “Pa55Word”. Now we are using three cases and the result is predictably much stronger than using two cases alone.

And finally, lets go nuts: “Pa5!Word”. Using all the cases available on the Roman alphabet and removing all sequential characters. It is still not a brilliant password, but it is head and shoulders above the others.

Whilst choice and selection of password is important, it is not always essential to pick random strings as your password. Whilst passwords like gY$5c0p[ are very strong (it scored 92%) it is difficult for most people to remember them due to their entropic nature. It is therefore important to marry practicality with security and my advice to anyone picking a password would be to think of a word (or phrase) and substitute some of the letters for numbers / capitals / characters as in the example above**.

Password hints:

1) If you are choosing a very important password, pick a passage from a book. For example, the first 3 (or as many as you want) words from the first line of a particular page** and add a good degree of randomness to it as described above. If you need to jog your memory in the future, simply refer to that page and it should normally come back to you.

2) If you must write or record your password, obfuscate (via a stenographic method) it! Split it in half (or more pieces) and hide the password/passphrase in several bits of innocuous data. For example: If you made your password Nice225 Woods987 then you could store the following contacts somewhere:

William Nice +44207 750 1225

Christian Woods +43133 987 3245

The same method can be applied for card PIN numbers which can be stored as part of a dummy contact on a mobile phone.

3) Never stick to the same password for more than one service – if someone compromises one password, all your services will be vulnerable.

4) Scale your password to the particular security environment. A password that is used for an unencrypted email account need not be as strong as one for a SSH / VPN / Remote Terminal or VNC account.

5) For accounts you are particularly cautions with, rotate your password frequently. This need not be very week or even every month. If you change your password every 2 or 3 months, it will provide a much better protection against online stalkers who may be lurking and checking your accounts / emails periodically.

6) Passwords can be passphrases! It is much easier to remember a line of a story / poem etc than a bunch of rubbish. Unfortunately, even if that line of text is long enough, it will not offset the problems** caused by character repetition, although it would be important to obfuscate it in some way.

Appendix

* The reason cases are so important is simply a matter of maths. If an attacker knows the password is only one (or two) cases, it significantly reduces the amount of computational time to brute force (or guess) the password. Take for example, a password with only one case (lets assume its lower case). There are only, 26 characters in the Western (Roman) alphabet meaning the complexity of the password is:

…if the password is 4 characters long, there are : 456976 combinations.

If the password is 8 characters long, there are : 208827064576 combinations.

Now lets assume two cases (lower and upper case) are used. Now the attacker has to try a total of 52 character combinations for every character suspected to be in the password.

…if the password is 4 characters long, there are : 7311616 combinations.

If the password is 8 characters long, there are : 53459728531456 combinations.

You can quickly see the significance in the numbers. If to round it off, we try all the (printable) characters available (94), an 8 character long password would have 6095689385410816 combinations!!

** Generally speaking, when trying to create a password, we are trying to create as entropic an outcome as possible as this will be the most computationally time consuming to break. The entropic value measured per key is calculated on the basis that each key press is independent and the entropy per key essentially increases with increased character range.

1 Source

2 Source

Due to the manner in which language is constructed, the occurrence of letter like vowels is dramatically increased leading to a much decreased entropy per key. This means, in order to create a reasonable secure 64bit key, you would need approximately 58 characters as opposed to only 10 if all characters are used.e

Vista SP1 – A reflection

It is interesting how perusing or glancing at the popular tech topic currently doing the rounds on wordpress can give an insight into the impact such announcements (or software/game/hardware/press releases etc) are having on the general public. Its all well and good reading about something (in this case Vista Service Pack 1) from recognised tech insiders such as Paul Thurrott, it is far more telling to read about the experiences everyone else is having.

Here are a selection of headlines from the last few days,

Vista wreaks havok on some PCs, users complain (anti Vista blog), My Nightmare trying to upgrade to SP1 (Insightful look into incompatible drivers), Vista SP1 update not showing up is for your own good (Reasons why SP1 may not be available yet for some people), SP1 Now available, Delayed, Delayed, Delayed, SP1 Day two (interesting positive feedback from a user), Hell has frozen over (overexcited user).

And guess what? Its not (entirely) the usual doom and gloom and has become almost ubiquitous when it comes to reports about Vista. Vista Service Pack 1 has come a long way since internal betas handed out to the Microsoft beta testers. These poor guys must have been feeling particularly abused this time round if the early write ups are anything to go by. With several restarts required to complete the process (and a few hours) these so-called tech elite reported back their thoughts on the process and as you can imagine, even the most staunchly pro-Microsoft of them has a few ‘choice’ comments to make.

But anyway, fast forward to now and you will see in your Windows Updates Vista Service Pack 1 waiting patiently for you to let it into your digital home. Software and hardware compatibility is good and the lengthy installation process has been slimmed down dramatically to a single reboot after completion. Inevitably it won’t go that way for everyone with some users reporting issues with certain drivers. To Microsoft’s credit, a fairly comprehensive list of drivers that have issues has been published and I have reproduced the list below.

Realtek AC’97

For x86-based computers: Alcxwdm.sys – version 6.0.1.6242 or earlier
For x64-based computers: Alcwdm64.sys – version 6.0.1.6242 or earlier
SigmaTel

For x86-based computers: Sthda.sys – version 5.10.5762.0 or earlier
For x64-based computers: Sthda64.sys – version 5.10.5762.0 or earlier
SigmaTel

For x86-based computers: Stwrt.sys – version 6.10.5511.0 or earlier
For x64-based computers: Stwrt64.sys – version 6.10.5511.0 or earlier
Creative Audigy

For x86-based and x64-based computers: Ctaud2k.sys – version 6.0.1.1242 or earlier
For x86-based computers: P17.sys – all versions (This was originally a Windows XP-based driver.)
Conexant HD Audio

For x86-based computers: Chdart.sys – version 4.32.0.0 or earlier
For x64-based computers: Chdart64.sys – version 4.32.0.0 or earlier
Display drivers

Intel Display

For x86-based computers: Igdkmd32.sys – versions between and including driver 7.14.10.1322 and 7.14.10.1403
For x64-based computers: Igdkmd64.sys – versions between and including driver 7.14.10.1322 and 7.14.10.1403

Unfortunately, I am the (not-so) proud owner of a Ac’97 soundcard in my primary laptop so it looks like I may have to fish around for drivers (AGAIN!!) to get my laptop to work properly with Redmond’s latest offering. The issues here are not Microsoft’s fault. Infact, as several tech insiders have noted, Microsoft was beating the drum about drivers to ODM/OEMs for months prior to Vista’s (and SP1’s) release but when the moment came to deliver, most manufacturers did not come to the party.

The reason is simply, it is not really cost effective. Take a computer you bought in the last few years (or Motherboard) and goto the manufacturer’s website and check the date of the ‘latest’ drivers (or BIOS.) Whilst these companies are fairly diligent during the product’s lifecycle, when they move onto something else, they stop putting out bugfixes or updates because it no longer makes commercial sense for them to pay their software engineers to do so. When Vista came out, many people had equipment (like me) that was designed for XP but could, with a fair amount of tweaking, run Vista very comfortably. The problem I (and many others) faced was a complete lack of native driver support for this hardware. I understand the problem, but I still think it is ridiculous. Microsoft did try to smooth this over by building in a compatibility layer into Vista to allow the loading of some XP drivers and while this helped a lot, there were performance penalties.

For now, I am not particularly fussed about SP1 so I will be sticking to vanilla Vista until either these driver issues are resolved (unlikely) or I get the time to find replacement drivers for my laptop.

MSN Spamharvesting – A Caution…

Let me set the scene, I was randomly on MSN when a friend of mine sent me a message saying “http://www.almanbirasi.info/list ” On inspection, the site appears to offer a service to tell users who has blocked them on their contact list, a function not available in regular MSN.

I would highly advise anyone looking at any such ‘third party’ service to do a bit of background digging before giving ANY of their details over to a dubious third party. I was immediately suspicious and I will detail for you why.

1) The page looks well designed, but has no google page rank. This can mean one of many things, but usually it means a site or page is new. A service such as a MSN block checker is likely to spread virally (if it worked and was genuine) and this would likely lead to it being assigned a google page rank. An example where this SEO based tool can be very handy.

2) Whenever you are prompted for personal or account details, you should immediately stop for a sanity check – look to see who owns the site (can be done by a whois) and if your data will be secure. This takes on two forms, one – is the site reputable (can be checked a number of ways) and two – will your data be secure ? For the latter, considerations of encryption (is the page SSL secured) and data storage (does the site have a privacy policy etc)

3) The link ‘http://www.almanbirasi.info/list’ infact takes you to a page ‘http://www.msnliststatus.com/’ which is a bit odd.

4) The .info TLD – call me a domain-ist if you will, but I don’t trust this TLD.

5) The terms of service explicitly state that by using their service you are opting in to (a doubtlessly un-opt-out-able) advertising service.

As it turns out I was right, I sent a message back expressing my concerns to this person, assuming he had stumbled across it and sent me the link. Here is the conversation we had, edited to remove the name of the person.

Person A says:
http://www.almanbirasi.info/list
Konrad says:
what is this?
Konrad says:
haha no way!
Konrad says:
it has no page rank, i.e. its a great way to loose your login details to do something you can do within gaim / pidgin
Person A says:
huh?
Konrad says:
I would not use it
Person A says:
huh?
Konrad says:
looks like a big security hole
Person A says:
what?
Konrad says:
lol you tried it didnt you?
Person A says:
what?
Person A says:
did it just send a message for me?
Person A says:
fucking thing
Konrad says:
hahahaha!
Person A says:
sorry, just changing my password
Konrad says:
lol
Konrad says:
thats funny
Person A says:
did it send a message to you
Konrad says:
yes

So, as you can see, he used this utility and it logged into his account, sent me (and presumably others) a link back to its page without him either knowing or expressing his permission for this. It appears this has been going on for a few months with users also reporting having their accounts hijacked. Luckily there is a very simple way to determine whether you are on a person’s contact list or whether he/she has blocked you on a variety of accounts not just MSN like Googletalk, ICQ, AIM etc. It involves using a free open source program called Pidgin.

Install it, setup the account you want to use and login. Right click on the contact and select ‘Get Info’ this window should tell you everything you want to know about a certain contact as illustrated below.

My friend is very clued up about systems, IT and security but he fell for it, just be careful on the web.

Local Client Insecurity

Any tech-savvy user will know of a handful of security vulnerabilities relating to desktop computing, these can range from remote attacks (Man in the middle / Malware / DDoS / Brute Forcing / Port Scanning) to local exploits ( hardware & software keystroke logging / more Malware / dailers etc.)

In-fact, apart from the distant days of Windows 95 I cant recall a time when there were more things for security conscious users to be worried about. Back in the middle to late 90s, the internet was gradually becoming common place and within the reach of the layman. Unfortunately these users typically didn’t (or didn’t have a sufficiently fast connection – 4hrs for IE 4.0 update?) update software to patch security holes. The term script-kiddy was coined, referring to individuals who would use “off the shelf” exploit programs to wreak havoc. These easily found resources would be effective for months (if not years) due to the majority of users being completely clueless or disinterested in protecting their digital homes.

Fast forward to modern day, wireless hacking tools exploiting the poor design and implementation of WEP encryption have been commonplace for a number of years now. Wireless equipment manufacturers have taken on the role of securing their client’s networks by shipping routers with WEP (and more recently WPA) enabled by default which has helped secure many home networks from a variety of threats, from freeloading neighbours to network peeping toms. Security software companies have helped raise awareness while peddling their, often rather poor offerings to the unsuspecting public. (Norton anyone?)

By now everyone must know that running WEP on a Wifi connections is potentially extremely risky, those reading this who are still running an unencrypted Wireless Access point without some kind of secondary encryption system should stop what they are doing and read up on this.

It would appear that even wireless keyboards (using 27Mhz radio transmitters not Bluetooth) are vulnerable (although Bluetooth ones are also but via a different type of attack.) It turns out that security was probably very low down on the list of priorities during development of this common interface extension. The security system emplyed uses a single bit XOR encryption. The best explanation of how rubbish this is stems from TechFaq’s definition / explaination of XOR :

“XOR encryption is a trivially simple symmetric cipher which is used in many applications where security is not a defined requirement.”

The article concludes that there are only 256 possible keys that are set once a keyboard / receiver have been paired with no periodic shifting. It does make you wonder how easy it would be to build a portable device designed to record all 27Mhz data it can pull off the air for later analysis. Whilst the majority of the time it would capture useless keystrokes or harmless IM conversations, it could potentially capture bank details (although most banks now use secondary non input based authentication) or email / shopping account passwords. As if we didnt have enough to worry about with both software and hardware keyloggers already.