VIDEO: NOVA: Quantum Confidential

If you were a spy, how could you ensure that an encrypted message got safely to your allies? Send it using entangled particles! Here, watch how a technique called quantum cryptography could save a state secret from falling into enemy hands.

Watch Quantum Confidential on PBS. See more from NOVA.

Lost UAV or Trojan Horse?

I'm sure you've read all the hoopla about the Iranians capturing a U.S. spy drone.  The news media has asked just about every intelligence "expert" they have on their rosters.  Most have taken the bait and sensationalized the story almost beyond belief.  The other day I heard someone call it a "massive intelligence failure". Others have claimed the Iranians will reverse engineer  this aircraft (actually the Iranians said this) and use its "stealth" technology.  Some have even lauded the "success" of Iran's first unmanned bombing drone also supposedly equipped with "stealth" technology.  You would think these guys were Romulans.

HOT!!:: FREE ONLINE CRYPTO CLASS AT STANFORD

So when Ivy League schools give FREE classes in cryptography, I don't waste any time in signing up.  Looks like Stanford University is doing just that.

Here's some info direct from the FAQ section:

When does the class start?
The class will start in January 2012.

What is the format of the class?The class will consist of lecture videos, which are broken into small chunks, usually between eight and twelve minutes each. Some of these may contain integrated quiz questions. There will also be standalone quizzes that are not part of video lectures, and programming assignments. There will be approximately two hours worth of video content per week.

Will the text of the lectures be available?
We hope to transcribe the lectures into text to make them more accessible for those not fluent in English. Stay tuned.

Do I need to watch the lectures live?No. You can watch the lectures at your leisure.

Can online students ask questions and/or contact the professor?Yes, but not directly There is a Q&A forum in which students rank questions and answers, so that the most important questions and the best answers bubble to the top. Teaching staff will monitor these forums, so that important questions not answered by other students can be addressed. 

Will other Stanford resources be available to online students?No.

How much programming background is needed for the course?The course includes programming assignments and some programming background will be helpful. However, we will hand out lots of starter code that will help students complete the assignments. We will also point to online resources that can help students find the necessary background.

What math background is needed for the course?
The course is mostly self contained, however some knowledge of discrete probability will be helpful. Thewikibooks article on discrete probability should give sufficient background.

How much does it cost to take the course?Nothing: it's free! 

Will I get university credit for taking this course?No.

The course is being taught by Professor Dan Boneh who heads the applied cryptography group at the Computer Science department at Stanford University. Professor Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, web security, security for mobile devices, digital copyright protection, and cryptanalysis. He is the author of over a hundred publications in the field and a recipient of the Packard Award, the Alfred P. Sloan Award, and the RSA award in mathematics. Last year Dr. Boneh received the Ishii award for industry education innovation. Professor Boneh received his Ph.D from Princeton University and joined Stanford in 1997.

Here's another look at the link for the class:

http://www.crypto-class.org/

CONTEST!!! Decipher this and win....

Okay, so I've decided to do another contest.  Some people may be wondering what coded messages and ciphers have to do with security.  Quite simply, none of your secure electronic communications could get done without them.  Plus, who doesn't enjoy a little mental exercise particularly when there is money involved - a $25.00 Amazon.com gift card.  Come on, folks.  It's the holidays.  If you guess wrong, it costs you nothing.  Win and you can use it towards any purchase at Amazon like that book you've been dying to read on your Kindle.

Enough talk.  Here's the message.  Decode it and email the text to scrivenlking@gmail.com.  If you're the first person to solve it, I'll advertise your name as our only winner thus far and email you the gift card.  Easy peasy.  Here's a hint: It's a simple substitution cipher.

jdc9)c9)4ds)9sz21x)z2xs)z214s94!))ud25vx)-25)es4)4dc9)8ced4)q1x)zq1)stqcv)ts)q4)9z8c6s1vfc1e[etqcv!z2t)wc894@)-25)7cvv)es4)q)}+&)ecw4)zq8x)42)Gtq=21!z2t!))jdq1f9)w28)3vq-c1e!

Time for a Product Review - IronKey

Let me say I was a bit skeptical at first. But one day, while listening to my favorite podcast - SecurityNow, I became intrigued by IronKey. If you know me, then you know "intrigued" usually me spending hours on Google learning as much as I can before I put down the cash to buy anything. I did just that.

I'm avid user of encryption so I have a slightly above basic understanding of how encryption works. Looking into the product, my first impression was that it was just another USB drive with the software on it. Nope. This thing has the encryption on its RAM chip - embedded. To say the least, I was impressed. The casing is almost indestructible without destroying the chips inside. It even has an aluminum backing which you use to engrave you signature in pen - very thin overcoat. It also has a serial number.

To make it sound even cooler - would you believe this thing has a self-destruct sequence? I'm not talking about Mission Impossible countdowns, but it only gives you ten tries to guess the wrong passphrase and then it destroys your data to include the encryption making the drive useless. I love this thing. I HIGHLY recommend this product. Did I forget to mention that IronKey also has its own TOR router with FireFox preloaded? Very cool!

COFFEE anyone?

According to IDG News, Microsoft has developed and distributed a program called COFFEE to help cops get around certain encryption software. The program called the Computer Online Forensic Evidence Extractor (COFEE) was sent to law enforcement last June and it's now being used by about 2,000 agents around the world for free.

The creator of the program is former LEO himself. Anthony Fung, senior regional manager for Asia Pacific in Microsoft's Internet Safety and Anti-Counterfeiting group, spent 12 years as a police officer in Hong Kong, with the final seven dedicated to fighting cybercrime. According to IDG, "When he joined Microsoft, he sought to devise a way that agents could do better at finding valuable information on computers used by cyber criminals."

COFFEE was spawned due to the advent of encryption software such as BitLocker which requires a password to gain access to a computer's encrypted data. Most law enforcement agencies are using a procedure which calls for the computer to be turned off and taken back to a lab. Security experts will tell you this is the last thing to do when dealing with an encrypted system. The courts have now allowed for the examination/imaging of computers while on-scene so officers and technicians can conduct a proper search.

Encryption software such as BitLocker or TrueCrypt use very advanced encryption algorithms. So advanced it would take a supercomputer countless years to even decrypt the data. Depending on the size of the drive and the level of encryption it would take a significant leap in computer technology to begin the decryption for most law enforcement agencies.

The article explains that COFEE is actually a set of software tools that can be loaded onto a USB drive.

Brad Smith, general counsel at Microsoft, called it a "Swiss Army knife for law enforcement officers," because it includes 150 tools. A law enforcement agent connects the USB drive to a computer at the scene of a crime and it takes a snapshot of important information on the computer. It can save information such as what user was logged on and for how long and what files were running at that time, Fung said. It can be used on a computer using any type of encryption software, not just BitLocker.

Previously, an officer might spend three or four hours digging up the information manually, but COFEE lets them do it in about 20 minutes, he said.

Taking the computer back to the lab is not a bad pratcice. It does have some advantages such as evidence integrity. You always ahve a copy of the original drive. You may not have the time in the field to make such an image.

COFFEE may or may not be tamper resistant and that causes some concern. Rather than depend on programs such as COFFEE, law enforcement can and should in some circumstances use standard evidence collection procedures along with some good old-fashioned police work. It should be noted agents in 15 countries including Poland, the Philippines, New Zealand and the U.S. are using COFEE, Microsoft said. In New Zealand, a forensics examiner recently used COFEE to find evidence that led to the arrest of an individual involved in trading child pornography, said Smith.

Smith and others spoke on Monday at the start of a three-day conference Microsoft is hosting for law enforcement officials at its Redmond, Washington headquarters, inviting U.S. and international police, prosecutors and representatives from agencies like the Federal Bureau of Investigation. Microsoft has been hosting the conferences, which invite feedback from the law enforcement agents, since 2006, Smith said.

Microsoft's Reply To Encryption Weakness

Well, it appears Microsoft says the vulnerability with encryption key programs isn't with software makers. They say its with us. According to SecurityFocus, "A number of simple changes will make sleeping laptops immune to having their encryption keys filched from memory, a Windows Vista security expert said last week."

The article quotes a Microsoft senior product manager for Windows Vista security, Russ Humphries as saying on a company blog,

"The thing to keep in mind here is the old adage of balancing security, usability and risk. For example BitLocker provides several options that allow for a user -- or more likely Administrator -- to increase their security protections but at the cost of somewhat lowering ease-of-use."

It should be noted it was Mr. Humphries' program, BitLocker that was mentioned along with others in the report as being vulnerable to this hack.

UK Card Readers Hack

According to SecutrityFocus, an e-zine which focuses on electronic security issues, UK merchants have a problem. It sounds like a pretty significant problem with their card readers. SecurityFocus' article says the when credit cards are scanned through the readers the information is not encrypted and thus readable by anyone with access to the data stream from that reader.

The University of Cambridge discovered the PIN entry device (PED) vulnerabilities allow an attacker to wiretap a reader and collect enough data from cards and the PIN pad to create counterfeit cards.

For those of you unfamiliar with the UK's debit and credit setup, I'll explain. Let's say I go to a restaurant and purchase a dinner for two costing a certain amount of money. The waitress brings out a portable card reader in which instead scanning, she can take your debit or credit card from a UK bank and place the card which is embedded with a chip inside the reader. Then the transaction proceeds like it does everywhere else. The readers then transmit the card information through a wireless connection. Catch where I'm going with this? If not, continue reading and you'll get it eventually.

According to SecurityFocus, the researchers stated the vulnerabilities in a paper to be published at the IEEE Symposium on Security and Privacy in May.

"The vulnerabilities we found were caused by a series of design errors by the manufacturers," Saar Drimer, a researcher at UC's Computer Laboratory and an author of the paper, said in a statement. "They can be exploited because Britain's banks set up the Chip & PIN in an insecure way ... A villain who taps this gets all the information he needs to make a fake card, and to use it."

This is not just UK-only vulnerability. There are all sort of vulnerabilities with card readers all over the world. If the card information isn't encrypted on the merchant, purchaser, and bank ends, then there will always be a vulnerability.

Welcome and Encryption Key Madness

Welcome to my first post for this blog. I hope you can tell from my lengthy bio that we'll have plenty to talk about. So lets get started with todays topic: Encryption Keys.

For those of you still stuck in the Paleolithic Age of computing, encryption keys were thought to be some the most secure and efficient means to protect data stored on computers. In essence, you would store whatever data you wanted safe from prying eyes on a computer which would then encrypt the storage medium with a very difficult key secured be an even more difficult algorithm. Without the the right pass code, the data could not be decrypted and the key could not be used. According to the American Society of Industrial Security's publication, Security Management "the game has changed".

The Electronic Frontier Foundation, a non-profit electronic goods consumer advocacy group, along with Princeton have come with an ingenious way to get those keys without having to crack the algorithm. They freeze the medium and then extract the code. It appears because most keys are stored in DRAM where the keys are stored temporarily. Once your computer goes "idle", these keys are vulnerable to this "hack" because the memory takes a while to leave the chip upon shutdown and the freezing method of course slows this process down giving our intruder enough time to grab what he/she needs.

This "hack" effects TrueCrypt as well as other to include BitLocker, FileVault, and dm-crypt. Check out the Security Management website for further details.

Click here for video footage.

Incredible! Once you think you have it made with encryption, somebody not only cracks it but posts it on the Net.