Thursday, 25 February 2010 04:18
Akuma
On Tuesday, Comcast announced a public trial that any Comcast cable Internet access user can participate in. A year from now, DNSSEC validation will be rolled out throughout all of Comcast's DNS resolvers. Comcast will also be signing all of the domains it hosts, including comcast.com, comcast.net, and xfinity.com.
The DNSSEC extensions to the DNS protocol make it possible for a validating server or a validating host to determine whether information in the Domain Name System is legitimate or not, the same way that it's possible to determine whether a signed e-mail message did indeed come from the holder of the e-mail address. In the past, it was trivial to inject fake information in DNS servers.
Wednesday, 24 February 2010 05:20
Akuma
VeriSign, a prominent vendor of SSL certificates, has announced a new validation service for websites. Companies that sign up for the service will undergo a corporate background check and have their websites scrutinized by VeriSign. Websites that meet with VeriSign's standards will be entitled to post the company's Trust Seal insignia.
VeriSign already offers a similar service to some of its SSL customers. The new service is intended for website operators that offer commercial products and services, but don't need an SSL certificate because they rely on third-parties for processing transactions and performing other activities that require encryption.
The company says that it will conduct daily malware scans of the websites that bear the Trust Seal in order to ensure that they remain trustworthy after the initial examination. According to VeriSign, the $299 per year Trust Seal service will help websites boost traffic and increase customer loyalty. The company claims that the existing SSL variant of its Trust Seal service has generated an average traffic increase of 24 percent for its customers.
Although trust seals might give a warm fuzzy feeling to regular end users, there is little evidence that such validation programs actually guarantee security or trustworthiness. A researcher published a study in 2006 revealing that websites validated by TRUSTe were actually "more than twice as likely to be untrustworthy" compared to unvalidated sites.
The researcher speculated that private validation organizations were reluctant to sacrifice revenue by revoking validations, even in the most egregious cases of abuse. There is also the risk that untrustworthy sites will convey a false sense of legitimacy by displaying a forged seal.
The automated daily scanning that is included in VeriSign's service could give it a leg up in security over some of the alternatives.
Monday, 22 February 2010 07:57
Akuma
The furor over the Harriton High School webcam spying caper continues to grow. The Federal Bureau of Investigation is now investigating whether the school broke any federal wiretap laws when it remotely spied on a student at home, an anonymous official told the Associated Press. A federal grand jury has also subpoenaed the school for records related to the so-called "security" measures implemented on the laptops that allowed officials to activate the webcams to see people using them, according to the Philadelphia Inquirer.
The Lower Merion School District (LMSD) has also started talking to the press about the incident. Spokesman Doug Young told the AP that the school had activated the webcams on the school-issued laptops 42 times over the last year or so, but never to spy on the students. LMSD had said on Friday—when it decided to indefinitely suspend the practice—that the feature was there solely for security purposes in order to locate lost or stolen laptops.
Wednesday, 17 February 2010 04:12
Akuma
The Electronic Privacy Information Center (EPIC), a privacy watchdog and public interest research group, is calling foul on Buzz, Google's recently launched social networking service. The group has filed a complaint with the FTC outlining several major grievances.
Shortly after Google launched Buzz last week, a number of users expressed dismay over the service's loose handling of user privacy. It automatically makes the user's Gmail address book into a public Buzz contact list, a move that is of questionable value to users and subjects some to the risk of exposing sensitive information to the wrong people.
Monday, 15 February 2010 04:06
Akuma
When it comes to cybersecurity, the Obama administration is taking the same approach to the policies of the Bush administration as it has in so many other areas: there are differences, but they're mainly matters of subtle emphasis and focus. Take the Trusted Internet Connection initiative, which the Bush administration launched in late 2007, and which is aimed at securing the government's network infrastructure by routing all of its network traffic through a smaller number of access points.
The original goals of the TIC program were to establish a baseline set of security practices for government systems that access the Internet, to consolidate all federal Internet access points into about 50 officially certified TICs, and to put in place an audit process to ensure that all government agencies stay in compliance with the program. Of these three goals, it was the network consolidation piece—the entire federal government accessing the Internet through only 50 connections total—that grabbed headlines and caused the most push-back from federal agencies. It's this part that the Obama admin has eased up on, but only a bit.
Friday, 12 February 2010 06:31
Akuma
Security researcher Christopher Tarnovsky has successfully subverted an Infineon SLE 66 microcontroller—a hardware component that implements the Trusted Platform Module (TPM) specification. His method of attack, which requires physical access to the hardware, was presented at the Black Hat conference.
TPM chips can be used for a variety of purposes, but are principally employed for data encryption or DRM. Infineon is a well-known TPM manufacturer whose components are shipped in mainstream computing and consumer electronics products including the Xbox 360 and many modern Apple computers. The basic concept behind a TPM is that it has "write-only" memory. A cryptographic key is baked into the chip when it is manufactured. This key can be used to decrypt data, but is only accessible to the chip itself and can't be read.
Infineon integrates relatively sophisticated security mechanisms into the hardware in order to repel a wide range of conceivable physical attacks, thus preventing a third party from reading the embedded key. The SLE 66 is designed to protect against EM snooping, various kinds of side channel attacks, and pretty much any other conventional approach that you can think of.
In order to circumvent the SLE 66's security, Tarnovsky used an electron microscope and needles. After nine months of intricate work, he managed to pull out the "write-only" data. He says that he has reported his findings to Infineon and the Trusted Computing Group, the organization that devised the TPM standard.
Wednesday, 10 February 2010 11:08
Akuma
Botnets, or networks of zombie computers that mount attacks with malicious software against other computers, continue to be a moving target for network protection services. A recent report from Prolexic Technologies describes some of the new strategies that botnets are using to take down their targets in attacks that are increasingly of a political bent.
The Prolexic report focuses on the increase of DDoS attacks, where multiple computers overload the available bandwidth of a system through methods such as IP spoofing or DNS request floods. Botnets like BlackEnergy typically mount attacks consisting of between 1 and 7 Gbps of straightforward requests on the system by computers under its control, but Prolexic has found that the size and techniques of the attacks are changing.
Thursday, 04 February 2010 14:20
Akuma
To meet the needs of law enforcement, most telecommunications equipment includes hardware and software that allow for the monitoring of traffic originating with the targets of investigations. The precise capabilities are often dictated by formalized standards, which allow any hardware maker to implement a compliant system. Unfortunately, these standards often leave the hardware wide open to various attacks that leave regular users vulnerable, and provide savvy surveillance targets the opportunity to evade the snooping. An IBM researcher has put Cisco's system under the microscope at a Black Hat Conference, and found it comes up short.
Although the standard was designed to put Cisco hardware in compliance with EU directives, it has apparently been adopted by a number of other hardware makers. The presentation, described in detail by Dark Reading, describes how the standard's reliance on SNMPv3 creates a variety of options for attack. For example, the protocol was initially vulnerable to brute-force attacks on its authentication system; although Cisco has patched that flaw, there's no way to determine how many unpatched machines remain in the wild.
SNMP also defaults to operating over UDP, and it's relatively easy to spoof things like the source address and port for that protocol. It's possible to use TCP instead, and even limit the addresses that can access the hardware, but the protocol doesn't specify either of these. Communications aren't encrypted by default, and the system won't notify administrators when a trace is activated or disabled, meaning that hackers could potentially set up or eliminate surveillance without anyone being aware of it.
The IBM researcher, Tom Cross, notified Cisco of the issues back in December, and recommends revisions to the standard that will ensure that it is more secure by default. That might be helpful, but it still wouldn't deal with the problems posed by unpatched systems—Cross himself apparently recognizes that network administrators can be hesitant to risk the disruption of service that may come with updating major pieces of equipment.
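The two settings the article says the protocol leaves optional, encryption and an address restriction, can be checked for in a device configuration. The following is an added example, not code from the presentation or from Cisco; it assumes IOS-style `snmp-server group ... v3` lines, and the group names and ACL numbers in the sample are constructed.

```python
import re

# Constructed sample config in IOS-style syntax; names and ACL numbers are made up.
SAMPLE_CONFIG = """\
snmp-server group LI-MEDIATION v3 priv access 99
snmp-server group LI-LEGACY v3 auth
snmp-server group MONITOR v3 noauth access 10
snmp-server group NOC v3 priv read NOCVIEW
"""

# snmp-server group <name> v3 {noauth|auth|priv} [options...]
GROUP_RE = re.compile(
    r"^snmp-server\s+group\s+(?P<name>\S+)\s+v3\s+"
    r"(?P<level>noauth|auth|priv)\b(?P<rest>.*)$"
)


def audit_snmpv3_groups(config_text):
    """Return {group_name: [findings]} for each SNMPv3 group with a weakness."""
    findings = {}
    for line in config_text.splitlines():
        m = GROUP_RE.match(line.strip())
        if not m:
            continue  # not an SNMPv3 group definition
        issues = []
        level = m.group("level")
        if level == "noauth":
            issues.append("no authentication or encryption")
        elif level == "auth":
            issues.append("authenticated but not encrypted")
        # An 'access <acl>' clause limits which source addresses may query.
        if not re.search(r"\baccess\s+\S+", m.group("rest")):
            issues.append("no source-address ACL")
        if issues:
            findings[m.group("name")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_snmpv3_groups(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(issues)}")
```

Because the article notes that UDP source addresses are easy to spoof, a group that passes the ACL check is restricted, not proven safe.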