Viduped? Uh oh!

So here’s a question. How can Vidoop claim to be resistant to hacking when there’s this really obvious man-in-the-middle attack that can be executed on it? (After all, I believe it’s been suggested that we’ve all been “viduped”) First, it’s important (though I would have thought unnecessary) to bring up the word “resistant.” We say that Vidoop resists hacking because it’s harder to hack than usernames and passwords but does not actually defeat hacking wholesale.

Nothing can defeat hacking wholesale; there’s no authentication or authorization technology that is impervious to attack. Vidoop resists some man-in-the-middle attacks, largely shielding the user from automated hacking. But we also acknowledge that there are attacks that we can’t prevent.

A direct combination of a phishing and a man-in-the-middle attack was demonstrated in a video not long ago. That attack relies upon a user failing to recognize a suspicious e-mail, and then failing to notice that his computer should already be activated, that the site asking for activation is not legitimate and the URL is wrong, that SSL/TLS is disabled (a failure to “look for the lock”), that another computer has been activated on his account, and that there is likely a concurrent login to the site he is visiting. Though this is neither impossible nor even improbable for less seasoned users, it is a vulnerability against which every authentication scheme without major usability barriers offers no more resistance than Vidoop Secure does.

Furthermore, even when the raw data is available to the man in the middle, the presence of a human familiar with the image categories would be necessary in order to distill the surveillance into useful information for later login attempts. Attacking Vidoop users’ login information en masse is much more difficult than with usernames and passwords because of the burden of human cognition on the hackers. There is also an additional burden of intermediate storage. While the automated system collects login session traffic, it must store the images of the grid as well as the username and one-time access code somewhere for a human to guess at the categories later.

Alternatively, suppose that a thousand users have, through lapses in vigilance, had their information compromised by this MITM-phishing attack. The hacker may just want to take the automated approach, guessing at the grid at random to avoid having to actually engage himself in the process.

Let’s say the hacker is attacking myVidoop.com, where the chances of guessing the grid are 1 in 55 before you’re locked out. Now, even if he employs perfect OCR (optical character recognition) to determine which letters are actually choices on the grid, the hacker will only get one in every 73 of those 1,000 users whose grids he has access to. That’s 18 users. Without OCR, the odds become 1 in 650, which would mean that likely only one or two users would be compromised.

That’s pretty amazing, isn’t it? Only 1.8% (0.15% without OCR) of users whose credentials have been totally stolen will actually have their identities compromised by an automated system. If they had been using passwords, all 1,000 users would have been totally compromised. With myVidoop.com’s configuration, somewhere between 1 and 14 likely would have. Hardly an indictment. More like a vindication.
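Since the odds above are only stated in prose, here is an added toy model of the image-grid login (illustration code, not Vidoop's; the grid size, number of secret categories and letter alphabet are constructed assumptions, so it will not reproduce the 1-in-55 or 1-in-73 figures) that computes the chance an automated guesser cracks a captured grid with and without OCR, and checks that figure by simulation:

```python
import math
import random
import string
from fractions import Fraction

# Toy model of a Vidoop-style image grid (constructed assumptions, not Vidoop's
# real parameters). Each cell shows a picture from one category plus a randomly
# assigned letter; the what-you-know secret is an ordered set of categories,
# and the one-time access code is the letters on those cells this login.
ALPHABET = string.ascii_uppercase

def make_grid(categories, rng):
    """Assign every category shown this login a distinct random letter."""
    return dict(zip(categories, rng.sample(ALPHABET, len(categories))))

def access_code(grid, secret):
    """What the legitimate user types: the letters on their secret categories."""
    return "".join(grid[c] for c in secret)

def code_space(cells, secret_len, ocr):
    """With OCR a guess is an ordered pick of distinct grid letters; without
    it the attacker must consider any string over the whole alphabet."""
    return math.perm(cells, secret_len) if ocr else len(ALPHABET) ** secret_len

def guess_odds(cells, secret_len, attempts, ocr):
    """Exact chance that distinct random guesses hit the code before lockout."""
    space = code_space(cells, secret_len, ocr)
    return Fraction(min(attempts, space), space)

def expected_compromised(users, cells, secret_len, attempts, ocr):
    """Of `users` captured grids, how many an automated guesser should crack."""
    return users * guess_odds(cells, secret_len, attempts, ocr)

def simulate(users, cells, secret_len, attempts, ocr, seed=1):
    """Monte Carlo check of expected_compromised (no human category-matching)."""
    rng = random.Random(seed)
    categories = [f"cat{i}" for i in range(cells)]
    budget = min(attempts, code_space(cells, secret_len, ocr))
    hits = 0
    for _ in range(users):
        secret = rng.sample(categories, secret_len)
        grid = make_grid(categories, rng)
        tried = set()
        while len(tried) < budget:  # attacker burns its pre-lockout attempts
            tried.add("".join(rng.sample(list(grid.values()), secret_len) if ocr
                              else rng.choices(ALPHABET, k=secret_len)))
        hits += access_code(grid, secret) in tried
    return hits
```

The gap between the OCR and no-OCR figures is the automation cost the post describes; the human step of matching captured letters to categories is deliberately left out of the model.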

One more thing. Check out this ha.ckers.org interview with an 18-year-old phisher who makes thousands of dollars a day by stealing passwords and account details and selling them. The kinds of things he does all depend on that return login — the one he would get 1.4% of the time by guessing at the grid!

I think that’s enough for now, but I want to invite people to make more videos, to ask more questions, to bring things to Vidoop and to me, because I’m really interested in seeing how our solution stacks up. We’re pretty sure we’ve got something special here, and it’s exciting to see people play with it and see what they can come up with. So get on myVidoop.com, play around, try to automatically log in, try to steal your own categories, and have fun.

Until next time,
George

2 Responses to “Viduped? Uh oh!”


  1. 2007/06/11 at 4:49 am

    I read on the vidoop site that the login method is resistant against keystroke logging. But it's not. Most keystroke loggers also record a screenshot every minute or every click. This means that if about 3 logins get “caught” in the keylogger, the attacker can figure out which categories the user has selected.

    The login method is very good in that it's resistant against brute-force. It's like combining a one-time password with a captcha.

    —————

    I'm trying to figure out a login method that relies on a physical credential, should work on any computer, even computers that are locked down so only keyboard, mouse and screen are available. It should not require the user to remember anything other than to bring the physical credential (the card) with himself.

    I'm experimenting with Visual Cryptography, which means that the user holds up a transparent card with black pixels against the screen (where the other part of the pixel image is shown), and gets a 12 digit numeric code that the user needs to enter.

    The problem is that it works on TFT/LCD screens or other flat screens, but not on cathode ray tubes. The distance between the card and screen distorts the image.

  2. 2007/06/11 at 8:35 am

    That’s pretty slick. I’ve read the foundational Naor & Shamir paper, and you’re definitely standing on the shoulders of giants. My thought is this: Rather than trying to adjust the key for the curvature of the monitor, what if you rendered the cryptograph such that it could be adjusted to compensate for curvature? “Check here if you’re not using a CRT” or something. Also, how much does the curvature vary between monitors? If it’s sufficiently similar, all you’d have to do (which is easy for ME to say, because I don’t have to code it) is grab the screen resolution with JavaScript and adjust accordingly, assuming you get to put the cryptograph in the same place every time.

    As far as keylogging is concerned, I’m probably going to do a demo of this sometime in the future, but the point is this. If you sent me even a keylogger that does something ridiculous like record full-frame video as it logs keystrokes, mouseclicks, and calls home, not only is it harder to get ahold of my what-you-know shared secret because you actually have to sit down and match keystrokes to categories manually, but you still don’t have my what-you-have software token.
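An added worked example of the card-against-the-screen scheme from the first comment and the Naor & Shamir construction the reply cites (illustration code, not the commenter's project; the secret bitmap, the 2-subpixel expansion and the pattern set are constructed choices):

```python
import random

# 2-out-of-2 visual secret sharing in the Naor-Shamir style, modelling the
# card-against-the-screen login from the comments (constructed example).
# The secret is a small bitmap (1 = black). Every pixel expands to a pair of
# subpixels: the card share gets a uniformly random pair, and the screen share
# copies it for a white pixel or complements it for a black one, so stacking
# the two shows half-black for white and fully black for black. Because the
# pair on each share is random regardless of the pixel, a share alone is noise.
PATTERNS = ((0, 1), (1, 0))

def make_shares(secret, rng=None):
    """Return (card_share, screen_share) as rows of subpixel pairs."""
    rng = rng or random.Random()
    card, screen = [], []
    for row in secret:
        c_row, s_row = [], []
        for px in row:
            pat = PATTERNS[rng.randrange(2)]
            c_row.append(pat)
            s_row.append(pat if px == 0 else tuple(1 - b for b in pat))
        card.append(c_row)
        screen.append(s_row)
    return card, screen

def overlay(card, screen):
    """Stack the transparencies: a subpixel is black if it is black on either."""
    return [[tuple(a | b for a, b in zip(cp, sp)) for cp, sp in zip(cr, sr)]
            for cr, sr in zip(card, screen)]

def decode(stacked):
    """Read the stacked image by contrast: two black subpixels mean black."""
    return [[1 if sum(pair) == 2 else 0 for pair in row] for row in stacked]

def render(share):
    """ASCII view of a share or stacked image (# = black subpixel)."""
    return "\n".join("".join("#" if b else "." for pair in row for b in pair)
                     for row in share)

# Constructed 5x3 secret bitmap: a digit 7 the user would read off and type.
SECRET = [[1, 1, 1], [0, 0, 1], [0, 1, 0], [0, 1, 0], [0, 1, 0]]
```

Decoding works only because each card pair lands exactly over its screen pair; any sideways shift re-pairs the subpixels and destroys the contrast, which is the alignment problem the curved CRT introduces.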
