Archive for the 'FIPS' Category
Snowden-Manning Heros?

DISCLAIMER: I have no first hand knowledge of the NSA PRISM program.  This is just my personal opinion of Edward Swowden’s release of classified information and the impacts.

What is PRISM:

PRISM is the code name for the data collection program which was born out of the Protect America Act.

Recently Mr. Edward Snowden released classified information to the international media and fled the U.S.  He was working on the PRISM program and felt that the right thing to do was to tell U.S. citizens about their loss of privacy.



SHH!! Don’t tell anybody this.. but privacy has BEEN gone if you are on Facebook, Google or any other social network.  These organization are storing our private data.  But what do these organizations do with that data?

  • Do they try to protect your data?
  • Do they sometime release it to third parties?
  • Can certain data you store on their system be used against you in a court of law?
  • All of the Above 🙂

Encrypt your data.  That is the only real way to have privacy to a trusted party.   Don’t use FB or Google for stuff you want hidden.

The Need for Some Sort of PRISM:

Spies get a very very bad rap lately.  Analysts are unsung heros.   It that world nothing is what it seems.  The media presents one side of everything.  You have to dig and cross reference to get facts.  Intelligence provides a proactive answer to security.  I am speaking from the perspective of someone who has done security defensively.  There is a need for gathering data within the U.S. infrastructure.  Once data is gathered, it can be correlated to detect patterns of potential threats.

So I think we MUST have something like PRISM (especially in the US) due to the exposure of our assets and the subsequent likelihood of attack. We have a high risk.  And the greatest risk is from INSIDERS (ironically enough PRISM cannot protect itself).

There are three main issues with the programs current setup:

1.  Lack of Oversight & Transparency: There seems to be very little transparency and  oversight that represents US citizens regarding privacy and controlling how far the government can go.  US Senators are led away from what is really going on.

2.  Total Information Awareness:  This system may be too DAMN powerful as far as what it is capable of.  In fact, it seems to be like using GOD Mode 24/7 to gather information.  Snowden mentioned that it can track ANY email.. is this on a whim?  does there need to be some sort of probable cause or “reason to believe” or is this left to the discretion of the guy with his finger on the button.. this leads to the next issue..

3. The Patriot Act II + Protect America Act =  Its too DAMN politically powerful.  This program has the legal backing to do anything with NO checks and balances.


Would I call Snowden/Manning heros/martyrs?  I would not group Snowden with Manning.  The information that Snowden released (so far) is showing a the capability of NSA spying (something that was done by whistle blower William Binney in 2002).  PVT First Class Bradley Manning leaked a lot of war material that risked a lot of people’s lives:

videos of the July 12, 2007 Baghdad airstrike and the 2009 Granai airstrike in Afghanistan; 250,000 United States diplomatic cables; and 500,000 army reports that came to be known as the Iraq War logs and Afghan War logs. It was the largest set of restricted documents ever leaked to the public. —

The problem with this is that it actually endangered the lives of informants, and some people that were on the ground in Afghan/Iraq.  Manning fucked up big time.  Snowden is a hacktivist who will have to spend sometime in prison or in Iceland evading the US government unless the American public rallies to sway the politicians.

Whistleblower Protection:

My hope is that there is due care taken on this issue.  Because there is a real concern regarding the Constitution, Privacy and uncheck powers of the government.  If not, perhaps the next administration will take up the call of the people.  SarbanesOxley Act of 2002 has a Whistleblower Protection Act that would be helpful if such a law could apply to Snowden.  I am not so sure about that.

Transparency & Accountability

I know their needs to be transparency and accountability. But I think its naive to think that we should release all information on all classified data to the world as the Wikileaks crowd believes.  


Organizations & States have an obligation to maintain Confidentiality of critical data.

That means databases with witness protection programs must be kept Confidential, bank transactions must be protected..

Nations have some serious enemies (ESPECIALLY the US).  The US governments duty is to protect its people from those enemies (foreign or domestic).

Consider this:  Certain information on the physical/logical locations of weapons systems, pattens on lethal biochemicals, information on the capabilities of a nation are very effective tools in the hands of really bad people.

Its naive to think that opening up all classified data is going to set the world free.  I wish humanity was in a kinder, gentler situation.. but the reality is some crazy people want to kill as many people as possible.

Yes!  I agree that governments with unrestricted power can be MUCH more dangerous.  Some transparency with check and balances are necessary.



The post modern war conflict is a fight over ideology. Its less about my nation versus your nation and more and more about belief systems.  

RIGHT NOW there is someone with the intent to kill as many people as possible.  With the capability and opportunity they would strike.  There IS an enemy and they are anywhere and everywhere.  You can no longer point at a map and say “All these people are my enemy.”

Now there is an enemy willing to kill you over what you believe, what you represent and what they think you are.  And more than likely, THEY are living in your city.   Who are “THEY”?

Figuring out who THEY are.. is where data mining and correlation comes in.

The threat-source can be from ANY country, race, creed, or religious faction. They are more and more likely to have a citizenship in your country for the sake of having free reign to make the most damage on the most people that represent what they seek to destroy.

Its sounds crazy until a bomb goes off in the middle of a Boston Marathon with the attackers on their way to Time Square.  Luckily, there was surveillance to help deter further killings.

How do we fight against these threats?
Threats can be detected via patterns within information.

Solution:  The government should allow the program manager of the system to explain why its necessary, provide proof of its usefulness.  Limit the use and extent of PRISMs power.

I hope the president will listen to the Internet community on this.  I hope that some political party will hear the cries of thousands of potential constituents then take an intelligent look at the public’s concerns.  Realistically, the American public voted on the reps that backed the laws that created this system.  They accepted it by proxy.  But the shock is from the alleged reach of this program.  Its too bad it took Snowden is risking years away from home and possibly prison for the US to wake up and start talking about something that was leaked years ago.

CISCO LEAP (lightweight Extensible Authentication Protocol) Weak?

Light weight EAP is Cisco's proprietary version of Extensible Authentication Protocol (EAP, used mainly for wireless LANs).  Cisco graciously allowed vendors to support LEAP using Cisco Certified Extenstion (CCX). 

Cisco owns about 60% of the wireless market with 46% of those using Light Weight Extensible Authentication Protocol according to the research group nemertes. 

HAZZAAA!! Cisco is secure…

(except against Dictionary Attacks)

With such a large piece of the wireless market using LEAP, Cisco had sucessfully advertised LEAP as a secure protocol.  Unfortunately, LEAP is weak against Dictionary Attacks (Brewin).

At DEFCON 11, on August 1, 2003, Joshua Wright did a presentation on the weakness of LEAP


Here is Cisco's response to Leap Dictionary attacks:

To help our customers respond to the possibility of dictionary attacks, Cisco strongly recommends that all of our customers to review their security policies and institute the previously published best practices that are outlined below and in the Cisco SAFE White Papers.

Use a strong password policy (as detailed below) and periodically expire user passwords (recommended at least every three months) giving users advanced warning to change passwords before they expire.

If unable to implement a strong password policy, consider migrating to another EAP type like EAP-FAST, PEAP or EAP-TLS whose authentication methods are not susceptible to dictionary attacks:

EAP-FAST is an authentication protocol that creates a secure tunnel without using certificates.

PEAP is a hybrid authentication protocol that creates a secured TLS tunnel between the WLAN user and the RADIUS server to authenticate the user to the network.

EAP-TLS uses pre-issued digital certificates to authenticate a user to the network.



“1 month of audits by l33t security companies: No vulnerabilities
1 month of architecture research by CCIE's: No vulnerabilities
2 days of hacking by DaBubble, Bishop, and Evol: Root.
There's some things that fackers should audit (WEBAPPS) for everything else, get a real hacker.” — SecurityFocus

Why doesn't Cisco become more hacker friendly.  They pissed off the Security Profesionals and Hackers alike with that CiscoGate fiasco, don't have any cool hacker parties at the Defcon.. I mean what is the deal, John Chambers?! 

John, I doubt you will ever read this blog, but here goes anyway, I think that Cisco has great products.  I believe in Cisco's amazing engineering, but if you guys don't aggressively attack security issues PROACTIVELY, you will drop from first class to third class quickly.  I'm not trying to tell you how to run cisco, I'm just saying, why not use hackers and their finding to your advantage. 

Take the IE browser as an example: they used to own 95% of the market, consumners got so fed up with its lack of security that now Firefox (co-created by Blake Ross Intern/Hacker) is doing something not even Netscape could do.  



EAP. RFC 2284. Extensible Authentication Protocol.

EAP, Extensible Authentication Protocol Wiki.

George C. Ou. Leap: A looming disaster in Enterprise Wireless LANs.

nemertes, Cisco Warns its WLAN Security can be Cracked.

Brewin, Bob. Cisco Warn its WLAN Security can be Cracked.

Cisco, Abusing 802.11: Weaknesses in LEAP Challenge/Response. Defcon 11/2003

Cisco. Cisco Response to Dictionary Attacks on Cisco Leap.

Securing Sensitive Data: Understanding FIPS

Every want to know more about the Federal Information Processing Standards (FIPS)? ME NEITHER! Here it is.

With technologies like wireless snowballing into a cultural phenomenon we suddenly can not live without, Federal Information Processing Standards are even more important.

If you are lucky enough to not have to know what FIPS I'll share some of the pain in plain english.  FIPS are all the federal documents addressing how  sensitive data will be processed.  Without these standards any government agency could use any kind of crypto they wanted with no regard of whether or not it is a SHA-1 that has just been cracked by the Chinese

See more FIPS

read more | digg story