First there were wireless networks, then there was WEP. WEP was the protective layer for wireless, so that your data was (kinda) secure when it traveled through the air. This layer was compromised rather quick, so alternatives were needed.
The initial alternative was WPA. This new layer of protection was a lot stronger (there still isn't a way of hacking this quickly). Downside was that it took a while to become a standard, so every vendor was free to use it as they saw fit. This could result into incompatibility issues when you used different vendors in your wireless environment.
The final WPA standard became WPA2, and was to overcome the incompatibility issues with the earlier WPA.... NOT!!!
Most consumer wireless products in my vicinity just won't connect properly using WPA2 (with either AES or TKIP). The only thing that keeps working is WPA. When connecting to a wireless network which is protected with WPA2, everything seems to go fine, but when you want to transfer data, nothing happens. Also, the wireless base station doesn't show any association with the client.
What is wrong with this picture? Does this mean that there are also different implementations of WPA2 among vendors?
A quick WPA2 configuration with a 32 character (or 16 character) WPA2-PSK key just won't work, while the client devices all support at least WPA2-PSK with TKIP.
Perhaps you don't, but your computer does!
At this moment there are over a hundred Trusted Root Certifications Authorities in your browser or Operating System. Many of those don't mean anything to me.
When a Trusted Root Certification Authority is available in your browser or OS, you don't get any questions/pop-up that your entering a secured Internet connection. This means that the certificate was issued by someone trustworthy. Who decides who or what company is trustworthy?
I know most of the commercial SSL vendors like
VeriSign,
Thawte,
Comodo,
Equifax,
Entrust, and
Cybertrust. Those are the companies which sell most of the SSL certificates used on the Internet. But I haven't heard of
Kozjegyzoi Tanusitvanykiado or IPS Seguridad. So do I want to trust certificates issued by them?
It would be nice if the browser had an extra message box (yes, another message box :-) ) to verify with the user if the CA should be trusted from this point on. This way the (pro-)user gets to decide if he wants to trust the CA (without the trouble of manually verifying the CA details on the CA website), and the basic user may rely on the recommendation from the OS/browser.
This way I can decide for myself if I want to trust some post-office in Japan or Germany.
Last week, I recieved my new Nokia E61i. As soon as I tried to connect to my own IMAP server (over SSL/TLS) is started nagging about the (selfsigned) SSL certificate.
The E61 has a certificate store, so I should be able to add other Root CA's to this store, but this is where the trouble began.
The manual has a chapter on certificates, but it lacks a working explanation on "how to import third party root CA's". On my old iPaq, it was simply upload a DER encoded certificate, click on it, and it would install. Well this doesn't work on the E61 (and many other Symbian-based) phones. Just 'google', and you'll find lot's of people with similar problems...
The working solution I found uses a website from which you download the certificate with the phone, but there is a catch; you need to add a MIME-type to the website containing the certificate (hence the admin rights).
The last couple of days were all about the leaked key for decrypting HD-DVD movies. This made me curious about the technology, so I headed to the
AACS LA website.
There's variety of
white papers available, which explain the AACS concept. The same papers were used by
musilix64 in making his first breakthrough on circumventing the AACS protection.
But there is more to be found on their website... There's even a section which explains the
Consumer Benefits of AACS.
- Support a superior viewing experience delivered by next generation media formats
AACS is added to the content. The content itself will probably 'work' better without AACS.
- Enable greater flexibility to manage distribute, and play entertainment content on a wider range of devices
This is a 'feature' for the publishing companies. Without the restrictive AACS protection, the content can be played on virtually every device. With AACS protection 'they' control on which device you can play the content.
- Enable groundbreaking home entertainment choices and the ability to use content on PCs and a range of CE devices
AACS is added to the content. The content itself will probably 'work' better without AACS.
- Work across a variety of formats and platforms
Five letters: L I N U X. AACS protected movies CANNOT be played on Linux. Only movies without the protection can be player on certain Linux players.
As some of you might know, the protection of Blu-Ray, and HD-DVD movies is based on a 'secret' key. You need the key to watch protected movies.
The (software)players for these movies are able to 'decrypt' these keys from the disc containing the movie. So you already have these keys on the disc. They (the movie companies) just try to hide them from the user (security through obscurity).
This is not strange that they use this scheme. It's just the way DRM works on these discs. Due to the lame-ass
DMCA law in the United States, it's ILLEGAL to try to find the key on the disc :???: .
Somehow a
HD-DVD key got discovered (or leaked), and it's going around the great Internet. Several websites have been approached by lawfirms to
take the pages down.
This key is represented by a hexidecimal code. How the hell is it possible to declare a hexidecimal string illegal?? The same string can also be represented by a different format (e.g. BASE64). Is this also illegal?
Since we dont know other hex keys for decrypting copy protected content, every other string of hex codes might also be illegal. Image this; what if the 'next' key might represent the number pi (03 14 15 92 6.....)? Does that mean that all math books need to be burned?
Just another example of the fucked up DMCA law in the US.
B.t.w. wondering what the last part is of the key... just use
Google to search for "09 F9 11 02 9D".... Google knows he rest.
Recently, the dutch
Tweakers website started with dissecting USB flashdrives. Their goal is to see if the so-called secure USB flashdrives are as secure as the manufacturer says they are.
They reviewed the SecuStick, and a BioStick. The first protects the data with a password. The latter (two different versions were tested) uses biometrics (fingerprints) to secure your precious data (in combination with AES encryption).
The full reports can be read
here, (SecuStick) and
here (BioStick). The dutch review can be read on the tweakers.net website (
here, and
here) along with interessting comments on the article.
Conclusion of the articles: Some of these so-called secure USB flashdrives are not as secure as you might think. Oke, the data is 'secure' for the casual user. If real secrets (your private pron collection :-) ) are being stored on those USB flashdrives, you might want to consider using TrueCrypt (with a strong password, and keyfiles) to store your 'valuable' data.
Steganos has a piece of software which allows you to create encrypted containers. The Stagenos software is 'freely' available on the P2P networks. just download it and use a key found somewhere on the Internet. This won't help you though.....
You simply install a copy of Steganos Safe 8 but not the new security suite and when doing this you turn "OFF" the update feature temporarily and use a fake serial code you get off the net. Simply mount anyones .SLE file encrypted drive into the software and it will ask you for their password but won't let you in because it's encrypted.
From this point you want to turn the "update" feature back on and force steganos to update by right clicking it in your system tray or restarting the software. From this point it will detect you had used a fake or known serial after the update and it will now PUNISH you by resetting your encrypted drives passwords to "123" until you buy a registered copy. [SecurityFocus]
This means that
ANYONE is able to open your encrypted content stored in the container. Just use pirated software to open the containers.
Thankfully,
Truecrypt is still freeware :-) . Too bad it still isn't available for OSX :cry: .
I've been a big fan of the
TWiT podcasts. Especially the Apple, Windows and security related podcasts. But lately, the content of those podcasts seem to shift to too much off-topic talk.
Take the latest edition of
Security Now! (Cross-Site-Scripting - Part II). The podcasts is about an hour in length, but the first half hour is nothing but talk about the Sony e-book reader, and favorite writers. What's that got to do with security?? I don't know.
Same goes for
MacBreak Weekly. It's more about having a good time for the authors, than about bringing some news. I don't mind that the authors are having fun creating the content. Hell, I appreciate a good laugh as much as the next guy, but keep it on topic.
Too bad that only about 50% of the content has something to do with the actual title (Mac / Security).
If they keep this up, they will loose a listener (not that they might care).
LOL... I already
reported that Windows Mobile 5 is buggy as hell. Even
Trend Micro thought so. Well, nothing new if you ask me.
A couple of weeks ago was the
HD-DVD protection officially circumvented. Now the Blu-Ray protection (which also uses AACS for protection) is a '
goner'.
I wonder how many trillions of dollars were spent on this protection (which is being paid by the consumers who buy these discs). I just hope that the movie industry follows the music record labels (EMI n this case) in
removing protection on audio CD's.
B.t.w. I saw the ripped HD-DVD movie '
Serenity' on my PC, and must say that the HD quality is phenomanal. Time to become an early-adaptor on the HD format (again :-)). This means a new
Full-HD TV, and an appropriate player.
