http://amtrak.bfi0.com/.
Lesson for phishers: If you want your phish to seem more legit, outsource it
to Bigfoot Interactive, which seems to lead back to Epsilon Agency Services,
who specialise in... well, phishing, but for the good guys. I bet the Russian
Business Network could do it for
Steven M. Bellovin [EMAIL PROTECTED] writes:
Remember the Clipper chip?
Clipper (or more specifically Capstone, via the Fortezza card) is a great
example of the NSA's sound engineering approach to generating random data [0].
They used a physical randomness source of an unpublished type,
On Wed, 13 Feb 2008, Dave Korn wrote:
On 11 February 2008 17:37, Crawford Nathan-HMGT87 wrote:
I'm wondering if they've considered the possibility of EMI skewing
the operation of the device, or other means of causing the device
to generate less than completely random numbers.
Not
David Wagner [EMAIL PROTECTED] writes:
Crawford Nathan-HMGT87 writes:
One of the problems with the Linux random number generator
is that it happens to be quite slow, especially if you need a lot of
data.
/dev/urandom is blindingly fast. For most applications, that's
all you need.
Alas,
From
http://www.heise-online.co.uk/security/Enclosed-but-not-encrypted--/features/110136
The specifications of the 2.5in. Easy Nova Data Box PRO-25UE RFID
hard drive case by German vendor Drecom sound promising: hardware data
encryption with 128-bit AES, access control via an RFID chip
http://news.bbc.co.uk/2/hi/business/7255685.stm
Excerpt:
An internal investigation into billions of euros of losses at
Societe Generale has found that controls at the French bank
lacked depth.
The results of the investigation also show that rogue trades
were first made back in
Ed Felten blogs on his latest research:
http://www.freedom-to-tinker.com/?p=1257
Excerpt:
Today eight colleagues and I are releasing a significant new
research result. We show that disk encryption, the standard
approach to protecting sensitive data on laptops, can be defeated
Greetings--
A new list-member here, so please forgive me if this is off-topic or
has been discussed before. However, I've recently discovered a
problem with the proof of security for the Secure Remote Password
(SRP) Protocol, and Ivan Krstic recommended that I ask about it here.
In
It seems that a disk containing records of the Irish Blood Transfusion
service seems to have been stolen in New York:
http://www.rte.ie/news/2008/0219/blood.html
Thankfully, the data was encrypted. The head of the IBTS said on
the news that there was a remote possibility of access, roughly
ANNOUNCING: Allmydata.org Tahoe version 0.8
We are pleased to announce the release of version 0.8 of allmydata.org
Tahoe.
Allmydata.org Tahoe is a secure, decentralized, fault-tolerant
filesystem. All of the source code is available under a Free
Software, Open Source licence (or two).
This
Leichter, Jerry wrote:
While trying to find something else, I came across the following
reference:
Title: Sender driven certification enrollment system
Document Type and Number: United States Patent 6651166
Link to this page:
interesting paper. but i fail to see how this could be deadly (as
the author puts it) to the disk encryption products.
This method requires the computer to be recently turned-on and unlocked.
So the only way it would work is that the victim unlocks the disks
i.e. enter their preboot password
Ali, Saqib [EMAIL PROTECTED] writes:
This method requires the computer to be recently turned-on and unlocked.
No, it just requires that the computer was recently turned on. It need
not have been unlocked -- it just needed to have keying material in RAM.
So the only way it would work is that
On Thu, Feb 21, 2008 at 12:10:33PM -0500, Perry E. Metzger wrote:
Ed Felten blogs on his latest research:
http://www.freedom-to-tinker.com/?p=1257
Excerpt:
Today eight colleagues and I are releasing a significant new
research result. We show that disk encryption, the standard
After thinking about this a bit, i have changed my views on this
attack. i think it is quite easy to perform this attack. i myself have
been in similar situations, where my personal computer could have been
easily compromised by this attack
However, the hardware based encryption solutions like
On Thu, 21 Feb 2008, Perry E. Metzger wrote:
Ali, Saqib [EMAIL PROTECTED] writes:
This method requires the computer to be recently turned-on and unlocked.
No, it just requires that the computer was recently turned on. It need
not have been unlocked -- it just needed to have keying material
Hi,
I'm one of the coauthors of the paper and I'd love to chime in.
Perry E. Metzger wrote:
Ali, Saqib [EMAIL PROTECTED] writes:
This method requires the computer to be recently turned-on and unlocked.
No, it just requires that the computer was recently turned on. It need
not have been
[EMAIL PROTECTED] (Perry E. Metzger) on Thursday, February 21, 2008 wrote:
Ed Felten blogs on his latest research:
http://www.freedom-to-tinker.com/?p=1257
Excerpt:
Today eight colleagues and I are releasing a significant new
research result. We show that disk encryption, the standard
On Feb 21, 2008, at 12:14 PM, Ali, Saqib wrote:
However, the hardware based encryption solutions like (Seagate FDE)
would easily deter this type of attacks, because in a Seagate FDE
drive the decryption key never gets to the DRAM. The keys always
remain in the Trusted ASIC on the drive.
Umm,
Ali, Saqib wrote:
After thinking about this a bit, i have changed my views on this
attack. i think it is quite easy to perform this attack. i myself have
been in similar situations, where my personal computer could have been
easily compromised by this attack
Usually when doing a demo of this
Ali, Saqib [EMAIL PROTECTED] writes:
How about TPM? Would this type of attack work on a tamper-resistant ver1.2
TPM?
The phrase is tamper resistant, not tamper proof. Depending on how
determined your attackers are, pretty much anything depending on
tamper resistant hardware will fall. As
From: David Farber [EMAIL PROTECTED]
Subject: [IP] Cold Boot Attacks on Disk Encryption -- report on
To: ip [EMAIL PROTECTED]
Date: Thu, 21 Feb 2008 16:25:43 -0500
Begin forwarded message:
From: Declan McCullagh [EMAIL PROTECTED]
Date: February 21, 2008 3:57:43 PM EST
To: [EMAIL
i think in most cases tamper-resistant is sufficient - provided the
device that can detect an attempt of tampering, and erase itself. DRAM
chips referred to in this attack are not tamper-resistant.
http://www.linkedin.com/in/encryption
On Thu, Feb 21, 2008 at 2:59 PM, Perry E. Metzger [EMAIL
Ali, Saqib [EMAIL PROTECTED] writes:
i think in most cases tamper-resistant is sufficient - provided the
device that can detect an attempt of tampering, and erase itself.
Clearly, if the anti-tamper mechanisms work, the device will not be
compromised. The problem is, such mechanisms don't
As soon as I heard about this research I had to try it out. My laptop
(Thinkpad) has an encrypted Truecrypt partition. I quickly made a
modified bootable DSL usb memory dumper, powered the machine down,
waited a minute, dumped memory, and found that I could recover passwords
from multiple
Umm, pardon my bluntness, but what do you think the FDE stores the key
in, if not DRAM? The encrypting device controller is a computer system
with a CPU and memory. I can easily imagine what you'd need to build
to do this to a disk drive. This attack works on anything that has RAM.
How