The Electronic Frontier Foundation (EFF) has a new tool called Panopticlick that examines your browser configuration (or at least what it announces about itself) and compares it against its database to determine how unique your presence is. It turns out that significant identifying information is available even with IP obfuscation and cookies disabled; private browsing doesn't quite cut it ...
Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies.
Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web.[from panopticlick.eff.org]
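As an added illustration (not EFF's Panopticlick code) of how a uniqueness score of this kind is derived: each announced attribute carries -log2(p) bits of identifying information, where p is the share of a reference population with that value, and the joint fingerprint is scored the same way. The population, field names and values below are constructed for the example.

```javascript
// Added example, not EFF's Panopticlick code: how a browser "uniqueness score"
// can be derived from the attributes a browser announces. An attribute value
// seen in a fraction p of a reference population carries -log2(p) bits of
// identifying information; the whole fingerprint is scored the same way.
// The population below is constructed for illustration and includes the visitor.

const FIELDS = ["userAgent", "timezone", "screen", "plugins"];

// Constructed reference population of 8 recorded browsers (not real data).
const POPULATION = [
  { userAgent: "Firefox/3.5", timezone: "-480", screen: "1280x800x24",  plugins: "Flash 10" },
  { userAgent: "Firefox/3.5", timezone: "-480", screen: "1280x800x24",  plugins: "Flash 10" },
  { userAgent: "Firefox/3.5", timezone: "-300", screen: "1440x900x24",  plugins: "Flash 10,Java 6" },
  { userAgent: "MSIE 8.0",    timezone: "-300", screen: "1024x768x32",  plugins: "Flash 10" },
  { userAgent: "MSIE 8.0",    timezone: "-300", screen: "1024x768x32",  plugins: "" },
  { userAgent: "Safari/4.0",  timezone: "-480", screen: "1440x900x24",  plugins: "QuickTime" },
  { userAgent: "Chrome/4.0",  timezone: "0",    screen: "1920x1080x24", plugins: "Flash 10" },
  { userAgent: "Chrome/4.0",  timezone: "0",    screen: "1920x1080x24", plugins: "Flash 10" },
];

// Bits of identifying information in observing `value` for `field`.
// Infinity means the value never appears in the population (not yet recorded).
function surprisal(population, field, value) {
  const matches = population.filter(b => b[field] === value).length;
  return matches === 0 ? Infinity : -Math.log2(matches / population.length);
}

// The fingerprint is simply the announced attributes joined in a fixed order.
function fingerprint(browser) {
  return FIELDS.map(f => browser[f]).join("|");
}

// Per-attribute bits, their naive sum (which assumes independence), and the bits
// of the joint fingerprint, which is what decides how many browsers match.
function uniquenessReport(population, browser) {
  const perField = {};
  let naiveSum = 0;
  for (const f of FIELDS) {
    perField[f] = surprisal(population, f, browser[f]);
    naiveSum += perField[f];
  }
  const fps = population.map(b => ({ fp: fingerprint(b) }));
  const fingerprintBits = surprisal(fps, "fp", fingerprint(browser));
  const matching = fps.filter(b => b.fp === fingerprint(browser)).length;
  return { perField, naiveSum, fingerprintBits, matching, unique: matching === 1 };
}

// Example: score the first recorded browser against the population.
console.log(uniquenessReport(POPULATION, POPULATION[0]));
```

Attributes are correlated in practice (user agent and plugin list rarely vary independently), so the naive sum overstates the bits; the joint fingerprint count is the figure to trust.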
In case you didn't catch Clinton's address on cybersecurity last night, I'm embedding it here:
Generally, she's saying the right things -- an open and uncensored Internet is a tremendous force for good in the world. She should also be addressing net neutrality in this context, but I can understand that she didn't want to broaden her scope too much.
Then, a couple of minutes in, she says this:
Now, all societies recognize that free expression has its limits. We do not tolerate those who incite others to violence, such as the agents of al-Qaida who are, at this moment, using the internet to promote the mass murder of innocent people across the world. And hate speech that targets individuals on the basis of their race, religion, ethnicity, gender, or sexual orientation is reprehensible. It is an unfortunate fact that these issues are both growing challenges that the international community must confront together. And we must also grapple with the issue of anonymous speech. Those who use the internet to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities. But these challenges must not become an excuse for governments to systematically violate the rights and privacy of those who use the internet for peaceful political purposes.[Full text of the speech here]
So, privacy, anonymity, and an open economy of ideas are good except when our enemies have them? Despite all of the rhetoric to the contrary, I don't think she really wants a free Internet. She just wants an Internet that promotes US best interests.
Considering some of the electronic surveillance actions our government took after 9/11, admonishing China is a little bit of the pot calling the kettle black. I was hoping that we'd also take this opportunity to embrace these ideas domestically as well as promoting them overseas.
Embracing a free exchange of information means embracing the exchange of dangerous and radical ideas along with the popular and prosperous ones. You cannot selectively grant privacy and anonymity -- either you support it or you don't.
The second, a static code analyzer called CAT.NET, is an extraordinary tool. If used with some discipline, it can virtually eliminate XSS and SQL injection vulnerabilities in managed code.
Today, we’re very excited to announce the availability of our next version of the Anti-Cross Site Scripting Library (Anti-XSS) v3 BETA as well as Code Analysis Tool .NET (CAT.NET) v1 CTP. Anti-XSS v3 BETA includes performance improvements, localization enhancement as well as a Security Runtime Engine (SRE) that uses an HTTP module to provide a level of protection against XSS for your application without the need to rebuild your code. CAT.NET v1 CTP is a binary analysis tool that can be used by developers to identify some common vulnerabilities that can lead to attack vectors such as XSS, SQL Injection and XPath Injection in your code. [From Announcing CAT.NET CTP and AntiXSS v3 beta]
If you're working in any .NET language on the web, including non-Microsoft languages, you should check CAT.NET out.
I haven't been publishing very much for the last month or so. Simply put, I've been spending that time writing constantly during the day documenting everything I could think of before starting a new job. Well, last Friday I turned over a massive and hopefully complete set of documentation at the University of Washington.
Today I began a new job as a Security Advisor at Microsoft. At this point, I'm not sure what that means about my ability to blog about Microsoft, but I will do my best to include full disclosure whenever necessary.
At the very least, I should be able to look at a keyboard again without flinching; it should mean I have more effort to put towards the blog.
SAN FRANCISCO: NASA confirmed that a computer virus sneaked aboard the International Space Station only to be tossed into quarantine on July 25 by security software.
A "worm type" virus was found on laptop computers that astronauts use to send and receive email from the station by relaying messages through a mission control center in Texas, according to NASA spokesman Kelly Humphries on Wednesday. [From Computer virus goes into orbit | Hacking Truths]
The trojan is also referred to as the kavo.exe virus and is designed to gather information on ten online games:
ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver
Following the AT&T DNS poisoning late last month, one of China's largest ISPs, China Netcom, has suffered a similar setback. In the past, Chinese companies have had little trouble with information security as their domestic hackers primarily target foreign servers. This is starting to change, however, and China is going to have a huge problem trying to both maintain security and continue the fast pace of growth.
The DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. [From ZDNet: Websense reports China Netcom DNS cache poisoning]
This is especially interesting after attending an IC3 talk on Tuesday morning on the various common types of online fraud. It's true that most of the victims of these scams are complicit in the get-rich-quick schemes, but barring the ones who commit criminal acts such as money laundering or forwarding shipments to Nigeria, it would be difficult to classify them as criminal.
This certainly has potential to be huge, but it's still too early to tell. If the technique can be directly applied against the common ciphers listed below, then it could render these ciphers completely impotent against a dedicated attacker.
Adi Shamir, who is the S in RSA, has presented material at the Crypto 2008 conference that has promised a new form of mathematical attack against a broad range of cryptographic ciphers, including hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES). The new method of cryptanalysis has been called a "cube attack" and formed part of Shamir's invited presentation at Crypto 2008 - "How to solve it: New Techniques in Algebraic Cryptanalysis".
* * *
Without access to the paper (expected to be published later this year), the full scope of the discovery can't be easily determined. It may be that it delivers an order of magnitude improvement over existing methods, but implementation will still take such a long period of time that it is effectively impractical for attack against time sensitive content. Then again, it may be that it has brought it into a viable timeframe, something that can be achieved with a handful of modern machines - nothing that is too far out of reach of the motivated and resourced attacker. [From Computerworld - New attack against multiple encryption functions]
The stakes have been raised in the battle against online crime. A Turkish hacker who was working with authorities was captured, tortured, and released in reprisal for his cooperation.
A Turkish computer hacker who was helping that country's media and national police investigate computer crimes was kidnapped and tortured by a notorious ATM hacker, according to a report from the Turkish press.