thinkst : thoughts...

Monday, September 19, 2011

Chrome Extension for gpg in Gmail

Last month we released an alpha version of cr-gpg. This is a simple Chrome extension to enable gpg functionality in gmail (or Apps for Domains). (If you don't know what gpg is, you should first read this and this.)

Installation :

You can grab the extension from [here]; a double click should install it. Once the install has completed you should see the image above when you navigate to chrome://extensions:

Options :


Once you have installed the plugin, there are 2 required configuration options:
1) Directory with gpg binary
2) Temp folder path (writable by the browser)

(cr-gpg simply calls out to the gpg installation on your machine. Option [1] therefore asks where it can find the gpg executable, and Option [2] asks for a scratch directory to do its work in. We make some effort to ensure that the temp directory is well maintained.) You should be able to click "Use Default" on most installations.

The "Encrypt to self" option is fairly self explanatory. If I encrypt (and send) an email to you, the encrypted email will be in my sent items. I would be unable to read this mail though (since it has been encrypted with your public key, not mine). If you would like to be able to read these mails as well, simply select this option (and enter your email address in the next field: "Encrypt to self Email Address").

Now click "Save" to save these options. (cr-gpg will do some basic sanity checking on your options.) You can return to these options through the extensions window or by clicking the lock icon added to your browser chrome.

Convenience Functions :

The other convenience functions enabled through the lock icon allow you to do simple gpg key management, encrypt and sign blocks of text.

Embedded Functions :

When typing an email in GMail, we should now see an additional link: "Encrypt Message".
(If we have the recipient's public key,) simply clicking this should encrypt the mail to the recipient, as seen below.

When you receive an encrypted email, simply click on "Decrypt Message".

Decrypting an email requires access to your private key (which is usually password protected). Enter the password, click "OK" and you should be good to go.

Give it a try [here], and let us know if you have bugs [here], comments, complaints or suggestions.

Tuesday, August 9, 2011

BlackHat according to Twitter

For the first time in a decade I didn't attend BlackHat USA in Las Vegas. I learned that South Africa in August is much colder than I recalled, but I also had the chance to observe the conference through a Twitter lens.

It seemed as if there was more talk about parties than content, so I decided to grab all the tweets I could (#blackhat, via the Twitter search API) and do some simple grouping*.

What's clear straight off is that my intuition was wrong. Although party talk makes up a significant percentage of all tweets, tweets about "talks & training" clearly dominate. (This possibly means that I need to start following a better class of hax0r.)

A quick explanation of the grouping (which was done pretty coarsely):
  • Talks & Training : Tweets related to a talk (or training session)
  • Misc : General catch-all for tweets about coffee / *
  • Spam : People who stole the hashtag to push traffic to their own site (used by quite a few big-name vendors to draw traffic to their reports *cough* Shady RAT *cough*)
  • Pimpage : Speakers / vendors / people shamelessly self-promoting
  • Vegas/Parties/Social : These are the typical "Vegas Baby!" tweets
  • Bluehat Prize : These are tweets about the Microsoft BlueHat Prize
  • Not There : Tweets from people who wish they were at BlackHat
  • Recruitment : erm... recruitment related
  • Pwnies : Pwnies-related tweets
  • BoothBabes : The kerfuffle over McAfee's use of booth babes
  • anonymous,antisec,lulzsec : Tweets about Anon doing BlackHat
Since we have this data, we can extract some other (arbitrary) pieces of information, like the most commonly used words in tweets about "talks & training":

(This is a quick (cheap) way for us to see which talks/speakers dominated the twittersphere.)

It also (kinda) interestingly allows us to list the top tweeters by volume (with 1318 individual tweeters in total):
  • 36 @TechJournalist
  • 32 @wireheadlance
  • 30 @chriseng
  • 25 @jadedsecurity
  • 23 @IOActive
  • 21 @Llana
  • 18 @click_finders
  • 18 @cindyv
  • 18 @bdognet
  • 18 @InsiderThreats
Finally (because we couldn't help but add another pie graph,) we can check the most popular twitter clients used to create this traffic:

(It's worth noting that we only grabbed data for the #blackhat hashtag. This is partly because it was the most obvious, and partly because we were afraid to grab the results of #barcon.)
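A minimal version of this coarse grouping, top-tweeter and top-client tally, written as an added example (not the script behind the post) over a handful of constructed tweets rather than the real #blackhat pickle; the keyword lists per category are assumptions chosen to match the list above, and only some of the categories are included.

```python
import re
from collections import Counter

# Constructed sample tweets (not the real #blackhat data set); each record
# mimics the user / text / source fields the python twitter module exposes.
SAMPLE_TWEETS = [
    {"user": "userA", "text": "Packed room for the SSL talk at #blackhat, slides later", "source": "web"},
    {"user": "userB", "text": "Best #blackhat training so far: exploit dev, day two", "source": "TweetDeck"},
    {"user": "userC", "text": "Vegas baby! #blackhat pool party tonight", "source": "Twitter for iPhone"},
    {"user": "userD", "text": "Read our Shady RAT report, free download #blackhat", "source": "HootSuite"},
    {"user": "userA", "text": "Anonymous and AntiSec are the hallway topic at #blackhat", "source": "web"},
    {"user": "userB", "text": "Great SSL talk, speaker nailed the cert pinning demo #blackhat", "source": "TweetDeck"},
    {"user": "userF", "text": "We're hiring pentesters, find us at #blackhat", "source": "HootSuite"},
    {"user": "userA", "text": "Coffee line longer than the keynote line #blackhat", "source": "web"},
]

# Assumed keyword lists for some of the post's categories; the first match
# wins, and anything unmatched falls into the "Misc" catch-all.
CATEGORY_KEYWORDS = [
    ("Talks & Training", ("talk", "training", "speaker", "slides")),
    ("Spam", ("shady rat", "free download")),
    ("Vegas/Parties/Social", ("vegas baby", "party", "drinks")),
    ("Bluehat Prize", ("bluehat",)),
    ("Recruitment", ("hiring", "recruit")),
    ("anonymous,antisec,lulzsec", ("anonymous", "antisec", "lulzsec")),
]
STOPWORDS = {"the", "a", "an", "and", "at", "for", "of", "to", "is", "in", "on", "so", "far", "this", "i", "we", "our", "was"}

def categorise(text):
    t = text.lower()
    for name, keywords in CATEGORY_KEYWORDS:
        if any(k in t for k in keywords):
            return name
    return "Misc"

def group_counts(tweets):
    return Counter(categorise(t["text"]) for t in tweets)
def top_tweeters(tweets, n=10):
    return Counter(t["user"] for t in tweets).most_common(n)
def top_clients(tweets, n=5):
    return Counter(t["source"] for t in tweets).most_common(n)

def top_words(tweets, category="Talks & Training", n=10):
    words = Counter()
    for t in tweets:
        if categorise(t["text"]) != category:
            continue
        cleaned = re.sub(r"https?://\S+|[@#]\w+", " ", t["text"].lower())  # drop URLs, @mentions, #hashtags
        words.update(w for w in re.findall(r"[a-z0-9']+", cleaned) if w not in STOPWORDS)
    return words.most_common(n)
```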

You should follow me on twitter: here

* We made use of the python twitter module. You can download a python pickle object here, which is a dictionary of all the tweets snagged.

Monday, July 18, 2011

ShoulderPad Slashdotted! (and two clarifications)

(because we can't have enough posts with exclamation marks in them)

Our previous post (and research) seemed to go by pretty silently initially, and then suddenly it was everywhere. Andy Greenberg wrote a piece over at Forbes which really does deserve special mention. Tech journalists so often sensationalize security stories that many security researchers are quite afraid to even talk to them. I certainly was, but his piece was fair, balanced and covered all the interesting points. +1 to him.

The Forbes post was copied almost verbatim by a ton of other "news" sites on the 'net, but we beamed with some measure of geek pride at making the front page of Slashdot (and for featuring on the front page of Hacker News, The Unofficial Apple Weblog and HackADay).

Two Clarifications:
  1. A surprising number of people reacted to the work (on Slashdot or other forums) with: "FAKE! The iPad keyboard is not black!". One thread even went into detail about how this meant the video was doctored (while others opined that the keyboard was on a non-standard, jailbroken iPad and therefore invalid). The video was taken on a standard iOS 5 iPad and the keyboard is exactly the same as on the 4.X iPad (once complex passwords have been enabled).
  2. The folks at Politecnico di Milano did some previous work in this field, using computer vision to detect keyboards (on mobile devices) which magnify the letters on key-press. Their excellent paper covers their technique and impressive results. (One of the authors commented on several sites that covered the ShoulderPad post about their version working "without needing blue color detection", and also made the mistake of initially assuming our keyboard was non-standard. Their attack targeted the normal keyboard whilst mine aimed at the password keyboard.)
I've published a few papers and done a few talks, so it's slightly strange for a weekend bit of hackery to have hit such headlines (but it was fun seeing it all over the tubes at any rate).
Monday, July 11, 2011

On-screen Keyboards Considered Harmful

(aka: Shoulder Surfing: There's an App for that!)

We rarely talk about it these days, but shoulder surfing is a pretty old (but reliable) attack. This is why most password prompts are masked. Many modern mobiles (and tablets) however will highlight keys pressed on the keyboard making old style shoulder surfing attacks trivial (and reasonably automatable) again.

In an effort to (help) bring back the '90s, we decided to do some fiddling and built a quick app (on top of the awesome OpenCV framework) to automate shoulder surfing against iPads.
(You can read more about it [here], download a short pdf on it [here] or just watch the youtube video below (but we think the pdf is more fun!))

There are a few more videos (available after the break)

Thursday, June 30, 2011

Simple Graphs with Arbor.js

We recently released a tool at http://cc.thinkst.com to capture and collect infosec conference details. We commented on it [here]. One of the cooler components of it is the ability to view the relationships between speakers/researchers who have collaborated. This post is a quick introduction to the library we used to build our graphs, with enough info to get you up and running in minutes.

Sunday, June 19, 2011

ThinkstScapes (Quarter One Recap)

In February this year we launched ThinkstScapes as a Security Intelligence subscription service. It was originally aimed chiefly at adding context & clarity to newly published research and conference proceedings. The subscription also catered for periodic updates and commentary via "Ad Hoc" updates. We just wrapped Quarter-1, so figured a quick round-up of Q1 would make sense.

Interestingly, the Ad Hoc updates turned out to be quite popular with customers (forcing us to pay far more attention to them) and in 3 months we ended up distributing four of them. Our next Ad Hoc is currently in the oven, so should be hitting customer inboxes soon.
Subscribers so far have received:
  • HBGary, Anonymous & Lessons for the Rest of Us
  • PWN2OWN - What it Means to You
  • ComodoGate, SSL & Iran
  • Verizon DBIR-2011 & You
  • Quarter-1: Research & Conference Round Up

It's been well received (and at just $8k per year we think it's awesome value). If you are interested in the service, drop me an email (haroon@thinkst.com) and I'll send through some of the previous issues.

Thursday, June 9, 2011

Cyberwar, Stuxnet and people in Glass Houses

I wrote a piece for Al Jazeera on cyber-war, asymmetry and the recent news around possible military reprisal for cyber attacks. You can read the full piece [online here.]
home | blog | contact us | Copyright 2011 - thinkst.com