Updated May 25 2016
I located another copy of the video on the Internet, https://tune.pk/video/6528544/hack

Updated May 22, 2016
I noticed Youtube removed Phineas Fisher’s video.  The reason listed, “This video has been removed for violating YouTube’s policy on spam, deceptive practices, and scams”.  I watched the video.  There was no spam, deceptive practices, or scams.  The material was somewhat embarrassing for the Catalan Police Union.  Even so, there’s no short supply of inflammatory and embarrassing videos on Youtube; especially ones involving government officials.  It’s difficult to understand why this particular video received extraordinary attention.Instructional video by Phineas Fisher demonstrating his hack of the Catalan Police Union in 39 minutes.  Anything that could go wrong for the Police did go wrong but here’s the short-list.

1) Police using WordPress, WordPress is amazing blog software but it has a long history of security problems.  Wordpress provides a very rich extensibility framework of plugins written by almost anyone.  These plugins extend many desirable features to WordPress but there is little to no quality control over these plugins and it’s vulnerability Disneyland for bad guys.  Wordpress is great for running your personal blog but probably not the best choice if your a big target like a government agency (or security professional).

Applications DB Account Running w/MySQL Administrative Privileges, best practice is that the DB account used by the application run with the lowest privileges possible while still meeting the needs of the application.  In this case, application designers were unaware or lazy and used an account with administrative privileges.

3) Twitter Password for Police Same as WordPress Account, once the attacker had the WordPress password he was able to sign into Twitter and deface the Police department’s Twitter account.  Best practices is not to use the same account across different web applications.  If you are going to bend this rule then at least don’t use your shared password across sites you think could be hacked, sites that place less emphasis on security, etc.  For example, don’t use the same password you use with your Facebook or Google password with smaller, less known sites, sites that may invest less into security.  At least your cutting your risk with this approach.

deepviolet-logoDeepViolet(DV) open source TLS/SSL DAST tool updated to Beta 4.  The major improvement for Beta 4 is the addition of an API so Java designers can implement DV features in their own projects.

Following are a summary of improvements for Beta 4.

  • Added API support for those who want to use DeepViolet features in their own Java projects. See package com.mps.deepviolet.api
  • Added samples package with sample code to demonstrate new API
  • Refactored existing code for the command line support and UI to use the new API.
  • 2 new command line options for debugging added, -d and -d2. d turns on Java SSL/TLS debugging. -d2 assigns DV debug logging priority.
  • Generated JavaDocs for Public APIs, see com.mps.deepviolet.docs
  • javadoc.xml added to generate JavaDocs
  • Support for dock icon on OSX for the UI

To learn more about the DeepViolet refer to the projects GitHub page or click DOWNLOAD to try DeepViolet now.

UPDATE, March 10, 2018: computing technology update, Google’s Bristlecone Quantum Processor.

Throughout the week of April 11th, 2016 Stanford held is annual affiliates Computer Forum on the campus.  Participation in the forum is available to affiliate members.  If your interested to be an affiliate send a note to me, see About page.   Stanford security forum is a great place to unplug from the day-to-day business and consider broader security challenges.  The campus is beautiful and the projects are interesting.  Attending the forum is always uplifting, I usually meet leaders from industry I know, university staff, and I always learn something new from their research.

The forum is a week long but attendees can sign up for individual days depending up interests.  I attended 2 days of the week long forum.  Monday was dedicated to security.  Thursday was dedicated to IoT.  Research projects and themes change from year to year.  This year cryptography and IoT where the broad themes.  Full media from the week long forum trails the post.

A Few Thoughts or Impressions
Following are some of the more important points I learned or points that captured my interests, not in any particular order of importance.

Why are quantum computers fast?
Traditional computers process information in bits.  A bit is either “on” or “off”, a 1 or a 0 respectively but quantum computers also provide an Amplitude property associated with each quantum bit.  Remember Schrödinger’s Cat?  The cat was in a Superposition of States where the cat is both alive and dead.  Amplitude is the measurement of the superposition which is the probability the cat is in one state or the other.  A point of some utility is that amplitude is not a simple percentage but instead is a complex number.  The the value combined with the amplitude of the bit form a quantum computational unit known as the Qubit.  In a traditional computer, increasing the number of bits increases the computers word size and address space which increases the processing power in polynomial time.  Increasing the number of qubits in a quantum computer increases processing power in exponential time.  Unlike a traditional computer, doubling the size of a quantum more than doubles computational power.  The increase in computational power is due to two major factors, 1) unique superposition properties of the qubit, 2) higher dimensional algorithms applicable specific problem spaces.  Quantum computers provide a different operational computing model when compared to a traditional computer.  Rather than serialized approach to computing using logic gates, lasers and radio waves interfere with each other and operate across many qubits simultaneously.  In some qubits, interference is constructive and in others interference is destructive.  The design of the quantum computer and algorithms seek to reinforce constructive interference patterns that produce the desired results.  I realize this answer is not satisfactory for everyone.  Take a look at the presentation materials in the links at the of the post.  Also take a look at, The Limits of Quantum article.

Quantum computers not likely to replace traditional computer
Quantum computers are fast at solving specific problems where an algorithm exists.  Quantum computers are not necessarily fast at solving all problems.  It’s unlikely a quantum computer will replace your desktop; however, if a quantum computer could be made small enough it could make an addition to your desktop for specialized functions (e.g., 3D graphics).

Implications for web browser security
A quantum algorithm exists for finding large prime numbers, Shore’s Algorithm.  Web browser security is predicated on the fact that large prime numbers are difficult to factor.  A quantum computer along with Shore’s Algorithm can factor primes fast.  However, the state of the art in quantum computers today is about 9-qubits.  According to Professor Dan Boneh, we don’t need to be concerned about quantum computers cracking browser security until quantum computers reach around 100-qubits.

Browser security in a post-quantum computing world
Professor Boneh elaborated, post-quantum computing encryption algorithms remain an area of interest.  Algorithms that are useful in a post-quantum world favor smaller primes within higher dimensional number spaces(>1024).  A research paper, Post-Quantum Key Exchange – A New Hope provides details.

TLS-RAR for auditing/monitoring SSL/TLS connections
A new protocol has been developed to monitor SSL/TLS.  TLS-RAR does not require terminating the SSL/TLS connection and establishing a new connection to the end-point.  Instead TLS-RAR works by dividing TLS connections into multiple epochs.  As a new epoch is established, between client and server, a new TLS session key is negotiated.  Meanwhile, the TLS session key for old epochs is provided to the observer which may be an auditor or monitoring tool.  In this way the observer has access to view old TLS epoch information.  The observer cannot view or alter information from the current epoch.  Data integrity and confidentiality between client and server is maintained.  Some of the advantages, no changes to the client are required(no new roots to add), and support for current TLS/SSL libraries.  This means TLS-RAR is compatible with a host of IoT technologies and components already deployed.

Session Media from the Forum
The following links provide access to session materials throughout the form.