lucky13

GnuPG 2.0.7 released:

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.7 This is maintenance release with a few minor enhancements.

Humphrey Cheung writes about Errata Security president Robert Graham’s point-and-click demonstration at Black Hat USA. Graham used a sniffer and ran Ferret to copy captured cookies (over wifi at the conference). He then cloned the cookies into his own browser and demonstrated the easy effect by showing someone else’s gmail account in his browser. (He also used the hijacked account to send a message to Cheung.)

Since the attack relies on sniffing traffic, using SSL or some type of encryption (like a VPN tunnel) would stop Graham in his tracks. However, many people browsing at public wireless hotspots don’t use such protections.

“You’re an idiot if you use T-Mobile hotspot,” said Graham.

I’ve come across a web-based service called Clipperz that may at first glance seem just a password manager, but the service can be as broad as any user wants it to be.

First, some highlights. It’s platform (OS) neutral — it uses the browser’s javascript capabilities to encrypt information locally and upload it, in encrypted form, to their servers for storage. It works with Firefox, Opera, MSIE, etc. So you can use it on any operating system and continue to access service if you change temporarily (such as borrowing a friend’s computer). It’s completely portable so you can access it from any computer, any time, anywhere. It allows you to store your passwords, certificates, and any other online credentials. You can use it to manage and auto-log into your online accounts through one interface. It can also be used to encrypt and manage other text-based information like PINs, access codes, confidential notes, etc., so they can be accessed from anywhere.

Second, some technical information. They use standard 128-bit encryption (SRP, AES, SHA-2, ECC, Fortuna PRNG, SSSS) which all occurs on your own computer using javascript. You keep your own key (Clipperz doesn’t); you lose it, you’re screwed. All they get on the server-side is scrambled data. They don’t know what you’ve uploaded, they don’t even know who you are; your account isn’t tied to an e-mail account, but to your own registered account. They don’t install anything on your computer.

Third, some minor concerns. Encryption is only as strong as the protocols used: stronger passphrases are harder to break than weak ones. I’m also not keen on the idea of storing PINs, account passwords, and information best not shared with the world on someone else’s servers; Clipperz does have an offline copy, which basically dumps what they have in your account down to your computer. The offline copy can’t be modified; modifications are online. And since it’s encrypted, the offline copy is only accessible by passphrase.

This could be a solution for people who use multiple computers and are concerned about the security of data they need to access and store online.

Coming soon: a review of PassPack, a competing service to Clipperz.

I’ve added a page about using bcrypt across different platforms. Since it’s highly portable (~125kb for the Windows version with zlib.dll) and very easy to use, there’s no excuse to not carry and use it to encrypt files and avoid scares like these on laptops and USB keys.

Many people store personal information as well as important business data on their laptops, notebooks, PDAs, and other portable computing devices. These devices can be very easily stolen or even “lost,” exposing individuals, corporations, and customers to more harm like identity theft (as happens with every new story about companies losing laptops and portable drives with customer credit card and SSN information) and loss of proprietary information.

The old rule of thumb about not owning things that someone wants bad enough to steal applies to data as much as it things like cars, jewelry, and even laptops themselves. If it’s important enough to cautiously protect, it probably shouldn’t be stored on such a portable (steal-able) device. That’s impractical for a lot of reasons in today’s world, but there are steps people can take to protect themselves and their data.

This article notes that laptop/notebook thefts eclipsed 750,000 in the US alone last year, and that 97% of stolen notebooks are never recovered and details a few steps to at least secure their data should their devices be stolen. Most are simple and straightforward: using passwords. Those aren’t impervious, though: I regularly bypass passwords (such as the last hard drive I bought at a garage sale — only the user account was password-protected, the rest of the drive was accessible).

Data can also be secured via encryption (which is only as strong as the protocol used). Stolen computers can also report their locations via services primarily targeted at Microsoft and Mac users. I think the former is preferable to the latter because I can think of several ways to keep a computer from e-mailing its most recent locations (and I’m pretty sure I could also disable such functions). In fact, it’s a lot easier to prevent a computer from calling home than it is to crack a well-encrypted file or partition.

There are open source options available in addition to those listed in the article. GPG is available for both Windows, Linux/BSD, and there’s also a Mac port now. Another smaller, and maybe simpler, encryption solution for those working across platforms is bcrypt. It’s not as feature-filled as GPG, but it’s small enough that it can be very portable — it’s only 61kb so it can be installed (along with the required zlib dll, 63kb) on every USB thumbdrive to encrypt/decrypt its contents regardless of where one may use it.

I’ve found bcrypt to be very useful when using both Windows, whether with PortableApps and U3 or just to encrypt/decrypt normally stored data, and Linux. Its only drawback in the Windows version is it doesn’t hide or mask passphrases. It works so simply (the same command encrypts and decrypts) and seamlessly, though, between Windows and Linux versions that I highly recommend it for those using either or both systems.

Here’s an article about how exploits are now being distributed among the criminal class after cracking WEP encryption to violate the security people have on home networks (if they even bother enabling encryption — too many people don’t), at public hotspots, etc.

You might not even know if these hackers have gained access to your connection. They may be a couple houses over or on the next street. But if they’re doing something illegal with your Internet connection, it’s going to come back to you.

It’s no longer just free-loading piggybackers you have to worry about slowing you down by hogging your bandwidth. Your IP is tracked regardless of who’s using it through your wireless router. Use stronger encryption, like AES and WPA, instead of WEP.

A Wall Street Journal article cited here quotes investigators familiar with the TJX breach as saying the criminals used an antenna connected to a laptop to capture data moving between scanning devices, cash registers and PCs, which were using wireless LAN connectivity and WEP encryption.

John Pescatore of Gartner is quoted as saying:

The encryption to keep someone from breaking in was done very poorly in this first generation. It’s no better than (no security at all). This is something I would have thought an audit would’ve caught.

It’s something an audit should have caught, and it shouldn’t have gone undetected for 19 months and compromised the security of 45.7 million customers.

Digg has given in to a crippling volume of user demand (as in site crash) that the popular site stop removing content. Digg had intended to comply with a cease and desist letter from AACS asking the site’s operators to remove information related to a DVD encryption key. Then the floods started: Diggs against censorship, Diggs against DRM, Diggs for the key.

After crashing, Digg founder Kevin Rose blogged:

After seeing hundreds of stories and reading thousands of comments, you’ve made it clear. You’d rather see Digg go down fighting than bow down to a bigger company.

The question is, how does AACS seek to put the toothpaste back in the tube? Google has thousands of hits for said key.

Have you ever wondered if you portable data storage could handle submersion up to 200 meters and survive crushing physical compression/destruction? Wonder no more. Try the Corsair Survivor. Available in 4GB ($60) and 8GB ($130) versions, 256-bit AES encryption app included.

This post was entered yesterday but blogsavy was down (again).
This article repeats Webroot Software’s finding last year that nine out of ten computers are infected with some form of malware and Consumer Reports’ claim that individuals and businesses spent $2.6 billion in 2006 trying to block or remove spyware. It also points out:

Criminals now have more incentive to crack into computers and steal information than they did only a few years ago.

People are increasingly accessing information such as bank accounts and stock portfolios online and are using credit cards to make purchases from Internet retailers. During tax season, more than 20 million submit tax forms full of personal information from a home computer.

Most criminals attack Windows because it’s so pervasive. While the article says that “most tech experts consider operating systems like Apple’s OS X and Linux more secure than Windows,” neither is without vulnerability. Cross-platform threats can and do affect non-Windows systems, particularly from vulnerabilities in certain applications (Open Office, Java, Flash, QuickTime, etc.), over the Internet (phishing and other scams are OS-neutral), and gullible trust when using unencrypted wireless connections.