The Abstract Cheetos Attack.

June 18th, 2008 § 7 comments

I need to write a CERT paper for this —

  • Name of Attack: The Abstract Cheetos Attack
  • Type of Attack: Password Vulnerability / Local Exploit / Brute Force
  • Known fix: Lack of Cheetos
  • Attack Vector: Food[1]/Social Engineering
  • Exploit Details: It is possible to determine the most frequently used letters on a given keyboard on the target’s computer by providing the target with a “friendly” package of Cheetos at some regular interval, and then examining, over time, the build-up of dangerously cheesy residue on the target’s keyboard. Armed with the most frequent keystrokes, it is possible to perform a reduced brute-force attack on the target’s account password. Due to the reduction in keys, it is possible to grossly reduce the time and resources required to identify the target’s password. This attack also enables the attacker to determine other personal information including frequency of hand-washing, like/dislike of said “Food” and frequency at which the target cleans their clothes.

[1] Note that Cheetos may not be classified as “Food”

  • Passive

    Interestingly enough, a similar attack has proved very useful against building security systems that require PIN entry to disable. Usually, the keypads are only used for entering the PINs, so by examining the wear on the keypad, it is often clear which are the PIN keys. In an old office I worked at, the order of the PIN numbers was even clear, as the first key was both the most worn and the dirtiest, due to force of pressing and transfer of dirt/oils from the presser’s fingers. It seems that the first key is always jabbed rather fiercely, with the amount of force generally being reduced on each subsequent press.

  • http://holdenweb.com/ Steve

    Remind me never to borrow your laptop …

  • jnoller

    Or my clothes for that matter!

  • http://lucasrichter.tumblr.com/ Lucas

    Probably works best in the PIN setting mentioned by Passive above, since password characters may not be the most frequently used. Take a password like “eleph@nt”, for example. “e” is the most commonly used character in English, as in this password. And if the target types many email addresses (which is not too far-fetched), even the @ symbol may be explained away.

    All that said, this can be a very useful attack in the right context.

  • jnoller

    Well, that spoiled my dangerously cheesy fun :)

  • http://www.purple.com Ann E. Mouse

    I worked at a small company in the East Bay that had a small shroud around the keypad and the numbers showed up in random locations on the keypad for each attempted PIN entry. They had good security for the time.
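    The key-reduction described in the post and the scrambled-keypad mitigation Ann E. Mouse describes, simulated in an added example that is not from the original post or its comments; the PIN "2580", the entry counts and the RNG seed are constructed for the demo, and the attacker's view is only the set of worn positions:

```python
import random
import secrets
from collections import Counter

DIGITS = "0123456789"


def fixed_layout():
    """Conventional keypad: physical position i always carries digit i."""
    return list(DIGITS)


def scrambled_layout(rng=None):
    """Fresh random position->digit mapping for one PIN entry.
    Defaults to an unpredictable RNG; a seeded one is only for demos/tests."""
    rng = rng or secrets.SystemRandom()
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def seeded_scrambler(seed):
    """Layout generator with a fixed seed so a simulation is reproducible."""
    rng = random.Random(seed)
    return lambda: scrambled_layout(rng)


def positions_pressed(pin, layout):
    """Physical positions the user presses to enter `pin` on this layout."""
    return [layout.index(d) for d in pin]


def simulate_wear(pin, entries, layout_fn):
    """Presses per physical position after `entries` PIN entries: the 'wear'."""
    wear = Counter()
    for _ in range(entries):
        wear.update(positions_pressed(pin, layout_fn()))
    return wear


def worn_positions(wear):
    """What a wear inspection reveals: which positions were ever pressed."""
    return sorted(wear)


def search_space(candidate_keys, length):
    """Brute-force space when only `candidate_keys` keys look used."""
    return len(candidate_keys) ** length


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    fixed = simulate_wear(pin, 200, fixed_layout)
    print("fixed keypad worn positions:", worn_positions(fixed),
          "-> space", search_space(worn_positions(fixed), 4), "of", 10 ** 4)
    scrambled = simulate_wear(pin, 200, seeded_scrambler(1))
    print("scrambled keypad presses per position:", dict(sorted(scrambled.items())))
```

    With the fixed layout the wear collapses the 10,000-PIN space to 256 candidates; with a fresh layout per entry every position accumulates roughly equal wear, so inspection reveals neither the digits nor their order.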

  • http://www.yocowholesale.com/ wholesaleclothing

    The post is really nice, I like it, thanks for sharing, thanks for your post, I will keep reading your blog every day
    wholesale clothing
    wholesale clothing distributors
    wholesale Korean fashion

You are currently reading The Abstract Cheetos Attack. at jessenoller.com.