electricinca.com

Robert Graham of Errata Security has demonstrated at the Black Hat hacker conference in Las Vegas an exploit that allows attackers to login to users accounts without a password on webmail and social networking sites by stealing cookies.

Attackers would be able to real and post messages posing as the genuine user of the account, they would not however be able to make any major changes to any accounts they had hijacked as sites require users to enter a password for such activities.

Labels: Computer security

TrueCrypt is free software that encrypts data “on-the-fly”. You can create an encrypted hard drive, a separate partition or a directory. TrueCrypt is portable -- it works on GNU/Linux and Windows. Worried about losing your valuable data when your laptop gets stolen? Don't wait and encrypt your data now!

read more | digg story

Labels: Computer security, Digg

TrueCrypt is really astonishingly wonderful piece of crytographic software and unfortunately and ironically for me it is too good at what it does.

TrueCrypt is a free and open source utility that performs on on-the-fly encryption allowing the user to create a virtual encrypted disk (TrueCrypt volume). TrueCrypt can either create an encrypted file that acts as a real disk or encrypt an entire hard disk partition or a storage device/medium, such as floppy disk or USB memory stick.

One of the best features of the TrueCrypt software is that allows you to use passwords based upon the content of files. So you designate one or more files as keyfiles and it combines that with the password you type in to create an ultra-secure unbreakable password. So say you choose the password Gazza after your favourite footballer of the 90s this would be a trivial password for a brute force attack to crack but if you were to combine it with a keyfile of an MP3 of Fog On The Tyne then it would become immeasurably more difficult.

However should you ever lose the keyfiles that you chose to use or like me forget which ones that you used the TrueCrypt volume that you have created becomes impossible to open and you lose all the data you have so carefully secured.

Luckily for me the drive that I had encrypted was merely used to back up important data for my publishing business and so I didn't lose anything but the time it took to reformat the disk and back up all my business data yet again.

I do wonder what would have happened should I have been compelled to decrypt the volume under Part III of the Regulation of Investigatory Powers Act 2000 as clearly I really could not have done so.

Labels: Computer security

The Financial Times have asked the readers of their website Should music companies drop DRM? [via]

There appears to be overwhelming opposition to DRM amongst voters as the current tally shows 98% opposed.

Labels: Computer security

Following on from Eliot Van Buskirk's Wired column Who's Killing MP3 and iTunes? (in which he pontificated on the future of the MP3 file format in comparison to DRMed alternatives like Apple's AAC format as sold in their iTunes online store) there is the news that EMI has announced that it will no longer produce CDs with DRM.

One swallow doesn't make a summer but this would seem to be an indication that even the record companies are coming to doubt the efficacy of DRM.

Labels: Computer security

Earlier this year the UK Passport Service (now the Identity and Passport Service) started to introduce Biometric Passports (pdf link) in an effort to vastly improve the security of the passport system. In their words

To:
• help fight passport fraud and forgery;
• help the public and the UK to fight identity fraud;
• ensure the British Passport stays one of the most secure and respected in the world;

However it seems that according to a report in today's Guardian that these new ultra-secure passports aren't all they are cracked up to be and that the security has been severely undermined by a number poor decisions made in the implementation of the sytem.

Firstly they have opted to use RFID chips to store the data in accordance to standards drawn up by the International Civil Aviation Organization. The use of RFID to store the data is bad enough but the ICAO standard also directs that the key used to access the data should be comprised of , in the following order, the passport number, the holder's date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a "machine readable zone."

Bruce Schneier an authority in the area of security has written a number of times about the security wreckage associated with passports containing RFIDs.

• April 28, 2005 RFID Passport Security

• November 03, 2005 The Security of RFID Passports

Including on August 03, 2006 Hackers Clone RFID Passports a very similar hack to the one carried out by Adam Laurie on behalf of The Guardian newspaper.

Most recently Schneier has revealed that The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has recommended against putting RFID chips in identity cards. Whether the US government heeds this advice is yet to be seen but unfortunately for us in Britain our government has already made the poor choice.

The security measures in place to prevent unauthorized access to the data held on the chip work by creating a encrypted 'conversation' between the chip and the reader. Interestingly they have used the Triple DES algorithm for the encryption instead of AES which was introduced to replace Triple DES in 2002 and which is much more efficient. However the choice of algorithm is a secondary concern compared with how it was implemented with a key that is comprised of non-secret information that is published in the passport itself.

As Laurie puts it so eloquently "That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."

Labels: Computer security, ID Cards, Security

The BBC reports on a new service that is designed to help users reduce their risk of identity theft through a monitoring facility. The service is kind of like the constant surveillance of the Orwellian Big Brother but where the individual is in control of the surveillance upon themselves.

The Garlik Datapatrol service has been set up by the founders of the internet bank Egg with the intention of putting users back in control of the information that is held on them in public databases that are easily accessible through the internet.

The service brings together from the internet, public databases, and Credit Reports all the personal information it can find on a user and then displays it in a simple online format. Then on a monthly basis users will receive an update summary of additions or changes to their online profile as well as highlighting any risks or suspicious activity.

By facilitating individuals access to the information that is held on them the service puts its users on an equal footing with the criminals that might seek to steal their identities and as irregularities are often the first indication of a problem the monitoring system gives users an early warning and the possibility of nipping it in the bud before any negative consequences have occurred.

My only concerns are the security of Garlik's database and the trustworthiness of the company. They seem to have a fairly robust system to establish user's identity and to then authenticate users accessing the personal information gathered in the server database. But it presupposes that an individual's identifying information hasn't already been compromised or stolen.

I can see this service being a boon for identity theft rings who have enough data to register falsely for the service in order to further the scope of their thefts by letting Garlik do the legwork as it were in accruing further information.

Garlik's secure servers would also be a prime target for criminals and so I would hope that they have taken the security of their servers as seriously as any bank would with theirs. Is the physical access to the servers as well secured as the online access is?

My second concern would be that as a new company they haven't had the time to build a reputation or a record of establishment of trust. Registered users will be empowering the company and placing a lot of trust in the security of the service and the authenticity and accuracy of the personal information data provided to users. Having said that there is nothing to suggest that Garlik is in any way a disreputable company it is merely my natural paranoia.

I would have more faith in Garlik presently than I would in the UK government in securing any personal information I would give them.

Garlik are currently offering free trials to people signing up for the Datapatrol service at their website. http://www.garlik.com.

People with concerns about identity theft and security online should also take a look at the following website Get Safe Online which has been set up by banks and prominent internet companies.

Labels: Computer security, Security, Surveillance

The BBC reports that a senior Microsoft executive has promised that its new operating system will be more secure than ever.

Jean-Philippe Courtois, president of Microsoft International, said that beefing-up security was one reason behind delays to Windows Vista.

I think Microsoft should be applauded for their relatively recent commitment to the subject of security in their products particularly given their laissez-faire attitude to it up until a few years ago. But Microsoft promised the same thing about their previous Operating System release and Windows XP proved to be their least secure system ever until they beefed up the security with the Service Pack 2.

The thing about software security though is that it's effectiveness can only be judged in retrospect because modern software is now so complicated particularly operating systems that the process used to create it inevitably introduces bugs and security holes.

So the Microsoft engineers may well have patched all the security flaws that had been exposed through previous releases and the testing of this release of Windows Vista, but there will no doubt be new holes that have been inadvertantly created that no one has even conceived of yet.

One such newly introduced security hole has been discovered by researcher Joanna Rutkowska and it's a biggie. She describes it a blue pill a reference to the movie The Matrix and would allow a malicious hacker to completely compromise a system and the user would have no indication at all that their syetm had been compromised.

Rutkowska's Vista kernel attack did not rely on any known bugs in Vista, which is still in beta testing. She stressed that her demonstration did not rely on any implementation bug nor any undocumented Windows Vista functionality. She characterized her approaches as "legal," using documented SDK features.

As she says it did not rely on any known bug within Windows Vista so who knows what other security problems might have been engineered into the operating system that haven't yet been uncovered by Microsoft's own testers or by third party researchers.

Labels: Computer security, Security

I think Bruce Schneier's right on the money when he calls this Opinion Monitoring Software Orwellian.

It's like the sort of thing you can imagine a nascent Ministry of Truth using to separate the goodthinkers from the crimethinkers.

It starts out well enough and sounds like a useful tool to track world opinion on the US and its government's policies and as result make the US a more responsible player on the world stage.

A consortium of major universities, using Homeland Security Department money, is developing software that would let the government monitor negative opinions of the United States or its leaders in newspapers and other publications overseas.

Such a “sentiment analysis” is intended to identify potential threats to the nation, security officials said.

But like any tool there is scope for misuse of the technology should the research into it actually bear fruit in this case.

Labels: books, Computer security, Security

I know Microsoft is striving hard to improve the security of their operating systems but this is ridiculous.

At least 18770 Characters! Fucking hell!

Labels: Computer security, Security

"Weird Al" Yankovic amazingly catchy new tune about file-sharing is titled Don't download this song

It doesn't matter if you're a grandma
Or a seven year old girl
They'll treat you like the evil hard-bitten scum that you are.

See the video at Yahoo music or download the song. *wry smile*

Labels: Computer security

Things you might not know about Bruce Schneier

Via Mr Schneier himself.

Labels: Computer security, cryptography, humour

Are you tired of being yourself?

Why not become someone else at random. [via]

Or make up an email address that's usable for 24 hours.

Labels: Computer security, Security

Files are not for sharing is a crazy little webcomic spoof.

Labels: Computer security

There is a new trojan going around that deletes files that it suspects to be downloaded via P2P networks. The trojan unknowingly infects a user's computer and begins deleting files. The trojan, called Erazer-A, targets the default download directories used by numerous P2P programs.

Is the Record Industry resorting to taking desperate measure to combat filesharing? Highly unlikely.

This is probably just some moronic script kiddie who's taken it upon themselves to "save" the record industry. I don't know the full details but it seems like a pretty unsophisticated trojan.

read more | digg story

Labels: Computer security, Digg, Security

How does someone in Moscow step up to a cash machine and withdraw money from an account holder half a world away? Even when the debit card is still in the victim's wallet? To show me how easy it was, two executives from MagTek Inc., one of the largest makers of credit card stripe readers, visited MSNBC.com and gave a demonstration.

read more | digg story

Labels: Computer security, Digg, Security

The 4GB flash drive encrypts all data with 128-bit AES, and then adds an extra layer of security: a self destruct feature. If anyone tries to use a brute-force attack to guess your password, the drive will automatically erase itself after 25 wrong guesses.

Now that's what I call secure, or at least it would seem to be. The 128-bit AES encryption should be enough to prevent a brute-force attack in any case but the 25 guess limit adds a good second tier of security.

A question does come to mind though what is to prevent the copying of the encrypted data off the drive to stage a brute-force attack on the data using a different machine?

read more | digg story

Labels: Computer security, Digg, Security

Most people who use e-mail now know enough to be on guard against "phishing" messages that pretend to be from a bank or business but are actually attempts to steal passwords and other personal information. But there is evidence that among global cybercriminals, phishing may already be passé.
read more | digg story

Labels: Computer security, Digg, Security

I read an interesting article last week by Edward Felten about a proposal to incorporate RFID chips in US passports.Edward W. Felten: Why Use Remotely-Readable Passports?

Yesterday at CFP, I saw an interesting panel on the proposed radio-enabled passports. Frank Moss, a State Department employee and accomplished career diplomat, is the U.S. government's point man on this issue. He had the guts to show up at CFP and face a mostly hostile audience. He clearly believes that he and the government made the right decision, but I'm not convinced.

The new passports, if adopted, will contain a chip that stores everything on the passport's information page: name, date and place of birth, and digitized photo. This information will be readable by a radio protocol. Many people worry that bad guys will detect and read passports surreptitiously, as people walk down the street.

This is a remarkably stupid idea that has little to no tangible benefit and will most likely compromise security and enable identity theft. The only possible reason for this proposal is that some technology company seeking a government contract convinced someone that it was a good idea and no one in the process could understand the repercussions if it were to be implemented.

There clearly is a problem with identity theft and the forgery of identity documents such as passports so governments seek solutions to improve security. As you would expect they seek advice from experts in the field. Unfortunately they seem to be ignoring the advice of independent experts whose advice is that there is no technological solution to the problem and taking the advice of industry experts, which typically will be technology companies seeking to sell the government a solution.

Take for example the intention of the British government to include biometric data on the proposed National Identity Card.

Biometric data systems simply are not capable of working on the sort of scale that the proposed national identity card system would require them to.

They are good enough for their priamry application which is to verify that for example the iris scan of an individual matches within a certain threshold the biometric data held on the person's ID card.

But the system also would be required to prevent an individual being able to get a second ID card with different identity details. The proposed method of doing it would be to check that the individuals biometric data isn't already listed against an identity in the national identity database.

In February 2003 the National Physical Laboratory performed a biometrics feasibility study on behalf of the Home Office, DVLA and the UK Passport Service.

They studied the feasibility of the use of recognition systems for face, iris and fingerprint on the scale needed to cover the population of the UK. No biometric system is perfect and a balance needs to be found between false matches and false non-matches.

A false match is where the biometric template of an individual is matched to that of a different individual i.e. Vera Duckworth of Manchester is falsely recognized as Pauline Fowler of London.

A false non-match is where an individual is scanned and are not matched to their own biometric template i.e. the system has failed to recognize them.

Iris recognition was found to be the best method of distinguishing between individuals.

The results for the iris recognition part of the study were that Iris recognition can achieve a false match rate of better than 1 in a million with a false non-match rate of below 1 in 100.

For the current UK population of 60 million a random individual would be falsely matched with on average 60 other individuals in the national database plus would have a slim chance of not being matched against their own data.

With such a high chance of false matches (in fact it is practically a certainity that every individual will falsely match with another) there is no way to discern the difference between a false match and a true match for an individual who is applying for an ID card with a fake identity. Biometric technology clearly isn't upto the job of preventing multiple legitimate ID cards being issued to an individual until there is no possiblity of matching with another person.

Undoubtably technology will improve over time but will it improve to the required extent, it has a long way to go to do so.

The worse thing about biometrics is the faith in its infallibility, your biometric template is nothing more than a bodypart reduced to a long stream of numbers it is merely a fancy password and it's one that can never be changed. The proposed system treats the biometric template as the core of your identity with all the other information about you such as your name and address of secondary importance.

If the details of your biometric template can be stolen and accurately faked then your whole identity can be stolen.

Shit I've gone into rant mode the gist of this was supposed to be that politicians cannot be expected to be expert in all fields and justifiably must make decisions based upon the advice of experts. But they must listen to all the advice from all sides even if it isn't what they wish to hear as decisions must never be based solely upon the advice of comapnies seeking a huge government contract.

There is a cynical part of me that believes that the reality is probably that politicians are being unduly influenced by such things as campaign contributions and are awarding contracts not based on outside advice at all.

Labels: Computer security, ID Cards, Security

Bugmenot.com now has a registration page for users of the service to fill in. Odd if you consider that bugmenot's service is to give you log in details for sites such as The New York Times that require registration before usage.

However, upon closer examination you may find that it is a spoof with some rather personal information being asked for such as

Out of ten how would you rate your partner's satisfaction with your sexual performance?

and totally crazy ones like

Would you be willing to have an RFID chip inserted under your skin in exchange for a free, 12 month newspaper subscription?

Having to register at websites just to read articles is fucking annoying and bad security as it means yet more passwords to remember. Most people hate to remember many passwords so they will use the same password that they use for sites that actually require some security such as their bank account.

One other thing is that it makes these sites inaccessible to search engines so that when you search for something at Google it's unlikely that you'd get a link to the page of the article from The New York Times that covered it.

Labels: Computer security, Security