The Federal Bureau of Investigation (FBI) has issued a code cracking challenge today. This was in response to a similar challenge the FBI issued last year, which proved to be hugely popular with many thousands responding to the crypto challenge.

The FBI Code Cracking Challenge

FBI

The FBI embedded the above code as a flash file. The code for all you cryptanalysts

VFWTDLCSWV. YD NSLMIJFWEJFD GSW SL NIJNQBLM FOBV EJFDVF DLNIGTFBSL.KBVBF YYY.AHB.MSK/NSCDC.OFZ FS EDF WV QLSY SA GSWI VWNNDVV.

More resources to solve this challenge

2008 FBI Code Cracking Challenge: http://www.fbi.gov/page2/dec08/code_122908.html

2007 FBI Code Cracking Challenge: http://www.fbi.gov/page2/nov07/code112107.html

Analysis of Criminal Codes and Ciphers: http://www.fbi.gov/hq/lab/fsc/backissu/jan2000/olson.htm

Spoiler Alert: How to solve the 2008 FBI Crypto challenge

** try to solve this before scrolling down **

Solving FBI 2008 Crypto Challenge

1. An easy giveaway was the 5th line from the crypto picture embedded above

YYY.AHB.MSK/NSCDC.OFZ

substituting www for yyy. Another hint it is likely they were pointing to fbi.gov. So far we have

Y – W

A – F

H – B

B – I

M – G

S – O

K – V

2. Substituting in the word before that URL. For KBVBF, we can deduct it is VISIT

3. Next word to guess is FOBV in the 3rd line. Substituting we can deduct is is THIS

4. Next word is YD on the first line. The only alphabet that made sense there is E. So we have D – E

5. Next, I would try to start solving any 2, 3, 4 alphabet groupings.

Following is a screenshot of my whiteboard. The numbers on the left to each word represented the order in which i tackled the words

My Whiteboard

Once you solve and substitute the cipher comes out as

Stupendous. We congratulate you on cracking this latest encryption. Visit www.fbi.gov/coded.htm to let us know of your success.

Visiting the URL above gives us this

Congratulations, you did it! Thanks for participating, and happy holidays.

Congratulations!

I think I came across one of the best strong password generators on the Internet at Password Chart. Picking a strong password is very important. A strong and secure password should go beyond just a simple number such as passw0rd where you replace the o with a zero(0) or a special character in the end such as password!. However, when you have to go picking numbers, special characters for a strong password of more than 7 characters, it can become hard to remember such a strong password.

For using the password chart, enter any common phrase you might use or known to you. For example, I used the phrase “the ipod rocks“. Now, using this phrase, the password chart generates a chart for you. If you are online, you can enter a password you wish to convert using this chart. You can enter a simple word or words here. For example, I used the word “zune” as a password I wished to convert to generate a strong password. I end up with a strong password of “%^Ed8u63G“. Once you generate a password chart, you can also print it out and use it for generating other strong passwords without the need to access the internet.

Click here to access Password Chart and generate a strong password

Technical Information. How the Password Chart Generator works

1. An MD5 hash of the chart selection phrase is performed and the first 4 bytes of the hash is used as a random number seed to a Mersenne Twister pseudo-random number generator.
2. The password chart is then filled using sequences of 1 to 3 random upper and lower case letters and optionally numbers and punctuation by grabbing successive numbers generated from the Twister. The reason for the random sequence length is to make reversing the substitution cipher a bit harder.
3. The alphanumeric characters in the password is then converted using the chart.

The Enigma was a rotor machine used by the German Military during WW II to encrypt messages they sent to each other. It was invented by German Engineer Arthur Scherbius in 1923. The Enigma Code Machine consisted of a plugboard, three rotors and a reflector which redirected the electrical current. Each letter entered by a keyboard was matched by an encrypted letter by closing an electrical circuit which was reconfigured after each entry.

We need to use secure passwords for our everyday computing. So how about using the Enigma Code Machine to generate secure passwords for us. Dr. Frank Spiess helps us out here with a very good flash Enigma Code Machine.

A brief example: Open the machine window, click on the “Input:” textbox and enter “c” on the keyboard. The plugboard leaves C as C while highlighting the specific wire in red. The electrical current then moves to the rightmost rotor, that is, to its letter A. A is then connected to B. The current enters the middle rotor, that connects G with R. The third (leftmost) rotor maps V to I. In the next step, the reflecor maps B to R. Then the current moves way back along the green wires through the rotors back to the plugboard, where Q leads to Q. As a result, we have the encryption of C to Q. If you now enter “c” again, you see that in this case it yields G! This is because the rightmost rotor moves one step to the left before a letter is entered.

So, click here to access the Flash Enigma Code machine built by Dr.Frank Spiess

In my example of a secure password, I enter a simple plain text of “securityblog”. This plain text is converted to a cipher text by the Enigma Code Machine resulting in a secure password of “BMGNHOIPWRNB”

I admit that there are limitations to using the Enigma Code Machine for generating secure passwords. For starters, you don’t have numbers and special characters as part of your final secure password. This I believe could be improved… but again, this is the limitation of the Enigma Code Machine.

Defense-in-depth is fundamental to the design of a secure system. It stems from the idea that software can have flaws; people can make configuration mistakes; and hardware devices can fail. To compensate for events like these, we do not want to rely on a single mechanism to defend our resources. Instead, we deploy multiple layers of protection to account for the possibility that one of them may fail.

Let us apply this concept of defense in depth for securing your home network.

1. Router: You probably have a router(maybe wireless) connected to your cable or DSL modem. The router acts as a firewall protecting you from direct malicious attacks originating from the internet.

2. Anti-virus: Now, while the router acting as a firewall can help you against internet attacks, it cannot protect you against say an email based computer virus or a worm that got downloaded when you visited a malicious web site. An Anti-virus software with the latest signature updates, can protect you from such an attack.

3. Fully patched operating system: A virus probably needs access to some Windows service or a port. A fully patched operating system can add an additional layer of security.

4. Patched applications: More and more malicious worms/viruses are making use of un-patched applications such as Adobe Acrobat, Flash, Apple QuickTime and mostly targeting the web browser. It is very important to update the software running on your machine to provide this later of defense.

All the systems above provide individual security but combine together to provide defense in depth. Not relying on a single security mechanism is the core foundation od defense-in-depth.

You can read more about Defense-in-Depth at Wikipedia

http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)

Protecting yourself is very challenging in the hostile environment of the internet. Imagine a global environment where an unscrupulous person from the other side of the planet can probe your computer for weaknesses, and exploit them to gain access to your most sensitive secrets.

They can even use your computer to store data like stolen credit-card numbers or child pornography, or to attack another innocent home user or business from your system.

Here’s Kevin Mitnick’s Top 10 list of steps you should take to protect your information and your computing resources from the bad boys and girls of cyberspace.

#1. Back up everything! You are not invulnerable. Catastrophic data loss can happen to you — one worm or Trojan is all it takes.

#2. Choose passwords that are reasonably hard to guess — don’t just append a few numbers to a no-brainer. Always change default passwords.

#3. Use an antivirus product like AVG or Norton, and set it to update daily.

#4. Update your OS religiously and be vigilant in applying all security patches released by the software manufacturer.

#5. Avoid hacker-bait apps like Internet Explorer and disable automatic scripting on your e-mail client.

#6. Use encryption software like PGP (pretty good privacy) when sending sensitive e-mail. You can also use it to protect your entire hard drive.

#7. Install a spyware detection app — or even several. Programs that can be set to run frequently, like SpyCop, are ideal.

#8. Use a personal firewall. Configure it to prevent other computers, networks and sites from connecting to you, and specify which programs are allowed to connect to the net automatically.

#9. Disable any system services you’re not using, especially apps that could give others remote access to your computer (like Remote Desktop, RealVNC and NetBIOS).

#10. Secure your wireless networks. At home, enable WPA (Wi-Fi protected access) with a password of at least 20 characters. Configure your laptop to connect in Infrastructure mode only, and don’t add networks unless they use WPA.

Hackers are becoming more sophisticated in conjuring up new ways to hijack your system by exploiting technical vulnerabilities or human nature. Don’t become the next victim of unscrupulous cyberspace intruders.