Viking VPN Security Blog Rollup


Mega

We will start off with one of the biggest stories of this year: the launch of Kim Dotcom's Mega. In response to the government takedown of Megaupload, Kim Dotcom and an army of lawyers and security experts have developed Mega, located at Mega.co.nz. The site is quite ingenious in its application because, contrary to Megaupload, Mega does not have access to users' data in any digestible form. Even the administrators of the site cannot decrypt the data stored on their servers, because it is encrypted client side before upload, and the key needed to decrypt the data is not stored on the servers.

This in essence absolves Mega of any responsibility for the site's content. It is controlled entirely by the users, who agree not to pirate anything when they sign up for an account.

The security technology appears to be working, fast, and polished. I uploaded a large 1.4GB personal video and downloaded it again at near the capped speeds for my home internet connection. It is impressive in its simplicity: it gives a user a fully encrypted digital locker that operates similarly to a storage device on a home PC. This technology can change the internet as we know it. As of this writing, Mega has been running uninterrupted for months without a single security breach.

Mega Expands to Fully Encrypted E-mail Services

This may be the biggest step forward for security this year. Kim Dotcom has announced his intentions to expand Mega to fully encrypted email services. Transport encryption is critical to keeping your personal and business emails safe from interception. As it stands now, e-mail is under siege. Both private businesses and governments alike are building massive databases of scraped emails. They dig through all of your personal, private data, without warrants, to find whatever it is they are looking for. It could be digging up information on a decorated American general, or having apps read all of your private email to push advertising. The commitment by Mega to end-to-end encryption services promises to stop these activities dead in their tracks.

VMware ESX Server Source Code Leaked to Public

Members of the hacker group Anonymous leaked the source code (2) for ESX Server to the public. This will allow hackers and coders to pore through all of the code in search of new vulnerabilities and hacks. The leak dramatically increases the chances of catastrophic security breaches for companies using this operating system. ESX is commonly used for advanced virtual servers in datacenters, and a single ESX-based server can support many different hosts at once. At least part of the leaked source code is used in current products, and VMware is treating the leak as a serious threat to its business.

We are entering the age of the "OpenCL supercluster" for password cracking.

In December, researcher epixoip demonstrated an OpenCL-based cluster of computers, leveraging many graphics cards, that cracks moderate-strength passwords protected by moderate-strength encryption in mere minutes. Using 25 graphics cards installed in 5 servers, he was able to crack NTLM-encrypted passwords 14 characters long in under 6 hours. Because of the nature of password cracking, many, many processors can attack the same hash in parallel. This technology could be scaled up to much larger clusters to make even stronger passwords and encryption methods unsafe, which is why passwords and encryption methods must stay ahead of the technology that can break them. NTLM has been largely phased out in favor of Kerberos 5, which supports AES encryption, which is much stronger and "nearly" bulletproof. Kerberos 5 is used by all Windows 2000 and later operating systems, as well as many flavors of Linux and OpenBSD. This vulnerability would be serious on compromised machines running Windows NT 4 or earlier, or older versions of Linux operating systems. Watch out, companies that don't respect their IT budgets.
