[SecurityRatty] tag: electronic

"New Attack" Against Encrypted Images

Thu, 09 Oct 2008 02:44:14 +0000

In a blatant attempt to get some PR:

In a new paper, Bernd Roellgen of Munich-based encryption outfit PMC Ciphers, explains how it is possible to compare an encrypted backup image file made with almost any commercial encryption program or algorithm to an original that has subsequently changed so that small but telling quantities of data 'leaks'.

Here's the paper. Turns out that if you use a block cipher in Electronic Codebook Mode, identical plaintexts encrypt to identical ciphertexts.

Yeah, we already knew that.

And -1 point for a security company requiring the use of Javascript, and not failing gracefully for a browser that doesn't have it enabled.

And -- ahem -- what is it with that photograph in the paper? Couldn't the researchers have found something a little less adolescent?

For the record, I doghoused PMC Ciphers back in 2003:

PMC Ciphers. The theory description is so filled with pseudo-cryptography that it's funny to read. Hypotheses are presented as conclusions. Current research is misstated or ignored. The first link is a technical paper with four references, three of them written before 1975. Who needs thirty years of cryptographic research when you have polymorphic cipher theory?

EDITED TO ADD (10/9): I didn't realize it, but last year PMC Ciphers responded to my doghousing them. Funny stuff.

A Life or Death InfoSec Subversion

Wed, 08 Oct 2008 00:42:07 +0000

Details about failures of complex and well-implemented information-based attacks on systems are extremely difficult to obtain. However, here the authors examine a real-life analogue—an information attack on a highly complex security system, that of the Colombian guerrilla group FARC. This operation included a man-in-the-middle attack, targeted denial of service (DoS), and authentication subversion. The attack on FARC's communications structure is interesting not only because of its electronic and analog components, but also because it was a life or death matter. The authors examine the hostages' liberation from an information security perspective, compiling data from several Colombian newspapers and magazines and using the most accepted version of the events.

Data Retention and Privacy in Electronic Communications

Wed, 08 Oct 2008 00:42:06 +0000

The retention of communication data by network providers, often mandated by legislation, raises social and technical security concerns. A generic model combining technical, procedural, and legal controls can help secure retained data and minimize privacy threats against users.

Privacy groups praise bill curbing warrantless laptop searches

Wed, 08 Oct 2008 00:00:00 +0000

Privacy and civil rights groups are welcoming legislation that proposes tough new standards for conducting searches of laptops and other electronic devices at U.S. borders.

Data-Mining for Terrorists Not 'Feasible,' DHS-Funded Study Finds

Tue, 07 Oct 2008 15:30:00 +0000

Searching for terrorists in masses of electronic data doesn't work and will lead to unacceptable privacy invasions, a government-funded commission reported Tuesday. Instead, the government should carefully evaluate how it uses the same technology as book recommendation software, and update the nation's privacy laws.

Anatomy of SQL injection attack

Mon, 06 Oct 2008 20:00:00 +0000

While there are a number of security risks in the world of electronic commerce, SQL injection is one of the most common Web site attack techniques used to steal customer data such as credit card numbers, hold customer data hostage by encrypting it or destroy data outright.

Cybersecurity, password recall, IT culture and more

Mon, 06 Oct 2008 20:00:00 +0000

As part of a comprehensive cybersecurity push, the U.S. government will focus on improving its network defense capabilities and revamping acquisition rules to protect against malicious code installed during the manufacturing process of electronic devices.

Government sends auditors to investigate Postapay fraud

Tue, 30 Sep 2008 20:00:00 +0000

Efforts by the Postal Corporation of Kenya to embrace technology have hit a snag, with the government sending forensic auditors to probe the integrity of its electronic money transfer service, Postapay, following reports of millions of shillings lost to fraudsters.

IBM software bundle targets retail theft, data breaches

Tue, 30 Sep 2008 20:00:00 +0000

IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry regulations.

How to Clone and Modify E-Passports

Tue, 30 Sep 2008 08:24:51 +0000

The Hackers Choice has released a tool allowing people to clone and modify electronic passports.

The problem is self-signed certificates.

A CA is not a great solution:

Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:
The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.
Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.

Multiple CA's would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.This option also multiplies the number of 'juicy' targets. It makes it also more likely for a CA key to leak.

Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.