Suramya's Blog : Welcome to my crazy life…

June 8, 2021

Great book on Military Crypto analytics by Lambros Callimahos released to public

Filed under: Computer Security,Computer Software,My Thoughts,Techie Stuff — Suramya @ 9:58 PM

I find Cryptography and code breaking to be very interesting as there are huge implications on Cyber security. The current world is based on the presumption that cryptographic algorithms are secure, it is what ensures that we can use the internet, bank online, find love online and even work online. Cryptography historically has been a field working under heavy classification and there are multiple folks we don’t know about because their existence and work was classified.

Lambros Callimahos was one such Cryptologist, he was good enough that two of his books on Military Cryptanalytics covering code breaking (published in 1977) were blocked from public release till 1992. The third and last volume in the series was blocked from release till December 2020. It is now finally available for download as a PDF file so you can check it out.

The book covers how code breaking can be used to solve “impossible puzzles” and one of the key parts of the book is it’s explanation of how to use cryptodiagnosis to decrypt data that has been encrypted using an unknown algorithm. It has a whole bunch of examples and walks you through the process which is quite fascinating. I am going to try getting through it over the next few weeks if I can.

Check it out if you like to learn more about cryptography.

– Suramya

May 20, 2021

Thoughts on NVIDIA crippling cryptocurrency mining on some of its cards

Filed under: Computer Security,Computer Software,My Thoughts,Techie Stuff — Suramya @ 8:11 PM

You might have heard the news that NVIDIA has added code to it’s GPUs that make them less attractive for cryptocurrency mining by reducing the efficiency of such computations using a software patch. On one side this is great news because it means that GPUs will be less attractive for mining and be available for gamers and others to use in their setup. However, I feel that this is a bad precedent being set by a company. In effect they are deciding to control what you do with the card after you have bought it. A similar case would be a restriction in your car purchase to stop you from using it on non-highway roads. Or to stop you from carrying potatoes in the trunk.

This all comes back to the old story about DRM and how it is being used to restrict us from actually owning a device. With DRM you are essentially renting the device and if you do anything that the owner corporation doesn’t agree with then you are in for a fun time at the local jail. DRM/DMCA is already being used to block farmers from fixing their farm equipment, medical professionals from fixing their health equipment and a whole lot more.

Cory Doctorow has a fantastic writeup on how DRM works and the problems caused by it. DRM does not support innovation, it actually forces status-quo because it is illegal to bypass it.

I have an old X-Box sitting in my closet collecting dust, I want to run Linux on it but that requires me to break the law because I would need to bypass the DRM protections in order to install a new OS. Today we are ok when they are blocking cryptocurrency, what if tomorrow the company gets into a fight with a gaming company and decides that they will degrade the game performance because they didn’t pay the fees for full performance. What if tomorrow they decide, to charge a subscription fee to get the full performance from the device? What is to stop them from degrading or crippling any other activity they don’t agree with whenever they feel like? The law is in their favor because of DRM, laws like DMCA (and other such laws) make it illegal to bypass the protections they have placed around it.

This is a slippery slope and we can’t trust the corporations to have our best interest at heart when there is money to be made.

There is more discussion on this happening over at HackerNews. Check it out.

– Suramya

May 9, 2021

Teaching Cyber Security basics to kids

Filed under: Computer Security,My Thoughts — Suramya @ 8:04 PM

There is an ongoing effort over at Australia to teach cyber-security to five-year-old kids. I am sure that it will be no surprise to anyone who knows me that I think that this is a brilliant idea. Security is a mindset and the earlier we can teach kids about the pitfalls and dangers online, the safer they will be online.

Our generation grew up with the internet and still I see that most people are not that serious about security. I had a long argument/discussion with Jani on why she had to have a passcode for her phone and why she couldn’t use the same password for everything. Now she understands what I was talking about and uses a password manager with unique password for each account. But that is not the same with my parents, I still have not managed to convince them to use a password manager. 🙁

A little while ago I was talking to mom and she commented that my nephew Vir doesn’t share his account passwords with anyone and when my mom is typing her password he looks away. I credit Vinit for teaching him this and am really happy about it. This is what you get when a kid is taught about security from the get go. Instead of learning it later as an add on. Another year or so and I will have him start using a password manager as well.

Habits learnt as a kid are really hard to unlearn and that is why I think it is really important that we get to kids as early as possible and teach them about cyber security. I mean we already teach them regular security and safety so why not cyber security and safety? Remember, they are spending a lot more time on the computer and the internet than we ever did and they need to be taught how to be careful online.

Well this is all for now. Will post more later.

– Suramya

March 25, 2021

Fools deleting company data after being fired and how to protect against this threat

Filed under: Computer Security,My Thoughts,Techie Stuff — Suramya @ 4:34 PM

Over the past few years I have seen multiple news articles and stories about idiots who were unhappy with their job or were fired and decided to take revenge by deleting data, accounts or destroying company property. The common factor in all the stories was the fact that the person was subsequently arrested and jailed. The most recent story I saw was this one, where a genius decided to delete 1200 Microsoft Office accounts after being fired and ended up in jail for his troubles.

Destroying company property when you leave is a good way to ensure you are never hired again by any company. I mean if I was interviewing a candidate and I found out that the candidate had deleted critical data when they left the company I would probably never hire them. End of the day if you have demonstrated that you are not mature enough to deal with a loss but rather delete data/information then you are not a fit to work in my team. I know a lot of people will come and say that people should be given a second chance and what not but this is a serious issue. There would be a major lack of trust in play here and with that the person’s efficiency would be horrible and multiple other folks would have to keep monitoring what this person was doing on the servers which is an overhead I wouldn’t need.

So, now looking at this from the company’s side. How do you prevent something like this from happening? The basic step is to ensure that the access rights of the person are terminated as soon as they are let go. Secondly, they should not be allowed to access their system after they are fired. In one of my previous companies, the physical security team would escort a person off-premises without allowing them to log on to their computer or anything. By the time the person was off premises their accounts were already de-activated. They should also be removed from any company related mailing lists, chat rooms, telephone trees etc immediately. Any commonly known account passwords should be changed immediately and if the person had admin access a check should be made for any unauthorized accounts with admin access and for any backdoor’s being installed.

In the case of a threat where the person hasn’t been fired yet you need to have systems in place to perform regular audits of all admin/root activity. There are a lot of other steps that can be taken and out of scope for this blog post. SANS has a great paper on Protecting Against Insider Attacks and RSA has a list of best practices that you can check out as well.

If you need help securing your network/system please reach out and we can discuss in more detail.

– Suramya

October 1, 2020

Windows XP and Server 2003 successfully compiled from leaked source code

Filed under: Computer Security,Computer Software — Suramya @ 9:39 AM

Last week in a major leak the source code for Windows XP & Windows Server 2003 was leaked on the Internet via the 4chan website. Post which it propagated like wildfire across the internet via torrents & mirrors. There were some doubts cast about the authenticity of the leak but knowledgeable folks who reviewed the code claimed that the leak looked authentic.

Now a developer who goes by the name NTDEV successfully compiled Windows XP from the leaked source code. Unfortunately it looks like the XP source code is missing some important files due to which they were unable to compile critical files such as Winlogon.exe. Which makes it impossible to install the compiled Windows XP to try it out. Fortunately they had better luck with the Windows Server 2003 source code and were able to install the compiled copy on a VM successfully.

NTDEV posted a 22 min video showcasing their journey and you can check it out here if you are interested. Their Twitter feed has more information and screenshots of their process & proof.

You can probably expect a lot more information & details on the source to be published over the next few weeks as people go over the code and then start publishing their findings.

– Suramya

September 17, 2020

How HTTPS Works? Explained in a comic!

Filed under: Computer Security,Security Tutorials — Suramya @ 10:41 AM

Found a fantastic explanation of HTTPS works, what is SSL/TLS & why you should care about any of it in a easy to understand comic format. I love seeing comics like this that aim to show concepts in simple ways.

Have you ever wondered why a green lock icon appears on your browser URL bar? And why is it important? We did too, and this comic is for you!
Follow the adventures of Certificat, Browserbird, and Compugter as they explain why HTTPS is crucial for the future of the web and how it all works together.
Don’t let the bad crabs get you (you’ll know what we mean in the comic). Get to know HTTPS and why it is essential to your privacy.

Check it out at: howhttps.works

– Suramya

August 25, 2020

Using Bioacoustic signatures for Identification & Authentication

We have all heard about Biometric scanners that identify folks using their fingerprints, or Iris scan or even the shape of their ear. Then we have lower accuracy authenticating systems like Face recognition, voice recognition etc. Individually they might not be 100% accurate but combine one or more of these and we have the ability to create systems that are harder to fool. This is not to say that these systems are fool proof because there are ways around each of the examples I mentioned above, our photos are everywhere and given a pic of high enough quality it is possible to create a replica of the face or iris or even finger prints.

Due to the above mentioned shortcomings, scientists are always on lookout for more ways to authenticate and identify people. Researchers from South Korean have found that the signature created when sound waves pass through humans are unique enough to be used to identify individuals. Their work, described in a study published on 4 October in the IEEE Transactions on Cybernetics, suggests this technique can identify a person with 97 percent accuracy.

“Modeling allowed us to infer what structures or material features of the human body actually differentiated people,” explains Joo Yong Sim, one of the ETRI researchers who conducted the study. “For example, we could see how the structure, size, and weight of the bones, as well as the stiffness of the joints, affect the bioacoustics spectrum.”

[…]

Notably, the researchers were concerned that the accuracy of this approach could diminish with time, since the human body constantly changes its cells, matrices, and fluid content. To account for this, they acquired the acoustic data of participants at three separate intervals, each 30 days apart.

“We were very surprised that people’s bioacoustics spectral pattern maintained well over time, despite the concern that the pattern would change greatly,” says Sim. “These results suggest that the bioacoustics signature reflects more anatomical features than changes in water, body temperature, or biomolecule concentration in blood that change from day to day.”

Interestingly, while the setup is not as accurate as Fingerprints or Iris scans it is still accurate enough to differentiate between two fingers of the same hand. If the waves required to generate the Bioacoustic signatures are validated to be safe for humans over long term use, then it is possible that we will soon see a broader implementation of this technology in places like airports, buses, public area’s etc to identify people automatically without having to do anything. If it can be made portable then it could be used to monitor protests, rallies, etc which would make it a privacy risk.

The problem with this tech is that it would be harder to fool without taking steps that would make you stand out like wearing a vest filled with liquid that changes your acoustic signature. Which is great when we are just talking about authentication/identification for access control but becomes a nightmare when we consider the surveillance aspect of usage.

Source: The Bioacoustic Signatures of Our Bodies Can Reveal Our Identities

– Suramya

August 6, 2020

Thoughts on Cybercrime in the Covid world

Filed under: Computer Security,My Thoughts — Suramya @ 1:07 PM

The Cyber Security industry has seen a massive boost during the current pandemic, with users working remotely for the first time and permissions granted on the fly the Security teams in the enterprise have been working round the clock to ensure critical data and systems are secure. But due to the general chaos of Covid combined with the need to keep businesses running there are systems that have been less than optimally configured.

All this gives us the impression that the Cybercrime world must be thriving in the current environment. But apparently that is not always the case, the Cambridge Cybercrime Centre has released a series of reports on how the Pandemic has impacted cybercrime. The reports are a fascinating read as they show how even the criminals are facing hardships due to the pandemic. For example, below is an extract from the report on the impact on International drug trade due to the shipping disruptions caused by lockdowns.

“The initial wave of COVID lockdowns in China caused substantial disruption to international shipping,compounded by the subsequent lockdowns in the rest of the world. Despite their ‘online’ character, drugscryptomarkets (online markets for legal and illegal drugs which are accessed securely through anonymitynetworks such as Tor) are reliant on the postal and shipping services for the delivery of drugs and precursorsto suppliers and end users. We have observed, in our scraped datasets of illicit online forums and discussionboards, evidence of significant disruption of these pathways, and a range of effects on these illicit markets.At the initial peak of lockdown measures, shipping times (especially in international routes which passedthrough China) were being routinely delayed by up to three months (as reported in cryptomarket discussions).This caused significant friction to international orders for postal drug delivery, with many dealers reportingthat they were switching to orders within the same nation only, and others struggling to source supply.”

Brian Kerbs from Kerbs on Security wrote a comprehensive article on How Cybercriminals are Weathering COVID-19 and its worth a read as well.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

The same is happening for real world crime also, Jani was telling me about this article on Goa where the local drug dealers are out of job because no tourists are visiting so they all are now selling fish to survive.

Well this is all for now. Will write more later.

– Suramya

October 15, 2019

Theoretical paper speculates breaking 2048-bit RSA in eight hours using a Quantum Computer with 20 million Qubits

Filed under: Computer Security,My Thoughts,Quantum Computing — Suramya @ 12:05 PM

If we manage to get a fully functional Quantum Computer with about 20 million Qubits in the near future then according to this theoretical paper we would be able to factor 2048-bit RSA moduli in approximately eight hours. The paper is quite interesting, although the math in did give me a headache. However this is all still purely theoretical as we only have 50-60 qBit computers right now and are a long way away from general purpose Quantum computers. That being said I anticipate that we would be seeing this technology being available in our lifetime.

We significantly reduce the cost of factoring integers and computing discrete logarithms over finite fields on a quantum computer by combining techniques from Griffiths-Niu 1996, Zalka 2006, Fowler 2012, EkerÃ¥-HÃ¥stad 2017, EkerÃ¥ 2017, EkerÃ¥ 2018, Gidney-Fowler 2019, Gidney 2019. We estimate the approximate cost of our construction using plausible physical assumptions for large-scale superconducting qubit platforms: a planar grid of qubits with nearest-neighbor connectivity, a characteristic physical gate error rate of 10−3, a surface code cycle time of 1 microsecond, and a reaction time of 10 micro-seconds. We account for factors that are normally ignored such as noise, the need to make repeated attempts, and the spacetime layout of the computation. When factoring 2048 bit RSA integers, our construction’s spacetime volume is a hundredfold less than comparable estimates from earlier works (Fowler et al. 2012, Gheorghiu et al. 2019). In the abstract circuit model (which ignores overheads from distillation, routing, and error correction) our construction uses 3n+0.002nlgn logical qubits, 0.3n3+0.0005n3lgn Toffolis, and 500n2+n2lgn measurement depth to factor n-bit RSA integers. We quantify the cryptographic implications of our work, both for RSA and for schemes based on the DLP in finite fields.

Bruce Schneier talks about how Quantum computing will affect cryptography in his essay Cryptography after the Aliens Land. In summary “Our work on quantum-resistant algorithms is outpacing our work on quantum computers, so we’ll be fine in the short run. But future theoretical work on quantum computing could easily change what “quantum resistant” means, so it’s possible that public-key cryptography will simply not be possible in the long run.”

Well this is all for now will post more later

– Suramya

September 5, 2019

Criminals use AI technology to impersonate CEO for a $243,000 payday

Filed under: Computer Security,My Thoughts,Techie Stuff — Suramya @ 10:46 AM

Over the past few years AI has become one of the things that is included in everything from cars to lights whether it makes sense or not and criminals are not behind in this trend. We have AI based systems testing computer security, working on bypassing checks and balances in systems etc and now in a new twist, AI is being used in Vishing as well. Voice phishing or vishing as it’s sometime referred to is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.

Anatomy of Vishing Attack
Anatomy of Vishing Attack. Source: https://www.biocatch.com/blog/detect-vishing-voice-phishing

In this particular instance criminals used commercially available voice-generating AI software to impersonate the CEO of a German Company and then convinced the CEO of their UK based subsidiary to transfer $243,000 to a Hungarian supplier. The AI was able to mimic the voice almost perfectly including his slight German accent and voice patterns. This is a new phase of crime and unfortunately will not be a one-off case as criminals will soon realize the potential then these kind of attacks are only bound to increase in frequency. Interestingly it will also make the biometric voice authentication systems used by certain banks like Citibank more vulnerable to fraud.

To safeguard from the economic and reputational fallout, it’s crucial that all instructions are verified via a follow-up email or other alternative means i.e. if you have an email asking for a transfer/detail call the person and if you get a call asking for transfer follow up via email or other means. Do not use a number provided by the call for verification, you need to call the number in the company address-book or in your records.

Well this is all for now. Will post more later.

Thanks to : Slashdot.org for the original link.

– Suramya

Older Posts »

Powered by WordPress