Researches prove its possible to extract an RSA key from the noises your computer makes, the NSA foils the great BIOS plot, but we’re a little skeptical….

Then it’s a batch of your questions, our answers, and much much more!

Thanks to:

— Show Notes: —

RSA Key Extraction via Acoustic Cryptanalysis

• Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components.
• These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations.
• In the report they describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG\’s current implementation of RSA.
• The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts.
• Experimentally they demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters (13 feet) away.
• A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones.
• They have disclosed the attack to GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resisting our current key-extraction attack, were released concurrently with the first public posting of these results
• PDF Report
• Adi Shamir – Wikipedia
• Inventor of SSSS (Shamir\’s secret-sharing scheme)
• CVE – CVE-2013-4576

NSA Says It Foiled the BIOS Plot

• Called a BIOS plot, the exploit would have ruined, or \”bricked,\” computers across the country, causing untold damage to the national and even global economy.
• Debora Plunkett, director of cyber defense for the The National Security Agency described for the first time a cataclysmic cyber threat the NSA claims to have stopped On Sunday\’s \”60 Minutes.\”
• CBS suggest China is to Blame, the NSA does not confirm or deny that in the interview.
• CBS reported the “virus” would be delivered via a software update to every computer’s BIOS.
• The NSA says it closed this vulnerability by working with computer manufacturers.
• No further technical, or general details provided.
• CBS Airs NSA Propaganda Informercial Masquerading As \’Hard Hitting\’ 60 Minutes Journalism By Reporter With Massive Conflict Of Interes
• In the end, this appears to be the NSA stealing the plot from our book recommendation a few weeks ago. Mark Russinovich’s Zero Day – which is very much the same plot (Copyright March 2011), except the attackers were wealthy backers of Al Qaeda instead of the Chinese
• In the sequel Trojan Horse , China uses APT techniques to compromise computers at the UN Office for Disarmament Affairs, and alter a report about Iran’s Nuclear Weapons Program to disrupt international attempts to prevent Iran from getting Nuclear Weapons. Look for this story on the news next year…

Krebs: The Case For a Global, Compulsory Bug Bounty

• Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products
• This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products
• Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices.
• The director of research for Austin, Texas-based NSS Labs examined all of the software vulnerabilities reported in 2012, and found that the top 10 software makers were responsible for more than 30 percent of all flaws fixed.
• Even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies\’ annual revenue
• To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers.
• The questions is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations.
• The Case for a Compulsory Bug Bounty — Krebs on Security
• How many Zero-Days hit you today?

Feedback:

• How do you verify if a website is legitimate or not?
• Ghostery
• DNSSEC Validator

• Chrome Web Store – DNSSEC Validator

• IPMI

Round Up:

• Report: Bot traffic is up to 61.5% of all website traffic
• The inspiration behind many of todays tech symbols and icons
• Google Said to Mull Designing Server Chips in Threat to Intel
• Google blocks ability to search for credit cards (in hex), but snubs researcher who reported it
• DRM has always been a horrible idea
• NSA Spying costs Boeing $4.5 billion military contract in Brazil
• NSA has long had the ability to crack the encryption used by GSM phones, and the carriers have known about it
• Security Researcher Bruce Schneier leaves British Telecom
• The Year in Downtime: The Top 10 Outages of 2013