Jeffrey Walton | 17 Dec 21:41 2014

Misuses/abuses of Sony's compromised root certificate?

Has anyone come across any reports of abuse due to Sony's compromised
root? I believe its named "Sony Corp. CA 2 Root"?

I did not find it in the Windows 8.1 certificate store. Are any of the
browsers carrying it around?
ianG | 15 Dec 20:18 2014

OneRNG kickstarter project looking for donations

About this project

After Edward Snowden's recent revelations about how compromised our 
internet security has become some people have worried about whether the 
hardware we're using is compromised - is it? We honestly don't know, but 
like a lot of people we're worried about our privacy and security.

What we do know is that the NSA has corrupted some of the random number 
generators in the OpenSSL software we all use to access the internet, 
and has paid some large crypto vendors millions of dollars to make their 
software less secure. Some people say that they also intercept hardware 
during shipping to install spyware.

We believe it's time we took back ownership of the hardware we use day 
to day. This project is one small attempt to do that - OneRNG is an 
entropy generator, it makes long strings of random bits from two 
independent noise sources that can be used to seed your operating 
system's random number generator. This information is then used to 
create the secret keys you use when you access web sites, or use 
cryptography systems like SSH and PGP.

Openness is important, we're open sourcing our hardware design and our 
firmware, our board is even designed with a removable RF noise shield (a 
'tin foil hat') so that you can check to make sure that the circuits 
that are inside are exactly the same as the circuits we build and sell. 
In order to make sure that our boards cannot be compromised during 
shipping we make sure that the internal firmware load is signed and 
cannot be spoofed.
(Continue reading)

John Young | 13 Dec 03:01 2014

Keith Alexander's IronNet Cybersecurity Comsec

Recognize former (and current?) NSA officials, among 30, working for
Keith Alexander's IronNet Cybersecurity, Inc.
cryptography mailing list
John Young | 6 Dec 22:39 2014

Forgetting the Lesson of Cypherpunk History: Cryptography Is Underhanded

Bill Blunden, "Forgetting the Lesson of Cypherpunk History: 
Cryptography Is Underhanded," Truthout, December 6, 2014.
ianG | 5 Dec 17:14 2014

cost-watch - the cost of the Target breach

I often point out that our security model thinking is typically informed 
by "stopping all breaches" rather than "doing less damage."  Here's some 
indication of damage.

The ruling is one of the first court decisions to clarify the legal 
confusion between retailers and banks in data breaches. In the past, 
banks were often left with the financial burden of a hacking and were 
responsible for replacing stolen cards. The cost of replacing stolen 
cards from Target’s breach alone is roughly $400 million — and the 
Secret Service has estimated that some 1,000 American merchants may have 
suffered from similar attacks.

The Target ruling makes clear that banks have a right to go after 
merchants if they can provide evidence that the merchant may have been 
negligent in securing its systems.

At the time of its breach last year, Target had installed a $1.6 million 
advanced breach detection technology from the company FireEye.

But according to several people briefed on its internal investigation 
who spoke on the condition of anonymity, the technology sounded alarms 
that Target did not heed until hackers had already made off with credit 
and debit card information for 40 million customers and personal 
information for 110 million customers.
John Young | 4 Dec 14:24 2014

NSA OPULANT PUP A5/3 Crypt Attack

NSA OPULANT PUP A5/3 Crypt Attack released by The Intercept 3Dec2014

Along with 62 pages on NSA AURORA GOLD et all (26.8MB)
ianG | 1 Dec 14:46 2014

"completely unexpected" drop in Cisco's foreign revenues

Cisco’s disastrous quarter shows how NSA spying could freeze US 
companies out of a trillion-dollar opportunity
Bellwether Cisco indicates American tech companies are no longer welcome 
in Russia and other emerging markets.(AP Photo/Lee Jin-man)

Written by
Christopher Mims <at> mims
November 14, 2013

Cisco announced two important things in today’s earnings report: The 
first is that the company is aggressively moving into the Internet of 
Things—the effort to connect just about every object on earth to the 
internet—by rolling out new technologies. The second is that Cisco has 
seen a huge drop-off in demand for its hardware in emerging markets, 
which the company blames on fears about the NSA using American hardware 
to spy on the rest of the world.

Cisco chief executive John Chambers said on the company’s earnings call 
that he believes other American technology companies will be similarly 
affected. Cisco saw orders in Brazil drop 25% and Russia drop 30%. Both 
Brazil and Russia have expressed official outrage over NSA spying and 
have announced plans to curb the NSA’s reach.

Analysts had expected Cisco’s business in emerging markets to increase 
6%, but instead it dropped 12%, sending shares of Cisco plunging 10% in 
after-hours trading.

This completely unexpected turn, which Chambers said was the fastest 
swing he had ever seen in emerging markets, comes just as Cisco is 
trying to establish itself as a bedrock technology provider for of the 
internet of things, which industry analysis firm IDC says will be an 
$8.9 trillion market by 2020. This quarter Cisco unveiled the nPower 
chip, a super-fast processor designed to funnel the enormous volumes of 
data that the internet of things will generate. Cisco also announced the 
Network Convergence System, a handful of routers that will use the 
nPower chip.

Arguably, the current shift in the underlying infrastructure of the 
internet makes Cisco and other American companies uniquely vulnerable. 
The move to cloud services, streaming video and machine to machine 
communication (i.e., the internet of things) means new standards and new 
default hardware providers are taking root, and if NSA spying keeps 
American companies from dominating the market at an early stage, it 
could mean that in the long run they’ll simply be locked out of these 
markets while competitors like Huawei and ZTE reap the benefits.
John Young | 30 Nov 22:07 2014

Encryption Experts and Snake Oilers Quacking Like Governments

Capitalizing on the comsec frenzy, several sites, probably many,
are offering to encrypt for those who do not want install programs
or find them too difficult to use. All appear to promise that no
records, private and public keys, email addresses or content
will be kept. Trust them.

For example, here's one used to send encrypted messages:

This approach suggests that the renewed crypto wars have again
bred a new round of opportunities to beguile those who yearn for
comsec but do not know how to get it, nor how to evaluate the
offerings, in particular those provided by US producers which they
doubt are free of government manipulation. But they also doubt that
any cryptosystem is free of that, thanks to the NSA revelations of
global cooperation among nations to do what NSA does, and the
failure of crypto experts and firms to fully disclose their aid to
governments, before and after Snowden's revelations.

So the downside of Snowden's revelations is that there is considerable
suspicion that all crypto is compromised, and, worse, that snake oil
is not really different from the good stuff for the ordinary user who lacks
the technical skills to distinguish them. And that comsec experts are
in league with authorities to dupe the public by excessive warning
of snake oil to peddle their own offerings, that is, experts and
snake oilers are doing what governments do.

Trust Snowden, trust experts, trust governments, but distrust
snake oil. Wait, users say, how can we tell the difference when
they all quack like ducks.
John Young | 28 Nov 14:25 2014

What Is Good Encryption Software?

Reader asks: What Is Good Encryption Software?

I have contacted you asking about certain security questions.
After reading a few of the Snowden leaked documents, I have
started to be more aware of my privacy being at risk. I have a
few questions concerning certain programs and safety tips.

First, I've recently started to doubt about my encryption software.
Is Symantec's "PGP Endpoint" a good hard drive encryption software?

In other words, is it trustworthy since it is an American company.
And if not, what encryption software is the best for Mac.

Second, is "ProtonMail" as secure as they say it is? If not, what
email provider doesen't let the NSA see into my account.

Third, is Jetico inc's "Bestcrypt Container Encryption" trustworthy?
If not, what could be an alternative.

Fourth, are these encryption types good? Blowfish, Gost & AES - 256bit.
And which encryption type remains the best above all?

Last, is Kaspersky a good anti-virus software? If not, which one is the
best for Mac.


Important, difficult questions, likely to produce a range of answers.
We will publish for answers.
ianG | 26 Nov 18:04 2014

Underhanded Crypto

The Underhanded Crypto contest was inspired by the famous Underhanded C 
Contest, which is a contest for producing C programs that look correct, 
yet are flawed in some subtle way that makes them behave 
inappropriately. This is a great model for demonstrating how hard code 
review is, and how easy it is to slip in a backdoor even when smart 
people are paying attention.

We’d like to do the same for cryptography. We want to see if you can 
design a cryptosystem that looks secure to experts, yet is backdoored or 
vulnerable in a subtle barely-noticable way. Can you design an encrypted 
chat protocol that looks secure to everyone who reviews it, but in 
reality lets anyone who knows some fixed key decrypt the messages?

We’re also interested in clever ways to weaken existing crypto programs. 
Can you make a change to the OpenSSL library that looks like you’re 
improving the random number generator, but actually breaks it and makes 
it produce predictable output?

If either of those things sound interesting, then this is the contest 
for you.