Domain: itsecurity.com
Stories and comments across the archive that link to itsecurity.com.
Comments · 21
-
How about state-sponsored trolling?
I can see how this may defeat (ab)users trolling for fun and not suspecting automated detection before it hits them (though, with only 80% accuracy, I dread the thought of the methods expanding out of the virtual realm).
But what about people "trolling" professionally — paid and/or otherwise compelled into it by a state or corporate actor pretending there to exist some kind of "grass-roots" movement? How would it deal with thousands of fake accounts mounting a coordinated assault, posting (while "liking" and "following" each other)?
Sometimes you may be able to catch accounts posting identical things at the exact same time (and ban them all in bulk), but Russians seem to have fixed that bug in their bots now...
This is turning into another battle like the one in which spammers have fought the best Information Technology minds to a standstill. I doubt progress against forum spammers will be much better than that — not when mere technology, however clever, is up against the interests of a reasonably powerful state.
-
Re:Predictable much?
And you just hit right on the head the biggest security measure you can take: get them off IE!
What - precisely - are the problems you see with IE 8?
Firefox has not been proven immune to attack. Security Advisories for Firefox 3.0
Is the technology of the browser still the most significant line of attack?
-
Re:There Already Is One
Here's a fairly balanced article on the CIA/Facebook connection.
-
Re:Looking good, too bad the press didn't understa
There are numerous refutations to your "never suggested that publishing their design or secrets would lead to better security". Many experts have said precisely that.
An IT Security article on full disclosure states that as early as the middle of the 19th century locksmith Alfred C. Hobbes thought full disclosure was important to clear up the rash of lock picking people were experiencing. It goes on to discuss exactly why full disclosure works so well.
David Wagner says in an article on security: "Today, many security companies are strongly resisting this, and I think they will need to learn to accept and embrace public scrutiny as a natural and necessary part of security systems." -- David Wagner and Ian Goldberg are the ones who cracked the security of the SSL layer in Netscape 4.
IEEE article abstract stating that full source code access can have "real benefits for security", although that's not automatic and it has to be done correctly.
Bruce Schneier -- yes, THAT Bruce Schneier -- has an article on his blog that starts "Full disclosure -- the practice of making the details of security vulnerabilities public -- is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure."
Is that enough or do I need to go to the second page of this Google search?
BTW, DJB thinks that both full disclosure and isolation of trusted components are absolutely vital. He's the guy who won the right for Americans to export cryptography technology in court against the Department of Justice. He also found a timing attack against OpenSSL's AES cipher and his Unix Security Holes class of 16 students turned up 91 previously unknown holes in one semester.
As for "Security by design", that helps. However, with many programs being written in languages which allow null pointers, stack overflow, buffer overflow, and array overflow the design can be as secure as you want and the program can still be crashed. In some cases arbitrary code can still be executed. Address randomization, NX bits, run-time bounds checking, and automatic memory management can go a long way. Sanitation of inputs, static analysis, time padding, and more still have to be considered in some cases.
The tests Coverity is running are an example of static analysis. If there's a C routine that can be coerced into smashing the stack or overflowing a buffer in the heap, that can often be automatically caught and reported. Memory leaks often can be, too. They're probably also able to do at least rudimentary checks for sanitizing input values.
-
Re:Unfortunately, this is not true
The initial realization of the scale of the problem came from an FBI study last year. You can start with Malware Trends. However, it is important to note matters are deteriorating faster than anticipated when that article was written last year.
You might also read Bumper crop of malware expected in 2007 which starts with Gartner's prediction that
75% of all enterprises will become infected with undetected, financially motivated malware by the end of 2007.
Unfortunately this is all too real and there are no quick fixes.
-
Re:280m Euros
From the FAQ:
Where does the money go?
The penalty payment is paid into the EU Budget. It does not increase the Budget, but reduces the contribution from Member States. The fines therefore reduce the overall tax burden on individuals.
-
So let me get this straight
I hadn't ever heard about this two-factor authentication thingy yet. According to this paper, an example of two-factor identification is an ATM card and a PIN code. One identifies who you are, the other is matched to the first, and only if you have both are you in. Theft of either of the two doesn't compromise security.
So if I got this straight, first MS had two-factor identification (username and password), then allowed the users to click on a username (icon) so that they would only need to enter a password. Now they go back to what they did before and market it as better security. Of course I must be missing something: another poster pointed out two-factor authentication as being a combination of 'something you have and something you know', meaning a tangible object and something that goes along with it. Biometrics come to mind; fingerprint-recognizing keyboards have been around for ages at low price but never seemed to catch on because fingerprint scanners are too easy to fool. With this two-factor authentication thing, finally we would be able to use our fingerprint for logging in, but without the promise of never needing passwords anymore... instead it is added to the password as an extra layer of security. But in any case the 'something you know' probably keeps coming down to either (still) a password, or answering secret questions about your early childhood that you really wouldn't want anyone to know about. Great opportunity for people to start blackmailing you ;)
Did I get that about right?
-
What Is Two Factor Authentication?
To review, two-factor authentication consists of:
Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.
Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.
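The two factors listed above can be checked together in code. The following is an added example, not part of the comment or of any product discussed on this page: it stores a salted password hash (something you know) and a device-held secret that produces RFC 4226/6238 one-time codes (something you have), and accepts a login only when both pass. The user record, password and device secret are constructed for the example; the secret happens to be the RFC 4226 test-vector key so the codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct

# Added example: "something you know" (salted password hash) plus
# "something you have" (RFC 4226 HOTP / RFC 6238 TOTP from a device secret).
# All user data below is constructed for the illustration.
PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step)


def enroll(password: str, device_secret: bytes) -> dict:
    """Stored record for a user: random salt, password hash and the device secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "device_secret": device_secret}


def verify_login(record: dict, password: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Both factors must pass. The code is accepted within +/- drift_steps time windows to
    tolerate clock skew; comparisons are constant-time so partial matches do not leak."""
    know_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    have_ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = totp(record["device_secret"], unix_time + delta * TOTP_STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            have_ok = True
    # Both factors are evaluated before deciding, so a failure does not reveal which one failed.
    return know_ok and have_ok


def demo() -> dict:
    """The three cases a deployment must get right: both factors, bad code, bad password."""
    secret = b"12345678901234567890"   # RFC 4226 test key, used here as a constructed device secret
    record = enroll("correct horse battery staple", secret)
    now = 59                            # RFC 6238 vector: the 6-digit TOTP at t=59 is 287082
    return {
        "both_right": verify_login(record, "correct horse battery staple", totp(secret, now), now),
        "bad_code": verify_login(record, "correct horse battery staple", "000000", now),
        "bad_password": verify_login(record, "wrong password", totp(secret, now), now),
    }


if __name__ == "__main__":
    print(demo())
```

The drift window is the practical caveat: a device clock a few seconds off would otherwise lock the user out, but widening it beyond one step multiplies the number of codes an attacker could guess, so keep it small and rate-limit attempts at the server.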
-
Pr0n
At least it will stop them accessing pr0n.
http://www.itsecurity.com/soapbox/corbelli1.htm
-
We need to educate the decision makers
We've got to stop this happening again, we've got to educate the people spending our money on huge computer systems which are prone to failure.
I have found that many MPs when questioned on anything related to technology simply say that "it is a complex issue", which to me isn't good enough when such huge amounts of money and significant impact on people's lives is involved.
There is a huge contract that'll be up for grabs soon - EDS are preparing themselves to manage the UK national identity database and identity card scheme. This is one we could lobby our representatives on to ensure they do it right.
Where to have the debate where it might be read by those who matter:
Free service to fax your MP
Boris
Richard Allan
Tom Watson
Shaun Woodward
Citing the recent and ongoing failures such as that cited in the article, and the UK Child Support Agency's computer failure, as well as the NHS computer system UK.
-
Re:DRM
Ok, so let me get this straight:
1. If I ever have a power failure in my house or the battery dies in the computer the encryption key will explode. So I sue Intel over this in a class action suit and they have to fix everyone's cpu chip. Massive recalls, etc.... I can't see Intel doing that.
1a. Besides which - you can buy CPU chips by themselves and they don't have any power being applied to them. You think Intel would develop something that you can only plug in once? Not likely. Man! Would Tom's Hardware have a fit!
2. If I install a watchdog on my computer, install a program which has this technology on it and it shows me how to access the information on the chip my CPU will somehow know and blow itself up. I don't think so. You give too much credit to the PR guys. Either the information can be accessed or it can't. If it can't - then no one else can either. Which makes this technology moot. Use common sense and logic. It is either:
A. You can access this information (albeit in a specific manner).
B. Or you can not access this information.
A program which watches what another program does (Anti-Virus Software anyone?) interrupts whatever the other program is doing to check it. A watchdog program is just doing the same thing. It intercepts whatever the other program is going to do BEFORE it does it, checks it out, and can send that information to a file or the screen. Thus, BEFORE any request goes to the CPU for whatever reason, those commands are intercepted and stored so someone could hack (fairly easily) the command used to access the key information. Once you can do that - the key becomes meaningless because you can then forge the key (captured on output from the CPU by the same program) and make a new disk with this.
Further, what a lot of hackers used to do (and probably still do) is just to find the JSR to the function which does the check and negate it by either putting in their own routine at the end of the program and JSR'ing to it so it can return the key or just NOP'ing it so it is never called. If the function is supposed to return TRUE or FALSE depending upon whether or not the key passed verification, then you just JSR to a function which pushes a TRUE value onto the stack and return.
JSR myFunction . . .
myFunction:
lda a1,1;
push;
return;
What's so hard about that? Then you just load the program in, disassemble it, and do a global replace on that JSR CheckKey function.
After all, why try to disable something when you can just go around it? This is a lot like those dongle things. The people who sold the dongles would also include a set of functions which would check the dongle and the dongle would send back the "special" id. (Sound familiar?) The problem is the same with this Trusted Computing PR BS. Remember that rule #1 says:
"You have to start somewhere."
It is no different with them. Somewhere, somehow, you have to be able to access the key. You find that and the rest is as easy as eating a donut.
-
Re:Cost efficiency
NZ isn't that close of an ally to the US actually; we (New Zealand) won't let the US bring nuclear powered or armed vessels into our waters, and the US doesn't much like us for that. Every now and then they try and "convince" us otherwise, like waving FTAs (free trade agreements) under our nose or making thinly veiled threats to take something away or not play ball on something. And every time we give them the finger and tell them to go take their toys and play somewhere else.
And what of echelon? That's not really giving the NSA the finger.
-
Re:Safety Critical Systems
Is Microsoft Software actually certified for safety critical systems?
Depends on what version of Windows they were running. Windows NT 4 (SP3) is the only version of Windows to have been evaluated against ITSEC criteria. It's unlikely they'd be running a certified product, however, as the second you apply a new Service Pack to the machine, it's no longer certified. Every evaluation I've been part of has been where a vendor has wanted to sell something to the Ministry Of Defence, and have needed to obtain certification under ITSEC or Common Criteria in order to do that.
-
NSAKEY
-
Re:Will they apply it?!
Sometimes it is better not to apply a patch. At least not without checking it out first to verify its authenticity :-)
-
Re:No -- Good talk, BAD idea...
In any case, the fact reamains (sic) that "the unauthorized duplication of copyrighted material" remains illegal.
Of course. I'm not talking about it being illegal or not. I'm talking about the fact that "theft" is what it most certainly is not. In law this is very important. That's why we have different degrees of murder, manslaughter, involuntary homicide, etc etc. The punishment should fit the crime, but so should the vocabulary.
Piracy - whilst part of the problem - is a word I'd prefer not to see, since the real pirates do not use P2P. The top end of the food chain is not on Kazaa or even in IRC, but involved in all sorts of punting of copies of stuff in hidden away markets and often linked to other nefarious activities. By the time stuff gets to most P2P networks it's second or third hand couriers...
-
Re:Page Text
Celebrating its 20th anniversary
It really amazes me just how much longevity the CCC has displayed, despite having gotten mixed up in scrambles that would have totally taken apart anyone less hardy. From concerns that one of their members might have been bumped off, working for the KGB, breaking into NASA... and somehow still finding time to run the Blinkenlights and the congress every year.
I know I would have cashed my chips and left a group like that a long time ago. Hats off guys, how do you do it?
YLFI
-
Just wondering...
Is this the same Chaos Computer Club whose members sold U.S. military intelligence to the KGB? Did that "make this world a little bit more friendly to intelligent beings"?
-
Re:Languages not necessarily the problem
The reason Perl needs taint mode at all is because it does so many things in a blatantly insecure way... In most compiled languages, a taint mode is not necessary because the language and libraries don't do 'useful' things based on magic characters in strings you happen to pass.
Have you ever used a SQL library that lets you build and pass queries to the server? There are plenty of SQL injection vulnerabilities that would have been thwarted by taint checking in the language. Applications are filled with lots of other "little languages" that can be made to interpret unchecked input dangerously.
-
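The point about SQL as a "little language" interpreting unchecked input can be shown concretely. The following is an added example, not code from either commenter: it builds one query by string concatenation, the same query with a minimal taint marker (a hypothetical `Tainted` string subclass that refuses to be spliced into SQL text, standing in for what Perl's taint mode does at the language level), and the hardened form that binds the value as a parameter so the database never parses it as SQL. The table contents and the hostile form input are constructed for the illustration.

```python
import sqlite3


class Tainted(str):
    """A string that crossed the trust boundary (form field, header, URL parameter).
    It behaves like str, but SQL-text builders refuse it; the only sanctioned way out
    is as a bound parameter. Hypothetical minimal stand-in for language-level taint mode."""


def untrusted(value: str) -> Tainted:
    """Mark data from outside as tainted at the point where it enters the program."""
    return Tainted(value)


def build_query_unsafe(username: str) -> str:
    """Vulnerable form: the data becomes part of the SQL 'little language'."""
    return "SELECT id, name FROM users WHERE name = '" + username + "'"


def sql_text(fragment: str) -> str:
    """Taint check applied to every piece of query text: tainted data is rejected."""
    if isinstance(fragment, Tainted):
        raise ValueError("tainted data cannot be used as SQL text")
    return fragment


def build_query_checked(username: str) -> str:
    """Same concatenation, but every fragment passes the taint check first."""
    return sql_text("SELECT id, name FROM users WHERE name = '") + sql_text(username) + sql_text("'")


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value; it is never parsed as SQL.
    Binding is the one place where a Tainted value may be unwrapped."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (str(username),)).fetchall()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def demo() -> dict:
    """Run the same hostile input through all three paths and count the rows returned."""
    conn = make_db()
    payload = untrusted("x' OR 'a'='a")   # constructed hostile form input
    unsafe_rows = conn.execute(build_query_unsafe(payload)).fetchall()   # WHERE clause is now always true
    try:
        build_query_checked(payload)
        taint_check = "allowed"
    except ValueError:
        taint_check = "rejected"
    return {
        "unsafe_rows": len(unsafe_rows),                         # every user leaks
        "taint_check": taint_check,                              # concatenation refused
        "param_rows": len(lookup_param(conn, payload)),          # no user is literally named that
        "legit_rows": len(lookup_param(conn, untrusted("alice"))),  # ordinary lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

The taint wrapper only helps if marking happens at the input boundary and every query-text builder calls `sql_text`; parameter binding needs no such discipline, which is why it is the fix to prefer, with taint tracking as a safety net for the cases where query text really is assembled at runtime.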
Re:Which are more successful?
[If something doesn't seem completely logical or contradictory somewhere, like MS being on the same level with RedHat in one place and with Sun in another, that's probably because I'm merging things I found in two different articles that were written almost half a year apart]
You could look at it this way: for the past couple of years, the number of vulnerabilities discovered in WinNT and 2000 combined has been at approximately the same level as that for RedHat linux alone, and at about 50% of all linux distros combined. The absolute leader in the vulnerability top 100 is Mandrake, with M$ sharing the 4th position with Sun.
It's not because headlines don't cry out that the world is about to end every time a hole is found in linux/solaris/unix, that none are found.
Only this year, and that's because MS expressly started searching for them, the number of vulnerabilities found in Win2000 is rising - above RedHat, but (at the time of the article I can't find anymore - see below) it still looked like it wouldn't surpass all of linux combined.
So where do you think attacks would be more successful?
Source: here or here, "Windows more secure than Linux?"
I thought I saw another article last Friday with more recent figures (including the first months of 2002) and saying that this ratio, except for the peak in 2002, has been constant for a couple of years, but I can't find the blasted thing anymore.
Also interesting is this page where a number of people explain their ideas about win/lin security. I suppose most /. nerds are going to call it biased because linux doesn't exactly come out good.
Some people reacted to the first article that comparing a single OS to all flavors of linux combined isn't honest, but (1) NT and 2000 aren't a single OS any more than linux is and they represent a larger installed system base, (2) even in the case of a few individual linux distros MS still wins, and (3) neither is combining all the good sides of different linux flavors, or comparing the holes in an OS plus those in all its apps to just an OS alone, and all of these are daily habits in linux advocacy if it fits the linux side.
-
Enercon case
One huge problem is the abuse of the system. Someone could simply set up the knowledge base to go fishing for some secret industrial data, well someone already did.
The story of the German energy company Enercon is a good example here. In short it describes how a German company finds their own invention already patented in the US, by the US competitor Kennentech, with papers bearing even Enercon logos! It sounds funny until you realize that Enercon lost 100 million DM and 300 people lost their jobs, as Enercon was not allowed to sell their products in the US.
So if you are looking for some adversely affected 'decent citizens' (though not US citizens) throw the words 'Enercon' and 'NSA' at your preferred search engine. I did so and got some coverage of the case here or a little down the page from heise. German readers might want to look at a script for the "plusminus" show or a "Spiegel" or "Zeit" article. While digging up the case I also stumbled over this nice collection of slides concerning the NSA.