Posted on October 14th, 2010 by dinisc
Here is a question to the Crypto experts (which I’m not).
From a security point of view, is it ok if I publish both Public and Private PGP Keys but keep the PassPhrase secret?
My assumption is that: “as long as the PassPhrase is strong enough, it would not be practical to brute force it (even if the attacker knows the Private Key)”. In fact, should the question be: “How big does the PassPhrase need to be in the 2010/2011 time frame for it to be secure?”
To see this in practice check out the latest script/tool that I just added to the OWASP O2 Platform which dramatically simplifies the process of using PGP (creating keys, encrypting/decrypting text and encrypting/decrypting files):
As you can see, this O2 tool will really enable this workflow (sending both the Public and Private Keys to the client in a non-encrypted zip and then sending the PassPhrase via an offline/out-of-band method), so I’m really trying to figure out if this is a good idea.
Finally, for the really hard-core crypto guys, can you take a look at how I implemented the BouncyCastle Crypto APIs to make sure I did it correctly: http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs
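The passphrase-size question above depends on how much hashing each guess costs. The following is an added example, not code from the post or from the O2 Platform: it assumes the exported private key is protected with the RFC 4880 iterated-and-salted S2K (check what your key actually uses), and the hash throughput figure is an assumed number, not a measurement.

```python
import hashlib

def decode_count(coded: int) -> int:
    """RFC 4880 section 3.7.1.3: coded count octet -> octets fed to the hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive the symmetric key that encrypts the secret key material."""
    data = salt + passphrase
    count = max(decode_count(coded), len(data))  # data is always hashed at least once
    full, rem = divmod(count, len(data))
    key, ctx = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)      # extra contexts are preloaded with zero octets
        for _ in range(full):
            h.update(data)
        h.update(data[:rem])
        key += h.digest()
        ctx += 1
    return key[:key_len]

def avg_seconds_to_guess(entropy_bits: float, coded: int,
                         hash_bytes_per_sec: float) -> float:
    """Expected time to hit a passphrase drawn uniformly from 2**entropy_bits."""
    guesses_per_sec = hash_bytes_per_sec / decode_count(coded)
    return 2 ** (entropy_bits - 1) / guesses_per_sec

if __name__ == "__main__":
    RATE = 1e9  # assumed attacker throughput in hashed bytes/second, not a measurement
    YEAR = 365.25 * 86400
    # Constructed sample passphrase and salt, for illustration only.
    key = s2k_iterated_salted(b"constructed passphrase", b"\x01" * 8, 96, 16)
    print("derived key:", key.hex())
    for coded in (96, 255):
        for bits in (40, 60, 80):
            years = avg_seconds_to_guess(bits, coded, RATE) / YEAR
            print(f"count={decode_count(coded):>9} entropy={bits} bits -> {years:.3g} years")
```

Once the private key file is public, the passphrase entropy and the S2K count are the only things between an attacker and the key, and raising the count buys far less than adding entropy to the passphrase.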
Posted on October 5th, 2010 by dinisc
Hi SecuriTeam crowd. After much soft-pressure from Brian, I’m finally putting on my ‘SecuriTeam Blogger Hat’ and hopefully this will be the first of many WebAppSec and O2 Platform related posts.
For my first post I chose the latest script that I just added to the OWASP O2 Platform (http://o2platform) which is called “Tool – Find Physical Location via MAC Address (using Google’s APIs).h2” and does exactly that. It will show your current location using your current wireless router’s MAC address (or the location of a provided MAC address).
This is based on the research done by Samy in his “How I Met Your Girlfriend” presentation (currently on an OWASP EU Tour presenting it) and it is a good example of the O2 Platform’s powerful dynamic scripting environment (I wrote that PoC in a couple of hours).
For more details on how this works see
I think that the fact that Google exposes this information is a big deal, and I personally (as a consumer with exposed data) am not happy at all with it. But my personal feelings don’t really matter here, the question I think we should try to answer is: ‘How big is this problem?’
Basically, since MAC addresses are now a valuable asset, let’s go “Phishing for MACs” and figure out all the ways we can calculate/map/find them.
On the O2 script above I used “arp -a” to get the local wireless router, Samy used an XSS on the router, so what other ways are there to find a router’s MAC address?
I wonder if we can Brute Force Google’s Location Services database and get a mapping of ALL “MAC addresses+Locations” that they have currently stored.