Ali Baba and the forty cyberthreats
Quote:

It turns out that the tale of Ali Baba is a collection of stories from ancient Persia about … cyberthreats?

As we never tire of saying, fairy tales are thinly veiled reports on information security. And it wasn’t only the European storytellers who tried to warn their descendants about cyberthreats — they were equally prescient in the East. For example, Scheherazade, the protagonist of the classic 1001 Nights, kept what can only be described as a daily infosec blog with video podcasts. True, he had an ulterior motive for doing so …

… but today we’re looking at some cases added to Scheherazade’s blog much later, in the 18th century: in particular, the incident known as Ali Baba and the Forty Thieves. Even those who don’t know the story are surely familiar with the magical phrase, “Open sesame!”

Indeed, the entire plot is built around the idea of using a password to protect against unauthorized access. But that is far from the only information security tip in the fairy tale. It’s just the most obvious.

Password transfer through an insecure channel

Here’s a quick story refresher: A gang of robbers hides some loot in a cave that can only be accessed using the password open sesame. The protection mechanism harbors a number of serious flaws.

At the very start of the tale, the leader of the thieves stands at the entrance and shouts loudly: “Open sesame!” Several issues are immediately apparent. First, the password is too simple. Second, there is no two-factor authentication — or even a username!

Even worse, the password is transmitted over an open channel. Ali Baba, who is collecting firewood nearby, inadvertently overhears the robber. In fact, it’s only out of curiosity, with no malicious intent, that he later tries the password. When the cave opens, however, he enters the cave and expropriates some of the treasure inside.

Spyware module

On his return home, Ali Baba gives the gold coins to his wife to count. She tries to do it manually, but there are so many she loses count and instead borrows a measuring instrument from her sister-in-law, the wife of Ali Baba’s brother, Kasim.

Some translations specify kitchen scales, some say that it was a pot of some kind, but it’s not a weighty detail, so to speak. What’s important is that the curious Kasim’s wife smears the bottom of the instrument with honey (suet in some translations) to find out why her relative needs it all of a sudden. And when it’s returned, lo and behold, a gold coin is stuck to the bottom — which means that her sister-in-law was using it to count gold!

Even a cyberdunce can see that the author is describing a spyware module integrated into a legitimate product. Kasim’s wife provides a device (under the Measure-as-a-Service model) and spies on the activity of the client. The clear moral of the story is: Use tools from trusted sources — and check them for vulnerabilities and malicious implants.

Forgotten passwords

What happens next seems a little far-fetched to me. Ali Baba confesses everything to Kasim and tells him the password. The latter enters the cave. Inside, he manages to forget the password (which is also needed to get out), gets trapped, and has his head chopped off when the thieves find him there. The marketing message is clear: “Don’t lose your head over a forgotten password,” or something along those lines.

I suspect that back in the day, this part of the story contained a product pitch for some ancient password manager used by Sasanid techies, but the original message has been erased through endless retelling. To compensate, we’ll insert our own: Kaspersky Password Manager securely stores passwords and other confidential information.
...