Encryption

All your personal files are safe with Ubuntu 9.04

Ubuntu already included, by default, security enhancements developed by the U.S. National Security Agency, but version 9.04 of the Linux distribution now brings seamless file encryption for added protection of critical data. When activated, the option automatically mounts the encrypted home folder without asking for a password, and the user can browse and work with files at normal speed. Should the encrypted folder need to be recovered, there is a hash passphrase.

This new feature could prove useful should the computer get stolen: in case critical data was not already encrypted through Keepass or Truecrypt, the thief won’t be able to read anything from the home folder. File encryption is not unbreakable, so for added security one should combine all those different layers of security.

This should be something mandatory for all government laptops, which are particularly at risk.


Careful with SSL connections

A flaw in most browsers could allow crackers to trick the application into displaying a connection as secure when in fact it is not.

Websites that use an enhanced form of digital authentication remain just as vulnerable to a common form of spoofing attack as those that use less costly certificates, two researchers have found.

Researchers poke holes in super duper SSL • The Register


Skype for iPhone is bad news for network carriers

Founded in the Baltic area in 2003, Skype released cross-platform software for chat, VoIP and, later, video calls over a theoretically encrypted [1] network. The startup was acquired by eBay in 2005 and it steadily grew in popularity to become the world’s #1 chat and VoIP software, boasting over 300 million users. Skype doesn’t charge for calls to other Skype users, and its rates for calls to landlines are hard to beat, sometimes amounting to a meager thousandth of a dollar ($0.001) per minute.

The software has been ported to Microsoft desktop Windows, Windows Mobile, Apple Inc. OSX, GNU/Linux, FreeBSD and AmigaOS. A version for Google’s Android platform has been available since January 2009, and the company announced today that a release of the application will be available on the iPhone application store.

I had reported on an SMC Skype WiFi phone used to make €0.003-a-minute calls to landlines in Western countries. Last week I decided to subscribe to unlimited calls to Europe and a real phone number for receiving calls. I can make calls either with my SMC WiFi handset, my Windows Mobile WiFi-enabled PDA or one of my GNU/Linux laptops with an appropriate headset. All in all, it costs much less than a traditional phone line from my ISP. The Skype network is still unstable, with a few seconds of communication mash-up every 30 minutes and a communication drop every 2 hours, but the appeal of huge savings makes me bear with the flaws.

Skype for the iPhone (and the iPod Touch) is great news for Apple Inc. product owners, who will now be able to make some phone calls for free using WiFi or their subscription’s unlimited internet traffic. Needless to say, it will leave network carriers who planned to cash in on mobile phone traffic with a bitter taste. They might not let Apple Inc. get away with it.

1: Reports do suggest that in 2006 Skype agreed to implement keyword filters in order to be allowed by the authorities to run services in China. Several Western governments are talking about attempts to crack the encryption or simply putting on pressure to allow wiretapping; and the proprietary nature of Skype software does fuel suspicion over some sort of backdoor access.


Russian software cracks secure Wi-Fi

WEP used to be the most common wireless encryption standard for Wi-Fi before being replaced by WPA and WPA2, but the recent discovery of a weakness and the appearance of “password recovery” software mean that more reliable encryption standards must be devised.

US-based AccessData has been providing law enforcement and government agencies with digital forensic software intended for cracking encrypted data. Their competitor, Russian software developer Elcomsoft, has unofficially been selling password-cracking software to government staff in the USA and Germany. Elcomsoft was brought to court in 2001 for violation of the Digital Millennium Copyright Act and found not guilty. They claim their software is legal as long as the licence owner uses it on his own files. The array of software can conveniently “recover” passwords from Microsoft Office files, Adobe Acrobat documents, ZIP and RAR archives, SQL databases, Wordperfect and Lotus documents, POP3 and IMAP mail accounts, instant messenger accounts and Internet Explorer.

In January 2009, the company launched a “Wireless Security Auditor”, an application that listens to WiFi data packets between two devices and makes use of the staggering processing capacity and acceleration technology of video cards to crack the key in a few dozen hours, instead of the usual hundreds.

Basically, no data encryption method is 100% crack-proof, so the only solution for the moment is generating complex and long passwords, favoring Open-Source encryption software with the highest key size (each additional bit exponentially strengthening the password) and encrypting everything in a cascade, like Russian nesting dolls: store your critical data in an encrypted file in an encrypted folder, and only communicate it through encrypted email over an encrypted server connection over an encrypted Wi-Fi hub. Got it?

Now first things first: where did I put my old ethernet cable?


Symantec left out of netbook market

According to experts from Accenture, Gartner and the Daiwa Institute of Research, netbooks may be particularly vulnerable to crackers. Cutting costs on netbooks often means doing without optional proprietary applications like firewalls and anti-virus software, which would otherwise slow down the processor.

But when a Symantec marketing manager draws on their conclusions to advocate paid anti-virus software, it is merely laughable. The efficiency of anti-virus software has been arguable since the 2006 finding that 80% of malware bypassed the most popular AV software. That’s like playing Russian roulette with a five-bullet barrel minus one… and thinking that you’re safe. Less-advertised licensed and free anti-virus software sometimes does perform better than the major league. “So why bother paying for the premium licenses?” one might ask. On Linux, firewalls can be set up for free, an operation that still requires a fair level of computer literacy… not exactly your average user here.

The experts did however point out that crackers’ attacks tend to focus on servers or networks, so a $300 netbook with photographs of your last fishing trip and your MP3 song collection might not be their top priority. Still, Trojan horses or malware could threaten to put critical information at risk or turn the computer into part of a botnet.

Unix-based operating systems are more fool-proof by design than Windows: there is a clear separation between user and administrator mode, and in 2003 Linux only had 40 known viruses, while the Windows family had more than 60,000. So Linux-based netbooks are probably less vulnerable than Windows ones.

In any case, computer users should always apply data responsibility patterns by using privilege-limited sessions and secured and authenticated Internet connections, storing critical information in encrypted databases (Keepass) or encrypted virtual folders (Truecrypt), and ideally accepting PGP-signed emails only.
