truecrypt (and good passwords) 1, fbi 0

Daniel Dantas did...

Looks like open source disk encryption software TrueCrypt has shown its mettle in a cybercrime case out of Brazil.   The Brazilian police seized 500 TrueCrypt protected drives from the apartment of Daniel Dantas, a Rio banker accused of financial crimes.  In Brazil, there is no law compelling defendants to reveal passwords to encrypted evidence, so the Brazilian crime lab attempted to break the encryption for five months with no success.  They then turned to the US FBI, who ran dictionary attacks against the encryption for another year.  No joy.  As a result of the banker’s good password practices, the 500 drives with potential evidence were reduced to really ugly paperweights.

While this was a loss for the good guys, it does provide security professionals with some valuable information.  First, choosing a strong (long non dictionary word with special characters, numbers and the like) password is still an integral part of good basic meat and potatos security practice.  Second, if the FBI is unable to crack a TrueCrypt protected drive without the user having chosen a boneheaded password, it seems like the program  is a good and cost effective choice for protecting personal data as well as in small business environments.  The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepeneurial crypto programmer.

truecrypt (and good passwords) 1, fbi 0

babies – can’t trust them

Got my nose? Well give it back, punk!

Anyone who knows me knows that I am not a “kid person.”  To me, all babies (except for YOURS, of course) look like the offspring of Winston Churchill and a lizard.  And they all (except YOURS) seem to emit a plethora of unpleasant sounds, odors, and substances.  My wife reminds me every once in a while, that I, too entered the world as a baby, but I am becoming more and more convinced of the impossibility of this.

Well, it seems that my antipathy towards babies has been vindicated, folks – it turns out that today’s babies could grow up to be next generation of terrorists!  According to Rep. Louie Gohmert (R, TX), those wily terrorists have been sending women to the US in order to have babies, which are then whisked back to Al Qaeda run Gymborees (complete with US citizenship) where they would be trained to wreak terroristic havoc on their (legal) return to the US in oh, 20 years and destroy our way of life.  I knew it!  I’m glad that there are courageous Americans like Rep. Gohmert who understand where the real threat to our nation lies – in cribs!

babies – can’t trust them

slicing the salami in the 21st century

Lotsa slices = a big salamiAccording to an interesting story at Wired’s Danger Room blog, the FTC has filed a lawsuit against a number of “John Doe” defendants who stole more than $10 million dollars from 1.3 million credit card holders since 2006.  Using a variety of shell companies and money mules recruited via online advertising for work at home jobs, the unidentified defendants made small (20 cents to 10 dollar) charges to victims’ credit cards.  Each card was charged only once, but at 1.3 million cards, we’re talking some serious coin here.  In addition to being evil, this scheme was pretty smart – since the charges were so small, most people (90% in this case) never bothered to dispute them – after all, how much time are you willing to spend disputing a charge for a couple of bucks?   While the FTC has identified some of the mules, the ringleaders remain unknown. 

In the old days, this type of scam was called “salami slicing” – stealing just a little bit (one slice of salami) from a lot of people adds up to a big salami.   Mmmmmm…. salami…. 

This is a really hard type of fraud to fight… since so few of the charges were contested, it took 4 years for and credit card issuers and feds to find a pattern.  In the mean time, all of the victims suffered very small losses.  The ringleaders got their millions and are still on the lam (eating salami and caviar sandwiches, I assume).

slicing the salami in the 21st century

public enemy #1 – the sun?

Wanted - for destruction of society as we know it?

The subtitle of this blog promises reading to keep you up at night… so, here goes…  aside from creating hot weather and giving us skin cancer, our Sun threatens our technological society in yet another, even scarier way.  Solar activity can have a real effect on the Earth’s magnetic field, which in turn, can wreak havoc with such technological niceties such as GPS, radio communications, transpolar air travel and, the electrical grid which makes our way of life possible.

And depending on whom you ask, the Sun may be preparing to get pissed… or maybe not… but if it is, we could all be affected.  Read on if you dare…

Continue reading “public enemy #1 – the sun?”

public enemy #1 – the sun?

what happens in vegas gets blogged in vegas

End of July?  Vegas?   Security folk and shady folk in one place?   Stifling heat?  You know I’m there… (If anyone points out that “it’s a dry heat” I reserve the right to throw something heavy and possibly explosive).

I’m planning a Vegas double header this July, attending both Security B-Sides and DefCon.  I’m planning to blog/tweet during the festivities and would love to meet up with any of my readers… dm me (@alberg) when you are there… and if you are not planning to attend, consider it – both of these events are great places to learn security-fu, meet your peers (as well as many people whom you would not typically meet up with), and for the corporate types amongst us (myself included), they are very cost effective uses of your training budget dollars.

Nickel slot machines, here I come!

what happens in vegas gets blogged in vegas

porn, economics, and security (but mostly porn)

As we all know, the Internet is a series of tubes invented by Al Gore to allow us to exchange cute cat pictures and pornography. This past week, a paper presented at the Ninth Workshop on the Economics of Information Security provided some really interesting insight into both the economics of the Internet pornography industry and more importantly, how those economics translate into security considerations.

The research in question was conducted by a team of researchers from the Technical University of Vienna, Institute Eurecom, and UC Santa Barbara.  A brief digression here… if I had been informed that conducting studies of Internet porn was an option, I definitely would have finished college and gone into academia.  We should let kids know about this so that they stay in school!

Continue reading “porn, economics, and security (but mostly porn)”

porn, economics, and security (but mostly porn)

iFail – Apple drops the security ball – again

Apple, you're killing me!

If you ask people in my office what they hate about me, one of the items that is sure to show up on quite a few (long and varied) lists is my stubborn refusal to clear iPhones and iPads as corporate devices.   Well, my stubborness has been vindicated twice over…

First a security researcher found that connecting a stock iPhone 3GS to a system running Ubuntu Linux provides access to get read and write access to much of the content on the phone without having to enter the 4 digit phone PIN.

Now, Apple, in claiming that its flagship product is enterprise ready, tells us that iPhone3GS offers hardware-based- encryption and uses AES 256 bit encoding to try to protect all data on the device. Encryption is always enabled and cannot be disabled by users.   I guess that the Apple version of AES just happens to replave every character with the same exact character…

This morning, the situation developed further… further research by Heise Security in Germany showed that it was possible to gain complete access to all data some iPhone 3Gs and 3GSes by connecting to them from a Windows system.  The trick does not work every time on every phone, and it is still unclear what the exact conditions are which case the vulnerability to manifest itself.  When it does work, this vuln allows the attacker to create an iTunes backup of all of the information on the device.  Not good.

Continue reading “iFail – Apple drops the security ball – again”

iFail – Apple drops the security ball – again