Current Topic: Computer Security

MD5 considered harmful today

Topic: Computer Security
11:39 am EST, Dec 30, 2008
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

State of IP Spoofing

Topic: Computer Security
9:22 am EST, Dec 11, 2008
This report, provided by MIT ANA, intends to provide a current aggregate view of ingress and egress filtering and IP Spoofing on the Internet. While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we have received reports. The more client reports we receive the better - they increase our accuracy and coverage.

RE: U.S. Is Losing Global Cyberwar, Commission Says - BusinessWeek

Topic: Computer Security
2:27 pm EST, Dec 8, 2008
Report here. In particular note recommendation 17, in which the government is encouraged to enable driver's licenses or national ID cards to work online. The words "consistent with privacy and civil liberties" are thrown in there, but I think this development, and the massive civil liberties battles that will be associated with it, are inevitable. It's kind of like watching the birth of Skynet.

Chertoff: We're Closing that Boarding-Pass Loophole | Threat Level from Wired.com

Topic: Computer Security
12:32 am EST, Nov 18, 2008
DHS's Transportation Security Administration is currently testing an encrypted 2-D bar code that includes all the information from a boarding pass and is digitally signed to ensure the data hasn’t been altered. In the pilot, passengers show the bar code to TSA identity checkers, who use a scanner to read the image off the passenger’s smartphone, and then check the person’s identification against the decrypted information. The system also works using public-key cryptography, which lets the TSA use scanners that don’t need to connect to airline databases, and they don’t store records of who is traveling.

Really, really cool. Smart use of crypto to solve a real security problem. I never thought I'd say these three words but: Good job TSA!

RE: Microsoft Security Bulletin Advance Notification for October 2008

Topic: Computer Security
5:40 pm EDT, Oct 23, 2008
noteworthy wrote: Things that make you go "hmmm..." This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on October 23, 2008.

If you haven't seen it, Microsoft has just recently started publishing an immense amount of technical detail about these vulnerabilities. Look here and here.

Do You Email Under the Influence? Try ‘Mail Goggles’ » The StartUp Blog at PartnerUp

Topic: Computer Security
12:11 pm EDT, Oct 20, 2008
Google’s new test feature, “Mail Goggles,” part of the free Gmail service, can save those who send the occasional (or frequent) tipsy (or inebriated) email a whole lot of regret and an even bigger headache in the morning. When the goggles are active, they will require you to solve a few easy math problems before you hit “send.” Basically Google’s logic is that if you’re sober enough to solve the problems, then you’re sober enough to deal with the repercussions of your actions.

Ha!

Verisign and DNS Sec

Topic: Computer Security
10:12 am EDT, Oct 9, 2008
VeriSign, often criticized for trying to exercise too much control over the net, counter-proposes that its role be enlarged. Under its proposal (.pdf), the root zone file will be signed using keys it distributes to the root server operators and if enough of them sign the file, then it is considered official.

For some reason Verisign thinks they should be able to sign the root keys instead of ICANN. I can see absolutely no reason why that would be a good idea.

DNSSEC-bis for complete beginners (like me)

Topic: Computer Security
5:48 pm EDT, Sep 24, 2008
Below you will find explained all concepts of DNSSEC-bis in a way that furthers understanding.

A quick primer on DNSSEC, which you will need to understand shortly, I think.

Feds tighten security on .gov - Network World

Topic: Computer Security
2:33 pm EDT, Sep 22, 2008
All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites.

More on BGP Attacks -- Updated | Threat Level from Wired.com

Topic: Computer Security
11:17 am EDT, Aug 27, 2008
You can read how Anton Kapela and Alex Pilosov conducted their interception of the DefCon network traffic in the slides from their talk (.ppt). Their DefCon presentation, by the way, was an unscheduled, last-minute talk that occurred at the end of the last day of the DefCon conference, so it hadn't appeared on the conference schedule.

Worth a look.