“Ricochet is idiot-proof and anonymous.” (more)
Showing posts with label encryption. Show all posts
Showing posts with label encryption. Show all posts
Wednesday, September 17, 2014
Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying
The National Security Agency has some of the brightest minds... But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts...
John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client...
“Ricochet is idiot-proof and anonymous.” (more)
“Ricochet is idiot-proof and anonymous.” (more)
Friday, August 8, 2014
Free Tip: Recover Files Locked by Cryptolocker Ransomware
If your computer files have been (or will be) held for ransom by Cryptolocker, bookmark this site... https://decryptcryptolocker.com/.
FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.
These folks will analyze one of your locked files and send you the decode key, FREE.
FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.These folks will analyze one of your locked files and send you the decode key, FREE.
Sunday, July 20, 2014
Scytale - Ancient Spy Gadget - Early Tweet
500 BC: The Spartans of ancient Greece invented the Scytale to transport hidden messages. Scytales were long, slender rods typically wrapped in a thin strip of papyrus, leather, or parchment.
A message was written on the wrapping, and then the strip was unwound and passed on to a messenger. Only when it was rewound around a rod of the same diameter could the original message be deciphered. (more)
Wednesday, July 2, 2014
BSI Publishes Study on Enterprise Mobile Device Security
BSI, the German Federal Office for Information Security, has published a report on "Enterprise mobile device security" (in German*) that provides a comprehensive overview on the current risks associated with the deployment of mobile devices in an enterprise context.
The report... covers Apple iOS, Google Android and Blackberry devices, taking a hard look at the current generation of hardware and software and the resulting dependencies on a limited number of key suppliers.
The study identifies key risk areas associated with the deployment of mobile devices in an enterprise context... and makes the case for doing so only in the context of a well-defined framework of organizational and technical measures that secure the enterprise against industrial espionage and other kinds of attacks.
* An English version may be available. Ask at ESD America.
Audio interview about Cryptophone, a high security cell phone ≈ 6 min.
The report... covers Apple iOS, Google Android and Blackberry devices, taking a hard look at the current generation of hardware and software and the resulting dependencies on a limited number of key suppliers.
The study identifies key risk areas associated with the deployment of mobile devices in an enterprise context... and makes the case for doing so only in the context of a well-defined framework of organizational and technical measures that secure the enterprise against industrial espionage and other kinds of attacks.
* An English version may be available. Ask at ESD America.
Audio interview about Cryptophone, a high security cell phone ≈ 6 min.
Thursday, June 12, 2014
alt.eMail - Send Spyproof Messages
Beepip uses your own computer's power to scramble messages. It then blasts these encrypted messages out over a peer-to-peer network and only descrambles them when they arrive at the right beepip address. Because no central server is involved, there is no chance of snooping.
Encrypted email isn't secure.
Unlike traditional email and instant messaging which leave data trails that companies and governments can access, the security and anonymity built into Beepip means that no outside force—not even the team that built Beepip—can see your messages or track down senders or receivers of messages.
Simply Beepip.
Beepip’s easy-to-use interface brings cryptography and secure communication to non-expert users, but also achieving military-grade security against hackers.
Whisper or shout Beepips.
A beepip can be sent to an individual or a whole group of subscribers. Broadcasts are messages that are sent out to any group of Beepip users that are listening. In this way, organisations or individuals can get information out to their subscribers anonymously if they choose. (more)
Encrypted email isn't secure.
Unlike traditional email and instant messaging which leave data trails that companies and governments can access, the security and anonymity built into Beepip means that no outside force—not even the team that built Beepip—can see your messages or track down senders or receivers of messages.
Simply Beepip.
Beepip’s easy-to-use interface brings cryptography and secure communication to non-expert users, but also achieving military-grade security against hackers.
Whisper or shout Beepips.
A beepip can be sent to an individual or a whole group of subscribers. Broadcasts are messages that are sent out to any group of Beepip users that are listening. In this way, organisations or individuals can get information out to their subscribers anonymously if they choose. (more)
Tuesday, March 18, 2014
MIT's Crytophone Round-Up
Ever since Edward Snowden came forward with a trove of secret documents about the National Security Agency, business has been booming for Les Goldsmith, CEO of ESD America.
Goldsmith’s company sells a $3,500 “cryptophone” that scrambles calls so they can’t be listened in on. Until recently, the high-priced smartphone was something of a James Bond–style novelty item. But news of extensive U.S. eavesdropping on people including heads of state has sent demand from wary companies and governments soaring. “We’re producing 400 a week and can’t really keep up,” says Goldsmith...
For the most part, consumers haven’t joined the security rush. According to Gartner, a firm that tracks technology trends, few have even purchased antivirus software for their phones. Sales of mobile security software are about $1 billion a year, a fraction what’s spent on desktops, even though mobile devices now outnumber PCs.
Yet secure communication products could eventually have mass appeal as consumers tire of being tracked online. Some of the most successful apps of the past year have featured self-destructing messages or anonymous bulletin boards. (more)
For the most part, consumers haven’t joined the security rush. According to Gartner, a firm that tracks technology trends, few have even purchased antivirus software for their phones. Sales of mobile security software are about $1 billion a year, a fraction what’s spent on desktops, even though mobile devices now outnumber PCs.
Yet secure communication products could eventually have mass appeal as consumers tire of being tracked online. Some of the most successful apps of the past year have featured self-destructing messages or anonymous bulletin boards. (more)
Wednesday, March 5, 2014
A Black Eye for Blackphones
Australian law enforcement agencies are increasingly unable to monitor the communications of some of the country's most powerful criminals due to the rising prevalence of uncrackable encrypted phones.
The phones are linked to a series of the underworld killings that rocked Sydney, several senior law enforcement officials told the ABC on condition of anonymity.
The phones are sold by dozens of companies worldwide and have legitimate uses.
But the law enforcement officials say thousands of the phones have been obtained by Australian criminals and they are using them to commit serious crimes, including murder. (more) (video report)
Interesting article, but... one half of my brain is saying wouldn't the LE's want criminals to think these phones are secure? And, once the general public views encryption as a criminal tool, the politicians would be free to pass laws restricting communications encryption so then only the outlaws (and selected others) would use it... kind-of-like gun silencers.
Or, maybe I've been "Snowed-in" over the long winter and have become cynical.
The phones are sold by dozens of companies worldwide and have legitimate uses.
But the law enforcement officials say thousands of the phones have been obtained by Australian criminals and they are using them to commit serious crimes, including murder. (more) (video report)
Interesting article, but... one half of my brain is saying wouldn't the LE's want criminals to think these phones are secure? And, once the general public views encryption as a criminal tool, the politicians would be free to pass laws restricting communications encryption so then only the outlaws (and selected others) would use it... kind-of-like gun silencers.
Or, maybe I've been "Snowed-in" over the long winter and have become cynical.
Tuesday, March 4, 2014
Crypto Bug Leaves Linux, Hundreds of Apps Open to Eavesdropping
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates ... indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher.
Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers. (more)
The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates ... indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher.
Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers. (more)
Saturday, March 1, 2014
"Black" Smartphones Come of Age
The launch of not one, but two, "Black phones"
this past week may lead people to think that secure cell phones are a hot new item.
Hot, yes. New, no. Many other secure smartphones, not to mention a plethora of apps, have existed for years. Mostly, these phones have been sold to governments and have commanded high prices. Now, as the demand heats up, prices are dropping.
Want a government-level secure, encrypted smartphone at a reduced price? (You know you do. Even if only to attract attention.)
Cryptophone™ today announced. "...special prices on the first two phones of any order placed this week." (more)
this past week may lead people to think that secure cell phones are a hot new item. Hot, yes. New, no. Many other secure smartphones, not to mention a plethora of apps, have existed for years. Mostly, these phones have been sold to governments and have commanded high prices. Now, as the demand heats up, prices are dropping.
Want a government-level secure, encrypted smartphone at a reduced price? (You know you do. Even if only to attract attention.)
Cryptophone™ today announced. "...special prices on the first two phones of any order placed this week." (more)
Tuesday, December 10, 2013
GSM A5/1 Encryption Comes to German Cell phones
Deutsche Telekom is the first network operator in Germany to deploy the A5/3 encryption standard for voice transmission in its mobile phone network. This means conversations are better protected against wiretapping, even in the GSM network... The GSM network previously implemented the A5/1 encryption standard, which experts have cracked... Telekom is not limiting rollout of the A5/3 encryption standard to Germany, either: the new technology has already been implemented in Macedonia, Montenegro, Poland and the Czech Republic. More countries will follow. (more)
Monday, December 9, 2013
On "Free" Security Apps...
I came across a new smartphone security app the other day which caught my eye. It promised...
In my mind, I could hear my father saying, "there is no free lunch, if it looks too good to be true..." The years have always proven him correct.
The app's web site had a foreign country URL. Not a big issue. Perhaps it was the only place where the site's name was available. A little more digging and I came up with a company address here in the United States; a residential address. Again, not a big issue. The company is just over a year old, they have no other products, and software development from home is common. Both the Chairman and CEO of the company have names normally associated with a foreign country. I am still not phased. The United States is the world's melting pot.
A question on their FAQ page was the first red flag. "Why do you need my cell phone number to activate the service?" The answer, "we need the number so we can send you the activation code." My question is, why does a free encryption product need an activation code? It sounds like a ploy to identify users. Apparently, enough people felt this was an invasion of their privacy. The next part of the company's answer was that the code would no longer be needed after version x.xx.
The next FAQ was, "Why do you upload my contact book to your servers?" The answer smelled like more dung. Apparently, everything the app does goes through their servers.
On to the fine print.
The product is specifically not guaranteed: not the encryption, not the self-destruction of the messages, photos or videos, nothing. They accept no liability. The are held harmless in the event transmissions are decrypted, deleted, copied, hacked, or intercepted.
Apps cost money to develop. Even allowing for ads, as these folks do, that is not enough money to justify an app this fancy (assuming it fulfills all its claims). There must be another payoff. What's worth money here?
Information.
People who use encryption are a select group; easy to target. For whatever reason, they feel their information is valuable. Hummm, a free security app could be great espionage tool. Let's see what information the company admits to collecting...
"We have the right to monitor..." Boom! What!?!?
And, they collect: IP addresses, email addresses, phone numbers, address books, mobile device ID numbers, device names, OS names and versions. They can know who you are, where you are, and information about everyone you know. Even if you never use this app, if you are in the address book of someone who does, you're now coin of their realm.
"Photos and videos are cashed on servers..." and you can't delete them. They claim they will do this for you after, "a period of time."
Throughout all of this, the user's fire-of-fear is dowsed with, don't worry, it's all encrypted, no one but you can see it, trust me. Right... how about a little trust, but verify. Other security software companies allow vetting. I saw no claims that their code was independently vetted for bugs, back doors, or spyware. And, what about that "We have the right to monitor..." clause? How is that accomplished without a back door?
They, "May collect statistics about the behavior of users and transmit it to employees, contractors and affiliated organizations outside your home country." Yikes. Who are you affiliated with anyway? Please don't tell me, "if I tell you, I will have to kill you."
Here's another kicker. If they sell the company, "user information is one of the assets which would be transferred or acquired by the third party."
This may be a perfectly legitimate app. Maybe I'm paranoid. But, money, power, politics, espionage and blackmail all come to mind. Any government intelligence service, business espionage agent, or organized crime boss could have come up with this as a ruse.
Which brings me to the moral of this story...
Before you trust any security service, vet it thoroughly.
If your OTHBD needle starts to tremble, don't rationalize, move on. ~Kevin
- Free and secure phone calls.
- Send self-destructing messages.
- Recall or remotely wipe sent messages.
- Safely share private photos and videos.
- Photo vault to hide photos and videos.
- Hide text messages, contacts, call logs.
- Private vault for documents, notes and diary.
In my mind, I could hear my father saying, "there is no free lunch, if it looks too good to be true..." The years have always proven him correct.
The app's web site had a foreign country URL. Not a big issue. Perhaps it was the only place where the site's name was available. A little more digging and I came up with a company address here in the United States; a residential address. Again, not a big issue. The company is just over a year old, they have no other products, and software development from home is common. Both the Chairman and CEO of the company have names normally associated with a foreign country. I am still not phased. The United States is the world's melting pot.
A question on their FAQ page was the first red flag. "Why do you need my cell phone number to activate the service?" The answer, "we need the number so we can send you the activation code." My question is, why does a free encryption product need an activation code? It sounds like a ploy to identify users. Apparently, enough people felt this was an invasion of their privacy. The next part of the company's answer was that the code would no longer be needed after version x.xx.
The next FAQ was, "Why do you upload my contact book to your servers?" The answer smelled like more dung. Apparently, everything the app does goes through their servers.
On to the fine print.
The product is specifically not guaranteed: not the encryption, not the self-destruction of the messages, photos or videos, nothing. They accept no liability. The are held harmless in the event transmissions are decrypted, deleted, copied, hacked, or intercepted.
Apps cost money to develop. Even allowing for ads, as these folks do, that is not enough money to justify an app this fancy (assuming it fulfills all its claims). There must be another payoff. What's worth money here?
Information.
People who use encryption are a select group; easy to target. For whatever reason, they feel their information is valuable. Hummm, a free security app could be great espionage tool. Let's see what information the company admits to collecting...
"We have the right to monitor..." Boom! What!?!?
"Photos and videos are cashed on servers..." and you can't delete them. They claim they will do this for you after, "a period of time."
Throughout all of this, the user's fire-of-fear is dowsed with, don't worry, it's all encrypted, no one but you can see it, trust me. Right... how about a little trust, but verify. Other security software companies allow vetting. I saw no claims that their code was independently vetted for bugs, back doors, or spyware. And, what about that "We have the right to monitor..." clause? How is that accomplished without a back door?
They, "May collect statistics about the behavior of users and transmit it to employees, contractors and affiliated organizations outside your home country." Yikes. Who are you affiliated with anyway? Please don't tell me, "if I tell you, I will have to kill you."
Here's another kicker. If they sell the company, "user information is one of the assets which would be transferred or acquired by the third party."
This may be a perfectly legitimate app. Maybe I'm paranoid. But, money, power, politics, espionage and blackmail all come to mind. Any government intelligence service, business espionage agent, or organized crime boss could have come up with this as a ruse.
Which brings me to the moral of this story...
Before you trust any security service, vet it thoroughly.
If your OTHBD needle starts to tremble, don't rationalize, move on. ~Kevin
Wednesday, November 27, 2013
TUMs Solves Wireless Security Headache. Warning: explanation gives headache.
Researchers at the Technische Universität München (TUM) have proven that wireless communications can be made more secure through a novel approach based on information theory."
The method is counter-intuitive and involves information theory and zero capacity channels. "The scheme uses two physical channels – that is, frequency bands in a wireless system – that are inherently useless, each being incapable of securely transmitting a message," says TUM.
Intuitively, combining one zero-capacity with another zero-capacity should result in zero capacity. “But in this case,” Schaefer explains, “it’s as if we’re getting a positive result from adding zero to zero. We find that we are able to ‘super-activate’ the whole system, meaning that combining two useless channels can lead to a positive capacity to transmit confidential messages securely.”
Superactivation is not unknown in quantum theory. It's the combining of zero capacity quantum channels to produce a channel with positive capacity; but is not yet applicable to current technology. But what Boche and Schaefer have achieved "is," says Boche, "the first example of super-activation – where zero plus zero is greater than zero – in classical communication scenarios.”
Huh?
Intuitively, combining one zero-capacity with another zero-capacity should result in zero capacity. “But in this case,” Schaefer explains, “it’s as if we’re getting a positive result from adding zero to zero. We find that we are able to ‘super-activate’ the whole system, meaning that combining two useless channels can lead to a positive capacity to transmit confidential messages securely.”
Superactivation is not unknown in quantum theory. It's the combining of zero capacity quantum channels to produce a channel with positive capacity; but is not yet applicable to current technology. But what Boche and Schaefer have achieved "is," says Boche, "the first example of super-activation – where zero plus zero is greater than zero – in classical communication scenarios.”
Huh?
Monday, November 25, 2013
Not to be Out-Spooked by the NSA...
The FBI is expected to reveal Thursday that because of the rise of Web-based e-mail and social networks, it's "increasingly unable" to conduct certain types of surveillance that would be possible on cellular and traditional telephones.
FBI general counsel Valerie Caproni will outline what the bureau is calling the "Going Dark" problem, meaning that police can be thwarted when conducting court-authorized eavesdropping because Internet companies aren't required to build in backdoors in advance, or because technology doesn't permit it.
Any solution, according to a copy of Caproni's prepared comments obtained by CNET, should include a way for police armed with wiretap orders to conduct surveillance of "Web-based e-mail, social networking sites, and peer-to-peer communications technology." (more)
FBI general counsel Valerie Caproni will outline what the bureau is calling the "Going Dark" problem, meaning that police can be thwarted when conducting court-authorized eavesdropping because Internet companies aren't required to build in backdoors in advance, or because technology doesn't permit it.
Any solution, according to a copy of Caproni's prepared comments obtained by CNET, should include a way for police armed with wiretap orders to conduct surveillance of "Web-based e-mail, social networking sites, and peer-to-peer communications technology." (more)
Saturday, November 2, 2013
Encryptor's Unite! - From Those Wonderful Folks Who Brought You Lavabit & Silent Circle
Our Mission - To bring the world our unique end-to-end encrypted protocol and architecture that is the 'next-generation' of private and secure email.
As founding partners of The Dark Mail Alliance, both Silent Circle and Lavabit will work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the worlds first end-to-end encrypted 'Email 3.0' throughout the world's email providers.
Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind. (more)
As founding partners of The Dark Mail Alliance, both Silent Circle and Lavabit will work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the worlds first end-to-end encrypted 'Email 3.0' throughout the world's email providers. Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind. (more)
Friday, October 25, 2013
Wednesday, October 23, 2013
Citing "Terrifying" Surveillance Tactics, Yet Another U.S. Privacy Service Shuts Down
Yet another American Internet privacy service has bitten the dust, prompted by fears about broad government surveillance demands.
San Francisco-based CryptoSeal, a provider of virtual private networks that can be used to browse the Internet anonymously, has closed its doors to users of its private VPN service.
In a statement posted online, CryptoSeal announced that a key factor in the closure was the government’s recently revealed attempt to force email provider Lavabit to turn over its private encryption keys. Lavabit shut down in August as part of an effort to resist a surveillance demand believed to involve NSA whistle-blower Edward Snowden, who was a Lavabit customer. Lavabit was ordered to turn over its master encryption keys in a way that could have potentially compromised thousands of users’ private data. (more)
San Francisco-based CryptoSeal, a provider of virtual private networks that can be used to browse the Internet anonymously, has closed its doors to users of its private VPN service.
In a statement posted online, CryptoSeal announced that a key factor in the closure was the government’s recently revealed attempt to force email provider Lavabit to turn over its private encryption keys. Lavabit shut down in August as part of an effort to resist a surveillance demand believed to involve NSA whistle-blower Edward Snowden, who was a Lavabit customer. Lavabit was ordered to turn over its master encryption keys in a way that could have potentially compromised thousands of users’ private data. (more)
Thursday, October 17, 2013
Three Tips to Keep Your Mobile Data Safe
Keeping your mobile gear secure while you’re zipping across the grid is tricky business. Laptops and tablets—veritable gold mines of personal information—are popular targets for thieves. Law enforcement officials, meanwhile, could confiscate your smartphone and then examine the data—merely as a result of a routine traffic stop.
If you’re packing an Android device, it gets even trickier, because with such a device, you stand a better chance of falling prey to the booming mobile malware market. Independent malware testing lab AV-Test had less than 10,000 Android malware samples in its database by late 2011. Now, two years later, that number has blossomed to around 1.3 million.
Step One:
Encrypt everything
One of the easiest things you can do to protect an Android or iOS device is to take advantage of built-in hardware encryption. This feature will turn the data on your phone into nearly unreadable junk—unless it's properly unlocked with your password.
Let's start with the easy one: iOS. Owners of iPhones or iPads can rest easy knowing the data is already encrypted, provided you create a passcode from the lock screen.
Step Two:
Keep malware at bay
Android users are particularly vulnerable to malware. Google, unlike Apple, doesn’t vet applications before they go live on Google Play. This has proven an easy way for malware creators to sneak malicious apps onto Google’s app store. Malware-laden apps range from those offering free device wallpaper to games, and even to impostors that try to look like popular apps.
That’s why security vendors such as Avast, Kaspersky, and Lookout offer antivirus and security apps for Android to help keep you secure online. But how good are these apps, really? Back in late 2011, results from the AV-Test lab found that the free solutions were nearly useless.
Step Three:
Go Covert
You can protect your data from being nabbed by a Customs agent and downloaded into some massive data silo in the Utah desert. The Electronic Frontier Foundation suggests an interesting option: Leave the hard drive at home and boot your laptop from an SD card.
(Full instructions on how to create a Ubuntu boot disk or USB boot drive in Ubuntu guide for displaced Windows users.) ...Even if you don’t have any sensitive data to protect, this is such a great, secret-agent-style use for your laptop that you might want to try it simply for the cool factor. (more)
If you’re packing an Android device, it gets even trickier, because with such a device, you stand a better chance of falling prey to the booming mobile malware market. Independent malware testing lab AV-Test had less than 10,000 Android malware samples in its database by late 2011. Now, two years later, that number has blossomed to around 1.3 million.
Step One:
Encrypt everything
One of the easiest things you can do to protect an Android or iOS device is to take advantage of built-in hardware encryption. This feature will turn the data on your phone into nearly unreadable junk—unless it's properly unlocked with your password.
Let's start with the easy one: iOS. Owners of iPhones or iPads can rest easy knowing the data is already encrypted, provided you create a passcode from the lock screen.
Step Two:
Keep malware at bay
Android users are particularly vulnerable to malware. Google, unlike Apple, doesn’t vet applications before they go live on Google Play. This has proven an easy way for malware creators to sneak malicious apps onto Google’s app store. Malware-laden apps range from those offering free device wallpaper to games, and even to impostors that try to look like popular apps.
That’s why security vendors such as Avast, Kaspersky, and Lookout offer antivirus and security apps for Android to help keep you secure online. But how good are these apps, really? Back in late 2011, results from the AV-Test lab found that the free solutions were nearly useless.
Step Three:
Go Covert
You can protect your data from being nabbed by a Customs agent and downloaded into some massive data silo in the Utah desert. The Electronic Frontier Foundation suggests an interesting option: Leave the hard drive at home and boot your laptop from an SD card.
(Full instructions on how to create a Ubuntu boot disk or USB boot drive in Ubuntu guide for displaced Windows users.) ...Even if you don’t have any sensitive data to protect, this is such a great, secret-agent-style use for your laptop that you might want to try it simply for the cool factor. (more)
Sunday, October 13, 2013
NIST - Not Indelibly Secure & Trustworthy?
The National Institute of Standards and Technology (NIST) has an image problem.
Last month, revelations surfaced indicating that the National Security Agency (NSA) may have planted a vulnerability in a widely used NIST-approved encryption algorithm to facilitate its spying activities. And cryptographers are also questioning subtle changes that might weaken a new security algorithm called Secure Hash Algorithm-3, or SHA-3.
Encryption experts say NIST’s reputation has been seriously undermined but that the security community would like to continue using it as a standards body if it can show that it has reformed. (more)
Last month, revelations surfaced indicating that the National Security Agency (NSA) may have planted a vulnerability in a widely used NIST-approved encryption algorithm to facilitate its spying activities. And cryptographers are also questioning subtle changes that might weaken a new security algorithm called Secure Hash Algorithm-3, or SHA-3.
Encryption experts say NIST’s reputation has been seriously undermined but that the security community would like to continue using it as a standards body if it can show that it has reformed. (more)
Monday, September 23, 2013
Is Your Cell Phone Talking to Your Carrier, or Behind Your Back to a Rogue?
It's not easy to tell, but very important if you want to have a confidential conversation.
What is a rogue or IMSI catcher?
"An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service providers real towers. As such it is considered a Man In the Middle (MITM) attack. It is used as an eavesdropping device used for interception and tracking of cellular phones and usually is undetectable for the users of mobile phones. Such a virtual base transceiver station (VBTS) is a device for identifying the International Mobile Subscriber Identity (IMSI) of a nearby GSM mobile phone and intercepting its calls." (more)
Folks with a Cryptophone know...
"Each week an increasing number of Cryptophone customers are becoming aware of disturbing, yet unfortunately not surprising changes to the cellular network in their area.
This screenshot sent in by a customer shows the Cryptophone 500 alerting them to changes in the mobile network. In this case standard network encryption has been turned off. This is often an indication that a rogue base station or “IMSI Catcher” is active in the area.
While this knowledge would be of great to concern to most people, Cryptophone users can rest easy knowing that even in the presence of an ‘active’ attack’s like this, their communications are still completely secure." (more) (more)
Think the problem is theoretical?
"Recently leaked brochures advertising next generation spy devices give outsiders a glimpse into the high-tech world of government surveillance. And one of the most tantalizing of the must-have gizmos available from a company called GammaGroup is a body-worn device that surreptitiously captures the unique identifier used by cell phones." (more)
"Hacker intercepts phone calls with homebuilt $1,500 IMSI catcher, claims GSM is beyond repair" (more)
What is a rogue or IMSI catcher?
"An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service providers real towers. As such it is considered a Man In the Middle (MITM) attack. It is used as an eavesdropping device used for interception and tracking of cellular phones and usually is undetectable for the users of mobile phones. Such a virtual base transceiver station (VBTS) is a device for identifying the International Mobile Subscriber Identity (IMSI) of a nearby GSM mobile phone and intercepting its calls." (more)
Folks with a Cryptophone know...
This screenshot sent in by a customer shows the Cryptophone 500 alerting them to changes in the mobile network. In this case standard network encryption has been turned off. This is often an indication that a rogue base station or “IMSI Catcher” is active in the area.
While this knowledge would be of great to concern to most people, Cryptophone users can rest easy knowing that even in the presence of an ‘active’ attack’s like this, their communications are still completely secure." (more) (more)
Think the problem is theoretical?
"Recently leaked brochures advertising next generation spy devices give outsiders a glimpse into the high-tech world of government surveillance. And one of the most tantalizing of the must-have gizmos available from a company called GammaGroup is a body-worn device that surreptitiously captures the unique identifier used by cell phones." (more)"Hacker intercepts phone calls with homebuilt $1,500 IMSI catcher, claims GSM is beyond repair" (more)
"Septier IMSI Catcher (SIC) has been designed as a tactical solution intended to extract GSM entities. Based on the Septier GUARDIAN infrastructure, Septier IMSI
Catcher provides its users with the capability of extracting IMSI and
IMEI of GSM Mobile Stations (MS) that are active in the system's
effective range.
Septier IMSI Catcher is the perfect solution for both extracting
identities from MS in its area of coverage (when these identities are
previously unknown) and detecting the presence of known cell phones in
the area, notifying the system user about those phones. Septier IMSI
Catcher can be equipped with an add-on 3G module that allows identity
extraction for 3G cell phones as well. It has several configurations
that allow meeting the specific requirements of every operation and are
suitable for various working conditions." (more)
Monday, September 16, 2013
"Secure" Integrated Circuit Chip Salami'ed into Spilling Secrets
A technique has been developed to bypass elaborate physical protections and siphon data off the most secure chips potentially including those used to protect military secrets.
The proof-of-concept technique demonstrated by researchers at Berlin's Technical University and security consultancy IOActive was successfully applied to a low-security Atmel chip commonly used in TiVo video recording devices. But the research team found that their complex and expensive attack could be applied to successfully pry data from highly-secure chips.
The attack used a polishing machine to mill down the silicon on the target chip until it was 30 micrometers thin.
The chip was then placed under a laser microscope fitted with an infrared camera to observe heat emanating from where encryption algorithms were running.
A focused ion-beam was then shot at the chip which dug a series of two micrometer -deep trenches in which wiretap probes were inserted.
Together, the elaborate techniques if bolstered by the use of more expensive equipment not available to the researchers could potentially bypass the most advanced chip security mechanisms. (more)
The proof-of-concept technique demonstrated by researchers at Berlin's Technical University and security consultancy IOActive was successfully applied to a low-security Atmel chip commonly used in TiVo video recording devices. But the research team found that their complex and expensive attack could be applied to successfully pry data from highly-secure chips. The attack used a polishing machine to mill down the silicon on the target chip until it was 30 micrometers thin.
The chip was then placed under a laser microscope fitted with an infrared camera to observe heat emanating from where encryption algorithms were running.
A focused ion-beam was then shot at the chip which dug a series of two micrometer -deep trenches in which wiretap probes were inserted.
Together, the elaborate techniques if bolstered by the use of more expensive equipment not available to the researchers could potentially bypass the most advanced chip security mechanisms. (more)
Subscribe to:
Posts (Atom)