Categories
Security

Slowly Moving The Web To HTTPS

The EFF has a pretty good post on the move to make HTTPS closer to the new normal on the web. It’s hardly normal yet, but it’s improving. Already some of the bigger sites on the internet, like Google, Facebook and Twitter, are serving up HTTPS for almost everything. They do it for security as well as for performance, since SPDY runs over TLS.

In the longer run (a few years from now) I wouldn’t be surprised if the majority of web traffic starts moving over HTTPS. This will not be welcomed by many institutions, governments included, but it’s certainly better for people, especially those in nations that restrict speech and rights the most. We’ll also see a lot of legislation mandating encryption methods with known weaknesses and back doors. I wouldn’t even be surprised if some countries try to break the web by mandating alternative encryption, similar to what South Korea did years ago when it pushed its own SEED cipher through browser plugins instead of standard SSL. Obviously fighting this is going to prove important.

Categories
Security

Silent Circle Finally Bringing Security To Mobile?

Silent Circle is a pretty interesting-sounding app:

It’s a model for the nested cryptography of Silent Circle. The “safe room” is the iPhone processor, where all the encryption happens. By the time your text leaves the phone, it’s been completely encrypted, unrecoverable without the key. To keep the key safe, Silent Circle uses the ZRTP protocol, a dance of data drops and verifications that’s every bit as intricate as the Southern Command’s network of swipes and codes. At the end of each call, the keys are erased, so nothing can be decrypted after the fact.

This sounds like security done right: encryption on the handset itself, a fresh key agreed for each call, and the key discarded when the call ends, so a captured recording cannot be decrypted after the fact (what cryptographers call forward secrecy). Why this is newsworthy in 2012 is what saddens me. This should be the standard, not the exception. Regardless, kudos to these folks for shedding light on what so many others are doing wrong.
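The exchange the quote describes, reduced to the part that makes “nothing can be decrypted after the fact” true, as an added example; this is not Silent Circle’s code or the ZRTP specification. It assumes a simplified ZRTP-style flow: ephemeral Diffie-Hellman over RFC 3526 group 14, a four-hex-digit short authentication string (SAS) in place of ZRTP’s base32 one, and an HMAC-SHA256 keystream standing in for SRTP’s AES. The sample media and the man-in-the-middle scenario are constructed here; none of these details are on the page.

```python
"""Ephemeral DH call setup with key erasure.

Added example, not Silent Circle's code. Assumptions not on the page:
simplified ZRTP-style exchange over RFC 3526 group 14, HMAC-SHA256
keystream instead of SRTP's AES, 4-hex-digit SAS. Stdlib only.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
assert P.bit_length() == 2048


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Stands in for SRTP's AES-CTR; real SRTP also authenticates every packet."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Endpoint:
    """One phone in the call. All secrets live only in this object's memory."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 1   # ephemeral exponent, never sent
        self.pub = pow(G, self._priv, P)            # goes over the wire in the clear
        self.key = None
        self.sas = None

    def finish(self, peer_pub):
        """Derive the session key from the peer's public value (ZRTP DHPart, simplified)."""
        if not 1 < peer_pub < P - 1:                # 0, 1 and p-1 would force a fixed secret
            raise ValueError("degenerate DH public value")
        s0 = hashlib.sha256(pow(peer_pub, self._priv, P).to_bytes(256, "big")).digest()
        self.key = hmac.new(s0, b"srtp-master", hashlib.sha256).digest()
        # Short Authentication String: both users read it aloud. A man in the
        # middle who ran two separate DH exchanges produces two different strings.
        self.sas = hashlib.sha256(b"sas" + s0).hexdigest()[:4]

    def seal(self, seq, media):
        if self.key is None:
            raise RuntimeError(f"{self.name}: no session key (call ended?)")
        return keystream_xor(self.key, seq.to_bytes(8, "big"), media)

    open = seal                                     # XOR stream: sealing and opening coincide

    def hang_up(self):
        """End of call: erase everything that could decrypt the recording."""
        self._priv = None
        self.key = None
        self.sas = None


def run_call(media, mitm=False):
    """Run one call; return what each party and a passive eavesdropper end up with.
    With mitm=True, Mallory substitutes her own public values on both legs."""
    alice, bob = Endpoint("alice"), Endpoint("bob")
    if mitm:
        m_a, m_b = Endpoint("mallory-a"), Endpoint("mallory-b")
        alice.finish(m_a.pub); m_a.finish(alice.pub)
        bob.finish(m_b.pub); m_b.finish(bob.pub)
    else:
        alice.finish(bob.pub)
        bob.finish(alice.pub)
    pkt = alice.seal(1, media)
    # An eavesdropper records exactly this: two public values and ciphertext.
    # Recovering the key from it is the Diffie-Hellman problem in this group.
    transcript = {"alice_pub": alice.pub, "bob_pub": bob.pub, "packets": [pkt]}
    result = {
        "sas_match": alice.sas == bob.sas,
        "keys_equal": alice.key == bob.key,
        "bob_heard": bob.open(1, pkt),
        "transcript": transcript,
    }
    alice.hang_up(); bob.hang_up()
    result["alice_after"] = alice                   # exponent and key are gone now
    return result


if __name__ == "__main__":
    r = run_call(b"constructed sample media")
    print("SAS match:", r["sas_match"], "heard:", r["bob_heard"])
```

The SAS check is what turns a plain DH exchange into ZRTP’s “dance of verifications”: the users compare the string out loud, so an active interceptor is caught by the humans rather than by a certificate authority. After `hang_up()` the recorded transcript is all that survives, and it contains nothing that decrypts the packets.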

Categories
Apple Security

iPhone Too Secure From Law Enforcement?

According to the US Department of Justice (DOJ), an encrypted iPhone is largely uncrackable at this point:

“I can tell you from the Department of Justice perspective, if that drive is encrypted, you’re done,” Ovie Carroll, director of the cyber-crime lab for the CCIPS division of the Department of Justice, said earlier this month during his presentation at DFRWS. “When conducting criminal investigations, if you pull the power on a drive that is whole-disk encrypted you have lost any chance of recovering that data.”

Of course there are a fair number of forensic tools out there for iOS 4 and below, including Cellebrite’s UFED Ultimate and Micro Systemation’s XRY. There is a lack of iOS 5 tools, at least ones that are being publicly advertised.

However, there’s arguably little need for such a tool anymore. As users put their data in “the cloud”, law enforcement doesn’t even need the physical phone; they can just send a request to Apple (or Google) for the data they want. I suspect this is at least part of what Steve Wozniak was talking about when he mentioned “horrible problems” in the next five years. It’s worth noting that Apple has almost zero transparency regarding law enforcement requests and how they are vetted. It’s not even clear that a warrant is necessary to request data; the law certainly isn’t clear in that regard.

If anything, I think it’s becoming easier for law enforcement, not harder.

Categories
Security

GPRS Cracked

Back in 2009 I mentioned Karsten Nohl’s work exposing how insecure cell phones really are. It’s important work, since many people assume cell phone calls are secure when they are nowhere near as secure as one would think or hope. He’s done a lot more since then, as The Register reports:

“The interception software to be released tomorrow puts GPRS operators with no encryption at an immediate risk,” he told The Register on Tuesday evening. “All other GPRS networks are affected by the cryptanalysis that will be presented but not released at tomorrow’s conference. Those operators will hopefully implement stronger encryption in the time it takes others to re-implement our attacks.”

As the article goes on to say, most GPRS networks use either no encryption or weak encryption.

In 2010, he bundled many of the various tools he helped develop into a comprehensive piece of software that gave amateurs the means to carry out many of the attacks. That same year, other cryptographers cracked the encryption scheme protecting 3G phone calls before the so-called Kasumi cipher had even gone into commercial use.

So your best bet for making a secure call right now is to use Skype on a smartphone. So far no one has publicly demonstrated a break of Skype’s encryption, but its protocol is proprietary and closed, so whether Skype has a backdoor or known vulnerabilities remains an open question. If Skype were considered a phone company (they insist they aren’t), they would be subject to CALEA.

Bottom line: don’t assume a cell phone call is secure.

Categories
Photo A Day 2011

Project 365 Week 13

Another week, another set. The end of this set and the next set are going to be a bit weak; I’ve been fighting a cold, among other things that have been distracting me. That said, I kinda like how “Along the NEC” and “Cheap Hack” turned out.

Categories
Mozilla Security Web Development

Wanted: Native JS Encryption