Weekly Digest #2 – Interesting Articles

WPA Cracking
An interesting reference on Schneier’s blog to an article describing an “in the cloud” service to crack WPA keys. It is the realisation of the concept of distributed security cracking mentioned in 2008 by Chad Perrin; I am not sure if he was the first to introduce that idea.

WPA2 Vulnerability – Hole 196
A new man-in-the-middle attack for WPA2 seems to have been found and was recently demonstrated at Defcon 18.

World’s Top Malware
FireEye has produced a nice colourful report on the top 20 malware they found on the net with their technology. Although this could be guessed, it is interesting that the top 4 types of malware are 1) Information gathering/stealing, 2) Generic Malware dropper, 3) Rogue Anti-virus and then Spam.

Cisco 2010 Midyear Security Report
This is a good report published by Cisco on security risks and trends. Below is a very brief summary of what I found interesting in that report:
– An enterprise security landscape which is shifting in 3 areas: 1) a technological shift (mobile devices), 2) an economic shift (virtualization of operations) and 3) a demographic shift (collaboration and social networks)
– For each of those shifts, the report describes the associated security risks and provides some clear “generic” security steps to help address the risks (read here, non Cisco specific!)
– An interesting projection of the number of “connected” devices per person… from 5 today to a prediction of 140 in 2013!! which pushes even more the need to move to IPv6 (if not for security reasons!)
– The logic behind what an attacker decides to focus on
– Security attacks focus for 2010: 30% increase of spam compared to 2009, increase of attacks on legitimate websites (i.e.: The Apple store) and social networks.

So, all in all a very interesting report where only the last few pages offer references to Cisco specific products.

Weekly Digest #1 – Interesting Articles

Working in IT Security, I receive and get to read a lot of security-related articles. I will list here a summary of the ones I found the most interesting. The idea is to try publishing this list on a weekly basis… not sure I will always have the time to do so, hence why the subject of those posts will be numbered, and we start with week #1:

– Safari Vulnerability
An Auto-fill vulnerability in the Safari browser which allows attackers to get info from your personal contact details.
Reading the comments on that article, it is not clear if this could also affect other WebKit based browsers such as Chrome.
It may be best practice anyway to disable the auto-fill option in any browser you are using.

– New GSM-cracking software release… the call of Kraken!
A piece of software called Kraken has recently been released and claims to crack the A5/1 encryption algorithm used by some GSM networks. Although this algorithm had been subject to attacks before, this is a new and very efficient method. According to that article, the GSM network is also the fall-back network for the 3G network, thus maybe exposing the security of 3G users too (but not of the 3G network per se)!

– Simple and safe password
Recent Microsoft research has described a new password policy scheme using simple but safe passwords. Instead of enforcing a complex password policy, the policy is based on password popularity… if a password is too popular it becomes a forbidden password.
Now I can see two requirements for this to work: a) (as mentioned in the article) A large user base population and b) (not mentioned in the article) for the system to have access to users’ clear text passwords, or for a unique “salt” to be used in the hash algorithm… not sure it would be a good thing!

The idea is that if all the passwords used are not “popular”, then it doesn’t really matter as much if they are complex, as they would not be part of the “popular” passwords list. This, however, would not protect you against a brute force attack!
Anyway, this is a refreshing take on a very old IT security issue…

Who cares about encryption?
An interesting poll study showing there is a consensus for most people that encryption is required, especially for mobile devices/users, but technical difficulties get in the way… something which has been associated with encryption technologies for a long time, and although a lot has been done in recent years to simplify encryption implementation, there is still some way to go.

New Version of Truecrypt

Truecrypt is a tool I have been using for a while; it is a great product and… free!

It allows for full disk encryption, be it your desktop hard disk or a USB stick.

A new version has just been released, version 7, and it now provides:
– Hardware acceleration
– Auto-mount (Windows)
– Security improvements related to Windows hibernation files

Its main features are:
– Creates a virtual encrypted disk within a file and mounts it as a real disk.
– Encrypts an entire partition or storage device such as USB flash drive or hard drive.
– Encrypts a partition or drive where Windows is installed (pre-boot authentication).
– Encryption is automatic, real-time (on-the-fly) and transparent.
– Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
– Encryption can be hardware-accelerated on modern processors.
– Provides plausible deniability, in case an adversary forces you to reveal the password: hidden volume (steganography) and hidden operating system.

More info can be found on the following website: http://www.truecrypt.org/

Email working again

This morning I checked my spam folder related to this website/domain name and noticed there had been no new spam for about a week… not that I am missing it but this did not sound quite right!

Indeed, it looks like my service provider recently had some issues with one of their sites being compromised and used to host some malicious software, and as a result their back-end domain was blacklisted by Google. Something they did not like too much…

They took the drastic decision to change their back-end domain, and it seems to have worked. But in the process they have messed up some accounts. They have now fixed the issue with my domain, but if you have sent me an email recently then, I am afraid, that email is lost and you probably did not receive any error message either!

I never thought spamming could be useful to the receiver of it, but in this case the lack of noise highlighted another issue :)

It was only yesterday…

For over 3 years this website has not been updated and it was time to give it a face lift!

It is actually quite astonishing to think this website has existed since 1998, 12 years! I guess I am getting older, my hair is getting greyer and there is less of it! One thing that hasn’t changed though is my interest in Cryptography.

Because of a busy professional life in the IT Security world I haven’t been able to work on the BUGS algorithm for many years. However, I have recently completed a Master in Information Security at the London Royal Holloway University. I logically chose to work on a cryptography subject for my Master Thesis. This allowed me to spend some time back on the BUGS algorithm and, for the first time, learn some cryptanalysis techniques!

The main subject of my thesis was to give an “Overview of Modern Symmetric-Key Cipher Cryptanalysis Techniques”. As such, after a general introduction on cryptography and cryptanalysis, I focused on two main cryptanalysis techniques:
Linear and Differential Cryptanalysis
Finally, I started to conduct a cryptanalysis of my BUGS algorithm. Although I still haven’t conducted a full cryptanalysis on BUGS, my early tests seem to indicate the BUGS algorithm may show some weaknesses if not used with its default settings. On the other hand, it seems to be quite secure when default settings are used. However, I would need to pursue those tests further to prove this is correct.

In the process I have also highlighted what I believe could be a new type of cryptanalysis attack:
Unrestricted XOR-Sum Uniqueness Cryptanalysis attack
At this stage this is just a suggested new type of attack and more work is required to find out if this attack is indeed possible and if it offers any value!

So here you have it, this is what I will try to spend some time on in the coming months/years:
– To conduct a full cryptanalysis on BUGS and publish the results
– To investigate my new type of cryptanalysis attack

My MSc Thesis document is available HERE.

IT Security News & BUGS Cryptography Project