Free Republic

The growing use of encryption software -- like Microsoft's own BitLocker -- by cyber criminals has led Microsoft to develop a set of tools that law enforcement agents can use to get around the software, executives at the company said...Microsoft first released the toolset, called the Computer Online Forensic Evidence Extractor (COFEE)...Microsoft gives the software to agents for free.

Security approach common on Vista, Apple and Linux laptops The disk encryption technology used to secure the data in your Windows, Apple and Linux laptops can be easily circumvented, according to new research out of Princeton University. The flaw in this approach, the researchers say, is that data previously thought to disappear immediately from dynamic RAM (DRAM) actually takes its time to dissolve, leaving the data on the computer vulnerable to thievery regardless of whether the laptop is on or off. That's because the disk encryption key, unlocked via a password when you log on to your computer, then is...

Today eight colleagues and I are releasing a significant new research result. We show that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. We demonstrate our methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux. The research team includes J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Our site has links to the...

A recently released tool that allegedly was designed to help al-Qaeda supporters encrypt their Internet-based communications is a well-written and easily portable piece of code, according to a security researcher who has analyzed the software.

An Arabic-language Web site hosted on a server located in Tampa, Fla., is apparently offering a new version of software that was designed to help al-Qaeda supporters encrypt their Internet communications. The new encryption tool is called Mujahideen Secrets 2 and appears to be an updated version of easier-to-crack software that was released early last year, said Paul Henry, vice president of technology evangelism at Secure Computing Corp. in San Jose. The tool is being distributed free of charge on a password-protected Web site that belongs to an Islamic forum known as al-Ekhlaas, according to Henry and a blog posting...

A couple of years ago, Michael T. Arnold landed at the Los Angeles International Airport after a 20-hour flight from the Philippines. He had his laptop with him, and a customs officer took a look at what was on his hard drive. Clicking on folders called “Kodak pictures” and “Kodak memories,” the officer found child pornography. The search was not unusual: the government contends that it is perfectly free to inspect every laptop that enters the country, whether or not there is anything suspicious about the computer or its owner. Rummaging through a computer’s hard drive, the government says, is...

An international team of mathematicians announced in May that they had factored a 307-digit number—a record for the largest factored number and a feat that suggests Internet security may be on its last legs. “Things are becoming less and less secure,” says Arjen Lenstra, a computer scientist at the École Polytechnique Fédérale (EPFL) in Switzerland, who organized the effort. Messages in cyberspace are encrypted with a random 1,024-bit number generated by multiplying two large primes together. But if hackers using factorization can break the number into its prime multipliers, they can intercept the message. Factorization currently takes too long to...

Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency. Generating random numbers isn't easy, and researchers have discovered lots of problems and attacks over the years. A recent paper found a flaw in the Windows 2000 random-number generator. Another paper...

Canadian encryption vendor Certicom yesterday filed a wide-ranging lawsuit against Sony, claiming that many of the products offered by the electronics giant infringe on two Certicom patents. This might sound like business as usual until you realize what's being targeted: AACS and (by extension) the PlayStation 3. Certicom has done extensive work in elliptic curve cryptography (ECC), and the patents in question build on this work. The patents have already been licensed by groups like the US National Security Agency, which paid $25 million back in 2003 for the right to use 26 Certicom patents, including the two in the...

Excerpt - The folks at Digg.com have let the social news genie out of the bottle, and now they can't control it. Since the HD-DVD encryption code was discovered and published, readers at Digg have been repeatedly submitting stories with the 16 digit hex code in the titles and bodies. Just as quickly as these posts crawl up the Digg charts, admins seem to be deleting them. Just search Google for 09 F9 and you'll find the key. Will AACS send a Cease and Desist to InfoWorld because I posted the text "09 F9"? If so, we might as well...

TAIPEI—Within four years, the U.S. government will cease to use SHA-1 (Secure Hash Algorithm) for digital signatures, and convert to a new and more advanced "hash" algorithm, according to the article "Security Cracked!" from New Scientist . The reason for this change is that associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology, and her associates, have already cracked SHA-1. Wang also cracked MD5 (Message Digest 5), the hash algorithm most commonly used before SHA-1 became popular. Previous attacks on MD5 required over a million years of supercomputer time, but Wang and her research team obtained...

"Second Life," the fast-growing online site where hundreds of thousands of people play out fantasy lives online, has suffered a computer security breach that exposed the real-world personal data of its users. Linden Lab, the San Francisco-based company behind the "Second Life" site, said in a letter to its 650,000 users this weekend that its customer database, including names, addresses, passwords and some credit card data, had been compromised. All users--or residents in "Second Life" parlance--are being required to request a new password. Some 286,000 residents have used the site in the past 60 days, according to a count on...

Two Atlanta-area men met with Islamic extremists in Toronto, where they discussed "strategic locations in the United States suitable for a terrorist strike," according to an FBI affidavit made public Friday. Syed Haris Ahmed and Ehsanul Islam Sadequee -- U.S. citizens from the Atlanta area -- met with at least three other targets of FBI terrorism investigations during a trip to Toronto last month, according to the affidavit. The affidavit said the men discussed attacks against oil refineries and military bases. They also planned to travel to Pakistan for military training at a terrorist camp, which authorities said the 21-year-old...

INTELLIGENCE OPERATIONS: Phone Taps Just Got Impossible April 12, 2006: Eavesdropping on phone calls just got a lot harder. Phil Zimmermann, the guy who invented PGP encryption for Internet mail, has developed a similar product, Zfone, for VOIP (telephone calls over the Internet). Zfone, like PGP, is free and easy to use. PGP drove intelligence agencies nuts, because it gave criminals and terrorists access to industrial grade cryptography. PGP doesn't stop the police or intel people from reading encrypted email, but it does slow them down. Zfone, however, uses stronger encryption. This means more delays, perhaps fatal delays, in finding...

BEIJING (AP) - The world industrial-standards association has rejected China's controversial wireless encryption standard for global use, news reports said Monday, dealing a blow to Beijing's effort to promote its own standards for computers and telecoms. China is promoting its WAPI system in a campaign to reduce reliance on foreign technology and give its companies a competitive edge. Members of the International Organization for Standardization rejected WAPI in favor of an American standard known as 802.11i in balloting that ended March 8, the U.S.-based electronics industry newspaper EE Times and the Chinese government's Xinhua News Agency said. But Chinese officials...

UK officials are talking to Microsoft over fears the new version of Windows could make it harder for police to read suspects' computer files. Windows Vista is due to be rolled out later this year. Cambridge academic Ross Anderson told MPs it would mean more computer files being encrypted. He urged the government to look at establishing "back door" ways of getting around encryptions. The Home Office later told the BBC News website it is in talks with Microsoft....

New 'spy' cell phone costs $2,500 06/11/2005 13:59 Russian Federal Security Service (FSB) has unveiled a cell phone at the International Show of Military Equipment, Technologies, and Arms VTTV-Omsk-2005 held in the city of Omsk. The special cell phone SPM-Atlas (M-539) was developed by Atlas Research and Development Center under the FSB. It is designed for scrambling voice data transmission. According to a representative of the FSB, the phone is already on sale in Moscow cell phone stores, its retail price is $2,500, Newsru.com reports. Western data encoding algorithms used to ensure the safety of cell phone conversations have not...

A Minnesota appeals court has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent. Ari David Levie, who was convicted of photographing a nude 9-year-old girl, argued on appeal that the PGP encryption utility on his computer was irrelevant and should not have been admitted as evidence during his trial. PGP stands for Pretty Good Privacy and is sold by PGP Inc. of Palo Alto, Calif. But the Minnesota appeals court ruled 3-0 that the trial judge was correct to let that information be used when handing down a guilty verdict....

Internet security takes a hit Report says computer-code experts concerned after flaw discovered in popular encryption technique. NEW YORK (CNN/Money) - The discovery of a crack in a commonly used Internet encryption technique raised concerns among government agencies and computer-code experts, according to a report by The Wall Street Journal. "Our heads have been spun around," Jon Callas, chief technology officer at encryption supplier PGP Corp., told the newspaper. The technique, called a "hash function," has been commonly used by Web site operators to scramble online transmissions containing credit-card information, Social Security numbers and other personal information. Hash functions were...

Microsoft RC4 Flaw One of the most important rules of stream ciphers is to never use the same keystream to encrypt two different documents. If someone does, you can break the encryption by XORing the two ciphertext streams together. The keystream drops out, and you end up with plaintext XORed with plaintext -- and you can easily recover the two plaintexts using letter frequency analysis and other basic techniques. It's an amateur crypto mistake. The easy way to prevent this attack is to use a unique initialization vector (IV) in addition to the key whenever you encrypt a document. Microsoft...