DECT or rather, Digital Enhanced Cordless Telecommunications, has apparently been broken by researchers.

From The Register:

Cryptographers have broken the proprietary encryption used to prevent eavesdropping on more than 800 million cordless phones worldwide, demonstrating once again the risks of relying on obscure technologies to remain secure.

The attack is the first to crack the cipher at the heart of the DECT, or Digital Enhanced Cordless Telecommunications, standard, which encrypts radio signals as they travel between cordless phones in homes and businesses and corresponding base stations.

Ah, the simple pleasures of smashing a 20 year old proprietary encryption algorithm to bits.

The researchers are presenting their findings at the FSE 2010 Conference in Korea as we speak. Should be interesting to see how the industry reacts.

For the full story, read on.

Article Link

The DoD is locking down its tubes with some new crypto it would appear. In an effort to move into cloud computing in earnest within the DoD there is a move afoot to layer in security.

OK, I’m listening.

From GCN.com:

The new cryptographic technology enables the convergence of various Defense Department Global Information Grid networks that operate at different security levels, which currently require individualized infrastructure designed to handle restricted data – and also individualized costs.

“The government spends a considerable amount of money on these networks, and they’ve been looking for years for a way to combine them,” said David Gardiner, vice president of security technology and solutions at Unisys, which is deploying its Stealth technology under a one-year JFCOM contract.

“Stealth” you say? Oh, I got all tingly there for a moment.

Stealth works by splitting bits of data into multiple packets as it moves through the network, then reassembles the information packets when delivered to authorized users. Only authenticated users who have obtained a workgroup key, authorized by a Stealth Solution server, would have the means to reassemble and unscramble the packets.

In some ways this sounds oddly familiar. The article goes on to say how this could be used to help improve cloud computing from a security perspective. I’d be interested to see how the keys are managed.

Oh look. A nice black helicopter overhead. Wave to the nice men.

Article Link

UPDATE: As per my conversation with Chris Hoff, I should offer clarity on the ‘Stealth’ article. “To be clear: Unisys’ Stealth is being ‘evaluated/assessed’ under the JFCOM contract, not widely deployed.” Thanks Hoff.

See, this is what happens when I write something with little to no sleep. Clarity escapes me.

(Image used under CC from iancarroll’s Flickr stream)

Chris Soghoian has another interesting piece on his CNET blog.

Wow, I’m certainly glad that I’ve not had the displeasure of police interrogation. But, to think of one in some countries around the world makes the blood run cold. One such example is apparently, Turkey.

From CNET:

The 2005 theft of tens of million credit card numbers from an unsecured wireless network run by TJ Maxx stores has lead to over 150 million dollars in damages for the company. The two gentlemen behind the heist sold the pilfered credit card information to others online. Eventually, the stolen cards reached Maksym Yastremskiy, a Ukrainian citizen, and, according to media reports, a “major figure in the international sale of stolen credit card information.”

Mr Yastremskiy was later arrested in 2007, while on vacation in Turkey. The US government has formally requested that Yastremskiy be extradited, and has charged him with a number of crimes including aggravated identity theft.

Now, comments alleged to have been made by Howard Cox, a US Department of Justice official, shed some light on the possible means in which the Turkish police extracted the password for his encryption software.

Cox quipped about leaving a stubborn suspect alone with Turkish police for a week as a way to get them to voluntarily reveal their password

Volun…damn. OK, the tongue and cheek imagery of a black and white film gives way to this image.

Guilty or not, this is not the right way to do things.

Article Link

From NewTeeVee:

The team behind the popular torrent site The Pirate Bay has started to work on a new encryption technology that could potentially protect all Internet traffic from prying eyes. The project, which is still in its initial stages, goes by the name “Transparent end-to-end encryption for the Internets,” or IPETEE for short. It tackles encryption not on the application level, but on the network level, the aim being that all data exchanged on your PC would be encrypted, regardless of its nature — be it a web browser streaming video files or an instant messaging client.

I wonder what the likelihood of them pulling this off would be? Then again at one point they were interested in purchasing Sealand. So, if anyone has the resources to start causing a ruckus, its them.

We’ll be keeping an eye on this developing story.

Article Link

Data breaches leave organizations vulnerable to massive information losses, including confidential client data. Data breaches also open companies to to reputation damage and lawsuits. Data encryption solutions significantly reduce companies’ rates of data breaches. Encryption can mitigate the consequences of a potential data breach.

More than eight out of 10 organizations have suffered at least one breach of data Relevant Products/Services in the last year, and 44 percent have lost data two to five times in the same period, according to new research from the Ponemon Institute.

There’s some good news for companies that have a comprehensive encryption Relevant Products/Services strategy, however. These organizations had significantly lower rates of data breaches.

Data breaches open organizations to reputation damage and lawsuits — witness the recent data loss at grocery-chain Hannaford, where more than 4 million credit- and debit-card numbers were exposed between December 7, 2007, and March 10, 2008, resulting in at least 1,800 stolen, and at least one federal class-action lawsuit.

I’m planning to review a few encryption vendor offerings in the not to distant future.

No, sales folks don’t need to call.

Down boy.

Article Link

Tags: Laptop Encryption, Encryption, Data Security

A University of Virginia graduate student and two fellow hackers say they have cracked the encryption code that protects billions of credit cards, subway passes and security badges.

With readily available equipment that cost less than $1,000, 26-year-old Karsten Nohl and his two Germany-based partners dismantled a tiny chip that is found inside many “smartcards” and mapped out its secret security algorithm.

With the cryptographic formula in hand, the hackers were then able to run it through a computer program that tried out every possible key. It broke the encryption after a few hours. If they were to try again, Nohl said, it would take a matter of minutes.

“I don’t want to help attackers, but I want to inform people about the vulnerabilities of these cards,” said Nohl, a Ph.D. candidate in computer engineering at UVa who is originally from Germany.

So, why does this seem familiar? The article seems a touch confusing. Did he break crypto or simply RFID? The quote from the article “found that it was fairly easy to crack the RFID chip’s code, potentially allowing a tech-savvy miscreant to clone credit cards, ride the Metro for free, or easily steal cars.” seems to indicate that they merely attacked the RFID as opposed to some encryption. Does anyone have a link to Nohl’s presentation from CCC?

Article Link

Tags: RFID, Karsten Nohl

From Tech World:

Identum’s Private Post desktop and gateway server products will be integrated into Trend’s existing line of products and rebranded “Identum as Trend Micro.”

The Identum server software, which will automatically encrypt messages depending on the user’s corporate security policy, can be used alongside existing email and compliance products. It gives Trend a way to add email encryption to its InterScan Messaging Hosted Security product line.

Article Link

Tags: Trend Micro, Identum, Encryption

From Princeton.edu:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

To answer the emails that I received this afternoon at once, no, they have not released bitunlocker.sh.

Article Link

Paper Link (.pdf)

[UPDATE] Here is the video from YouTube.

Tags: Disk Encryption, Defeating Disk Encryption, Crypto, Cold Boot Attacks, Cryogenic Cryptanalysis

From IT Wales:

Banking online has become increasingly pervasive and is becoming more and more common. But has it reached a point where its actually safer than going to your local branch?

The risks of banking online are numerous

* Hackers have global reach – if you’re doing offline banking in Birmingham, you only need to be worried about bad guys in Birmingham, for instance the customers and employees present in your local branch. If you’re banking online, anyone in the world could attack you and your assets.

* Automation – in the physical world attackers are limited by their ability to manipulate physical items like making an extra copy of your account number. In the online world attackers are essentially unlimited in the resources they can bring to bear.

* Online security is opaque to the end user. People who aren’t particularly tech savvy have a tough time differentiating between good online security practices and bad online security practices. Security in the physical world is much more intuitive for most people – keep your chequebook in a safe place or don’t let someone peek when you are entering your PIN.

For the full piece read on.

Article Link

Tags: Online Banking, Internet Banking, Online Banking Safety

From TrueCrypt:

Main Features:

* Creates a virtual encrypted disk within a file and mounts it as a real disk.

* Encrypts an entire hard disk partition or a storage device such as USB flash drive.

* Encryption is automatic, real-time (on-the-fly) and transparent.

* Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

1) Hidden volume (steganography – more information may be found here).
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

* Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

Article Link

Tags: TrueCrypt, Disk Encryption, Encryption