What happens with passwords in other languages, and more specifically forcing the use of UTF-8 double bit characters? What about using passwords in multiple languages?
Most brute force password cracking at least uses a dictionary to get at the low hanging fruit, why not increase the size of the dictionary? What are there like million words or something like that in the English language (guess) vs millions Chinese?
It would seem just branching out to Spanish, German, or whatever combinations would greatly decrease the success of brute force attacks.
I've analyzed password lists in several languages, and it depends on how the hashing algorithm encodes the password, or more specifically how the program sends the password to the hashing algorithm. Aka the MD5 of an UTF-8 encoded password is different vs. the MD5 of a codepage encoded password. That gets really interesting when someone switches between languages mid-password, (aka half of a password in a right to left language such as Arabic, and the other half in a left to right language such as English).
Oh, and yes, increasing the keyspace due to multiple alphabets certainly can hurt a brute-force attack, but not as much as you would expect if the password set is mostly from the same group. There are other patterns as well. For example non-English native speakers tend to use more number replacements, (aka 1 for a 'l', 3 for an 'e', etc), while English speakers favor symbol replacements, (@ for 'a'). Also, in a Spanish set, numbers at the front of the password, such as '123password', were much more frequent then I've seen in other datasets, (most people put the numbers at the end). Like all things though, these are just averages, so it's really hard to nail down the origin of a user based on their password unless they use a non-English word in it.
I managed to obtain a copy of the list, and have been doing some analysis on my blog http://reusablesec.blogspot.com/ with more to come. You can find a list of the top 100 passwords from the RockYou disclosure here:
http://reusablesec.blogspot.com/2009/12/rockyou-32-million-password-list-top.html
I've also been analyzing more lists such as the 10k Hotmail list that was released a couple of months ago. As for the recommendations that Imperva made, I think they are too tough on the users. Let's be honest, someone could have had a 28 character passpharse and it wouldn't have helped them since Rockyou stored all the passwords in plain text. For most people, online password cracking isn't the main problem. Phishing/keystroke loggers are much more prevalent, (due to their low cost to attackers). What this shows though is you really need to have different classes of passwords. You don't have to remember a different password for every site, (which is almost impossible without using some keyvault program), but you should use a different password for your webmail/bank accounts compared to all of the other sites.
How often do people hide data in the background noise of their phones? Is this a big enough problem that we should care about solving it? I mean, first of all you need a program to do the stego, (short of having someone talk really softly in the background). Then you would need to play back the recording during your conversation. Wouldn't it be easier for the criminal to send an encrypted e-mail instead? Given a choice, I'll pick strong crypto over stegonography any day. The only good thing about stego is it's useful if whatever authority in charge blocks all unauthorized messages.
It's along the lines of "How do you tell if there are stego images on someone's computer?"
Answer:You find the stego converter tool on their harddrive.
"I suppose one could argue that various defensive techniques like ASLR should have stopped this, but without knowing the details, that's impossible to say."
Microsoft does not enable ASLR by default for 3rd party applications since it can break software that relies upon absolute memory addresses. I scanned Adobe flash player with lookingglass, (www.erratasec.com), and ASLR was not enabled. They also didn't use NX, which helps prevent buffer overflows from being successful. On the plus side, at least the flash player executable, (not counting all its helper applications), doesn't use any unsafe functins like strcpy, and sprintf.
That's a problem Microsoft has. If they enable security by default, lots of stuff breaks. If make the security settings optional, no one uses them...
Oh, that's no problem. You just encrypt your one time pad with another one-time pad. Then you can transmit it anyway you want.
What, you want to know how to get the second one time pad?
Oh, that's no problem. You just encrypt your one time pad with another................
Heh, or just do what my boss said, and encrypt everything with the same one-time pad....
Personally though, I encrypt everything with ROT26.
There's a big difference between collecting the data and analyzing it. I've seen the results by ISEC Partners in fooling forensics software, (For example, if you want to hide your pr0n, put it on the 26th partition on your hard drive), and it deals with the inability of forensics analysis software to deal with analyzing targeted malicious files. You are going to have these issues with any software that processes files that previous were under the complete controll of a malicious user. In a non-computer forensics example, suppose your friend gives you a cd with a trojan.jpeg file on it. You can make an exact copy of that file to your computer no problem, but when you view the.jpeg file it installs a back door on your computer. Forensic software has to deal with the same issues.
That's where this article is misleading. Their solution does not solve that problem. In fact, it runs Encase right on the box for analyzing the hard drives, (which is one of the tools ISEC Partners looked into breaking). As far as collecting data securely goes, anyone can do that as long as they have a writeblocker, and they do a bitwise copy, (vs a file copy).
What they really needed to say in this review is that Trecorder is a one box solution to both collect and analyze forensics data that was specifically configured for that task. That way you don't have to spend the extra 2 minutes to disconnect a the copy of a hard drive from the duper and connect it to your analysis computer.
There will be rollback features for changing the code so when you break something you can easily recover from it. They are putting a lot of thought into that feature since the whole goal is to make sure kids aren't afraid to experiment. Also, it's easy for kids to share their modified code, and since every program, (from a webbrowser to a solitaire program), runs in it's own sandbox, the threat of malware is significantly reduced.
I was looking forward to using the "show code" button on Windows.
BTW, yes there is an actual "show code" button on the keyboard. It's really cool. You can edit the code of most of the included applications and apply changes on the fly. I know it's for kids, but I REALLY want one of these laptops. Check it out at www.laptop.org
Gotta love a game that's free and I can play on any computer with internet access and telnet.
Specifically, batmud is a great way to waste time. www.bat.org / telnet: batmud.bat.org
I've seen this scam in the wild at St Louis airport. I have screenshots if anyone wants them. I didn't even know that this was a current issue, (I haven't had internet access for a while because the hotel I was staying at charges extra), but when I fired up my computer, I saw "Free Airport wireless", and "Free Public Wifi", as peer to peer connections. It was weird, so of course I started taking screenshots. I didn't try to connect to them though since I had a customer computer that hadn't been patched in forever.
I think I remember reading that MagicQ uses a second data channel for authentication that is not "encrypted" by quantum cryptography, (it's closer to steganography than encryption). The quantum channel has a 50% loss rate due to the craziness of quantom mechanics. In fact that's how they try to prevent replay attacks since if someone sniffs it they only see 50% of the data, and when they resend what they have the receiver see an error rate of 75% instead of the normal 50%, (aka 50% of 50%). The receiver then uses the data channel which is encrypted useing a shared key to relay what it's error rate was, and which quantum bits it was able to read. For example if the sender sent the following message
1011100101
and the receiver replied that it saw bits 1, 2, 5, 8 and 9, both of them would save 10110 as the key to use in a different device, (aka this is a way to transmit keys to be used in conventional encryption devices). You could use this to send conventional traffic as well, but the 50% bit loss rate is a killer.
It's not perfect security since it relies on conventional encryption techniques so it's still possible to do a man in the middle attack against it, but depending on how they implimented the data channel such an attack might be hard to pull off. That being said, I have a hard time thinking of a problem where this would be a good cost-effective solution for it.
Slashdot Mirror
What happens with passwords in other languages, and more specifically forcing the use of UTF-8 double bit characters? What about using passwords in multiple languages?
Most brute force password cracking at least uses a dictionary to get at the low hanging fruit, why not increase the size of the dictionary? What are there like million words or something like that in the English language (guess) vs millions Chinese?
It would seem just branching out to Spanish, German, or whatever combinations would greatly decrease the success of brute force attacks.
I've analyzed password lists in several languages, and it depends on how the hashing algorithm encodes the password, or more specifically how the program sends the password to the hashing algorithm. Aka the MD5 of an UTF-8 encoded password is different vs. the MD5 of a codepage encoded password. That gets really interesting when someone switches between languages mid-password, (aka half of a password in a right to left language such as Arabic, and the other half in a left to right language such as English). Oh, and yes, increasing the keyspace due to multiple alphabets certainly can hurt a brute-force attack, but not as much as you would expect if the password set is mostly from the same group. There are other patterns as well. For example non-English native speakers tend to use more number replacements, (aka 1 for a 'l', 3 for an 'e', etc), while English speakers favor symbol replacements, (@ for 'a'). Also, in a Spanish set, numbers at the front of the password, such as '123password', were much more frequent then I've seen in other datasets, (most people put the numbers at the end). Like all things though, these are just averages, so it's really hard to nail down the origin of a user based on their password unless they use a non-English word in it.
I managed to obtain a copy of the list, and have been doing some analysis on my blog http://reusablesec.blogspot.com/ with more to come. You can find a list of the top 100 passwords from the RockYou disclosure here: http://reusablesec.blogspot.com/2009/12/rockyou-32-million-password-list-top.html I've also been analyzing more lists such as the 10k Hotmail list that was released a couple of months ago. As for the recommendations that Imperva made, I think they are too tough on the users. Let's be honest, someone could have had a 28 character passpharse and it wouldn't have helped them since Rockyou stored all the passwords in plain text. For most people, online password cracking isn't the main problem. Phishing/keystroke loggers are much more prevalent, (due to their low cost to attackers). What this shows though is you really need to have different classes of passwords. You don't have to remember a different password for every site, (which is almost impossible without using some keyvault program), but you should use a different password for your webmail/bank accounts compared to all of the other sites.
And it's still going strong too... Sure beats WoW, that's for sure. Solving a text based quest beats clicking on hellboars anyday.
It's along the lines of "How do you tell if there are stego images on someone's computer?"
Answer:You find the stego converter tool on their harddrive.
"I suppose one could argue that various defensive techniques like ASLR should have stopped this, but without knowing the details, that's impossible to say." Microsoft does not enable ASLR by default for 3rd party applications since it can break software that relies upon absolute memory addresses. I scanned Adobe flash player with lookingglass, (www.erratasec.com), and ASLR was not enabled. They also didn't use NX, which helps prevent buffer overflows from being successful. On the plus side, at least the flash player executable, (not counting all its helper applications), doesn't use any unsafe functins like strcpy, and sprintf. That's a problem Microsoft has. If they enable security by default, lots of stuff breaks. If make the security settings optional, no one uses them...
Oh, that's no problem. You just encrypt your one time pad with another one-time pad. Then you can transmit it anyway you want. What, you want to know how to get the second one time pad? Oh, that's no problem. You just encrypt your one time pad with another ................
Heh, or just do what my boss said, and encrypt everything with the same one-time pad....
Personally though, I encrypt everything with ROT26.
Well, there's always one time pads...
There's a big difference between collecting the data and analyzing it. I've seen the results by ISEC Partners in fooling forensics software, (For example, if you want to hide your pr0n, put it on the 26th partition on your hard drive), and it deals with the inability of forensics analysis software to deal with analyzing targeted malicious files. You are going to have these issues with any software that processes files that previous were under the complete controll of a malicious user. In a non-computer forensics example, suppose your friend gives you a cd with a trojan .jpeg file on it. You can make an exact copy of that file to your computer no problem, but when you view the .jpeg file it installs a back door on your computer. Forensic software has to deal with the same issues.
That's where this article is misleading. Their solution does not solve that problem. In fact, it runs Encase right on the box for analyzing the hard drives, (which is one of the tools ISEC Partners looked into breaking). As far as collecting data securely goes, anyone can do that as long as they have a writeblocker, and they do a bitwise copy, (vs a file copy).
What they really needed to say in this review is that Trecorder is a one box solution to both collect and analyze forensics data that was specifically configured for that task. That way you don't have to spend the extra 2 minutes to disconnect a the copy of a hard drive from the duper and connect it to your analysis computer.
There will be rollback features for changing the code so when you break something you can easily recover from it. They are putting a lot of thought into that feature since the whole goal is to make sure kids aren't afraid to experiment. Also, it's easy for kids to share their modified code, and since every program, (from a webbrowser to a solitaire program), runs in it's own sandbox, the threat of malware is significantly reduced.
I was looking forward to using the "show code" button on Windows.
BTW, yes there is an actual "show code" button on the keyboard. It's really cool. You can edit the code of most of the included applications and apply changes on the fly. I know it's for kids, but I REALLY want one of these laptops. Check it out at www.laptop.org
Gotta love a game that's free and I can play on any computer with internet access and telnet. Specifically, batmud is a great way to waste time. www.bat.org / telnet: batmud.bat.org
I've seen this scam in the wild at St Louis airport. I have screenshots if anyone wants them. I didn't even know that this was a current issue, (I haven't had internet access for a while because the hotel I was staying at charges extra), but when I fired up my computer, I saw "Free Airport wireless", and "Free Public Wifi", as peer to peer connections. It was weird, so of course I started taking screenshots. I didn't try to connect to them though since I had a customer computer that hadn't been patched in forever.
I think I remember reading that MagicQ uses a second data channel for authentication that is not "encrypted" by quantum cryptography, (it's closer to steganography than encryption). The quantum channel has a 50% loss rate due to the craziness of quantom mechanics. In fact that's how they try to prevent replay attacks since if someone sniffs it they only see 50% of the data, and when they resend what they have the receiver see an error rate of 75% instead of the normal 50%, (aka 50% of 50%). The receiver then uses the data channel which is encrypted useing a shared key to relay what it's error rate was, and which quantum bits it was able to read. For example if the sender sent the following message
1011100101
and the receiver replied that it saw bits 1, 2, 5, 8 and 9, both of them would save 10110 as the key to use in a different device, (aka this is a way to transmit keys to be used in conventional encryption devices). You could use this to send conventional traffic as well, but the 50% bit loss rate is a killer.
It's not perfect security since it relies on conventional encryption techniques so it's still possible to do a man in the middle attack against it, but depending on how they implimented the data channel such an attack might be hard to pull off. That being said, I have a hard time thinking of a problem where this would be a good cost-effective solution for it.