Archive for the ‘Communication’ Category

Using science to generate truly random numbers

December 1, 2011

Tom Spears / Ottawa Citizen

To people who want to encrypt data, this is a potential source of randomly-chosen numbers that are used as a “key” to lock and unlock sensitive data — military transmissions, banking transactions, or your email.

The idea is that if no one knows how the key was created in the first place, hackers and code-breakers won’t be able to figure out the secret and decode the messages.

Turning to Crowdsourcing for Intelligence

November 21, 2011

Dan Parsons / National Defense Magazine

The goal is to demonstrate better accuracy in predicting near-term and middle-term events than an opinion poll by the end of the four-year experiment. In the first year, Warnaar is seeking to achieve a 20 percent improvement over traditional polling methods. If its predictions turn out more accurate, the program will be made available to government decision makers.

Questions from informed policy makers could then be fed into ACES and predictions would be based on weighted answers from program participants.

Insecure encryption standard?

October 24, 2011

Lucian Constantin / Computerworld

Researchers Juraj Somorovsky and Tibor Jager from the Ruhr University of Bochum (RUB) in Germany devised an attack that decrypts data secured with the DES (Data Encryption Standard) or the AES (Advanced Encryption Standard) in CBC (cipher block chaining) mode. They plan to present their findings in more detail at the ACM Conference on Computer and Communications Security later this year.

According to Jörg Schwenk, who teaches Electrical Engineering and Information Technology at RUB, all data encryption algorithms recommended in the XML Encryption standard are affected by this attack, which relies on sending modified ciphertexts to the server and analyzing the errors for clues.
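The attack described above works because a CBC decryptor without integrity protection reports errors on modified ciphertexts. The following Go program is an added example, not code from the researchers or from any XML Encryption implementation: it shows one mitigation, encrypt-then-MAC with a single uniform failure, so that a modified ciphertext is rejected before its padding is ever examined. The key, MAC key, IV and message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

var ErrInvalid = fmt.Errorf("decryption failed") // the only error openCBC returns; bad length, bad MAC and bad padding look alike to the sender

// sealCBC returns iv || AES-CBC(PKCS#7(plaintext)) || HMAC-SHA256(iv || ciphertext), i.e. encrypt-then-MAC.
func sealCBC(block cipher.Block, macKey, iv, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	body := append(append([]byte{}, iv...), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body) // appends the tag to iv || ciphertext
}

// openCBC verifies the MAC in constant time before decrypting, so a modified ciphertext never reaches the padding check.
func openCBC(block cipher.Block, macKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrInvalid
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrInvalid
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // padding is inspected only once authenticity is established
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrInvalid
	}
	return pt[:len(pt)-n], nil
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key and IV; a real IV must be fresh and random per message
	msg := sealCBC(block, []byte("constructed-mac-key"), []byte("constructed-iv!!"), []byte("<Amount>100</Amount>"))
	msg[aes.BlockSize] ^= 1 // one modified ciphertext bit, as in the attack described above
	fmt.Println(openCBC(block, []byte("constructed-mac-key"), msg))
}
```

Whatever byte is changed, the server answers with the same error, which removes the signal the attack depends on; an AEAD mode such as AES-GCM achieves the same property with a single primitive.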

Measuring Impact of Wi-Fi Denial-of-Service Attacks

September 17, 2011

John Cox / CSO

“In a Wi-Fi network, the Denial of Service attacks are usually generated by so-called ‘backoff misbehavior,’” she says. Based on the Wi-Fi protocols, client radios “listen” to see if the radio channel is being used. If it is, it “backs off” and waits for a set period, and then listens again. If the channel is clear, it can claim it, and send or receive data.

But an attacker can manipulate this process, changing the rules, Wang says. “[W]hen attacks change the rules of backoff time, it is similar to crashing a queue and occupying it forever,” she says. “Of course, [the] other users do not know what happened and would assume the entire network is down.”

By shortening its own backoff time, the attacker “can increase the chances of connecting to the access point dramatically, resulting in a much higher probability of access success.”
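To see why a shortened backoff starves the other stations, here is an added example (not from the article or the researchers): a simplified slotted CSMA/CA simulation in Go in which station 0 keeps a fixed two-slot window while the others follow binary exponential backoff. The window sizes, station count, slot count and seed are constructed for the demo, and counters keep counting down during busy slots, which real 802.11 stations do not.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Simplified slotted CSMA/CA model of the "backoff misbehavior" in the article:
// honest stations draw a backoff from [0, cw) and double cw after a collision;
// the misbehaving station keeps a tiny fixed cw instead.
const cwMin, cwMax, cwCheat = 16, 1024, 2

// simulate runs n stations for the given number of slots (station 0 misbehaves
// when cheat is set) and returns each station's count of successful transmissions.
func simulate(n, slots int, cheat bool, seed int64) []int {
	r := rand.New(rand.NewSource(seed))
	cw, counter, success := make([]int, n), make([]int, n), make([]int, n)
	backoff := func(i int, collided bool) {
		if cheat && i == 0 {
			cw[i] = cwCheat // misbehaving station: tiny fixed window, never doubled
		} else if !collided {
			cw[i] = cwMin
		} else if cw[i] < cwMax {
			cw[i] *= 2 // binary exponential backoff after a collision
		}
		counter[i] = r.Intn(cw[i])
	}
	for i := range cw {
		backoff(i, false)
	}
	for t := 0; t < slots; t++ {
		var ready []int
		for i := range counter {
			if counter[i] == 0 {
				ready = append(ready, i)
			} else {
				counter[i]-- // idle slot for this station: count down
			}
		}
		if len(ready) == 1 { // exactly one transmitter: success
			success[ready[0]]++
		}
		for _, i := range ready { // winner re-arms; colliders back off harder
			backoff(i, len(ready) > 1)
		}
	}
	return success
}

func main() { fmt.Println(simulate(4, 50000, false, 1), simulate(4, 50000, true, 1)) }
```

The per-station share of successful transmissions is the kind of impact measurement the article refers to; on a real network, one client persistently winning far more than its fair share of the channel is a signal worth alerting on.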


Catching up on credit card security

September 13, 2011

Peter Svensson / USA Today

The problem with that black magnetic stripe on the back of your credit card is that it’s about as secure as writing your account information on a postcard: everything is in the clear and can be copied. Card fraud, and the measures taken to prevent it, costs U.S. merchants, banks and consumers billions each year.

The smart cards can’t be copied, which greatly reduces the potential for fraud. Smart cards with built-in chips are the equivalent of a safe: they can hide information so it can only be unlocked with the right key. Because the important information is hidden, the cards can’t be replicated.

Lightweight Portable Security (LPS)

September 13, 2011

Software Protection Initiative / Department of Defense

Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). LPS boots a thin Linux operating system from a CD or USB flash stick without mounting a local hard drive. Administrator privileges are not required; nothing is installed.

The idea behind it is that workers can use a CDROM or USB stick to boot into a tamper-proof, pristine desktop when using insecure computers such as those available in hotels or a worker’s own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so no trace of work activity can be written to the local computer.

Defense against wireless man-in-middle attacks

August 25, 2011

John Cox / Network World

Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas.

Automate Searching with Google Alerts

July 8, 2011

Corey Harrell / Journey into Incident Response

Google queries show the information currently in Google’s index and cache, while Google alerts send email notifications when Google is returning new information. The combination of queries and alerts can be leveraged by organizations to identify security issues such as data leakage, website vulnerabilities, and stolen information.

The majority of the data breaches referenced had two things in common. The first commonality was sensitive company information was exposed to the Internet. The second commonality was the companies were notified about the data leakage after a third party located the information through Google searches.

Google Hastens Secure Connections

June 19, 2011

Thomas Claburn / Information Week

Google is fanatically devoted to speed, because Web apps depend on speed to compete with desktop apps and slow response times lead to a poor user experience. So last year, Google’s computer scientists proposed a way to shorten the technical handshake ritual.

Now their proposal, Transport Layer Security (TLS) False Start, has been tested and the results are in: SSL False Start significantly reduces the amount of time required to establish a secure connection.

Coordinated Vulnerability Disclosure

April 30, 2011

More and more companies are coming out with formal Coordinated Vulnerability Disclosure processes/standards:

After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem. By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.

Security and Privacy in Public Cloud Computing

February 3, 2011

NIST has published a draft Special Publication (SP), “Guidelines on Security and Privacy in Public Cloud Computing”. NIST will accept comments on the draft until February 28, 2011.

NIST SP 800-144 provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

Death of the password… not so soon!

January 30, 2011

I agree with Apple turning the iPhone into a universal debit card and Google’s Android supporting Near Field Communication (NFC) but not everything discussed in the article will happen that fast!

Why? Because I strongly believe that before Apple and Google implement a workable biometric ID solution for cell phones or replace the current authentication infrastructure with a biometric infrastructure, authentication will pass through other stages, like two- (or multi-)factor authentication (Yubikey-style touch key, some sort of machine tagging for cell phones) or one-time passwords (sent via an out-of-band channel like SMS or email).

The obvious password replacement is biometric identification — the use of a system capable of recognizing unique physical attributes, such as fingerprints, iris patterns or voices.

Far too many people don’t trust biometrics because it feels like Big Brother technology. But I believe that if the biometric system resides on the user’s cell phone, and is under the user’s control, such technology would be far more acceptable to the public.

Fingerprinting is not very reliable, voice recognition technology, in general, suffers from false-positive and false-negative issues, and iris scanners/sensors are costly.

Until mobile platforms get mature

January 29, 2011

After iPhone Tracker, it’s Android which has been in the news for similar reasons – recording credit card or financial account numbers (or any numbers, in general). It has nothing to do with the iPhone or Android OS alone… it’s the overall mobile platform, which needs to mature before it can securely process financial transactions or store confidential data.

While it’s evolving, there are several things we can do — to take advantage of mobile commerce and other opportunities created by mobile technologies – including writing secure code. Even though, in the past year or so, there has been so much focus on incorporating security in the SDLC process, only a small percentage of companies have implemented it as a formal program.

A general SDLC includes five phases: initiation, acquisition / development, implementation / assessment, operations / maintenance, and sunset (disposition). Each of the five phases includes a minimum set of security tasks needed to effectively incorporate security in the system development process. Including security early in the information SDLC will usually result in less expensive and more effective security than adding it to an operational system.

ABC: Attribute-Based Credentials

January 27, 2011

This is the simplest, most honest and practical answer to the question “how can I protect my privacy?”: divulge less information about yourself on the web and other platforms!

…in many cases, there’s no need for someone verifying your credentials to know everything about you. A bouncer at a nightclub needs to know that you’re 21, not your name or home address. A county database may only require proof that you’re a local resident, not your phone number or e-mail address.

Old rivals Microsoft and IBM are developing a solution to this problem using a system called ABC4Trust.

Attribute-based Credentials (ABC) allow a holder to reveal just the minimal information required by the application, without giving away full identity information. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-protecting digital society.

One likely application for the ABC system: electronic identity cards issued by national governments. Microsoft has already demonstrated a system that can verify that someone is at least 18 years old and resides in Berlin, without disclosing an actual birthdate.

Comments Welcome…on FTC’s Privacy Report

January 22, 2011

If you missed this earlier, the FTC has extended the deadline for comments on its Privacy Report (Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers) until Feb 18th.

Stakeholders emphasized the need to improve transparency, simplify the ability of consumers to exercise choices about how their information is collected and used, and ensure that businesses take privacy-protective measures as they develop and implement systems.

At the same time, commenters and participants urged regulators to be cautious about restricting the exchange and use of consumer data in order to preserve the substantial consumer benefits made possible through the flow of information. Participants noted, for example, that the acquisition, exchange, and use of consumer data not only helps to fund a variety of personalized content and services, but also allows businesses to innovate and develop new products and services that offer consumers convenience and cost savings.

Researchers hack GSM mobile calls [again!]

January 5, 2011

This has been done in the past. But now researchers seem to have overcome some of the issues (e.g., applying the lookup to a real call). But is it so easy that anyone can do it? Probably not:

How easy would it be to exploit the new hack? In short, not particularly easy. Creating a custom lookup table similar to Nohl’s would take months of work and any eavesdropper would still need to break into the handset in question.

Is Internet Backbone Vulnerable to Cyber Attack?

December 22, 2010

The protection of backbone infrastructure is no different from the protection of financial and health infrastructure (aka Critical Infrastructure). Zhou makes a good point about regulating and establishing minimum security/safety standards. Why is it unregulated when other critical service institutions are?

Zhou has used SWITCH, the Swiss national network for research and education, as the focus of a case study and simulation of how such physical damage might impact on networks and the internet as a whole in the future.

Her results offer three main recommendations for protecting critical network infrastructure that should be considered at the national level:

  1. First, common connection points, where several cables or network hubs meet, should be regarded as key protected infrastructure.
  2. Secondly, backbone and service providers should be persuaded and supported in protecting their network backbone and to diversify the physical routing of fibre optic cables.
  3. Thirdly, national governments need to cooperate with service providers and define a series of basic safety standards for what is currently an entirely unregulated sector of information and communication technologies.

Google’s Transparency Report

September 22, 2010

Google has created a website, called Transparency Report, for users to know whether their local government has been making requests for the removal of any content.

Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual.

What’s the trigger behind this effort…?

Quantum Cryptography System Hacked

May 18, 2010

Should we be worried?

When it comes to secure messaging, nothing beats quantum cryptography, a method that offers perfect security. Messages sent in this way can never be cracked by an eavesdropper, no matter how powerful.

At least, that’s the theory. Today, Feihu Xu, Bing Qi and Hoi-Kwong Lo at the University of Toronto in Canada say they have broken a commercial quantum cryptography system made by the Geneva-based quantum technology startup ID Quantique, the first successful attack of its kind on a commercially-available system.
