
NSA committee considers using typewriters

Posted on July 14th, 2014 at 18:56 by John Sinteur in category: News

[Quote]:

The NSA inquiry committee may fall back on tried and tested methods to protect itself against surveillance. It is being considered to return to mechanical typewriters for drafting secret documents, the chairman of the inquiry committee, Patrick Sensburg (CDU), said on Monday on ARD's “Morgenmagazin”.



Comments:

  1. A pre-TCP/IP Mac or MS-DOS machine would probably be fine too.

  2. Pen and paper.

Cartoons

Posted on July 14th, 2014 at 15:48 by John Sinteur in category: Cartoon



Make sure you update the firmware on all your lightbulbs!

Posted on July 14th, 2014 at 14:31 by John Sinteur in category: Security

[Quote]:

In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.

[..]

According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.
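The key-management point in the quote, as an added example in Go written for this page (it is not LIFX's firmware and not the researchers' code): vulnerableShare models the shipped design, where the Wi-Fi credentials cross the mesh under one AES key that is identical in every bulb image, and eavesdrop is the attacker who has pulled that key out of a single bulb and can therefore read every network's credential frame. The AES mode (GCM), the key value, the frame layout and the hardened alternative (pairedShare, a per-network key from an X25519 exchange at pairing time, so that no firmware image contains anything that opens the frame) are all assumptions of the example, not what LIFX shipped or what its updated firmware does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// firmwareKey stands in for the one AES key every bulb shipped with. The value is made up for
// this example; what matters is that it is the same in every bulb image, so dumping one bulb yields it.
var firmwareKey = sha256.Sum256([]byte("constant baked into every bulb image (demo)"))

// gcmFor returns AES-GCM for key. The post only says "AES"; GCM is an assumption of this example.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails unless key is the key the frame was sealed under.
func open(key, frame []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(frame) < gcm.NonceSize() {
		return nil, io.ErrUnexpectedEOF
	}
	return gcm.Open(nil, frame[:gcm.NonceSize()], frame[gcm.NonceSize():], nil)
}

// vulnerableShare is the shipped design: credentials for a new bulb cross the mesh under firmwareKey.
func vulnerableShare(ssid, psk string) ([]byte, error) {
	return seal(firmwareKey[:], []byte(ssid+"\x00"+psk))
}

// eavesdrop is the attacker in radio range who extracted firmwareKey from one bulb.
func eavesdrop(frame []byte) (string, error) {
	pt, err := open(firmwareKey[:], frame)
	return string(pt), err
}

// Hardened design assumed here: every bulb has its own X25519 key, and at pairing time the joiner
// and a bulb already on the network derive a fresh shared key that exists in no firmware image.
func newBulbKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// pairingKey hashes the X25519 shared secret into an AES-256 key.
func pairingKey(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := mine.ECDH(peer)
	k := sha256.Sum256(append([]byte("demo pairing key|"), shared...))
	return k[:], err
}

// pairedShare: the bulb already on the network seals the credentials for the joiner.
func pairedShare(master *ecdh.PrivateKey, joiner *ecdh.PublicKey, ssid, psk string) ([]byte, error) {
	key, err := pairingKey(master, joiner)
	if err != nil {
		return nil, err
	}
	return seal(key, []byte(ssid+"\x00"+psk))
}

// pairedReceive: the joiner derives the same key from the master's public key and opens the frame.
func pairedReceive(joiner *ecdh.PrivateKey, master *ecdh.PublicKey, frame []byte) (string, error) {
	key, err := pairingKey(joiner, master)
	if err != nil {
		return "", err
	}
	pt, err := open(key, frame)
	return string(pt), err
}

func main() {
	frame, _ := vulnerableShare("HomeNet", "correct horse battery staple")
	fmt.Println(eavesdrop(frame)) // the SSID, a NUL byte, the PSK, and <nil>
	master, _ := newBulbKey()
	joiner, _ := newBulbKey()
	frame, _ = pairedShare(master, joiner.PublicKey(), "HomeNet", "correct horse battery staple")
	fmt.Println(eavesdrop(frame)) // an empty string and the GCM authentication error
}
```

The hardened half only defeats a passive listener: an unauthenticated X25519 exchange is still open to an active attacker who pairs as the "master", so a real design also has to authenticate the peer (a secret printed on the bulb, a button-press window, or a vendor-signed key). The example also leaves out the radio side; the 30-metre figure in the quote is 802.15.4 range, not a property of the cryptography, and reading the frame off the air still requires speaking 6LoWPAN.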



Google Glass Snoopers Can Steal Your Passcode With a Glance

Posted on July 14th, 2014 at 14:00 by John Sinteur in category: Security

[Quote]:

The odds are you can’t make out the PIN of that guy with the sun glaring obliquely off his iPad’s screen across the coffee shop. But if he’s wearing Google Glass or a smartwatch, he probably can see yours.

Researchers at the University of Massachusetts Lowell found they could use video from wearables like Google Glass and the Samsung smartwatch to surreptitiously pick up four-digit PIN codes typed onto an iPad from almost 10 feet away—and from nearly 150 feet with a high-def camcorder. Their software, which used a custom-coded video recognition algorithm that tracks the shadows from finger taps, could spot the codes even when the video didn’t capture any images on the target devices’ displays.

“I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” says Xinwen Fu, a computer science professor at UMass Lowell who plans to present the findings with his students at the Black Hat security conference in August. “If someone can take a video of you typing on the screen, you lose everything.”



How a password changed my life

Posted on July 14th, 2014 at 13:47 by John Sinteur in category: News

[Quote]:

It was obvious that I couldn’t focus on getting things done with my current lifestyle and mood. Of course, there were clear indicators of what I needed to do -or what I had to achieve- in order to regain control of my life, but we often don’t pay attention to these clues.

My password became the indicator.



Comments:

  1. Here’s a link to change all your passwords with one click: http://fffff.at/category/projects/

X509

Posted on July 14th, 2014 at 13:37 by John Sinteur in category: Do you feel safer yet?, Google

[Quote]:

Shortly after the initial news came out that the NSA fakes Google and Yahoo servers with stolen or faked certificates:

https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html

the German computer magazine c't issued a warning that it is a security risk when Microsoft automatically updates its list of certificates without the users noticing, so that dubious certificates could easily get into the Windows certificate list, which is trusted by web browsers like Internet Explorer or Google Chrome for Windows:

http://www.heise.de/ct/artikel/Microsofts-Hintertuer-1921730.html

After reading this, I filed a bug in Chromium, which was then dismissed as a “won’t fix”, with the Chromium developers saying that the certificate list is “signed by Microsoft” and there would not be any break in the “chain of trust”.

And now I see this message from Google:

http://www.heise.de/security/meldung/Indien-stellte-falsche-Google-Zertifikate-aus-2252544.html

http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html

“On Wednesday, July 2, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.

We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.”

“Update Jul 9: India CCA informed us of the results of their investigation on July 8. They reported that NIC’s issuance process was compromised and that only four certificates were misissued; the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.”

Now Microsoft has removed the certificates in question, and it turns out that the issue affected 45 domains:

http://www.heise.de/security/meldung/Microsoft-entzieht-Indischer-CA-das-Vertrauen-2255992.html

https://technet.microsoft.com/en-us/library/security/2982792

google.com
mail.google.com
gmail.com
www.gmail.com
m.gmail.com
smtp.gmail.com
pop.gmail.com
imap.gmail.com
googlemail.com
www.googlemail.com
smtp.googlemail.com
pop.googlemail.com
imap.googlemail.com
gstatic.com
ssl.gstatic.com
www.static.com
encrypted-tbn1.gstatic.com
encrypted-tbn2.gstatic.com
login.yahoo.com
mail.yahoo.com
mail.yahoo-inc.com
fb.member.yahoo.com
login.korea.yahoo.com
api.reg.yahoo.com
edit.yahoo.com
watchlist.yahoo.com
edit.india.yahoo.com
edit.korea.yahoo.com
edit.europe.yahoo.com
edit.singapore.yahoo.com
edit.tpe.yahoo.com
legalredirect.yahoo.com
me.yahoo.com
open.login.yahooapis.com
subscribe.yahoo.com
edit.secure.yahoo.com
edit.client.yahoo.com
bt.edit.client.yahoo.com
verizon.edit.client.yahoo.com
na.edit.client.yahoo.com
au.api.reg.yahoo.com
au.reg.yahoo.com
profile.yahoo.com
static.profile.yahoo.com
openid.yahoo.com

In view of this list, the advice from Google looks especially funny:

“Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.”

The Microsoft certificate list is used by the Chrome browser. Faking a Google server is difficult, since Chrome checks its certificate by different means, and that is how the attack was revealed. But Chrome does not have a similar check for Yahoo. If that attack did not work after all, the hackers would not have used it.

But still, Google explicitly does not suggest that anyone should change passwords…
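The two checks the quoted Google statement contrasts, chaining to a root in the store versus public-key pinning, as an added example in Go written for this page (it is not code from the post, from Google or from Chromium): a toy root store holds a legitimate CA and a rogue one standing in for the India CCA / NIC chain; the rogue CA issues certificates for www.google.com and login.yahoo.com; verification against the root store alone accepts both, a SPKI pin on the legitimate CA's key rejects the rogue google.com certificate, and nothing rejects the yahoo.com one. The CA names, keys, serial numbers and the pin set are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

type ca struct { // a toy certificate authority
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// must keeps the demo short: a key-generation or signing failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign creates a certificate from tmpl with a fresh P-256 key; a nil parent means self-signed.
func sign(tmpl *x509.Certificate, parent *ca) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

func newCA(name string) *ca {
	cert, key := sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
	return &ca{cert: cert, key: key}
}

// issue signs a server certificate for host. Any CA in the store can do this for any name.
func (c *ca) issue(host string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, c)
	return cert
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form in which a pin set stores keys.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainTrusted asks only what a root store can answer: does the leaf chain to any trusted root for host?
func chainTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinned adds the check that protected Google's domains: some certificate in the verified chain
// must carry a pinned key. A rogue CA's chain passes chainTrusted but never contains that key.
func pinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true
			}
		}
	}
	return false
}

// The scenario from the post: both CAs sit in the root store; Google pins its legitimate CA's key,
// Yahoo pins nothing. Names are hypothetical; "Rogue Root CA" plays the India CCA / NIC chain.
var (
	legit, rogue = newCA("Legit Root CA"), newCA("Rogue Root CA")
	roots        = x509.NewCertPool()
	pins         = map[string]bool{spkiPin(legit.cert): true}
	legitGoogle  = legit.issue("www.google.com")
	rogueGoogle  = rogue.issue("www.google.com")
	rogueYahoo   = rogue.issue("login.yahoo.com")
)

func init() {
	roots.AddCert(legit.cert)
	roots.AddCert(rogue.cert)
}

func main() {
	fmt.Println("rogue www.google.com: store", chainTrusted(rogueGoogle, roots, "www.google.com"),
		"pins", pinned(rogueGoogle, roots, "www.google.com", pins)) // store true pins false
	fmt.Println("rogue login.yahoo.com: store", chainTrusted(rogueYahoo, roots, "login.yahoo.com")) // store true
}
```

A pin is a SHA-256 hash of a SubjectPublicKeyInfo matched against any certificate in the verified chain, the same shape Chrome's built-in pin list and HPKP use; a site pins a CA or intermediate key it controls or expects, so a rogue CA's chain never contains a pinned key no matter which trusted root it hangs from. That is why Google could say Chrome on Windows "would not have accepted the certificates for Google sites" while still having to push a CRLSet and Microsoft a root-store update for everyone else in the list above.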

