Monday, May 20, 2013

Do NOT use SHA-1: LUKS disk encryption


What the..?

As the cryptography expert Bruce Schneier already said in 2005, do not use SHA-1, because it is broken. See his article here: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

Several years ago, many governments also recommended that people stop using it.

Does Linux LUKS use SHA-1?

Yes, it does by default.
Just create a volume/container with default values (e.g. cryptsetup luksFormat /dev/loop0).
Did you use the Debian installer to encrypt your LUKS device? Same thing.

How do I verify whether I use SHA-1 on LUKS?

That's simple.
Just run "cryptsetup luksDump" on your encrypted volume (e.g. cryptsetup luksDump /dev/loop0).
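An added example, not part of the original post: the same check done by reading the LUKS1 on-disk header directly, where the hash that luksDump reports as "Hash spec" is stored as a fixed-width field. The field layout follows the LUKS1 on-disk format; the header bytes are constructed sample data and the function names are this example's own.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header, big-endian: magic[6] version(u16) cipher-name[32] cipher-mode[32]
# hash-spec[32] payload-offset(u32) key-bytes(u32) mk-digest[20]
# mk-digest-salt[32] mk-digest-iter(u32) uuid[40], then 8 key slots of 48 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")      # 208 bytes
KEYSLOT = struct.Struct(">II32sII")  # active, iterations, salt, offset, stripes
SLOT_ACTIVE = 0x00AC71F3
HEADER_LEN = PHDR.size + 8 * KEYSLOT.size               # 592 bytes

def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(buf):
    if len(buf) < HEADER_LEN:
        raise ValueError("short read: need %d bytes" % HEADER_LEN)
    (magic, version, cipher, mode, hash_spec, _payload, key_bytes,
     _digest, _salt, mk_iter, _uuid) = PHDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if version != 1:
        raise ValueError("version %d: only the LUKS1 layout is handled" % version)
    slots = []
    for i in range(8):
        active, iters, _s, _off, _st = KEYSLOT.unpack_from(
            buf, PHDR.size + i * KEYSLOT.size)
        if active == SLOT_ACTIVE:
            slots.append((i, iters))
    return {"cipher": _cstr(cipher) + "-" + _cstr(mode),
            "hash": _cstr(hash_spec).lower(), "key_bits": key_bytes * 8,
            "mk_iterations": mk_iter, "active_slots": slots}

def uses_sha1(info):
    return info["hash"] == "sha1"

def build_sample_header(hash_spec):
    """Constructed sample data standing in for the first 592 bytes of a device."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", hash_spec.encode(),
                    4096, 32, bytes(20), bytes(32), 50000,
                    b"00000000-0000-0000-0000-000000000000")
    active = KEYSLOT.pack(SLOT_ACTIVE, 200000, bytes(32), 8, 4000)
    unused = KEYSLOT.pack(0x0000DEAD, 0, bytes(32), 0, 4000)
    return hdr + active + unused * 7

if __name__ == "__main__":
    # On a real system: open("/dev/loop0", "rb").read(HEADER_LEN), as root.
    info = parse_luks1_header(build_sample_header("sha1"))
    print(info, "-> SHA-1 in use!" if uses_sha1(info) else "-> ok")
```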


Which hash should I use instead?

At the time of writing (2013) and in this context, we recommend SHA512.

Can I change the current hash in LUKS on the fly?

No, you can NOT. You need to re-encrypt your device. There is an experimental tool from the authors of cryptsetup, called "cryptsetup-reencrypt", which is included in the official source code. We succeeded in re-encrypting a system volume encrypted with AES and the SHA-1 hash, switching to Twofish as the encryption algorithm and SHA512 as the hash, with the command:

./cryptsetup-reencrypt -c twofish-xts-plain -h sha512 /dev/loop0

Please be very careful and use a backup before using this tool!

So, am I insecure if I do not switch?

It depends. For most people the default settings are secure. LUKS also has PBKDF2 in front, which prevents or reduces many forms of attack.

The main reason is: why should I use something insecure like SHA-1? Just for comfort?

Tuesday, April 23, 2013

US Air Force beats off competition in NSA hacking fight


A four-day hacking competition run by the National Security Agency (NSA) to find the top military system designers and administrators has awarded the 13th annual Cyber Defense Exercise (CDX) prize to a team from the US Air Force Academy.
"CDX offers an unparalleled opportunity for some of the nation's top students to showcase their cyber skills to NSA's leading practitioners," said Neal Ziring, technical director of the NSA's Information Assurance Directorate in a statement.

"America increasingly needs professionals with highly technical cyber skills to help the country remain safe and adapt with greater agility. We need the best and brightest to help us defeat our adversaries' new ideas."


Thursday, March 7, 2013

Attacking the Windows 7/8 Address ASLR




The following text is what looks like an attempt to circumvent Windows 7 and Windows 8 memory protections in order to execute arbitrary assembly code. The presented methods are in particular useful for client-side attacks as used for example in browser exploits.

The topic that is discussed is a very complex one. At the time I started the research I thought the idea behind the attack will be applied to real-world scenarios quick and easy. I had to be convinced by the opposite.
The research was done without knowing much about the real internals of the Windows memory space protection but rather using brute force, trial & failure in order to achieve what will be presented in the upcoming text. Be warned - the methods to attack the protection mechanisms hereby presented are not failsafe and can be improved. Though in many cases it is possible to completely bypass Windows 7 and especially Windows 8 ASLR by using the techniques.



Tuesday, February 26, 2013

IPtables: drop some silly portscan techniques




To prevent some common portscan techniques (FIN, XMAS, NULL, etc.) you can extend your iptables firewall with these rules at the top of your incoming interface (replace "venet0" with your interface, e.g. "eth0"):



# from iptables-save, for iptables-restore
-A INPUT -i venet0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i venet0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i venet0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -i venet0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -i venet0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i venet0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i venet0 -m state --state INVALID -j DROP
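How the --tcp-flags matches in the rules above behave, as an added example that is not part of the original post: iptables takes a mask and a compare set, and a packet matches when its flags, restricted to the mask, equal the compare set. The probe names and flag sets are constructed, the function names are this example's own, and the final conntrack rule (--state INVALID) is not modelled.

```python
# TCP header flag bits as they appear on the wire.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL6 = "FIN,SYN,RST,PSH,ACK,URG"

def bits(spec):
    """Turn an iptables flag list such as 'FIN,SYN' (or NONE) into a bitmask."""
    if spec == "NONE":
        return 0
    value = 0
    for name in spec.split(","):
        value |= FLAGS[name]
    return value

# The six --tcp-flags rules from the post, in order, as (mask, compare) pairs.
RULES = [
    (ALL6, "NONE"),
    (ALL6, ALL6),
    (ALL6, "FIN,PSH,URG"),
    (ALL6, "FIN,SYN,RST,ACK,URG"),
    ("SYN,RST", "SYN,RST"),
    ("FIN,SYN", "FIN,SYN"),
]

def first_match(packet_flags):
    """1-based index of the first flag rule that drops the packet, else None."""
    value = bits(packet_flags)
    for idx, (mask, comp) in enumerate(RULES, 1):
        if (value & bits(mask)) == bits(comp):
            return idx
    return None

# Constructed probes: scan-style flag sets next to ordinary traffic.
PROBES = {
    "NULL scan": "NONE",
    "Xmas scan": "FIN,PSH,URG",
    "all flags set": ALL6,
    "SYN+FIN": "FIN,SYN",
    "SYN+RST+ACK": "SYN,RST,ACK",
    "FIN scan": "FIN",
    "normal SYN": "SYN",
    "normal SYN+ACK": "SYN,ACK",
    "normal FIN+ACK": "FIN,ACK",
}

def classify():
    return {name: first_match(flags) for name, flags in PROBES.items()}

if __name__ == "__main__":
    for name, rule in classify().items():
        print("%-16s %s" % (name, "rule %d" % rule if rule else "no flag rule"))
```

A FIN-only probe matches none of the six flag rules, so it is left to the final --state INVALID rule.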

Securing Windows with EMET


The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system.

Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc. 

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:

USA: Copyright Alert System "Six Strikes" starts



After some delay, the "Copyright Alert System," which will provide notices to consumers if their ISP suspects illegal downloading, is now ready to go live.
The Center for Copyright Information (CCI), which is overseeing the effort, said in a Monday blog post that "today marks the beginning of the implementation phase of the Copyright Alert System (CAS)."
"The CAS marks a new way to reach consumers who may be engaging in peer-to-peer (P2P) piracy," the group said.





Thursday, February 21, 2013

Skype runs hardened Linux on 10.000 supernodes



Microsoft has drastically overhauled the network running its Skype voice-over-IP service, replacing peer-to-peer client machines with thousands of Linux boxes that have been hardened against the most common types of hack attacks, a security researcher said.
The change, which Immunity Security's Kostya Kortchinsky said occurred about two months ago, represents a major departure from the design that has powered Skype for the past decade. Since its introduction in 2003, the network has consisted of "supernodes" made up of regular users who had sufficient bandwidth, processing power, and other system requirements to qualify. These supernodes then transferred data with other supernodes in a peer-to-peer fashion. At any given time, there were typically a little more than 48,000 clients that operated this way.