Seeing what stuxnet…

… was capable of, it was just a matter of time until someone take a jab to the instalations of an utility company.

We need a “DO NOT TRACK” option for smart-phones!

smartphones tracking users

smartphones tracking users

Hey Apple, Google, when are you going to have a DO NOT TRACK option on your smartphones’ operating systems?
This is another idea, maybe RIM engineers can come up with a feature like that to give the BlackBerrys a fighting chance.

The fact that most of us carry (voluntarily) a tracking device should not be news for anybody. I guess the news-worthy part is that somebody expossed what Apple and Google where doing. I am not sure it is illegal, have you checked the small font bits of the contract you signed? Me neither.
Believe me, that Apple and Google know where you are and where you have been is not the biggest of our problems with privacy as discussed in here.


(h/t) Raymond who sent this link

More on Cyberwar

Cyber War: Is the Ultimate WMD For Sale at Best Buy?

Short Video from PJTV featuring an interview with Paul Rosenzweig.

Attacks on Cryptographic Systems (Part I)

  • Soft Attacks
    No matter how sophisticated the attack techniques become, one must not forget that when the ultimate goal is to obtain the secret message, coercion or social engineering are often the most effective attack techniques. These attacks are based on using physical or psychological threats, robbery, bribery, embezzlement, etc. The attacks are mostly directed to human links of the data security chain.
    Social Networks have become a launching pad for these kind of attacks. In a typical soft attack such as the so-called spear-phishing, e-mail addresses and information about the victims social circle is harvested from social networks and then used to send targeted e-mail with malware that cause to reveal secret information for access to secured systems.
  • Brute Force Attacks
    Assuming, as Kerchoff’s principle recommends, that the algorithm used for encryption and the general context of the message are known to the cryptanalyst, the brute-force attack involves the determination of the specific key being used to encrypt a particular text. When successful, the attacker will also be able to decipher all future messages until the keys are changed. One way to determine the key entails exhaustive search of the key-space (defined as the set of all possible valid keys for the particular crypto-system).
    Brute force is a passive, off-line attack in which the attacker Eve passively eavesdrops the communication channel and records cipher text exchanges for further analysis, without interacting with either Alice or Bob.
    To estimate the time that a successful brute-force attack will take we need to know the size of the key-space and the speed at which each key can be tested. If N_k is the number of valid keys and we can test N_s keys per second, it will take, on average \frac{1}{2}(\frac{N_k}{N_s}) seconds to find the proper key by brute-force.
    The threat that a brute-force attack poses cannot be underestimated in the real world. Most financial institutions use cipher-systems based on DES. Keys of length 56-bits, such as the one used by the
    standard implementation of DES, can be obtained by brute-force using computer hardware and software available since the late 1990’s. Indeed, to counter this possibility, most contemporary implementations of DES use a derivative known as Triple-DES (or 3-DES) which uses three different 56-bit keys instead of one. The effective key length for the combined 3-DES key is a more secure 168 bits.
    Brute force analysis have been used in combination with other attacks as was the case for the deciphering of the Enigma. The famous bombes were an example of the brute-force approach working in combination with a mathematical method that provided an important reduction of the key-space.

To be continued…..

Securing the Human

SANS Institute set up an excellent resource for those interested in computer security issues (who is not these days?).
OUCH! and other newsletters carry current information on the security issues and they are published now in several languages. I’ve put a permanent link with the badge in the right column.

Fingerprinting Computers – Part I – Your browser.

Authentication is about the only big open problem in the practice of internet security. The existing encryption and hashing algorithms as well as the key generation/management protocols offer a high degree of security, barring programming/implementation errors.
Authentication technologies face serious challenges mainly because identity is difficult to establish with a 100% certainty even using physical characteristics, i.e., signatures and credentials can be forged, the physical appearance of people can be manipulated, etc.
Read more of this post

It didn’t take very long… [UPDATED]

for my prediction to become a reality.
PC world reported on Feb 18 that a bunch of websites, only 84,000, were taken down “accidentally” by the ICE.
I have zero sympathy for people who uses the web to steal or commit morally reprehensible acts, however, if I can anticipate the heavy damage that a government agency with the power to shut down internet domains can unleash on hardworking and honest people,you cannot convince me that the legislators cannot figure this was bound to happen. Obviously they don’t care about the consequences of their grandstanding have for the rest of us mortals. And at the end of the day, shutting down websites doesn’t stop the traffic of child pornography or stolen intellectual property, it is just a nuisance for the bad guys that now need to go and setup another channel.
The danger for the rest of us is this, if we trust the government, any government, with the switch to the Internet, how long before the shutting down of domains is used as a way to silence dissent?
Oh wait! It did already happened? That was another prediction that turned to be right!


Check this Hall of Shame page at the EFF

from Backdoor to Backdoor

While the FBI was accused to set a backdoor to OpenBSD, the NSA clears the record on DES.
There are many stories about sneaking sophisticated chunks of code that make perfectly good encryption system to leak information. Something like this is extremely difficult to do without nobody noticing it and I think that it must be considered as a lot of unnecessary trouble for the guys that rather will nicely ask for the keys to your front door.

The Stuxnet Encyclopedia

Symantec published the most comprehensive and detailed analysis of the Stuxnet virus to date.

Cyber war or hacking as usual?

The Government of Canada was hit by a phishing attack from servers outside the country.
This attack follows the trend described here by RSA.
Was it in retaliation for this?