Conducting Password Splicing Attacks With oclHashcat-plus

2012-01-19 00:01:12 by chort

A coworker once told me he imagined immigration officials handing Chinese immigrants two bags with slips of paper, asking them to pick a paper from each bag and put them together to form the name of their restaurant. This is how he imagined names like "Green Dragon," or "Golden Lotus," or "China Garden" got created. While it might not be a very accurate way to describe culinary establishment marketing, it is similar to how many users choose passwords. I'm calling this method the "Chinese Take-out Attack."

Read the rest of this story...

Why the SOPA/PIPA Protests Worked

2012-01-18 22:53:40 by chort

While we all wear our arms out patting ourselves on the back for the remarkable changing of tides today, let's not forgot why the website blackouts actually worked: Because of the massive number of phone calls to senators and representatives. You can whine on Facebook and change your Twitter profile picture all you want, but no one in Washington D.C. will ever notice that. When a massive number of people jam phone lines and overflow voicemail boxes, THAT gets their attention. If you haven't called your senators and representative yet, your job is not finished. Make sure you call all three before the PIPA vote on January 24th.

Make no mistake, this war isn't over. The MPAA and RIAA will come back over and over again, in sneakier and sneakier ways. It costs them a lot less money to buy congresspeople than it does to take risks by investing in new business models. This is why I'm proposing another course of action: Defeat Lamar Smith in the next election. I made a promise today on Twitter to contribute the maximum legal amount to a candidate with a legitimate shot to defeat Rep Smith, and I intend to follow-through. We need to send a message that not only do we get pissed off when businesses buy laws, we don't forget who facilitated them.

We can't afford to financially assail every pro-SOPA/PIPA congressperson up for reelection, but we can make life miserable for one of them. Rep. Smith has been the most visible and the least rational MPAA/RIAA cheerleader, accepting all their propaganda verbatim, without any attempt to question it. This deliberate any-intellectualism (blocking network architects from even testifying on the ramifications of proposed legislation, and dismissing all amendments without consideration) needs to be punished. It's not OK to legislate out of ignorance. The citizens of Texas should be ashamed of putting this man into office, and they certainly shouldn't keep him there.

Even if you read this months after the posting date (January of 2012), it's almost certainly still relevant. Big, old corporate interests are still going to be attempting to legislate away any competitive or disruptive market forces, to protect their obsolete business models. Educate yourself, fight back. If you some how came to be reading this blog post and have no idea what I'm upset about, here are some references.

EFF action site for SOPA/PIPA.
Long history of content industry takedown powers abuse.
A technical examination of SOPA and PROTECT IP.
Statement by several brilliant, well-known artists against SOPA/PIPA
What Joe Brockmeier wishes sites were saying about SOPA/PIPA.
Learn about corporate money's corrupting influence (and what YOU can do).

Free Advice for the DHS

2012-01-17 10:46:51 by chort

You may be aware that the DHS are now sending (opt-in) "Daily Cyber Reports" to IT and security practitioners. The stated purpose of the reports is "to facilitate a greater understanding of the nature and scope of threats to the homeland." I wonder if they're aware of the threat they're creating by teaching people to open PDF documents from unauthenticated email? Well they have no excuse now, because I told them. Here's a copy of the email I sent them on the topic.

1.) Create a DKIM record for hq.dhs.gov and use it to sign the headers of the email, so recipients can verify it was really sent by hq.dhs.gov, rather than a phishing site.

2.) Publish a public key for OSINTBranchMailbox [at] hq.dhs.gov on a website that has a DNSSEC-signed record.

3.) Use the private key (GPG or S/MIME) to sign messages sent from OSINTBranchMailbox [at] hq.dhs.gov

4.) DO NOT INCLUDE ATTACHMENTS, unless they are plain text. Training users to open Adobe and Microsoft documents is the worst thing you can do, when most compromises are initiated with poisoned Adobe or Microsoft documents.

5.) Host the Cyber Report on a website that has a DNSSEC-signed DNS record and an SSL certificate that matches the hostname of the website and chains up to a trusted root.

If you're going to advise organizations on security, you should secure your infrastructure and comms too. Lead through action.

PS you haven't configured your authoritative DNS server properly. The template default value for email address is showing in the SOA.

Simple Guide to Secure Anything

2012-01-02 23:28:32 by chort

Recently I was asked for some pointers on creating a security roadmap. Since there's no one-size-fits-all strategy for which programs or technologies to implement, this is a tough question to answer. After thinking about it for a few minutes, I stepped back and put together this abstract, which is really what security boils down to after all. The rest is implementation details.

Read the rest of this story...