[Full-disclosure] Wireless keyboard insecurity - any secure one available?
I decided to write here after not getting any real response from any vendor or security forums that I have written about the subject in the past few months. The issue is relatively simple and affecting a lot of people, companies and propably even goverment officials: Wireless keyboards. Now, we know that most of the wireless keyboards are just stupid, if not analog, atleast somehow buggy and cheap pieces of tech that work on various RF bands. Some of them have been analysed and cracked wide open and ofcourse nobody is patching them up at all. For example here is a good example to proof my point: http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/ Is this a big issue? Oh yes. What point is having a good 32+ char passphrase on your www-accounts, 63marks long WPA2-PSK and PGP encryption in your emails...if you type them all with wireless keyboard, that can be easily eavesdropped maybe over 100yards away? Or is it just me thinking its weakest link in the chain of security? From my knowledge, Id say the best option for secure wireless keyboard is somekind of bluetooth keyboard that actually, REALLY works like bluetooth is supposed to work. You know, a wireless keyboard that would allow its default PIN (which is usually 1234 or ) to be changed in secure fashion to something long and complext (well, lets say 16 or 32 marks long)...and that would only allow encrypted and authenticated connections and would not broadcast its existance to the rest of the world. Sure, there has been cracks in bluetooth and its crypto, like here: http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216 that make you think that even bluetooths crypto, if it would actually be used, is not good enought for wireless keyboards. But its still the best we got right? WUSB might be a good replacement for bluetooth, but are there really any secure ones available yet - or will there ever be? How can you know they are secure - are you trusting the same manufactorers claims that have for years marketed and sold insecure wireless keyboards while claiming that they are secure? I dont. Is it just me or have someone else also payed attention to the insecurity of the wireless keyboards - and the total silence around this serious security issue? And how to fix this? How and where to get wireless keyboards that are really secure? -- http://www.markusjansson.net http://markusjansson.blogspot.com PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Finnish thought police censors site about censorship!
I usually dont make this kind of politically motivated posts here, but this is just waay too terrible to be ignored. I hope mods agree on this. http://www.poliisi.fi/poliisi/krp/home.nsf/pages/indexeng]Finnish Thought Police[/url] has now used dirty tactics to silence a website used to distribute information and discussion about the recent law about censorship. The laws is sayed to be used to censor child porn websites located outside Finland off the ISP customers. If the page does not contain child porn or is located in Finland, this law should not be applied at all. The situation is a bit same as it was a while back, when Swedish authorities used the same laws and same blacklists to censor access to [url=http://en.wikipedia.org/wiki/The_Pirate_Bay]Pirate Bay[/url]. Again, without any proof that there is or has been child porn there. Now, the same tactic is [url=http://www.insideonlinevideo.com/2007/07/06/swedish-police-censors-pirate-bay/]apparently soon be used again[/url] to kill the Pirate Bay off the net forever. However, there is a HUGE difference here. 1) Laws specifically demand that site must be outside Finland to be censored. http://lapsiporno.info is not, its located in Finland. 2) Laws specifically demand that site must host child porn to be censored. http://lapsiporno.info does not contain any child porn. 3) The attack is not motivated by RIAA or similiar industry to kill of P2P. The attack is purely motivated to kill of discussion and information sharing about this censorship. http://lapsiporno.info is the only site dedicated to this issue. This attack is direct attack against freedom of speech by police of Finland. 4) The blacklist used to censor sites off the net doesnt really even contain child porn sites. I personally checked the lists about 45 minutes, visiting dozens of pages (via Tor-network) and did not see a SINGLE child porn image or movie etc. Its total bullshit and censorship of legitimate sites. This is the level of freedom of speech here in Finland. Im very, very dissapointed and shamed to be a Finn. And this isnt over, they are going to expand this censorship to block access to internet gambling, soon hate speech etc. etc. 1984 is here today. Luckily the site is already mirrored in several places (and if needed, I will get them dozen or so more mirrors, I couldnt care less what happens then). Also, it has raised little critics about this law and police actions. Unfortunally, this issue hasnt been discussed much outside Finland. Hopefully it is now. More info in english http://en.wikinews.org/wiki/Finnish_internet_censorship_critic_blacklisted And in finnish http://markusjansson.blogspot.com/2008/02/ajatuspoliisi-sensuroi-netist-sensuuria.html ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] PWDumpX v1.4 (and GUI:s)
OK, OK, I get your point. If you use GUI, you are lamer, because you could do fine without them 20 years ago so you should be able to do just fine without them now too. Its just lazy mans way of doing things to use GUI, and especially lazy and now knowledge enought peoples way of doing things. The same logic should also point us, that its lame to use cars, because we humans have had two legs for millions of years. Anyone who travel by car, bus, train, bike, or any other mean of transportation than just using their 2 legs, is therefore to be concidered a lazy lamer. After all, it takes guts and stamina to walk/run to places, and not everyone can really do it. Besides, you can go to many places by foot where its very difficult to travel using, for example, car. Id say its pretty damm hard trying to climb Mount Everest using car, but you can somehow do it with your 2 legs. Wake up to this day people. Things evolve. DOS is 20 years old stuff. If you are still running only DOS or other command line OS stuff, I think that you really should concider upgrading to OS and stuff that have clean, easy and fast GUI:s. (BTW. My doubleclicking on desktop icon is maybe 200x faster than you writing two lines of command line crap to get the program to do the same thing I make it do with just doubleclicking it with my mouse.) -- http://www.markusjansson.net http://markusjansson.blogspot.com PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] PWDumpX v1.4
How about a nice GUI? Or atleast some kind of GUI? I dont know what OS are you using, but I stopped using MS-DOS about 15 years ago. Im sure there are folks out there who just lve command line crap, mostly Linux users I suppose, they obiously are still missing what even Windows 3.11 had. But most of us who live in this day are used on using OS and programs that work via GUI. Thank you. Markus Jansson Finland -- http://www.markusjansson.net http://markusjansson.blogspot.com PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Re: Backdooring PDF Files
POC did nothing for my Foxit PDF reader. No www-page was opened and no script was executed. Maybe you folks should just dump the clumsy and insecure Acrobat Reader and move onto something better for reading .pdf documents? ;) -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Re: Tabloid phone-tapping net widens
It seems to me that this may be a global, not UK-specific vulnerability which probably affects all of the world's 1 billion mobile phones (just a guess) on each of the world's carriers. My question is, what are the vendors doing about it? The usefulness of their technology is undermined if it cannot be trusted. The immediate remedial step for users appears to be to make their PINs difficult to guess. One simple solution would be to make it possible for users to disable voice mail access to all other than the actual phone(number) that is using that voice mail account. Kinda make it trusted number and concider all others untrusted unless trusted number tells the system that number X can also be concidered trusted. Ofcourse this makes no difference if anyone can fake the phone number they are calling or sending SMS from. In Finland, atleast, this is not possible since phone numbers are not directly trusted when authenticating phone or SMS senders, but the trust comes from the operator who confirms that number X really belongs to phonecall Y. (Ofcourse I think it might be a bit paranoid solution to encrypt all voice mail with users publickey and then allow them to be decrypted only by the privatekey stored in protected area of the recipients SIM card, but anyway...) -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Fw: Researchers hack Wi-Fi driver to breach laptop
I bet I wasnt the only one just waiting first publications about these kinds of attacks. The drivers of various WiFi hardware are vulnerable and can be exploited very efficiently, even if the computer is not connecting/trying to connect to some network. Only defence is to turn them physically off when you dont need them and limit your usage of them to somewhere safe. Concidering the range of these devices (BT over a mile away, WLAN even more, HSDPA even much more), threath is serious. http://www.infoworld.com/article/06/06/21/79536_HNwifibreach_1.html Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver. ... Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access). ... The victim would not even need to connect to a network for the attack to work...You don't have to necessarily be connected for these device driver flaws to come into play, Ellch said. Just because your wireless card is on and looking for a network could be enough. ... More than half of the flaws that the two researchers found could be exploited even before the wireless device connected to a network. -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Re: PGP Truecrypt A Nasty Security Bug
From what I understod, this is really not any kind of bug. The issue is simple: If you have encrypted something the way PGP/Truecrypt does (that is, it creates encryption key and encrypts that with encryption key created from your passphrase), you can ofcourse do this. How? Well, since you can always hold the original encryption key used. It doesnt matter how many times the passphrase is changed, since the original master encryption key remains the same. This is the basic issue here. Lesson: Dont just change passphrases when re-using encrypted containers etc. but RECRYPT the container. Point: Anything encrypted with PGP/Truecrypt is still secure if you have complex passphrase on it and dont let anyone else know what it is. -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Re: Windows XP Home LSA secrets storesXP loginpassphrase in plain text (John Doe)
John Doe sayed: As what comes to EFS, once you get hold of the administrator account, you can decrypt the EFS for _all_ users on the computer. It doesn't matter how you acquired the password. In Windows 2000 this is true, however, in Windows XP this is NOT TRUE. In Windows XP the EFS private key is encrypted using users passphrase and without the passphrase, you cannot decrypt it. In Win2k this is not the case, in Win2k 1) Administrator is the (compulsory) recovery agent and can decrypt all EFS files anyway. 2) Users private keys are not stored encrypted in the system and anyone who can simply sign in with that users credentials (like with 3rd party tools) can decrypt users EFS files. If you dont believe me, I promise to give you 1 euros if you can decrypt my EFS files by simply signing into my computer as administrator. If you cannot do that, you will pay me 1000 euros, ok? -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Re: Windows XP Home LSA secrets stores XP login passphrase in plain text
Heh, couple minor corrections to the original post: Now, let me clear few things up, ok: - Im not talking about bruteforcing NL/NTLM/NTLMv2/NT hashes. Im ofcourse talking about LM/NTLM/NTLMv2/NT hashes. - HOWEVER, if you can actually GET the users password (he is currently using) the way Im talking about now, you can do a lot of harm with that. You can, for example, decrypt all EFS encrypted files in normal situations (since users EFS privatekey is encrypted using users passphrase). Ofcourse XP Home edition does not have EFS at all, but this attack/bug is also present in some XP Pro. -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Windows XP Home LSA secrets stores XP login passphrase in plain text
This again proves the reason to do some hacking of your own system, things like these would otherwise go unnoticed... OK, I setup Windows XP Home, did the regular securing up (the much you can do with Home edition), like for example setting that users must use passwords and usernames to sign in, use control+alt+delete to sign in, disabled automatic login to Windows etc. etc. Rebooted, changed my account X passphrase, then rebooted again. Then I signed in to other admin level account (account Y) and ran Cain Abel and used it to dump LSA secrets...wellwellwell...Windows stores my account X Windows XP login passphrase in plaintext in DefaultPassword field! My Windows XP should NOT store any Windows passphrases in clear text on the hdd, but only stores the passphrases hash (LM/NTLM/NTLMv2/NT)...UNLESS specific settings are set (allowing automatic login to Windows). But it does. Other people have also verified Windows sometimes does this, even if specifically set not to save it. I understand that LSA Secrets might / should store user X password in memory for the time the user X is signed in, so it can be used to authenticate the user to maybe third-party sites, network drives, etc. But when user X is logged out of the system, user Y cannot/should not see users X:s Windows XP password since it is NOT loaded into memory (from where it could be loaded into memory if user has not entered it yet because user X hasnt signed in on this session yet?!?). So, in this case, its seems that Windows IS storing the users passphrase in somewhere in plaintext, what it should not do. Now, let me clear few things up, ok: - Im not talking about bruteforcing NL/NTLM/NTLMv2/NT hashes. - Im not talking about using rainbowtables to fetch the password. - Im not saving anything under any Outlook Express, MSN, saved passwords or anything in the whole XP Home computer (so that if I used same passphrase on them too, CA could somehow recover that). - Yes, its true that inorder to do this, you must have SeDebug priveledge set to the user and admins can always reset any users passphrase (and anyone with physical access to the computer can always get admin permissions using 3rd party tools). - HOWEVER, if you can actually GET the users password (he is currently using) the way Im talking about now, you can do a lot of harm with that. You can, for example, decrypt all EFS encrypted files in normal situations (since users EFS privatekey is encrypted using users passphrase). You can, for example, try that same password in all kinds of places where that users is logging in (since chances are hes using the same password or variations of it elsewhere). - Yes, if/when villan can get admin permissions or physical access to the computer, the game is lost in sense, that it can be loaded with all kinds of hardware and software keyloggers and insecure settings, so that the next time users sign in to the computer, their passwords etc. can be recorded and abused by villan. However, notice the words next time users sign in! If someone steals the computer, that doesnt happen. If someone leaves hints that system is tampered, that doesnt happen. BUT, in this scenario I have told you, all you need is to GET the access to the computer and game is over, you dont have to wait users to sign in next time to the computer! This is very important issue when thinking about this bug regular keylogging/insecuring the system. - Nobody, including admins, should NOT be able to see plaintext passwords and Windows should NOT store them in the computer unless specially ordered to do because of some weird configuration or usability thing. Now, the funny thing is, that if I changed my password via Control Panel - User Accounts, the new password would always be recorded in the LSA Secrets and recovered by CA. However, if I used control userpasswords2 to SET my password, the new password would NOT be recorded to LSA Secrets and CA could not recover it from there. This similiar bug has been discussed earlier in here, but with no solution or idea about why its there: http://www.derkeiler.com/Newsgroups/microsoft.public.security/2005-05/0765.html Ongoing discussion about the subject in: http://www.dslreports.com/forum/remark,16012871 -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Windows XP Home LSA secrets stores XP loginpassphrase in plain text
Johd Doe sayed: Markus, if a villain has physical access to your computer you have bigger issues than this. You obiously didnt bother to read these part of my message: - You can, for example, decrypt all EFS encrypted files - You can, for example, try that same password in all kinds of places where that users is logging in (since chances are hes using the same password or variations of it elsewhere). You can NOT do these if you just get physical access to the computer (without this bug), since EFS remains secure and your password unknown to attacker. Especially focus on the following I sayed: - ..The next time users sign in to the computer, their passwords etc. can be recorded and abused by villan. However, notice the words next time users sign in! If someone steals the computer, that doesnt happen. If someone leaves hints that system is tampered, that doesnt happen. -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] NISCC DNS Protocol Vulnerability
http://www.niscc.gov.uk/niscc/vulnAdv-en.html The vulnerabilities described in this advisory affect implementations of the Domain Name System (DNS) protocol. Many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all. Impact: ..DoS...memory corruption...stack corruption...buffer overflow exploits Vendors affected: Cisco, Delegate, Ethereal, Hitachi, ISC, Juniper Networks, MyDNS, pdnsd, Sun, Wind River Microsoft Whole stuff in .pdf format http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] PasswordSafe 3.0 weak random number generator allows key recovery attack
I wonder why havent anyone posted this one here yet?!? Concidering the fact that Password Safe is used to create and store users secure passphrases in one database, the compromise of this database could be horrible...therefore I see this attack/bug also as horrible. http://www.securityfocus.com/archive/1/428552/30/0/threaded Title : PasswordSafe 3.0 weak random number generator allows key recovery attack Date : March 23, 2006 Product : PasswordSafe 3.0 Discovered by : ElcomSoft Co.Ltd. ... PasswordSafe 3.0 utilizes two different random number generator (RNG) functions: Win32 API RtlGenRandom() and standart Visual C++ rand(). RtlGenRandom() is not available on Windows prior to Windows XP (i.e. Windows 2000, Windows NT, Windows Me) so rand() is used instead. Specifically, rand() is used to generate 256-bit database encryption key. It is widely known that using rand() in cryptographic applications is not secure due to its predictbility and small internal state. ... It is possible to mount guaranteed decryption attack on PasswordSafe 3.0 databases created under OS prior to Windows XP. The attack is very simple: 1. Generate 256-bit key for every possible seed value 2. Decrypt first database record (the structure is documented, so we have known plaintext attack) 3) Check decrypted value against the known plaintext ... The total number of all possible seed values is limited by 2^32, so it is quite feasible. Our experiments show that the key can be recovered in less than 6 hours on the single PC (Pentium 4). Can anyone confirm 1) Is version 2.xx also vulnerable (either on XP or other OS)? 2) Password Safe has ability to create secure passphrases, are they too insecure because PRNG is insecure in PSv3? 3) Is there a fix available? 4) Is there a more secure password manager solution available? ;) -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-Disclosure] Insecurity in Finnish parlament (computers)
Olli Haukkovaara sayed: Your answer below is in fact what I expected - you can not be sure about this issue, because you can not proof it. I am (pretty darn) sure about the issue, even I cannot provide you with specific facts about some vendors and model numbers. I have received information and talked about the subject with people who are into this business. Its like that you would say that Australia exists and I would start to argue against you, that you cannot be sure it exists, because you cannot provide me exact information about the lenght of the coastline of Australia etc. Wake up. Besides, all of this is irrelevant to the subject in hand: Insecurity of TeliaSonera A5/1 and the fact that our goverment/parlament would need to have some people working in the compsec/infosec section that would understand and care about these issues. -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-Disclosure] Insecurity in Finnish parlament (computers)
Olli Haukkovaara sayed: Can you state some models of GSM base stations /,message centers that support A5/3 in GSM networks? No, I cant, because Im not an expert on GSM base station hardware systems. :) I bet you better ask Nokia Elisa about that issue (and hope that they will answer you anything)...unless someone in the list can point out references? I only know that there is hardware for that and it is used. I cant name the brand and model of it. ;) -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
re: [Full-Disclosure] Insecurity in Finnish parlament (computers)
Juha-Matti Laurio: http://blogs.securiteam.com/index.php/archives/299 entitled as Cell phone operator sent 7000-large government account information with unprotected e-mail. Good article, but it lacks one important aspect of the fiasco: TeliaSonera also disabled crypto (A5/1) on GSM:s for some time, which made it possible to eavesdrop on its/goverments GSM:s. This was a the big fuzz. OK, basically whether or not you are using A5/1 or A5/0 makes no difference, since A5/1 is so easily cracked that any serious attacker can do it anyway (or crack COMP-128-1 or COMP-128-2). If you have the tools to capture/listen GSM calls, you can relatively easily get the stuff to attack A5/1 and COMP-128-1 or 2 anyway. But ofcourse it was nice to hype about the fact that TeliaSonera disabled crypto too. And maybe some folks dont still understand that A5/1 is broken and think that it offers some protection. LOL. Anyway, only sensible way to secure govermental cellurar phones would be use strong crypto/suitable GMS:s, like http://www.cryptophone.de/ so that every member of goverment/parlament could talk securely with any other member of govermenet/parlament and some officials too. Ofcourse if people in Finnish parlament or infosec/compsec sections would know a drek about crypto and security, they would have already done it. ;) Putting all their eggs again in one basket (Elisa) and without strong end-to-end-crypto does not help much. BTW. How long would you think it would take them to spot false-base-station type of attacks near our parlament house? ;) -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
re: [Full-Disclosure] Insecurity in Finnish parlament (computers)
On Tue, 21 Feb 2006 14:07:50 +0200 Juha-Matti Laurio juha- [EMAIL PROTECTED] wrote: TeliaSonera also disabled crypto (A5/1) on GSM:s for some time, which made it possible to eavesdrop on its/goverments GSM:s. This was a the big fuzz. I'm aware about these claims, but Mr. Esa Korvenmaa, spokeperson of TeliaSonera Finland says this is not true. Well, several people in different discussion forums in Finland found it out by GSM analysing tools and posted it up. Those tools shown that peoples phones (in TeliaSonera network) used A5/0 cipher, meaning that no encryption was used. I doubt that all of them are simultaneously lying and TeliaSonera is telling the truth. :D -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-Disclosure] Insecurity in Finnish parlament (computers)
Cruzan wrote: I know that there is a documented case that Russian KGB authorities switched GSM crypto off from base stations in St. Petersburg area during 2003 when there were lots of foreigners visiting at St. Petersburg's 300 years celebreations. I guess you refer to FAPSI/GRU authorities? ;) But I have not seen any document about the incident that Markus refers below. Can you show us some evidence about that or is that just another urban security legend? Finnish, sorry http://mikropc.net/uutiset/index.jsp?categoryId=atkday=20060215#w200602150926118974 Ministeriö varoitti henkilöstöään välttämään arkaluontoisista asioista keskustelemista matkapuhelimessa viime perjantaina. MuroBBS-verkkopalvelussa sekä keskusteluryhmissä esiintyneiden tietojen mukaan Soneran gsm-salaus on kyseisenä ajankohtana ollut pois päältä. Nokia network monitor -työkalulla verkkoa tarkkailleet ovat raportoineet verkon Ciphering-arvon olleen tilassa 'OFF' esimerkiksi Elisan verkon näyttäessä normaalia A51-salaustietoa. Also, it was discussed in the newsgroups I recall... What do you mean by message center ? Do you mean MSC (mobile service switching centre)? Encryption/decryption in GSM is done in between MS (mobile station) and BS (base station). Keys are stored in SIM and AuC (authentication center). Maybe some with more expertise in english and technical terms could help me out here... :) Anyway, the point is that GSM encryption is NOT done literally between BS and user. Its done in message center and user. Sometimes MC is in same location as BS, but sometimes not (for example, in countryside where there are fewer BS and its impossible to physically secure them so tightly, so the encryption/decryption is done in more secure enviroment in message center, behind some datalinks). Anyway, can you point some vendors that provide hardware that supports A5/3 ? Its been out there for almost 4 years, there is hardware support for it. Also, in Finland 3G networks are getting up everywhere and they ofcourse support A5/3. ;) For example http://www.ttpcom.com/en/products/silicon/cbemacro.htm -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
re: [Full-Disclosure] Insecurity in Finnish parlament (computers)
Olli Haukkovaara cruzan at gmail.com Mon Feb 20 08:52:01 GMT 2006 Or can someone point me some GSM base station model that supports A5/3 ? At least I googled a lot, but could not find any... Its not about base stations. The encryption/decryption is not done in base stations, but in message centers. Sometimes, true, they are located in same spot. But they are still not the same thing, but two different components of the GSM network. BTW. Talking about insecurity of Finnish parlament and TeliaSonera:s GSM, take a look at these (sorry, only in Finnish) latest issues about TeliaSonera having no idea about security whatsoever. Luckily, they are moving to their GSM:s on Elisa networks... :) http://www.digitoday.fi/showPage.php?page_id=14news_id=53413 http://www.digitoday.fi/showPage.php?page_id=14news_id=53434 -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Mozilla Thunderbird SMTP down-negotiation weakness
Tim wrote: I agree that this is less than optimal. Could you point me to the bug report you filed in bugzilla that requests these changes? Here is one, you can follow the links to other ones :) https://bugzilla.mozilla.org/show_bug.cgi?id=154641 It probably isn't that hard. Why don't you write a patch? I dont have any knowledge of programming. Honestly though, this stuff is such a miniscule portion of overall security... How many users actually care when websites don't even have valid certificates? Heck, most browsers don't even check for CRLs by default, including IE. True, but the ones who would like to check, they find that it is impossible. And the ones who are not used to check it, take an example from Opera how to make them check it: It clearly displays the symmetric and asymmetric key sizes in the addresslike/statusline when you are in https connection. Also, it warns if the symmetric keysize is secure, but asymmetric is insecure. There are many many more, much easier ways to steal someone's sensitive info without attacking the crypto. Sometimes. But that doesnt mean that obious weakness should not be fixed. Heck, why even bother patching at all, since the weakest link is always the dumb user who will execute any file you email to them...lets just forget Windowsupdate then, and new versions to Firefox, right? ;) -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Mozilla Thunderbird SMTP down-negotiation weakness
Madison, Marc wrote: When will Mozilla get it right? There products seems to be riddle with encryption problems? My suggestion; hire someone that knows how to implement encryption CORRECTLY. I have to agree. Lets not forget that STILL all Mozilla products fail to show RSA/asymmetric keysize in any sensible format. Users of Mozilla products have no idea about safety of SSL/TLS connections, since the information about asymmetric keysize is not shown properly (= read: Its not shown at all unless you want to start calculating it from the raw form of the asymmetric key). You can easily check the symmetric (RC4/AES) keysize (40/56/64/128/256 bits) when selecting Page info - Security, but nothing shows you how large the asymmetric keysize is (512/1024/2048/4096 bits)! This is very, very stupid. Firefox, for example tells you that you have high grade encryption when you have AES-256-CBC with 512bit RSA! Since 512bit RSA only gives a work factor of about 2^60 and AES-256-CBC about 2^120 (if you think the most advanced attacks that only work in very, very theoretical form could be implemented against it)...well, who would even dream on cracking AES-256 when all they have to do is to crack 512bit RSA to get even better solution! It cant be THAT HARD to implement a feature onto Mozilla products that would show asymmetric keysize. Opera does it. IE does it. Why cant the geeks at Mozilla do it too? Because the seem to lack even basic knowledge of crypto... :( -- My computer security privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/