Security

The Big Bug in the News: the WPA2 flaw

1 Comment

Wi Fi signal graphicThe big news this week is a protocol flaw in the Wireless Protected Access protocol, version 2 (WPA2). The Ars Technica article covers the details pretty well. This is what every Wi-Fi wireless router on the planet uses these days. The problem does not directly damage your system, but it can uncover data you had intended to encrypt.

The technique can trick the system into reusing a cryptographic key. To keep encrypted data safe we must avoid encrypting the same data twice (here’s an example of how it fails). While crypto system designs usually account for this, the attack on WPA2 tricks the system into reusing the key.

Continue reading The Big Bug in the News: the WPA2 flaw

Security

Comparing Leaks: Trump vs. Hillary

1 Comment

Lattice for Secret, Top Secret, and compartmentsAs I said in an earlier post, no crime is committed if the appropriate official leaks sensitive classified information. This applies to both Secretary Clinton’s email server and President Trump’s unfortunate meeting with Russian diplomats. Both carried the authority to disclose what they disclosed. One question remains: what damage might have ensued from each leak?

I would argue that in both cases the initial lapse of judgement did not explicitly damage the United States. In both cases, however, the subsequent brouhaha may have leaked classified information. I personally doubt that the country will suffer much from either leak, though that is based on my own assessment of national threats (a political opinion).

Continue reading Comparing Leaks: Trump vs. Hillary

Security

Tiptoeing Through Vulnerabilities

BombI sympathize with developers who throw up their hands and say, “I don’t do security stuff.” No matter what you choose, there’s a trade off that could go wrong. It’s especially troublesome if one deploys a “security website.” I’ve deployed security education websites in many environments over the past 20 years, and I rarely achieve the security level I’d like.

I wanted to watch a security webinar today.  But the webinar requires Adobe Flash, in which security researchers seem to uncover 1 or 2 vulnerabilities a month. I discarded Flash when upgrading my OS a couple years ago. It’s ironic that a security webinar might tempt it back onto my machine.

Continue reading Tiptoeing Through Vulnerabilities

Tech Teaching

Cryptosmith Video Series #1 through #15

2 Comments

Diagram of signing a public-key certificateI have posted the fifteenth video in the Cryptosmith Series on practical basic cryptography. The video collection falls into three parts: the network crypto introduction, the DVD example, and the public-key certificate discussion.

There are also updates to other series videos. They now use the acronym “SSL” a lot more, since people recognize it more often than “TLS.” The public-key discussions now include elliptic curve algorithms, since they are very popular in state-of-the-art SSL (TLS) deployments.

An overview and notes about the series appear below. If you take the time to look at these videos, please “like” and/or comment as appropriate.

Continue reading Cryptosmith Video Series #1 through #15

Security

Cryptosmith Video Series

2 Comments

Banner for Transport Layer Security videoThe Cryptosmith video series uses animation to explain well-known crypto techniques. This should help more people understand crypto technology. This is particularly important as people rely more and more on mobile and Internet security mechanisms. Aside from protecting online commerce and financial activities, many professionals are realizing that their daily activities require strong protection.

[UPDATE: See the latest post to summarize the video series.]

After publishing three books on cybersecurity and cryptography I’m looking for a different medium for explaining technical concepts. While there are many online tutorial videos, most are narrated slide presentations. I’m trying something else.

Continue reading Cryptosmith Video Series

Security

#PodestaEmails are NOT obvious fakes

1 Comment

Wikileaks globe-hourglass logoEmails are notoriously hard to validate. Emails are like typed, signed contracts with no section or page numbers: you can take out or add whatever pages you want as long as you keep the signatures.

Intelligence expert Malcom Nance has tweeted that Wikileaks’ recent collection of Podesta emails contain “obvious forgeries.” It is hard to detect emails forgeries in general, but easy to find obvious forgeries. For details, check out Chapter 15 of Elementary Information Security, my textbook.

I searched recent news reports highlighting specific Podesta emails. I looked at about a dozen of those emails, plus similar “unimportant” emails. I checked the email delivery data for tampering or forgery. The email headers look correct. Thus there are no “obvious forgeries.”

Continue reading #PodestaEmails are NOT obvious fakes

Security

Election Crypto Conspiracy Theory

1 Comment

Eye atop a pyramid - a mystical signI’m not often a fan of conspiracy theories, except for entertainment value. This one is interesting because it combines international intrigue, the elections, and our world of notoriously poor email security.

The conspiracy arises from foreigners trying to influence the United States election. They spy on unprotected emails and leak the contents to influence US public opinion. This isn’t limited to attacks on the Democratic candidate Hillary Clinton. Some suggest that Fox News and the Trump campaign have also been attacked this way.

We could be blocking this threat, except that pressure groups within the government want to leave as much information unprotected as possible, notably law enforcement and intelligence agencies. I think we face a greater threat from foreign exploitation of our unprotected emails than we face from impeded investigations or even a few terrorist bombs.

Continue reading Election Crypto Conspiracy Theory

Tech History

A Yank at Bletchley Park

A friend and colOne of Turing's Bombe devicesleague introduced me to a 94-year-old gentleman with a rare tale to tell. John McCallister was recruited during World War II to be a US Army liaison officer at “Station X,” the UK’s highly secret codebreaking operation at Bletchley Park. Station X collected intercepted German radio messages, all encrypted with the supposedly-unbreakable Enigma cipher, and broke the encryption. The resulting data was distributed to a handful of senior UK and US military commanders.

At first, McCallister worked at Bletchley and learned about the codebreaking operation. He met Alan Turing, now recognized as a giant in computer science. Turing developed codebreaking machines at Bletchley, including the “bombe” (left). Then McCallister prepared for his own role: to handle and distribute the highly secret information to senior US military commanders.

Following the war, McCallister left the crypto world. After college and reserve service for the Korean War, he applied his mathematic skills to business accounting at General Electric and Zenith Electronics. He retired in 1984.

[Postscript added]

Continue reading A Yank at Bletchley Park

Security

Symantec Breaks Trust with the Internet?

1 Comment

Crypto machine rotor

Symantec is one of the companies that holds the keys to the Internet: they are a trusted certificate authority for authenticating major web sites. All major browsers recognize Symantec as a trustworthy source of SSL/TLS authentication certificates. Symantec (also known by its subsidiary name Verisign) is part of a chain of trust that keeps our Internet traffic safe.

Recent reports suggest that they have broken their trust with the Internet community. Symantec has apparently delegated some of its authentication authority to Blue Coat software, a company that makes and sells network snooping gear. A 2013 report by Reporters Without Borders contains 2 pages highlighting Blue Coat’s role in helping repressive regimes monitor encrypted web traffic.

Symantec has issued Blue Coat its own authority certificate. Blue Coat can use this to create and distribute bogus certificates that allow its gear to decrypt encrypted web traffic.

Continue reading Symantec Breaks Trust with the Internet?