Time for some quickies…
—
This short article seemed in line with some of my ramblings here (e.g., this and this), albeit quite sparse.
Enterprises must invest more heavily in staff training and social engineering tests to ensure corporate data cannot be compromised by outsiders who trick their way into the company, according to experts at this years ISSE event in Warsaw.
I discussed training and testing in a long ramble, where I sort of combined the training and testing into one service. I thought along the lines of utilizing testing to not only monitor the effectiveness security efforts (including training) and to identify security strengths and weakness, but also to help tailor the training to a particular organization based on real feedback and to provide relevant examples during the training that have a strong impact on attendees of training. The third part part of this ramble covers these thoughts in a messy fashion.
Now, pull the results of these attacks into your security training. Will there be an impact?
Well, I think so. You don’t quickly forget seeing yourself and/or those around you up in lights, as it were, and the attacks can certainly be used to increase the sense of responsibility felt by every employee. The demonstrations hit home because they can be related to – the attacks happened to you, your neighbors, your community. Whether the attacks succeed or fail, they amount to a shared experience for the organization, and teach people their importance to the security of their organization.
The next paragraph of that article goes on to say…
Sharon Conheady, a consultant in social engineering for consultancy Ernst & Young, explained that the scale of the problem is often underestimated by firms, because many are unaware it is even going on. She revealed criminals are using tools such as Google and company web sites to research and gather information about a particular firm, before conning their way into the building with the aim of stealing sensitive data.
I talked about this sort of intelligence gathering back a few months ago in this post.
Mapping out organizations is often one of the tools used in social engineering, and there is a wealth of information to be gathered from OSINT and HUMINT. For example, when you can talk the organizational lingo, it is much easier to convince people within that organization you can be trusted.
Of course, while I like playing with in person attacks (with a bit of a focus on beauty) and would wager that conning one’s way into many a building is quite trivial, physically entering a place and/or interacting with people can be a high risk game. As such, phone calls, email/IM, etc. might be the more popular, safer mediums here for most attackers.
So, I’d be curious to know the “scale of the problem” out there in the real world. I know I play with this in some ways, but not enough to have generalizable, concrete numbers. Perhaps the presentations on which this article was based had some detail here.
In any case, I think the testing and training mentioned here can be applied equally well.
(That reminds me – just entering my reading queue, “Choices, Values, and Frames” edited by Daniel Kahneman and Amos Tversky.)
-
Since lots of FIPS people visit this blog, I thought pointing out this paper might be useful, which looks at the security properties of the underlying primitives utilized in the PRNGs recommended by NIST in SP 800-90 in relation to the security of the output of the said PRNGs. Their conclusions are as follows.
In general, block cipher DRBG should not be used in any circumstances. If block cipher DRBG is currently implemented, then, if possible, one should change the DRBG immediately; otherwise, one should be certain that the outputs generated are as short as possible relative to the output block size of the block cipher used. The other three DRBGs are secured under the current knowledge we have about the underlying mechanisms. Elliptic curve DRBG is the most computationally expensive DRBG. However, it is also the one that is the best understood. ECDLP has been researched for many decades and is still believed to be a hard problem, whereas many hash functions are failing collision resistance as time passes. Two major advantages elliptic curve have over hash or HMAC based DRBG are that the maximum length of output is significantly greater and that it is a number theoretic based instead of heuristic based. If elliptic curve computations can be done as efficiently as hashing (via improve algorithms or hardware), then elliptic curve DRBG is currently the best DRBG out of the recommendations from NIST.
If elliptic curve DRBG is implemented, it is necessary to not follow the NIST generation process exactly due to the poor choice of truncation function1. Refer to Appendix B of [4] for more detail on TPP.
A few other cares must be taken before a DRBG is implemented. See Appendix C for a brief discussion on additional aspects to consider.
FYI, I think the block cipher based PRNGs (namely the ANSI X9.31 Appendix A.2.4 PRNG and its NIST derivatives) are the most commonly implemented in PRNGs in the FIPS world due to their simplicity and open source availability. A quick scan of this list might confirm or deny that.
Update: I haven’t directly dealt with modules that implement the EC based PRNG recommended in 800-90, but, before you do undertake such an implementation, you may want to take note of these slides. [via Schneier commentary]
On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng
Conclusion
• WHAT WE ARE NOT SAYING:
NIST intentionally put a back door in this PRNG
• WHAT WE ARE SAYING:
The prediction resistance of this PRNG (as presented in NIST SP800-90) is dependent on solving one instance of the elliptic curve discrete log problem.
(And we do not know if the algorithm designer knew this before hand.)
-
I’ve mentioned remailers on here, so I thought this might interest some of you. It sounds like the mixmaster and mixminion remailer networks have suffered from a bit of a flood in traffic, malicious or otherwise.
The Mixmaster flood we saw in the last two weeks
is unprecedented, as volume of mail that flow
*successfully* throught the remailer.
Most trafficked ones remailers a tenfold raise of their
normal traffic for days; George peaked as 60K message
a day.
Nothing major it seems, but it did reinforce the need for a new release of mixminion.
Mixminion 0.0.8alpha3 is now available. It fixes a bug that crashed some servers over the last month; if you’re running a server, you should upgrade. There are some other small bugs fixed too.
Anyway, I thought these words important.
In the mean while, if people can post stats about the flood, and if someone wants to port my timestamp hack to Mixminion and start recording the rate at which these messages are arriving and share that data, it may help. (Just don’t do any kind of logging that could reveal identity/break anonymity. Let’s hold remop ethics to a higher standard than some recent Tor operators have shown.)[1]
-
Finally, I found this a bit interesting.
CAPE CANAVERAL, Florida (Reuters) – Web search leader Google Inc. will sponsor a $30 million competition for an unmanned lunar landing, following up on the $10 million Ansari X Prize that spurred a private sector race to space.
Of course, I must point out Koman’s Kings Of The High Frontier is sitting on my bookshelf.
.