
Mind-reading DNS security analysis offers early warning for APT attacks

Precog security tech looks to predict online typo terror

The application of predictive algorithms to DNS data may be able to spot malware sites before they serve up nasties.…

Bracing for the Cyberthreat Deluge
Almost 17,000 malware alerts surface every week, the Ponemon Institute recently found. Only 4 percent of alerts were investigated, and traditional antivirus products missed nearly 70 percent of malware in the first hour, researchers discovered in a recent Damballa study. Rescanning led to identification of 66 percent of the malware in 24 hours and 72 percent after seven days.
Windows Caught in Path of FREAK Security Storm
Microsoft on Thursday issued a security advisory acknowledging a vulnerability in all versions of Windows that could allow FREAK exploits. Windows systems previously were thought to be immune to FREAK attacks. "The vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," the advisory reads.
FREAK: Security Rollback Attack Against SSL

This week we learned about an attack called "FREAK" -- "Factoring Attack on RSA-EXPORT Keys" -- that can break the encryption of many websites. Basically, some sites' implementations of secure sockets layer technology, or SSL, contain both strong encryption algorithms and weak encryption algorithms. Connections are supposed to use the strong algorithms, but in many cases an attacker can force the website to use the weaker encryption algorithms and then decrypt the traffic. From Ars Technica:

In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site.

This is a general class of attack I call "security rollback" attacks. Basically, the attacker forces the system users to revert to a less secure version of their protocol. Think about the last time you used your credit card. The verification procedure involved the retailer's computer connecting with the credit card company. What if you snuck around to the back of the building and severed the retailer's phone lines? Most likely, the retailer would have still accepted your card, but defaulted to making a manual impression of it and maybe looking at your signature. The result: you'll have a much easier time using a stolen card.

In this case, the security flaw was designed in deliberately. Matthew Green writes:

Back in the early 1990s when SSL was first invented at Netscape Corporation, the United States maintained a rigorous regime of export controls for encryption systems. In order to distribute crypto outside of the U.S., companies were required to deliberately "weaken" the strength of encryption keys. For RSA encryption, this implied a maximum allowed key length of 512 bits.

The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to "access" communications, while allegedly providing crypto that was still "good enough" for commercial use. Or if you prefer modern terms, think of it as the original "golden master key."

The need to support export-grade ciphers led to some technical challenges. Since U.S. servers needed to support both strong and weak crypto, the SSL designers used a "cipher suite" negotiation mechanism to identify the best cipher both parties could support. In theory this would allow "strong" clients to negotiate "strong" ciphersuites with servers that supported them, while still providing compatibility to the broken foreign clients.

And that's the problem. The weak algorithms are still there, and can be exploited by attackers.
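The downgrade described above is easiest to see as a message exchange. The following is an added toy model of the negotiation, not code from this page, from the FREAK researchers, OpenSSL or Apple: the attacker on the path rewrites the ClientHello so that only an export suite is offered, the server answers with a temporary 512-bit RSA key, and the attacker hands the client a ServerHello naming the strong suite it originally asked for. Whether the handshake continues then depends on whether the client notices that it received an export-grade key for a non-export suite. The cipher-suite names are real IANA names; the message classes, the "network" and the key sizes are simplified stand-ins, and the two fixes (a client that checks the key against the negotiated suite, a server with export suites disabled) are shown side by side with the vulnerable case.

```python
"""Toy model of the TLS cipher-suite negotiation that FREAK abuses.

Constructed illustration for this page, not code from OpenSSL, Apple or the
FREAK authors. Suite names are real IANA names; everything else is simplified.
"""
from dataclasses import dataclass

STRONG_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"
EXPORT_SUITE = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"   # key exchange on a 512-bit RSA key


@dataclass
class ServerHello:
    suite: str


@dataclass
class ServerKeyExchange:
    """Sent only for RSA_EXPORT suites: a temporary RSA key of at most 512 bits,
    signed with the server's long-term certificate key."""
    rsa_bits: int


class Server:
    def __init__(self, enabled_suites):
        self.enabled_suites = list(enabled_suites)   # server preference order

    def respond(self, offered_suites):
        for suite in self.enabled_suites:
            if suite in offered_suites:
                break
        else:
            raise ValueError("handshake_failure: no common cipher suite")
        # Export suites need a temporary 512-bit RSA key for the key exchange.
        ske = ServerKeyExchange(512) if "EXPORT" in suite else None
        return ServerHello(suite), ske


class Client:
    def __init__(self, offered_suites, checks_suite_for_export_key):
        self.offered_suites = list(offered_suites)
        # False models the client bug: an RSA_EXPORT key is accepted even
        # though the client never negotiated an export suite.
        self.checks_suite_for_export_key = checks_suite_for_export_key

    def accept(self, hello, ske):
        """True if the client goes on to encrypt the pre-master secret."""
        if hello.suite not in self.offered_suites:
            return False   # any client rejects a suite it did not offer
        if ske is None:
            return True    # plain RSA: pre-master secret goes under the cert key
        if self.checks_suite_for_export_key and "EXPORT" not in hello.suite:
            return False   # fixed client: no temporary RSA key for a non-export suite
        return True        # buggy client: swallows the 512-bit key anyway


def freak_mitm(client_hello_suites):
    """Attacker on the path: replace whatever the client offered with export only."""
    return [EXPORT_SUITE]


def run_handshake(client, server, mitm=None):
    offered = client.offered_suites if mitm is None else mitm(client.offered_suites)
    try:
        hello, ske = server.respond(offered)
    except ValueError as exc:
        return {"completed": False, "reason": str(exc)}
    if mitm is not None:
        # The attacker forwards a ServerHello naming the suite the client asked
        # for, so the client sees nothing odd in the negotiated suite itself.
        hello = ServerHello(client.offered_suites[0])
    accepted = client.accept(hello, ske)
    return {
        "completed": accepted,
        "suite_seen_by_client": hello.suite,
        # 512 here means the pre-master secret is encrypted to a factorable key.
        "key_exchange_bits": ske.rsa_bits if ske else None,
        "reason": "ok" if accepted else "client rejected ServerKeyExchange",
    }


def scenarios():
    buggy_client = Client([STRONG_SUITE], checks_suite_for_export_key=False)
    fixed_client = Client([STRONG_SUITE], checks_suite_for_export_key=True)
    legacy_server = Server([STRONG_SUITE, EXPORT_SUITE])   # still carries 1990s suites
    hardened_server = Server([STRONG_SUITE])               # export suites disabled
    return {
        "no_attacker": run_handshake(buggy_client, legacy_server),
        "freak_buggy_client": run_handshake(buggy_client, legacy_server, freak_mitm),
        "freak_fixed_client": run_handshake(fixed_client, legacy_server, freak_mitm),
        "freak_hardened_server": run_handshake(buggy_client, hardened_server, freak_mitm),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

Only the buggy-client-plus-legacy-server case completes with a 512-bit key exchange, which is the combination the seven-hour, $100 factoring cost quoted above applies to. Either fix alone stops it: the client-side check is what the browser and OS patches add, and dropping the export suites from the server configuration removes the weak key from the exchange entirely. To check a real server for the second condition, `openssl s_client -cipher EXPORT -connect host:443` will only succeed if the server still accepts an export suite; note that OpenSSL builds from 1.1.0 onward no longer include export ciphers at all, so that probe needs an older build or a dedicated scanner.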

Fixes are coming. Companies like Apple are quickly rolling out patches. But the vulnerability has been around for over a decade, and has almost certainly been used by national intelligence agencies and criminals alike.

This is the generic problem with government-mandated back doors, key-escrow, "golden keys," or whatever you want to call them. We don't know how to design a third-party access system that checks for morality; once we build in such access, we then have to ensure that only the good guys can do it. And we can't. Or, to quote The Economist: "...mathematics applies to just and unjust alike; a flaw that can be exploited by Western governments is vulnerable to anyone who finds it."

This essay previously appeared on the Lawfare blog.

Pentagon 'network intruder', dozens more cuffed in British cops' cyber 'strike week'

'Just the first step', chuckles fraudbust bigwig

A "strike week" against suspected hackers by the UK's National Crime Agency has resulted in 57 arrests.…

Two indicted for stealing 1 billion email addresses in historic breach
Two Vietnamese men have been indicted, with one pleading guilty, for hacking into eight U.S. email service providers and stealing 1 billion email addresses and other confidential information, resulting in what's believed to be the largest data breach in U.S. history, the U.S. Department of Justice announced.
IoT's dark side: Hundreds of unsecured devices open to attack

ATLANTA -- A self-described security "amateur" discovered hundreds of Internet-connected devices ranging from cameras to industrial control systems that were connected to the Internet without even basic password protection -- meaning they could be easily turned on and off or otherwise manipulated with a single click of a mouse.

"You would be amazed [what] you could find," Espen Sandli, a journalist at the Norwegian newspaper Dagbladet, told the Computer Assisted Reporting conference Thursday. "The project was made from people who had no idea about data security at the start."

They began by searching for basic security cameras, such as finding and taking control of a surveillance camera inside a nightclub. After that, they graduated to finding compromised control systems at military installations and railroads. In one case, they found a security company's list of clients and passwords in the clear online. In another, they could have accessed who was allowed to enter or leave a military building. Another device on the open Internet could have allowed them to switch off a railway fire-alarm system.


Microsoft warns Windows PCs also vulnerable to 'Freak' attacks

By Jim Finkle BOSTON (Reuters) - Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered "Freak" security vulnerability, which was initially believed to only threaten mobile devices and Mac computers, Microsoft Corp warned. News of the vulnerability surfaced on Tuesday when a group of nine security experts disclosed that ubiquitous Internet encryption technology could make devices running Apple Inc's iOS and Mac operating systems, along with Google Inc's Android browser, vulnerable to cyber attacks. Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the "Freak" vulnerability.

[in Reuters]
Containers and Microservices at @CloudExpo New York By @IoT2040 [#Cloud]
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices.

Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last year, CoreOS shook up the community with its Rocket containers announcement. Part of Rocket's strategy is apparently to return to the notion of a container as, well, a container, in the face of Docker expanding its container strategy upward into the overall PaaS realm. Meanwhile, Red Hat has its own view of containers.

Along with that, there are viewpoints that perhaps containers haven't been used well up to this point. Red Hat's Gordon Haff, for example, a regular Cloud Expo speaker, recently wrote that developers and their customers need to re-think the concept of services themselves, and how they should be deployed discretely and loosely. Rather than just stuff an OS into a container, for example, developers and deployers should consider a spectrum of microservices and what they can do.

Cloud Expo is still accepting submissions for this new track, so please visit www.cloudcomputingexpo.com for the latest information. As always, Cloud Expo is staying right on top of what's going on in this fast-evolving world. We look forward to seeing you in New York.

© 1999-2015 NewsKnowledge