Category Archives: In the News

Security issues should always be taken seriously. Then again, so should consistent exercise and taking regular breaks from madness. Notwithstanding, here's the recent news in the field of security.

Maxell 256AES USB Drive

Maxell Launches Compact, Secure, Extremely Durable USB Drive That Exceeds Government Encryption Standards

(Woodland Park, New Jersey–January 6, 2011) Maxell Corporation of America introduces its Guardian USB Backup Drive, a USB flash drive with 256-bit AES hardware encryption for complete file security during storage and transport. The 256-bit AES hardware encryption and anodized aluminum housing protect the device even if it is lost or stolen, exceeding the government’s standard level of data protection.

The Guardian USB is extremely durable, including protection from water, sand, dropping the device and even crushing forces, making it well suited for government applications, as well as for any professional who needs to store sensitive footage.

The Guardian is an ultra-fast, high-performance backup solution, perfect for transferring important files for the professional photographer or videographer. The mandatory 256-bit AES encryption provides a perfect solution when shooting sensitive material, including government or corporate footage that could be detrimental if lost or stolen. Easily portable, the Guardian easily fits in a pants pocket or briefcase.

The Guardian’s straightforward interface requires a user to enter a complex password consisting of upper and lower case letters, numbers and symbols upon first use. Once the drive is locked, users have eight attempts to unlock the drive before the saved data is completely and securely erased. The drive also allows a user to include contact information in case it is lost.

Maintaining the form factor and affordability of slim USB stick drives, Maxell’s new Guardian USB Backup Drive expands the company’s offering in storage media. The Guardian USB has a read speed of up to 20MB/sec, due to its fast dual-channel NAND flash memory. The Maxell Guardian is backed by a lifetime warranty.

The Guardian USB is currently available in 2GB, 4GB and 8GB storage capacities at list prices of $49.99, $54.99 and $69.99, respectively.

Maxell is widely recognized as a major supplier in the data storage media industry and has remained at the forefront of the data recording business, with an emphasis on quality, reliability and innovation. In addition, Maxell continues to develop new products utilizing digital storage formats and technologies.

http://www.maxell-usa.com

Beware the Firesheep

It’s even more dangerous if you’re not making secured connections to the websites themselves. Sites that use a secure, encrypted connection have https in their Web address – rather than just http – and show a lock icon in most browsers.

In the past, you could take some comfort in the fact that it requires some skill to launch one of these attacks. Most people are honest, and even more people are clueless as to the hackery needed to access someone else’s online accounts.

From the San Francisco Gate article: 
Firesheep: Making Web-connection hijacking easy : Hot Topics

Firesheep changes all that. It’s a Firefox extension that makes it ridiculously easy to log into certain sites as another user. It’s as simple as this:

1. Launch the Firesheep extension in a Firefox sidebar.
2. Click the Start Capture button.
3. See who’s connected to which sites.
4. Double click on one of those connections.
5. You’re logged in as someone else on that site.

Ian Paul at PCWorld has a good explanation of how Firesheep works.

Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database. When you log in to Amazon, for example, your browser’s Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.

As your browser swaps cookie information back and forth with the Website a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access.

Read the rest of the article at the link: 
Firesheep: Making Web-connection hijacking easy : Hot Topics

Find suggestions for use at:
Firesheep, A Day Later
or the forum at:
Firesheep | Google Groups

Other links:
http://brakertech.com/firesheep-wifi-hacking-facebook-twitter-google-flickr/
http://github.com/codebutler/firesheep/downloads
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html 

[Addendum] At this moment, it seems that Firesheep is unavailable for download. The author seems to have made his point though. Free, open access WiFi hotspots are bait shops for predators.

There are tools to help prevent this type of invasion. Large corporations will have a VPN that sends all data through an encrypted pipe to their servers, set up as soon as the machine connects and used for everything after that. Non-corporate users can get private access through companies like proXPN and simple extensions like Hotspot Shield.

Encrypt the Web with the HTTPS Everywhere Firefox Extension – An EFF and Tor Project
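On the site operator's side, the session cookie that Firesheep captures is only visible when it travels over plain HTTP. The following is an added example, not code from the quoted articles: it audits response headers for login cookies that a sniffer on open Wi-Fi could read. The hosts, cookie values and the name heuristic are constructed assumptions.

```python
# Added example (not from the article): flag session cookies that a sniffer on
# an open Wi-Fi network could read. Hosts and cookie values are constructed.

SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumed naming heuristic

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attribute dict)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(url, headers):
    """Return (cookie_name, problem) pairs for one HTTP response.

    headers is a list of (name, value) tuples, so repeated Set-Cookie
    headers are preserved.
    """
    scheme = url.split("://", 1)[0].lower()
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # preference cookie, not a login session
        if scheme != "https":
            findings.append((name, "issued over plain HTTP"))
        elif "secure" not in attrs:
            # Login was encrypted, but the browser will still attach this
            # cookie to later unencrypted requests to the same site.
            findings.append((name, "no Secure flag: also sent over HTTP"))
    return findings

# Constructed sample responses from three hypothetical sites.
SAMPLES = [
    ("http://shop.example/login", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session-id=8f3a1c; Path=/"),
        ("Set-Cookie", "lang=en; Path=/"),
    ]),
    ("https://mail.example/login", [
        ("Set-Cookie", "SID=aa91; Path=/; HttpOnly"),
    ]),
    ("https://bank.example/login", [
        ("Set-Cookie", "auth_token=77c2; Path=/; Secure; HttpOnly"),
    ]),
]

def audit_all(samples):
    """Map each sample URL to its list of findings."""
    return {url: audit_response(url, headers) for url, headers in samples}

if __name__ == "__main__":
    for url, problems in audit_all(SAMPLES).items():
        print(url, problems or "ok")
```

The second sample is the case that is easy to miss: the login page itself uses https, yet the cookie is still exposed on any later http request to the same site.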

 

 

Infected USB caused biggest US military breach ever

Read the entire ITPro article at:
Infected USB caused biggest US military breach ever | IT PRO
By Tom Brewster, 26 Aug 2010 at 14:57


An infected USB drive was at the heart of the most serious breach of US military networks ever in 2008, a senior US Government figure has confirmed.

 

US Deputy Defense Secretary William Lynn explained how the provenance of the infection stemmed back to a drive being inserted into a laptop at a US base in the Middle East.

“The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the US Central Command,” Lynn noted in an article on the Foreign Affairs website.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.”

This incident led to the creation of Operation Buckshot Yankee, a Pentagon initiative designed to help counter the cyber threat facing the US.

Lynn admitted even since Operation Buckshot Yankee was set up, foreign enemies have managed to acquire thousands of files from US networks and from allies’ systems, including weapons blueprints, operational plans and surveillance data.

“When an organisation, such as the US military holds sensitive information, it is important that they ensure the security of all devices entering the network,” Ash Patel, country manager for UK and Ireland at Stonesoft, told IT PRO.

Patel stressed the importance, especially for bodies such as the US military, to completely lock down USB ports.

“Never leave a USB lying about unattended, this can lead to a quick win for a hacker but leave devastating consequences for an organisation. Never insert a USB stick into a company machine unless you know exactly what it contains and where it has come from,” he added.

Earlier this year, McAfee reported spreading malware on USBs was a technique being used heavily by cyber criminals, even though many would have been forgiven for thinking it was a dying art.

Remote Wiping Technology for Hard Disks

[For the DCinema business, this isn’t in the direct line of possible solutions…but good to know. The original article is at:
Secure Business Intelligence Magazine: Remote wiping technology introduced for Toshiba products]

The company said that Wipe can automatically invalidate a hard disk drive security key when its power supply is turned off, instantly making all data in the drive indecipherable. Also, copier and printer systems vendors can now use Toshiba’s Wipe technology to securely invalidate sensitive document image data by automatically erasing the SED’s internal encryption key.

This feature can be used prior to system disposal or re-purposing to ensure that private data never leaves the control of the responsible business unit or IT department.

!!! Browser Auto-Complete–All Vulnerable

This article takes a while to say that all browsers, except possibly Internet Explorer 8, are vulnerable to a simple attack that will cough up any data you have in your auto-complete file. That is, names, passwords, credit card data? (Who keeps credit card data in auto-complete? Have you checked your auto-complete file recently?)

Read the article: Auto-complete: browsers disclose private data – Update

Comments on the original proof-of-concept site say some Mac OS X systems are giving up the data and some are not, even with Auto-Complete turned on.

Advice: Turn off Auto-Complete in all browsers until this is solved…regardless of what a pain in the ass this is. Oh, and don’t go to those hacker sites.

Security: Connect the Dots–Ongoing

This article will be an ongoing list of interesting articles in the security arena, none earth-shattering (which will have separate articles), but each one a dot that might connect to other data. Please add other news in the comments or write editor at dciematools.com 

15 August–Welcome to the future: cloud-based WPA cracking is here

Cloud computing is the latest effort to put data off site, to let professionals handle the IT details, or to put large amounts of data close to the user, while allowing the users to concentrate on their application. Dolby, for example, uses the well-regarded Salesforce solution (as do many large corporations) to monitor equipment and solutions in the field. Thus it is news…and really really really points to the need for using excellent passwords.

In 2008, I speculated about the future of distributed security cracking. That future has arrived, in the form of a $17 “cloud” based service provided through the efforts of a security researcher known as Moxie Marlinspike. It is effective against pre-shared key deployments of both WPA and WPA2 wireless networks.

The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. …Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.

If you opt to use the service, you will of course leave a money trail via Amazon Payments — which is probably a bad idea if you are attempting to gain unauthorized access to a secured network illegally. For the good guys testing the security of a client’s network, however, this is an incredibly handy tool to have at one’s disposal.

It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.


 

Please report in the comments any security news which you think the community could benefit from.

More SSL Flaws Found by MS

Users of Internet Information Services (IIS) < 6.0 in default mode are not affected by potential man-in-the-middle attack…kinda…must use workarounds…Microsoft advises not to use their workarounds though. In fairness to MS, this is old SSL exploit news that they are acknowledging affects all their current OSs. 

Read the Ars Technica report…and read a newspaper instead of using wifi at the coffeeshop, or at your client’s…or on the train.

Microsoft warns of TLS/SSL flaw in Windows

By Emil Protalinski | Last updated February 9, 2010 4:12 PM

Microsoft has issued Security Advisory (977377) to address a publicly disclosed vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The TLS and SSL protocols are implemented in several Microsoft products, both client and server. Currently Microsoft has concluded that it affects all supported versions of Windows: Windows 2000 SP4, Windows XP (32-bit and 64-bit), Windows Server 2003 (32-bit and 64-bit), Windows Vista (32-bit and 64-bit), Windows Server 2008 (32-bit and 64-bit), Windows 7 (32-bit and 64-bit), and Windows Server 2008 R2. Microsoft says it will update the advisory as the investigation progresses.

FIPS 140-2 Level 2 Certified USB Memory Stick Cracked

This is from the H-Online Article:
NIST-certified USB Flash drives with hardware encryption cracked
Yes; DCI specifies that the equipment meets FIPS Level 3, not Level 2. But 3 huge companies making the same mistake? Hmmm. Plus, this is not just a DCinema issue; this affects everyone who tries to keep their personal or work computer safe, trusting devices and technology of this type. My guess is that there was an Application Note that specified how to make a particular chipset work (which all the manufacturers used). It was the Application Note that everyone followed and which had the implementation flaw. Just a guess.

The article continues, excerpted below. There is also some fine commentary about this issue at: Schneier on Security.

 

The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. … the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers’ nets. … the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations…

Cracking the drives is therefore quite simple. The SySS experts wrote a small tool … The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.

When notified by SySS about this worst case security scenario, the respective vendors responded quite differently. Kingston started a recall of the affected products; SanDisk and Verbatim issued woolly security bulletins about a “potential vulnerability in the access control application” and provided a software update.

Flash Cookies | Your Privacy

Security and Privacy are parallel tracks. Letting someone into your computer for purposes that you are not allowed to control, or even know about, is fraught with potential points of failure down the line. Do I, or you, need to know how or why right now? Is there always someone who is trying to exploit ways to find hidden files to do something nefarious? Just allowing someone, anyone, to put 100k (the standard setting, not a limit) of info on your computer without asking, without allowing you to see what it actually does or says, is wrong.

CCleaner, FlashCookiesView and Flash Cookie Cleaner get good reviews. If you are using Firefox, you can use Foxit and flashblock, but remember, these files are ubiquitous – they are shared by all browsers on your system.

Here is the link for the settings manager at Adobe — feels like fox in the henhouse, and is not easy to use…

[Update: I just used a nice program from MacHacks named Flush.app – Flash Cookie Removal Tool For OS X. Quick to download and simple to use, for Mac users it seems a nice way to go.]

 

Sure: Resort to OverSieving…RSA 768 Modulus Fail

Read Ars Technica: 768-bit RSA cracked, 1024-bit safe (for now)

Researchers have posted a preprint that describes their method for factoring a number used for RSA 768-bit encryption. By John Timmer | Last updated January 7, 2010 5:20 PM

With the increasing computing power available to even casual users, the security-conscious have had to move on to increasingly robust encryption, lest they find their information vulnerable to brute-force attacks. The latest milestone to fall is 768-bit RSA; in a paper posted on a cryptography preprint server, academic researchers have now announced that they factored one of these keys in early December.

Most modern cryptography relies on single large numbers that are the product of two primes. If you know the numbers, it’s relatively easy to encrypt and decrypt data; if you don’t, finding the numbers by brute force is a big computational challenge. But this challenge gets easier every year as processor speed and efficiency increase, making “secure” a bit of a moving target. The paper describes how the process was done with commodity hardware, albeit lots of it. 

Their first step involved sieving, or identifying appropriate integers; that took the equivalent of 1,500 years on one core of a 2.2GHz Opteron; the results occupied about 5TB. Those were then uniqued and processed into a matrix; because of all the previous work, actually using the matrix to factor the RSA value only took a cluster less than half a day. Although most people aren’t going to have access to these sorts of clusters, they represent a trivial amount of computing power for many organizations. As a result, the authors conclude, “The overall effort is sufficiently low that even for short-term protection of data of little value, 768-bit RSA moduli can no longer be recommended.” 1024-bit values should be good for a few years still.

Given that these developments are somewhat inevitable, even the authors sound a bit bored by their report. “There is nothing new to be reported for the square root step, except for the resulting factorization of RSA-768” they write. “Nevertheless, and for the record, we present some of the details.” Still, they manage to have a little fun, in one place referencing a YouTube clip of a Tarantino film following their use of the term “bingo.”

[Another good article at: New Record in the Area of Prime Number Decomposition of Cryptographically Important Numbers – not that the article gives more, but the Related Stories are interesting.]

Nuclear Plants Cautiously Phase Out Dial-Up Modems

This story comes from Wired: Read the entire piece at:
Nuclear Plants Cautiously Phase Out Dial-Up Modems | Threat Level | Wired.com
By Kevin Poulsen

“Licensees currently use analog modulator/demodulators (modems) to establish point-to-point data connections,” the NRC wrote in a memo (.pdf) to plant operators late last month. “Although this technology was state of the art when ERDS was first implemented, it is now obsolete, and replacement equipment is no longer available.”

The NRC notes several advantages … in a crisis all the plants could report … simultaneously, without the hassle of busy signals. In addition, “The use of modems inherently introduces cyber security vulnerabilities to the systems to which they are attached.”

The ERDS ties into plant computer systems … a “near real-time” view … including reactor core and coolant conditions, and radioactivity release rates.

…operators of 19 plants had expressed interest in getting rid of their modems. One hopes the other 47 will soon follow those early adopters.

Next year…

Modem photo courtesy SecretLondon123.

Major SSL Encryption Flaw Hits Web/Tech Companies Using SSL | IT Pro

[Editor’s Note: At first glance, this story looks a lot like last September’s and last August’s stories of SSL vulnerabilities. In fact, this is far worse. It is not our purpose to make your life harder by forcing you to know how often SSL encryption is used in your life. Suffice to say, this is not going to get handled by a simple patch a week later from Firefox or Apple. And now, even worse, it is in the open…the bad guys know where to attack.

How does it affect you as the above average user? First off: Everything that you learned about trusting the little lock on the browser window is no longer valid.

  1. Make certain that your employees are extra vigilant with all computers, and with all USB sticks. We don’t know how the BlackHats are going to exploit this yet.
  2. Don’t download anything that doesn’t come directly from someone that you know.
  3. Don’t trust any email that says that “We are helping you, just click here.”
  4. Don’t trust any email with a link where the link isn’t showing and where the section of the address immediately before any slashes isn’t .com or .org or .co.uk. For example, http://www.ebay.com.hacker.ru shouldn’t make you feel comfortable that it came from ebay.com – the end of the URL (Uniform Resource Locator) just before the / is the controlling item.
  5. And, of course, right now —
  • a) make certain that your back up system is working, and it makes several iterations of the back-up, and
  • b) make certain that your virus software is up to date, and
  • c) make certain that all wifi signals are using WPA2 security with a password that doesn’t have any dictionary word, and
  • d) systematically reformat the USB sticks that are being used to take keys to your Digital Cinema Servers.
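The check in item 4, as an added example that is not part of the original post: it pulls every link out of an HTML message and compares the real host, read from its right-hand end, with the domain the message claims to come from. The sample message and all function names are constructed for illustration; only the ebay.com.hacker.ru pattern comes from the text above.

```python
# Added example (not from the original post): list links in an HTML e-mail
# whose real destination is outside the domain the message claims to be from.
from html.parser import HTMLParser
from urllib.parse import urlsplit

def url_host(url):
    """Lower-cased host of an absolute URL, or None if there is none."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def host_in_domain(host, domain):
    """True only for the domain itself or a subdomain of it.

    The match is on whole labels at the END of the host name, so a host
    that merely contains or ends in the letters of the domain fails.
    """
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, claimed_domain):
    """Return (real_host, reason) for each link that leaves claimed_domain."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for href, text in collector.links:
        host = url_host(href)
        if host is None or host_in_domain(host, claimed_domain):
            continue
        shown = url_host(text)  # does the visible text itself look like a URL?
        if shown and host_in_domain(shown, claimed_domain):
            reason = "text shows %s but link goes elsewhere" % shown
        else:
            reason = "destination hidden behind link text"
        flagged.append((host, reason))
    return flagged

# Constructed sample message body.
SAMPLE_EMAIL = """
<p>We are helping you, just <a href="http://login.hacker.ru/verify">click here</a>.</p>
<p><a href="http://www.ebay.com.hacker.ru/signin">http://www.ebay.com/signin</a></p>
<p><a href="https://signin.ebay.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for host, reason in suspicious_links(SAMPLE_EMAIL, "ebay.com"):
        print(host, "->", reason)
```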

My suggestion:

  • If you have a computer network in your office, hire a security expert to come and train your employees on security for an hour or two, in addition to checking out your network for vulnerabilities and un-updated software (including Flash/Shockwave, Reader, Firefox and all virus software. They’ve all been updated recently for multiple security reasons.)
  • Wait one week, then have the expert return and answer any questions that the employees now have since they learned what to look for.

For the ultra techs, here are the links for the basic research on this:
MITM attack on delayed TLS-client auth through renegotiation
Renegotiating TLS

End Editor Note]

For the original article, please read:
Major SSL encryption flaw hits the web | IT PRO

By Asavin Wattanajantra, 6 Nov 2009 at 15:53

Researchers Marsh Ray and Steve Dispensa are believed to have shown the flaw to a working group of affected vendors, which included Microsoft, Intel, Nokia, IBM, Cisco and Juniper.

In a statement, PhoneFactor said: “[We] volunteered to delay disclosure on the vulnerability until early 2010 to allow time for vendors to make the necessary patches available.”

“However, an independent researcher discovered the vulnerability and posted it to Internet Engineering Task Force (IETF) mailing list on November 4th… News of the vulnerability quickly spread through the IT security community,” it added.

PhoneFactor added that this was a protocol vulnerability rather than an implementation flaw, so the impact was far reaching.

“All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products,” the firm said.

“Most users will eventually need to update any software that uses SSL.”

Andrew Clarke, senior vice president for Lumension, said in a statement that the SSL flaw was likely to bring a large number of patches in the near term from vulnerable vendors.

Urgent – Adobe fixes five critical Shockwave flaws | IT PRO

See the full article at: Adobe fixes five critical Shockwave flaws | IT PRO
By Asavin Wattanajantra, 4 Nov 2009 at 15:51

Nicolas Joly of VUPEN security was credited for reporting the four issues and working with Adobe to protect customers.

The update also solves a boundary condition issue that could have led to Denial of Service (DoS).

Shockwave Player is described as the ‘web standard for powerful multimedia playback’ by Adobe, and allows users who download it to see interactive web content such as business presentations, advertisements, entertainment and games.

The flaws can be patched by downloading the latest Shockwave update.

Upgrade Firefox 3.5.4 and Reader 9.2

The latest upgrade to Firefox, dated 27 October, in particular for the Mac 3.5.4, has 6 “Critical Vulnerabilities” listed since the September 3.5.3 update – See: Security Advisories for Firefox 3.5 – This rounds out to 25 Critical fixes since the June release of 3.5

Should you update? No question. Just look at the definition of Critical – Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

There will be confusion by those who have heard that there is a new release that is a beta. Do not be confused. A beta of 3.6 is imminent – it was expected on the 28th, but has been delayed.

=-=-=

Reader Update: 2 weeks ago Adobe Reader was upgraded to 9.2 – This release of Reader is mandatory as well. 9.1 was plagued with vulnerabilities and required many updates to stay current and secure. It is best that you and that everyone you know is upgraded.

Spread the word.