How dead squid is made to dance when soy sauce is poured on it. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Comments

Lasershark • June 12, 2015 4:54 PM

New Intel processors are supposed to have a ‘feature’ called Intel Identity Protection Technology that allows websites using JavaScript to interact with the chip and determine its identity.

Jacob • June 12, 2015 5:17 PM

@Lasershark

I consider this indeed a “feature”. It is a Good Thing. If you don’t like it, you can either not install the required drivers or, I assume, disable the Intel ME in the BIOS.

Clive Robinson • June 12, 2015 5:49 PM

Dead squid twitching due to soy sauce…

A bit like oysters and lemon juice, or frogs’ legs and a little electricity (which apparently inspired Mary Shelley to give us Dr Frankenstein’s Monster).

I’ve seen something similar in my local Sushi Bar. I’d ordered some sashimi, and being the first customer for a particular type of fish, it was pulled live from the tank, then beheaded and prepared and on the plate in front of me in around thirty seconds. When I dipped it in the soy sauce and wasabi mixture it twitched; I glanced up to see the chef smile and say it was good fortune. Whilst smiling back I noticed the head of the fish on the preparation board moving its jaw as though gasping for air.

Fresh fish indeed but not quite as fresh as a drink I had in Norway, which was whisky with live elvers in it, the idea was to “knock it back” whilst they were still wriggling…

And before anybody asks, no I’ve not tried “live monkey brains” but I have tried live mopane worms (actually a large caterpillar), but like sea slug and snails they taste a lot better cooked with strong herbs and spices, though the kids there liked them fried and dipped in chocolate…

Benni • June 12, 2015 7:23 PM

The article on the nuclear power station says on page 2 that they also have notified the employees via email about the IP addresses of the internet server to which they have to connect when they want to administrate AKW Mühleberg….
I guess, they are a bit late, but at least they take the internet of things seriously…

Manuel • June 12, 2015 7:50 PM

Kaspersky leaves attribution up to the authorities and believes in responsible disclosure

http://www.channelnomics.com/channelnomics-us/analysis/2412985/kaspersky-not-our-job-to-hunt-down-our-hackers

In general, the attribution of cyber attacks is difficult to do conclusively; in order to know for a fact who is behind attacks, one must either catch the perpetrator in the act, the actors must admit to the attack, or law enforcement must uncover definitive forensic evidence that ties specific individuals to the acts in question. These activities are outside of the services and purpose that Kaspersky Lab delivers; they are the work of law enforcement investigators.

In the case of Duqu, the attackers intentionally introduced false information to confuse investigators, and used multiple proxies and jumping points to mask their connections. The use of these tactics make tracking them down to a definitive end source a complex problem, and it makes definitive attribution based purely on systems-based information dubious at best.

Some new details on the OPM hack

http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html

OPM is still assessing how many people were affected, spokesman Samuel Schumach said. “Once we have conclusive information about the breach, we will announce a notification plan for individuals whose information is determined to have been compromised,” he said.

Employees of intelligence agencies, such as the CIA, generally do not have their clearance checks records held by OPM, although some do, officials said.

“That’s the open question — whether it’s going to hit CIA folks,” the second official said. “It would be a huge deal.
They could start unmasking identities.”

In the past year or two, the Chinese government has begun building massive databases of Americans’ personal information obtained through cyberespionage. Besides the series of OPM intrusions, a federal government contractor that conducted background investigations for OPM and the Department of Homeland Security was hacked last year by the Chinese. And Beijing has been linked to penetrations of several health insurance companies that hold personal data on tens of millions of Americans.

Lasershark • June 12, 2015 8:12 PM

Regarding Intel Identity Protection Technology

This ‘feature’ is already available using usb tokens from RSA. The difference is that the token is ‘opt in’ while the Intel chip is ‘jailed in’. As if we can trust that this ‘feature’ won’t be used to identify specific machines on the internet.

Godel • June 12, 2015 8:25 PM

While browsing on the Tails website I saw this little gem:

When sending an email from an IMAP account, Claws Mail does the following:

1. It connects to the IMAP server and stores a plaintext copy of the email in the Queue folder on the server.
2. It encrypts the email locally.
3. It sends the encrypted email through the SMTP server.
4. It connects to the IMAP server and stores an encrypted copy of the email in the Sent folder on the server.
5. It connects to the IMAP server and deletes the plaintext email saved in step 1 from the Queue folder.

The Claws developers have been aware of this since December 2013 but have so far only published work-arounds. Apparently they think it’s not important and their comments virtually blame the users for not knowing that they have to configure their mail setup so as to avoid this.

Is it any wonder that encrypted mail isn’t more widely employed by the average user?

Thoth • June 12, 2015 8:29 PM

@Lonely Stranger, Nick P, GeorgeL

I think we miss the fact that high level languages for security settings are actually nearer to us and more common than we think.
Most smartcard chips with JavaCard support use Java as the high level language albeit the lack of a whole slew of standard Java functions. In these smartcard architectures (JavaCard and GP architectures), they have concepts of virtualized resources, application firewalls, resource sharing security and the likes (at a CC EAL level somewhere around 5+ for most).

For the concern of attackers manipulating the memory access physically, you can encrypt and sign the memory blocks on the external or internal memory but the trade off is memory consumption. Secure code processing (secure execution) can be done in a tamper resistant security chip where you load your secure bootloader, microkernel and most critical functions while using the security chip’s internal limited RAM space to do the secure stuff and when you load the userland applications, you may use external RAM space while using the security chip’s signing and encryption key on the memory blocks.

This would have allowed a physically more secured deployment of the high security microkernels in a relatively higher physically secure and logically secure setting.

Thoth • June 12, 2015 9:21 PM

@Godel

Good old way of handling PGP/GPG email without a mail client is to encrypt/decrypt emails without using a mail client’s cryptographic capability but to simply use the PGP/GPG tools like the command line or GPA to do the trick. If one user wants to send images or media to another user, they could simply zip them up and email the PGP/GPG ASCII armoured text to each other over any sort of mail client regardless of whether it is Gmail, Yahoo or personal mail servers.

I am very doubtful if Claws, Enigma or Mailpile have been fully audited for their security functions so it’s best to not touch them directly lest the same thing of storing unencrypted drafts happens again or something more serious than that.

The storage of encrypted and decrypted emails at rest on the client side can be done using an encrypted volume (e.g.
a variant of Truecrypt).

Godel • June 12, 2015 9:54 PM

@ Godel, Thoth

I just tried the following in Evolution:

New (message)
(Type something)
Options -> PGP Sign
Options -> PGP Encrypt
File -> Save as Draft

The message is stored locally in plaintext, unsigned, which brings up some questions:

Should a draft message be signed if it is saved? Perhaps, but not in such a way that would allow an attacker who obtained that message to simply send it on to your recipient as if it were your final intended communication.

Should a draft message be encrypted if it is saved? Absolutely; I should think so.

Nick P • June 12, 2015 10:39 PM

@ Godel re Thoth’s suggestion

You can use this cheat sheet to use GPG without knowing GPG. Just gotta verify that you got the right key and the other person does the same. Past that, you can communicate with text files encrypted and decrypted using commands on the site. Encrypted ones end in .gpg. Can encrypt other media that way, zipping it as Thoth noted. Could be some metadata exposed but I think GPG protects that. I haven’t been concerned about that given who I use it with.

So, you install it, each generate key file with command, share it securely somehow (esp in person), and then communicate with texts protected by those cut and pasted commands. Save that page onto your own PC with Save as HTML only, too, to avoid a future MITM attack.

EDIT re latest comment: I have no opinion on that as I don’t know the specifics of the product or what’s going on when you do that.

@ Thoth re GPG

It’s funny as I’ve been saying about the same thing on HN. You should read the comments here on how hard GPG is to use. I took time to tell each one individually that a person with only Google and cutnpaste can use the tool. That a panel of technical experts just gave up after 2 hours of work was… hilarious. If it’s even true.

More disturbing is the response to my comment on ECC patents. The NSA rebuttal was fair as theirs are expired.
Yet, it’s strange that all those people thought there were no patents on ECC despite it being a multi-million dollar source of income. It was getting amused because they started downvoting instead of responding while others upvoted me back up. I knew the Matasano guy was there: my rep always drops 1 point followed by a comment notification. I told him that the nonexistence of ECC patents was a neat trick given that they sold for 7x his company’s value. Edited comment to reflect what good feedback I got. Moving on.

re languages

That’s a good observation. However, they tend to use a combination of an abstract machine (VM), a verification component, and a safe language built for the VM. This powerful combination has been proven numerous times. It’s one model among many, though. Another is an inherently safe piece of hardware (eg SAFE, SSP). Another is a runtime or translation tool that makes unsafe code safe (eg full CFI, C-to-JVM compilers). Another is a language with optional runtime that inherently prevents certain problems (eg Ada, ParaSail, Ur/Web, Haskell) and might be compiled to arbitrary machines. Another are type-systems and domain-specific languages that prevent specific types of problems while outputting code that can integrate with other components. These may be used individually or all together.

The memory crypto is accurate as that’s what academic and commercial work is doing. I’ve already sent you the specifics on that, though. The schemes are getting better each year. One had a formal security argument that was pretty nice. One of few I’ve seen for hardware.

rgaff • June 12, 2015 11:51 PM

@Nick P

Re: that HN thread… OMG people berating you for copying a command off an “unsecured” cheat sheet off the net?
Cheat sheets are reminders of stuff you already know or used to know or can easily look up in the docs and verify, not unintelligible gobbledygook that better be signed or you’re toast… I use them all the time for parameters I can’t quite remember but I know I’ve used them before…

Nick P • June 13, 2015 12:09 AM

@ rgaff

Exactly! We all use them for that exact reason. They overlook that critical, little detail as the zealots push their position. I’ve determined “kragen” is part of the OpenBSD team. He’s been grasping at straws with his bogus arguments on this and the patent debate. His recent claims on the patent part of the discussion, especially that zero patents apply to current ECC, are damaging his credibility. As I told him, people wouldn’t be paying a fortune if patents had zero impact on ECC implementations. That’s what they have lawyers and engineers to prevent.

It’s all good fun, though, as the commenters are showing their true colors and other readers have been reacting. 🙂

rgaff • June 13, 2015 1:37 AM

@ Nick P

Put more precisely… docs are often horrible, and don’t start with common usage at the top, explaining first and most obviously what you most likely are there for… they usually just overwhelm you with a complete reference list of minutia that confuses you and you can’t figure out what you need to do without a very long laborious process of deciphering and learning it all… and THAT is why cheat sheets are so valuable.

But still… NEVER BLINDLY copy stuff off a cheat sheet… know what it does first! (Not saying you, Nick P, have a problem with this, just emphasizing for future readers here!) They’re great for giving examples of common usage (which docs often overlook!!), but always know what you’re running before you run it…. and that usually means looking up the options back in the documentation reference for anything you don’t already know and just needed a reminder.
Hopefully that’s a slightly more balanced way of looking at it than kragen 🙂

For security’s sake though I really do wish one could take the best features of OpenBSD like the general anally careful programming, and other concepts like Mandatory Access Control (MAC) and Address Space Layout Randomization (ASLR) and jam them all together on a hardware tagged architecture and several other complementary security practices I’ve read about and a few I haven’t…. It wouldn’t even need to be a full-featured computer and operating system at first, just make a nice actually secure home router/firewall first and grow slowly and carefully from there… sigh.

Benni • June 13, 2015 3:31 AM

Apparently, thanks to these documents

http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html

the Chinese now know something about what NSA is doing in their networks. And they seem not to like that and have upgraded:

The Chinese hack on the US government personal database was more severe than first acknowledged

http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html

a database holding sensitive security clearance information on millions of federal employees and contractors also was compromised.

In an announcement, OPM said that investigators concluded this week with “a high degree of confidence” that the agency’s systems containing information related to the background investigations of “current, former and prospective” federal employees, and others for whom a background check was conducted, were breached.

So the Chinese have the data of CIA and NSA agents…..

I seriously think they should put all the data they got here on wikileaks. Simply publish the real names, CV, and postal addresses and operations of all CIA and NSA agents that are doing something not directly related to anti-terrorism…..
Perhaps the United States will now learn that introducing backdoors in consumer products, weakening encryption algorithms that are used by everyone and manipulating shipments is not a good thing. Others can, and will do that too, and attack the US, especially if the US behaved like that in the past….

Food Mule • June 13, 2015 3:55 AM

Re: ”Kaspersky leaves attribution up to the authorities and believes in responsible disclosure”

They definitely did the right thing. No cover ups.

As an observation of recent happenings, cyber attacks and breach attribution appear to have shifted from fame seekers of the not so distant past to nation state adversarials. Is it because people are tired of reading the old antisec anons soaps, so hard to sell papers and clicks, or is there a more nefarious purpose?

As for the south China sea, hasn’t it always been the mess?

01 • June 13, 2015 6:04 AM

With regards to the Intel Identity Protection Technology

Apparently, it is possible to thoroughly disable Intel Identity Protection Technology 🙂

It requires a whole bunch of drivers (windoze-only by the way, as far as I can tell) and a service.

By uninstalling the service and all the attendant dlls one can effectively gut this functionality (or, one could install, I dunno – debian or something – that will gut I2PT too!)

http://www.shouldiremoveit.com/Intel-Identity-Protection-Technology-13783-program.aspx

http://windowsvc.com/bbs/board.php?bo_table=windowsvc&wr_id=1441

One can also refrain from installing chrome/firefox plugins for this thing (or uninstall them) which are apparently crucial for using this thing correctly, thus one can have “lol anonymous” browser without Intel IPT and a “bizness stuff” browser with plugins installed (though this is of course less radical than purging the entire thing or moving your “anonymous” browsing needs into a VM, the latter being a reasonable thing to do irrespective of I2PT)

AlanS • June 13, 2015 6:55 AM

@Slime Mold with Mustard

Thanks.
Modern ‘democracy’ in action: using surveillance for highly efficient and targeted lying.

Curious • June 13, 2015 7:31 AM

Why is curve 25519 (Twisted Edwards curve) used in ECC? I saw it was mentioned on twitter and there was a link to a NIST video.

For someone like me that doesn’t really understand ECC, I still found it a little odd that according to Wikipedia, one of the requirements of an ‘elliptic curve’ is that it isn’t self intersecting, however curve 25519 appears to intersect [redacted] on the cartesian coordinate system.

This apparent requirement of the curve for not being ‘self intersecting’ (not being singular) is really the only thing that caught my interest about curve 25519, after hearing about curve 25519 being used in cryptography somehow. I just thought this might perhaps be a little odd, but otherwise, I am not really into ECC and wouldn’t know any better.

My mind toyed with the more nonsensical notion of possibly there being a rounding of number values around origo (0,0), or even some kind of cancelling of rounded number values. I was once apparently able to help fix a broken feature in someone’s software, by pointing out the likely requirement of using floating point numbers for sake of precision (in some other software I read about years ago) when there are successive rounding errors with successive transformations of points on a scalable grid. 😀

Thoth • June 13, 2015 8:22 AM

@Nick P, Godel

That is the usual communication method I use when communicating with anyone when using PGP/GPG. I don’t trust those plugins.

@Nick P re: ECC Patents

While I was deploying the HSM for a particular customer of mine who is a CA, they bought the Thales HSM with ECC features and one of the problems was ECC licenses (not the HSM’s ECC license) but those that belong to the developers of the ECC algorithm namely Certicom, French agencies who develop ANSI curves, Brainpool and so on.
It is one thing to provide ECC on the HSM but it is totally a different game if you are “demonstrating or publicly using” the ECC in terms of providing services with ECC curves patented by Certicom, ANSI, Brainpool (the ANSI and Brainpool curves are harder to track down as the custodians are also unclear of the actual patent owners).

It took me quite a long time to try and hook my clients with the patent owners. Certicom and ANSI curve owners did not reply (but my customer supposedly managed to use other channels to get their attention). Brainpool custodians were also unsure of the status of the Brainpool curves in regards to their patents!!! In the end my CA customer managed to use their own cha…