Re: CRIME Re: cryptography

From: Heidi Henry (mcps@private)
Date: Fri Apr 19 2002 - 00:23:16 PDT


    Zot wrote: You might want to check critical data flows, but I'd be more worried
    about data storage than transmission (if the transmission is encrypted).
    
    1.  If the transmission is encrypted: Sophisticated attackers are known to establish encrypted channels, rendering network surveillance ineffective; however, it is still effective for proving that a communication occurred between IP addresses. If a legal case should develop, this could become a valuable link for evidence. (If I am wrong on this I am sure someone with more knowledge will correct me, which is very welcome; the technology and evidence rules in this field seem to be constantly changing.)
    
    2.  Data storage: Is it still true that PKzip compressed files have no known method to extract well-chosen passwords (not including brute-force or Beowulf cluster), or are there cracking tools available now that do not take weeks to make a successful crack?
    
    Heidi Henry
    mcps@private
    
    ----- Original Message -----
    From: Zot O'Connor
    Sent: Thursday, April 18, 2002 5:49 PM
    To: Seth Arnold
    Cc: crime@private
    Subject: Re: CRIME Re: cryptography
    
    A few points to add to the fray:
    
    1)  Things like SSL are *minimum* steps.  If a site does not even have
    SSL up and running, it tells me volumes about their *lack* of skill.
    Having it does not mean the credit card is not stored on a flat file
    available via network neighborhood, but it's a start.
    
    2)  Even weak cryptography raises the bar phenomenally.  I have done
    clean up jobs on boxes that had every single password for an ISP based
    on POP, FTP and telnet passwords.  It was in a nice neat formatted
    file.  Had the information been encrypted, it would have raised the bar.
    
    3)  So bad encryption's worst problem is a false sense of security.  Had
    the script kiddies in the box in #2 had an ssh cracker, ssl crack, or
    other, they would have had more passwords.  The ISP *might* have noticed
    the load then.......
    
    So, does this mean you have to sprint out and replace all SSL right
    now?  No.  It should be included in all future maintenance and upgrades.
    
    You might want to check critical data flows, but I'd be more worried
    about data storage than transmission (if the transmission is encrypted).
    
    
    
    
    --
    Zot O'Connor
    
    http://www.ZotConsulting.com
    http://www.WhiteKnightHackers.com
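
An added illustration of the first point in Heidi Henry's reply, not part of the original messages: even when the payload is encrypted, connection metadata still records which IP addresses communicated, when, and how much. The flow-record layout, function names and addresses below are constructed for this sketch, and mapping a port to a protocol is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow records: start time (epoch s), src, dst, dst port, bytes.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
1019200000 192.0.2.10 198.51.100.7 443 5120
1019200300 192.0.2.10 198.51.100.7 443 88211
1019203900 192.0.2.10 203.0.113.5 22 1048576
1019204000 192.0.2.44 198.51.100.7 80 900
1019207500 192.0.2.10 203.0.113.5 22 2097152
"""

ENCRYPTED_PORTS = {22: "ssh", 443: "https"}  # assumption: port implies protocol


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), src, dst, int(port), int(nbytes)


def summarize_encrypted_pairs(text):
    """Return {(src, dst, port): summary} for flows on encrypted-service ports."""
    pairs = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None, "last": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = parse_flow(line)
        if port not in ENCRYPTED_PORTS:
            continue  # cleartext flows are out of scope for this summary
        s = pairs[(src, dst, port)]
        s["flows"] += 1
        s["bytes"] += nbytes
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(pairs)


def utc(ts):
    """Render an epoch timestamp as a UTC string for a report line."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


if __name__ == "__main__":
    for (src, dst, port), s in sorted(summarize_encrypted_pairs(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst}:{port} ({ENCRYPTED_PORTS[port]}) "
              f"flows={s['flows']} bytes={s['bytes']} "
              f"first={utc(s['first'])} last={utc(s['last'])}")
```

The summary never touches payload bytes; the endpoints, timestamps and volumes are what survive encryption.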
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:41:16 PDT