PaulSpoerry.com

They’ve already released specs for a replacement for HTTP called SPDY. Now it looks as if Google is set for all out Internet takeover by replacing DNS. DNS (Domain Name Service) is used to translate the web friendly named addresses user type in their browser (like www.PaulSpoerry.com) into their machine friendly IP (Internet Protocol) numerical addresses (like 122.222.12.221).

Google Public DNS, announced on Thursday, is still in an experimental phase but will attempt to improve on existing DNS technology with faster, more efficient caching and additional security safeguards against spoofing attacks that try to dupe users into visiting malicious Web sites.

To use Google Public DNS users will have to change network settings so that their Web site requests go to the Google service instead of to their ISP. Google has set up a Web page with detailed instructions on how to do this.

“We believe that a faster DNS infrastructure could significantly improve the browsing experience for all web users. To enhance DNS speed but to also improve security and validity of results, Google Public DNS is trying a few different approaches,” wrote Prem Ramaswami, from Google’s Public DNS Team, in an official blog posting.

This is interesting and I wonder how much better than can do than OpenDNS by rolling out a new DNS infrastructure.

The Evil Maid Attack is an attack type against whole system disk encryption in a form of a small bootable USB stick image that allows to perform the attack in an easy “plug-and-play” way. The whole infection process takes about 1 minute, and it’s well suited to be used by hotel maids.

The Invisible Things blog goes into great detail on how most whole disk encryption is vulnerable in a relatively simple way. The scenario we consider is when somebody left an encrypted laptop e.g. in a hotel room. Let’s assume the laptop uses full disk encryption like e.g. this provided by TrueCrypt or PGP Whole Disk Encryption. Many people believe, including some well known security experts, that it is advisable to fully power down your laptop when you use full disk encryption in order to prevent attacks via FireWire/PCMCIA or ”Coldboot” attacks.  So, let’s assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else.

Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop’s gets infected with Evil Maid Sniffer that will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version).

Now we can safely steal/confiscate the user’s laptop, as we know how to decrypt it. End of story.

Read the rest of this entry »

Mostly via How-To Geek

There has been a lot of attention in the news lately about email passwords being compromised. Today we take a look at using KeePass to secure your passwords in an encrypted database so no one can get a hold of them.

KeePass

For this article we are using KeePass 2.09 but you can still download the Classic Edition as well, which you may want to do so you can use certain plugins. Installation is straight forward and after installing KeePass, the first thing is to create a new password database by clicking on File \ New.

You will need to come up with a Master Password which is the only one you will need to remember moving forward. Make sure and pick a strong password with several characters, symbols, and numbers. It can be an entire phrase, sentence, or whatever you want it to be with virtually any characters you want.

Alternatively you can use a Key File which a master password in a file. This makes it so you don’t have to remember a long Master Password, but if it gets lost and not backed up you’re out of luck. Also, you want to keep the file in a secret location other than your local hard drive, malware attacks can find it if it’s openly available on your hard drive.

Read the rest of this entry »

Friday evening, in a motion to dismiss Jewel v. NSA, EFF’s litigation against the National Security Agency for the warrantless wiretapping of countless Americans, the Obama Administration’s made two deeply troubling arguments.

First, they argued, exactly as the Bush Administration did on countless occasions, that the state secrets privilege requires the court to dismiss the issue out of hand. They argue that simply allowing the case to continue “would cause exceptionally grave harm to national security.” As in the past, this is a blatant ploy to dismiss the litigation without allowing the courts to consider the evidence.

It’s an especially disappointing argument to hear from the Obama Administration. As a candidate, Senator Obama lamented that the Bush Administration “invoked a legal tool known as the ’state secrets’ privilege more than any other previous administration to get cases thrown out of civil court.” He was right then, and we’re dismayed that he and his team seem to have forgotten.

Sad as that is, it’s the Department Of Justice’s second argument that is the most pernicious. The DOJ claims that the U.S. Government is completely immune from litigation for illegal spying — that the Government can never be sued for surveillance that violates federal privacy statutes.

This is a radical assertion that is utterly unprecedented. No one — not the White House, not the Justice Department, not any member of Congress, and not the Bush Administration — has ever interpreted the law this way.

Previously, the Bush Administration has argued that the U.S. possesses “sovereign immunity” from suit for conducting electronic surveillance that violates the Foreign Intelligence Surveillance Act (FISA). However, FISA is only one of several laws that restrict the government’s ability to wiretap. The Obama Administration goes two steps further than Bush did, and claims that the US PATRIOT Act also renders the U.S. immune from suit under the two remaining key federal surveillance laws: the Wiretap Act and the Stored Communications Act. Essentially, the Obama Adminstration has claimed that the government cannot be held accountable for illegal surveillance under any federal statutes.

Again, the gulf between Candidate Obama and President Obama is striking. As a candidate, Obama ran promising a new era of government transparency and accountability, an end to the Bush DOJ’s radical theories of executive power, and reform of the PATRIOT Act. But, this week, Obama’s own Department Of Justice has argued that, under the PATRIOT Act, the government shall be entirely unaccountable for surveilling Americans in violation of its own laws.

This isn’t change we can believe in. This is change for the worse.

For further reading, we suggest Salon.com’s Glenn Greenwald and The Atlantic’s Marc Ambinder.

Related Issues: NSA Spying

Related Cases: Jewel v. NSA

Source: EFF

BTW… you should consider joining or support the Electronic Frontier Foundation, get more info by visiting the EFF support section of their site.

OpenDNS is a wicked service (and FREE) to use anyway. All my personal PC’s use it. OpenDNS can also speed up your surfing by allowing keyboard shortcuts from any system, work as a parental filter, and prevent you from seeing so many of those “no such site, but here’s a whole bunch of ads!” parking pages. It’s free to use and set up; here’s a detailed guide for home networks.

So how does it help with Conficker? The latest variant of Conficker is now blazing through over 50,000 domains per day in an attempt to thwart blocking attempts. But check this out,  at any given time OpenDNS has filters that hold well over 1,000,000 domains!!! Combine that with their phishing and domain tagging filters and basically 50,000 domains a day isn’t going to put a dent in OpenDNS. So basically even if you HAVE Conficker… OpenDNS will more than likely stop the worm from even being able to contact the site that would tell it what to do. OpenDNS prevents the worms from even contacting its botnet overlords to receive instructions on what to do.

Check out the OpenDNS blog for more about April 1st and Conficker, when you’re done reading that head on over and configure your home network to use OpenDNS, not just to protect you from Conficker but for all the added bonuses it brings as well.