Blog

What is a Timing Attack

A timing attack is a cryptographic issue where a hacker attempts to use the difference in processing time between two actions to gain information. Individually, the information gained is the amount of time it took to run the process with a particular set of input. Performed once, the processing time is insignificant; however, when performed in a series, the hacker can adjust the input (i.e. the password for a particular username) and use the increase or decrease in time to create a security hole by drastically reducing the remaining possibilities.

Normally, when software compares two strings it starts with the first character of each string and determines whether the characters are the same. If the first characters are the same, it moves to the second characters and tests them. This process continues until two characters are found to be different or one string runs out of characters. Conceptually, if it took 1 second to compare two 1000 character strings, i.e. 1 millisecond per character, it would be useful to know that it took 54 milliseconds to compare two strings. The implication is that the 54th character is the first character that differs between the two strings.

In a cryptographic sense, the attacker would only know one of the two strings, the password they submitted. If the password on the server is properly secured and hashed in the database, then every failed password will take roughly the same path through the system, with the comparison between the stored hash and the hash of the submitted password being the only real difference. Systematically changing the submitted password while comparing it to the response times could allow the attacker to break the password in a practical amount of time by reducing the password combinations exponentially as each character is determined.

Fixes

Some programming languages and operating systems have special functions for comparing password hashes. Outside of these special functions, there are three ways to disrupt a timing attack.

1) Rehash the hashes

By hashing the hashes and comparing the doubly hashed values, you are performing the comparison on two "strong password" style strings rather than the potentially "weak password" style strings. This shift drastically increases the number of potential possibilities, increasing the time it takes to perform the attack, potentially to impractical levels.

The problem with this approach is that you are reducing the usefulness of the leaked information, though not completely eliminating it. Depending on the computing power available to the hacker, this approach can theoretically still be overcome.

2) Inject a random delay

Inserting a random microsecond-scale delay into the processing would distort the leaked information, making it insignificant.

The problem with this approach is the speed of your own processing. This approach depends on the system having a microsecond-scale processing time. If, for example, the comparison operator took tens of microseconds to process and you were adding between 0 and 9 microseconds, you would have only distorted, and not hidden, the leaked information. This means you would have to adjust the random range to the processing speed of the current system, or set the range so high that you would be wasting resources (i.e. making the script run tremendously longer than necessary).

3) Manually compare the entire strings

Because the basic string comparison operator stops at the first difference, manually running through every character in the string (via a for loop and direct access to each character) removes the time difference created by the simple string comparison operator. Once a different character is identified, a bit flag is set and the comparison continues until every character has been compared.

This is the preferred method and the basis for any of the special functions for password comparison.

In PHP, this function would be roughly:

    function compare_hashes($hash1, $hash2) {
        // Reject anything that is not a non-empty string
        if( !is_string($hash1)
                || !is_string($hash2)
                || empty($hash1)
                || empty($hash2)
               ) {
            return FALSE;
        }

        // Hashes produced by the same algorithm always have the same length,
        // so a length mismatch can be rejected early without leaking anything
        if( ($len = strlen($hash1)) != strlen($hash2) ) {
            return FALSE;
        }

        // XOR every character pair and OR the result into the flag. The loop
        // always runs to the end, so the time taken does not depend on where
        // the first differing character is.
        $flag = 0;
        for( $i = 0; $i < $len; $i++) {
            $flag |= ord($hash1[$i]) ^ ord($hash2[$i]);
        }
        return ($flag === 0);
    }
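The same idea in Python, as an added example that is not part of the original post: a step-counting model shows why the early-exit comparison reveals the position of the first differing character while the XOR-and-OR loop does not, and the standard library's hmac.compare_digest is the kind of "special function" the post refers to (PHP's hash_equals plays the same role). The stored hash and the guess are constructed for the example.

```python
import hashlib
import hmac


def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison, the way a plain == on strings usually behaves.
    Returns (equal, chars_examined); the second value stands in for elapsed
    time, since each examined character costs roughly the same."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:          # stops at the first mismatch: this is the leak
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes):
    """Python port of the post's PHP loop: XOR each byte pair and OR the
    result into a flag, so every byte is examined no matter where the
    first mismatch is. Only the length check exits early, and hashes from
    one algorithm always share a length, so that reveals nothing."""
    if len(a) != len(b):
        return False, 0
    flag = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        flag |= x ^ y
    return flag == 0, examined


def library_compare(a: bytes, b: bytes) -> bool:
    """What to use in real code: the standard library's constant-time
    comparison function."""
    return hmac.compare_digest(a, b)


# Constructed sample: a stored SHA-256 hex digest (64 characters) and a
# guess whose hash agrees with it up to, but not including, the 54th character.
STORED = hashlib.sha256(b"constructed sample secret").hexdigest().encode()
GUESS = STORED[:53] + b"z" + STORED[54:]   # 'z' is never a hex digit

if __name__ == "__main__":
    # naive: 54 characters examined, so the mismatch position is visible
    print(naive_compare(STORED, GUESS))
    # constant-time: all 64 examined, exactly as for a correct guess
    print(constant_time_compare(STORED, GUESS))
    print(constant_time_compare(STORED, STORED))
    print(library_compare(STORED, GUESS))
```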


Other Notes

In a practical sense, timing attacks are less of an issue than a copy of the password table from the database being leaked. Normal methods of blocking brute force attacks defeat most of the risks associated with Timing Attacks, but the ease of the fix is such that implementing a proper hash comparison is worth it.

All Hail King Content

This is the second part of our series on effective blogging. The series starts with "Managing Your Blog – The 5 Cs."

"Content is King" is a common sentiment of digital marketing folks. You see it everywhere; if you want to have a successful blog, you must create good original content. It is easy to understand what original means, but what is "good content", and if you are starting out, how do you make sure you are creating good content? We are not all authors, so it may not necessarily be great content, but at least good content.

Like other small business owners, I was forced to deal with this problem, so I let my science background take over and created a semi-scientific study to determine what is good content. Reviewing blogs of different levels of success, as well as testing some of the theories on a blog created on a free blogging platform, we worked out that every blog post could be segmented into one of 6 types.

Public Relations

Public Relations posts simply provide information to the world about the workings of the company. They are generally simple, to the point and provide little useful information beyond the fact that the company exists and something happened. Seldom are these posts more than a couple hundred words, and they rarely contain anything more than blatant information.

Large corporations commonly put out PR statements in their blogs, though the practice appears to be much less prevalent with smaller firms. Some large public firms have set up "blogs" just for the purpose of sending out PR announcements, particularly associated with corporate filings and other financial issues.

For small businesses, these post types provide no real value for their readers, nor do they have any substantial effect on search engine optimization, and consequently should be avoided. If you feel like you have an announcement which fits the PR post profile, try changing the message to fit one of the other post types.

Sales

Sales posts are focused on a product or service of the company, and attempt to convince the reader to purchase said product or service. They provide little useful information beyond the fact that the company sells the product or service. Most younger readers will see the post for exactly what it is, an advertisement, and be turned off by the whole organization.

These blog types should be avoided by small businesses in all situations except when you are introducing a brand new product or service. When introducing a new offering, you should focus on how it is better than previous offerings and avoid any connotation that a reader needs to buy it.

Editorial

Editorial posts clearly state an opinion of the company or management. These posts should not try to sound like they are anything but what they are, opinions. They should include statements like "I think" or "we believe" to remove any doubt in the reader's mind that the post is objective. 

Editorial posts play an important role in a small business blog by creating a sense of humanity within the company. Large corporations are often viewed as cold, dry institutions where everything is dictated by a lawyer-approved process. People work with small businesses because they want the personal touch. Creating this personal touch through the anonymity of the internet is difficult, but the opinion expressed in an Editorial reinforces the fact that at your company you have real humans working and taking care of the customers.

The biggest caveat of Editorial posts is liability associated with such posts. You are publicly putting your weight behind a stance, which can backfire. The safest bet is to choose a topic which is only controversial within your industry or a topic where you can provide a new approach to the situation, which does not have the political baggage of the more defined positions.

Educational

Educational posts involve you teaching your readers about a subject. These posts generally sacrifice details and instead strive for a solid conceptual understanding by the reader. Your goal is to teach your readers, and nothing else. These posts should use examples from unrelated topics that the reader may already understand.

The hardest part of educational posts is figuring out the topic. Systematically going through your company and identifying all the places where customers have asked questions is a great starting point for material. For every customer who asked a question, there are often a dozen customers who have been either too scared to ask or were not educated enough to know to ask the question.

Technical

Technical posts detail the minutiae behind a process or product. These posts show off that you are the expert in your field and reinforce the idea that you should be contacted when someone has an intricate problem.

We have created Technical posts detailing the steps of setting up WinSCP to access an AWS server and compressing HTML served using Apache. These posts do not hawk any of our products or services, but rather try to help readers by going through the explicit details needed to accomplish a goal. It may seem like we are giving away our 'secret sauce' here, but when a Do-It-Yourselfer becomes stuck with the problem you just explained, they will see your post and try to fix it themselves, or just give up and ask you to do it.

For service-based small businesses, think about a very technical process you occasionally perform for your clients and walk through the steps, providing explicit details and considerations. For product-based small businesses, perform the same process but detail everything about a particular product, from the dimensions to the situations where you should and should not use that product.

Story

Story posts are possibly the hardest for small businesses to sincerely create because in order for them to be effective, they must be entertaining. Most small businesses do not perform tasks which are entertaining as much as functional, which makes it challenging to create an engaging story. However, if you can create an engaging story, you will hook your readers in reading the complete story and then looking for your other stories.

One way for a small business to try to create Story posts is telling their customers' stories. The problem is, while these are legitimate stories, they tend to feel forced or insincere. A better approach is telling a story from your own perspective, that of an employee or a trusted customer. These stories are considerably more sincere and endearing to customers.


Small businesses should focus on creating Educational and Technical posts while throwing in an occasional Editorial or Story post to create a sense of humanity at the company. Just make sure you are focused on the lay person within your target audience, and try to simplify everything for that lowest common understanding. This approach will annoy a few of the more knowledgeable readers, but will be endearing to those with the lowest level of understanding (i.e. your potential customers) and to those with a middle level of understanding (i.e. more potential customers in other areas). Subconsciously, the middle and lower level readers are thinking: if this company can explain this complex topic so I can understand it, they can explain other associated topics, regardless of my level of understanding, and I'm going to go back there next time I have a question.

Other Technical Considerations

There are also a few technical considerations to blog content. To have a real impact on search engines, your posts need to be at least a thousand (1000) words long and have decent keyword density. The word count is not a hard minimum; rather, it is a good target to generate a diversity of words while still being able to maintain a good keyword density. The keyword density is how many times and in how many varieties a particular keyword or key concept is mentioned in the post. Once you eliminate filler words (articles, prepositions, etc.), you should have a 2-5% keyword density.

Managing Your Blog – The 5 Cs

Blogging is a really easy way to start spreading your special message online. A good blog will educate, entertain and encourage your website's visitors while generating more traffic and therefore more potential customers. Over the next month we will be publishing a series of posts on techniques for successfully managing your blog and hopefully break down some of the ‘black magic’ out there associated with blogs and search engine optimization.

First, blogging should be fun and easy. If it wasn’t, why would so many people have their own personal blogs? Your company should already have the interface set up, and you are just expected to write content, manage comments, and generally build marketing pull for the company. Initially, this can seem like an overwhelming prospect, but it should not be.

To simplify blogging, we have broken it down into five sections: Content, Connections, Comments, Creativity and Commitment. Each of these 5 C’s is equally important to the success of your blog, though they each require different amounts of effort during the maturation process. Over the next few weeks we will thoroughly explain each section, why it is important and some simple ways to succeed.

Content

“Content is King!” This is the battle cry of many digital marketing agencies and is commonly used as a simplification of search engine optimization strategies. However, all content is not created equally. Why do some company blogs take off while others drag by the wayside?

We spent the last year investigating the differences in content and found all blog posts could be segmented into one of six types; Public Relations, Sales, Editorial, Education, Technical and Stories. The first two types (Public Relations and Sales) are not productive to any blog, and we suspect they can actually be detrimental to small businesses. Story blogs also generally do not fit well with a small business profile, which leaves Editorial, Education and Technical. Our research found that regularly cycling through these types of blogs can generate real, sustained viewership to any blog.

There are also a few technical considerations to blog content. To have a real impact on search engines, your posts need to be at least a thousand (1000) words long and have decent keyword density. The word count is not a hard minimum; rather, it is a good target to generate a diversity of words while still being able to maintain a good keyword density. The keyword density is how many times and in how many varieties a particular keyword or key concept is mentioned in the post.

Connections

Connections are all the methods for distributing the blog posts on other platforms, primarily social media. Posting links to your blog posts on social media highlights the topics you are discussing and encourages others to read and share your posts.

Another issue to consider is your sources of traffic. A large number of visitors from Facebook is different than Google. Some connections generate more traffic than other connections, and analyzing where your traffic originates helps determine how to allocate your publicity efforts and where to spend time in building more connections.

The top search engines have a set of tools for webmasters to view and manage their website's profile. An important feature of these tools is the search keyword analysis tool, where you can see when your website appears on various search terms.

Comments

Feedback is essential in determining the subject of new content. Comments provide an instant, albeit subjective, insight into what your visitors are thinking. Their often naive questions or statements can indicate areas for explanation that you, as an expert in your field, overlook as being obvious.

Encouraging users to comment can be hard for smaller, independent blogs. There are a variety of tricks, from allowing anonymous comments to integrating your blog with major social media platforms. Anything which minimizes spam while reducing a hurdle for your visitors to engage is worth investigating and using if appropriate.

Once you start getting comments, you will start getting spam comments. Most spam comments exist only to hawk the spammer's products. Most of the time these comments are obvious, though there is a growing trend of using legitimate-sounding generic comments to get a link back to their website. The website associated with the comment often tells whether the comment is just link spam.

Creativity

Your blog must demonstrate the company’s inner passion without saying a single word. The color scheme, the imagery, the navigation options and the general ease must resonate with your target viewership without them having to read anything.

Our blog, for example, is simple and to the point. We don’t have a hundred little things in the sidebar to distract you; rather we focus on the content. Our content can be complex at times, and we would rather you focus on understanding the topics than reading one paragraph and getting distracted by a flashing gif image.

Creativity should impact your content in your choice of subjects as well as your perspective on those subjects.

Commitment

Creating a blog and posting a bunch of content over a short period of time then ignoring the blog for a few months is common. It is easy to put creating blog posts on the back-burner when other things seem more pressing.

Commitment applies to two parts of the blogging process. First, it means placing a priority on regularly interacting with visitors through posting new content and responding to comments. Content can often be created in batches when you have available time and then set to post automatically in the future. Responding to comments, though, requires action within a short period of time of their comment.

The second portion of commitment is to your subject matter. A blog posting about dessert recipes should not deviate to a political topic, no matter the importance of said political topic. Your visitors are coming for recipes, not rants, so feed them recipes.

Conclusion

Conclusion could be thought of as the sixth C, but is just a good practice of writing. When you are writing blog posts think about who you want reading your posts and what encourages them to trust you. Blogging is about creating trust in others that you are an expert and someone they want to work with.

Over the next month or so of Fridays, we will dig deeper into each of these concepts and hopefully provide you with clear examples of what you should be doing and not doing.