DPL-Surveillance-Equipment.com

These are new product announcements from my main website (Open 24/7/365). We have a life-time warranty / guarantee on all products. (Includes parts and labor). Here you will find a variety of cutting-edge Surveillance and Security-Related products and services. (Buy/Rent/Layaway) Post your own comments and concerns related to the specific products or services mentioned or on surveillance, security, privacy, etc.

Sunday, October 06, 2013

NSA Compromises Security of Internet, ECommerce And Crypto-Currencies Via "Backdoors" In The Name of Anti-Terrorism









Silent Circle Ditches NIST Cryptographic Standards To Thwart NSA Spying

The U.S. National Security Agency's reported efforts to weaken encryption standards have prompted an encrypted communications company to move away from cryptographic algorithms sanctioned by the U.S. National Institute of Standards and Technology (NIST).

Silent Circle, a provider of encrypted mobile Voice over Internet Protocol (VoIP) and text messaging apps and services, will stop using the Advanced Encryption Standard (AES) cipher and Secure Hash Algorithm 2 (SHA-2) hash functions as default cryptographic algorithms in its products.

"We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement," Silent Circle CTO Jon Callas said Monday in a blog post. "We are going to replace our use of the SHA-2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense."

The company also plans to stop using P-384, one of the elliptic curves recommended by the NIST for use in elliptic curve cryptography (ECC).


The NSA has long been a supporter of ECC, an approach to public-key cryptography based on the arithmetic of elliptic curves, arguing that it is more secure and offers better performance than traditional public-key cryptography schemes. P-384 is one of the elliptic curves used in Suite B, a set of cryptographic algorithms used for encryption, key exchange, digital signatures and hashing that was selected by the NSA for use when handling classified information.








Silent Circle plans to replace the P-384 elliptic curve with one or more curves that are being designed by cryptographers Daniel Bernstein and Tanja Lange, who have argued in the past that Suite B elliptic curves are weak.

"If the Suite B curves are intentionally bad, this would be a major breach of trust and credibility," Callas said. "Even in a passive case -- where the curves were thought to be good, but NSA cryptanalysts found weaknesses they have since exploited -- it would create a credibility gap of the highest order, and would be the smoking gun that confirms the Guardian articles."



The New York Times and the Guardian newspapers reported last month, based on documents leaked by former NSA contractor Edward Snowden, that the NSA has used its influence to weaken an encryption standard published by the NIST in 2006.

That standard is the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a secure pseudo-random number generator (PRNG) that's based on the elliptic curve discrete logarithm problem. PRNGs play an important role in many aspects of cryptography, and a vulnerability in one of them could undermine the whole security of a cryptographic system that uses it.

Researchers have warned since 2007 that Dual_EC_DRBG has a serious weakness, but some companies have implemented it in their encryption products anyway because it was a NIST recommendation.







Following the recent reports about the NSA weakening this standard, the NIST reopened Special Publication 800-90A, which includes the Dual_EC_DRBG specification, for public comments. The organization also denied that it would deliberately weaken a cryptographic standard.

However, the harm to the NIST's reputation seems already to have been done.

RSA, the security division of EMC, has since advised customers that its BSAFE cryptographic libraries and its Data Protection Manager products have been using Dual_EC_DRBG by default and strongly recommended that they switch to a different PRNG using instructions in the product documentation.

Silent Circle's new decision to move away from AES, SHA-2 and the P-384 curve doesn't mean that these standards are insecure, Callas said in the blog post. "It doesn't mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA's perfidy, along with the rest of the free world. For us, the spell is broken. We're just moving on."

The company still plans to support the NIST-sanctioned algorithms in its services, but they won't be the default choice anymore.

Asked why Twofish and Skein in particular were chosen to be the new default choices for Silent Circle's products, Callas said via email that both algorithms come from trusted sources, including himself in the case of Skein.

Twofish was a finalist in the NIST's selection of the AES cipher, and the team that developed it included people that Silent Circle's co-founders personally know and trust, he said. "A number of the same people produced Skein -- which was a SHA-3 finalist -- and I am a member of the Skein team."

For Silent Circle this was a "decision of conscience," Callas said. "Our primary responsibility is to protect our customers, especially in the face of uncertainty."



However, Callas doesn't think other vendors necessarily should follow suit and move away from NIST cryptographic standards.

"I wouldn't fault anyone for deciding differently," he said. "We need more of the world coming together with security and respecting each other's decisions even if we make different decisions and do different things. If someone decides to stay the course, I respect that."

"That's also why we're going to allow customers to use the old algorithms," Callas said. "We respect their personal decisions, too."



Should We Trust The NIST-Recommended ECC Parameters?






Also, recent articles in the media, based upon Snowden documents, have suggested that the NSA has actively tried to enable surveillance by embedding weaknesses in commercially-deployed technology -- including at least one NIST standard.

The NIST FIPS 186-3 standard provides recommended parameters for curves that can be used for elliptic curve cryptography. These recommended parameters are widely used; it is widely presumed that they are a reasonable choice.

My question. Can we trust these parameters? Is there any way to verify that they were generated in an honest way, in a way that makes it unlikely they contain backdoors?

Reasons for concern. Bruce Schneier has written that he has seen a bunch of secret Snowden documents, and after seeing them, he recommends classical integer discrete log-based cryptosystems over elliptic curve cryptography. When asked to elaborate on why he thinks we should avoid elliptic-curve cryptography, he writes:

I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.


This suggests we should look closely at how the "constants" (the curve parameters) have been chosen, if we use ECC. This is where things look concerning. I recently read a message on the tor-talk mailing list that seems to suggest the NIST curve parameters were not generated in a verifiable way. That message examines how the parameters were generated:

I looked at the random seed values for the P-xxxr curves. For example, P-256r's seed is c49d360886e704936a6678e1139d26b7819f7e90. No justification is given for that value.


and ultimately concludes:


I now personally consider this to be smoking evidence that the parameters are cooked.

Based upon my reading of FIPS 186-3, this appears to be an accurate description of the process by which the P-xxxr curves were generated. So, should people be concerned about this? Or is this just paranoia based upon loss of trust in the NSA?
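What the FIPS 186-3 procedure lets an outsider check, as an added example that is not part of the original post: the sketch below recomputes the SHA-1 chain from the published P-256 seed and confirms that the curve coefficient b satisfies b²·c ≡ −27 (mod p). The p and b constants are taken from FIPS 186-3 (they do not appear on this page) and the function names are illustrative; the same routine applies to the other NIST prime curves given their seed, p and b.

```python
import hashlib

# NIST P-256 domain parameters as published in FIPS 186-3, Appendix D
# (assumption: these constants are not on the page itself).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Seed quoted in the mailing-list message above.
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_c(seed: bytes, p: int) -> int:
    """Expand a 160-bit seed into the integer c used to fix the curve.

    Follows the prime-case procedure of FIPS 186-3 Appendix D / ANSI X9.62:
    c is the rightmost w bits of SHA-1(seed) followed by SHA-1 of the
    seed incremented by 1, 2, ..., v (as 160-bit integers).
    """
    if len(seed) != 20:
        raise ValueError("seed must be exactly 160 bits")
    l = p.bit_length()
    v = (l - 1) // 160          # number of additional full SHA-1 blocks
    w = l - 160 * v - 1         # bits kept from the first SHA-1 output
    h0 = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << w) - 1)
    z = int.from_bytes(seed, "big")
    c = h0
    for i in range(1, v + 1):
        s_i = ((z + i) % (1 << 160)).to_bytes(20, "big")
        h_i = int.from_bytes(hashlib.sha1(s_i).digest(), "big")
        c = (c << 160) | h_i    # concatenate h0 || h1 || ... || hv
    return c


def seed_matches_curve(seed: bytes, p: int, b: int) -> bool:
    """Return True if b is consistent with the seed for a curve with a = -3."""
    c = derive_c(seed, p)
    # Degenerate values are rejected by the generation procedure.
    if c == 0 or (4 * c + 27) % p == 0:
        return False
    # With a = -3 the condition c * b^2 = a^3 becomes b^2 * c = -27 (mod p).
    return (b * b * c + 27) % p == 0


if __name__ == "__main__":
    ok = seed_matches_curve(P256_SEED, P256_P, P256_B)
    print("P-256 b derives from the published seed:", ok)
    # Any change to the seed breaks the relation, so the seed does bind b.
    altered = bytes([P256_SEED[0] ^ 0x01]) + P256_SEED[1:]
    print("altered seed still matches:",
          seed_matches_curve(altered, P256_P, P256_B))
```

A passing check shows only that b follows from the seed through SHA-1; it gives no information about how the seed itself was picked, which is the gap the quoted message points at.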








Secret NSA Documents Show Campaign Against Tor Encrypted Network


On Nov. 1, 2007, the National Security Agency hosted a talk by Roger Dingledine, principal designer of one of the world’s leading Internet privacy tools. It was a wary encounter, akin to mutual intelligence gathering, between a spy agency and a man who built tools to ward off electronic surveillance.

According to a top-secret NSA summary of the meeting, Dingledine told the assembled NSA staff that his service, called Tor, offered anonymity to people who needed it badly — to keep business secrets, protect their identities from oppressive political regimes or conduct research without revealing themselves. In the minds of NSA officials, Tor was offering protection to terrorists and other intelligence targets.

As he spoke to the NSA, Dingledine said in an interview Friday, he suspected the agency was attempting to break into Tor, which is used by millions of people around the world to shield their identities. Documents provided by former agency contractor Edward Snowden show that he was right.

Beginning at least a year before Dingledine’s visit, the NSA has mounted increasingly successful attacks to unmask the identities and locations of users of Tor. In some cases, the agency has succeeded in blocking access to the anonymous network, diverting Tor users to insecure channels. In others, it has been able to “stain” anonymous traffic as it enters the Tor network, enabling the NSA to identify users as it exits.

Tor works by encrypting traffic repeatedly as it flows across a global network of servers, mostly run by volunteers. The traffic, which can include e-mails, information from a Web site and almost anything else on the Internet, is supposed to arrive at its destination with no identifying information about its origin or the path it took.

The Snowden documents, including a detailed PowerPoint presentation, suggest that the NSA cannot see directly inside Tor’s anonymous network but that it has repeatedly uncloaked users by circumventing Tor’s protections. The documents also illustrate the power of the NSA to at least partially penetrate what have long been considered the most secure corners of the Internet.

The U.S. Naval Research Laboratory first developed Tor more than a decade ago as a tool to allow anonymous communications and Web browsing. It was embraced by privacy advocates, including the Electronic Frontier Foundation, and continues to receive substantial federal funding. Tor is now maintained by Dingledine’s nonprofit group, the Tor Project.

The State Department trains political activists worldwide on how to use Tor to protect communications from the intelligence services of repressive governments. But the anonymity service also has become popular with criminals — especially dealers of illicit drugs, military-grade weapons and child pornography — and terrorists seeking to evade tracking by Western intelligence services.

One of the documents provided by Snowden said an NSA technique code-named EGOTISTICALGIRAFFE had succeeded in unmasking 24 Tor users in a single weekend.


The intelligence community “is only interested in communication related to valid foreign intelligence and counterintelligence purposes,” Clapper said.

There is no evidence that the NSA is capable of unmasking Tor traffic routinely on a global scale. But for almost seven years, it has been trying.

Since 2006, according to a 49-page research paper titled simply “Tor,” the agency has worked on several methods that, if successful, would allow the NSA to uncloak anonymous traffic on a “wide scale” — effectively by watching communications as they enter and exit the Tor system, rather than trying to follow them inside. One type of attack, for example, would identify users by minute differences in the clock times on their computers.

Dingledine expressed no surprise that the NSA has tried to defeat efforts at anonymity. In the interview, he said the weaknesses in Tor described in the PowerPoint presentation likely could be exploited only against a relatively small number of individual users. That, he said, is reassuring.

“If those documents actually represent what they can do, they are not as big an adversary as I thought,” he said.

The Tor Browser Bundle, available for free at www.torproject.org, was downloaded 40 million times last year. Until a recent security upgrade to the Firefox browser, which is incorporated in the bundle, the NSA could trick the browser into leaking the real Internet address of a targeted user. One slide described these tactics as “pretty much guaranteed to succeed.”

Mozilla, the nonprofit organization that develops Firefox, declined to comment.

One document provided by Snowden included an internal exchange among NSA hackers in which one of them said the agency’s Remote Operations Center was capable of targeting anyone who visited an al-Qaeda Web site using Tor.

Privacy advocates, however, say Tor is valuable and should be protected even if it is sometimes used by criminals. “Tor is networking technology,” said Christopher Soghoian, an American Civil Liberties Union technology expert. “It is no different from a postage stamp or a highway. Good people use highways, and bad people use highways.”

The NSA documents portray a years-long program to defeat what the agency called “The Tor Problem,” with the agency repeatedly updating its tactics as Tor’s developers made changes to the network.

The NSA also altered tactics as Mozilla introduced new versions of Firefox. In anticipation of a new release of Firefox, one agency official wrote in January that a new exploit was under development: “I’m confident we can have it ready when they release something new, or very soon after :).”

In late 2006, when the NSA prepared a working paper on methods to defeat Tor, the anonymous network had an estimated 200,000 users and 1,000 servers. Among the secret NSA documents were lists of hundreds of servers the agency believed to be “nodes” on that network.

Along with EGOTISTICALGIRAFFE, the agency’s cover names for Tor attacks have included MJOLNIRMOTHMONSTER and EGOTISTICALGOAT. A similar program at Britain’s Government Communications Headquarters, the NSA’s close counterpart, was called STUNT WORM.

One NSA PowerPoint presentation provided by Snowden is titled “Peeling Back the Layers of TOR with EGOTISTICALGIRAFFE.”

The agency began identifying browsers that were using Tor by noting how the encryption program reset what’s called the BuildID — a 14-digit code representing the exact date and time when that version of Firefox was released. On versions using Tor, the BuildID is reset to “0.” That feature made it hard to distinguish one Tor user from another, but it also allowed the NSA to pick out Tor-enabled browsers from among all others in use at any given moment.

“It’s easy!” a slide describing the technique said.

Mozilla issued a patch to Firefox that would protect newer versions of the browser against such an attack, though the NSA documents make clear that research into new exploits remains active.

One PowerPoint slide sums up a multistep method for learning the identity and location of Tor users and implanting NSA code in the browser. It ends with a final bullet point saying, “Win!”






NSA Paid Tech Firm To Use Weak Encryption

If this Reuters report is true, the National Security Agency paid RSA, the security unit of EMC, $10 million to make flawed encryption promoted by the government the default setting in one of its encryption programs, which could have allowed the intelligence agency to snoop on customer communications that those users thought they were paying RSA to protect.

The program, called Bsafe, is used to protect individual computers on a network through encrypting data and communications.

The Wall Street Journal couldn’t confirm that allegation Friday evening; current and former RSA executives did not return repeated requests for comment. The NSA declined to comment.

In a statement given to Reuters, the company said: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”

The Reuters story also doesn’t say that RSA knew the encryption standard was flawed when it agreed to the deal. But the story could deal a further blow to American software and networking companies, some of which have faced allegations of creating backdoors for U.S. spies after a half-year of leaks from former NSA contractor Edward Snowden about U.S. government surveillance.

Other news organizations had previously reported that the NSA helped promote a flawed formula for encryption software, according to documents leaked by Snowden. It even got the National Institute of Standards and Technology, the encryption standards body of the U.S. government, to sign off on the standard, according to the Snowden documents.

Shortly after those revelations, RSA told its customers to stop using the suite.


NSA Affair Forces NetSuite’s Hand

Cloud application vendor NetSuite Inc. is accelerating its construction of data centers in Europe as a result of the National Security Agency’s eavesdropping activities. Zach Nelson, the company’s chief executive, said Wednesday that prospective customers in Europe have grown more concerned about whether the U.S. government could access proprietary information stored in data centers around the world. “There’s now a higher level of concern about keeping data in Europe,” he said.

Documents leaked by contractor Edward Snowden revealed that the NSA has been eavesdropping on the data centers of Google Inc., Apple Inc., and other large technology companies. The revelations are particularly thorny for companies like NetSuite, which store data and applications used by businesses on remote servers around the world, which their customers can access via the Internet. Businesses, particularly outside the U.S., are loath to allow the government to pry into their activities.

According to Mr. Nelson, NetSuite will add two new data centers in 2014, picking two from among prospective locations in Germany, the Netherlands and Ireland. NetSuite would have “ultimately” built the new data centers regardless, said Mr. Nelson, but has sped up its expansion “as a result of concerns about the NSA.” Mr. Nelson said he believes the company “will have the same issue in Asia.”

NetSuite, which provides software used to manage corporate financials and other back office operations, currently has five data centers, including one in California and the other in Massachusetts. It has approximately 16,000 business customers globally, about a quarter of which are located overseas. Third quarter revenues were approximately $107 million, 34% higher than the year-previous quarter.

Google, Apple, Microsoft Corp. and five other technology companies last week issued an open letter calling for “global government surveillance reform,” urging world governments to respect the principles of “free expression and privacy.” Specifically, the companies said they wanted to see greater oversight of the government’s surveillance operations and limits on the government’s authority to compel companies to disclose data about their customers.

Several technology firms have said revelations of the NSA’s activities have hurt business, most notably Cisco Systems Inc. chief executive John Chambers, who said “it is an impact in China.” Tom Leighton, chief executive of Akamai Technologies Inc., which helps companies manage Web traffic, said during a conference sponsored by Bloomberg LP that the scandal is being used to “whip up anti-American sentiment” in Germany, and that the company stands to “lose some business there.”

The NSA scandal is “an opportunity for countries to develop protectionist measures,” said Rebecca Wettemann, vice president of research at Nucleus Research. According to Ms. Wettemann, technological solutions, such as encryption, will eventually help companies better protect their data, but perhaps not soon enough to prevent some of those measures. “History tells us legislation is going to lag behind the technology, and perhaps have unintended consequences,” she said.


Monty Henry, Owner









