uncompiled.com

The UK’s Cyber Security Challenge has announced the winner of its prologue crypto puzzle, as well as the solution – for anyone still struggling to find an answer.

Successful code crackers had to solve a three-stage puzzle of increasing complexity. The task tested basic cryptoanalysis skills, as well as the ability to apply lateral thinking and “read between the lines” to figure out how to proceed from one stage of the puzzle to the next. The first stage involved recognising that the initial ciphertext took the form of a .jpg image, encoded in the base64 system. This .jpg image cartoon contained a binary string on its border, encoded using a simple substitution cipher.

Having solved that stage of the puzzle, would-be codebreakers recovered a message inviting them to visit a specified website. The third phase of the challenge was based on making sense of a bitshift operation applied to a string hosted on this site.

More than 1000 contestants submitted responses to the puzzle with 152 hitting on the right answer. Winner Paul Mutton cracked the code before anyone else and wins a season ticket for Bletchley Park and a personal tour of the refurbished WWII-era Colossus code-breaking computer.

Cyber Security Challenge said it planned to run another code-cracking puzzle at an unspecified time over the coming months, following the success and obvious interest generated by its initial brain teaser.

The cipher challenge was essentially a bit of fun designed to publicise the wider ambitions of the UK’s Cyber Security Challenge, which aims to hunt for would-be information security experts and stimulate interest in the topic. The scheme, launched on Monday, aims to address a looming skills shortage by inspiring under-graduates and teenagers to consider a career in cybersecurity.

More than 30 prizes will be awarded during the competition, including internships at net security companies and university bursaries. The scheme has the support of private security firms such as Sophos and Qinetiq, as well as the UK government.

Source

Web Development Framework is a software framework that is designed to support the development of a Websites, Web applications and Web services. Many frameworks provide libraries for database access, templating frameworks and session management, and they often promote code reuse.

Web development can be little tough if there had been no frameworks to make our life easier. Any Web Framework is a boon to a web developer as it provides so many options, flexibility and its a big time saver.

Here, we have compiled the best of web development frameworks in PHP, CSS, JavaScript, Python and Java. All these frameworks have there pros and cons, they can help you make your project look clean and robost. For future reference, you can bookmark this post and share it with your friends and web-programmers.

Source

This is what I’ve been talking about… Here is the first part of the docs I wrote up – make sure you see that I’m not
yet supporting huge files unless you have huge RAM. **.Net 4.0 Client profile is required to run this.**

Right now the install bits are only available on the pilot site at: http://www.owa.hammerofgod.com in the downloads
section. I have to wait on Raging Haggis to return from Canada before posting on
www.hammerofgod.com .

Here’s a bit from the TGP Overview document included with the install and on the web site. Please read through it
before asking silly questions. :)

Also, feel free to hack it up as much as you would like. I know this is full disclosure, so feel free to zing them at
me, or if you prefer, I can work with you on any issues you might have.

Remember, this is totally free, so my ability to handle custom requests will be limited. For those looking to break
it, I would look at fuzzing the XML documents and the “drag and drop public XML” parsing feature.

If you have questions or challenges about any of the security, I would ask to keep it on the list so that everyone can
get the full benefit of productive security development. The read-me should pretty much lay everything out for you.
If not, we’ll take it up from there.

t

TGP – “Thor’s Godly Privacy”
06/13/10 v1.1.06

TGP is a small yet very powerful encryption utility. With all eyes on “the cloud,” I decided to write an encryption
application better suited to an environment where portability and security were, at the least, challenging. In cloud
computing, not only is the use of file structures becoming more abstract, but the very concept of a “file server” is
becoming more and more ubiquitous.

As such, I designed TGP with “encryption for the cloud” in mind. That means that not only does TGP do everything your
normal PGP-type applications do, but it does things a bit differently – differently in a way that can change the way
you work with your encrypted data. At the simplest level, this is done by encrypting data into byte arrays, and then
converting those byte arrays into Base64 encoded text wrapped inside XML tags. In this way, not only do you get your
typical file-based encrypted representation of your data, but you also get data that you can copy and paste directly
into any email, mailing list, blog-page, or social networking site.

What I think is interesting about this is that if we choose to, we no longer have to be the custodians of our encrypted
data – we don’t have to worry about actually housing the files: we can just post them to the internet and let someone
else assume the burden of storing the files for us.

If I want to share encrypted files with someone or secure my own files, all I have to do is TGP encrypt the data I
want, and post it to a mailing list somewhere. In the case of a list like Bugtraq or Full Disclosure, the data is
actually automatically replicated out to any number of archive sites, thus distributing my data for me. I can
literally be anywhere in the world and just do a quick search for my post to retrieve my data. And since the TGP
public key files are also text representations of encrypted key data, I can do the same with my keys.

Normally, you want to keep your private keys as safe as possible. This is still the case with TGP. However, it is
trivial to build as many private keys as you wish to use for anything you want to use them for. TGP Private Key files
are password protected and individually salted, so with a strong passphrase you have very reasonable assurance that no
one is going to get to your key any time soon. So, you can create a private key with a strong password, post that, and
then, say, encrypt a scan of your passport and post that. Then if you are ever in a pinch while travelling or
something like that, you can simply use Google or Bing to access your data wherever you are.

Of course, that’s just an example, but I think it illustrates the power of encrypted file structures like this. You
can literally use Facebook to post encrypted documents that you don’t have to maintain.

That’s really the main different between TGP and an application like PGP. That and of course, TGP is free, and
personally, I think PGP is tardware. It’s bloated, it’s far too expensive, it’s hard to use, and if you don’t watch
your licensing, you can get screwed hard like I did when I didn’t want to buy the extended support and one day my
encrypted drives stopped working until I paid them. That doesn’t fly. TGP also doesn’t require that you are an admin
to install. However, the .NET installer for the 4.0 client profile does – that’s not my doing. Regardless, here are
the file structures TGP uses:

Things that still suck about TGP
Currently TGP uses a memory stream for the destination of the AES cryptostream. This sucks because it makes the
maximum file one can encrypt based on available memory. It’s not a huge deal, but it does keep you from encrypting a
gigabyte file. I’ll be changing that soon.

[Description: Description: Description: TimSig]
Timothy “Thor” Mullen
Hammer of God
thor () hammerofgod com
www.hammerofgod.com
[cid:image002.png@01CB0B06.EED273B0]

Source

2010 ACM Cloud Computing Security Workshop (CCSW) at CCS

9 October 2010, Hyatt Regency Chicago

http://crypto.cs.stonybrook.edu/ccsw10

Dear Colleagues,

The CCSW submission website is up! Please submit your papers at

http://hotcrp.cylab.cmu.edu/ccsw10/

CCSW is back! The 2009 workshop was a tremendous success, with 80+
people in the audience, several sponsors (NSF, Microsoft), 5 invited
talks (Whitfield Diffie, Ian Foster, Peter Mell, Lenore Zuck, Kristin
Lauter) and excellent papers. This year we hope you will join us in yet
another successful event.

This year’s SPEAKERS (preliminary list) are:

——–

Leendert van Doorn
AMD Senior Fellow

Eric Grosse
Google Security Engineering Director

Steve Riley
Amazon Web Services Sr. Technical Program Manager

Michael Waidner
IBM Chief Technology Officer for Security
IBM Distinguished Engineer

——–

Notwithstanding the latest buzzword (grid, cloud, utility computing,
SaaS, etc.), large-scale computing and cloud-like infrastructures are
here to stay. How exactly they will look like tomorrow is still for the
markets to decide, yet one thing is certain: clouds bring with them new
untested deployment and associated adversarial models and
vulnerabilities. CCSW aims to bring together researchers and
practitioners in all security aspects of cloud-centric and outsourced
computing, including (but not limited to):

+ secure resource virtualization
+ secure data management outsourcing
+ practical privacy & integrity for outsourcing
+ foundations of cloud-centric threat models
+ secure computation outsourcing
+ remote attestation mechanisms
+ sandboxing and VM-based enforcements
+ trust and policy management in clouds
+ secure identity management mechanisms
+ web service security paradigms and mechanisms
+ cloud-centric regulatory compliance
+ business & security risk models and clouds
+ cost & usability models and their interaction with security in clouds
+ scalability of security in global-size clouds
+ trusted computing technology and clouds
+ binary analysis of software for remote attestation and cloud protection
+ network security mechanisms for clouds
+ emerging cloud programming models security
+ energy/costs/efficiency of security in clouds

We would like to especially encourage novel paradigms and controversial
ideas that are not on the above list. The workshop is to act as a
fertile ground for creative debate and interaction in security-sensitive
areas of computing impacted by clouds.

CCSW is soliciting full papers of up to 12 pages and short papers of up
to 6 pages. Submissions must be in double-column ACM format with a font
no smaller than 10 point (note: pages must be numbered). Only PDF files
will be accepted. Submissions not meeting these guidelines risk
rejection without consideration of their merits. Accepted papers will be
published by ACM Press and/or the ACM Digital Library.

*** Both research and position/vision/white papers are invited ***

Submissions must not substantially overlap with papers that have been
published or that are simultaneously submitted to a journal or a
conference with proceedings. All authors and their affiliations must be
listed.

Proposals for panels are also solicited. The proposals are to be
concise, up to 2 pages in length, describe the handled topics, name
potential panelists and briefly scope the panel for CCSW. Disruptive and
controversial panels are particularly encouraged.

Organizers ———————————————————

STEERING

Kristin Lauter, Microsoft
Adrian Perrig, Carnegie Mellon
Radu Sion, Stony Brook (chair)
Gene Tsudik, UC Irvine
Moti Yung, Google Inc.

CHAIRS

Adrian Perrig, Carnegie Mellon University (PC co-chair)
Radu Sion, Stony Brook University (PC co-chair)

COMMITTEE (preliminary)

Steven Bellovin, Columbia
Christian Cachin, IBM Zurich
Jan Camenisch, IBM Zurich
Bogdan Carbunar, Motorola Labs
Jeff Chase, Duke
Mihai Christodorescu, IBM Research
Weidong Cui, Microsoft Research
George Danezis, Microsoft Research
Xuhua Ding, Singapore Management University
Maria Dubovitskaya, IBM Zurich
Philippe Golle, Palo Alto Research Center
Markus Jakobsson, Parc
Yuecel Karabulut, SAP Office of the CTO
Yongdae Kim, University of Minnesota at Twin Cities
Kristin Lauter, Microsoft
Wenke Lee, Georgia Tech
Di Ma, University of Michigan – Dearborn
Patrick McDaniel, Penn State University
Peng Ning, NC State University
Cristina Nita-Rotaru, Purdue University
Dave O’Hallaron, Intel Research / CMU
Alina Oprea, RSA
Dimitris Papadias, Hong Kong University of Science and Technology
Anand Rajan, Intel
Tom Ristenpart, UCSD
Reiner Sailer, IBM Research
Pierangela Samarati, University of Milano
Matthias Schunter, IBM Zurich
Elaine Shi, PARC
Dawn Song, UC Berkeley
Wade Trappe, Rutgers University
Leendert Van Doorn, AMD
Giovanni Vigna, UCSB
Cliff Wang, US Army Research Office
Nicholas Weaver, International Computer Science Institute Berkeley
Peter Williams, Stony Brook University

Source

It’s been a while since the stars aligned and I had made it out to NOTACON. More importantly than the conference though, are the people who make the conference more than just another U.S. technology “to-do”. NOTACON is, has been, and I hope will continue to be, one of most interesting mixture of talents and brillance you can ask for. When I last had attended the conference, I was still working with the core team to put the whole weekend of insanityfun together — this time, I was just a presenter and attendee.

This year’s conference really gave me a smack on the head. It reminded me of not only how many friends and colleagues I had missed, but also the blast of energy you get by seeing so much passion for such a diverse group of topics in one short weekend. NOTACON allows someone like myself to speak about education, while another person is showing off their electronically-infused clothing, and another to do demos of PDF exploitation. Few places short of a local hacker-space will you find such a menagerie of content.

Presentations That Rocked
To start, I thought Sacha DeAngeli’s presentation called “Mine’s Smaller Than Yours: Nanotechnology and Chemistry in a DIY Setting” was super interesting and appropriate for this kind of conference. He combined not only live chemistry on a topic most people were fairly captivated by, but also integrated the message that we really need to save chemistry experimentation as a culture. He had great parallels between ‘hackers’ and chemists (hobby and professional), invigorating at least my opinion that saving chemistry as something that everyone should dabble in as part of their youth is important. Toss it up there with music education as something that is being cut out of schools in lieu of safer and cheaper alternatives — computer simulated chemistry. Boring.

It was really fun to see int eighty (who’s the rapper for Dual-Core) drop the mic, so to speak, and instead give a really easy-to-follow explanation and demonstration of how to deconstruct PDF files and look for potential malicious code streams. His presentation had great structure and provided the tools to follow-along with his demonstrations, making for an interactive presentation that was really fun to watch. He was both humbled by the work of other’s in this field (such as the often mentioned Didier Stevens) and highly competent on the topic, making for an enjoyable hour. It was great to see someone I’ve watched rap so many times really come into his own in another light.

Saturday started early with Adrian Crenshaw covering aspects of Anti-Forensics. While I had personally heard a lot of these areas in a previous Cybercrime class, it was nice to get a more technical overview of some techniques. He provided some interesting notes about ‘data recovery’ and I really enjoyed his muted humor throughout. Seems like a really nice guy in general, too.

Later in the day, I was really impressed with James Arlen, Chris Clymer, Mick Douglas, and Brandon Knight’s skit-based presentation called “Social Engineering Security Into Your Business”. It was a collection of situations in which they demonstrated the right & wrong ways to have security people interact with various members of their company/organization. In one example, they showed how and how not to speak with a developer about an XSS issue. Another, they spoke to management about purchasing a new product to help their infrastructure. I found their examples and dialogs both realistic (at least 90% of it) and accurate to situations I have been in. Frankly, some scenes were uncanny! They did a great job of integrating humor and reality. I think they certainly got a message across which is very important: don’t be an asshole if you want to get stuff done.

The end of the day comprised of “Surviving the Zombie Apocalypse”, another in the series of conference talks put on by Tom Eston, Chris Clymer, and Matthew Neely. Hilarious as ever, and now with costumes, props, and a cast of zombie actors. A great 30 minutes of just pure fun and energy. Might I add, this was just prior to my own presentation so I appreciated not only the relaxing fun it provided for me, but also that they were done way before my presentation which gave me extra prep time.

My presentation, “What’s a Linux?: Creating & teaching college courses at 24″
I was pumped to be able to speak to what was quite a large crowd in the palace east room of the hotel. While it was the smaller of the two rooms, it seemed to be quite filled which was great. I’d guess probably 40+ people showed up and they were all really attentive, appreciative, and fun. It seemed like everyone enjoyed my random humor and appreciated what I had to say on education in general. It was a really rewarding experience. I hadn’t spoken at NOTACON since 2005 so I was both glad to be back at the conference as an attendee, but pumped to have had another opportunity to talk about something I was passionate about. A sincere thanks again to everyone who attended my presentation as well as was wearing my uncompiled.com stickers throughout the weekend!

As promised, here are my presentation slides in PDF and if anyone has any questions or follow-ups, feel free to give me a shout. My e-mail is mark.stanislav@gmail.com and my Twitter is mstanisl. It was great seeing so many of you guys again and even better meeting a lot of great new people as always. Feel free to send me any pictures or video you have have from my presentation; I appreciate it.

See everyone next year!

Targeted cyberattacks of the sort that hit Google and more than 30 other tech firms earlier this year are testing enterprise security models in new ways and pose a more immediate threat to sensitive data than a full-fledged cyberwar.

Is the U.S. the nation most vulnerable to cyberattack?

They’re also an “existential threat” to the U.S., a top FBI official said last week.

Unlike older e-mail and network-borne worms and viruses, targeted attacks are stealthier and can give adversaries a way to break into an enterprise network — and stay hidden there for a long time. Typically, the goal behind such attacks is to snoop and to steal sensitive information.

State-sponsored groups with deep technical skills and computing resources have been directing such attacks against government and military targets for several years now. But the increasing number attacks, and the fact that they have begun to spill over into the commercial arena, have prompted some people to speculate about whether the U.S. is in the midst of a cyberwar.

Not war — yet

The consensus: Not yet. Instead, the targeted attacks highlight what’s called the advanced persistent threat (APT) facing U.S commercial entities. The attacks typically rely on sophisticated social engineering techniques to exploit previously unknown security vulnerabilities, and they’re difficult to fend off because they’re designed to elude the signature-based malware-detection tools traditionally deployed at most companies.

Most attacks use social engineering to trick people with access to key information into opening tainted e-mails or other communications.

The malicious messages are crafted to look as if they’re from someone the recipient knows and has been communicating with, said Paul Wood, a senior intelligence analyst in Symantec Corp.’s MessageLabs Intelligence unit. They can even be inserted into an ongoing e-mail exchange, gaining authenticity because they include familiar subject headers and references to ongoing conversations.

Who’s most at risk? Company directors, vice presidents, managers and executive directors — especially at smaller companies, according to MessageLabs. Because larger companies tend to be better protected than smaller ones, cybercriminals aim for small firms that might be suppliers or business partners to big ones, Wood said.

Dealing with these threats requires a new ways of thinking, said Sean Arries, a researcher at Terremark Worldwide Inc., a Miami-based provider of IT infrastructure services. Because the attacks often take advantage of zero-day threats for which no defense exists, blocking them with signature-based anti-malware tools is almost impossible, he said.

Detection is key

As a result, companies need to strengthen their ability to detect intrusions and respond quickly, Arries said. Since targeted attacks are designed to siphon out data via the network, keeping a close eye on network traffic can help detect anomalies. A gusher of data going out over the network is a warning sign that something’s amiss.

Source

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE’s Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security’s National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year’s Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective “Monster Mitigations,” which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE. Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more actionable.

Source

Booting an operating system has always been considered a challenging task. In this document we will take a look at the different aspects of the boot process. Such as the BIOS which is the first code which runs, the boot loaders that can load different operating systems, pass arguments to the kernel, load it from different sources like a hard drive, a flash, and network & finally the kernel itself. Though loading the kernel & setting it up to execute is not all that is to be done, we need to bring the system up with different user specific configurations. We will look at the scripts, which deal with this.

Linux has grown from a system that used to boot from a floppy providing no luxurious features to the user, to the current jazzy Linux systems. It is important to have an insight of the Linux boot procedure. Say for Linux to serve the purpose on embedded systems, the generic boot procedure must almost always be modified to meet the needs of the target application.

Source

The most common digital security technique used to protect both media copyright and Internet communications has a major weakness, University of Michigan computer scientists have discovered.

RSA authentication is a popular encryption method used in media players, laptop computers, smartphones, servers and other devices. Retailers and banks also depend on it to ensure the safety of their customers’ information online.

The scientists found they could foil the security system by varying the voltage supply to the holder of the “private key,” which would be the consumer’s device in the case of copy protection and the retailer or bank in the case of Internet communication. It is highly unlikely that a hacker could use this approach on a large institution, the researchers say. These findings would be more likely to concern media companies and mobile device manufacturers, as well as those who use them.

Andrea Pellegrini, a doctoral student in the Department of Electrical Engineering and Computer Science, will present a paper on the research at the upcoming Design, Automation and Test in Europe (DATE) conference in Dresden on March 10.

“The RSA algorithm gives security under the assumption that as long as the private key is private, you can’t break in unless you guess it. We’ve shown that that’s not true,” said Valeria Bertacco, an associate professor in the Department of Electrical Engineering and Computer Science.

These private keys contain more than 1,000 digits of binary code. To guess a number that large would take longer than the age of the universe, Pellegrini said. Using their voltage tweaking scheme, the U-M researchers were able to extract the private key in approximately 100 hours.

They carefully manipulated the voltage with an inexpensive device built for this purpose. Varying the electric current essentially stresses out the computer and causes it to make small mistakes in its communications with other clients. These faults reveal small pieces of the private key. Once the researchers caused enough faults, they were able to reconstruct the key offline.

This type of attack doesn’t damage the device, so no tamper evidence is left.

“RSA authentication is so popular because it was thought to be so secure,” said Todd Austin, a professor in the Department of Electrical Engineering and Computer Science. “Our work redefines the level of security it offers. It lowers the safety assurance by a significant amount.”

Although this paper only discusses the problem, the professors say they’ve identified a solution. It’s a common cryptographic technique called “salting” that changes the order of the digits in a random way every time the key is requested.

“We’ve demonstrated that a fault-based attack on the RSA algorithm is possible,” Austin said. “Hopefully, this will cause manufacturers to make a few small changes to their implementation of the algorithm. RSA is a good algorithm and I think, ultimately, it will survive this type of attack.”

Source

Cryptographers are expecting several of the major cryptographic systems in use today to be broken in the near future.

In the Cryptographers Panel session at the RSA Conference Tuesday, Adi Shamir said that he is working with a team of researchers who have put together a paper that describes an attack that will break AES 128 within 10 rounds.

“And if you go to AES 256, we can break the entire cryptosystem,” Shamir said.

Shamir, one of the inventors of the RSA algorithm, was speaking on the panel with Ron Rivest, Brian Snow of the National Security Agency, Martin Hellman of Stanford University, Whit Diffie, and Ari Juels of RSA Security. The panel, which is an annual event at the RSA Conference, usually provides some of the more interesting anecdotes of the conference, and this year’s was no exception.

In addition to the work against AES, which is the encryption standard used in many cryptosystems today, Rivest said that he expects 1024-bit RSA encryption to be broken relatively soon.

“I expect that RSA 1024 will be broken within a decade,” Rivest said. “People should start moving to 2048 soon.”

Rivest, a professor at MIT who worked with Shamir and Len Adleman to design the original RSA algorithm, also said that he still gets email and calls from people wanting to use the MD5 hash function, which he designed in 1991. MD5 was widely used, but has been shown to have several weaknesses in recent years.

“I always say to them, ‘Don’t you understand that MD5 is an extinct hash function? It’s dead,’” Rivest said.

Juels, chief scientist at RSA Labs, moderated the panel and asked all of the speakers whether they had ever done anything foolish.

“I’ve rarely done anything else,” Diffie said, which got a nice laugh from the crowd.

Hellman took the question a bit more seriously, but essentially echoed Diffie’s answer, saying that his original research with Diffie in the 1970s that led to the invention of public-key cryptography was looked at as a black hole when they started it.

“I was told by all of my colleagues that cryptography was a waste of time. The NSA had a massive budget, we didn’t know how big at the time, and they had been working on the problem for decades. We were told there’s no way we’d discover anything that they hadn’t already found, and if we did, they’d classify it,” Hellman said.

Source