
bwiese : crypto   183

Extracting BitLocker keys from a TPM
By default, Microsoft BitLocker protected OS drives can be accessed by sniffing the LPC bus, retrieving the volume master key when it’s returned by the TPM, and using the retrieved VMK to decrypt the protected drive. This post will look at extracting the clear-text key from a TPM chip by sniffing the LPC bus, either with a logic analyzer or a cheap FPGA board. This post demonstrates the attack against an HP laptop logic board using a TPM1.2 chip and a Surface Pro 3 using a TPM2.0 chip. From bus wiring through to volume decryption. Source code included.

TLDR: You can sniff BitLocker keys in the default config, from either a TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code, or with a sufficiently fancy logic analyzer. After sniffing, you can decrypt the drive. Don’t want to be vulnerable to this? Enable additional pre-boot authentication.
bitlocker  security  tpm  encryption  crypto 
march 2019 by bwiese
Duplicati works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon Cloud Drive & S3, Google Drive, Mega, hubiC and many others.
backup  software  windows  tools  linux  crypto  encryption 
december 2018 by bwiese
Warning: Encrypted WPA2 Wi-Fi Networks Are Still Vulnerable to Snooping
It’s quite easy for someone to monitor this encrypted traffic. All they need is:

The passphrase: Everyone with permission to connect to the Wi-Fi network will have this.
The association traffic for a new client: If someone is capturing the packets sent between the router and a device when it connects, they have everything they need to decrypt the traffic (assuming they also have the passphrase, of course). It’s also trivial to get this traffic via “deauth” attacks that forcibly disconnect a device from a Wi-Fi network and force it to reconnect, causing the association process to happen again.
Really, we can’t stress how simple this is. Wireshark has a built-in option to automatically decrypt WPA2-PSK traffic as long as you have the pre-shared key and have captured the traffic for the association process.
wpa2  cybersecurity  crypto 
december 2018 by bwiese
Decrypt WPA2-PSK using Wireshark | mrn-cciew
Now you have to go to “Edit -> Preferences -> Protocol -> IEEE 802.11” and tick the “Enable Decryption” checkbox. Then click Edit in the “Decryption Keys” section and add your PSK by clicking “New”. You have to select Key-type as “wpa-pwd” when you enter the PSK in plaintext.

If you enter the 256-bit encrypted key then you have to select Key-type as “wpa-psk”. If you want to get the 256-bit key (PSK) from your passphrase, you can use this page. It uses the following formula to do this conversion
wireshark  cybersecurity  wpa2  crypto 
december 2018 by bwiese
Open Sourcing JA3 – Salesforce Engineering
A JA3 hash represents the fingerprint of an SSL/TLS client application as detected via a network sensor or device, such as Bro or Suricata. This allows for simple and effective detection of client applications such as Chrome running on OSX (JA3=94c485bca29d5392be53f2b8cf7f4304) or the Dyre malware family running on Windows (JA3=b386946a5a44d1ddcc843bc75336dfce) or Metasploit’s Meterpreter running on Linux (JA3=5d65ea3fb1d4aa7d826733d2f2cbbb1d). JA3 allows us to detect these applications, malware families, and pen testing tools, regardless of their destination, Command and Control (C2) IPs, or SSL certificates.

JA3 gathers the decimal values of the bytes for the following fields: SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. It then concatenates those values together in order, using a “,” to delimit each field and a “-” to delimit each value in each field.

The field order is as follows:
ja3  cybersecurity  tls  crypto  threathunting  cyberthreatintel  netflow  bro  suricata 
december 2018 by bwiese
I'm giving up on PGP
Mostly I'll use Signal or WhatsApp, which offer vastly better endpoint security on iOS, ephemerality, and smoother key rotation.

If you need to securely contact me, your best bet is to DM me asking for my Signal number. If needed we can decide an appropriate way to compare fingerprints.

If we meet in person and need to set up a secure channel, we will just exchange a secret passphrase to use with what's most appropriate: OTR, Pond, Ricochet.

If it turns out we really need PGP, we will set up some ad-hoc keys, more à-la-Operational PGP. Same for any signed releases or canaries I might maintain in the future.

To exchange files, we will negotiate Magic Wormhole, OnionShare, or ad-hoc PGP keys over the secure channel we already have. The point is not to avoid the gpg tool, but the PGP key management model.

If you really need to cold-contact me, I might maintain a Keybase key, but no promises. I like rooting trust in your social profiles better since it makes key rotation much more natural, and is probably how most people know me anyway.

I'm also not dropping YubiKeys. I'm very happy about my new YubiKey 4 with touch-to-operate, which I use for SSH keys, password storage and machine bootstrap. But these things are 100% under my control.
yubikey  pgp  crypto  privacy  whatsapp  signal 
december 2018 by bwiese
CERT - Self-Encrypting Drives Have Multiple Vulnerabilities

Crucial (Micron) MX100, MX200 and MX300 drives
Samsung T3 and T5 portable drives
Samsung 840 EVO and 850 EVO drives (In "ATA high" mode these devices are vulnerable; in "TCG" or "ATA max" mode they are NOT vulnerable.)
cybersecurity  ssd  harddrive  crypto 
november 2018 by bwiese
How to Hack WiFi Password Easily Using New Attack On WPA/WPA2
developer of the popular password-cracking tool Hashcat, Jens 'Atom' Steube, the new WiFi hack works explicitly against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

it is performed on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point
The attack to compromise the WPA/WPA2 enabled WiFi networks was accidentally discovered by Steube while he was analyzing the newly-launched WPA3 security standard
wpa2  cybersecurity  wifi  crypto  exploit 
august 2018 by bwiese
New PGP Encryption Exploits Are Being Discovered Almost Every Other Day
Gizmodo was alerted to flaws discovered as recently as Wednesday that currently impact multiple PGP implementations, including Enigmail (Thunderbird) and GPGTools (Apple Mail)—the technical details of which are withheld here while the appropriate developers are contacted and given time to address them.

“It wasn’t a case of having to write software to do this. You could literally just cut and paste what they said in the paper and use it. The video of how easy it was to use, that was the thing that clinched it for me—sitting and watching a video of someone just clicking a few buttons and being able to exfiltrate data.”

“It’s sometimes better to [temporarily] disable encryption (or decrypt in the terminal) than to have your whole past communication at stake.”
pgp  gpg  cybersecurity  crypto  encryption  efail  vulnerability 
june 2018 by bwiese
Bad RSA Library Leaves Millions of Keys Vulnerable | Hackaday
So, erm… good news everyone! A vulnerability has been found in a software library responsible for generating RSA key pairs used in hardware chips manufactured by Infineon Technologies AG. The vulnerability, dubbed ROCA, allows for an attacker, via a Coppersmith’s attack, to compute the private key starting with nothing more than the public key, which pretty much defeats the purpose of asymmetric encryption altogether.

Affected hardware includes cryptographic smart cards, security tokens, and other secure hardware chips produced by Infineon Technologies AG. The library with the vulnerability is also integrated in authentication, signature, and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. Major vendors including Microsoft, Google, HP, Lenovo, and Fujitsu already released software updates and guidelines for mitigation.

The following key length ranges are now considered practically factorizable (time complexity between hours to 1000 CPU years at maximum): 512 to 704 bits, 992 to 1216 bits and 1984 to 2144 bits. Note that 4096-bit RSA key is not practically factorizable now, but may become so, if the attack is improved.

The time complexity and cost for the selected key lengths (Intel E5-2650 v3@3GHz Q2/2014):

512 bit RSA keys – 2 CPU hours (the cost of $0.06);
1024 bit RSA keys – 97 CPU days (the cost of $40-$80);
2048 bit RSA keys – 140.8 CPU years, (the cost of $20,000 – $40,000).
encryption  pki  tpm  cybersecurity  vulnerability  crypto  keylength  rsa  hack 
june 2018 by bwiese
It has been a bad week for encrypted messaging and it’s only Wednesday | Ars Technica
Monday brought word of decade-old flaws that might reveal the contents of PGP- and S/MIME-encrypted emails. Some of the worst flaws resided in email clients such as Thunderbird and Apple Mail, and they offer a golden opportunity to attackers who have already intercepted previously sent messages. By embedding the intercepted ciphertext in invisible parts of a new message sent to a sender or receiver of the original email, attackers can force the client to leak the corresponding plaintext. Thunderbird and Mail have yet to be patched, although the Thunderbird flaw has been mitigated by an update published Wednesday in the Enigmail GPG plugin.
cybersecurity  encryption  pgp  signal  email  javascript  crypto 
may 2018 by bwiese
New Discovery Around Juniper Backdoor Raises More Questions About the Company | WIRED
This malicious code was particularly concerning because one of the backdoors, which had gone undetected in the software since 2012, could be exploited for the purposes of decrypting protected data passing through the VPN, or virtual private network, in Juniper NetScreen firewalls.

But since that revelation, Juniper—whose customers include AT&T, Verizon, NATO and the US government—has refused to answer any questions about the backdoor, leaving everyone in the dark about a number of things. Most importantly, Juniper hasn't explained why it included an encryption algorithm in its NetScreen software that made the unauthorized party's backdoor possible. The algorithm in question is a pseudo-random number generator known as Dual_EC, which the security community had long warned was insecure and could be exploited for use as a backdoor. Whoever created the backdoor in Juniper's software did exactly this, hijacking the insecure Dual_EC algorithm to make their secret portal work.
backdoor  router  vpn  routers  juniper  nsa  crypto  cybersecurity 
may 2018 by bwiese
Juniper's VPN backdoor: buggy code with a dose of shady NSA crypto | PCWorld
According to further analysis by Ralf-Philipp Weinmann, founder and CEO of German security consultancy firm Comsecuris, that parameter turned out to be Q, one of two constants -- P and Q -- that are used by the Dual_EC random number generator (RNG).

Dual_EC was standardized by the U.S. National Institute of Standards and Technology (NIST) in 2007 after being championed by the U.S. National Security Agency, which played an important role in its development. Shortly after, Dan Shumow and Niels Ferguson, two researchers from Microsoft, disclosed a major weakness in the standard that could serve as a backdoor.

"Omitting the mathematics, the short version is that Dual EC relies on a special 32-byte constant called Q, which -- if generated by a malicious attacker -- can allow said attacker to predict future outputs of the RNG after seeing a mere 30 bytes of raw output from your generator," said Matthew Green, a cryptographer and assistant professor at Johns Hopkins University, in a blog post Tuesday.
vpn  juniper  routers  backdoor  cybersecurity  nsa  crypto 
may 2018 by bwiese
RSA Compromise: Impacts on SecurID | Secureworks
On March 17, 2011, RSA announced [1] that a cyberattack on its systems was successful and resulted in the compromise and disclosure of information "specifically related to RSA's SecurID two-factor authentication products". While the full extent of the breach remains publicly undisclosed, RSA states that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

However, seed secrecy is critical. An exposure of the seed to a third party may allow duplication of tokencodes, and by extension allow the guessing of PINs and one-time passwords.
rsa  secureid  compromise  2011  crypto 
may 2018 by bwiese
How much did NSA pay to put a backdoor in RSA crypto? Try $10m – report • The Register
Reuters reports that RSA received $10m from the NSA in exchange for making the agency-backed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) its preferred random number algorithm.

If that figure sounds small, that's because it is. Tech giant EMC acquired RSA for $2.1bn in 2006 – around the same time as the backroom NSA deal – so it seems odd that RSA would kowtow to the g-men so cheaply.
nsa  rsa  crypto  cybersecurity  backdoor  ecc 
april 2018 by bwiese
ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying • The Register
Ashur's pushback was supported by other delegations from Germany, Japan and Israel. The Israeli delegate – whose expertise was also attacked – Orr Dunkelman, told Reuters last year that he didn't trust the US designers. "There are quite a lot of people in NSA who think their job is to subvert standards," he noted. "My job is to secure standards."
crypto  cybersecurity  iso  nsa  iot 
april 2018 by bwiese
Security vs. visibility: Why TLS 1.3 has data center admins worried | CSO Online
draft of the 1.3 version of the protocol with increasing alarm. One of the key exchange mechanisms bounced from the draft standard, static RSA, is a crucial tool for admins who want to monitor and troubleshoot data traffic within a company's network. "I think there may be enterprises that don’t realize that this is going to hit them," says Nalini Elkins, President of the Enterprise Data Center Operators (EDCO) consortium. "They’re going to upgrade and things are going to go blind. They’re going to have outages that they can’t fix and security tools that go dark."

"In today’s environment, the traffic coming in through the internet is encrypted, and it’s been NAT'd by the content delivery network so we have no way to even find a failing session. We need to get a user name, the URL where he's trying to go, and the time that the failure happened. And we can see that in a packet if we can decrypt it. But if we can’t decrypt the packet, we’re completely blind for troubleshooting."

take place out-of-band — that is, the packets can be decrypted and inspected by tools that aren't in the main flow of network traffic
tls  rsa  cybersecurity  crypto 
april 2018 by bwiese
Size SSH key - Cisco Support Community
> show crypto key mypubkey rsa # test and compare lines of key data
configure trustpoint with self-signed cert
> show crypto pki certificates verbose
putty - check event log for connection
ssh  cisco  crypto  techsupport 
march 2018 by bwiese
Next Generation Encryption - Cisco
(April 2012, Last updated: October 2015)
Operation: Recommended minimum security algorithms
Encryption: AES-128-CBC mode
Authentication: RSA-3072, DSA-3072 (or ECDSA-256)
Integrity: SHA-256
Key exchange: DH Group 15 (3072-bit)
cisco  crypto  cybersecurity  advice 
march 2018 by bwiese
An overview of TLS 1.3 and Q&A
So, we have a way to do 1-RTT connections in 1.2 if the client has connected before, which is very common. Then what does 1.3 gain us? When resumption is available, 1.3 allows us to do 0-RTT connections, again saving one round trip and ending up with no round trip at all.

If you have connected to a 1.3 server before you can immediately start sending encrypted data, like an HTTP request, without any round-trip at all, making TLS essentially zero overhead.
tls  crypto  cybersecurity 
february 2018 by bwiese
KRACK Attacks: Breaking WPA2
Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK):

the properties that were proven in formal analysis of the 4-way handshake remain true. However, the problem is that the proofs do not model key installation. Put differently, the formal models did not define when a negotiated key should be installed. In practice, this means the same key can be installed multiple times, thereby resetting nonces and replay counters used by the encryption protocol (e.g. by WPA-TKIP or AES-CCMP).
wpa2  wifi  cybersecurity  attack  krack  crack  crypto  protocols 
january 2018 by bwiese
State-Associated Hackers Target Me - Here's What To Do When They Come After You - Active Response
Obvious advice: be a defensive target
MFA, reset passwords, set alert notifications/monitoring, check email for fwd rules, check acct logs, rebuild computers/phones, encrypted comms and encrypted data at rest
cybersecurity  defense  mfa  crypto 
january 2018 by bwiese
Detecting Encrypted Malware Traffic (Without Decryption)
As an overview, Figure 1 provides a simplified view of a TLS session. In TLS 1.2 [4], the majority of the interesting TLS handshake messages are unencrypted, and are displayed in red in Figure 1. All of the TLS-specific information that we use for classification comes from the ClientHello, which will also be accessible in TLS 1.3 [7].
cisco  machinelearning  tls  cybersecurity  analytics  crypto  scikit  python 
december 2017 by bwiese
Weak Diffie-Hellman and the Logjam Attack
Logjam attack against the TLS protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.
Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
22nd ACM Conference on Computer and Communications Security (CCS ’15), Denver, CO, October 2015
Best Paper Award Winner

We have also created a Guide to Deploying Diffie-Hellman for TLS, and several Proof of Concept Demos.
ssl  tls  crypto  cybersecurity 
november 2017 by bwiese
Millions of high-security crypto keys crippled by newly discovered flaw | Ars Technica
The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli, which will be presented on November 2 at the ACM Conference on Computer and Communications Security. The vulnerability was discovered by Slovak and Czech researchers from Masaryk University in the Czech Republic, Enigma Bridge in Cambridge, UK, and Ca' Foscari University in Italy. To give people time to change keys, the paper describing the factorization method isn't being published until it's presented at the conference.

The flaw resides in the Infineon-developed RSA Library version v1.02.013, specifically within an algorithm it implements for RSA primes generation. The library allows people to generate keys with smartcards rather than with general-purpose computers, which are easier to infect with malware and hence aren't suitable for high-security uses. The library runs on hardware Infineon sells to a wide range of manufacturers using Infineon smartcard chips and TPMs. The manufacturers, in turn, sell the wares to other device makers or end users. The flaw affects only RSA encryption keys, and then only when they were generated on a smartcard or other embedded device that uses the Infineon library.

Factorizing a 2048-bit RSA key generated with the faulty Infineon library, by contrast, takes a maximum of 100 years, and on average only half that. Keys with 1024 bits take a maximum of only three months.

Both the flawed Infineon library and the Taiwanese digital ID system passed the FIPS 140-2 Level 2 and the Common Criteria standards. Both certifications are managed by the National Institute of Standards and Technology. Both certifications are often mandatory for certain uses inside government agencies, contractors, and others.
cybersecurity  tpm  rsa  crypto 
october 2017 by bwiese
How My Mom Got Hacked -
Use the CryptoWall message interface to tell the criminals exactly what happened. Be honest, in other words.

So she did. She explained that the virus had struck the same week that a major snowstorm hit Massachusetts and the Thanksgiving holiday shut down the banks. She told them about the unexpected Bitcoin shortfall and about dispatching her daughter to the Coin Cafe A.T.M. at the 11th hour. She swore she had really, really tried not to miss their deadline. And then a weird thing happened: Her decryption key arrived.

When I shared the news with Mr. Hoats, he was jubilant. “That is great news, truly!” he wrote. “Whoever these yahoos are, they have some little shred of humanity.”

But Mr. Wisniewski had a more pragmatic take. “From what we can tell, they almost always honor what they say because they want word to get around that they’re trustworthy criminals who’ll give you your files back.”

Welcome to the new ransomware economy, where hackers have a reputation to consider.
bitcoin  russia  crypto  ransom  ransomware 
january 2015 by bwiese
Here's a Good Reason to Encrypt Your Data | Threat Level |
Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, stressed that the decision was important, and not because it might hinder a kiddie-porn prosecution.

“This isn’t just about child porn. It’s about anything on your computer that prosecutors or government officials may want,” he said in a telephone interview.

Federal prosecutors did not immediately respond for comment, but said in court papers they have spent months trying to decrypt the data.
supremecourt  court  crypto  encryption  legal  law  5A  constitution  privacy 
june 2013 by bwiese
Schneier on Security: Breaking Hard-Disk Encryption
The newly announced ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt. And it's only $300

Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off.

t AccessData doing the same thing in 2007: And PRTK breaks more than 50 percent of passwords from this dictionary alone.
crypto  truecrypt  pgp  bitlocker  security  schneier  passwords  forensics 
january 2013 by bwiese
Schneier on Security: Information-Age Law Enforcement Techniques
Point 280: International members of the guerrilla group Revolutionary Armed Forces of Colombia (FARC) communicated with their counterparts by hiding messages inside images with steganography and sending the emails disguised as spam, deleting the Internet browsing cache afterwards to make sure that the authorities would not get hold of the data. Spanish and Colombian authorities cooperated to break the encryption keys and successfully deciphered the messages.

Point 198: It explains how an investigator can circumvent TrueCrypt's plausible deniability feature (hidden container), advising computer forensics investigators to check during the analysis whether any volume of data is missing.
truecrypt  security  schneier  crypto 
january 2013 by bwiese
OpenSSH Public Key Authentication (PKA)
server$ chmod 700 ~/.ssh
server$ chmod 600 ~/.ssh/authorized_keys
cp /etc/ssh/ssh_config ~/.ssh/config
ssh  howto  techsupport  reference  crypto 
july 2011 by bwiese
Using 7z for strong encryption in ZIP files
supports AES256: $ 7z a -tzip '-pyour passphrase here' -mem=AES256 list-of-archive-contents
software  windows  linux  crypto  friends  howto 
september 2010 by bwiese
Numbers Stations
good old shortwave is often the best option for getting messages to spies in the field.

“Because [a message] can be broadcast over such an enormous area, you can be transmitting to an agent who may be thousands of miles away,” he says. And, he adds, computer communications almost always leave traces.
spy  radio  ham  wireless  history  crypto  security 
july 2010 by bwiese
Open Memory Forensics Workshop | OMFW
some slides and presentations on memory forensics
forensics  toread  pdf  security  crypto  ram 
august 2008 by bwiese
free on the fly disk/virtual drive encryption software - 2 factor authentication and plugins
crypto  linux  windows  software  foss  todo 
july 2008 by bwiese
CryptoBox server source installation - howto
steps after installing cryptobox server package on debian
debian  security  server  howto  crypto 
may 2008 by bwiese