FBI wants backdoors

Recently, the director of the FBI, James Comey, stated that unless the government is given special access, cell phone encryption will prevent the FBI from doing its job, i.e. stopping terrorists. He noted that “both real-time communication and stored data are increasingly encrypted,” which prevents them from “lawfully pursuing criminals”.

He wishes to expand on the Communications Assistance for Law Enforcement Act (CALEA) of 1994, which mandated that telephone carriers build wiretapping capability into their equipment. No current law forces the companies that make phones and messaging software to do the same.

The director of the FBI stated that the default encryption in iOS 8, and the encryption soon to be default on Android, will block law enforcement from gathering evidence against suspects, and that the solution is for the tech companies to build “front doors” into the cell phones.

“We aren’t seeking a back-door approach,” Comey said, referring to a common term for encryption that has been intentionally weakened. “We want to use the front door, with clarity and transparency, and with clear guidance provided by law,” including court orders, he said.

He also notes that “adversaries will exploit any vulnerability they find,” and that to reduce the risk from the backdoor there should be development of “intercept solutions during the design phase”.

-Chris Lazarus

Navajo Code Talkers

-Chad Johnson

The Navajo Code Talkers program was proposed and implemented at the beginning of WWII by Philip Johnston, a WWI veteran who had been raised on a Navajo reservation and was one of an estimated 30 non-Navajos who could understand the language.

The Navajo language was appealing because of the complexity and uniqueness of its grammar, dialects, and vocabulary. It was an unwritten language and so complicated that even the closest neighbouring tribes could not understand it. The program was approved after Johnston set up a demonstration in which, under simulated combat conditions, Navajo men encoded, transmitted, and decoded a three-line message in 20 seconds. With the machines available at the time, the same message would take approximately 30 minutes.

Most of the code was a variation on the military’s phonetic alphabet, although specific code words were assigned to commonly used military terms (e.g. “silver oak leaf” for the rank of lieutenant colonel).

During the first few days of Iwo Jima, Major Howard Connor of the 5th Marine Division had Navajo Code Talkers working around the clock and would later credit them with the victory, saying, “Were it not for the Navajos, the Marines would never have taken Iwo Jima.”

The deployment of the Navajo code talkers continued through the Korean War and after, until it was ended early in the Vietnam War. The Navajo code is the only spoken military code never to have been deciphered.

Firechat: not secure….yet

Firechat is a new app for Android, iOS, and Windows Phone that has gained momentum because of its ability to form mesh (ad hoc) networks. There are a few conditions on using it; one is that an internet connection is required for the initial creation of a username and password. That the creators ask for real names shows how little they understand how their app is being used, though the real name is not verified. Firechat has become popular because in large protests, like those in Hong Kong, cell networks can be congested to the point of being unusable, and a government can shut the networks down outright to prevent communication. There are also places with no network at all, for example Burning Man in Nevada. This is where Firechat comes in: it builds a mesh network from a combination of Bluetooth and Wi-Fi, and each phone acts as a node that can forward messages to the nodes around it.

The app is impressive on the technical side alone, but in practice there are security flaws worth mentioning. The messages that every node on the mesh receives are in plain text, and there is no integrity check to detect whether they were manipulated in transit. With Blucat, a Netcat-like tool for Bluetooth that can also port-scan Bluetooth devices, the messages can be read off the air. It is then possible to spoof where messages come from and inject your own fake messages.
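The flaw described above, modelled as an added example (not Firechat’s code or the source article’s): a relay that forwards plaintext accepts any rewrite of the text or the claimed sender, while the same message carrying an HMAC under a pre-shared key is dropped as soon as it is altered or comes from outside the group. The group key, node names and messages are constructed for the demonstration.

```python
"""Toy model of a Firechat-style mesh relay: the plaintext, unauthenticated
message handling described above, next to a version that carries an HMAC.
Added example, not Firechat's code; the group key, node names and messages
are constructed for the demonstration."""
import hashlib
import hmac
import json

# Constructed pre-shared group key; a real deployment would provision this
# out of band (it is exactly what Firechat does not have).
GROUP_KEY = b"protest-group-key-2014"


def encode(msg: dict) -> bytes:
    """Canonical JSON so every node computes the MAC over identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


# --- 1. What the mesh does today: plaintext, forwarded verbatim ----------

def relay_plain(wire: bytes) -> bytes:
    """An honest node forwarding an unauthenticated message changes nothing."""
    return wire


def tamper_plain(wire: bytes, new_text: str, new_sender: str) -> bytes:
    """A malicious node (or someone replaying sniffed Bluetooth traffic)
    rewrites the text and the claimed sender."""
    msg = json.loads(wire)
    msg["text"] = new_text
    msg["from"] = new_sender
    return encode(msg)


def receive_plain(wire: bytes) -> dict:
    """The receiver cannot tell genuine from forged; it accepts everything."""
    return json.loads(wire)


# --- 2. The same message with an integrity tag ---------------------------

def seal(msg: dict, key: bytes = GROUP_KEY) -> bytes:
    """Wrap the message with HMAC-SHA256 over its canonical bytes."""
    body = encode(msg)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return encode({"body": body.decode(), "tag": tag})


def receive_sealed(wire: bytes, key: bytes = GROUP_KEY):
    """Return the message if the tag verifies, else None (drop it)."""
    env = json.loads(wire)
    body = env["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["tag"]):
        return None
    return json.loads(body)


def tamper_sealed(wire: bytes, new_text: str, new_sender: str) -> bytes:
    """Same edit as tamper_plain, applied to a sealed envelope; the tag no
    longer matches the body, so honest receivers drop the message."""
    env = json.loads(wire)
    body = json.loads(env["body"])
    body["text"] = new_text
    body["from"] = new_sender
    env["body"] = encode(body).decode()
    return encode(env)


if __name__ == "__main__":
    original = {"from": "organizer", "seq": 1, "text": "meet at the north gate"}
    forged = receive_plain(tamper_plain(relay_plain(encode(original)), "stay home", "organizer"))
    print("plain mesh accepted:", forged)
    print("sealed, untouched:  ", receive_sealed(seal(original)))
    print("sealed, tampered:   ", receive_sealed(tamper_sealed(seal(original), "stay home", "organizer")))
    print("sealed by outsider: ", receive_sealed(seal(original, b"wrong-key")))
```

A MAC under one group key only goes so far: it lets receivers detect tampering and reject messages from anyone who does not hold the key, but every key holder is indistinguishable, so one member can still spoof another. Telling members apart needs a per-user signature (and some way to bind a key to a username), and the `seq` field only helps against replay if receivers remember what they have already seen.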

In conclusion, Firechat is a cool new app with a lot of potential. I hope these security flaws are fixed soon; in the meanwhile, have fun.

Live demo of Blucat @ 9:16 https://www.youtube.com/watch?v=39fNxtTJtis&list=UU3s0BtrBJpwNDaflRSoiieQ

Source article

http://breizh-entropy.org/~nameless/random/posts/firechat_and_nearby_communication/

UK Government Cracks Down

The Computer Misuse Act has been in effect in the United Kingdom since 1990. It is used to prosecute hackers who commit serious crimes, but it is now up for revision as people continue to complain about the original Bill’s poor wording and hasty creation.

If the Bill is amended as proposed, judges would be able to hand out life sentences to British hackers whose actions damage national security, the environment, the economy, or human welfare in any country. The government’s argument is that cyber crimes are becoming increasingly damaging; as a Home Office spokesperson put it, “they blight lives and cause misery across the UK. It is a threat to our national security and costs hard-working taxpayers at least £24bn a year.” Hence the push to increase the severity of the punishments.

The Bill has yet to be amended. It reached the House of Lords on October 14th, where Baroness Williams of Trafford expressed concern that the wording is still too vague. The government is keen to press ahead with the Bill, however, so we should see a change soon.

http://nakedsecurity.sophos.com/2014/10/24/hackers-who-threaten-national-security-could-face-life-sentences/

http://www.theguardian.com/law/2014/oct/23/computer-users-damage-national-security-face-jail

Cameron Clark

Stronger Passwords, or Stronger Administrators?

We all know the user cannot be trusted, because often the user is not concerned with security. Websites have been pushing users toward stronger passwords for years, yet silly passwords like “password” or “12345” remain prominent. The question for website administrators remains: how can we ensure the security of the user?

A study from Microsoft shows that the demands of website administrators are often ignored by users, and that the push for more complex passwords is often a failing effort. The study suggests that administrators should do more on their end to protect the user.

The authors suggest that a password targeted in an online attack needs to withstand no more than about 1,000,000 guesses.

Online attacks are the most common method of attack. Users’ passwords are subject to dictionary attacks, but measures such as limiting the number of guesses per account cap how many tries an attacker gets, and diligence in responding to abnormally large volumes of login traffic limits them further. Therefore, the authors conclude, a password only needs to survive about a million guesses, as long as the proper measures are in place, and putting them in place is the administrators’ responsibility.

So how strong does a password need to be to stand a chance against a determined offline attack? According to the paper’s authors, it must survive about 100 trillion guesses.

Offline attacks are harder to protect against because once an attacker has a copy of the back-end password database, no guess limit applies and the attacker’s only cost is computing hashes; keeping that cost high with salted, deliberately slow hashing is entirely the administrators’ responsibility. Once an administrator detects that the system has been breached, all users’ passwords should be reset to protect their accounts (so long as they have not already been compromised). But again, the responsibility to protect the user rests with the administrators.

Systems administrators, the authors say, should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen.
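The two administrator-side defenses the preceding paragraphs describe, as an added example that is not from the Microsoft paper or the Sophos article: a per-account throttle that bounds online guessing (the reason an online attacker gets on the order of 10^6 tries), and salted, deliberately slow hashing so that each offline guess against a stolen database costs real work. The throttle policy and the attacker’s hash rate are constructed assumptions for illustration.

```python
"""Added example (not from the Microsoft paper or the Sophos article): the two
administrator-side defenses the post describes, modelled with the standard
library.  A per-account throttle bounds online guessing; salted, slow hashing
(PBKDF2-HMAC-SHA256 here) makes every offline guess cost real work once the
database is stolen.  Policy numbers and attacker hash rates are constructed
assumptions for illustration."""
from collections import defaultdict, deque
import hashlib
import hmac
import os

ONLINE_THRESHOLD = 10**6     # guesses a password must survive online (the paper's figure, per the post)
OFFLINE_THRESHOLD = 10**14   # roughly 100 trillion, the paper's offline figure


class LoginThrottle:
    """Sliding-window cap on failed logins per account (assumed policy)."""

    def __init__(self, max_failures=10, window=3600):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)

    def allow(self, account, now):
        """True if this account may attempt a login at time `now` (seconds)."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()                       # forget failures outside the window
        return len(q) < self.max_failures

    def record_failure(self, account, now):
        self._failures[account].append(now)


def online_guess_budget(max_failures, window, seconds):
    """Upper bound on guesses one account can receive through the throttle
    over `seconds` of sustained attack."""
    return max_failures * (seconds // window)


def hash_password(password, salt=None, iterations=600_000):
    """Return (salt, iterations, digest) for storage.  The salt defeats
    precomputed tables; the iteration count sets the per-guess cost."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def offline_seconds_to_exhaust(guesses, raw_hashes_per_second, iterations):
    """Time for an attacker holding the database to make `guesses` attempts,
    when each PBKDF2 guess costs `iterations` raw SHA-256 computations."""
    return guesses * iterations / raw_hashes_per_second


def seconds_to_years(seconds):
    return seconds / (365 * 86400)


if __name__ == "__main__":
    # Online: 10 failures per hour per account, sustained for a year, is far below 10^6.
    budget = online_guess_budget(10, 3600, 365 * 86400)
    print(f"online guesses in a year under throttle: {budget:,} (threshold {ONLINE_THRESHOLD:,})")

    # Offline: assume a constructed rig computing 10^10 raw SHA-256 per second.
    fast = offline_seconds_to_exhaust(OFFLINE_THRESHOLD, 1e10, 1)          # a single SHA-256 per guess
    slow = offline_seconds_to_exhaust(OFFLINE_THRESHOLD, 1e10, 600_000)    # PBKDF2, 600k iterations
    print(f"10^14 guesses vs single SHA-256: {seconds_to_years(fast):.4f} years")
    print(f"10^14 guesses vs PBKDF2:         {seconds_to_years(slow):.0f} years")

    salt, iters, digest = hash_password("correct horse battery")
    print("verify good:", verify_password("correct horse battery", salt, iters, digest))
    print("verify bad: ", verify_password("Correct horse battery", salt, iters, digest))
```

The point of the two numbers is the gap the post describes: under the throttle a single account sees tens of thousands of guesses a year, well inside the 10^6 figure, while the offline attacker is limited only by hash cost, so the iteration count is what stretches 10^14 guesses from hours into a lifetime. Resetting all passwords after a detected breach is still needed, because the work factor only buys time.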

There is an apparent inconsistency in the quality of website administration, and with new breaches announced almost weekly there is more than enough proof. Some websites remain well defended while others fall victim. Many administrators have seemingly given up on their end of defending the user and placed all of the responsibility on the user, who is rarely a security professional (or even someone with a strong computer background). In a world of constant online attacks, website administrators should be beefing up their efforts to secure the systems they are supposed to protect, alongside their campaign for users to choose stronger passwords.

Source: http://nakedsecurity.sophos.com/2014/10/24/do-we-really-need-strong-passwords/