Black Hat paper on breaking Trusted Platform Module withdrawn

This is the abstract for a paper that was scheduled to be presented at Black Hat USA 2007 security conference next month. It was removed without explanation from the conference Web site this week, and promised to circumvent security afforded by Trusted Platform Module chips:

“…The attack procedure (TPMkit) involves an attack on the TPM chip.
TPMkit lets you overcome technologies such as Vista's BitLocker. TPMkit
also bypasses remote attestation and thus, will allow to connect over
Trusted Network Connect(TNC) (although the system might not be in
Trusted state).

TPMkit bypasses the security checks mentioned (in the above paragraphs) and thus, you will never know that you are using a
compromised or changed system.

will be demonstrating how to break TPM. The demonstration would include
a few live demonstrations. For example, one demonstration will show how
to login and access data on a Windows Vista System (which has TPM +
BitLocker enabled).

More information on TPMkit (as it evolves) will be released.”

Read the full abstract on NetworkWorld.


Lumines sales jump 5900% on Amazon

You may have already heard about the latest PSP exploit discovered within the classic puzzler Lumines,
availing owners of any variety of PSP — all the way up to its current
firmware, 3.50 — the opportunity to run homebrew, install custom
firmware, and generally monkey up Sony's plans to get you to play PSP
games on the system over, say, 14-year-old SNES games. Can't stop 'em,
Sony — this is what people want. People want their hardware unlocked,
they want emulation of everything up to PSX, and they don't want you
steppin' on their toes over it. Proof? Hell, look at Lumines.

a big jump for a launch title. Hey, I'm not saying it wasn't a great
game — it's certainly one of my all-time favorite titles to play on
the toilet, that's for certain — but I can't imagine a nearly 6000%
jump just for nostalgia or 'cos word got out that it wasn't half bad.

It's levelled off a bit since then, but still impressive — the force of a wall of gamers all moving towards emulation and maybe-probably piracy. Well, at least they'll actually play the damn things, now. Go buy Crush, jerks!

From Destructoid.

Surf the Net Safely and Privately with JanusVM

This morning, while having a little fun with VMWare Server, I stumbled on VMWare’s list of free virtualized environments.
If you have any VMWare product installed on your box, you’ll definitely
want to check this list out. Anyhow, like I already said, I stumbled on
this list and quickly browsed the available products. That’s when I
ended up on a very interesting security package named JanusVM.
JanusVM is a virtualized security environment that allows you to surf
the internet absolutely securely and privately. It was designed to run
on VMware Player (or Server) and brings together openVPN, Tor, Squid, Privoxy and dns-proxy-tor to give you a transparent layer of security that is compatible with most TCP based applications.

JanusVM Features:

  • WiFi Support.
  • Supports multiple users in a LAN.
  • Protects you from most man-in-the-middle attacks.
  • Protects you from Javascript, Java, and Flash based side-channel privacy attacks.
  • Protects your identity and your true location by masking your IP Address.
  • Encrypts and re-routes your DNS request and ALL TCP traffic to ensure strong privacy.
  • Strips out most privacy sensitive information your web browser may leak.
  • Blocks popups, annoying ads, banners, and other obnoxious Internet junk.
  • Very simple setup and operation.
  • Works transparently for applications using TCP.

Setup is very easy. Just download and install VMWare player, download JanusVM and follow these simple instructions.

After setting up the environment, if you decide to keep JanusVM running on your box, please consider giving a small donation to the developer. Your donations will surely encourage him to keep on working on this fantastic project.

Nice, I'm downloading this now.  Usually the presence of Tor on a corporate laptop is eyed suspiciously.  Found on Geeks are Sexy.

Quicken Backdoor Could Give Feds Access to Finance Data

A Moscow-based
password-recovery vendor Thursday accused Intuit Inc. of hiding a
backdoor in its popular Quicken personal finance program that gives it
— and perhaps government agencies — access to users’ data files.

called the charges baseless, and said that although there is a way to
unlock Quicken’s encrypted data, it’s only used by the company’s
support team to help customers who have forgotten their passwords.

a statement, Elcomsoft Co. Ltd., a Russian maker of password-recovery
tools, said Quicken versions since 2003 have used strong encryption
designed to foil hackers. But those editions also have a backdoor that
unlocks the encryption with the 512-bit RSA key that Intuit controls.

is very unlikely that a casual hacker could have broken into Quicken’s
password protection regimen,” Vladimir Katalov, Elcomsoft’s CEO, said
in the statement. “[We] needed to use advanced decryption technology to
uncover Intuit’s undocumented and well-hidden backdoor, and to
successfully perform a factorization of their 512-bit RSA key.”

“Very unlikely…” my ass.  Read the full article at

Run Homebrew on your PSP v3.50!!

Following research in conjunction with Archaemic, Noobz are proud to
present the first ever all-firmware exploit for the PSP.  Based on
Lumines, the “Illuminati” exploit is a user-mode exploit using a buffer
overflow in the savedata file – similar to the GTA exploit.

That's right – if you've got a legal UMD
copy of Lumines, then you can run homebrew on your PSP – whatever the
firmware version.  That includes v3.50! Right now, the only homebrew is
the Hello World demo released below – but in future we intend to
release a HEN and downgrader.

To make the exploit work:

  • Check that you have an EU or
    US version of Lumines (ULES00043 or ULUS10002).  Currently we don't
    have a version for the Japanese version, but we're working on it, as
    soon as we get hold of a Japanese UMD. 
  • Extract the contents of the 'MS_ROOT' folder from the ZIP file into the top-level of your memory stick. (HINT: If you wind up with an 'MS_ROOT' folder on the stick, you've done it wrong).
  • Start
    the game, and as soon as it gets to the 'Press START' screen, press
    START.  If you wait until the demo has started, the exploit may not
  • The screen should go blank, and the exploit will start
    after a few moments.  It doesn't do anything except look pretty at this
    stage – but feel free to enjoy the first homebrew on your v3.10 – v3.50
    PSP Wink

 Download Illuminati exploit

File Size: 132.65 Kb
Downloads: 8501

From noobz.

The Leopard has been let loose

Arrrrrr. Avast Ye Matey! The cat is out of the bag. The WWDC 2007
beta of Leopard (Build 9A466) has hit the grand daddy of all torrent
sites. Just search for “The Big Cat” on The Pirate Bay and fire up your
favorite BitTorrent client.

For those of you who don’t want to cross over to the shady side of computing you can check out ThinkSecrets gallery.

From UNEASYsilence.

AES seems weak

We describe a new simple but more powerful form of linear cryptanalysis. It appears to break AES (and undoubtedly other cryptosystems too, e.g. SKIPJACK). The break is “nonconstructive,” i.e. we make it plausible (e.g. prove it in certain approximate probabilistic models) that a small algorithm for quickly determining AES-256 keys from plaintext-ciphertext pairs exists – but without constructing the algorithm. The attack’s runtime is comparable to performing 64^w encryptions where w is the (unknown) minimum Hamming weight in certain binary linear error-correcting codes (BLECCs) associated with AES-256. If w < 43 then our attack is faster than exhaustive key search; probably w < 10. (Also there should be ciphertext-only attacks if the plaintext is natural English.)

Even if this break breaks due to the underlying models inadequately approximating the real world, we explain how AES still could contain “trapdoors” which would make cryptanalysis unexpectedly easy for anybody who knew the trapdoor. If AES’s designers had inserted such a trap door, it could be very easy for them to convince us of that.  But if none exist, then it is probably infeasible difficult for them to convince us of that.

We then discuss how to use the theory of BLECCs to build cryptosystems provably
1. not containing trapdoors of this sort,
2. secure against our strengthened form of linear cryptanalysis,
3. secure against “differential”cryptanalysis,
4. secure against D.J.Bernstein’s timing attack.

Using this technique we prove a fundamental theorem: it is possible to thus-encrypt n bits with security 2^cn , via an circuit Qn containing < cn two-input logic gates and operating in < c log n gate-delays, where the three cs denote (possibly different) positive constants and Qn is constructible in polynomial(n) time. At the end we give tables of useful binary codes.

Interesting paper from Warren D. Smith (pdf).