Monday, November 14, 2011

Double Columnar Cipher Challenge



As one of my cybersecurity classes comes to an end, this will be my final blog. Most of my postings have covered Mac OS X security configurations or cryptology, both subjects being a great interest of mine. Other topics, such as National Cyber Security Awareness Month, just happened to coincide with the area I was studying. The Mac OS X source was myself, playing around with the features on my own Macbook. I incorporated other sources into the postings where applicable, and tried to use a variety.

I hope this blog will be useful to other students and security professionals by providing a clear understanding of the chosen topics and resources for more information.

Since the holidays are just around the corner, I thought I would put a little cheer in this finale. Not only will you learn how a double columnar cipher works, but I challenge you to crack my own code!

The first step is to pick two code words or phrases of the same length, and put each letter in its own column. Letter by letter, write out your message under the first code word/phrase, like this:

R E D M U S T A N G
D O N T F O R G E T
T O D R I N K Y O U
R O V A L T I N E R
A L P H I E X X X X

In this example, the first code phrase is RED MUSTANG, and the message is DON’T FORGET TO DRINK YOUR OVALTINE RALPHIE. The message is not long enough to cover all the cells, so X’s are used for padding.

Next, order the code word/phrase according to the alphabet – 1 for A, and so on. If you have duplicate letters, I suggest numbering them in the order of appearance in the code word/phrase. It should look like this:

7 3 2 5 10 8 9 1 6 4
R E D M U S T A N G
D O N T F O R G E T
T O D R I N K Y O U
R O V A L T I N E R
A L P H I E X X X X

Starting with the column numbered 1, read down the column and write the letters out in blocks of 5, then continue with the column numbered 2, and so on (read only the message rows, not the code word/phrase). This makes the first ciphertext, which is GYNXN DVPOO OLTUR XTRAH EOEXD TRAON TERKI XFILI.

The first ciphertext is used to fill the cells under the next code word, NIGHT MOVES:

6 4 2 3 9 5 7 10 1 8
N I G H T M O V E S
G Y N X N D V P O O
O L T U R X T R A H
E O E X D T R A O N
T E R K I X F I L I

To generate the final ciphertext, perform the same operation as in the example above, reading the columns out in numbered order in blocks of 5: OAOLN TERXU XKYLO EDXTX GOETV TRFOH NINRD IPRAI. To decrypt, the operation is performed backwards, starting with this final ciphertext. If you know the code word/phrase, start by numbering its letters as before, then fill column #1 from the top with the first letters of the ciphertext, one per row (four here, since the message grid has four rows), move on to column #2, and so on. Once the cells are filled in, read the grid row by row; that gives you the first ciphertext, and repeating the same steps under the first code word/phrase recovers the message.
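To make the steps above concrete, here is a small Python implementation of the double columnar cipher. It is an added example, not code from the post. It follows the post's conventions (letters only, X padding, alphabetical column numbering with repeated letters numbered in order of appearance) and reproduces both ciphertexts of the RED MUSTANG / NIGHT MOVES example; the function names are my own.

```python
"""Double columnar transposition as worked in the post (added example)."""


def _letters(text):
    """Keep only letters, upper-cased: DON'T FORGET -> DONTFORGET."""
    return "".join(c for c in text.upper() if c.isalpha())


def _read_sequence(keyword):
    """Column positions in the order they are read out (rank 1 first).
    Ties between repeated letters are broken by position, i.e. order of appearance."""
    key = _letters(keyword)
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def column_order(keyword):
    """Number each column alphabetically, as the post does:
    RED MUSTANG -> [7, 3, 2, 5, 10, 8, 9, 1, 6, 4]."""
    order = [0] * len(_letters(keyword))
    for rank, pos in enumerate(_read_sequence(keyword), start=1):
        order[pos] = rank
    return order


def encrypt_once(message, keyword, pad="X"):
    """Write the message row by row under the keyword, pad the last row with X,
    then read the columns out in numbered order."""
    key = _letters(keyword)
    text = _letters(message)
    if len(text) % len(key):
        text += pad * (len(key) - len(text) % len(key))
    rows = [text[i:i + len(key)] for i in range(0, len(text), len(key))]
    return "".join(row[pos] for pos in _read_sequence(keyword) for row in rows)


def decrypt_once(cipher, keyword):
    """Reverse of encrypt_once: fill column #1 top to bottom with the first
    letters, then column #2, and so on, and read the grid back row by row.
    The ciphertext must be a whole number of rows; padding is kept."""
    key = _letters(keyword)
    text = _letters(cipher)
    if len(text) % len(key):
        raise ValueError("ciphertext length is not a multiple of the keyword length")
    depth = len(text) // len(key)            # number of message rows
    grid = [[""] * len(key) for _ in range(depth)]
    for k, pos in enumerate(_read_sequence(keyword)):
        for r, ch in enumerate(text[k * depth:(k + 1) * depth]):
            grid[r][pos] = ch
    return "".join("".join(row) for row in grid)


def double_encrypt(message, first_key, second_key):
    """Two passes: the first ciphertext is the 'message' for the second keyword.
    The post picks keywords of equal length, so the second grid needs no padding."""
    return encrypt_once(encrypt_once(message, first_key), second_key)


def double_decrypt(cipher, first_key, second_key):
    """Undo the passes in reverse order: second keyword first, then the first."""
    return decrypt_once(decrypt_once(cipher, second_key), first_key)


def blocks(text, size=5):
    """Group into 5-letter blocks the way the post prints ciphertext."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


if __name__ == "__main__":
    message = "DON'T FORGET TO DRINK YOUR OVALTINE RALPHIE"
    first = encrypt_once(message, "RED MUSTANG")
    final = encrypt_once(first, "NIGHT MOVES")
    print("first ciphertext:", blocks(first))
    print("final ciphertext:", blocks(final))
    print("decrypted:       ", double_decrypt(final, "RED MUSTANG", "NIGHT MOVES"))
```

Run it and compare the printed blocks with the post's; decrypt_once() keeps the padding X's, so strip them by eye at the end. From a security standpoint, note that a transposition only rearranges letters: the letter frequencies of the plaintext survive untouched, which is one reason this is a classroom cipher rather than something to protect data with.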

Now that you have learned how to compose a double columnar cipher, I have two code phrases for you. The first is APPLE CIDER, and the second is SANTA CLAUS. The final ciphertext is NSAPO VHAAE AHFYA IEDHP YAANS ODSEL.

Happy Holidays!

Friday, November 11, 2011

Kids and Information Security

When most people think about protecting their kids, it's usually from bullies on the playground, accidents, and illness. In the past few decades, it extended to censoring their exposure to graphic media such as TV, movies, and music. In today's world, kids are very technology-savvy, yet they know little about the consequences of using it inappropriately. That's where we need to step up as parents and offer our guidance, establish rules, and enforce our restrictions.

When it comes to kids, I feel that some level of censorship should be implemented, depending on their age level. As they get older, it will be increasingly difficult to shield them from every danger, so it is our job to talk to them about what they might encounter, and how to handle it. Why should information security be any different? With the increasing prevalence of online predators, cyberbullies, and malicious content disguised as legitimate offers, your kids and devices are at stake.

At the same time, we all know that kids do the exact opposite of what we want them to do, so some controls will help keep them on track. Installing a pop-up blocker or web filter on your browser is an obvious choice, but if you have read my previous blogs, you know that I advocate features built into Mac OS X. One feature that addresses this topic is the Parental Controls under Accounts in System Preferences:


With this feature, you can manage areas such as System, Content, Mail & iChat, Time Limits, and Logs:


This example uses the default guest account, but you can set up several accounts and tweak the controls to suit the level of permission for each. Not only does this protect your children from the evil forces that be, but it also prevents other users from accessing sensitive information or modifying controls set by the administrator.

While this is a great way to keep tabs on what your kids are involved in, they still need to know the rules set by your family. Do they know what your expectations are and the risks of deviating from those expectations? Do they know what dangers to look for and how to avoid them? Keeping your kids educated is the best prevention. You will not be able to hold their hand forever.

Saturday, November 5, 2011

Firewall for OSX Leopard (10.5)

How many of you knew that a Macbook comes with a built-in firewall? Well, it does, and now is the time to take advantage of it.

To configure this firewall, you will need to open System Preferences and click on the Security icon. The Security menu has three tabs: General, FileVault, and Firewall. Select the Firewall tab, which should look like this:


Three radio buttons appear in the box:

Allow all incoming connections stops the firewall from running
Allow only essential services blocks incoming connections to everything except a few essential system services
Set access for specific services and applications allows the user to set permissions for trusted connections

The last one is probably the best choice for an average user. The + and - box will let you choose which applications are allowed to make connections. Once you activate the firewall, the Advanced button becomes available. Clicking on it will bring up a submenu:


I recommend checking both Enable Firewall Logging and Enable Stealth Mode. A great way to see if the Enable Stealth Mode option is working is to visit the ShieldsUP! website. From the Home page, click on the Proceed button, and choose All Service Ports. A quick run of my ports aced the test:


This configuration should be done from an administrator account, and don't forget to click the Lock icon when you are done so that no one else can change it!
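If you would rather verify these settings from a Terminal than by eye, the following shell script is an added example (not from the post) that queries the application firewall with socketfilterfw. The tool path and its --getglobalstate, --getstealthmode and --getloggingmode options are ones I know from OS X 10.6 and later; that 10.5 accepts the same options, and the exact wording of its output lines, are assumptions. The function names are mine.

```shell
#!/bin/sh
# Added example: check the application firewall from a Terminal instead of the GUI.
# Assumes /usr/libexec/ApplicationFirewall/socketfilterfw and its --getglobalstate,
# --getstealthmode and --getloggingmode options (known from OS X 10.6 and later;
# availability on 10.5 is an assumption).
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Classify one line of socketfilterfw output: prints on, off or unknown.
# Constructed sample lines this handles: "Firewall is enabled. (State = 1)",
# "Stealth mode disabled", "Log mode is on".
fw_state() {
    case "$1" in
        *disabled*|*"State = 0"*|*"mode is off"*)              echo off ;;
        *enabled*|*"State = 1"*|*"State = 2"*|*"mode is on"*)  echo on ;;
        *)                                                     echo unknown ;;
    esac
}

# Report the three settings the post recommends (firewall on, stealth mode,
# logging); returns 1 if any of them is off or could not be read.
fw_report() {
    rc=0
    for opt in getglobalstate getstealthmode getloggingmode; do
        state=$(fw_state "$("$FW" --"$opt" 2>/dev/null)")
        printf '%-16s %s\n' "$opt" "$state"
        [ "$state" = on ] || rc=1
    done
    return "$rc"
}

# Only run the report where the tool exists (it does not on other systems).
if [ -x "$FW" ]; then
    fw_report
fi
```

Run it from an administrator account; it prints on/off for each setting and exits non-zero if anything is off, which makes it usable as a check in a login script. The ShieldsUP! test above remains the useful outside-in confirmation.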



*Answers to last week’s quiz:
1)d 2)b 3)c 4)d 5)b

Tuesday, October 25, 2011

Take the quiz: Information Security in the Media

Information security is not a new trend. It has masqueraded for ages as a form of entertainment. In celebration of National Cyber Security Awareness Month, I have dug up some fun facts for your own amusement. Go ahead and test your knowledge!



1. Which famous author used a polyphonic substitution cipher in one of his or her short stories?

a. Edgar Allan Poe
b. Washington Irving
c. Stephen King
d. Virginia Woolf


2. What type of cipher did Ralphie use on his Code-O-Graph in A Christmas Story?

a. Transposition cipher
b. Simple cipher
c. Block cipher
d. Stream cipher


3. In 2001, a movie about hackers gaining access to a government slush fund in a counter-terrorism scheme hit the box office. The movie was named for a famously used password. What is the name of the movie/password?

a. Antitrust
b. Hackers
c. Swordfish
d. Takedown


4. Who was the famous hacker that went by the code name c0mrade?

a. Kevin Mitnick
b. Adrian Lamo
c. Kevin Poulsen
d. Jonathan James


5. What breakfast cereal contributed to the popularity of phone phreaking in the 1990’s because the toy whistle inside the box was tuned to the frequency of most AT&T phones?

a. Fruity Pebbles
b. Cap’n Crunch
c. Golden Grahams
d. Frosted Flakes


*Answers will appear in next week’s blog. Happy hunting!

Thursday, October 20, 2011

National Cyber Security Awareness Month



October 2011 has been designated as the National Cyber Security Awareness Month (NCSAM) for the eighth year running. It is a cooperative effort between the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Their goal is to promote cyber safety by providing education and awareness to both public and private sectors.

So how can you get involved? NCSAM's motto is "Our Shared Responsibility", which means cyber security starts with you by protecting your own information. Google has started a "Good to Know" campaign that outlines a few simple steps you can take to create a strong defense. The campaign addresses many aspects of information security, such as phishing, malware, and mobile security. Check it out at Google's Good to Know campaign.

Another ongoing campaign that is more widely known is Stay Safe Online. It is a great resource center for a variety of communities, from educational institutions and law enforcement to businesses and individuals. If you have kids, you will definitely want to visit the cyberbullying page.

If you find yourself or someone you love a victim of any kind of security breach or harassment, please don't hesitate to report it. While local law enforcement may be the obvious choice, a little-known reporting agency is the Internet Crime Complaint Center. The website is run by the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). It is specifically geared towards cyber crime, and may be better equipped to handle these sensitive situations.

October may be coming to an end, but cyber security is a year-round battle. Be ready for your attackers.

Wednesday, October 12, 2011

An Overview on Virtualization


How does virtualization work?
Virtualization is the practice of using software on a host computer to simulate a particular computing environment. It works by allowing processes to share system (particularly hardware) resources.
Three main types of virtualization are network, storage, and server. Network virtualization works by splitting bandwidth into channels. Storage virtualization combines physical storage from multiple sources into a centralized source. (What is Virtualization?, n.d.) Server virtualization disguises the number and components of real servers from guest users by dividing and isolating virtual servers. (What is Server Virtualization?, n.d.)
All three types assign resources as needed rather than committing them to a particular device. The purpose is to free up available components while reducing costs.

What can virtualization be used for?
Virtualization is used for private cloud computing within a network. When a private network is joined to a public one, it creates a hybrid cloud. This method allows businesses to join forces, or for one business to manage internal and external data.
Virtualization on a private level can be used for running multiple operating systems on a single computer. One such method employs Parallels software. (Virtualization & Automation Solutions for Desktops, Servers, Hosting, SaaS – Parallels Optimized Computing, n.d.) Parallels is an application that allows a user to toggle between Windows and OSX (for example) without partitioning the hard drive. The Windows portion would be the virtual machine, sharing resources with OSX on the Macbook hard drive.

What are the security flaws?
Security flaws depend on the management of server configuration and operating system patching. If neither is actively maintained, it leaves a gap for attackers to plunge through. Active maintenance includes patching the hypervisor, following best practices in configuring the host/platform, securing transmissions, managing virtual switches for guests, and preventing malicious activity from the guest.
The best advice is to develop strong policies and procedures, follow best practices, and harden systems. (Shackleford, 2010)


Why is this issue becoming prevalent?
Virtualization is a growing industry because it provides businesses with a solution to consolidate resources; cut costs on hardware, maintenance, and personnel; plan seamless backup and routine maintenance; improve operational flexibility, and securely manage desktop environments.


 

References:
1. Parallels. (n.d.). Virtualization & Automation Solutions for Desktops, Servers, Hosting, SaaS – Parallels Optimized Computing. Retrieved December 21, 2010, from http://www.parallels.com/
2. Shackleford, D. (2010, March 9). An introduction to virtualization security. Help Net Security. Retrieved December 21, 2010, from http://www.net-security.org/article.php?id=1397&p=1
3. What is server virtualization? - Definition from Whatis.com. (n.d.). Server Virtualization: Covering today's Server Virtualization topics. Retrieved December 21, 2010, from http://searchservervirtualization.techtarget.com/sDefinition/0,,sid94_gci1032820,00.html
4. What is virtualization? - Definition from Whatis.com. (n.d.). Server Virtualization: Covering today's Server Virtualization topics. Retrieved December 21, 2010, from http://searchservervirtualization.techtarget.com/sDefinition/0,,sid94_gci499539,00.html

Saturday, October 8, 2011

What is a Buffer Overflow?


A buffer is a temporary data storage area that has a capacity limit. A person running several programs at one time needs the buffer zone to seamlessly process information before heading to its final storage area.
A buffer overflow happens when a program or process tries to store more data than the buffer can hold. The extra data is forced into other buffer zones, possibly corrupting the data already in there. Sometimes the buffer overflow is done intentionally, as in an attack. The buffer overflow works on the “last in, first out” (LIFO) principle. The last string of data is the first string to be cut from the buffer and go into overflow. An example is below:


In this example, the program was written to accept 5 bytes in the “name” field. The buffer (small) can only hold two, moving the remaining 3 into the executable stack. Hackers take advantage of this by purposefully inserting malicious code at the end that they know will go into overflow. However, this is not always the case. Often, overflows in C/C++ programs are simply mistakes on the programmer's part. (Information Security, n.d.)
Fortunately, there are security features out there to detect and prevent this, such as Comodo Memory Firewall. (TechMixer, n.d.)
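The “name” field example can be shown in C, the language the post singles out. Below is an added example, not code from the post or its sources: a fixed five-byte buffer, a copy routine that uses strcpy() and therefore overflows on long input, and a hardened routine that measures the input against the buffer first and refuses what does not fit. The function names and sample names are constructed for the example; the unsafe routine is shown for comparison and is never called with oversized input.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 5   /* the "name" field from the post: room for 4 characters + NUL */

/* Vulnerable: strcpy() copies until it meets the NUL byte and never looks at
   the size of 'name'. Anything longer than NAME_LEN - 1 characters is written
   past the end of the buffer, into whatever the compiler placed next to it on
   the stack. Shown for comparison; never called with oversized input here. */
void copy_name_unsafe(char name[NAME_LEN], const char *input)
{
    strcpy(name, input);                 /* no bounds check */
}

/* Hardened: measure the input against the buffer first and refuse input that
   does not fit (including the terminating NUL). Returns 0 on success, -1 if the
   input was rejected; nothing is written on rejection. */
int copy_name_safe(char name[NAME_LEN], const char *input)
{
    size_t len = 0;
    while (len < NAME_LEN && input[len] != '\0')   /* read at most NAME_LEN bytes */
        len++;
    if (len >= NAME_LEN)
        return -1;                       /* too long: reject, do not silently truncate */
    memcpy(name, input, len + 1);        /* characters plus the NUL */
    return 0;
}

/* Try to store one name in a fresh buffer; returns copy_name_safe's result. */
int store_name(const char *input)
{
    char name[NAME_LEN];
    return copy_name_safe(name, input);
}

int main(void)
{
    /* constructed sample inputs: "Bob" fits, "Ralph" and "Ralphie" do not */
    const char *samples[] = { "Bob", "Ralph", "Ralphie" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", samples[i],
               store_name(samples[i]) == 0 ? "accepted" : "rejected (too long)");
    return 0;
}
```

Modern toolchains add defences such as stack canaries (GCC's -fstack-protector) and non-executable stacks that detect or blunt an overflow after the fact, much as the memory firewall mentioned above tries to; the bounds check at the point of the copy is what removes the bug itself.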
References:
1. What is buffer overflow? - Definition from Whatis.com. (n.d.). Information Security: Covering today's security topics. Retrieved December 19, 2010, from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci549024,00.html
2. Prevent Buffer Overflow Attack with Comodo Memory Firewall. (n.d.). TechMixer | Review Software, Online services, Freeware and Others. Retrieved December 19, 2010, from http://www.techmixer.com/prevent-buffer-overflow-attack-with-comodo-memory-firewall/

Saturday, October 1, 2011

Protecting Folders on Mac OSX


Almost anyone concerned with securing their information is familiar with how to protect important documents, such as the "protect workbook" option built into Microsoft Excel. What happens when you want to protect the entire folder, and it is stored on a Mac? I can show you how in a few simple steps.
1.     Open Disk Utility, found in the Applications folder under “Utilities”
2.     Choose “New” from the File drop-down menu, and then “Disk Image from Folder” from the sub-menu
3.     Browse to where your folder is located, select it, and click “Image”
From here, a new window entitled “New Image from Folder" will pop up, like this:

4.     Choose read/write from the Image format drop-down menu if you want to be able to modify its contents later. Otherwise, compressed is fine. Also, you may choose to encrypt the folder. I recommend 128-bit AES encryption. Save this.
The Disk Utility will now create a disk image (.dmg) file on your desktop. It will prompt you to create a password, and by default will have the “Remember password in my keychain” box checked. This defeats the purpose of securing the folder, so I recommend unchecking it. If you click on the disk image to open it after saving the password in your keychain, it will display the contents without asking for a password.


5.     Click on “Ok”, and you now have an encrypted, password-protected folder!
*On a final note, you may delete the original folder for security purposes. However, do so at your own risk. Your keychain is not storing the password, so you must take care to remember it. The .dmg file may also become corrupted, leaving no access to the folder you wanted to secure. As mentioned in earlier posts, always back up your information with a separate device or service!
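The same image can be made from a Terminal with hdiutil, which is handy when several folders need protecting on a schedule. This shell function is an added example, not from the post: it maps the post's choices (read/write or compressed, 128-bit AES) onto hdiutil options and takes the passphrase on standard input, so the keychain is never involved. The option names are the ones I know from later OS X releases; that the hdiutil in 10.5 accepts them identically is an assumption, and the function name and paths are mine.

```shell
#!/bin/sh
# Added example: Terminal equivalent of the Disk Utility steps in the post.
# Assumes hdiutil's "create" verb with -srcfolder, -encryption AES-128,
# -format (UDRW = read/write, UDZO = compressed) and -stdinpass; these option
# names are from later OS X releases and are an assumption for 10.5.

# encrypt_folder FOLDER IMAGE.dmg [rw|compressed]
# With DRY_RUN=1 it prints the command it would run instead of running it.
encrypt_folder() {
    folder=$1; image=$2; mode=${3:-rw}
    case "$mode" in
        rw)         fmt=UDRW ;;   # read/write image: contents can be changed later
        compressed) fmt=UDZO ;;   # compressed, read-only image
        *) echo "mode must be rw or compressed" >&2; return 2 ;;
    esac
    set -- hdiutil create -srcfolder "$folder" -encryption AES-128 \
           -format "$fmt" -stdinpass "$image"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
        return 0
    fi
    # -stdinpass takes the passphrase from standard input, so nothing is offered
    # to the keychain: the same choice as unchecking "Remember password in my keychain".
    printf 'Passphrase for %s: ' "$image" >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    printf '%s' "$pass" | "$@"
}
```

Run DRY_RUN=1 encrypt_folder ~/Secret ~/Desktop/Secret.dmg to see the command before running it for real. The warning above still applies: with the keychain out of the picture, a forgotten passphrase means a lost folder, so keep a backup elsewhere.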

Saturday, September 17, 2011

Explaining Triple Data Encryption Standard (3DES)

There are many questions as to what Triple Data Encryption Standard (3DES) is and how it works. In order to understand it, we need to know what 3DES is and how it originated.

3DES is a modern variation of DES (Data Encryption Standard), which uses a block of plaintext 64 bits in length with a 64-bit key, of which 56 bits are effective. The actual key length equals that of the plaintext block. However, one bit in each of the eight key bytes is a parity bit (think of it as padding), and those 8 bits are disregarded as insignificant, which is why 56 bits are the result. (It would be helpful to note that 8 bits equal one byte: you have 8 bytes, each containing 8 bits, equaling a 64-bit block.) There were many concerns about the weakness of DES against brute-force attacks due to the key length, so 3DES was developed in response to the need for a stronger encryption method.

3DES works in much the same way as DES, except that it goes through three cycles during the encryption process, using three keys: encryption, decryption, and another encryption. It has a key length of 192 bits (64 bits x 3 keys), but its actual strength is 168 bits (56 bits x 3 keys). This method is three times as strong as DES, yet it is also three times slower because of the triple processing. (Strong Encryption Package, Triple DES Encryption, n.d.)

Encryption using 3DES is represented as C = E(K3, D(K2,E(K1,P))). Similarly, decryption is the same process backwards: P = D(K1,E(K2,D(K3,C))). (Stallings, 2011) So for both algorithms, assume:

P = plaintext
C = ciphertext
D = decryption function
E = encryption function
Kx = key, numbered by its placement in the operation

Think of ciphertext as the scrambled message you get after encrypting a message and the key as the scrambler of the plaintext or other ciphertext. To explain in further detail, assume that your key is A = B, B = C, and so on until you reach the end of the alphabet. (This is a sample key, but you can design it however you choose. However, nobody else but the intended recipients should have access to the key, as then it would be too easy to decrypt the message, defeating the purpose of encrypting it.) Your message in plaintext is “Don’t forget to drink your Ovaltine”. The key scrambles the plaintext, producing the ciphertext “Epou gpshu up esjol zpvs pwbmujof”. This process is known as the encryption function. The decryption function would take the ciphertext and key to produce the plaintext message.

To continue with the 3DES algorithm, the innermost parentheses are worked first, as in ordinary mathematics, moving outward. In this example, the innermost parentheses hold K1 and P, which indicate the first key combined with the plaintext, and they are encrypted (note the “E” directly outside the innermost set of parentheses). This produces the first ciphertext, which is in turn combined with the second key (K2) and decrypted (“D” outside the second set of parentheses). The resulting ciphertext is combined with the third key (K3) and encrypted one more time (“E” outside the outermost set of parentheses). The third ciphertext is the final outcome of this operation (indicated by “C”). This follows the encrypt-decrypt-encrypt cycle (EDE):

  1. Encrypt using first key and plaintext to produce first ciphertext
  2. Decrypt using first ciphertext and second key to produce second ciphertext
  3. Encrypt using second ciphertext and third key to produce final ciphertext

To decrypt the ciphertext, the same operation is performed backwards, as stated in the beginning. The decryption algorithm is stated as P = D(K1,E(K2,D(K3,C))). Recalling the legend in the example above, we are looking to recover the plaintext, and start with the innermost parentheses, K3 and C. The third key (K3) is combined with the final ciphertext (C) of the encrypted message to perform the first decryption (“D” outside the innermost set of parentheses). The resulting ciphertext is then combined with the second key (K2) to encrypt it (“E” outside the second set of parentheses), producing the first ciphertext from the example above. The first ciphertext is combined with the first key (K1) to decrypt it a last time (“D” outside all the parentheses), producing the original plaintext. This follows the decrypt-encrypt-decrypt cycle (DED):

  1. Decrypt using the third key and final ciphertext to produce the second ciphertext
  2. Encrypt using the second ciphertext and the second key to produce the first ciphertext
  3. Decrypt using the first ciphertext and the first key to produce the plaintext

One thing to remember is that all three keys should be different. If any of the keys are the same, it would be easier for a hacker to discover the plaintext. Symmetric block ciphers such as 3DES are also used within a mode of operation, which decides how a message longer than one block is processed. These include Electronic Codebook mode (ECB), Cipher Block Chaining mode (CBC), Cipher Feedback mode (CFB), and Counter mode (CTR). While explaining these in detail is out of the scope of this discussion, ECB is a good example of why repetition gives an attacker something to work with. ECB encrypts each block of plaintext independently with the same key, and is considered insecure for long messages: if any two plaintext blocks are the same, their ciphertext blocks would be identical, and a hacker could decipher the message by method of deduction. (Stallings, 2011)
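The EDE and DED cycles, the parity bits of the key, and the ECB observation above can all be exercised in code. The following Python is an added example, not code from the post or from any DES implementation: in place of DES it uses a toy 64-bit Feistel network with a SHA-256 round function (an assumption chosen so the block runs with the standard library alone), and the names E, D, tdes_encrypt, tdes_decrypt and ecb_encrypt are mine. What it shows does not depend on the toy cipher: DED inverts EDE, ignoring the low bit of each key byte leaves 56 effective bits, setting all three keys equal collapses 3DES to a single encryption, and ECB turns equal plaintext blocks into equal ciphertext blocks.

```python
"""EDE / DED composition from the post over a toy 64-bit Feistel cipher
(added example; the round function is a SHA-256 stand-in, not real DES)."""
import hashlib
import struct

BLOCK_BYTES = 8    # 64-bit block, as in DES
KEY_BYTES = 8      # 64-bit key, of which 56 bits are used
ROUNDS = 8


def _effective_key(key):
    """Mimic DES: the low bit of each of the 8 key bytes is a parity bit the
    cipher ignores, so only 56 of the 64 key bits matter."""
    if len(key) != KEY_BYTES:
        raise ValueError("key must be 8 bytes")
    return bytes(b & 0xFE for b in key)


def _subkeys(key):
    """One 8-byte subkey per round, derived from the 56 effective bits (toy schedule)."""
    k = _effective_key(key)
    return [hashlib.sha256(k + bytes([r])).digest()[:8] for r in range(ROUNDS)]


def _f(half, subkey):
    """Toy round function F(R, k): first 32 bits of SHA-256(k || R)."""
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def _feistel(block, subkeys):
    """Feistel network: (L, R) -> (R, L xor F(R, k)) per round, swap undone at the end."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be 8 bytes")
    left, right = struct.unpack(">II", block)
    for sk in subkeys:
        left, right = right, left ^ _f(right, sk)
    return struct.pack(">II", right, left)


def E(key, block):
    """Single encryption E(K, X)."""
    return _feistel(block, _subkeys(key))


def D(key, block):
    """Single decryption D(K, X): the same network with the subkeys reversed."""
    return _feistel(block, list(reversed(_subkeys(key))))


def tdes_encrypt(k1, k2, k3, plaintext):
    """C = E(K3, D(K2, E(K1, P))): the EDE cycle, innermost parentheses first."""
    return E(k3, D(k2, E(k1, plaintext)))


def tdes_decrypt(k1, k2, k3, ciphertext):
    """P = D(K1, E(K2, D(K3, C))): the DED cycle."""
    return D(k1, E(k2, D(k3, ciphertext)))


def ecb_encrypt(k1, k2, k3, data):
    """ECB mode: every 8-byte block is enciphered on its own, so two equal
    plaintext blocks give two equal ciphertext blocks."""
    if len(data) % BLOCK_BYTES:
        raise ValueError("data must be a whole number of 8-byte blocks")
    return b"".join(tdes_encrypt(k1, k2, k3, data[i:i + BLOCK_BYTES])
                    for i in range(0, len(data), BLOCK_BYTES))


if __name__ == "__main__":
    k1, k2, k3 = b"key-one!", b"key-two!", b"key-3!!!"   # constructed 8-byte keys
    p = b"Ovaltine"                                     # one 64-bit block
    c = tdes_encrypt(k1, k2, k3, p)
    print("C =", c.hex(), "-> P =", tdes_decrypt(k1, k2, k3, c))
    two = ecb_encrypt(k1, k2, k3, b"OvaltineOvaltine")
    print("ECB repeats identical blocks:", two[:8] == two[8:])
    print("all keys equal == single E:", tdes_encrypt(k1, k1, k1, p) == E(k1, p))
```

Two caveats for practitioners. A meet-in-the-middle attack brings the effective strength of three-key 3DES down to about 112 bits rather than the 168 quoted above, and NIST has since deprecated 3DES in favour of AES; new designs should use AES, and never ECB for data longer than one block.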

To summarize, 3DES uses 64-bit symmetric block encryption with three keys, each corresponding to an encryption or decryption function, and follows the EDE cycle to encrypt plaintext, or the DED cycle to decrypt ciphertext. The keys must be kept secret to deter hackers from gaining access to the original plaintext, and should all be independent. 

On a final note, 3DES is the current standard adopted by the National Institute of Standards and Technology (NIST). It is only a temporary fix until the next generation of encryption is fully integrated, the Advanced Encryption Standard (AES). (Strong Encryption Package, Triple DES Encryption, n.d.)




References

  1. Callas, J. (n.d.). Expert advice: Encryption 101 -- Triple DES explained. Information Security information, news and tips - SearchSecurity.com. Retrieved September 11, 2011, from http://searchsecurity.techtarget.com/tip/Expert-advice-Encryption-101-Triple-DES-explained
  2. Distributed Security. (n.d.). Microsoft TechNet: Resources for IT Professionals. Retrieved September 11, 2011, from http://technet.microsoft.com/en-us/library/cc767123.aspx
  3. Stallings, W. (2011). Symmetric Encryption and Message Confidentiality. Network security essentials: applications and standards (4th ed., pp. 36-53). Alexandria, VA: Prentice Hall.
  4. Strong Encryption Package, Triple DES Encryption. (n.d.). Tropical Software, Security and Privacy Products. Retrieved September 11, 2011, from http://www.tropsoft.com/strongenc/des3.html



Monday, September 5, 2011

Tips for Using Online Storage

Online storage has recently become popular for people who wish to access their information from any computer, back up certain data, speedily transfer files to a designated party, or just need additional storage space that is affordable. Unfortunately, many others take advantage of this service to pirate publicly shared information, mostly music and/or movies. Some storage sites include Rapidshare, Megaupload, and Mediafire. YouTube can technically be considered as online storage, though it is limited to videos.

Don't get me wrong - file sharing can be a really convenient way of transferring data to another party, if you follow some hard and fast rules. First, make sure that you own the file, or gain approval from the owner before uploading. If you choose an online storage site, you might want to consider setting your files to "private" so that it does not turn up in search engines. In addition, protect each file with a password, preferably a different one for each file. That way, if someone does gain access to your link, they will not be able to download the file without the password. Likewise, if they gain access to one password, they will not be able to repeat the process with all your stored files. It may seem like a pain to remember all those passwords, but it is better than a lawsuit for leaking information.

In closing, it is probably not a good idea to store files with sensitive information or copyrighted material. I hope I do not have to reiterate that piracy is a criminal offense, and that online storage should NEVER be used to that end.