We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

MD5 considered harmful today

Ross Anderson gave a TechTalk last week.

Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools.

I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Evildoers online divide roughly into two categories - those who don't want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?

Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I'll describe a number of dubious business enterprises we've unearthed.

Recent advances in algorithms, such as Newman's modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution.

I'll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.

Ooh ... I went to that :)

Searching For Evil

In an effort to protect users from fraud and phishing schemes, eBay subsidiary PayPal is preparing to offer secure key fobs. The devices, which display a six-digit code that changes every 30 seconds, will be made available free to all PayPal business users, and will cost $5 for all personal PayPal account users. Those who opt in on the key fob will have to enter the six-digit code when logging in to PayPal.

PayPal to combat phishing with key fobs

Microsoft Research has released a new tool to help pinpoint large-scale typo-squatters that are known to be gaming pay-per-click domain parking services.

Microsoft Ships 'URL Tracer' to Hunt Down Typo-Squatters

Decius wrote:

While some storage-product companies already support one sort of encryption or another, having standard implementations could make it easier for customers to safeguard data across heterogeneous storage environments, standards supporters say.

The proposed standards define three encryption algorithms and a method of key management designed to ensure the compatibility and interoperability of different storage gear. For encryption on disk, the specification proposes using the new Liskov, Rivest, Wagner-Advanced Encryption Standard (LRW-AES) cryptographic algorithm. For tape encryption, it proposes using the National Institutes of Standards and Technologies' (NIST) AES Galois/Counter Mode (AES-GCM) and AES Counter with CBC-MAC Mode (AES-CCM) standards.

Galois/Counter Mode? BTW this article's comments about CBC are wrong. You cannot do arbirary data mangling in CBC. He is thinking of ECB. The problem with CBC is its slow...

Until relatively recently, many folks didn't really understand the gravity of chosen ciphertext attacks on the standard modes of encryption. The common attitude has been that the ciphertext is opaque somehow and tamper-resistent because if anyone changes it, it will just decrypt to "garbage."

In fact there are practical attacks on some implementations of CBC (e.g. Vaudenay's "padding oracle" attack (Vaudenay02)) that can completely unravel it. Standard cipher modes tend to have the characteristic that every ciphertext will decrypt to "something" so if your adversary has an opportunity to submit arbitrary ciphertexts to you for decryption, you absolutely must authenticate the ciphertext somehow.

The obvious thing to do here is to run some MAC over your CT but there have been some efforts recently (e.g. Rogaway's patent-encumbered OFB mode) to devise authenticated encryption modes with marginal overhead above and beyond that of encrypting the data.

Black and Uturbia's Usenix Security 02 paper on this.

RE: Standards on the way for encrypting data on tape, disk

A more important issue, one on which the silence is deafening, is that authentication systems are useless without some sort of reputation database. You get a message, it’s 100% authenticated that it came from flurble.net but you’ve never heard of flurble.net. Now what? The unstated assumptions seem to be that for now we all have our informal private lists of friendly domains that we will whitelist, and eventually there will be shared reputation systems to plug into. The faith in shared reputation systems is touching, particularly considering all of the moaning and groaning there is about DNSBLs, the reputation systems that exist now.

The Politics of Email Authentication, 2006 Edition

Decius wrote:

The Department will also implement Basic Access Control (BAC) to mitigate further any potential threat of skimming or eavesdropping. BAC recently has been adopted as a best practice by the ICAO New Technologies Working Group and will soon be formally added to the ICAO specifications. BAC utilizes a form of Personal Identification Number (PIN) that must be physically read in order to unlock the data on the chip. In this case, the PIN will be derived from the printed characters from the second line of data on the Machine-Readable Zone that is visibly printed on the passport data page. The BAC also results in the communication between the chip and the reader being encrypted, providing further protection.

Most of the folks commenting on the new RFID rule didn't mention this. This will satisfy most of the security concerns.

But see Schneier's piece on Wired about it.

RE: Anti-skimming covers are not the only feature in new passports.

The company has identified 13 different spamming operations that use such "zombies," it said Thursday. A lawsuit was filed against unnamed defendants in August. Since then Microsoft has tracked down some of the people behind the operations, said Tim Cranton, director of Internet Safety Enforcement Programs at Microsoft in Redmond, Wash.

My new day job is keeping gmail safe from the undead hordes. Zombies are bad. bad bad bad bad bad bad!

Microsoft takes on spam zombies

] A locally exploitable flaw has been found in the Linux
] ELF binary format loader's core dump function that allows
] local users to gain root privileges and also execute
] arbitrary code at kernel privilege level.

This affects all of 2.2/2.4/2.6.

Linux ELF Core Dump Priviledge Escalation

Decius wrote:
] ] The Handbook was reprinted (5th printing) in August 2001.
] ] The publisher made all the various minor changes and
] ] updates we submitted.
]
] While this reference is a bit more academic then Schneier's
] book, it is quite useful, and now its available for free
] online. Enjoy!

Nice ... we had access to it online while I was taking such a class in the spring.

I have to say that knowing what I know now, Schneier's
has some shortcomings. e.g. Schneier doesn't give any
analytic framework whatsoever to reason about the security of various constructions from crypto primitives.

What's worse, though probably far from Schneier's intent, it has the effect of giving a lot of folks just enough knowledge to be dangerous. They read AC and then feel empowered to go roll their own crypto for some project instead of using off-the-shelf standards (PGP, X.509, even RSA PKCS, etc). And they get it wrong every time.

RE: Handbook of Applied Cryptography