e-ignite

So it turns out that SHA-1 might be broken. If not broken as such, it’s certainly bruised and its ability to be relied upon is in a significant amount of doubt. But why should that matter? We can just use SHA-256 or SHA-512 for more security, can’t we? Well yes we can… but does that actually help the wider issue?

Think about this in another way: If you receive a signed email from a contact of yours and it verifies correctly, do you check what method of signature was used on the email? I’d suggest that unless you’ve fitted yourself for a tinfoil hat, you’re unlikely to do this. Seeing as the signature process is employed to provide verification, we need a method that can use in a widespread manner and that we can rely upon. Is it time to revoke SHA-1 and DSA signatures? Should encryption and signing packages refuse to verify messages and files signed using these methods? Perhaps. However, it’s extremely unlikely that this would be implemented – md5 was broken some time ago and yet it’s still used for verification of file downloads etc in a farily widespread manner. So what should we do to protect ourselves from potentially forged digital signatures?

Read the rest of this entry »

The Raw Story reports that the US are currently drafting a law that will allow them full access to examine any email, file or web search at any time. Currently the plans are at the draft stage, but if passed, this could essentially mean the end to any form of privacy on the internet. Consider that the largest email providers such as Gmail, Hotmail (Live Mail – run by Microsoft), AOL and many others are based in the US but they have international users on a massive scale. This is a frightening plan that has global consequences, and will really pave the way for essential cryptographic systems on email.

From the article:

National Intelligence Director Mike McConnell is drawing up plans for cyberspace spying that would make the current debate on warrantless wiretaps look like a “walk in the park,” according to an interview published in the New Yorker’s print edition today.

McConnell is developing a Cyber-Security Policy, still in the draft stage, which will closely police Internet activity.

“Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the autority to examine the content of any e-mail, file transfer or Web search,” author Lawrence Wright pens.

“Google has records that could help in a cyber-investigation, he said,” Wright adds. “Giorgio warned me, ‘We have a saying in this business: ‘Privacy and security are a zero-sum game.’”

A zero-sum game is one in which gains by one side come at the expense of the other. In other words — McConnell’s aide believes greater security can only come at privacy’s expense. Read the rest of this entry »

Many of you will have heard of the Keylogger – usually a piece of software that records everything you type. Usernames, passwords, personal emails… the risk to your security is immense. However, I’d be willing to bet that you think you’re safe. You run an Anti-Virus application and an Anti-Spyware application, so these things can’t touch you… right?

Wrong. Until very recently, I was unaware of the availability of Hardware Keyloggers just like the ones shown in the pictures on this page. How often do you use a shared computer? When you do use one, do you look at the cables to see if a nasty little device has been clipped to the keyboard input? I’m guessing not – but if you did, do you think you would spot something as small and unobtrusive looking as this?

These things really could be a concern for those of you who use internet cafes, or computers in any shared environment – think schools, universities and even work! All it takes is some unscrupulous person to try to make some money out of these, and you could find your financial details are compromised, usernames and passwords stolen and you may even find that your bank accounts and life savings have been emptied. All because your password was intercepted.

Here’s a quote from a site that sells hardware keyloggers:

[our] hardware keylogger is the smallest and most compact hardware keylogger on the market! [it] is a small device that connects between your keyboard and computer on the back of the PC and directly records every keystroke typed: bar none. [the keylogger] can store up to 64,000 keystrokes, which equates to weeks worth of data.

• Holds 64KB worth of keystrokes (roughly 64,000 typed keystrokes).
• Compatible with all IBM/PC Computers.
• Compatible with PS/2 Keyboards.
• Undetectable by AntiVirus and other third party detection programs.
• Captures passwords, usernames, chats, e-mails, websites, and more!
• Completely Plug-And-Play – installs in seconds

These things are available to buy, and are used much more than we think. Personally, I find it frightening and can think of no legitimate use for a hardware keylogger whatsoever. It is designed to be undetectable by security software and the untrained eye.

So, you think “It’s ok. I only ever bank online at home, so I’m totally safe…” Well, you may be safe from hardware keyloggers (it would be unlikely that someone you allow into your home would have the ability or inclination to hook one of these up to your computer), but trust me… you may be just as vulnerable, if not more vulnerable at home!

Read the rest of this entry »

Recently, there was a virus that, when activated, encrypted all your files and tried to get you to pay money for the unlock code to the files. There’s a full story on the BBC News website, but if you have been affected by this virus, the code you need to recover your files is the following:

mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw

I’ve been working as part of the development team on Mobility Email for quite some time, and release day has finally arrived!

In summary, Mobility Email is a distribution of Mozilla Thunderbird that can be run without installation from a USB Flash Drive, iPod or hard disk for example. It has been authorised for release by the Mozilla Corporation.

Mobility Email allows you to transport your entire email inbox simply on a USB stick, allowing you to plug it into any computer with a USB port and an internet connection, and communicate easily by email.

One of Mobility Email’s key features is that it comes with support for both S/MIME and OpenPGP Signing and Encryption features built-in, allowing users to digitally sign and encrypt their emails wherever they are. It includes a new, cutting-edge CVS version of GnuPG allowing users to utilise the new, more secure DSA2 and SHA224 technologies not yet available in any other standard release email client. Mobility Email truly is a plug-and-go solution, requiring no lengthy set-up procedure. Read the rest of this entry »

As I discussed on my main website, there are two major types of email encryption: OpenPGP and S/MIME. I believe that OpenPGP is a far superior system, although I admit it’s a bit more complex to set up. This is mainly because S/MIME functionality is already built-in to many email client programs.

So first thing’s first: Why is S/MIME built-in to email programs but OpenPGP isn’t? Read the rest of this entry »

It’s been widely published that certain SHA algorithms (used to digitally sign your email) are becoming less and less secure. For example, it’s been proved that the md5 algorithm (widely used for file verification) has been broken. The newer SHA algorithm was also discovered to be very weak when subjected to Cryptographic attack – this lead to a new version of SHA being released called SHA-1 (the original version is now known as SHA-0 and is virtually never used). SHA-1 is a 160 bit hash, and it has been found to have some severe weaknesses too. Read the rest of this entry »

Phil Zimmermann, the inventor of PGP encryption, has now launched a new project: zfone. This is an encrypted VoIP solution for software and hardware VoIP installations. It’s a good idea since the NSA find it much easier to automatically tap VoIP calls than traditional telephone calls, and if you read some of the other news articles I’ve got on my blog, you may feel the sudden urge to install it! Read the rest of this entry »