Privacy, Security Archive

From Smashing Magazine: "A few months ago, Anton Isaykin, in collaboration with the company 2comrades, found a huge vulnerability that is quite typical of big projects (we do not name names here). To test it, they obtained the file structures and even the source code of about 3320 Russian websites and some major English-language websites. Serious vulnerabilities like this aren't supposed to exist nowadays. Every serious or visible exploit is found and fixed quickly. But here we will show you something simple and ordinary yet very dangerous."

Software Engineer and encryption aficionado Jeff Moser has created an XKCD-esque stick figure comic explaining the Advanced Encryption Standard (AES): where it came from, why it was necessary, and most-illuminatingly, how it works. Your eyes may glaze over toward the end when it gets into some hefty math, but even if you skim that part, you'll know a lot more about encryption when you're done.

This week in Greece Peter Hustinx, the European Data Protection Supervisor shared the latest Eurobarometer (a series of surveys regularly performed on behalf of the European Commission) findings that show that 2/3 of European Union citizens are very concerned about the security and privacy of their information. The figures are even higher in Austria and Germany, with over 90% respondents sharing their concerns on these important topics. Countries like the United Kingdom do this kind of research on a yearly basis and the results show the same trend in awareness of data security and privacy issues.

PandaLabs has issued a ranking of the most insidious malware threats that have surfaced in the past 20 years. Threats have been selected for the notoriety they achieved through widespread epidemic and the damage caused. Some of the "stars" from the list include Melissa from 1999, ILoveYou from 2000 and Nimda from 2001.

"Is password protection an inherently flawed security model? A hack into a Twitter employee's Gmail provided access to a number of confidential Twitter docs housed in Google's cloud. What does that say about cloud security? Information from the docs was leaked to the media and published on various outlets." This may be a hard blow to those who have hopes in tossing sensitive data into the cloud.

Kon-Boot seems to be a similar alternative to Ophcrack that also runs on Linux as well as Windows operating systems. It doesn't crack the password but instead bypasses it and lets the user into any account. Those who are admins may want to take a gander at Kon-Boot in case someone with ulterior motives and physical access to vital computers happens to stumble across this tool. Those who have ulterior motives, enjoy. "According to the description at the tool's site, Kon-Boot alters a Linux or Windows kernel on the fly during boot up. The result is that you can login to a system as 'root' or 'administrator' without having to know the associated account password."

InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break -- not at all hard to accomplish, Grimes writes.

The past few years, it seemed as if virus writers had moved away from doing actual damage to systems to instead focus on stealth, so that infected machines can silently, and unknowingly, be used for all sorts of malicious practices. Sadly, there are still those crackers out there that prefer the old-fashioned approach to these matters. The result: 100000 ruined Windows machines.

Researchers at security firm Finjan have uncovered a massive botnet of Windows machines. The botnet is 1.9 million machines strong, with many of the machines located in the United States: 45% of them are located in the US. The researchers detailed their findings at the RSA Conference in San Fransisco.

Many have gotten antsy the past months about the Conficker worm, and all with good reason. Though the worm hasn't done much of anything (yet) except spread like the plague, it's infectious if one doesn't have his or her Windows operating system up-to-date with the most recent security updates. The worm is supposed to execute on April 1st, and the computer world is holding its breath to see if a disaster comparable to the hyped-up supposed Y2K doomsday will ensue or if it's just someone's idea of a sick April Fool's Day joke.

As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later by cracker Nils, who also cracked Safari and Firefox after being done with IE8.

Remember Conficker, the worm that wouldn't have been as devastating as it has been had people just kept their machines up to date? Even though the critical patch had already been released way before Conficker started its rampage, the worm became one of the worst infections to date. A Romanian company has found a cure for the worm.

It's time for another security report. You know, those reports that tally vulnerabilities, and then plot or graph them in such a way that their benefactors or clients come out most favourably. Ok, that might be a bit cynical, but fact remains that there is usually something wrong with such reports. The one that's making its rounds across the internet today is certainly one of them. According to IBM, AIX is the most secure operating system, and Mac OS X the least secure. Not only is the report rather slim on details when it comes to operating system vulnerabilities, it seems like most websites reporting on this story have misunderstood what it was about.

Yesterday, we reported on the security flaw in Windows 7's UAC slider dialog, and today, Microsoft has given a response to the situation, but it doesn't seem like the company intends to fix it. "This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level." I hope this reply came from a marketing drone, because if they intend on keeping this behaviour as-is in Windows 7 RTM, they're going to face a serious shitstorm - and rightfully so. Let's hope the Sinfoskies and Larson-Greens at Microsoft rectify this situation as soon as possible.