Electric Alchemy: Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR: “
ELECTRIC ALCHEMY
INFORMATION SECURITY

FRIDAY, OCTOBER 30, 2009

Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR
Cloud Computing has enabled some interesting projects:  undertakings that wouldn’t have been attempted without the cheap, flexible, easy to provision and simple to release computing power that ‘cloud’ delivers.

The New York Times used Amazon EC2 and S3 to create PDF’s of 15M scanned news articles.  NASDAQ  uses Amazon S3 to deliver historical stock information.  We recently tapped into the power of the cloud to perform brute force password cracking attacks which simply aren’t feasible using traditional IT infrastructure.

We at EA are ‘pro-cloud’ and have been assessing the security of various incarnations of cloud for some time now.  However, until recently we had not had an opportunity to leverage the massive scalability that cloud promises.  That changed a few months ago when we were approached by a client who needed several PGP ZIP archives decrypted thr”

(Via .)

Recently, I had to use the PGP for the first time when one of my colleague wanted to send some documents securely. Over all, this is an easy process and works quite well. I use Windows XP, Thunderbird and gnupg for this to work. Following are some instruction to do this…

You download the software from http://www.gnupg.org if you’re using Windows. If you have Linux, you most likely already have GnuPG.

Enigmail is the plug-in for Thunderbird. You can get it from https://addons.mozilla.org. Alternately, on GNOME-based Linux, check out Seahorse. You can use GnuPG with Outlook, but it isn’t pretty. I would recommend Thunderbird any day.

The software will generate a key pair for you.

Unlike traditional S/MIME, where you use an X.509 certificate signed by a trusted CA, PGP / GnuPG is based on a more general model. You determine if a key is “valid” if it has been signed by someone you “trust”. So, let’s say, you trust that I will not sign any key without verifying that it actually belongs to who it says it belongs to. Then, you can be assured that any key you get that is signed by me is valid.

For distribution, you can upload your public key to a few key servers at PGP and MIT. Keep your private key, well, private.

Signing a message is easy. You just click a button in Thunderbird that says, “Sign message”.

Encryption requires that you have the public key of the person you’re sending the message to. Either he can give it to you, or you can download it from a key server that you trust and that he’s uploaded it to. Once the public key is downloaded, it is stored in your “keyring”. When you send a message to a person whose public key you have, you can click the “Encrypt” button, and it will work.

Assalammualaikum dan salam sejahtera kepada semua. Di sini ingin saya terangkan perbezaan antara Patskom 3.0 dan Patskom PGP.

Ingin dinyatakan anda perlu memastikan terdahulu PC yang digunakan oleh anda menggunakan Office versi berapa. Ini kerana Patskom 3.0 hanya berfungsi dengan Office 2003 kebawah sahaja dan tidak berfungsi sekiranya anda menggunakan Office 2007. Penawarnya ialah anda hanya perlu memasukkan Excel 2003 sahaja pada PC baru anda itu  dan kedua-dua versi dapat digunakan. ^_^

Manakala Patskom PGP boleh berfungsi pada Office 2007 dan 2003 ( berdasarkan pengalaman saya) walaupun mempunyai kekurangan fungsi.

Sekiranya mempunyai sebarang pertanyaan atau pembetulan untuk artikel saya..sila maklumkan ya.

Bamber is a University of Iowa Sophomore making the change from female to male.  This is his story.

A PGP Online Store vulnerability could have allowed hackers to harvest PGP Corporation’s customer data.

Exposed data included each customer’s full contact info (name, physical address, email address, telephone number, etc), the PGP product & version level purchased by the customer, and the customer’s operating system (Windows or Mac).

For some customers, partial credit card information were also exposed, including the type of card the customer used (Visa, Amex, etc.), the last four digits of the card, the card’s expiration date, and the first & last name associated with the card.

The type and amount of data exposed could have subjected PGP customers to an extremely effective targeted phishing attack, especially considering PGP’s reputation as a leader in the data protection market.

The vulnerability involved an Insecure Direct Object Reference on a product renewal URL which was not protected by any form of authentication.

Timeline:

This vulnerability was disclosed to PGP on October 17, 2009.  PGP acknowledged the issue on October 22 and implemented a fix; however, my re-testing indicated the problem was not resolved (results communicated back to them on the same day).  Sent follow-up email on November 5 as there were no updates from PGP.  On November 9, PGP responded that they were planning to add authentication to protect the renewal function.  Verified vulnerability still existed on November 11. Issue appears to have been fixed on November 12.

Am 20.11. findet parallel zum Münchner Piratenstammtisch eine Keysigning Party statt. Es werden GnuPG/PGP und CAcert Assurances abgearbeitet.

Wer also Lust hat kommt einfach mal vorbei. Der öffentliche Schlüssel sollte aber schon ein paar Tage vorher losgeschickt werden, damit alles gut funktioniert. Näheres auf der entsprechenden Webseite.

Link

While working on some application security requirements for a client, I came across this little nugget about cracking pgp passwords using a cloud.

Cracking Passwords in the Cloud

It’s interesting to see how easy it  has becomes to brute force passwords using distributed computing. While brute force attacking passwords for the average person is still time-prohibitive, even with a cloud, the ability to reduce password cracking times from years to weeks is impressive.  Cracking performance will continue to increase as distributed computing becomes cheaper, faster and more widely adopted.

Take a look at the article and think of how this could affect your data:  Cracking Passwords in the Cloud

If you haven’t started to really focus on application data security, perhaps you should…

A veces cuando ofrecemos cierta información en nuestra página web corporativa nos interesa que quede claro que la información que refleja tal o cual documento está tal y como fue publicada y mantiene su integridad. Este es el fin de la firma PGP de páginas web, donde cualquier usuario puede comprobar que la información no ha sido modificada. Para ello se puede utilizar PGP como clave criptográfica de clave pública.

PGP es uno de los primeros programas aparecidos que permitían a los usuarios firmar y codificar documentos. Tiene versiones de código abierto para casi todas las plataformas y sistemas operativos, lo que le convierte en un sistema flexible. Las ventajas sobre el sistema de certificados SSL/TLS que permite mantener conexiones seguras de forma transparente para el usuario es que con el sistema de firmas la conexión es bastante más rápida.

Utiliza un sistema de criptografía de clave privada y clave pública. Este tipo de sistemas tienen dos claves una privada con la que se firma la página y otra pública que es accesible para todos los usuarios. Para firmar un documento lo realizamos con la clave privada, mientras la clave pública nos garantiza que no se ha modificado el documento desde el momento de su firma. El inconveniente es que es el usuario el que tiene que realizar esta comprobación de forma proactiva.

Es interesante utilizar este tipo de mecanismos para asegurar a nuestros usuarios que no hemos modificado tal o cual documento de garantía, por ejemplo, que incluimos en nuestra página web, así que nuestros clientes pueden estar seguros de que lo reflejado en la web es lo que nosotros hemos ofrecido. Este tipo de mecanismos es igualmente válido a la hora de cifrar documentos con cualquier tipo de software que utilice PGP.

AutoCAD references all kinds of files to help you create your drawings. Your .LIN files for Line types, .PAT files For Hatches, your .PGP file for Custom shortcuts and your .CUI file for your user Interface settings.

If you want to back up, repair or customise any of these files, you need to know where to find them right?

Open the Options pallet:

Menu:   Tools  Options

At the Command prompt, enter options.

Shortcut menu: Right-click in the command window, or (with no commands active and no objects selected) right-click in the drawing area, and choose Options.

Command entry: options

Choose the ‘Files’ Tab and click on the ‘Support File Search path’ Node to expand it.

Click once on the first path you see to select it, click again to edit it – But Don’t edit it! Just right click and choose copy.

You can now open any Windows folder and paste this address into the address bar:

Now you’ve found all the good stuff, why not create a short cut! If you want to customize AutoCAD in any way, you will want to come here first and create back ups of the relevant files. If you have already customised AutoCAD, you may want to back up these files before that pesky IT guy comes around and re-installs your software…

I usually do not start with a conclusion… But now I will.
Simply stay away from this dreadful software… !!!
It is simply buggy !

Outlook 2007 crashes almost at every signed email that this crappy software tries to display.

STAY AWAY FROM http://www.gpg4win.org/ at least until they fix these crashes !!!

]]> http://erling.wordpress.com/2009/10/07/intercettati/ Wed, 07 Oct 2009 20:24:44 +0000 erling http://erling.wordpress.com/2009/10/07/intercettati/

E’ scomparsa rapidamente, inghiottita da notizie più ghiotte, la segnalazione da parte di un funzionario dell’autorità garante della privacy di una catalogazione di tutte le attività su internet svolte dai navigatori italiani, dal 2001 al 2008, finchè lo stesso garante ha emesso un provvedimento per bloccare le registrazioni illecite.

E non sono poche queste registrazioni, si parla di tutte le url visitate, le password transitate in modo non protetto, le mail, le chat, di tutti gli abbonati a Telecom Italia, Vodafone e H3G.

Non sembra che la notizia abbia causato grande indignazione, il commento prevalente è “non ho niente da nascondere, possono intercettare finchè vogliono”; a me invece questa idea di una totale trasparenza mette i brividi, mi sa tanto di dittatura; come ha scritto Phil Zimmerman, l’inventore di pgp, “Se la privacy diviene fuorilegge, solo i fuorilegge avranno la privacy”, e si trova ancora qui la sua convicentissima esposizione del perchè è necessario che i nostri dati privati restino tali. Non saprei spiegarmi meglio di lui, quindi rinvio al link.

Non credo che ci saranno grandi reazioni al fatto che in Italia le compagnie telefoniche facciano il bello ed il cattivo tempo con la nostra vita privata; ci si occupa solo delle loro tariffe, ma non di quello che combinano con i nostri dati.

E’ poco plausibile che di loro iniziativa le telecom ci regalino la privacy, e lo stato sembra preoccuparsi più della privacy dei personaggi illustri che di queste retate di massa.

Sto pensando quindi di cercare alternative a livello individuale, forse tor può essere una strada, occorre studiarselo un po’, ma come sempre non si ha niente per niente.

]]> http://mnomedenimp.wordpress.com/2009/10/06/problems-of-perception-and-nazis/ Tue, 06 Oct 2009 15:29:48 +0000 nome http://mnomedenimp.wordpress.com/2009/10/06/problems-of-perception-and-nazis/ http://mnomedenimp.wordpress.com/2009/10/05/is-cis-and-friend-contradictory/ Mon, 05 Oct 2009 15:32:05 +0000 nome http://mnomedenimp.wordpress.com/2009/10/05/is-cis-and-friend-contradictory/ http://mnomedenimp.wordpress.com/2009/10/03/frustrations/ Sun, 04 Oct 2009 04:11:57 +0000 nome http://mnomedenimp.wordpress.com/2009/10/03/frustrations/ http://mnomedenimp.wordpress.com/2009/10/03/gender-neutral-name/ Sat, 03 Oct 2009 17:48:13 +0000 nome http://mnomedenimp.wordpress.com/2009/10/03/gender-neutral-name/ http://mnomedenimp.wordpress.com/2009/09/27/i-am-suuuuch-a-ze/ Sun, 27 Sep 2009 18:38:00 +0000 nome http://mnomedenimp.wordpress.com/2009/09/27/i-am-suuuuch-a-ze/ http://mnomedenimp.wordpress.com/2009/09/17/i-dont-want-your-apologies/ Thu, 17 Sep 2009 08:48:34 +0000 nome http://mnomedenimp.wordpress.com/2009/09/17/i-dont-want-your-apologies/ http://pgpsucks.wordpress.com/2009/09/16/solution-for-pgp-desktop-for-mac-mail-bundle-and-snow-leopard/ Wed, 16 Sep 2009 09:28:00 +0000 Nuri http://pgpsucks.wordpress.com/2009/09/16/solution-for-pgp-desktop-for-mac-mail-bundle-and-snow-leopard/

I’ll describe a simple workaround that may eliminate the need for the Mail Bundle forever.

I’m assuming that PGP Desktop is already installed in your system. I merely upgraded my Leopard to Snow Leopard and PGP Desktop is working fine save for the occasional non-critical crash.

The important part is to define PGP’s Encrypt and Decrypt-Verify commands as system-wide services. The Services menu is cumbersome to use but thanks to Snow Leopard, once you define a system-wide service, it pops up in the contextual menu when you right click.

For this to work, there are two important notes:
- You need to be in a text window.
- You need to be operating on editable text.

In Mail.app, when you want to Encrypt a message, just type it normally, then do a Select All. Right click to reveal the contextual menu and select Encrypt. Your message is ready to go, properly encrypted by PGP.

Decrypting received messages is just a little more tricky but you’ll get used to it in no time. The problem is the message does not contain editable text. Just hit reply to open a new message containing the received text. Of course this gives you the received text in an editable window. Now do a Select All and then right click to reveal the contextual menu, and finally select Decrypt-Verify. Now you have the original received message properly Decrypted. If you want to reply it at that point, write your reply and Encrypt as above. If you just want to read it and reply later, just discard the message window that contains the decrypted text.

It’s really easy and I see it no different that the routine with the Mail Bundle.

And now the mother of all tips: Since we’re talking of a system-wide service, the routine above works exactly the same using any web mail system be it Gmail, MobileMe or anything else.

Enjoy!

Postscript: Of course PGP Corporation could have given us something like this at exactly the time that they said “Don’t upgrade to Snow Leopard!” If, of course, they had been anything like a decent customer service company. It’s almost farcical to think that they should have banned me from PGP customer forums. I’m their best ally in the blogosphere trying to help PGP Desktop Mac users!

This is how your Services menu should look like.

Thus you write your message and encrypt it. Once you manage to get Encrypt and Decrypt-Verify services in your contextual menu, happiness could not be far behind.

]]> http://mnomedenimp.wordpress.com/2009/09/10/to-pass-was-passed-as-and-blend/ Thu, 10 Sep 2009 20:24:47 +0000 nome http://mnomedenimp.wordpress.com/2009/09/10/to-pass-was-passed-as-and-blend/ http://mnomedenimp.wordpress.com/2009/09/10/an-example-of-why-i-dont-love-gay-groups/ Thu, 10 Sep 2009 05:06:58 +0000 nome http://mnomedenimp.wordpress.com/2009/09/10/an-example-of-why-i-dont-love-gay-groups/ http://mnomedenimp.wordpress.com/2009/09/09/soap-dispensers/ Wed, 09 Sep 2009 13:48:48 +0000 nome http://mnomedenimp.wordpress.com/2009/09/09/soap-dispensers/ http://mnomedenimp.wordpress.com/2009/08/30/reflection-on-the-past-few-months-of-pgp/ Sun, 30 Aug 2009 18:00:23 +0000 nome http://mnomedenimp.wordpress.com/2009/08/30/reflection-on-the-past-few-months-of-pgp/ http://borgerrettigheter.wordpress.com/2009/08/27/avlyttningssikker-telefoni-helt-n%c3%b8dvendig/ Thu, 27 Aug 2009 13:37:58 +0000 Tankeren http://borgerrettigheter.wordpress.com/2009/08/27/avlyttningssikker-telefoni-helt-n%c3%b8dvendig/

Ny teknologi som muliggjør avlyttning av Skype viser at avlyttningssikker telefoni er helt nødvendig. Borgerrettighetsbloggen har vært i kontakt med Telio, en leverandør av IP-telefoni, og fått bekreftet at de ikke bruker noen form for kryptering. Jeg mistenker at ingen av de norske firmaene i dag beskytter samtalene. Dette er farlig, fordi det er vanvittig lett for en mellommann å avlytte samtalene, og dermed snappe opp viktig informasjon som senere kan brukes i svindel.

Philip Zimmerman, som i sin tid utviklet Pretty Good Privacy har utviklet en teknologi som heter ZRTP. ZRTP muliggjør avlyttningssikker telefoni, og du kan i dag bruke denne teknologien gratis ved å laste ned Zfone og Yahoo Messenger. Hvis du og din samtalepartner bruker disse to programmene til stemmetelefoni, er det umulig å avlytte samtalen deres. Snart kommer SIP Communicator, en plattformuavhengig avlyttningssikker programvare som har ZRTP innebygget.

Bør ikke myndighetene ha en universalnøkkel? Nei, mener Zimmermann. Risikoen for at den samme metoden vil bli misbrukt av organiserte kriminelle er for stor, og det holder å se hvem som har snakket sammen for å trekke slutninger. Det er ikke nødvendig å vite hva som har blitt sagt.

Zimmermann ble i sin tid etterforsket av FBI for “å eksportere våpenteknologi”. Etterhvert som myndighetene innså at kryptering var en nødvendighet i den moderne dataalderen, måtte de gi seg, og lovliggjøre eksport av slik teknologi etter press fra databransjen. Den kjente kryptografen ble igjen angrepet etter 11. september, fordi man mente at terroristene hadde brukt hans teknologi i planleggingen av angrepene. Han angret ikke på at han utviklet den, og mener at alle har rett til privatliv, uansett om det kan misbrukes.

IP-telefoniinfrastrukturen i Norge burde inkludere ZRTP som standard, og det er flaut at man ikke bruker noen som helst form for beskyttelse.

]]> http://factualfiction.wordpress.com/2009/08/26/standing/ Tue, 25 Aug 2009 17:48:31 +0000 wulu http://factualfiction.wordpress.com/2009/08/26/standing/