Dutch chipmaker NXP Semiconductors has sued a university in The Netherlands to block publication of research that details security flaws in NXP's Mifare Classic wireless smart cards, which are used in transit and building entry systems around the world.

Dutch chipmaker sues to silence security researchers | Tech news blog - CNET News.com

The computer attackers who took down Comcast's homepage and webmail service for over five hours Thursday say they didn't know what they were getting themselves into.

In an hour-long telephone conference call with Threat Level, the hackers known as "Defiant" and "EBK" expressed astonishment over the attention their DNS hijacking has garnered. In the call, the pair bounded freely between jubilant excitement over the impact of their attack, and fatalism that they would soon be arrested for it.

Neither hacker would identify their full names or locations. Defiant's MySpace profile lists him in Cashville, Tennessee, but he says that's incorrect. His girlfriend lists herself in New York. Threat Level expects both hackers' names and locations will emerge shortly.

This is entertaining... One of those cases where you really gotta sympathize with the perps. It was a prank - fairly innocent. Egg on Comcast's face for getting outsmarted by a couple of teenage pot heads. Hope they don't throw the book at them. This isn't the mafia here.

Comcast Hijackers Say They Warned the Company First | Threat Level from Wired.com

I think the authors have demonstrated a powerful tool that could be a useful asset to a vulnerability analyst, but their abstract, and the conclusions they draw, assume solutions to difficult problems that remain unsolved in the open, public security research space.

Xpost

Frequency X Blog: More on Automatic Exploit Generation

Protecting the Internet Without Wrecking It
How to meet the security threat
Jonathan Zittrain

With responses by Bruce M. Owen, Richard Stallman, Susan Crawford , David D. Clark, Roger A. Grimes, and Hal Varian;

There is a hell of a lot of writing here but the basic idea seems to be that the way to develop secure computers without resorting to the creation of trusted computing type closed systems like the xbox is to create a trusted computer with a more democratic control system instead of putting all of the power in the hands of a signal software vendor.... a reputation system for code.

Boston Review — Jonathan Zittrain on Protecting the Internet Without Wrecking It

Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.

More info here.

Targeted malware attacks against pro-Tibet groups - F-Secure Weblog : News from the Lab

According to his affidavit, Pasdar tumbled to the surveillance superhighway in September 2003, when he led a "Rapid Deployment" team hired to revamp security on the carrier's internal network. He noticed that the carrier's officials got squirrelly when he asked about a mysterious "Quantico Circuit" -- a 45 megabit/second DS-3 line linking its most sensitive network to an unnamed third party.

Quantico, Virginia, is home to a Marine base. But perhaps more relevantly, it's also the center of the FBI's electronic surveillance operations.

"The circuit was tied to the organization's core network," Pasdar writes in his affidavit. "It had access to the billing system, text messaging, fraud detection, web site, and pretty much all the systems in the data center without apparent restrictions."

I hope the feds put a firewall on the other side, otherwise....

Whistle-Blower: Feds Have a High-Speed Backdoor Into Wireless Carrier | Threat Level from Wired.com

Support from studios has been widely cited as the reason for Blu-ray's victory, but few consumers know that the studios were likely won over by the presence of a digital lock on movies called BD+, a far more sophisticated and resilient digital rights management, or DRM, system than that offered by HD DVD.

This is very interesting.

How Crypto Won the DVD War | Threat Level from Wired.com

bucy wrote:

Pakistan Telecom then made an error by announcing that dummy route to its own telecommunications partner, PCCW, based in Hong Kong, shortly before noon New York time on Sunday, according to Renesys.

PCCW then made a second error, accepting that dummy route for YouTube and relaying it to other Internet providers around the world.

Except that everyone makes this "error." No one dutifully filters routes they accept from peers. The core point here is that anyone with a BGP feed can take anyone else out pretty much whenever.

RE: Pakistan Cuts Access to YouTube Worldwide - New York Times

President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems.

Bush Order Expands Network Monitoring - washingtonpost.com

Greg Conti published a book last October!

Information overload. If you're responsible for maintaining your network's security, you're living with it every day. Logs, alerts, packet captures, and even binary files take time and effort to analyze using text-based tools - and once your analysis is complete, the picture isn't always clear, or timely. And time is of the essence.

Information visualization is a branch of computer science concerned with modeling complex data using interactive images. When applied to network data, these interactive graphics allow administrators to quickly analyze, understand, and respond to emerging threats and vulnerabilities.

Security Data Visualization is a well-researched and richly illustrated introduction to the field. Greg Conti, creator of the network and security visualization tool RUMINT, shows you how to graph and display network data using a variety of tools so that you can understand complex datasets at a glance. And once you've seen what a network attack looks like, you'll have a better understanding of its low-level behavior - like how vulnerabilities are exploited and how worms and viruses propagate.

You'll learn how to use visualization techniques to:

# Audit your network for vulnerabilities using free visualization tools, such as AfterGlow and RUMINT
# See the underlying structure of a text file and explore the faulty security behavior of a Microsoft Word document
# Gain insight into large amounts of low-level packet data
# Identify and dissect port scans, Nessus vulnerability assessments, and Metasploit attacks
# View the global spread of the Sony rootkit, analyze antivirus effectiveness, and monitor widespread network attacks
# View and analyze firewall and intrusion detection system (IDS) logs

Security visualization systems display data in ways that are illuminating to both professionals and amateurs. Once you've finished reading this book, you'll understand how visualization can make your response to security threats faster and more effective

You can download Chapter 5, "One Night on my ISP", from the publisher.

Security Data Visualization: Graphical Techniques for Network Analysis