david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

How to deal with multiple passwords

posted November 2014

I was reading some articles on the security blog of stackexchange. Ended up there reading articles/comments from Thomas Pornin who is one of the best answerer on stackoverflow.

I ran into this one intitled Is our entire password strategy flawed?

I wanted to bring my point of view on how to deal with multiple passwords. I don't necessarily do this because it's not practical but I'm trying more and more.

So if I were to be extremely paranoiac I would:

  1. use a password manager like 1Password for websites you don’t really care.
  2. use passwords you memorise for websites you care about.
  3. use multi-factor authentification for critical websites.

1. Password Manager

I've never used 1Password but it seems to generate passwords on the fly when you need to sign up on a new website. It's pretty cool! But a problem arises when you need to login on some website when you're not using your computer. If you don't know the passwords it created then you will always be dependent of this password manager.

2. Memorise

A good idea would be to hash the name of the website + some salt only you know, and use it as a password. All of that in your head. That's what one of the famous Blum proposes. More here. He appeared to have invented a hash you could compute mentally.

3. Two-Factor Authentification

I really like the yubikey (and own one). It's literally a secret key. Every time I need to log into gmail from a cybercafe I wish I had it configured with my yubikey.

Bonus

By the way, if you're scared there might be a keylogger but really have to enter some password you could prey on the fact that the keylogger is badly coded and, when entering your password, could move to another input field and write random words, then come back to the password input field and type some more letters of your password, etc.. . Last year I also learned how to read dotsies (I completely forgot how to read it now though...) and I seldom switched all the fonts to dotsies so no one could look over my shoulder and read what I was reading/typing.

comment on this story

Mathematical “urban legends”

posted November 2014

a topic on the math version of stackoverflow, filled with funny stories, anecdotes, urban legends about mathematicians. If you're like me you're gonna love every bit of it.

http://mathoverflow.net/questions/53122/mathematical-urban-legends

Although David Hilbert was one of the first to deal seriously with infinite-dimensional complete inner product spaces, the practice of calling them after him was begun by others, supposedly without his knowledge. The story goes that one day a visitor came to Göttingen and gave a seminar about some theorem on "Hilbert spaces". At the end of the lecture, Hilbert raised his hand and asked, "What is a Hilbert space?"

When the logician Carnap was immigrating to the US, he had the usual consular interview, where one of the questions was (and still is, I think): "Would you favor the overthrow of the US government by violence, or force of arms?". He thought for a while, and responded: "I would have to say force of arms..."

comment on this story

For Sale: 50,000 Bitcoins

posted November 2014

Just a few weeks after Silk Road 2.0 and its owner got seized, the US government posted this:

THIS SEALED BID AUCTION IS FOR A PORTION OF THE BITCOINS CONTAINED IN WALLET FILES THAT RESIDED ON CERTAIN COMPUTER HARDWARE BELONGING TO ROSS WILLIAM ULBRICHT, THAT WERE SEIZED ON OR ABOUT OCTOBER 24, 2013 (“COMPUTER HARDWARE BITCOINS”).

http://www.usmarshals.gov/assets/2014/dpr-bitcoins/

Apparently it's from the first Silk Road. Pretty comical.

comment on this story

The NSA about academic cryptographers

posted November 2014

Scott Aaronson found a 1994 issue of Cryptolog an internal newsletter at the NSA. He's quoting funny extracts from one of its article about a field trip at the 1992 Eurocrypt Conference.

Those of you who know my prejudice against the “zero-knowledge” wing of the philosophical camp will be surprised to hear that I enjoyed the three talks of the session better than any of that ilk that I had previously endured. The reason is simple: I took along some interesting reading material and ignored the speakers. That technique served to advantage again for three more snoozers, Thursday’s “digital signature and electronic cash” session, but the final session, also on complexity theory, provided some sensible listening.

more on his blog: http://www.scottaaronson.com/blog/?p=2059

comment on this story

Hack Summit

posted November 2014

The next Hack Summit will happen entirely online and will start on December the 1st.

https://hacksummit.org/

You can get a free ticket by posting it on twitter/facebook.

An amazing line up of people will be giving talks: David Heinemeier Hansson (creator of Ruby on Rails), Tom Chi (creator of Google Glass), Hakon Wium Le (creator of CSS), Bram Cohen (creator of Bittorrent), Brian Fox (creator of Bash), Hampton Catlin (creator of Sass and Haml), and many more interesting persons and even....... Jon Skeet (#1 answerer on StackOverflow). This is gonna be huge!

comment on this story

Hack of the Day: How do I run untrusted shell code?

posted October 2014

I've run into a nice series of video called "hack of the day" from Vivek-Ramachandran.

In this first video he explains two techniques :

  • jump-call-pop
  • xor decoding

I also got nice tips like the examining string function in gdb : x/s $ebx or the folder usr/include/asm that contains plenty of information about assembly.

The full playlist can be found on securitytube.net

comment on this story

POODLE: new attack on SSL

posted October 2014

A new attack on SSL 3.0 has been discovered. It's relevant because most browsers (except for Opera) allow a downgrade to SSL 3.0 if it cannot seem to use newer versions. Of course an attacker could disturb the connection and force someone to use SSL 3.0 in order to use the POODLE attack.

Full and clear explanation here

You might want a reminder of what is CBC to read it:

CBC

tl;dr: attack happens because of the way padding works in CBC in SSL 3.0

comment on this story

BadUSB

posted August 2014

An interesting read about how any usb device could be a potential threat. Some scary extracts:

Once reprogrammed, benign devices can turn malicious in many ways, including:

  • A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
  • The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
  • A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

And a scarier one...

No effective defenses from USB attacks are known.

Once infected, computers and their USB peripherals can never be trusted again.

Some proof of concept should be introduced in a week at the incoming Black Hat convention. This is gonna be good :)

EDIT:

There's actually something similar that you can already buy: The USB Rubber Duck

rubber duck

comment on this story

80s computer hacking: A Supercut

posted July 2014

Pretty funny, and it's sad to see that it hasn't evolved much (besides some rare exceptions like 24 or The Social Network). For example that hacking scene in the last James Bond Skyfall. Never forget.

comment on this story