Skip navigation
Help

private key

warning: Creating default object from empty value in /var/www/vhosts/sayforward.com/subdomains/recorder/httpdocs/modules/taxonomy/taxonomy.pages.inc on line 33.
Original author: 
Joshua Kopstein

Facebooksecurity1_2040_large_jpg

Demand for encryption apps has increased dramatically ever since the exposure of massive internet surveillance programs run by US and UK intelligence agencies. Now Facebook is reportedly moving to implement a strong, decades-old encryption technique that's been largely avoided by the online services that need it most.

Forward secrecy (sometimes called "perfect forward secrecy") is a way of encrypting internet traffic — the connection between a website and your browser — so that it's harder for a third party to intercept the pages being viewed, even if the server's key becomes compromised. It's been lauded by cryptography experts since its creation in the early 1990's, yet most "secure" online services like banks and webmail still...

Continue reading…

0
Your rating: None
Original author: 
Urbanist

[ By WebUrbanist in Gaming & Computing & Technology. ]

bitcoin digital physical designs

The crypto-currency Bitcoin is all over social media, blogs and news sites. But beyond the volatility, speculation and noise there is a fascinating question being asked and answered: from coins to wallets, how does the world’s first widespread digital currency manifest in visual or physical form(top image by cybrbeast)

bitcoin 3d currency variants

The Bitcoin logo is a rather simple affair, borrowing much from traditional currencies (a partial strike-through) and clearly, most of all, the United States dollar. For some, though, seeing is not enough – for emotional and practical reasons alike, many want a physical analogue to their virtual wealth.

bitcoin physical round design

That baseline design, however, has spawned not only 3D renderings approximating solid coins, but actual physical coins themselves for fans of hand-held collectibles. The Casascius series have solid brass, electroplated gold and pure silver variants that ‘contain’ real Bitcoins (an address with a private key hidden below a removable hologram). Like Gold Eagles, the value of these on the secondary market has consistently stayed above the ‘spot’ price for the currency they contain.

bitcoin paper currency notes

And it does not end there. For security purposes, many people prefer to keep copies (in some cases: their only copies) of their virtual Bitcoin ‘wallet’ in offline form. For better or worse, this translates computer-centric risks (hacking and data corruption) back into more familiar ones (physical theft or loss). Designers on that front  have come up with a number of interesting options, from plasticized and paper ‘notes’ to self-printed wallets. In the decentralized, open-source spirit of Bitcoin, many designers (like Doctor 75R) give these designs out freely as well.

bitcoin printable folding wallet

Canton Becker lists off the advantages of his variant, shown above: “(1)Private key is hidden behind folds, so your wallet content is still safe if left out in the open or photographed. (2) Tamper-proof tape indicates when you (or someone else!) has revealed the private key. (3) Folding design obfuscates private keys so they’re hidden even when holding wallet up to a bright light. (4)Reverse side has basic wallet operation instructions and a register for writing down deposits / balance. (5) Private and public keys are replicated (and rotated) in triplicate to maximize chances of recovering keys if paper is damaged / crumpled.”

bitcoin physical ring designs

There is even a movement toward making Bitcoin secret (de)coder rings – like gold or silver ones, they can be stolen, but they also allow you to wear and keep your wealth (literally) close at hand. By engraving the private key on the inside of the band, there is no way to see it unless you (or someone) takes it off.

bitcoin wallpaper digital designs

And, of course, anything with sufficient fans warrants making wallpapers – here are a series of six available at full size on Flickr.

Share on Facebook [ By WebUrbanist in Gaming & Computing & Technology. ]

[ WebUrbanist | Archives | Galleries | Privacy | TOS ]

    

0
Your rating: None

Aurich Lawson / Thinkstock

Encryption, the transformation of data into a form that prevents anyone unauthorized from understanding that data, is a fundamental technology that enables online commerce, secure communication, and the protection of confidential information.

Encryption algorithms are the mathematical formulae for performing these transformations. You provide an encryption algorithm with a key and the data you want to protect (the plaintext), and it produces an encrypted output (the ciphertext). To read the output, you need to feed the key and the ciphertext into a decryption algorithm (sometimes these are identical to encryption algorithms; other times they are closely related but different).

Encryption algorithms are designed so that performing the decryption process is unfeasibly hard without knowing the key.

Read 55 remaining paragraphs | Comments

0
Your rating: None

Aurich Lawson

My family has been on the Internet since 1998 or so, but I didn't really think much about Internet security at first. Oh sure, I made sure our eMachines desktop (and its 433Mhz Celeron CPU) was always running the latest Internet Explorer version and I tried not to use the same password for everything. But I didn't give much thought to where my Web traffic was going or what path it took from our computer to the Web server and back. I was dimly aware that e-mail, as one of my teachers put it, was in those days "about as private as sticking your head out the window and yelling." And I didn't do much with that knowledge.

That sort of attitude was dangerous then, and the increasing sophistication of readily available hacking tools makes it even more dangerous now.  Luckily, the state of Internet security has also gotten better—in this article, the first in a five-part series covering online security, we're going to talk a bit about keeping yourself (and your business) safe on the Web. Even if you know what lurks in the dark corners of the Internet, chances are you someone you know doesn't. So consider this guide and its follow-ups as a handy crash course for those unschooled in the nuances of online security. Security aficionados should check out later entries in the series for more advanced information

We'll begin today with some basic information about encryption on the Internet and how to use it to safeguard your personal information as you use the Web, before moving on to malware, mobile app security, and other topics in future entries. 

Read 21 remaining paragraphs | Comments

0
Your rating: None

Enlarge / A diagram of a side-channel attack on a virtual machine. Using a malicious VM running on the same hardware, scientists were able to recover a private encryption key.

Zhang et al.

Piercing a key defense found in cloud environments such as Amazon's EC2 service, scientists have devised a virtual machine that can extract private cryptographic keys stored on a separate virtual machine when it resides on the same piece of hardware.

The technique, unveiled in a research paper published by computer scientists from the University of North Carolina, the University of Wisconsin, and RSA Laboratories, took several hours to recover the private key for a 4096-bit ElGamal-generated public key using the libgcrypt v.1.5.0 cryptographic library. The attack relied on "side-channel analysis," in which attackers crack a private key by studying the electromagnetic emanations, data caches, or other manifestations of the targeted cryptographic system.

One of the chief selling points of virtual machines is their ability to run a variety of tasks on a single computer rather than relying on a separate machine to run each one. Adding to the allure, engineers have long praised the ability of virtual machines to isolate separate tasks, so one can't eavesdrop or tamper with the other. Relying on fine-grained access control mechanisms that allow each task to run in its own secure environment, virtual machines have long been considered a safer alternative for cloud services that cater to the rigorous security requirements of multiple customers.

Read 8 remaining paragraphs | Comments

0
Your rating: None

I've already documented my brief, youthful dalliance with the illegal side of computing as it existed in the late 1980s. But was it crime? Was I truly a criminal? I don't think so. To be perfectly blunt, I wasn't talented enough to be any kind of threat. I'm still not.

There are two classic books describing hackers active in the 1980s who did have incredible talent. Talents that made them dangerous enough to be considered criminal threats.

 Tracking a Spy Through the Maze of Computer Espionage

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage

 My Adventures as the World's Most Wanted Hacker
Ghost in the Wires: My Adventures as the World's Most Wanted Hacker

Cuckoo is arguably the first case of hacking that was a clearly malicious crime circa 1986, and certainly the first known case of computer hacking as international espionage. I read this when it was originally published in 1989, and it's still a gripping investigative story. Cliff Stoll is a visionary writer who saw how trust in computers and the emerging Internet could be vulnerable to real, actual, honest-to-God criminals.

I'm not sure Kevin Mitnick did anything all that illegal, but there's no denying that he was the world's first high profile computer criminal.

Kevin Mitnick FBI wanted poster

By 1994 he made the FBI's 10 Most Wanted list, and there were front page New York Times articles about his pursuit. If there was ever a moment that computer crime and "hacking" entered the public consciousness as an ongoing concern, this was it.

The whole story is told in minute detail by Kevin himself in Ghost in the Wires. There was a sanitized version of Kevin's story presented in Wizzywig comix but this is the original directly from the source, and it's well worth reading. I could barely put it down. Kevin has been fully reformed for many years now; he wrote several books documenting his techniques and now consults with companies to help improve their computer security.

These two books cover the genesis of all computer crime as we know it. Of course it's a much bigger problem now than it was in 1985, if for no other reason than there are far more computers far more interconnected with each other today than anyone could have possibly imagined in those early days. But what's really surprising is how little has changed in the techniques of computer crime since 1985.

The best primer of modern – and by that I mean year 2000 and later – computer crime is Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. Modern computer crime is more like the classic sort of crime you've seen in black and white movies: it's mostly about stealing large sums of money. But instead of busting it out of bank vaults Bonnie and Clyde style, it's now done electronically, mostly through ATM and credit card exploits.

 How One Hacker Took Over the Billion-Dollar Cybercrime Underground

Written by Kevin Poulson, another famous reformed hacker, Kingpin is also a compelling read. I've read it twice now. The passage I found most revealing is this one, written after the protagonist's release from prison in 2002:

One of Max’s former clients in Silicon Valley tried to help by giving Max a $5,000 contract to perform a penetration test on the company’s network. The company liked Max and didn’t really care if he produced a report, but the hacker took the gig seriously. He bashed at the company’s firewalls for months, expecting one of the easy victories to which he’d grown accustomed as a white hat. But he was in for a surprise. The state of corporate security had improved while he was in the joint. He couldn’t make a dent in the network of his only client. His 100 percent success record was cracking.

Max pushed harder, only becoming more frustrated over his powerlessness. Finally, he tried something new. Instead of looking for vulnerabilities in the company’s hardened servers, he targeted some of the employees individually.

These “client side” attacks are what most people experience of hackers—a spam e-mail arrives in your in-box, with a link to what purports to be an electronic greeting card or a funny picture. The download is actually an executable program, and if you ignore the warning message

All true; no hacker today would bother with frontal assaults. The chance of success is miniscule. Instead, they target the soft, creamy underbelly of all companies: the users inside. Max, the hacker described in Kingpin, bragged "I've been confident of my 100 percent [success] rate ever since." This is the new face of hacking. Or is it?

One of the most striking things about Ghost In The Wires is not how skilled a computer hacker Kevin Mitnick is (although he is undeniably great), but how devastatingly effective he is at tricking people into revealing critical information in casual conversations. Over and over again, in hundreds of subtle and clever ways. Whether it's 1985 or 2005, the amount of military-grade security you have on your computer systems matters not at all when someone using those computers clicks on the dancing bunny. Social engineering is the most reliable and evergreen hacking technique ever devised. It will outlive us all.

For a 2012 era example, consider the story of Mat Honan. It is not unique.

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password and then reset it to do the damage to my devices.

I heard about this on Twitter when the story was originally developing, and my initial reaction was skepticism that anyone had bothered to brute force anything at all, since brute forcing is for dummies. Guess what it turned out to be. Go ahead, guess!

Did you by any chance guess social engineering … of the account recovery process? Bingo.

After coming across my [Twitter] account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.

Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot.

Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple’s tech support issue him the keys to my account.

So how did he get this vital information? He began with the easy one. He got the billing address by doing a whois search on my personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.

Getting a credit card number is tricker, but it also relies on taking advantage of a company’s back-end systems. … First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.

Phobia, the hacker Mat Honan documents, was a minor who did this for laughs. One of his friends is a 15 year old hacker who goes by the name of Cosmo; he's the one who discovered the Amazon credit card technique described above. And what are teenage hackers up to these days?

Xbox gamers know each other by their gamertags. And among young gamers it’s a lot cooler to have a simple gamertag like “Fred” than, say, “Fred1988Ohio.” Before Microsoft beefed up its security, getting a password-reset form on Windows Live (and thus hijacking a gamer tag) required only the name on the account and the last four digits and expiration date of the credit card on file. Derek discovered that the person who owned the “Cosmo” gamer tag also had a Netflix account. And that’s how he became Cosmo.

“I called Netflix and it was so easy,” he chuckles. “They said, ‘What’s your name?’ and I said, ‘Todd [Redacted],’ gave them his e-mail, and they said, ‘Alright your password is 12345,’ and I was signed in. I saw the last four digits of his credit card. That’s when I filled out the Windows Live password-reset form, which just required the first name and last name of the credit card holder, the last four digits, and the expiration date.”

This method still works. When Wired called Netflix, all we had to provide was the name and e-mail address on the account, and we were given the same password reset.

The techniques are eerily similar. The only difference between Cosmo and Kevin Mitnick is that they were born in different decades. Computer crime is a whole new world now, but the techniques used today are almost identical to those used in the 1980s. If you want to engage in computer crime, don't waste your time developing ninja level hacking skills, because computers are not the weak point.

People are.

[advertisement] How are you showing off your awesome? Create a Stack Overflow Careers profile and show off all of your hard work from Stack Overflow, Github, and virtually every other coding site. Who knows, you might even get recruited for a great new position!

0
Your rating: None

Cyberoam, a maker of appliances designed to secure sensitive networks, said it has issued an update to fix a flaw that could be used to intercept communications sent over the TOR anonymity network.

Cyberoam issued the hotfix on Monday to a variety of its unified threat management tools. The devices, which are used to inspect individual packets entering or exiting an organization's network, previously used the same cryptographic certificate. Researchers with the TOR network recently reported the flaw and said it caused a user to seek a fake certificate for thetorproject.org when one of the DPI (or deep packet inspection) devices was being used to monitor his connection.

"Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key," TOR researcher Runa A. Sandvik wrote in a blog post published last Tuesday. "It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device—or to extract the key from the device and import it into other DPI devices, and use those for interception." Someone commenting on the post went on to publish the purported private key used by the Cyberoam certificate.

Read 3 remaining paragraphs | Comments

0
Your rating: None