Categories
Aside

How Google collected data from wi-fi networks with Streetview vehicles

This is a terrific graphic that breaks down how Google collected data from wi-fi networks with Streetview vehicles.

Categories
Links Writing

VPNs becoming more common amongst youth

The risks that onerous copyright laws pose for law enforcement are rarely considered, despite such laws (potentially) threatening national security operations. In Sweden, following efforts to dissuade file sharing, the population is increasingly moving to encrypted VPN connections to continue their sharing. From an article over at Torrentfreak,

according to new research from the Cybernorms research group at Sweden’s Lund University, an increasing proportion of the country’s population are taking measures to negate the effects of spying on their online activities.

The study reveals that 700,000 Swedes now make themselves anonymous online with paid VPN services such as The Pirate Bay’s iPredator.

What does this have to do with law enforcement? As the Swedish population moves to encrypted communications it limits authorities’ insights into the data traffic moving through Swedish networks. Consequently, the copyright lobby is (unintentionally) increasing the challenges of applying digital ‘wiretaps’ on Swedish citizens. While not something that the copyright lobbies are necessarily concerned with, these developments can be problematic for national security agencies.

I’m not advocating that communications should necessarily be easier for such agencies to investigate – far from it – but I do think that before aligning legislative efforts with copyright groups it is critical for legislators to think of the broader implications associated with ‘strong’ copyright laws. While such laws might dissuade some file sharing, are the benefits derived from limiting file sharing sufficient to justify disadvantaging national security and intelligence operations?

Categories
Writing

Making Dropbox a Little Safer

Research conducted by Christopher Soghoian demonstrated that Dropbox lacks a security model that genuinely protects user data. As a consequence, while Dropbox is a convenient service it isn’t one that can really be trusted. Regardless, individuals around the world do, and will, continue to use the service.

Recognizing the user constraints around cloud file-storage solutions, BoxCryptor has provided the tools to encrypt files before they are sent to Dropbox. This lets users rely on Dropbox for convenient storage while also reducing their risk profiles. All in all, it’s a win-win for the consumer.

The instructions are for OS X Leopard, Snow Leopard, and Lion, and are relatively easy to follow. If you want to secure yourself a little bit better than you likely are right now you’d be well served to set up automatic encryption now. As an added bonus, the instructions will let you also choose Microsoft’s or Google’s cloud services so long as you point the “EncFS Raw Path” to the file path of these other services (don’t worry: it’ll be super clear what that refers to as you go through the instructions!).

Categories
Links

Nice Overview of Encryption Tools

While it’s certainly not definitive, and it doesn’t walk you through using each and every tool, Edwards has a good high-level overview piece that is worth reading.

Categories
Links Writing

An Interesting USB-Drive Encryption System

A group of my colleagues and I are always on the hunt for affordable, easy-to-use, secure drive encryption tools that can be deployed to non-technically savvy individuals. The most recent piece of software we’ve come across is LaCie’s Public-Private encryption which, as far as I can tell, is a pretty front-end for TrueCrypt.

I’ve reached out to the company in the hopes of learning what, if anything, they’ve done in making TrueCrypt a tiny bit easier for people to use. TrueCrypt is one of the more secure means of protecting data. LaCie’s software itself is free – available here – and runs on any USB drive, so you can use the software without having to purchase anything from the company. The only deficit that I’ve come across thus far is that you can only create 4GB partitions; this means that if you want to encrypt everything on an 8GB drive then you’ll need to establish two separate partitions.

I’ll be updating this site once/if I hear back from the company.

Categories
Links Writing

The Problems With Smartphone Password Managers

In today’s era of hyperbolic security warnings one of the easiest things that people can do to ‘protect’ themselves online is select super hard passwords to crack, stuff them in a centralized password manager, and then only have to remember a single password to access the rest in the manager. I’ve used a password manager for some time and there are real security benefits: specifically, if a single service that I’ve registered with is hacked then my entire online life isn’t compromised, just that one service.

Password manager companies recognize the first concern that most people have surrounding their services: how do the managers protect the sensitive information they’re entrusted with? The standard response from vendors tends to reference ‘strong’ security models and usage of cryptography. Perhaps unsurprisingly, it is now quite apparent that the standard responses really can’t be trusted.

In a recent paper (.pdf), researchers interrogated the security status of password managers. What they found is, quite frankly, shocking and shameful. They also demonstrate the incredible need for third-party vetting of stated security capabilities.

The abstract for the paper is below but you should really just go read the whole paper (.pdf). It’s worth your time and if you’re not a math person you can largely skim over the hard math: the authors have provided a convenient series of tables and special notes that indicate the core deficiencies in various managers’ security stance. Don’t use a password manager that is clearly incompetently designed and, perhaps in the future, you will be more skeptical of the claims companies make around security.

Abstract:

In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection

Access the paper (.pdf)

Categories
Writing

I get that indexing encrypted backups is a royal pain in the ass, and that doing this well is challenging to boot. That said: the notion RIM would provide discrete, encrypted, backups of the PlayBook rather than solving the problem of indexed backups is absolutely absurd.

Even in an era of 500GB+ hard drives, ‘paying’ 13GB+ for each backup is ridiculous; this kind of storage cost simply doesn’t lead to a sustainable long-term backup schema (especially when you head north to 55GB+ backups). Most users, in response, will dial back to non-encrypted backups and thus reduce the security profile of what is meant to be a secure device. This is incredibly bad form for RIM, made worse by the company’s (often contrasting) focuses on (a) consumer markets; (b) professional – and thereby more security-conscious – markets.

Apple had the same problem with storing encrypted disk profiles in the previous iteration of their operating system – OS X Snow Leopard – though this was resolved in Lion. While the lessons learned by Apple likely are not perfectly equatable to RIM’s own situation, RIM needs to move the ball ahead if they are to simultaneously deliver to their dual markets. At this point they cannot afford to satisfy only one market or the other and hope to remain competitive.

Categories
Links Writing

SSL Skeleton Keys

From the Ars lede:

Critics are calling for the ouster of Trustwave as a trusted issuer of secure sockets layer certificates after it admitted minting a credential it knew would be used by a customer to impersonate websites it didn’t own.

The so-called subordinate root certificate allowed the customer to issue SSL credentials that Internet Explorer and other major browsers would accept as valid for any server on the Internet. The unnamed buyer of this skeleton key used it to perform what amounted to man-in-the-middle attacks that monitored users of its internal network as they accessed SSL-encrypted websites and services. The data-loss-prevention system used a hardware security module to ensure the private key at the heart of the root certificate wasn’t accidentally leaked or retrieved by hackers.

It’s not new that these keys are issued – and, in fact, governments are strongly believed to compel such keys from authorities in their jurisdiction – but the significance of these keys cannot be overstated. SSL is intended to encourage trust: if you see that a site is using SSL then that site is supposed to be ‘safe’. This is the lesson that the Internet industry has been pounding into end-users/consumers for ages. eCommerce largely depends on consumers ‘getting’ this message.

The problem is that the lesson is increasingly untrue.

Given the sale of ‘skeleton key’ certs, the hacking of authorities to generate (illegitimate) certs for major websites (e.g. addons.mozilla.com, hotmail.com, gmail.com, etc), and widespread backend problems with SSL implementation, it is practically impossible to claim that SSL makes things ‘safe’. While SSL isn’t in the domain of security theatre, it can only be seen as marginally increasing protection instead of making individuals, and their online transactions, safe.

This is significant for the end-user/consumer, because they psychologically respond to the difference between ‘safe’ and ‘safer’. Ideally a next-generation, peer-reviewable and trust agile, system will be formally adopted by the major players in the near future. Only after the existing problems around SSL are worked out – through trust agility, certificate pinning, and so forth – will the user experience be moved back towards the ‘safe’ position in the ‘safe/unsafe’ continuum.

Categories
Aside Links

Practical Quantum Computing?

From the article:

So-called quantum key distribution is unconditionally secure–it offers perfect secrecy guaranteed by the laws of physics.

Or at least that’s what everyone thought. More recently, various groups have begun to focus on a fly in the ointment: the practical implementation of this process. While quantum key distribution offers perfect security in practice, the devices used to send quantum messages are inevitably imperfect.

It will be interesting to see how quantum computing practically differs from the theoretics of quantum physics; I suspect that efforts will be made to find ‘kludges’ that will ultimately be the source of practical problems to quantum-based security and computing efficiency. Of course, this is a similar issue that currently besets security and computing: dealing with real-world materials and accommodating imperfections (and variable modes of breaking security models that extend beyond the system being imagined) are amongst the most pressing of today’s issues.

Categories
Links Quotations

How to hack a smartphone via radio

Network World:

Encryption keys on smartphones can be stolen via a technique using radio waves, says one of the world’s foremost crypto experts, Paul Kocher, whose firm Cryptography Research will demonstrate the hacking stunt with several types of smartphones at the upcoming RSA Conference in San Francisco next month.

“You tune to the right frequency,” says Kocher, who described the hacking procedure as involving use of a radio device much like a common AM radio that will be set up within about 10 feet from the smartphone. The radio-based device will pick up electromagnetic waves occurring when the crypto libraries inside the smartphone are used, and computations can reveal the private key. “We’re stealing the key as it’s being used,” he says, adding, “It’s independent of key length.”

Kocher says the goal of the hacking demo, which Cryptography Research will demonstrate throughout the RSA Conference at its booth, is not to disparage any particular smartphone manufacturer but to point out that the way crypto is used on devices can be improved.

“This is a problem that can be fixed,” he says, noting Cryptography Research is working with at least one of the major smartphone makers, which he declined to name, on the issues around these types of radio-based attacks.

This is a high level of awesome. I wonder who the major smartphone maker is; Microsoft? Apple?