Category Archives: Encryption

Easy Cracking of Microsoft Crypto

Another day, another set of cracking tools.

Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular encryption protocol based on an algorithm from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator.The tools crack WPA2 Wi-Fi Protected Access and VPN passwords used by corporations and organizations running networks that are protected by the PPTP Point-to-Point Tunneling Protocol, which uses MS-CHAPv2 for authentication.ChapCrack captures the MS-CHAPv2 handshakes, or SSL Secure Sockets Layer negotiation communications, and converts them to a token that can be submitted to CloudCracker.It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack where the DES Data Encryption Standard keys are cracked. With that data, someone can see all of the information traveling across the Wi-Fi network, including sensitive corporate e-mails and passwords, and use passwords that were revealed to log in to corporate networks.The tools are designed for penetration testers and network auditors to use to check the security of their WPA2 protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.

Source: Tools boast easy cracking of Microsoft crypto for businesses | Security & Privacy – CNET News.

Yet another reason for businesses that haven’t done so yet to move beyond PPTP and Windows XP

Advertisements

Flame malware incident causes Microsoft to revamp Windows encryption keys

Granted it’s reactive instead of proactive but looks like a good move by Microsoft.

Starting next month, updated Windows operating systems will reject encryption keys smaller than 1,024 bits, which could cause problems for customer applications accessing websites and email platforms that use the keys.

Image representing Windows as depicted in Crun...

Image via CrunchBase

The cryptographic policy change is part of Microsoft’s response to security weaknesses that came to light after Windows Update became an unwitting party to Flame Malware attacks, and affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, according to the Windows PKI blog written by Kurt L. Hudson, a senior technical writer for the company.

“To prepare for this update, you should determine whether your organization is currently using keys less than 1,024 bits,” Hudson writes. “If it is, then you should take steps to update your cryptographic settings such that keys under 1,024 bits are not in use.”

Source: Microsoft to revamp Windows encryption keys in face of Flame malware | Microsoft Windows – InfoWorld.

HTTPS Everywhere

Courtesy of the first stable release of a Firefox add-on.

The tool does not let you force HTTPS (Hypertext Transfer Protocol Secure) willy-nilly on Web sites. Instead, it includes a series of rules that supports sites that allow HTTPS encryption. The Electronic Frontier Foundation said in the blog post announcing the release that it encompasses more than 1,000 popular sites, including Google Search, Wikipedia, Twitter, Facebook, bit.ly, GMX, WordPress.com blogs, The New York Times, Paypal, EFF.org, Tor, and Ixquick. The extension was co-developed between the EFF and The TOR Project, which is a Web service that encrypts data transmitted to and from your computer.

Not only is HTTPS Everywhere site-dependent, even sites that it works for might have some content that slips out of the encryption. The best way to check this, the EFF wrote, is to ensure that your browser’s lock icon isn’t broken or carrying an exclamation mark. “However, the effort that would be required to eavesdrop on your browsing should still be usefully increased,” the blog post said.

Enhanced by Zemanta

 

FAA now using PKWare

Great news.

The Federal Aviation Administration agreed Tuesday to purchase security software from Milwaukee-based PKWare for 50,000 of its desktop computers.

The software, SecureZIP, shrinks and encrypts computer files so they can be moved and stored easily, without being left open to hacking or security threats. SecureZIP meets the federal government’s requirements for data security, and the installation will cover the computers of everyone within the FAA who has access to sensitive information, said Tim Kennedy, president and chief operating officer of PKWare.

The installation comes three months after hackers stole 48 files from a computer server at the FAA, which is part of the Department of Transportation. Two of the stolen files contained the personal information of more than 45,000 current and recently retired employees. As a result, the FAA had to provide credit-monitoring services.

PKWare’s founder, the late Phil Katz, pioneered and popularized the data compression system commonly referred to as “zipping.” Since PKWare developed SecureZIP four years ago, more than 100 government entities have begun using the software, including the Department of Defense, Department of Justice and Nuclear Regulatory Commission. Most recently, the Centers for Medicare & Medicaid Services installed the zipping software.

The company’s government contracts give PKWare an advantage over competitors, particularly when important federal agencies are willing to talk about how their employees use PKWare software, Kennedy said.

“The government’s use is, to a certain extent, defining laws about privacy and the security of electronic information,” he said. When private companies “buy a solution like ours, they’re going to be in compliance with the mandates from the federal government on how they’re required to handle personal information.”

“Our opportunity now is that we can start to expand from within the Department of Transportation, in terms of more sales of both desktop technology” and other security software, Kennedy said.

Glad to see that the FAA is wising up, even if it is in reaction to a security breach as opposed to be proactive move.  Kudos to PKWare for providing a security solution that meets federal government mandates for handling personal private information.

%d bloggers like this: