This week the Federal Reserve Bank of St Louis confirmed earlier rumours that they had been victims of a domain name server hijacking attack which compromised a number of user credentials related to their research services and products. The Bank has responded by resetting user passwords and emailing subscribers to alert them to the fact their credentials are likely in the hands of the hijackers.
Category Archives: Security
Weak 4096 Bit RSA Key in Strong Set Factored, More Factored Keys Follow
Update: No Such lAbs reports that other Phuctored keys have valid signatures.
Update 2: More factored RSA Keys and their purported owners have been disclosed
This morning the Phuctor operated by No Such lAbs broke its first RSA key. The compromised key in question was a 4096 bit key with a subkey divisible by 231, which is in turn 3 × 7 × 11. This factorization was shortly followed by two other factorizations of identifiable keys. Each identifiable key has a companion which is similarly weak, but these companions have yet to be identified.
Williams Pleads Guilty to Debunking Polygraph Pseudoscience
Douglas Williams, proprietor of the now defunct polygraph.com, has pleaded guilty in Federal court to five counts of obstructing justice and a single count of mail fraud on the second day of his trial. Williams had for years dedicated considerable time to the cause of debunking polygraph "lie detection" as a dangerous pseudoscience by coaching applicants for "national security" jobs with the United States Government in ways to pass the tests while providing answers with no connection to actual truth.
Liberland "President" Arrested
Croatian forces have reportedly arrested the founder and "President" of Liberland, Vít Jedlička. Jedlička founded Liberland in a disputed stretch of territory along the Danube river between Serbia and Croatia and declared Bitcoin the official currency. The micronation of Liberland has only a month of history, and given present opposition it seems unlikely to enjoy the longevity of the Principality of Hutt River or Sealand. Given Liberland's geographic situation, prospects for establishing lasting security seem poor.
Bitcoin ISP Unveiled
Today Mircea Popescu announced the creation of a Bitcoin Internet Service Provider, adding to the increasing amount of infrastructure outside of the fiat regime's grasp and available to those aligned with Bitcoin's Most Serene Republic. Rather than offering any sort of shared or virtualized product, the Bitcoin Internet Service Provider offers raw metal: dedicated servers on which customers may have a Linux of their choice provisioned. Any system administration beyond provisioning a server is the responsibility of the customer, though some limited support may be provided and referrals for further service may be offered.
Phuctor Begins Processing SKS Keyserver Dump
The Phuctor, a service for testing the strength of RSA public keys used by the GNU Privacy Guard and other PGP encryption software, has begun digesting the output of an SKS keyserver's public key inventory. The Phuctor is a service provided by No Such lAbs. As of the time of this publication the Phuctor has processed more than 6500 public keys and found 60 with one or more duplicate moduli.[1] The Phuctor, as announced on Stanislav "asciilifeform" Datskovskiy's blog Loper OS, utilizes Euclid's algorithm for testing the quality of RSA moduli. The Phuctor has already been integrated into the Web of Trust explorers for both the #bitcoin-otc and #bitcoin-assets WoTs, allowing users to check the key quality of potential counterparties. As the number of keys processed by the Phuctor increases, the quality of feedback it can provide for keys already in its database grows.
[1] Likely the same keys found in different places or with different information attached.
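As an added illustration that is not the Phuctor's own code nor anything published by No Such lAbs, the Python below applies the checks described in the two Phuctor items above to a constructed key inventory: trial division for small factors such as the 3 × 7 × 11 in the factored subkey, Euclid's algorithm (gcd) pairwise across moduli to find shared primes, and the grouping of identical moduli mentioned in the footnote. The key ids and the primes used to build the moduli are assumptions chosen so the arithmetic is readable; real RSA moduli are thousands of bits long.

```python
from math import gcd
from itertools import combinations

# Constructed inventory: small primes stand in for real RSA factors so the
# numbers are readable. Only the moduli are "public"; the primes below exist
# solely to build the demonstration data.
P1, P2, P3, P4 = 10007, 10009, 10037, 10039          # constructed primes
KEYS = {
    "key-A": P1 * P2,        # sound on its own
    "key-B": P1 * P3,        # shares prime P1 with key-A (bad randomness)
    "key-C": 231 * P4,       # one "prime" is really 3*7*11, like the factored subkey
    "key-D": P1 * P2,        # duplicate of key-A's modulus under another key id
    "key-E": 65537 * 65539,  # sound: shares nothing with the others
}

def small_factors(n, bound=1000):
    """Trial-divide n by every integer below bound; a sound modulus yields none."""
    found = []
    for d in range(2, bound):
        while n % d == 0:
            found.append(d)
            n //= d
    return found

def duplicate_moduli(keys):
    """Group key ids that publish the very same modulus (the footnote's case)."""
    by_modulus = {}
    for kid, n in keys.items():
        by_modulus.setdefault(n, []).append(kid)
    return {n: ids for n, ids in by_modulus.items() if len(ids) > 1}

def shared_factor_pairs(keys):
    """Euclid's algorithm pairwise: a gcd strictly between 1 and the smaller
    modulus is a prime the two keys leak to each other, so both are broken.
    Identical moduli give gcd == modulus and are reported by duplicate_moduli."""
    hits = []
    for (ka, na), (kb, nb) in combinations(keys.items(), 2):
        g = gcd(na, nb)
        if 1 < g < min(na, nb):
            hits.append((ka, kb, g))
    return hits

def audit(keys):
    """Run all three checks and return the findings keyed by finding type."""
    return {
        "small_factor": {k: small_factors(n) for k, n in keys.items() if small_factors(n)},
        "shared_prime": shared_factor_pairs(keys),
        "duplicate_modulus": duplicate_moduli(keys),
    }

if __name__ == "__main__":
    for kind, finding in audit(KEYS).items():
        print(kind, finding)
```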
Google Password Alert Already Subverted
This week Google released a browser extension designed to warn users when they enter their Google password on any page that is not controlled by Google, and this piece of security theater has already been subverted. Researcher Paul Moore has already created a Proof of Concept (Not a Google Login Page) which subverts the browser extension using a few lines of Javascript. The snippet of Javascript in question is below:
    <!-- BYPASS GOOGLE'S PASSWORD ALERT "PROTECTION" -->
    <script type="text/javascript">
      // Every 5 ms, remove the extension's warning banner if it has been injected
      setInterval(function() {
        if (document.getElementById("warning_banner")) {
          document.getElementById("warning_banner").remove();
        }
      }, 5);
    </script>
Windows Servers Pwn'd By JPEG Uploads
The Register reports that researcher Marcus Murray has demonstrated an attack which allows malicious parties to take control of servers running modern versions of Microsoft Windows Server by uploading JPEG images. Murray demonstrated this attack at the RSA San Francisco conference and asserts he used this same method on a photo upload portal to crack a United States Government agency's web server. This is one of many ways Microsoft Windows has shown itself to be unsafe for any purpose.
Police Send Spyware To Lawyer For Whistle-Blower
Photo: FSPD Chief Lindsey
Police in Fort Smith, Arkansas have been caught embedding malware in a collection of documents requested by the lawyer for a whistleblower reporting on misconduct in the department. Attorney Matt Campbell reports that upon the return of a drive he provided to the Fort Smith Police Department for the purpose of receiving evidence, three common pieces of spyware targeting Microsoft Windows computers had been implanted into a subfolder on the drive. The spyware includes a keylogger, backdoors, and a command and control utility.
Campbell is representing whistle-blower Don Paul Bales in a lawsuit against the Fort Smith Police Department for retaliating against Bales's reports of illegal practices within the department concerning employee termination and payroll procedures. Arkansas State Police have declined requests by Campbell to investigate the incident, claiming that any potential violations would be merely "misdemeanors" insufficient to involve their investigators. Similarly, local Sebastian County Prosecuting Attorney for the 12th District of Arkansas Daniel Shue has declined to investigate, citing a lack of resources even though his own web page declares Shue's office is "one of the busiest Prosecuting Attorney’s offices in the state." (archived) It remains to be seen if this can be investigated and prosecuted at the Federal level.
"Bitcoin Baron" Vigilante Vandal Caught
The Internet vigilante who has gone by the name "Bitcoin Baron" has been caught for attacking a Mesa, Arizona government website. He previously attacked the website of Columbia, Missouri and has an open investigation in Wisconsin. Police have said he uses a "hacker" operating system.