Defendant Ordered to Decrypt Laptop May Have Forgotten Password

wired.com: Defendant Ordered to Decrypt Laptop May Have Forgotten Password

Via: slashdot.org: Defendant Ordered To Decrypt Laptop Claims She Had Forgotten Password

If she does not decrypt the drive by month’s end, as ordered, she could be held in contempt and jailed until she complies. If the case gets to that point, Judge Blackburn would have to make a judgement call and determine whether the woman had forgotten the code or was refusing to comply.

Major Security Flaws Discovered In Internet HDTVs

C’est evidemment juste pour rire un peu que j’ecris a ce sujet. Qui, avec des connaissances minimales et du gros bon sens, pourrait bien s’imaginer que ces produits sont securises correctement 😉 C’est quand meme interessant de penser que la facon d’entrer chez-vous pour hacker le reseau sera la TV ou le lecteur Blu-Ray. La seule facon de se proteger serait-elle d’avoir un firewall/router interne dedie aux cochonneries electroniques comme les TV/Blu-Ray? Remarquez que le probleme existait deja avec les consoles de jeu qui utilisent encore WEP!

“Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it’s likely that similar security flaws exist in other Internet TVs. The security researchers were able to demonstrate how an attacker could intercept transmissions from the television to the network using common ‘rogue DNS,’ ‘rogue DHCP server,’ or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device’s Internet functionality.”

Un commentaire sur slashdot pointait sur xkcd.com:

Hehe.

Disable JavaScript in Acrobat

grc.com: Security Now! Transcript of Episode #231: Mega Security Update & CES Observations

Steve: The one thing I would reiterate saying, and I imagine people have probably already done this if they’re going to, but I have to say it again, is disable JavaScript in Acrobat, that is, in the Acrobat Reader. There just is no need for scripting. I mean, we understand there’s a need for scripting on web pages because it’s being actively used by more and more websites, with it being a mixed blessing. But there’s just no need for scripting in a PDF document.

En passant, je viens justement d’installer une nouvelle version d’acrobat… et il a remis a “on” le javascript. 🙁

Aussi interessant dans cet episode (evidemment aussi disponible en audio):

Steve: And the Verbatim Corporate Secure FIPS Edition. Now, FIPS is the National Institute of Standards and Technology, NIST. That’s its federal security rating system. These devices have all received the FIPS 140-2 Level 2 certificate which validates devices as being secure for use with sensitive government data. And…

Leo: That’s pretty good. I’d take…

Steve: …they are completely hackable.

Leo: Oops.

Steve: They’ve got hardware AES-256 encryption in the key. So they’re not inexpensive. But get a load of this, Leo. You use some software that comes with a key, which of course prompts you for your password. You put your password in. And it does some mumbo jumbo with your password, whatever it is it does. But every single one of them, no matter what your password was, sends the same key string into the AES-256 cipher engine.

Leo: You’d think something at FIPS, at NIST, might have noticed.

Steve: Uh, yes. In fact, embarrassed by this, NIST has said that they will be considering whether they should make changes to their validation process because the USB drives in question met all their criteria.

Leo: Oh, boy.

Steve: So once again, so it’s true that if, as a user, you did not put the right passphrase in, the software would say, oh, sorry, that’s the wrong passphrase. But a security company reverse-engineered the software, wondering what was going on inside. And what they discovered was that there was a fixed key.

Steve: Well, yeah. And what boggles my mind is, again, our listeners understand this. You take and hash the passphrase with a secure hash, and that’s what you use as the key. This is not hard. I mean, that’s all there is to it. In which case the key would be derived from the passphrase through a secure hash and, bang, you’ve got it. I mean, sure, you want to put minimum security requirements on the length of the passphrase and all those things, and it wants to be nonguessable because it would be prone to a brute-force attack, blah blah blah, all the things we know about. But the idea that the passphrase isn’t being used to generate the key, but that the key is fixed, that’s just, I mean, actually it’s a really good lesson because it demonstrates that just saying AES-256 means nothing.