Paranoid Technology All things cybersecurity


Forget Weak Encryption, Rely on OpSec Fundamentals & Human Intelligence

LooseTweetsHillary Clinton recently joined the growing chorus of politicos suggesting that Silicon Valley tech giants need to stop treating the government like an adversary and calling for collaboration to “find solutions” to encrypted communication. “Finding solutions” meaning weakening encryption so that the US government has a legal means of eavesdropping on what would otherwise be private communications – not only among terrorists, but also among people in the (much) larger population.

This begs the question, is weakening encryption the only means of improving national security? Reviewing the recent attacks, there are a few important things to note: the terrorists in Paris were not using encrypted communications; that said, ISIS does have a sophisticated OpSec manual – which shows their heightened awareness of encryption technologies and means to maneuver around them; plus, several other nation states (the U.S. and Germany among them) shared intelligence with France on either the attacks or on the attackers that wasn’t acted on in a timely manner.

Putting aside these other programmatic gaps, let’s assume that weakening encryption is the only means of improving security. For the government to have “back door” access to any encrypted application or systems, the country would need to be operated as an enormous Public Key Infrastructure (PKI), with the government as the top level certificate authority (CA) for all domains and communications; it would issue all certificates for encryption, which would also conveniently enable surveillance.


NSA’s MYSTIC Program – Where is it deployed?

mystic-logoOn March 18 Washington Post published an article detailing another NSA program based on Snowden documents. According to these documents the NSA has a surveillance system that is capable of recording 100% of  a foreign country's phone calls.

Some details of the system - from the Washington Post article:

".... In the initial deployment, collection systems are recording “every single” conversation nationwide, storing billions of them in a 30-day rolling buffer that clears the oldest calls as new ones arrive, according to a classified summary.

The call buffer opens a door “into the past,” the summary says, enabling users to “retrieve audio of interest that was not tasked at the time of the original call.” Analysts listen to only a fraction of 1 percent of the calls, but the absolute numbers are high. Each month, they send millions of voice clippings, or “cuts,” for processing and long-term storage. ...."


SEC Left Computers Vulnerable to Cyber Attacks

(Reuters) - Staffers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks, according to people familiar with the matter.

While the computers were unprotected, there was no evidence that hacking or spying on the SEC's computers took place, these people said.

The computers and other electronic devices in question belonged to a handful of employees in an office within the SEC's Trading and Markets Division. That office is responsible for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems, one of those people said.


Get Secured with Your Heartbeat!

Short of DNA and brainwave signatures the next best thing looks like securing your devices with your heart-beat signature. A Canadian security company called Bionym created a solution, where they use your cardiac signal to protect your computing devices and privacy. The system works through reading a user's cardiac rhythm via low-cost ECG sensors when they hold the equipped device. Apparently during the initial enrollment period the unique characteristics of the user is mapped to create a template. This template is either stored remotely (on an auth server) or locally on the device that uses this type of authentication. One unique capability of this system - the authentication can be done one time or continuously during a session.

Sounds like it may become a little more convenient to use high-security devices and OSs after all!....


Phil Zimmerman and Navy SEALs Start Silent Circle

Are you worried about your communications privacy? With ever so increasing surveillance efforts of governments and private companies indexing every piece of correspondence in the name better serving us products, you should be! With this concern in mind an information security legend Phil Zimmermann and some of the original PGP team have joined up with former US Navy SEALs to build an encrypted communications platform that should be proof against any surveillance.


XSS Flaw discovered in Skype’s Shop

An independent security researcher Ucha Gobejishvili from Georgia has detected a cross site scripting (XSS) vulnerability on Skype's shop application. The vulnerability effects and; it allows allows an attacker to hijack cookies via required user interaction. Successful exploitation of the bug can result in session hijacking and account steal.

Upon successful exploitation the vulnerability allows an attacker to hijack cookies via required user interaction, leading to complete session hijacking and stealing of the account.

Gobejishvili has informed Skype of the vulnerabilities and is currently investigating.


Four out of Every 1,000 Public Keys Provide No Security

Another must share - found this on Ars Technica - According to researchers four out of every thousand public keys provide no security, this does not mean everything over SSL is broken, but the findings sure are an eye opener, here is the article:

An astonishing four out of every 1,000 public keys protecting webmail, online banking, and other sensitive online services provide no cryptographic security, a team of mathematicians has found. The research is the latest to reveal limitations in the tech used by more than a million Internet sites to prevent eavesdropping.


Remove Trustwave Certificate(s) from trusted root certificates

"Remove Trustwave Certificate(s) from trusted root certificates" is the title of Bug 724929  in Mozilla's bug database... I don't know if would classify this as a bug or a screw-up - here is what happened:

A Digital Certificate Authority called Trustwave announced that it issued a certificate to a undisclosed private company, so that they can spy on SSL connections on their network. The certificate was a subordinate root cert and it enabled its owner to sign digital certs for virtually any domain on the internet. (See Trustwave's blog.) But hey up side, apparently they checked to see that the cert could not be stolen or abused...


How Does Encryption on the Cloud Work?

There are two types of encryption on the cloud; server and client side.

Client side encryption is cumbersome (well security is not about convenience anyway...), it adds multiple steps for storing and viewing data, not to mention the time it takes to encrypt. Initially the service providers did not offer server side encryption, so everybody had their data stored in the clear...  In time with the regulatory requirements the companies that under the gun pushed for server-side (at-rest) encryption for their data and the cloud service providers had to react to this demand, the key criteria in


Using Wifi Protected Set-up? Think Again…

Designed by Wi-Fi alliance and introduced in 2007, Wi-Fi Protected Set-up (WPS) aims to provide an easy method for novice consumers to set-up their wireless access points. Recently discovered by Stefan Viehboeck, apperantly it is also designed to be a backdoor to your wireless access point 🙂

Due to a design flaw in the PIN authentication mechnaism an attacker can brute force your WPS PIN and gain access to your very long WPA2 key and access your network. The US CERT issued a vulnerability note, VU#723755 on this finding.