I Had an Idea About Methods of Data Protection

[LjSpike]

Now, before anything else, i apologise if this should be in the speculatory threads area, it is my first post, but i reckon its more suitable here.

Recently a rise to what I could only really call 'physical keys' has dawned, such as texts to help verify a login or account creation.

Now, I had a slight idea when I was thinking about this, and it links to this magic part in your computer called the 'ROM'.

 

The ROM, for those of you who don't know, in very simple terms, tells your computer, what it is. So, what all its parts are and so on. So it can, well, do stuff!

Ok, now this is different on each different PC setup, and when it turns off, (which it will only ever do if the battery for it runs out, it stays on even when the computer is off) the computer is bust, and only really a specialist could fit a new ROM.

 

Now some of these new physical key things I find very time consuming, call me lazy, but I already have to put in a security question, password, account number, sort code and god knows what else to just view how much money i have in the bank. Its terribly time consuming then to have to use fiddly little devices to generates codes and put in more passwords to. What if we had a slightly 'different' approach to these ways of physical security, I mean, they can be VERY secure, but what about making a change to this long-standing component, called the ROM, or adding a secondary component, like a ROM, but slightly different.

 

Instead of telling your computer what it is, telling the person requesting the password, that well, its your computer.

Of course alone this wouldn't be very secure, but you could even have it a memory-stick mounted device if you wanted to, and then when you log on, it 'pings' your computer to ask around for this magic device, then if it recieves it, it accepts its probably you, as its your computer that is pinging it.

 

I guess you could say its a bit like a MAC address, but for whenever you use a password.

 

Just an idea, i'd love to know your thoughts

[fiveworlds]

Would you not just use air gapped networking?

[Sensei]

ROM is Read-Only Memory. Nothing magic at all.

https://en.wikipedia.org/wiki/Read-only_memory

It's like electronic version of CD/DVD.

It's burned once in factory, and never can be changed.

Rarely used these days.

 

BIOS is typically in EPROM

https://en.wikipedia.org/wiki/EPROM

Which means Erasable-Programmable ROM.

It requires significant actions to be erased, and reprogrammed. Read article.

"The programming process is not electrically reversible. To erase the data stored in the array of transistors, ultraviolet light is directed onto the die."

Or EEPROM

https://en.wikipedia.org/wiki/EEPROM

 

ROM/EPROM is the same in the same model of device.

Or at least should be if virus didn't overwrite it (EPROM) with its code.

Or you didn't upgrade BIOS by your self.

 

ROM/EPROM can be read by anybody. If you would store there (in EPROM) data they would be the worst secure ever.

 

Typically ROM/EPROM is not telling computer what it is. But it contains CPU program, which CPU is executing row by row.

[Strange]

Instead of telling your computer what it is, telling the person requesting the password, that well, its your computer.

 

Something like this: https://en.wikipedia.org/wiki/Trusted_Platform_Module ?

BIOS is typically in EPROM

 

Nowadays it is flash memory. And it is not very secure; there is quite a lot of malware that will reprogram the BIOS.

[LjSpike]

 

Something like this: https://en.wikipedia.org/wiki/Trusted_Platform_Module ?

Yeah, pretty much.

 

Nowadays it is flash memory. And it is not very secure; there is quite a lot of malware that will reprogram the BIOS.

Malware can't reprogram the BIOS can it? The bios is read-only?

 

 

ROM is Read-Only Memory. Nothing magic at all.

https://en.wikipedia.org/wiki/Read-only_memory

It's like electronic version of CD/DVD.

It's burned once in factory, and never can be changed.

Rarely used these days.

 

BIOS is typically in EPROM

https://en.wikipedia.org/wiki/EPROM

Which means Erasable-Programmable ROM.

It requires significant actions to be erased, and reprogrammed. Read article.

"The programming process is not electrically reversible. To erase the data stored in the array of transistors, ultraviolet light is directed onto the die."

Or EEPROM

https://en.wikipedia.org/wiki/EEPROM

 

ROM/EPROM is the same in the same model of device.

Or at least should be if virus didn't overwrite it (EPROM) with its code.

Or you didn't upgrade BIOS by your self.

 

ROM/EPROM can be read by anybody. If you would store there (in EPROM) data they would be the worst secure ever.

 

Typically ROM/EPROM is not telling computer what it is. But it contains CPU program, which CPU is executing row by row.

I can't say to know to much about EPROM, but ROM isn't in rare usage now. BIOS in a (standard) computer though, will be ROM, or atleast the very core of it. If the lovely little security mechanism is programmed into the ROM part, then it would be secure, the EPROM, im still unclear how that could be effected by a virus though, as it specifies it requires huge amounts of ultraviolet light to be directed onto the quartz, computer viruses can't (yet) magically make anything emit ultraviolet light?

[John Cuthber]

Yeah, pretty much.

 

Malware can't reprogram the BIOS can it? The bios is read-only?

 

 

I can't say to know to much about EPROM, but ROM isn't in rare usage now. BIOS in a (standard) computer though, will be ROM, or atleast the very core of it. If the lovely little security mechanism is programmed into the ROM part, then it would be secure, the EPROM, im still unclear how that could be effected by a virus though, as it specifies it requires huge amounts of ultraviolet light to be directed onto the quartz, computer viruses can't (yet) magically make anything emit ultraviolet light?

The BIOS is not read only.

There are about a zillion websites that tell you how to update i; here's an example.

http://www.howtogeek.com/196916/how-to-check-your-bios-version-and-update-it/

and, it's perfectly possible for malware to do that.

 

Also, not all eproms are uv eproms.

[Endy0816]

Main concern is that it would be single factor authentication. This has proven to be inadequate for protection of financial assets in the past.

[Roamer]

 

 

Recently a rise to what I could only really call 'physical keys' has dawned, such as texts to help verify a login or account creation.

 

Text ?? are you maybe referring to Captcha ?

The only physical key i got is for my bank(card + reader)

 

Captcha and the likes exist to make sure they're dealing with a real human who is putting in some effort to get in.

Because if only one in a million attempts-to-gain-access succeed there would be no way it would be worth it for a human hacker to get in,

but without Captcha the servers could be attacked by automated programmes trying out every different key.

Other solutions are possible, but they all amount to consuming more resources from a hacker to get in,

which would also consume more resources from the server and get costly one way or another.

Edited October 3, 2015 by Roamer

[LjSpike]

Main concern is that it would be single factor authentication. This has proven to be inadequate for protection of financial assets in the past.

I'd never think of using it as an individual factor authentication, nothing really uses individual factor authentication as its easy to get past, hence why its always password AND username... No, just as a replacement to some of the very slow, extra pieces of information.

---

 

 

 

Text ?? are you maybe referring to Captcha ?

The only physical key i got is for my bank(card + reader)

 

Captcha and the likes exist to make sure they're dealing with a real human who is putting in some effort to get in.

Because if only one in a million attempts-to-gain-access succeed there would be no way it would be worth it for a human hacker to get in,

but without Captcha the servers could be attacked by automated programmes trying out every different key.

Other solutions are possible, but they all amount to consuming more resources from a hacker to get in,

which would also consume more resources from the server and get costly one way or another.

No, I literally mean PHONE TEXTS. Captcha isn't text at all, its an image.

Also, a card reader just reads cards. No, I mean a physical object, not connected to a network, which offers capability to assist a login. For example, I have a little device that looks slightly like a calculator, I put in a code, it gives me a code based off its hardware and the time, that code then works to log in.

[Endy0816]

Usernames are not real secure these days.

 

Honestly sounds like your bank is simply more security focused than most. Mine, all I have to do is type in my password while using a trusted IP address.

[LjSpike]

Usernames are not real secure these days.

 

Honestly sounds like your bank is simply more security focused than most. Mine, all I have to do is type in my password while using a trusted IP address.

 

You seem to not fully understand the concept of a password. I shall explain its many benefits, which cause the accounts linked to passwords to be incredibly more secure:

1) They're memorable, thus don't have to be written down somewhere unlike a password, so say you get the password to this website for an account, you don't know which username it matches to, thus can't log in.

2) They cause many more combinations for a computer program to have to try if the website of such isn't using a captcha, so a 1 letter password has 26 possibilities, but a 1 letter password 1 letter username has 26x26 possibilities.

3) They offer the capacity to trick key loggers. Say you think you're being key logged, you can type in a letter of the username, then a letter of the password, and make sure you alternate, thus causing the keylogger to be fooled.

 

Usernames are used to make it double-factor or even triple-factor authentication, because single-factor authentication is very weak. Also you're bank is one of the least security-focused I've ever heard of, Most of them have at least a memorable question, password, and then require the account numbers input.

[Sensei]

3) They offer the capacity to trick key loggers. Say you think you're being key logged, you can type in a letter of the username, then a letter of the password, and make sure you alternate, thus causing the keylogger to be fooled.

Only poorly written key-logger will be fooled this way.

Because proper one, will check which window has focus using HWND GetFocus()

https://msdn.microsoft.com/en-us/library/windows/desktop/ms646294(v=vs.85).aspx

 

Key-logger/app also can use GetWindowText() to extract text already present in system-compatible GUI.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms633520(v=vs.85).aspx

Edited October 4, 2015 by Sensei

[Endy0816]

Only poorly written key-logger will be fooled this way.

Because proper one, will check which window has focus using HWND GetFocus()

https://msdn.microsoft.com/en-us/library/windows/desktop/ms646294(v=vs.85).aspx

 

Key-logger/app also can use GetWindowText() to extract text already present in system-compatible GUI.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms633520(v=vs.85).aspx

 

I've seen random layout virtual keyboards used to combat this. Interesting to see the moves and counter-moves.

 

 

 

You seem to not fully understand the concept of a password. I shall explain its many benefits, which cause the accounts linked to passwords to be incredibly more secure:

1) They're memorable, thus don't have to be written down somewhere unlike a password, so say you get the password to this website for an account, you don't know which username it matches to, thus can't log in.

 

There's only so many members. Nothing for a script to try them all here. More practically you can probably narrow it down significantly based on where you found it, even better if the person has the username field set to auto-fill.

 

Really you want to use a passphrase whenever more security is desired, at least until something better comes along.

 

People tend to reuse usernames. They are after all memorable. Probably the main issue. If we gave people the fields:

Password 1:

Password 2:

the situation would probably be different.

 

As it is they are low complexity and often reused. Passwords aren't much better but differing complexity requirements at least add some kind of wrinkle.

 

 

Usernames are used to make it double-factor or even triple-factor authentication, because single-factor authentication is very weak. Also you're bank is one of the least security-focused I've ever heard of, Most of them have at least a memorable question, password, and then require the account numbers input.

 

Security questions are used to validate IP addresses and in password recovery.

 

I'm sure UK law governing banking differs from that of the US, though I don't know the particulars. As a practical matter I safeguard my funds via use of credit, limiting my risk substantially. Something like a firewall.

 

Should note that there are security tokens out there that function similarly to what you are describing.

[John Cuthber]

 

I've seen random layout virtual keyboards used to combat this. Interesting to see the moves and counter-moves.

 

 

Can I blame one of them for my typing?

[LjSpike]

 

I've seen random layout virtual keyboards used to combat this. Interesting to see the moves and counter-moves.

 

 

 

There's only so many members. Nothing for a script to try them all here. More practically you can probably narrow it down significantly based on where you found it, even better if the person has the username field set to auto-fill.

 

Really you want to use a passphrase whenever more security is desired, at least until something better comes along.

 

People tend to reuse usernames. They are after all memorable. Probably the main issue. If we gave people the fields:

Password 1:

Password 2:

the situation would probably be different.

 

As it is they are low complexity and often reused. Passwords aren't much better but differing complexity requirements at least add some kind of wrinkle.

 

 

Security questions are used to validate IP addresses and in password recovery.

 

I'm sure UK law governing banking differs from that of the US, though I don't know the particulars. As a practical matter I safeguard my funds via use of credit, limiting my risk substantially. Something like a firewall.

 

Should note that there are security tokens out there that function similarly to what you are describing.

I didn't know about these security tokens. Interesting.

Anyway, A combat to the EPROM's eraseable by software stated earlier (terrible design flaw there, it should be a physical mechanism, but hey ho.) which makes this very 'weak' for security put it in the non-eraseable backup-ROM.

Also. To a point above about checking the fields, and copying text, thats no longer a keylogger, and is a trojan (Trojans watch what happens on the screen - in a manner of speaking. As keyloggers log key presses (and to a greater extent mouse clicks))

[John Cuthber]

 

Anyway, A combat to the EPROM's eraseable by software stated earlier (terrible design flaw there, it should be a physical mechanism, but hey ho.)

It's not a design flaw- it's just that you don't understand their purpose.

[Sensei]

(Trojans watch what happens on the screen - in a manner of speaking.)

No. Trojan is application which pretends some useful features to user, and does open door to hacker behind, without his/her knowledge.