« July 2008 | Main | September 2008 »

August 2008

08/22/2008

Google Tech Talk: Cryptography without all the scary math

This has been up for a couple of weeks (it's taken me that long to find an hour to watch), but it's definitely worth passing along. It's a talk given at Google by Harvard Professor Dr. Christopher Thorpe on cryptography titled "Efficient, Secrecy-Preserving, Provably Correct Computation (and Some Cool Applications). It goes beyond some of the very basic crypto that most of us understand into interesting and much more recent ideas.

What makes this video remarkable isn't the crypto he's discussing, it's that he makes it accessible to someone who has forgotten most of their math (such as me). In fact, an attentive viewer with little more than a high-school algebra education can follow most of it.

 

 

Posted at 06:05 PM in Privacy, Security | | Comments (1) | TrackBack (0)

|

Chinese ISP suffers DNS poisoning

Following the AT&T DNS poisoning late last month, one of China's largest ISPs, China Netcom, has suffered a similar setback. In the past, Chinese companies have had little trouble with information security as their domestic hackers primarily target foreign servers. This is starting to change, however, and China is going to have a huge problem trying to both maintain security and continue the fast pace of growth.

From ZDNet Blogs:

The DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits.

According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer,  Adobe Flash Player and Microsoft Snapshot Viewer. [From ZDNet: Websense reports China Netcom DNS cache poisoning]

Posted at 08:30 AM in News, Security, Systems | | Comments (0) | TrackBack (0)

|

Nigerian commissioner considers 419 victims criminals

This is especially interesting after attending an IC3 talk on Tuesday morning on the various common types of online fraud. It's true that most of the victims of these scams are complicit in the get-rich-quick schemes, but barring the ones who commit criminal acts such as money laundering or forwarding shipments to Nigeria, it would be difficult to classify them as criminal.

From the Sydney Morning Herald:

THE Nigerian high commissioner says people who are ripped off by so-called Nigerian scams are just as guilty as the fraudsters and should be jailed.

*  *  *
"People who send their money are as guilty as those who are asking them to send the money," he said. [From smh.com.au: Jail the 'greedy' scam victims, says Nigerian diplomat]

Posted at 08:05 AM in Culture, News, Security | | Comments (0) | TrackBack (0)

|

New type of cyptographic attack announced

This certainly has potential to be huge, but it's still too early to tell. If the technique can be directly applied against the common ciphers listed below, then it could render these ciphers completely impotent against a dedicated attacker.

From ComputerWorld:

Adi Shamir, who is the S in RSA, has presented material at the Crypto 2008 conference that has promised a new form of mathematical attack against a broad range of cryptographic ciphers, including hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES). The new method of cryptanalysis has been called a "cube attack" and formed part of Shamir's invited presentation at Crypto 2008 - "How to solve it: New Techniques in Algebraic Cryptanalysis".
* * *
Without access to the paper (expected to be published later this year), the full scope of the discovery can't be easily determined. It may be that it delivers an order of magnitude improvement over existing methods, but implementation will still take such a long period of time that it is effectively impractical for attack against time sensitive content. Then again, it may be that it has brought it into a viable timeframe, something that can be achieved with a handful of modern machines - nothing that is too far out of reach of the motivated and resourced attacker. [From Computerworld - New attack against multiple encryption functions]

Posted at 07:28 AM in News, Privacy, Security | | Comments (0) | TrackBack (0)

|

08/17/2008

Turkish hacker tortured in reprisal for cooperating with authorities

The stakes have been raised in the battle against online crime. A Turkish hacker who was working with authorities was captured, tortured, and released in reprisal for his cooperation.

From Wired Blogs:

A Turkish computer hacker who was helping that country's media and national police investigate computer crimes was kidnapped and tortured by a notorious ATM hacker, according to a report from the Turkish press.

The victim, known online as "Kier," had been leaking information to Turkish reporters about an underground figure called Cha0, when he briefly disappeared. He resurfaced in May, and described being abducted and beaten by Cha0 and his henchmen. [From Wired Blogs: Hacker Reportedly Kidnaps and Tortures Informant, Posts Picture as a Warning to Others]

 

Posted at 09:02 PM in News, Security | | Comments (0) | TrackBack (0)

|

New Windows vulnerability spotted in the wild

A Windows new remote-code execution vulnerability has been spotted in the wild. A proof-of-concept demonstration is available here.

From CyberInsecure:

a new public zero-day Windows vulnerability is being exploited in the wild. Microsoft Windows is prone to a remote code-execution vulnerability due to an unspecified error in 'NSlookup.exe'. Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

According to the alert, the issue is being actively exploited in the wild but details on the attacks are currently unavailable. At this moment there are no workarounds or vendor-supplied patches [From CyberInsecure:Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild]

Posted at 08:24 PM in News, Security, Software, Systems | | Comments (0) | TrackBack (0)

|

Apple users targeted by phishing scams

It looks like glitches in Apple's MobileME rollout and the accompanying user frustration have created opportunities for phishing scams. I think Apple has already burned through their security goodwill. It's time for the company to step up and start dealing with the rapidly emerging threat that targets its customers.

From The Register:

Data obtained by CardCops, a credit card protection service owned by the Affinion Group, shows sensitive information belonging to several hundred people with Mac.com email addresses being traded in underground forums frequented by identity thieves. The details include social security numbers, birth dates, mothers' maiden names, credit card numbers and other sensitive information.

The graphic to the right, which has been edited to remove personally identifying details, shows some of the data that's been available.

The information was phished using emails that began circulating around the same time Apple began its ill-fated transition from Mac.com to Me.com. The scams bore subjects such as "Billing problem." Following the link as recently as Tuesday while using Apple's Safari browser, we were taken to an authentic-looking page purporting to belong to Apple. It asked users to reinstate their accounts by entering a dizzying array of personal details. (Interestingly, while Internet Explorer warned us the page was a scam, neither Safari nor Firefox flagged it.) [From The Register: Apple faithful snared in phishing scam targeting Mac.com users]

Posted at 08:09 PM in News, Security, Systems | | Comments (0) | TrackBack (0)

|

NSA Singalong

This is a couple of years old, but I just saw it for the first time and got a good laugh about it.



Replay video | Share video | Watch more videos

Posted at 07:42 PM in Culture | | Comments (0) | TrackBack (0)

|

08/14/2008

Free and Open Source Nessus replacement released

The OpenVAS project, a free and open source replacement for Nessus, announced its first stable release yesterday afternoon. This release includes server installation packages for OpenSUSE, Fedora, Mandrake, Gentoo, and FreeBSD. A client only package is available for Windows.

Nessus, one of the standards in vulnerability scanners, was an open source project until a couple of years ago. This project is a fork from the last open version.

From Full Disclosure:

The OpenVAS project is proud to announce the release of the first stable
version of the "Open Vulnerability Assessment System". OpenVAS is a fork of
the Nessus security scanner; while Nessus switched to a proprietary license,
OpenVAS will continue to improve the scanner and will provide all components
as Free Software.{From FullDisclosure: OpenVAS Stable Release]

Posted at 10:02 PM in News, Security, Software | | Comments (0) | TrackBack (0)

|

All Airforce Cyber Command activity suspended

According to Wired, the Airforce has stopped work on "Cyber Command" just prior to being declared operational. The new command was controversial, since it was a unilateral move by the Airforce to snap cyberspace into their portfolio.

From Wired's defense blog:

The Air Force is about to suspend its controversial effort to reorganize its forces to "dominate" cyberspace. The provisional, 8,000-man Cyber Command has been ordered to stop all activities, just weeks before it was supposed to be declared operational.

"Transfers of manpower and resources, including activation and reassignment of units, shall be halted," according to an internal e-mail obtained by Nextgov's Bob Brewin -- and confirmed by Air Force sources. Instead, the Air Force's new leadership -- including incoming Chief of Staff Norton Schwartz -- will be given time to rethink how big the command will be, and what exactly it will do. [From Wired.com: Airforce Suspends Controversial Cyber Command]

Posted at 09:43 PM in News, Security | | Comments (0) | TrackBack (0)

|

Next »