LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘encryption’ Category

DEFCON Brings the Scary | TechSNAP 18

without comments

post thumbnail

This week on TechSNAP:

The UK Prime Minister wants a Kill switch for social media, ebay upgrades their servers to SSD, and you won’t believe the costs, and we take a peak at Microsoft’s data center in a box!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:


UK PM Proposed Social Media Kill Switch

  • UK PM David Cameron is proposing that the police, intelligence agencies and telecom industry investigate if it would be right and technically feasible to disable access to social networks during times of civil unrest
  • “Everyone watching these horrific actions will be struck by how they were organised via social media”
  • This is obviously the wrong way to solve the problem, and it will never work. Even if the telcos block access to facebook and twitter via the Internet and cellular networks, rioters could just use text message trees like those that were used to organize the riots in Egypt.
  • Some are even proposing entirely disabling the cellular networks in affected areas, however this would be seriously disruptive considering that many in the UK only have cellular phones. Leaving citizens without access to emergency services would obviously be untenable.
  • Even if the UK government was successful in blocking access to the major social networks, protesters could use other networks, there are an infinite number of competing services. Protesters could also use proxies and other techniques to mask their access to social media. This is common place in workplaces that block access to the sites.
  • A number of people have already been arrested for posting messages on facebook that were said to be ‘inciting violence’ and ‘public disorder’
  • More detailed article from the BBC

Denial of Service Attack results in suspended trading on the Hang Seng Stock Exchange

  • An attack against a site used to post official announcements about issues on the Hang Seng stock exchange resulting in the site being unreachable
  • Trading in stock issues that were to make important price affecting announcements was suspended.
  • Trading of shares in HSBC, Cathay Pacific, China Power International and the Hong Kong exchange itself, among others, was suspended
  • If the site remains offline, the Hang Seng exchange will find an alternate way to release the announcements and trading will resume
  • Earlier this year the US NASDAQ exchange revealed that cyber attackers had planted malicious code on its “Directors Desk” web application

eBay begins migration to pure SSDs in its datacenters

  • Approximately half of eBay’s 4000 VMs are now backed purely by SSD storage
  • The average time to deploy a VM has dropped from 45 minutes to 5
  • Previously, eBay had been using 15k RPM drives via Fibre Channel
  • One rack full of SSDs is equivalent in performance to eight or nine racks of the previous drives
  • After replacing 100TB of storage, a 50% reduction in rack space, a 78% drop in power consumption and a five-fold boost in I/O performance were realized
  • The appliance eBay is using does not use traditional hard drive form factor SSDs, but rather 2U modules of pure flash storage via a 6 Gbit/sec SAS interface.
  • Storage is priced at $10,000 per Terabyte, and comes in 2.5TB, 5TB, and 10TB modules

Radios used by US Federal Law Enforcement suffer Security Flaws

  • The P25 Radios used by many Federal Law Enforcement Agencies support encryption, but not always use it. Many messages are sent in the clear, even when the users believe they are communicating securely
  • This vulnerability results in trivial passive attacks, where the supposedly secure communications can be eaves dropped on
  • The P25 Radios are also subject to active attacks. An attacker with very modest resources is able to jam specific types of communication to and from the P25. This would allow an attacker to block LEOs in the area from sending or receiving encrypted messages.
  • The available symmetric encryption systems are DES, 3DES and AES. Obviously the first two options have not been considered secure for many years.
  • Because the radios are based on a best-effort protocol, and do not have the ability to retransmit garbled frames, advanced encryption mechanisms like CBC (Cipher Block Chaining) cannot be used. This also means that MAC (Message Authentication Code) cannot be used to verify that the incoming transmissions have not been altered.
  • Because of this, it is possible for an attacker to impersonate a legitimate user, inject voice and data traffic, and replay captured traffic resulting in false signals, even when the messages are encrypted
  • PDF of the official University of Pennsylvania study

Defcon presentation claims MITM attack on 4G and CDMA mobile phones

  • Reports indicate that a successful Man-in-the-Middle attack was executed against devices in and around the Defcon venue.
  • The attackers were able to gain permanent kernel-level root access in some Android and PC devices by using rootkits and non-persistent user space access in some other devices. In both cases, whoever launched this attack against both CDMA and 4G devices was able to steal data and monitor conversations.
  • It is speculated that the attacker was able to inject specially crafted packets in to the data streams, possibly displaying prompts to the user, that if accepted would install the rootkit
  • Once the device is compromised, it is trivial to monitor ongoing communications or steal the 4G encryption key

A tour of Microsoft’s cloud data centers

  • Microsoft’s newest data center designs are modular and containerized
  • The new design allows them to bring new data centers online much more quickly
  • The new designs allow the contains to be ‘plug and play’, and results in far less packing materials being required

Round Up

Bitcoin Blaster

Written by chris

August 12th, 2011 at 12:42 am

Google Server Secrets | TechSNAP 17

without comments

post thumbnail

Find out what consumer storage device is shipping with an encryption backdoor, and we share details about Google’s super secret million servers strong infrastructure.

AND – How Chris lost $1k in bitcoins!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Verbatim’s Crypto NAS has unexplained second key

  • Like we have talked about before, the only ‘secure’ way to ensure that encrypted data is recoverable if the encryption key is lost, is to encrypt it to a second key, a ‘recovery agent’
  • The important fact here, is that Verbatim does this without your consent, and there is no way to turn it off
  • This means that if you lose your key, you can call Verbatim and they will decrypt your files for you. Nice feature…
  • A rouge employee at Verbatim could also decrypt your data
  • An attacker could steal or guess the Verbatim key, giving them access to EVERY verbatim crypto NAS device
  • The government could have Verbatim decrypt your data against your will, or without your knowledge

Study estimates Google has around 900,000 servers

  • Based on Google’s energy use, compared to all other data centers in the work, and factoring in that google uses custom build highly efficient servers, it is estimated they have as many as 1 million servers
  • Google’s newly designed management system is build to be able to manage up to 10 million machines

Chris loves this book: In The Plex: How Google Thinks, Works, and Shapes Our Lives


The Massachusetts lottery can be gamed for a guaranteed payout

  • The way the rules are structured, if the lottery jackpot builds up to over $2 million, then they commence what are know as ‘rolldown weeks’, These weeks increase the payouts of minor jackpots, meaning if you buy enough tickets to increase your odds of winning, you can be assured a profit
  • It is estimated that if you buy 200,000 of the $2 tickets, during 4 roll down weeks a year, your payout would be between 1.8 and 4 million dollars, without ever winning the actual jackpot (which has only ever been won once)
  • The state lottery commission has known about this flaw for years, but has only recently started to enforce new rules after the stories started to get press

Pakistan passes new Internet monitoring law, bans encryption and VPNs

  • How will this effect Pakistani users of services like gmail, that require SSL encryption for authentication
  • Will this cause the creation of more tools designed to mask encryption, for example with steganography or masking data transfer as DNS requests
  • A copy of the proposed law

What are the requirements for true Freedom in the Cloud

  • Right to restrict Access – The user must be able to prevent the provider from reading their data
  • Freedom to leave, but not lose – Users must be able to export all of their data and move it to a different service
  • Open Standards – In order to be able to interact with your data, as well as import and export data, there must be open standards for interacting and transferring data
  • Transparent Privacy Policies – Most users will never read a 20 page privacy policy, there must be a legible and easily understood list of what the provider is and is not allowed to do with your data
  • No change of policy without explicit consent – If the provider can just change the policy, and it is up to you to notice this change, you can never be safe from the whim of the provider
  • We have seen many of these problems with services such as DropBox, which does not comply with most of these requirements. You cannot stop dropbox from accessing your data, they encrypt it only with their own key. There are no open standards for dropbox, when an open source project started an alternate client, it was promptly sent a DMCA notice. And dropbox has on numerous occasions changed it’s privacy policy and terms of service, without informing their users, requesting the users consent, or explicitly stating what was changing in the policy.

TOSBack | The Terms-Of-Service Tracker


Round-Up:

Bitcoin Blaster:

Classified Cloud | TechSNAP 15

without comments

post thumbnail

This week on, TechSNAP!

The UK Government is building a cloud of secrets, but can it ever possibly be secure enough?

Plus we’ll cover the FBI Arresting 16 suspected members of Anonymous, and being prepared when forced to decrypt your laptop!

All that and more on this week’s TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Thanks to the TechSNAP Redditors!


UK Government to use the Cloud to share Restricted Documents

  • Files will be hosted on the UK internal cloud, the Government Secure Application Environment (GSAE)
  • The system will allow civil servants, diplomats and other Government officials to share documents up to the secrecy level IL3, or Restricted
  • “Information marked as Restricted is at a level where the release of the material will have effects such as significant distress to individuals, adversely affecting the effectiveness of military operations, or to compromise law enforcement.”
  • The internal cloud will use SaaS software from established tech startup Huddle.
  • Planned upgrades to the GSAE and Huddle software will allow it to support IL4 or Confidential information
  • “The effects of releasing information marked as Confidential include considerable infringement on personal liberties, material damage to diplomatic relations, or to seriously disrupt day-to-day life in the country.”
  • A possible obstacle to the deployment of a cloud based system for storing classified information is that policy states that the end users must have local disk encryption to be allowed to access the documents

FBI Arrests 16 suspected members of Anonymous

  • 14 of the arrests are related to the attacks on PayPal after they announced they would no longer accept donations on behalf of WikiLeaks
  • The defendants are charged with conspiracy to intentionally damage protected computers
  • The remaining arrests are related to attacks on InfraGard (Affiliated with the FBI) and a former AT&T Contractor who stole files from AT&T and gave them to members of LulzSec
  • Similar arrests were also made in the UK and the Netherlands
  • The charge of “intentional damage to a protected computer” is punishable by a maximum of 10 years in prison and a $250,000 fine, while conspiracy carries a maximum penalty of five years in prison and a $250,000 fine.

US General Criticizes Defense IT Infrastructure

  • The Military and Defense Department use far too many proprietary systems
  • During the 2nd invasion of Iraq, The Army and Marine Corps used different proprietary encrypted radios, and were therefore unable to communicate directly with each other, because of this, they had to be assigned to different areas of the country to avoid running in to each other
  • Proprietary systems meet the states requirements, but are not flexible and require a long time to modify or adapt the hardware and software.
  • The General places most of the blame on the procurement process, and contractors who design their systems to be proprietary.
  • The Federal CIO worries about the IT Cartel, a small group of companies that understand the Government IT Procurement process better than other companies, and get a disproportionate share of contracts.

DoJ asks Federal Judge to order Defendant to Decrypt Laptop

  • A woman being accused of mortgage fraud is contesting a court order that she provide the decryption key for her laptop
  • The laptop was seized during a raid of her home
  • This case could set the president, as no Appeals Court has yet ruled on whether such an order would violate a defendant’s 5th amendment right to not incriminate themselves.
  • The DoJ goes on to state that “Public interests will be harmed absent requiring defendants to make available unencrypted contents in circumstances like these”. Failing to compel defendants amounts to a concession to potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence.
  • Prosecutors clarified that they were not asking for the pass phrase it self, and that the defendant would be allowed to enter the pass phrase on the computer without anyone looking over her shoulder
  • The U.S. Supreme Court already affirms that defendants can be forced to provide fingerprints, blood samples, or voice recordings, however past rulings have affirmed that a defendant cannot be forced to disclose the contents of their mind.
  • The EFF filed a brief supporting the rights of the defendant, stating “Decrypting the data on the laptop can be, in and of itself, a testimonial act–revealing control over a computer and the files on it“ and “Ordering the defendant to enter an encryption password puts them in the situation the Fifth Amendment was designed to prevent: having to choose between incriminating themselves, lying under oath, or risking contempt of court“
    Submitted by: port-forward-podcast

Round-Up:


Bitcoin Blaster:

Written by chris

July 22nd, 2011 at 12:02 am

Encryption Best Practices | TechSNAP 10

without comments

post thumbnail

Coming up on this episode of TechSNAP:

We follow up on last week’s bitcoin coverage with scandal that has a $500k price tag.

Then – We launch into your questions, and cover encryption best practices to keep your data safe!

Plus – We take our first live war story call, all that and more on this week’s TechSNAP!


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

TechSNAP has a new Sub-Reddit, submit links and questions for the show, and vote away!


Topic: Bitcoin wallet stolen (25,000 coins worth ~$500,000 USD)

  • Bitcoin wallets work by using public/private key pairs
  • Each wallet, by default, has 100 keys, and you allocate them as needed, and then new ones are generated so that you always have 100 ready for use
  • If someone manages to steal your wallet.dat file, they have the private keys for your addresses that contain the coins, and they can cryptographically sign a transaction using that private key, and therefore transfer the coins
  • User who had their coins stolen admits that they found spyware/malware on their computer. Possibly also a trojan
  • The attack also accessed the users account at a mining pool, and changed the destination address for payouts (some pools off the option to lock this address so that i can never be changed)
  • Bitcoin transactions are irreversible and there is no central authority to settle disputes or forcibly undo a transaction (This is both a feature and a flaw, it is a trade off to allows BTC transactions to avoid many forms of interference)

How to protect your wallet file:

  • Use separate wallet files, and don’t keep all of your money in one place.
  • Backup your wallet file regularly. The wallet file contains the private keys that actually control the coins, without them, you cannot transfer the coins. If you totally lose your wallet file without a backup, those coins are lost to everyone forever.
  • Your backups of your wallet file must be recent, because of the ‘100 key buffer’, that your wallet file has, if your backup is more than 100 transactions old, it will not contain the keys used for the newer transactions, and you will not be able to control those coins. Make sure you backup your wallet file on a regular basis. You can also adjust the configuration of your client to created a larger key buffer.
  • Your wallet file is the same as your GPG key ring, protect it as best you can. It should be stored in an encrypted volume (like a TrueCrypt mount or a GBDE file system) . It might also be advisable to run the bitcoin client as a dedicated user with much more locked down permissions on your machine.
  • As we learned from this incident, and the banking trojan news last week, it is imperative that you ensure that no one is logging your keystrokes, sniffing your traffic, or remotely controlling your machine (a remote control trojan such as the ZeuS banking worm, would be able to access your truecrypt partition when you mount it to use your bitcoin wallet)

mybitcoin.com – The bitcoin bank Chris is “trying”.

BITCOIN BLASTER:

- Our current Mining efforts -

Allan:
It all started with the dual GPUs in my gaming machine and the spare cycles on some of my servers, but CPUs and older nVidia cards were just not worth the power and effort with the higher difficulty.

So, a two friends and I have built a dedicated mining rig (2×5870, 1×6950) that is doing over 1100 Mh/s with a bit of overclocking. Sadly, the difficulty jump came only a few hours after we got the machine online, and it cut the profitability down. We are looking at another more expensive machine, but this will mean a longer wait for ROI.

Chris:
I’m pushing about 500 – 600 Mh/s during the day, nearing 810 MH/s at night. I plan to add two more moderately powerful ATI cards in the next week.

I bought my first physical good, a video card to mine some more. Using a “service” to convert bitcoins to Amazon gift-cards: http://www.bitcoinredemption.com/


FEEDBACK:

Q: (Michal) Is there a way for me to tell if my machine has been compromised while I was asleep?
A: Yes, using an application such as Tripware, or the Verification system in some backup software (Bacula, etc), allows you to detect which files have been changed since the last time the tool was run (ie, you run it daily). This way, when an important system file is changed, you are notified, if you did not cause this change (OS or package update/install), then it is possible someone has successfully compromised your system and modified important system files.


Q: (Dale) Is continuing to use Dropbox safe if i use TrueCrypt to encrypt my files before uploading them?
A: While it is theoretically safe to store your encrypted files in dropbox, because of the way dropbox works (copy on write deduplication), you would have to reupload the entire TrueCrypt volume every time you changed a file (because of the nature of the encryption, the changes to the encrypted volume will also be bigger). Unless you only store some very small files, or are using separate TrueCrypt volumes for each file you are storing, this will quickly get unwieldy and slow.


Q: (Michal) How can I store my users’ files such that they are encrypted with the users’ password, but can still be recovered if the password is lost/forgotten
A: The short answer is that you cannot. Strong cryptography does not have any recovery method. If you want the files to be truly secure, then they need to be able to be accessed by only a single key, and if that key is lost, the files are lost. The only real option is to encrypt the files to two different keys, one of the user, and one of the ‘Recovery Agent’, the person responsible for decrypting the files if the user loses their key. This lowers the security of the encrypted files, because the Recovery Agent can decrypt the files without the users’ permission.


Q: (Justin) How secure is it to enable to ‘text a password reset token to your mobile phone’ in gmail?
A: Mostly that depends on how secure your phone is. Does it display part of the text message when it comes in? How quickly does your phone lock it self when it is inactive. Can your unlock code be reset? How many other people have your unlock code? How easily can the unlock code be defeated? It is really up to you to decide how secure you feel your phone is. I for one, just don’t lose my passwords :p


Q: (brotherlu) What is the difference between a NAS and a SAN. Also in which environments would you use each.
A: a NAS (Network Attached Storage) is a dedicated storage device that you connect to your network. a SAN (Storage Area Network) is a dedicated network for storage devices. Usually SANs are much higher performance and sometimes use technologies other than ethernet. Really, it depends how much performance you need, SANs are much more expensive.


Grab bag bonus links:
Senate Bill Requires Permission to Collect & Share Location Data
LulzSec’s busy week:
Senate website, CIA.gov hacked. LulzSec claims responsibility.
LulzSec opens hack request line
LulzSec takes Eve Online and Minecraft offline
Ex-Googler Calls Out Google Infrastructure as Obsolete
Sophisticated Cyberattack Is Reported by the I.M.F.


Download:

Dropbox Flaws | TechSNAP | 1

without comments

post thumbnail

Get the full details are two major issues with Dropbox, that are simply built into the core of the software/service.

Plus WordPress has undergone a multi-server hack, and Facebook gives away their plans for the ultimate data center!

iTunes & RSS Feeds:

Show Notes:

WordPress gets hacked:
Story 1
Story 2

-multiple servers got hacked
-facebook and twitter API keys exposed
-non-opensource code and partner code exposed
-they recommend if you use the same password elsewhere you should change it (does this mean they are not doing secure hashes?)

Facebook Topic:
Facebook gives away detailed schematics etc from it’s datacenters under an open license

http://hardware.slashdot.org/story/11/04/07/2125238/Facebook-Opens-Their-Data-Center-Infrastructure
http://hardware.slashdot.org/story/11/04/16/2218232/Photo-Tour-of-Facebooks-Open-Source-Datacenter
-Custom power supply, only one voltage 10.5v
-harddrives (up to 6) powered by the motherboard, BIOS staggers drive start by 5 seconds each to deal with inrush current
-open cases, uses large scale air mover at the rack level instead of a large number of smaller fans per server
-power supplies have an AC feed, and a DC feed from UPS for backup (this is different from googles design, which placed a separate DC battery in each server, directly connected to the motherboard (circumventing the PSU). did this power the drives too? googles design is mostly secret)

Comodo Topic:

-SSL is the only thing standing between you and the eavesdroppers
-SSL makes sure you are talking to the real site
-if an SSL CA is compromised, someone could get a seemingly legitimate certificate for mail.google.com and setup a rouge wireless AP at your local starbucks, now he has not only your password, but all of your emails.
-once they have your email, they can reset your passwords for everything else

Comodo CA issues certs for major domains:

https://www.threatpost.com/en_us/blogs/phony-web-certificates-issued-google-yahoo-skype-others-032311
http://www.infoworld.com/t/authentication/weaknesses-in-ssl-certification-exposed-comodo-security-breach-593?page=0,1

-EFF finds 37,000 SSL certificates issues for unqualified domain names
https://threatpost.com/en_us/blogs/problem-issuing-certs-unqualified-names-040611

-EFF SSL Observatory
https://www.eff.org/observatory

Comodo’s plans to solve the problem:

http://www.scmagazineus.com/two-more-comodo-resellers-owned-in-ssl-hack/article/199620/

Microsoft patch to blacklist certs

http://www.microsoft.com/technet/security/advisory/2524375.mspx

More and more sites are offering SSL, or even doing SSL by default. This can be important if you are accessing things via wifi, especially if it is a public hotspot. This compromise means that it was possible for someone to have a valid certificate for skype and to sniff your credentials right out of the air.

Comodo SSL Article by Allan:

http://appfail.com/read/304/Comodo-SSL-Certificate-Authority-Breach/

Dropbox security:
Dropbox insecure by design, if you upload one file w/ the app, hacker can access everything, even if you reformat

http://it.slashdot.org/story/11/04/08/1838220/Dropbox-Authentication-Insecure-By-Design

http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

-problem with the authentication system
-uses only a host_id to authenticate devices. host_id is not related to a hardware hash, or your password.
-host_id is stored as plain text in a config.db SQLite db
-the same host_id can be used on multiple machines/devices
-so if someone copies your config.db, they can access you files without you knowing
-changing your password would not stop someone, as the host_id would still be valid
-because the host_id is not unique per device, you would not notice a new device
-once compromised, even if you reformat and change your passwords, the attacker could still access your files
-the only way to stop the attacker is to realize you have been compromised, and remove the effected device(s) via the dropbox control panel
-easy fix: include the password and some details (system name/type, hardware info) in the seed for the hash that is used as the host_id, automatically invalidate all host_ids when a password is changed.

Second Dropbox Flaw:

http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html

-Article mentions Tarsnap, written by Colin Percival, the FreeBSD Security officer. he wrote his own blog entry about a different backup company claiming to use the same encryption as banks and the military, see here: http://www.daemonology.net/blog/2010-03-11-zumodrive-rolls-a-hard-six.html
-Files are encrypted once, using a key controlled by Dropbox. Dropbox policy allows them to decrypt and render your files to law enforcement. A real secure system would not allow Dropbox or law enforcement to access the files.
-AES is approved by the NSA to encrypt classified documents, such as ones classified Restricted, no-forn, confidential, secret, and top secret (top secret requires 256 bit keys, lower classifications only require 128 bit)
-There are US standards covering the use of encryption to protect CONFIDENTIAL, SECRET, and TOP SECRET information; but merely using 256-bit AES is nowhere near enough: The entire encryption system needs to be approved (including block cipher modes, key management, vulnerability to side channel attacks, et cetera), not merely the choice of block encryption algorithm.


Download: