Archive for the ‘Crytography’ Category

How does a journalist secure his laptop against a police search?

Border laptop search

2 November 2015 – Last week the media blogs lit up over the British police’s seizure of a BBC laptop and what is the right configuration and practices to ensure that such a seizure provides zero information to the cops?

Sarah Naomi was at the t2’15 infosec conference in Finland last week and described a presentation by security researcher Georg Wicherski. Wicherski is a Senior Security Researcher with CrowdStrike who we have met several times at Black Hat.

Wicherski outlined in his talk several steps that could be taken to render, for instance, an ordinary Chromebook immune (or at least make it very, very resistant) to malware attacks, even when an adversary has physical access to it. These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have “an appliance, that comes with a manual, and low-skilled operators.” By using a setup that is not very common, the border cops might not know what to … Read more

Want to outfox the NSA? Generate memorizable passphrases even they can’t guess

 

Rolling dice

 

 

27 March 2015 – Micah Lee writes at The Intercept that coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion. But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You’ll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with each word in your … Read more

What’s next, a gift shop? The National Security Agency has a side business licensing its technology

Dollar sign on keyboard with magnifying glass

 

30 September 2014 – We were at the “Defense Labs Tech Transfer” trade show in Maryland last week and stumbled across a company called TechLink, which is a US Department of Defense (DoD) Partnership Intermediary. These partnership entities are all done via government statute (check out 15 USC 3715). TechLink is based at Montana State University. The company brokers licensing agreements between DoD labs and US industry for manufacture and use of DoD inventions. These inventions involve virtually all technology fields, including medicine, software, electronics, communications, advanced materials, and energy-related technologies. There are between 100 and 150 research labs that participate under the DoD’s umbrella.

And lo and behold … the National Security Agency (NSA) is in the program (the DoD includes the NSA under its umbrella) and has been making money on the side by licensing its technology to private businesses for more than two decades. It’s called the Technology Transfer Program, under which the NSA declassifies some of its technologies that it developed for previous operations, patents them, and, if they’re swayed by an American … Read more

Researchers connect 91% of phone numbers with names in metadata probe

 

Metadata 2

24 December 2013 – One of the key tenets of the argument that the National Security Agency and some lawmakers have constructed to justify the agency’s collection of phone metadata is that the information it’s collecting, such as phone numbers and length of call, can’t be tied to the callers’ names.

Wrong.

Some quick investigation by some researchers at Stanford University who have been collecting information voluntarily from Android users found that they could correlate numbers to names with very little effort. The Stanford researchers recently started a program called Metaphone that gathers data from volunteers with Android phones. They collect data such as recent phone calls and text messages and social network information.

The goal of the project, which is the work of the Stanford Security Lab, is to draw some lines connecting metadata and surveillance. As part of the project, the researchers decided to select a random set of 5,000 numbers from their data and see whether they could connect any of them to subscriber names using just freely available Web tools.

The result: They found … Read more

The mathematics behind NSA hacking

back door open

23 December 2013 –  There has been a lot of chatter these past two days on whether the RSA (which has angrily denied the claim) secretly took $10 million from the NSA to use the buggered up Dual Elliptic Curve Deterministic Random Bit Generator in its encryption products. RSA, which is owned by EMC, started using Dual EC DRBG by default in 2004, before the generator was standardized.

In 2007 a backdoor in the algorithm weakened the strength of any encryption that relied on it. It was only in September 2013, RSA told its customers to stop using the algorithm. The NSA is also accused of weakening the random number generator during its development. The RSA said that it categorically denied the allegation that it knew Dual EC DRBG was “flawed” when it started using the algorithm. It said it made sense to use the random number generator in the context of an industry-wide effort to develop newer, stronger methods of encryption.

At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption. … Read more