Cryptosmith

Cyber and security architecture, not bitcoins

Powered by
WordPress

  • Authentication Chapters Online

    Thanks to my former publisher, Addison-Wesley nee-Pearson Education, I can post several chapters of my favorite writing project: Authentication: From Passwords to Public Keys. I’m including these chapters as material for the Cloud Cybersecurity course I’m doing at the University of Minnesota for Coursera. The book was published in 2001, and it’s based on solid,…

  • Political campaign security

    Maciej Cegłowski has published a long, practical, insightful, and witty article on his experiences with political campaign security. He wisely focuses on a handful of steps to narrow the attack surface with the fewest tools and techniques. This should be a Coursera course, or a series of short videos.

  • The practical digital library updated

    A few years ago I moved my private library to the cloud. It uses Calibre to catalog my books, and the Open Publication Distribution System (OPDS) to provide an Internet-capable catalog. OPDS is built in to a lot of publisher-independent e-reader software. My e-readers can generally retrieve books from Internet hosts that provide OPDS. My…

  • Ross Anderson and another edition of Security Engineering

    Every cybersecurity professional knows – and almost certainly owns – this book. Ross Anderson published the first edition back around 2001. He’s starting a third edition and is using an on-line collaborative model for developing revisions. He has already posted drafts of a few revised chapters. Ross recently pointed out a disappointing result from Edward…

  • A Forged “From” Address

    To the left we see part of a malicious email. The author brags about how the From address is the same as the To address. This is supposed to mean that the author has broken into my email account. I have been waiting patiently for someone to mail one of these to me. Now I…

  • This photo should not exist

    pin.it/fnnc4j6fjamugy Once we get past the creep factor of Nazi army uniforms, we see a communications team sending a secret message. They are using the legendary Enigma machine to encrypt the message. But why, why did that officer allow a photographer to record this highly sensitive activity? A failure of operational security (OPSEC). Allies in…

  • Rule #1 for Detecting a Phish

    Golly. This one was really hard to spot. Just kidding. This is obviously a fake email. I don’t think that American Express is likely to be sending email from “Steakhousetopia.com” regardless of how challenging Internet operations might get.

  • A Mac Hack

    Here’s a clever two-step attack on a Macintosh. First, the victim downloads a file – it may be enough to email it to the victim as an attachment. Second, the victim opens a file or clicks a link. This executes the downloaded file. Yipes!

  • Invoice Phishing Campaign

    Here is a phishing email I received today. These almost always land in my junk mail (hooray!). This particular one encourages me to click on a Microsoft Word file claiming to contain an invoice I should pay. I also received a couple with “.xps” attachments. These apparently make use of printer paper specification files in…

  • State of the Art Password Cracking

    While researching my next edition of Elementary Information Security I came a this posting from last January. It comes from the “netmux” web site and describes a $5,000 design for a password hash cracker. It also links to other state of the art cracking gear.

  • Sen. John McCain, 1936-2018

    In June, 1999, Senator John McCain had started his presidential bid and was visiting companies in Silicon Valley, including Secure Computing Corporation, where I worked. He was there to discuss government policies on several tech topics, including the export of cryptographic technologies and products. I had been writing policy statements about crypto exports as part of…

  • Interesting Email Scam I Received

    I received an impressive email scam recently. My response was to forward it to the email provider’s abuse contact (abuse@outlook.com) and file a complaint with the Internet Crime Complaint Center (ic3.gov). I’ll include the whole email later. The bottom line: Scammer has my password and will humiliate me if I don’t pay $1900 in bitcoin.…

  • Organizing Video Clips for an Online Course

     I’ve signed on to do a Coursera online course on cloud security. I’ll share more details as production progresses. This post contains a few notes on organizing video clips for a large project. The video almost always consists of two synchronized streams: one of my bearded face narrating the video and the other of animated images,…

  • How to Trace an Email Message

    There is no way to verify an email’s contents except through cryptography. Until every email client includes encryption and reliable authentication, we should always doubt an email’s source. We can increase our confidence in an email a little, though, by tracing its path through the mail system. I use this technique more-or-less daily to look…

  • HR and Phishing

    I receive thousands of emails every month. I do a lot of (for me) critical activities online. I never receive legitimate emails demanding a suspicious online action any more. Except from HR departments. IT security people know this is a problem. The upper left image comes from the University of Minnesota’s phishing awareness blog. HR people…

  • The Six Types of Cyber-Risks

    My textbook lists categories of cyber-attacks that focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Since the categories really reflect the attack’s impact on the target, they really represent risks. Here are the categories I use right now: Denial of service – Pillage – Subversion Masquerade – Forgery – Disclosure This is a…

  • Quantum Skepticism

    Quantum computing gives us a way in theory to quickly crack certain types of cryptography. Well-funded startups are working on prototype quantum circuits, as are big guns like Intel, Microsoft, and IBM. Success could render a lot of today’s encryption obsolete. In theory. Academic and industrial research labs have built basic quantum circuits. If Moore’s…

  • Two Longs and a Short

    By Dick Pence This story appeared in The Washington Post in 1991, shortly after a computer glitch caused a “long-distance blackout” on the East Coast. Those big phone outages of the past couple of weeks have had me feeling a bit guilty over what’s been happening. You see, I remember exactly how all this started.…

  • The Big Bug in the News: the WPA2 flaw

    The big news this week is a protocol flaw in the Wireless Protected Access protocol, version 2 (WPA2). The Ars Technica article covers the details pretty well. This is what every Wi-Fi wireless router on the planet uses these days. The problem does not directly damage your system, but it can uncover data you had intended…

  • Comparing Leaks: Trump vs. Hillary

    As I said in an earlier post, no crime is committed if the appropriate official leaks sensitive classified information. This applies to both Secretary Clinton’s email server and President Trump’s unfortunate meeting with Russian diplomats. Both carried the authority to disclose what they disclosed. One question remains: what damage might have ensued from each leak? I would argue…

  • Tiptoeing Through Vulnerabilities

    I sympathize with developers who throw up their hands and say, “I don’t do security stuff.” No matter what you choose, there’s a trade off that could go wrong. It’s especially troublesome if one deploys a “security website.” I’ve deployed security education websites in many environments over the past 20 years, and I rarely achieve…

  • Cryptosmith Video Series

    I have posted the fifteenth video in the Cryptosmith Series on practical basic cryptography. These videos use animation to explain basic crypto techniques. More people need to understand crypto technology. We all rely more and more on mobile and Internet security mechanisms. Aside from protecting online commerce and financial activities, many professionals are realizing that their daily activities require…

  • How DVD Crypto Keys Work

    Here are a couple of short videos that describe the basic cryptographic mechanisms used in DVDs. These don’t quite fit into my Cryptosmith series, at least, not right now. They’re short and interesting, so I went ahead and posted them.

  • Cryptosmith Video Series

    The Cryptosmith video series uses animation to explain well-known crypto techniques. This should help more people understand crypto technology. This is particularly important as people rely more and more on mobile and Internet security mechanisms. Aside from protecting online commerce and financial activities, many professionals are realizing that their daily activities require strong protection. [UPDATE:…