Posts in ‘study’

We made third! or Twofish on a smart card

Jul 16

In a practical course this summer term the task was to implement the Twofish block cipher, a former AES candidate, on an embedded device: a smart card with an ATMega163 microcontroller on board. A prize was promised for the team with the best performance, measured in clock cycles per key schedule/encryption/decryption and in code size. 3 weeks of time were given, 10 teams participated and we made third, yeah!

In particular, the main design decision was how to handle the S-Boxes. The S-Box keys are derived from the main key and can be precomputed. So the main question was whether to precompute them and save clock cycles, or to compute them on-the-fly while running encryption/decryption and save SRAM in the microcontroller. We decided to precompute them, as this brings our implementation a significant performance increase.

These are the statistics:

[Statistics Diagram]

[Statistics Table]
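As an added illustration of that trade-off (example code written for this page, not code from the course or the post): the key-dependent S-box of Twofish for a 128-bit key, once computed on the fly from the fixed q0/q1 permutations and once expanded into 4 x 256 bytes at key setup, plus a bijectivity check for the expanded tables. The S-box key words l0 and l1 are taken as inputs; deriving them from the user key via the RS code is not shown.

```c
#include <stdint.h>
/* Twofish 4-bit tables t0..t3 of q0 (index 0) and q1 (index 1), from the Twofish spec. */
static const uint8_t QT[2][4][16] = {
  { {8,1,7,13,6,15,3,2,0,11,5,9,14,12,10,4}, {14,12,11,8,1,2,3,5,15,4,10,6,7,0,9,13},
    {11,10,5,14,6,13,9,0,12,8,15,3,2,4,7,1}, {13,7,15,4,1,2,6,14,9,11,3,0,8,5,12,10} },
  { {2,8,11,13,15,7,6,14,3,1,9,4,0,10,12,5}, {1,14,2,11,4,12,3,7,6,13,10,5,15,9,0,8},
    {4,12,7,5,1,6,9,10,0,14,13,8,2,11,3,15}, {11,9,5,1,12,3,13,14,6,4,7,15,2,0,8,10} }
};
static uint8_t ror4(uint8_t v) { return (uint8_t)(((v >> 1) | (v << 3)) & 15); }
/* Fixed 8-bit permutation q0 (sel=0) or q1 (sel=1), built from the nibble tables. */
uint8_t twofish_q(int sel, uint8_t x) {
    const uint8_t (*t)[16] = QT[sel];
    uint8_t a = x >> 4, b = x & 15, a1 = a ^ b, b1 = (a ^ ror4(b) ^ (8 * a)) & 15;
    uint8_t a2 = t[0][a1], b2 = t[1][b1], a3 = a2 ^ b2, b3 = (a2 ^ ror4(b2) ^ (8 * a2)) & 15;
    return (uint8_t)((t[3][b3] << 4) | t[2][a3]);
}
/* Key-dependent S-box byte for lane i (0..3) with a 128-bit key, computed on the fly.
 * l0, l1 are the two 32-bit words of the S-box key list as the Twofish h function
 * consumes them (l1 is XORed first); deriving them from the user key is not shown. */
uint8_t twofish_sbox_byte(int i, uint8_t x, uint32_t l0, uint32_t l1) {
    static const uint8_t sel[4][3] = { {0,0,1}, {1,0,0}, {0,1,1}, {1,1,0} }; /* q order per lane */
    uint8_t y = twofish_q(sel[i][0], x);
    y = twofish_q(sel[i][1], y ^ (uint8_t)(l1 >> (8 * i)));
    return twofish_q(sel[i][2], y ^ (uint8_t)(l0 >> (8 * i)));
}
/* Strategy chosen in the post: expand all four S-boxes once at key setup (4 x 256 bytes
 * of SRAM) so that each round does plain table lookups instead of three q evaluations. */
void twofish_sbox_precompute(uint8_t sbox[4][256], uint32_t l0, uint32_t l1) {
    for (int i = 0; i < 4; i++)
        for (int x = 0; x < 256; x++)
            sbox[i][x] = twofish_sbox_byte(i, (uint8_t)x, l0, l1);
}
/* Sanity check for the expanded tables: each lane is a composition of permutations and
 * XORs, hence a bijection on 0..255, so a corrupted SRAM entry shows up as a duplicate. */
int twofish_sbox_is_permutation(const uint8_t sbox[4][256]) {
    for (int i = 0; i < 4; i++) {
        uint8_t seen[256] = {0};
        for (int x = 0; x < 256; x++) {
            if (seen[sbox[i][x]]) return 0;
            seen[sbox[i][x]] = 1;
        }
    }
    return 1;
}
```

On the ATMega163 the expanded tables alone take the whole SRAM budget into account, which is exactly the memory-versus-cycles decision the post describes.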

All Quiet on the Western Front..

Jun 05

..but interesting numbers! That is how one could summarize today's HGI talk. The guest was the head of the Security Labs at G DATA Software AG, an IT security software company based in Bochum that offers, among other things, anti-virus software for private and business customers.

The topic of the talk, "Malicious code on the Internet", was renamed right at the start to "Malicious code in websites", because that is what the talk was really about. It started right away with the two currently most widespread infection methods: direct downloads and drive-by downloads. That is certainly nothing new for security specialists, but if you consider that only a year ago the best-known route of infection was infected e-mail attachments, which now hardly occur any more, the progress of the protection techniques in e-mail programs becomes quite clear. The attackers have looked for an easier target: the browser.

Now to the interesting numbers (approximate values):

  • 10-12 million bots are active worldwide
  • 30,000 new bots are added every day
  • over 80% of spam comes from about 200 organizations
  • 10,000 website defacements per day
  • 3,000 DDoS attacks per day! (rising steadily since the start of the year)

All in all quite an interesting talk, if somewhat short on detail, but you could fill whole evenings with malware anyway!

[paper] On the security of Linux user passwords

Apr 25

This is a paper I wrote for one of my courses at university.

From the abstract:
In this paper we determine the security of user passwords on Linux based operating systems. We have a look at the two basic security mechanisms passwords are created and stored using a reference Linux distribution, locate common attack vectors and propose available countermeasures.

link to paper

literature on e-passports

Apr 21

As we are dealing with e-passports in one of our courses, we got to read some very interesting and quite shocking literature.

I highly recommend that everyone read these:
1. The Evolution of RFID Security (take this as an introduction to RFID in general), link
2. Protection Profile for Machine Readable Travel Documents - Basic Access Control (BAC), link
3. Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC), link
4. E-Passport: The global Traceability or How to Feel Like an UPS Package (now it gets interesting), link
5. Security and Privacy Issues in E-Passport (personal favourite), link

Phishing phishers and tracing their identities

Jul 04

Two fellow students of IT-Security at my university recently came up with an idea [paper] on catching phishers and tracing their identities. The idea is quite simple:

1.) collect some recent phishing sites, e.g. from Google or Microsoft
2.) create user credentials such as name, bank, account number, TANs etc. (e.g. from wordlists, dictionaries)
3.) send these special credentials (called ‘phoneytokens’) to the phishing sites

When the phisher[s] now visit the bank site and enter a phoneytoken, it is detected by the system and the phisher is redirected to a honeypot system (called ‘phoneypot’) instead of the real banking application. This phoneypot looks like the real banking application and can collect data about the phisher, revealing the organizational structures of the phishing system and hopefully the identity of the phisher himself.

Talks with German banks are currently in progress; let’s see how this will work in practice. I’ll keep you up to date.
If you have any input, you can write to the authors mentioned in the paper or to me, of course.

see you, cordney*