Blog Archives

Disturbing Trends Across the Pond

Two convicted for refusal to decrypt data

Since October 2007 when the refusal to disclose decryption keys was made criminal in the UK, the buzz around the smallish digital forensics research community has been alarm. Security researcher, by definition always

Posted in Digital Forensics, Law

Microsoft Office RC4 Decryption

Microsoft Office has several available cryptographic options for encrypting Office documents. In the 97-2003 doc format the RC4 stream cipher with a 40-bit key is used by default. The 40-bit key was chosen at a time when export restrictions on

Posted in Computer Science, Hacks, Cracks, and Attacks

Users are the weakest link

Not a week goes by without some new problem surfacing in day-to-day communication security. The newest stems from a Black Hat talk by Moxie Marlinspike of thoughtcrime.org. This attack is not sky-is-falling, immediate-action-required bad, but is instead of the depressingly presentable variety. Moxie’s new attack is actually quite elegant and has a retro vibe to it in exploiting the most vulnerable link in any security chain: the user.

His setup for the attack examines website design as it relates to SSL security. He observes that users do not type HTTPS themselves, but rather encounter it from HTTP pages, such as login boxes which post to HTTPS URLs. Separating the feedback mechanisms into positive and negative, he also notes that triggering the positive mechanisms (little locks, changing colored address bars, etc.) is not so bad, while triggering the negative mechanisms (invalid security certificate, problem encountered with the website’s certificate, etc.) is a game killer.

Posted in Hacks, Cracks, and Attacks