Current Topic: Computer Security

How To Save The Internet - SECURITY - CIO Magazine Mar 15, 2005
Topic: Computer Security
11:02 am EST, Mar 17, 2005

] "Let's make all end user devices nonprogrammable," he says. "No one can connect to the Internet on a machine that creates code. If you want a computer to do programming, you would have to be licensed. We could license software companies to purchase programmable machines, which would be completely traceable along with the code created on them."
]
] That would blunt the information security problems - suddenly all that intelligence at the edge of the network that Amoroso wants to pull back in isn't just gone; it's physically stripped. On the other side, new levels of accountability and liability are created through licensing developers and eliminating anonymity from coding.

A collection of ideas for working on the computer security problem. Some are good, some are naive, some are absolutely Orwellian, none of them are new. The fact that they are being considered at this level is worth noting.

It's all about power. The way the Internet works today, with end-user-controllable devices and the security problems, is the result of a power struggle with the phone company about who gets to control innovation. Most of the solutions proposed here involve changing that balance of power. In favor of whom is the question. All of these things will involve a fight. Some you'll want to fight for, others you'll need to fight against.

The reason DHS can't keep anyone in the computer security czar job for very long is that the people who want that job believe it should be a peer of the Surgeon General and the administration doesn't feel that it's THAT important. It's all about power.

There are a lot of people in this industry who see so red over a few spams that they are ready to lock everyone in a cell. These people need to be checked. My fear is that this list is like Patriot Act ][: a collection of poorly considered authoritarian ideas that is kept close by. Break glass in event of major catastrophe. Then let them all spill out with little or no critical consideration and never get rid of them later.

Schneier on Security: The Failure of Two-Factor Authentication
Topic: Computer Security
5:35 pm EST, Mar 16, 2005

] Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.

Schneier has been getting a lot of attention out of this short essay. I don't agree with him. While I seriously doubt Microsoft is really "dropping passwords" from Longhorn, you are going to see two-factor authentication systems, likely involving cellphones, get deployed for certain kinds of Internet-based financial transactions. It's being playtested in Europe instead of here, because they have better cellphone penetration, but it's coming.

Schneier is right when he points out that two-factor auth doesn't solve the problem with MiTM. I'd also point out that pencils do not enable space travel. That doesn't make them useless. Two-factor auth solves the problem of offline credential stealing (in theory). Offline credential stealing is a real problem, and the only way to solve it is with two-factor auth. Even if you solve the MiTM problem, you still need to solve the offline credential stealing problem, and you are going to solve that problem with two-factor auth. You'll eventually need to get two-factor auth, one way or the other. I hope it's not a biometric, because biometrics are crap for totally unrelated reasons.

The way you address the MiTM problem is with better UI design. The banks and other groups who have an interest in computer security need to pay to get people on the Firefox team to really explore stronger methods of indicating certificate status to end users. The way we do this is really bad. Hell, Safari doesn't even let you pull up certificate details!!! Developers seem to make these security messages either annoying or invisible. It is possible to make them attention grabbing and informative while also not requiring user interaction. It's just a matter of getting it done.

As for Schneier's trojan idea, it sounds neat in theory but in practice I don't think it's ever been done. There are lots of ways to make it hard. A way to tell browsers never to write a particular cookie to disk is a good start. Another is to log the user out upon cookie replay.

Another thing I'd like to see is a standard for HTTP transactions that supports authentication but not encryption. The reason is that encryption is too expensive for many websites to scale. Auth only could happen more cheaply, and that might spur more people to use it and become familiar with it. Authentication is more important than encryption for most threat models in modern networks. We're not worried about the FBI stealing your credit card number.

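The two mitigations named above, a session cookie the browser never persists and a forced logout when an old cookie is replayed, as an added Python example. This is not code from Schneier's essay or from this post; the class and function names are this example's own, and the store is in-memory only.

```python
import secrets

# Added example: a server-side session store that rotates the session cookie on
# every request and terminates the whole session when a retired cookie is
# presented again, i.e. "log the user out upon cookie replay". Names are this
# example's own, not from any framework.

SECURE_COOKIE_ATTRS = "Path=/; Secure; HttpOnly"


def set_cookie_header(token):
    """Build a Set-Cookie header with no Expires/Max-Age, so the browser treats
    the cookie as session-only and does not write it to disk."""
    return "Set-Cookie: session=%s; %s" % (token, SECURE_COOKIE_ATTRS)


class RotatingSessionStore:
    def __init__(self):
        self._live = {}      # currently valid token -> session id
        self._retired = {}   # tokens already rotated away -> session id
        self._users = {}     # session id -> user name

    def login(self, user):
        sid = secrets.token_hex(8)
        self._users[sid] = user
        return self._issue(sid)

    def _issue(self, sid):
        token = secrets.token_urlsafe(32)
        self._live[token] = sid
        return token

    def use(self, token):
        """Validate the token presented with a request.
        Returns (user, fresh_token), or (None, None) if the request is rejected."""
        sid = self._live.pop(token, None)
        if sid is None:
            # Unknown token: if it is one we retired, somebody is replaying a
            # captured cookie. Fail closed and kill the whole session.
            replayed_sid = self._retired.get(token)
            if replayed_sid is not None:
                self._terminate(replayed_sid)
            return None, None
        self._retired[token] = sid
        return self._users[sid], self._issue(sid)

    def _terminate(self, sid):
        self._users.pop(sid, None)
        self._live = {t: s for t, s in self._live.items() if s != sid}
        self._retired = {t: s for t, s in self._retired.items() if s != sid}

    def is_logged_in(self, user):
        return user in self._users.values()


def replay_scenario():
    """Constructed walk-through: a legitimate session, then a replayed cookie."""
    store = RotatingSessionStore()
    t1 = store.login("alice")
    user, t2 = store.use(t1)          # normal request, cookie rotates
    _, t3 = store.use(t2)             # another normal request
    replay = store.use(t1)            # a captured old cookie is presented
    return {
        "first_request_user": user,
        "replay_rejected": replay == (None, None),
        "alice_logged_out": not store.is_logged_in("alice"),
        "current_cookie_rejected": store.use(t3) == (None, None),
    }
```

Two caveats a deployment has to live with: the retired-token table needs an expiry so it does not grow without bound, and a legitimate client that retries a request whose response was lost will present a retired token and be logged out; that is the fail-closed behaviour the approach buys.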
MD5 collision method published
Topic: Computer Security
11:05 pm EST, Mar 14, 2005

] At last, the secret of how to make MD5 collisions is out!

Checklists / Implementation Guides
Topic: Computer Security
12:41 am EST, Mar 14, 2005

3rd interesting thing learned at Interz0ne. This is a nice collection of federal security hardening checklists for various commercial systems, including Cisco & Juniper routers, UNIX, and Windows variants. The Rainbow series is also linked from this site.

HOWTO Anonymity with Tor and Privoxy - Gentoo Linux Wiki
Topic: Computer Security
7:49 pm EST, Mar 13, 2005

] This HOWTO explains how to browse the web anonymously by using Tor (http://tor.eff.org/) (TheOnionRouter) and Privoxy (http://www.privoxy.org/)

This HOWTO explains how to use Tor and Privoxy together to get fairly strong anonymity protection. Combined with SwitchProxy in Firefox this could be quite useful. Thing is, you'd think that a lot of the features of Privoxy could be implemented as Firefox plugins rather than running this dual proxy setup, but that's just the engineer in me bitching about efficiency. I think that this setup would likely work reasonably well, given the performance impact of onion routing.

proxyjudge.org - anonymity and security
Topic: Computer Security
7:43 pm EST, Mar 13, 2005

What I found this evening in playing around with SwitchProxy is that there are a lot of really bad free proxies out there. I really don't understand why, if someone was going to go to the time and trouble of running an open HTTP proxy, they would use software that doesn't cull out user agent information, or worse, inserts the IP address of the originating host in the HTTP headers! (Upon further consideration I think what is going on here is that people are using proxies to bypass network layer net-nanny type services that filter by IP. As long as you update your proxy list faster than they update their block list, you can access any website.)

A lot of the services that provide proxy lists provide proxies of dubious value. Many that seem to rank proxies don't offer a nice text-based output that can be fed into SwitchProxy. If anyone knows of a solid, filtered list of proxies please let me know. This service will give you some decent information about how good your proxy really is.

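What a proxy-judge endpoint actually does with the request it receives, as an added Python example (not proxyjudge.org's own code): it checks whether the tester's real address appears in any forwarding header and whether the proxy's presence is visible at all. The transparent / anonymous / elite vocabulary is the common informal one and is assumed here, not taken from the site; the header sets are constructed, and 203.0.113.x is a documentation address range.

```python
# Added example: classify what an HTTP proxy actually hides, from the headers
# a judge endpoint receives. Levels and header lists are this example's own.

IP_LEAK_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip", "client-ip",
                   "x-client-ip", "x-originating-ip")
PROXY_MARKER_HEADERS = IP_LEAK_HEADERS + ("via", "x-proxy-id", "proxy-connection")


def classify_proxy(received_headers, real_client_ip, sent_user_agent):
    """Return a verdict dict for one request that traversed the proxy under test.

    received_headers: headers as seen by the judge endpoint
    real_client_ip:   the tester's own public address (what must stay hidden)
    sent_user_agent:  the User-Agent the tester's browser sent into the proxy
    """
    h = {k.lower(): v for k, v in received_headers.items()}
    leaks = [name for name in IP_LEAK_HEADERS
             if name in h and real_client_ip in h[name]]
    markers = [name for name in PROXY_MARKER_HEADERS if name in h]
    if leaks:
        level = "transparent"      # the judge learns the real client address
    elif markers:
        level = "anonymous"        # proxy use is visible, real address is not
    else:
        level = "elite"            # indistinguishable from a direct connection
    return {
        "level": level,
        "ip_leak_headers": leaks,
        "proxy_markers": markers,
        # A proxy that passes the browser's User-Agent through unchanged still
        # contributes to fingerprinting even when it hides the address.
        "user_agent_forwarded": h.get("user-agent") == sent_user_agent,
    }


# Constructed samples of what three different proxies might deliver to the judge.
REAL_IP = "203.0.113.7"
UA = "Mozilla/5.0 (constructed sample)"
SAMPLES = {
    "leaky": {"X-Forwarded-For": REAL_IP, "Via": "1.1 proxy.example", "User-Agent": UA},
    "anonymous": {"Via": "1.1 proxy.example", "User-Agent": UA},
    "elite": {"User-Agent": "curl/7.0", "Accept": "*/*"},
}


def classify_samples():
    return {name: classify_proxy(hdrs, REAL_IP, UA)["level"]
            for name, hdrs in SAMPLES.items()}
```

An X-Forwarded-For carrying some other address (a chained proxy, or one that deliberately inserts a decoy) counts only as a marker, not as a leak; the check is about whether the tester's own address gets through.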
Demo: Differences between JPEG Images and their EXIF Thumbnails
Topic: Computer Security
6:41 pm EST, Mar 13, 2005

] We wrote some software to retrieve images from the Web and check if their thumbnails differ from the original images. In some cases we found interesting stuff, sometimes we even found hidden port but most of the stuff was boring.
]
] To give others the opportunity to see what images turn up without having to spider the web and help us to weed out the interesting images we wrote this simple Web-Application which resembles Hot or NOT. Just rate the image with the buttons at the top to see the next image.

1st interesting thing learned at Interz0ne: EXIF thumbnails are often left unmodified by Photoshop manipulations.

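The mechanics behind the demo, as an added Python example that is not the site's software: the EXIF block inside a JPEG is a small TIFF structure, and its second directory (IFD1) points at an embedded thumbnail JPEG. The code below pulls that thumbnail out with the standard library only, reads both images' dimensions from their Start-Of-Frame segments, and flags an aspect-ratio mismatch, which is a quick hint that the main image was cropped after the thumbnail was generated. The fixture builder constructs a minimal JPEG skeleton with no scan data so the example runs offline.

```python
import struct

# Added example: extract the EXIF thumbnail from a JPEG and compare aspect
# ratios. Pure stdlib; the sample JPEG is constructed by build_sample_jpeg.

SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def _segments(data):
    """Yield (marker, payload) for each JPEG segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):    # EOI, or SOS: entropy-coded data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def jpeg_dimensions(data):
    """(width, height) from the first Start-Of-Frame segment, or None."""
    for marker, payload in _segments(data):
        if marker in SOF_MARKERS:
            height, width = struct.unpack(">HH", payload[1:5])  # [0] is precision
            return width, height
    return None


def extract_exif_thumbnail(data):
    """Return the thumbnail JPEG bytes referenced by EXIF IFD1, or None."""
    tiff = None
    for marker, payload in _segments(data):
        if marker == 0xE1 and payload[:6] == b"Exif\x00\x00":
            tiff = payload[6:]
            break
    if tiff is None:
        return None
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return None
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    (n0,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    link = ifd0 + 2 + 12 * n0                      # next-IFD pointer after IFD0
    (ifd1,) = struct.unpack(endian + "I", tiff[link:link + 4])
    if ifd1 == 0:
        return None
    (n1,) = struct.unpack(endian + "H", tiff[ifd1:ifd1 + 2])
    offset = length = None
    for i in range(n1):
        entry = ifd1 + 2 + 12 * i
        tag, _typ, _cnt, value = struct.unpack(endian + "HHII", tiff[entry:entry + 12])
        if tag == 0x0201:      # JPEGInterchangeFormat: thumbnail offset
            offset = value
        elif tag == 0x0202:    # JPEGInterchangeFormatLength
            length = value
    if offset is None or length is None:
        return None
    return tiff[offset:offset + length]


def check_thumbnail_consistency(data, tolerance=0.02):
    main = jpeg_dimensions(data)
    thumb = extract_exif_thumbnail(data)
    thumb_dims = jpeg_dimensions(thumb) if thumb else None
    match = None
    if main and thumb_dims:
        match = abs(main[0] / main[1] - thumb_dims[0] / thumb_dims[1]) <= tolerance
    return {"main": main, "thumbnail": thumb_dims, "aspect_match": match}


def build_sample_jpeg(main_size, thumb_size):
    """Constructed fixture: a JPEG skeleton whose big-endian EXIF carries a
    thumbnail of thumb_size while the main frame is main_size."""
    def sof0(size):
        width, height = size
        payload = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
        return b"\xff\xc0" + struct.pack(">H", len(payload) + 2) + payload
    thumb = b"\xff\xd8" + sof0(thumb_size) + b"\xff\xd9"
    ifd0, ifd1 = 8, 8 + 2 + 12 + 4                # header, IFD0 with one entry
    thumb_off = ifd1 + 2 + 2 * 12 + 4             # IFD1 with two entries
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0)
    tiff += struct.pack(">H", 1) + struct.pack(">HHIHH", 0x0112, 3, 1, 1, 0)  # Orientation
    tiff += struct.pack(">I", ifd1) + struct.pack(">H", 2)
    tiff += struct.pack(">HHII", 0x0201, 4, 1, thumb_off)
    tiff += struct.pack(">HHII", 0x0202, 4, 1, len(thumb))
    tiff += struct.pack(">I", 0) + thumb
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xff\xd8" + app1 + sof0(main_size) + b"\xff\xd9"
```

Aspect ratio only catches cropping; a retouch that keeps the frame needs the pixel-level comparison the demo site does. Either way, the defensive fix is the same: re-generate or strip the EXIF block before publishing an edited image.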
Tracking PCs anywhere on the Net | CNET News.com
Topic: Computer Security
11:08 am EST, Mar 9, 2005

] In practice, Kohno's paper says, his techniques "exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device."

Your TCP packets all contain a cookie.

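How a clock-skew estimate falls out of the timestamps, as an added Python example that is not from Kohno's paper or the article: each TSval is converted to sender seconds elapsed since the first segment, the observer's elapsed time is subtracted, and the slope of that residual is the sender's skew in parts per million. Kohno et al. fit the line with linear programming; this example substitutes ordinary least squares, which is enough to show the effect. The flows are constructed, not captured, and the tick-rate list is this example's assumption.

```python
import random

# Added example: estimate a sender's clock skew from (arrival_time, TSval)
# pairs. Least-squares fit instead of the paper's linear programming.

COMMON_TS_HZ = (1, 10, 100, 250, 1000)   # typical TCP timestamp tick rates (assumed)


def estimate_ts_hz(samples):
    """Guess the sender's timestamp tick rate from the first and last sample."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    raw = (v1 - v0) / (t1 - t0)
    return min(COMMON_TS_HZ, key=lambda hz: abs(hz - raw))


def estimate_skew_ppm(samples):
    """samples: list of (arrival_time_seconds, tsval). Returns (skew_ppm, hz).

    Residual y = sender seconds elapsed - observer seconds elapsed; its slope
    against observer time is the sender's skew relative to the observer.
    """
    hz = estimate_ts_hz(samples)
    t0, v0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(v - v0) / hz - x for (_, v), x in zip(samples, xs)]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6, hz


def synth_flow(skew_ppm, hz=100, n=120, interval=5.0, seed=1):
    """Constructed flow: one segment every `interval` seconds from a sender whose
    clock runs `skew_ppm` fast, observed with 0-20 ms of arrival jitter."""
    rng = random.Random(seed)
    base = 123456                   # arbitrary TSval at connection start
    samples = []
    for i in range(n):
        sender_time = i * interval
        arrival = sender_time + rng.uniform(0.0, 0.020)
        tsval = base + int(hz * sender_time * (1 + skew_ppm / 1e6))
        samples.append((arrival, tsval))
    return samples
```

Run `estimate_skew_ppm(synth_flow(200))` and the fit lands within a few ppm of 200 despite millisecond-scale jitter and tick quantisation, which is why the technique works across NAT and address changes. The blunt defence is to stop sending the option (on Linux the `net.ipv4.tcp_timestamps` sysctl), at the cost of the RTT-measurement and PAWS features RFC 1323 introduced it for.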
RFIDAnalysis.org
Topic: Computer Security
2:27 pm EST, Feb 18, 2005

] The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems. A preliminary version of the full academic paper describing our attacks in detail is also available below.

Shmoo DNS attack
Topic: Computer Security
1:57 pm EST, Feb 7, 2005

Essentially the issue is that you can register domain names using international character sets that look exactly like English, and obtain SSL certificates for them, and it is extremely difficult for the end user to be able to tell that he/she isn't dealing with the English website. Working example of https://www.paypal.com/ demonstrated.

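A defender-side check for the look-alike labels described above, as an added Python example that is not part of the Shmoo writeup: punycode (`xn--`) labels are decoded, a label whose characters come from more than one script (Latin plus Cyrillic, say) is flagged, and every non-ASCII character is listed by Unicode name so a reviewer can see what is actually there. The sample hostname is constructed here by substituting a Cyrillic small a (U+0430) for the Latin one; the script names come from `unicodedata` character names, which is a heuristic rather than a full Unicode script database.

```python
import unicodedata

# Added example: flag mixed-script hostname labels after punycode decoding.
# Heuristic only; names and thresholds are this example's own.

HOSTNAME_NEUTRAL = set("-0123456789")   # script-neutral characters in labels


def to_unicode_hostname(hostname):
    """Decode any xn-- (punycode) labels; pass already-Unicode input through."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname


def label_scripts(label):
    """Set of script names (first word of each character's Unicode name)."""
    scripts = set()
    for ch in label:
        if ch in HOSTNAME_NEUTRAL:
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def check_hostname(hostname):
    """Return {'display', 'suspicious', 'findings'} for a hostname."""
    display = to_unicode_hostname(hostname.strip().lower())
    findings = []
    for label in display.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append("mixed-script label %r: %s"
                            % (label, ", ".join(sorted(scripts))))
        for ch in label:
            if ord(ch) > 0x7F:
                findings.append("non-ASCII U+%04X %s in %r"
                                % (ord(ch), unicodedata.name(ch, "?"), label))
    return {"display": display, "suspicious": bool(findings), "findings": findings}


# Constructed sample: the Latin 'a' in the second label replaced by U+0430.
SAMPLE_LOOKALIKE = "www.p\u0430ypal.com".encode("idna").decode("ascii")
```

Browsers later adopted essentially this rule (show punycode rather than the decoded form when a label mixes scripts), which is why the same trick renders as `xn--...` in current UIs; a single-script look-alike (a wholly Cyrillic label) still gets past a mixed-script check, so the non-ASCII listing matters too.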