Profile

Claire Farron
Attends Royal Holloway College, University of London
Lived in Egham, Surrey

Pinned
Whilst we've known about duplicate public/private key pairs for years (see [1]), the importance of what is being shown here is the scale of the duplication.

Nice work done by the +Information Security Group at +Royal Holloway University of London 

  #InformationSecurityGroupRHUL
  #RoyalHolloway  

[1] https://eprint.iacr.org/2012/064.pdf
 
Researchers from the Information Security Group from Royal Holloway, University of London, have discovered a slew of RSA encryption keys have been duplicated thousands of times, with one key having been utilized more than 28,000 times. The researchers... #cryptographickeys #encryption #exploits
 
+Jim Topbloke  I think that this is a combination of incompetence by some users/administrators (including a sheer lack of awareness about what or why they are implementing encryption), laziness by others that know better and a drive for functionality by business (meaning security is shunned as a severely limiting factor).

Claire Farron
Shared publicly

One step forward, two steps backward...
Encrypted storage will only be required in "future versions of Android."
 
Good for them. They've finally come to their senses.

Claire Farron
Shared publicly

Wait. WHAT!?
 
HTC just shocked the world with Vive, a hand-tracking VR headset, powered by Valve http://bit.ly/1ArRVCC
 
Towel. Not much hair though.

Claire Farron
Shared publicly

"NIST has identified the SSL v3.0 protocol [...] as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets PCI SSC’s definition of “strong cryptography,”"   <- so it's official now: use SSL -> not PCI compliant (in force as of PCI 3.1, which is coming soon, i.e. not yet)
 
It is however a symptom of a cavalier and glacial approach to security. The world has moved on. We have better algorithms. There have been many generations of products since those standards became widely deployed. It shows there is simply no effort to improve things in any real sense. I printed out the keys from our POS and they were using 1024 RSA. For a new product that may last 10-20 years, that's insane.

Claire Farron
Shared publicly

Definitely worth the share!
 
You use GPG/GnuPG to encrypt your mail? Great! We need more of that.
But we also need more people to support Werner Koch's efforts. To keep up the GnuPG development, donate now at https://www.gnupg.org/donate/index.html!

(via +Robert Sander)
Werner Koch's code powers the email encryption programs around the world. If only somebody would pay him for the work.

Claire Farron
Shared publicly

That's one way to do ransomware on a company...
 
To carry out this sneaky ransomware attack the crooks took a surprisingly low-key, annoyingly simple, and hard-to-spot approach.
 
No word on how they broke in?  I'd say something about tripwire but that depends on the level of access the crooks were able to obtain.

Claire Farron
Shared publicly

Ooh. You might want to read this if you're wondering what ciphers are available in some software :)
 
Deprecating Old Crypto in a Linux Distro: A tale of something that looked obvious but .. there's a lesson in it somewhere.

While working on my Linux distro project at work, one of the things I recently wanted to do is phase out old crypto.

Yes, we all read Bruce Schneier's text and how important it is, but nothing drives it home like reading the Guardian articles followed by OpenSSL downgrade attacks in the last year or two.

Now, nothing should be defaulting to some of the antique crypto, but the only way to know 100% for sure that the algorithms in question aren't being used is to just not compile them into the various crypto libraries of your distro.

So.. step 1 was to look at the algorithm list of openssl:

arjan@clr:~$ openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA

A few things stand out immediately.

RC4. This like seriously predates MD5, and MD5 is already suspect.

DES. Yes really. DES. In 1995 I worked as an intern at a company that made DES chips that you could use to brute force DES. In 1995, when Twin Peaks was on TV and you measured transistor sizes of a chip in micrometers, not nanometers.

MD5. The general consensus seems to be that for crypto, you shouldn't use MD5 anymore. I'm not talking about SHA1, where one can argue that existing uses are still ok, but MD5.

I decided to draw my first line there, stick to the consensus and all that.

The good news is that OpenSSL is very configurable, and it's pretty easy to say

no-rc4 no-des no-md5

on the configure line (and for good measure, I added no-ssl2 and no-ssl3).

At this point, I thought I was on a roll: removing old crypto is easy, let's finish this 15 minute project before the project meeting starts.

So now on to the bad news. And sadly, there is plenty to be had.

openssl does not even compile with the no-md5 option:

make[1]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/ssl'
In file included from s3_srvr.c:171:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
In file included from s3_clnt.c:158:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
....


OK, so MD5 is technically not insanely broken for small packets, and it's just consensus, not so much hard-earned proof, so maybe deprecating MD5 is a project for another day.

openssl does not even compile with the no-des option:

make[2]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/apps'
../libcrypto.so: undefined reference to `EVP_des_ede3_wrap'

or when you fix that, it does not pass its test suite (I'll spare you the details). 

Now here I had to draw a line. 20 years ago DES was not secure, never mind today. I wouldn't be surprised if someone will chime in and say that their smartwatch can brute force DES in realtime now.
So.. fixing it is.

I suppose the good news is that no-rc4 went just fine.

The success story then, with the list of crypto from openssl after no-rc4 and no-des:

$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA

no DES, no RC4.

But, as it was a Monday, the misery only started there (Dave Jones should have taught me that misery is like lawyers, it always comes in pairs).

I threw the no-rc4/no-des package into our build system, and in no time the world came apart on me. Half the distro broke!
Well not half, but several very important pieces.

It turns out that components like curl, libcurl (so anything speaking http), wget, openssh, mariadb, ...

all hard-code DES usage. Now, I'll give curl credit, with creative use of configure options, you can make it not compile DES in, but you can't then make it pass its testsuite.

There must be a lesson in here somewhere.

One, our team will be fixing these projects to not require DES (or RC4), and we'll send those patches to the upstream projects of course.

But more, and this is a call to action: if you're working on an open source project that uses crypto, please, please don't open-code crypto algorithm usage. The algorithm may be outdated at any time and might have to go away in a hurry.
And if you have to use a very specific algorithm anyway (for compatibility or otherwise), at least be kind and make a configure option for each algorithm in your project, so that when things go bad (be it in 5 or 20 years), it's very feasible to disable the algorithm entirely.
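Added here as an example, not part of Arjan's post or of the distro's build scripts: a small POSIX shell check that audits a cipher-suite listing for the legacy primitives the post compiles out (RC4, single DES and 3DES, MD5). The two sample listings are constructed excerpts of the before/after `openssl ciphers` output quoted above, and the helper names (weak_ciphers, count_weak, is_clean, report) are this example's own. The live check at the end uses the documented cipher string ALL:COMPLEMENTOFALL, because a bare `openssl ciphers` prints only the DEFAULT list and would hide suites that are compiled in but excluded from the default.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenSSL cipher-suite
# listing for the legacy primitives the post compiles out (RC4, DES/3DES, MD5).
# Input is the colon-separated string that `openssl ciphers` prints.

# weak_ciphers LIST -> one offending suite per line; prints nothing if clean.
# A primitive only matches as a whole dash-separated token, so IDEA-CBC-SHA
# (contains "DEA", not "DES") and DHE-DSS-* suites are not false positives.
weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | grep -E '(^|-)(RC4|DES|3DES|MD5)(-|$)' || true
}

# count_weak LIST -> number of offending suites (0 when clean).
count_weak() {
    weak_ciphers "$1" | grep -c . || true
}

# is_clean LIST -> exit status 0 if no legacy suites are present, 1 otherwise.
is_clean() {
    [ "$(count_weak "$1")" -eq 0 ]
}

# Constructed samples: short excerpts of the two listings quoted in the post,
# before and after building OpenSSL with `./config no-rc4 no-des`.
before='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:DES-CBC-SHA:IDEA-CBC-SHA'
after='ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:SEED-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA'

# report LABEL LIST -> human-readable summary plus the offending suites.
report() {
    printf '%s: %s legacy suite(s)\n' "$1" "$(count_weak "$2")"
    weak_ciphers "$2" | sed 's/^/    /'
}

report "before no-rc4/no-des" "$before"
report "after  no-rc4/no-des" "$after"

# Live check against the installed build, if there is one. A bare
# `openssl ciphers` shows only the DEFAULT list; ALL:COMPLEMENTOFALL lists
# every compiled-in suite, which is what matters when the goal is
# "not compiled in at all" rather than "not enabled by default".
if command -v openssl >/dev/null 2>&1; then
    report "installed openssl (ALL:COMPLEMENTOFALL)" \
        "$(openssl ciphers 'ALL:COMPLEMENTOFALL' 2>/dev/null || true)"
fi
```

Run it after each rebuild of the library; a non-zero exit from is_clean is the signal that a no-rc4/no-des build did not actually drop a suite, or that a different OpenSSL ended up on the PATH.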

Claire Farron
Shared publicly

Anyone remember the UEFI/Windows 8 storm before Windows 8 was released? Well, it's about to start again.
Windows 10 hardware must support Secure Boot and won't have to let you turn it off.
 
+Claire Farron
UEFI vs BIOS: I really cannot see the advantages for consumers. For corporations and business it has great benefits, but not for anyone else.
Mouse control in the BIOS with UEFI, really. Last time I checked, many people rarely if ever went into their BIOS to change anything.
Today a basic enumeration and initialization of the system is easily done, and this is the purpose of the BIOS/UEFI, nothing more. Putting a network stack into it and calling it UEFI is a security risk in itself.

Clock speeds, as in overclocking, do not need to be set in the firmware; they can be controlled from userspace.

TPM is a great technology and UEFI is the only way to initialize it. The crypto keys need to be set up by the consumer, not the manufacturer, and this again is where the problem really resides. Intel have a great new random number generator for encryption built in, so I really see no point in having this done by the manufacturer. It can be a few simple steps after purchase by the consumer.

You buy a TPM and they say you claim ownership, which really means you register title to the key, but the key is always owned by the vendor.

What we really need is blank TPM chips that we the consumers can burn our own key into. At the moment they will not sell us blank new chips unless we find some on the grey market. Most laptops have them soldered onto the boards, making it very hard to change. It needs a module socket on every hardware device made. Only a warrant and you appearing before a court would enable decryption.

Claire Farron
Shared publicly

Ooh.
 
This story is so crazy it got "Taylor Swift's" (@SwiftOnSecurity) attention.
Very interesting!
 
With some of the rhetoric I'm hearing on  Net Neutrality, I think it's appropriate to dig out this post again:

https://medium.com/the-nib/how-net-neutrality-works-91df3e968a48
Taylor: I'd like to understand where my logic and understanding of the problem is lacking.

Not attempting to 'appeal to authority', but I will say my logic and understanding of the problem is based on running a startup ISP for 6 years, followed by 3 years designing about 35k miles worth of fiber backbone for a major carrier. I also ran the R&D Lab for that carrier, and got to spend more than a small amount of time with vendors who were inventing the stuff that runs all the transport gear over fiber now.

 I then spent 8 years doing metro fiber deployments, designs, as well as product development for another large telecom company.

I have negotiated peering and transit agreements, right of way access, building access, and done all the math for 'when does this end up paying for itself', professionally, for a very long time.  I have watched over the years as the company Netflix bought mass amounts of bandwidth from at a cut rate, has repeatedly been a plague on the rest of the network, due to their crappy business practices.

They were AGIS, once upon a time, then COGENT (who was notorious for getting de-peered from major carriers about every 2 years, because they refused to abide by their peering agreements properly), and I haven't seen much to make me think they aren't above seriously overselling everything they have, if they can get away with it, to the point their network interfaces are overloaded. 

When you consider the nature of HOW they get peered into a lot of networks, the fact the Netflix chose them as a primary carrier really speaks loudly to why you see the 'facts' people bandy about.

Don't even get me started on the folks who have 'proven' those evil cable companies are rate limiting Netflix, because they got a VPN connection that goes to ANOTHER CARRIER (that just happens to have a direct peering connection with said cable company), and Netflix worked fine from there. No network engineer that understands how the network works would ever buy such nonsense, especially since it's demonstrably untrue, much in the same way the 'transfer speed' chart being passed around is amazingly poor 'science'.

Expecting people to make good decisions with bad data is futile. But if you have an axe to grind, maybe that was the whole point, right? :)  
 
It's a #showyourdesktopfriday , after an absence of a (couple of?) week(s).

Whilst I love the dark Numix themes, there comes a point when not being able to see your battery/volume and network icons for a length of time is just going too far.

So, this week, it's changed. Whilst it's supposed to be the Mist GTK theme, I'm pretty sure the panels aren't supposed to be transparent[1]. Oh well, at least I can see all my icons now, and I'm kinda liking transparent panels.

[1] My guess is that MATE 1.9 GTK3 has no idea what to do, so it's made the panel transparent.

#showyourlinuxdesktopfriday
#mateGTK3  
It is beautiful, your presented colors. MAG
Work
Occupation
Student
Places
Previously
Egham, Surrey
Story
Tagline
Loving Linux and Slaying the Undead :D
Introduction

I am Claire, just finished my second degree in Mathematics and going on to a Masters in Information Security (second Masters, third degree) in September.

Oh and guys, if you're following me in the hope of snagging a hot chick, forget it. I'm not interested.

Education
  • Royal Holloway College, University of London
    MSc Information Security, 2014 - present
Basic Information
Gender
Female