Hacking mechanical vibrations

This WIRED article describes an interesting application of the side-channel idea: key-logging your typing by sensing the mechanical vibrations the keystrokes produce.

More on Cyberwar

Cyber War: Is the Ultimate WMD For Sale at Best Buy?

Short Video from PJTV featuring an interview with Paul Rosenzweig.

Attacks on Cryptographic Systems (Part I)

  • Soft Attacks
    No matter how sophisticated the attack techniques become, one must not forget that when the ultimate goal is to obtain the secret message, coercion or social engineering is often the most effective attack. These attacks rely on physical or psychological threats, robbery, bribery, embezzlement, etc., and are mostly directed at the human links of the data security chain.
    Social networks have become a launching pad for this kind of attack. In a typical soft attack such as spear-phishing, e-mail addresses and information about the victim's social circle are harvested from social networks and then used to send targeted e-mail carrying malware that tricks the victim into revealing the credentials needed to access secured systems.
  • Brute Force Attacks
    Assuming, as Kerckhoffs's principle recommends, that the algorithm used for encryption and the general context of the message are known to the cryptanalyst, a brute-force attack consists of determining the specific key used to encrypt a particular text. When successful, the attacker will also be able to decipher all other messages encrypted under that key until the key is changed. One way to determine the key is an exhaustive search of the key-space (defined as the set of all possible valid keys for the particular crypto-system): each candidate key is tried in turn and the result is checked against what is known about the message, for instance a known fragment of plaintext.
    As considered here, brute force is a passive, off-line attack: the attacker Eve eavesdrops on the communication channel and records ciphertext exchanges for later analysis, without interacting with either Alice or Bob. (Guessing passwords against a live login service is also called brute force, but that variant is on-line and can be rate-limited; the off-line search cannot.)
    To estimate the time a successful brute-force attack will take we need to know the size of the key-space and the speed at which keys can be tested. If N_k is the number of valid keys and we can test N_s keys per second, it will take on average \frac{N_k}{2 N_s} seconds to find the proper key by brute force, assuming the key was chosen uniformly at random; in the worst case it takes \frac{N_k}{N_s} seconds. Since N_k = 2^n for an n-bit key, each additional key bit doubles both figures.
    The threat that a brute-force attack poses should not be underestimated in the real world. Many financial institutions still use cipher-systems based on DES. Keys of length 56 bits, as used by the standard implementation of DES, can be recovered by brute force with computer hardware and software available since the late 1990s (the EFF's "Deep Crack" machine did it in 1998). To counter this, most contemporary deployments of DES use a derivative known as Triple-DES (or 3-DES), which applies DES three times under different 56-bit keys. With three independent keys the nominal key length is 168 bits, but a meet-in-the-middle attack reduces the effective security to roughly 112 bits; the two-key variant common in banking has a 112-bit nominal key and correspondingly less. Either way it is well beyond exhaustive search, which is the point.
    Brute-force analysis has also been used in combination with other attacks, as was the case for the deciphering of Enigma. The famous bombes were an example of the brute-force approach working together with a mathematical method (and known-plaintext "cribs") that provided an important reduction of the key-space to be searched.
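The estimate above becomes concrete once you can measure N_s. The following script is an added example, not code from the original post: it defines a deliberately weak toy stream cipher (keystream derived from SHA-256 of a 16-bit key, an assumption made here so that the full key-space can be searched in seconds), lets Eve recover the key from a recorded ciphertext and a known-plaintext crib exactly as Kerckhoffs's principle allows, measures the achieved key-test rate, and plugs that rate into the \frac{N_k}{2 N_s} formula for 56-bit DES and the 112-bit effective strength of 3-DES. The key value, the message and the crib are constructed sample data.

```python
"""Exhaustive key search against a toy cipher, plus brute-force time estimates.

Added example for this page (not the author's code). The cipher is a
throwaway construction with a 16-bit key, chosen so that the whole key-space
can be searched quickly; it has no security value whatsoever.
"""
import hashlib
import time

KEY_BITS = 16                      # assumption: tiny key-space for the demo
N_K = 2 ** KEY_BITS                # number of valid keys

# Constructed sample data: Alice's secret key and her message to Bob.
SECRET_KEY = 0xBEEF
PLAINTEXT = b"Dear Bob, the launch code is 4242"
CRIB = b"Dear Bob,"                # context Eve knows: every message starts like this


def keystream(key, length):
    """Counter-mode keystream: SHA-256(key || counter) blocks, truncated to length."""
    key_bytes = key.to_bytes(KEY_BITS // 8, "big")
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, plaintext):
    """XOR the plaintext with the keystream (the algorithm is public, per Kerckhoffs)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def toy_decrypt(key, ciphertext):
    """XOR is its own inverse, so decryption is the same operation."""
    return toy_encrypt(key, ciphertext)


def brute_force_known_plaintext(ciphertext, crib):
    """Eve's off-line search: try every key, keep the one that reproduces the crib.

    Returns (key_or_None, keys_tried, elapsed_seconds). Only the first
    len(crib) bytes are decrypted per candidate, which is all the check needs.
    """
    prefix = ciphertext[:len(crib)]
    start = time.perf_counter()
    for candidate in range(N_K):
        if toy_decrypt(candidate, prefix) == crib:
            return candidate, candidate + 1, time.perf_counter() - start
    return None, N_K, time.perf_counter() - start


def expected_search_time(key_bits, keys_per_second):
    """(average_seconds, worst_case_seconds) for exhaustive search of a key_bits key.

    Average assumes the key was drawn uniformly at random, so half the
    key-space is searched on average; worst case searches all of it.
    """
    n_k = 2 ** key_bits
    worst = n_k / keys_per_second
    return worst / 2, worst


SECONDS_PER_YEAR = 365.25 * 24 * 3600


def main():
    ciphertext = toy_encrypt(SECRET_KEY, PLAINTEXT)       # what Eve records on the wire
    key, tried, elapsed = brute_force_known_plaintext(ciphertext, CRIB)
    print(f"recovered key 0x{key:04X} after {tried} candidates in {elapsed:.3f}s")
    print(f"full message: {toy_decrypt(key, ciphertext).decode()}")

    # Measured rate N_s of this (slow, pure-Python) search; real attacks use
    # FPGAs/ASICs/GPUs that are many orders of magnitude faster.
    n_s = tried / elapsed
    print(f"measured rate N_s = {n_s:,.0f} keys/s")
    for label, bits in (("DES (56-bit)", 56), ("3-DES effective (112-bit)", 112)):
        avg, worst = expected_search_time(bits, n_s)
        print(f"{label}: average {avg / SECONDS_PER_YEAR:.3g} years, "
              f"worst {worst / SECONDS_PER_YEAR:.3g} years at this rate")


if __name__ == "__main__":
    main()
```

The printed figures are only meaningful relative to the measured rate: the useful exercise is to replace n_s with the rate of whatever hardware you are defending against and see how the average time collapses for 56 bits while staying astronomical for 112, which is the whole argument for moving off single DES.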

To be continued…

The Stuxnet Encyclopedia

Symantec has published the most comprehensive and detailed analysis of the Stuxnet worm to date.

Cyber war or hacking as usual?

The Government of Canada was hit by a phishing attack from servers outside the country.
This attack follows the trend described here by RSA.
Was it in retaliation for this?

2011 at its Prime

The fact that 2011 is a prime number didn't escape the mathematically inclined. Moreover, as @mathematicsprof tweeted, 2011 can be expressed as the sum of the 11 consecutive primes 157+163+167+173+179+181+191+193+197+199+211.

This already sets the stage for a year that, I dare to predict, will not be easily forgotten. A confluence of processes already in motion may result in drastic changes for the world and in particular for the Internet. To wit:

  • Cyber-attacks can get 'physical', as the Stuxnet worm proved,
  • There is a struggle to control the Internet at all levels,
  • Privacy and mobile computing have compatibility issues,
  • All this against the backdrop of economic and political turmoil.


As the Chinese say “May you live in interesting times” ….


Check the strength of passwords

A cool application for checking the strength of passwords


Stuxnet virus demonstration

Symantec released a video showing how Stuxnet infects a PLC module attached to an air pump. See the Stuxnet worm in action.

Now we are really secure….

That is a good idea: take your source code and hand it to someone bent on getting all your secrets, in order to increase the security of your data:

Security Nightmare: Chinese Government Has Microsoft Windows Source Codes.

The world is REALLY in the hands of crazy people

Interesting new report

Most large Canadian firms have been hit by cyberattacks: Report.