Category Archives: Encryption
Another day, another set of cracking tools.
Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular encryption protocol based on an algorithm from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator.
The tools crack WPA2 (Wi-Fi Protected Access) and VPN passwords used by corporations and organizations running networks that are protected by the PPTP (Point-to-Point Tunneling Protocol), which uses MS-CHAPv2 for authentication.
ChapCrack captures the MS-CHAPv2 handshakes, or SSL (Secure Sockets Layer) negotiation communications, and converts them to a token that can be submitted to CloudCracker.
It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack where the DES (Data Encryption Standard) keys are cracked. With that data, someone can see all of the information traveling across the Wi-Fi network, including sensitive corporate e-mails and passwords, and use passwords that were revealed to log in to corporate networks.
The tools are designed for penetration testers and network auditors to use to check the security of their WPA2 protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.
Yet another reason for businesses that haven’t done so yet to move beyond PPTP and Windows XP.
Courtesy of the first stable release of a Firefox add-on.
The tool does not let you force HTTPS (Hypertext Transfer Protocol Secure) willy-nilly on Web sites. Instead, it includes a series of rules that support sites that allow HTTPS encryption. The Electronic Frontier Foundation said in the blog post announcing the release that it encompasses more than 1,000 popular sites, including Google Search, Wikipedia, Twitter, Facebook, bit.ly, GMX, WordPress.com blogs, The New York Times, PayPal, EFF.org, Tor, and Ixquick. The extension was co-developed by the EFF and the Tor Project, which is a Web service that encrypts data transmitted to and from your computer.
Not only is HTTPS Everywhere site-dependent, even sites that it works for might have some content that slips out of the encryption. The best way to check this, the EFF wrote, is to ensure that your browser’s lock icon isn’t broken or carrying an exclamation mark. “However, the effort that would be required to eavesdrop on your browsing should still be usefully increased,” the blog post said.
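The two points above (rules that upgrade only sites known to support HTTPS, and content that still slips out of the encryption) as an added Python sketch, not code from HTTPS Everywhere or the EFF. The host list, `upgrade`, `find_mixed_content` and the sample page are hypothetical and constructed, and the rule format is a simplification rather than the extension's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical rule set (constructed): hosts known to serve their pages over HTTPS.
HTTPS_HOSTS = {"example.org", "www.example.org"}

# Tag -> (URL attribute, kind). Active content can rewrite the page that loads it.
SUBRESOURCES = {"script": ("src", "active"), "iframe": ("src", "active"),
                "link": ("href", "active"), "img": ("src", "passive")}

# Constructed sample page, assumed to be served from https://www.example.org/
SAMPLE_HTML = """
<img src="http://example.org/logo.png"><img src="/local.png"><img src="//static.example.net/a.png">
<script src="http://cdn.example.net/app.js"></script>
<link rel="stylesheet" href="http://static.example.net/site.css">
<a href="http://example.net/">ordinary link, not a subresource</a>
<img src="http://img.example.net/banner.gif">
"""

def upgrade(url):
    """Rewrite http:// to https:// only when a rule covers the host."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in HTTPS_HOSTS:
        return parts._replace(scheme="https").geturl()
    return url

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attr, kind = SUBRESOURCES.get(tag, (None, None))
        attrs = dict(attrs)
        if not attrs.get(attr) or (tag == "link" and
                "stylesheet" not in (attrs.get("rel") or "").lower()):
            return
        # Resolve relative references, then apply the rules before judging.
        resolved = upgrade(urljoin(self.page_url, attrs[attr]))
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for each subresource still fetched over HTTP."""
    finder = MixedContentFinder(page_url)
    if urlsplit(page_url).scheme == "https":  # an HTTP page has no lock to break
        finder.feed(html)
        finder.close()
    return finder.findings
```

Any finding on an HTTPS page is a request an eavesdropper can still read, and an "active" one is a resource that could be altered in transit to change the page itself.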
The Federal Aviation Administration agreed Tuesday to purchase security software from Milwaukee-based PKWare for 50,000 of its desktop computers.
The software, SecureZIP, shrinks and encrypts computer files so they can be moved and stored easily, without being left open to hacking or security threats. SecureZIP meets the federal government’s requirements for data security, and the installation will cover the computers of everyone within the FAA who has access to sensitive information, said Tim Kennedy, president and chief operating officer of PKWare.
The installation comes three months after hackers stole 48 files from a computer server at the FAA, which is part of the Department of Transportation. Two of the stolen files contained the personal information of more than 45,000 current and recently retired employees. As a result, the FAA had to provide credit-monitoring services.
PKWare’s founder, the late Phil Katz, pioneered and popularized the data compression system commonly referred to as “zipping.” Since PKWare developed SecureZIP four years ago, more than 100 government entities have begun using the software, including the Department of Defense, Department of Justice and Nuclear Regulatory Commission. Most recently, the Centers for Medicare & Medicaid Services installed the zipping software.
The company’s government contracts give PKWare an advantage over competitors, particularly when important federal agencies are willing to talk about how their employees use PKWare software, Kennedy said.
“The government’s use is, to a certain extent, defining laws about privacy and the security of electronic information,” he said. When private companies “buy a solution like ours, they’re going to be in compliance with the mandates from the federal government on how they’re required to handle personal information.”
“Our opportunity now is that we can start to expand from within the Department of Transportation, in terms of more sales of both desktop technology” and other security software, Kennedy said.
Glad to see that the FAA is wising up, even if it is in reaction to a security breach as opposed to being a proactive move. Kudos to PKWare for providing a security solution that meets federal government mandates for handling personal private information.