Categories
Computing

TrueCrypt Tutorial: Truly Portable Data Encryption

TrueCrypt is free software that encrypts data “on-the-fly”. You can create an encrypted hard drive, a separate partition or a directory. TrueCrypt is portable — it works on GNU/Linux and Windows. Worried about losing your valuable data when your laptop gets stolen? Don’t wait and encrypt your data now!

read more | digg story

Categories
Computing

CAPTCHA book digitizing

You have almost certainly come across a CAPTCHA before if you’ve tried to sign up for a webmail account or a forum.

A CAPTCHA is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human.

This has developed into a kind of arms race with spammers come up with better CAPTCHA solving software and organisations trying to improve their CAPTCHA generating algorithms.

Throwing themselves into the ring is reCAPTCHA with a brilliant new twist on the idea because reCAPTCHA has two words. Why? reCAPTCHA is more than a CAPTCHA, it also helps to digitize old books. One of the words in reCAPTCHA is a word that the computer knows what it is, much like a normal CAPTCHA. However, the other word is a word that the computer can’t read. When you solve a reCAPTCHA, we not only check that you are a human, but use the result on the other word to help read the book!

Categories
Computing

TrueCrypt irony

TrueCrypt is really astonishingly wonderful piece of cryptographic software and unfortunately and ironically for me it is too good at what it does.

TrueCrypt is a free and open source utility that performs on on-the-fly encryption allowing the user to create a virtual encrypted disk (TrueCrypt volume). TrueCrypt can either create an encrypted file that acts as a real disk or encrypt an entire hard disk partition or a storage device/medium, such as floppy disk or USB memory stick.

One of the best features of the TrueCrypt software is that allows you to use passwords based upon the content of files. So you designate one or more files as keyfiles and it combines that with the password you type in to create an ultra-secure unbreakable password. So say you choose the password Gazza after your favourite footballer of the 90s this would be a trivial password for a brute force attack to crack but if you were to combine it with a keyfile of an MP3 of Fog On The Tyne then it would become immeasurably more difficult.

However should you ever lose the keyfiles that you chose to use or like me forget which ones that you used the TrueCrypt volume that you have created becomes impossible to open and you lose all the data you have so carefully secured.

Luckily for me the drive that I had encrypted was merely used to back up important data for my publishing business and so I didn’t lose anything but the time it took to reformat the disk and back up all my business data yet again.

I do wonder what would have happened should I have been compelled to decrypt the volume under Part III of the Regulation of Investigatory Powers Act 2000 as clearly I really could not have done so.

Categories
Computing Security

The Psychology of Security

Bruce Schneier’s Essay The Psychology of Security

Categories
Computing

Re-writing the rules of online ID

BBC columnist Bill Thompson discovers that forgetting a password might be an opportunity for reinventing yourself.

An employee who forgot their password to log in to the corporate network would probably get a withering look from the support staff as they grovelled to have it reset.

By contrast it seems that young people who forget their MySpace logins are just as likely to make a new account as fret over their lost friends or painstakingly constructed homepage decorations.

Multiple personalities is the new black.

Categories
Computing Security

Gold standard for identity. Yeah right!

BBC News: Giant ID computer plan scrapped

Not unfortunately the scrapping of a plan for a government computer the size of a building like they had at Bureau West near where I live.

P5150072 In fact the government has announced that the proposed National Identity Register which underpins their ID Card scheme will not be created anew so as to be clean and error-free but instead will be constructed from the current databases of various government agencies.

The information will be stored in three separate databases including the Department of Work and Pensions’ Customer Information Service, which holds national insurance records, and the Identity and Passport Service computer system.

Mr Reid denied IT companies had wasted millions on preparation work for an entirely new system, saying the industry had been consulted on the move.

The government has reportedly spent about £35m on IT consultants since the ID cards project began in 2004.

“Doing something sensible is not necessarily a U-turn,” Mr Reid told reporters.

“We have decided it is lower risk, more efficient and faster to take the infrastructure that already exists, although the data will be drawn from other sources.”

So we’ll have a National Identity Register that is as full of errors as the current ones are, hardly the ‘Gold Standard’ for identity that the Home Office proudly announced it would be is it.

Interestingly the Press Release from the Identity and Passport Service makes no reference to this at all other than in passing.

This news comes as Home Office Minister Liam Byrne published a Strategic Action Plan for the National Identity Scheme and the Borders, Immigration and Identity Action Plan, which follow the wider Home Office review earlier this year and signal the countdown to the introduction of ID cards to UK citizens in 2009.

The Strategic Action Plan being the document where the new plans for the National Identity Register are laid out. Instead the press release focuses on the part of the plan that describes how the fingerprinting of foreign nationals will help secure Britain’s border and crackdown on illegal working and fraudulent access to services. Immigration Minister Liam Byrne said:

We’re determined that Britain won’t be a soft touch for illegal immigration. Compulsory biometric identity for foreign nationals will help us secure our borders, shut down access to the illegal jobs, which we know attracts illegal immigrants, and help fight foreign criminals.

But all this is completely irrelevant when we are talking about the establishment of a biometric based National Identity Register of UK citizens.

As NO2ID theorize this is about the establishment of the ‘database state’.

There is a growing list of planned systems.

* So-called ‘biometric’ ePassports that log data about your travel when used – see www.RenewForFreedom.org
* Centralised medical records without privacy – see www.TheBigOptOut.org
* Biometrics in schools – see www.LeaveThemKidsAlone.com
* Recording of all car journeys as a matter of course, using ANPR.

Categories
Computing Security

British biometric passports’ security cracked

Earlier this year the UK Passport Service (now the Identity and Passport Service) started to introduce Biometric Passports (pdf link) in an effort to vastly improve the security of the passport system. In their words

To:
• help fight passport fraud and forgery;
• help the public and the UK to fight identity fraud;
• ensure the British Passport stays one of the most secure and respected in the world;

However it seems that according to a report in today’s Guardian that these new ultra-secure passports aren’t all they are cracked up to be and that the security has been severely undermined by a number poor decisions made in the implementation of the system.

Firstly they have opted to use RFID chips to store the data in accordance to standards drawn up by the International Civil Aviation Organization. The use of RFID to store the data is bad enough but the ICAO standard also directs that the key used to access the data should be comprised of , in the following order, the passport number, the holder’s date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a “machine readable zone.”

Bruce Schneier an authority in the area of security has written a number of times about the security wreckage associated with passports containing RFIDs.

April 28, 2005 RFID Passport Security

November 03, 2005 The Security of RFID Passports

Including on August 03, 2006 Hackers Clone RFID Passports a very similar hack to the one carried out by Adam Laurie on behalf of The Guardian newspaper.

Most recently Schneier has revealed that The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has recommended against putting RFID chips in identity cards. Whether the US government heeds this advice is yet to be seen but unfortunately for us in Britain our government has already made the poor choice.

The security measures in place to prevent unauthorized access to the data held on the chip work by creating a encrypted ‘conversation’ between the chip and the reader. Interestingly they have used the Triple DES algorithm for the encryption instead of AES which was introduced to replace Triple DES in 2002 and which is much more efficient. However the choice of algorithm is a secondary concern compared with how it was implemented with a key that is comprised of non-secret information that is published in the passport itself.

As Laurie puts it so eloquently “That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat.”

Categories
Computing Security

Bruce Schneier’s analysis of electronic voting and revoting

Security expert Bruce Schneier turns his eye to the subject of voter recounts in elections and the effect of electronic voting machines.

When a candidate has evidence of systemic errors, a recount can fix a wrong result — but only if the recount can catch the error. With electronic voting machines, all too often there simply isn’t the data: there are no votes to recount.

This year’s election in Florida’s 13th Congressional District is such an example. The winner won by a margin of 373 out of 237,861 total votes, but as many as 18,000 votes were not recorded by the electronic voting machines. These votes came from areas where the loser was favored over the winner, and would have likely changed the result.

The spread of electronic voting machines which have no paper backup is of concern to many people especially when the result is of such importance as deciding who might be the next government and doubts remain to the security of the systems.

Categories
Computing Security Surveillance

Identity Theft monitoring by Garlik

The BBC reports on a new service that is designed to help users reduce their risk of identity theft through a monitoring facility. The service is kind of like the constant surveillance of the Orwellian Big Brother but where the individual is in control of the surveillance upon themselves.

The Garlik Datapatrol service has been set up by the founders of the internet bank Egg with the intention of putting users back in control of the information that is held on them in public databases that are easily accessible through the internet.

The service brings together from the internet, public databases, and Credit Reports all the personal information it can find on a user and then displays it in a simple online format. Then on a monthly basis users will receive an update summary of additions or changes to their online profile as well as highlighting any risks or suspicious activity.

By facilitating individuals access to the information that is held on them the service puts its users on an equal footing with the criminals that might seek to steal their identities and as irregularities are often the first indication of a problem the monitoring system gives users an early warning and the possibility of nipping it in the bud before any negative consequences have occurred.

My only concerns are the security of Garlik’s database and the trustworthiness of the company. They seem to have a fairly robust system to establish user’s identity and to then authenticate users accessing the personal information gathered in the server database. But it presupposes that an individual’s identifying information hasn’t already been compromised or stolen.

I can see this service being a boon for identity theft rings who have enough data to register falsely for the service in order to further the scope of their thefts by letting Garlik do the legwork as it were in accruing further information.

Garlik’s secure servers would also be a prime target for criminals and so I would hope that they have taken the security of their servers as seriously as any bank would with theirs. Is the physical access to the servers as well secured as the online access is?

My second concern would be that as a new company they haven’t had the time to build a reputation or a record of establishment of trust. Registered users will be empowering the company and placing a lot of trust in the security of the service and the authenticity and accuracy of the personal information data provided to users. Having said that there is nothing to suggest that Garlik is in any way a disreputable company it is merely my natural paranoia.

I would have more faith in Garlik presently than I would in the UK government in securing any personal information I would give them.

Garlik are currently offering free trials to people signing up for the Datapatrol service at their website. http://www.garlik.com.

People with concerns about identity theft and security online should also take a look at the following website Get Safe Online which has been set up by banks and prominent internet companies.

Categories
Computing Security

Vista security

The BBC reports that a senior Microsoft executive has promised that its new operating system will be more secure than ever.

Jean-Philippe Courtois, president of Microsoft International, said that beefing-up security was one reason behind delays to Windows Vista.

I think Microsoft should be applauded for their relatively recent commitment to the subject of security in their products particularly given their laissez-faire attitude to it up until a few years ago. But Microsoft promised the same thing about their previous Operating System release and Windows XP proved to be their least secure system ever until they beefed up the security with the Service Pack 2.

The thing about software security though is that it’s effectiveness can only be judged in retrospect because modern software is now so complicated particularly operating systems that the process used to create it inevitably introduces bugs and security holes.

So the Microsoft engineers may well have patched all the security flaws that had been exposed through previous releases and the testing of this release of Windows Vista, but there will no doubt be new holes that have been inadvertantly created that no one has even conceived of yet.

One such newly introduced security hole has been discovered by researcher Joanna Rutkowska and it’s a biggie. She describes it a blue pill a reference to the movie The Matrix and would allow a malicious hacker to completely compromise a system and the user would have no indication at all that their syetm had been compromised.

Rutkowska’s Vista kernel attack did not rely on any known bugs in Vista, which is still in beta testing. She stressed that her demonstration did not rely on any implementation bug nor any undocumented Windows Vista functionality. She characterized her approaches as “legal,” using documented SDK features.

As she says it did not rely on any known bug within Windows Vista so who knows what other security problems might have been engineered into the operating system that haven’t yet been uncovered by Microsoft’s own testers or by third party researchers.