Privacy, Security Archive

"Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and ecommerce servers.RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. The researchers - Andrea Pellegrini, Valeria Bertacco and Todd Austin - outline their findings in a paper titled "Fault-based attack of RSA authentication", to be presented 10 March at the Design, Automation and Test in Europe conference."

Computer scientists say they've discovered a "severe vulnerability" in the world's most widely used software encryption package that allows them to retrieve a machine's secret cryptographic key. The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

"At the Black Hat DC Conference 2010 security researcher Christopher Tarnovsky of FlyLogic Engineering has demonstrated a way to defeat the Trusted Platform Module chips widely used to secure data in computers, identity cards, gaming systems like the Xbox 360, cable set-top boxes, and other electronics. TPM modules are widely used in enterprise, health care, government, and military applications to protect data through encryption, particularly on portable devices that might be easily lost or stolen. Although Tarnovsky's process is labor intensive and requires both specialized equipment and a significant period of physic access to the device to be cracked, his step-by-step instructions do outline how to get data out of a TPM-protected system, including encryption keys and manufacturing information that could be used to create pre-cracked counterfeit chips."

"An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English-language books and websites, casting doubt on claims it provided strong evidence that the malware was written by someone inside the People's Republic of China."

I was reminded of Sun Microsystems' Scott McNealy's infamous sound byte (used as the title of this article) when I read about Google CEO Eric Schmidt's foot-in-mouth moment during a recent CNBC interview (YouTube Link). Here's what Schmidt said: "I think judgment matters. If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities."

Websense has made ten predictions about security/vulnerability trends for 2010. There's no crystal ball, so we're not talking about malicious innovation, but mostly a recognition that certain nefarious activities are gaining traction and will expand in the near future. Of particular interest to OSNews readers: exploitations of Windows 7 and IE 8 vulnerabilities, the beginning of the end of the Mac's reprieve on security issues, and increasing targeting of mobile devices (beyond Rickrolling your iPhone, presumably). Read on to learn OSNews 2010 security predictions.

"Researchers say they've uncovered a flaw in the secure sockets layer protocol that allows attackers to inject text into encrypted traffic passing between two endpoints. The vulnerability in the transport layer security protocol allows man-in-the-middle attackers to surreptitiously introduce text at the beginning of an SSL session, said Marsh Ray, a security researcher who discovered the bug. A typical SSL transaction may be broken into multiple sessions, providing the attacker ample opportunity to sneak password resets and other commands into communications believed to be cryptographically authenticated. Practical attacks have been demonstrated against both the Apache and Microsoft IIS webservers communicating with a variety of client applications. A consortium of some of the world's biggest technology companies have been meeting since late September to hash out a new industry standard that will fix the flaw. A draft is expected to be submitted on Thursday to the Internet Engineering Task Force."

From Smashing Magazine: "A few months ago, Anton Isaykin, in collaboration with the company 2comrades, found a huge vulnerability that is quite typical of big projects (we do not name names here). To test it, they obtained the file structures and even the source code of about 3320 Russian websites and some major English-language websites. Serious vulnerabilities like this aren't supposed to exist nowadays. Every serious or visible exploit is found and fixed quickly. But here we will show you something simple and ordinary yet very dangerous."

In some sense, home security systems suffer the same fate as mobile phone handsets. Most people, if they have one, have the one that a security monitoring company installed, and their only interaction with it is to turn it on or off. But some people want more than just a security system. Some people want a security system that can be expanded to perform almost any kind of home monitoring and automation task. You know, lunatics. Lunatic geeks. Enter the Elk M1.

This week in Greece Peter Hustinx, the European Data Protection Supervisor shared the latest Eurobarometer (a series of surveys regularly performed on behalf of the European Commission) findings that show that 2/3 of European Union citizens are very concerned about the security and privacy of their information. The figures are even higher in Austria and Germany, with over 90% respondents sharing their concerns on these important topics. Countries like the United Kingdom do this kind of research on a yearly basis and the results show the same trend in awareness of data security and privacy issues.

Blackberry phones in the United Arab Emirates recently received a text from Etisalat, a major provider in the UAE, prompting for users to download and install an update to enhance performance. It was an ill radio wave that brought that text to phones because it turns out that the "update" downloaded was really software designed to collect received messages and send them back to a central server: essentially spyware.

"Is password protection an inherently flawed security model? A hack into a Twitter employee's Gmail provided access to a number of confidential Twitter docs housed in Google's cloud. What does that say about cloud security? Information from the docs was leaked to the media and published on various outlets." This may be a hard blow to those who have hopes in tossing sensitive data into the cloud.

The Safari 4 beta is having a little bit of trouble cleaning up after itself, as has been revealed by C. Harwic on his blog. Safari 4 is still in beta, so it's easy to forgive the browser for this rather sloppy housekeeping, which left gigabytes (!) of browsing data in weird places all over your filesystem, even after cleaning the caches or history. Still, this does raise a few questions.

InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break -- not at all hard to accomplish, Grimes writes.