[SecurityRatty] tag: key

Identity-Based Encryption and Beyond

Wed, 08 Oct 2008 00:42:07 +0000

In June 2008, the US National Institute for Standards and Technology (NIST) held a workshop entitled, "Applications of Pairing Based Cryptography: Identity-Based Encryption and Beyond," in Gaithersburg, Maryland. In a series of 14 talks and two panel discussions, the presenters at this workshop discussed several aspects of identity-based encryption (IBE) and related pairing-based public-key schemes, including the history of the technology, applications for which it is well suited, and potential future developments. Copies of the presentations are now available on the workshop's Web site (www.nist.gov/ibe/). Close to 100 people from a wide range of security vendors, government agencies and academic institutions attended the event; this installment of Crypto Corner takes a closer look at all the events.

Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise

Wed, 08 Oct 2008 00:42:07 +0000

A patch to the OpenSSL package maintained by Debian GNU/Linux (an operating system composed of free and open source software that can be used as a desktop or server OS) submitted in 2006 weakened its pseudo-random number generator (PRNG), a critical component for secure key generation. Unnoticed for two years, the weak PRNG created a crypto-implementation nightmare with wide-ranging consequences that are difficult to repair. Putting both servers and users at risk, this vulnerability affected OpenSSH, Apache (mod_ssl), the onion router (TOR), OpenVPN, and other applications. In this article, I'll examine the issue and its consequences.

Virtual Machine Introspection: Observation or Interference?

Wed, 08 Oct 2008 00:42:05 +0000

As virtualization becomes increasingly mainstream, virtual machine introspection techniques and tools are evolving to provide methods to monitor the behavior of virtual machines. This survey classifies and describes current VMI introspection technologies according to three primary classifications: threat monitoring versus interference, semantic awareness, and event replay. The authors also describe the Virtual Introspection for Xen (VIX) tool suite, which was developed to address key VMI requirements, and outline key research areas for future investigation.

Cambridge lab sets quantum key world record

Tue, 07 Oct 2008 20:00:00 +0000

The hugely promising security technology of Quantum Key Distribution (QKD) has moved an important step closer to commercialization with the announcement by U.K.-based researchers that they can now shift encryption keys around at speeds of 1Mbps.

Brilliant UK Laptop Repair Service

Tue, 07 Oct 2008 07:02:00 +0000

It’s rare these days you get service so good you feel like writing to people about it. This morning (still sweaty from my morning run) I took the kids Vaio laptop (used for educational games and Internet TV (Windows Media Center of course)) to get a broken key repaired at PC World. After 15 mins [...]

Web Based Malware Emphasizes on Anti-Debugging Features

Mon, 06 Oct 2008 22:42:00 +0000

Following the ongoing development of a particular web based malware, always comes handy in terms of assessing the commoditization of anti-debugging features within modern malware. With plain simple, "managed binary crypting and firewall bypassing verification" on demand in February, to August's overall anti antivirus software mentality as a key differentiation factor of the malware.

So what are they working on? Anti tracing and emulation protection, PeiD and PESniffer protection, as well as anti heuristic scanning with a simple junk data adding feature in order to maintain a smaller binary size.

Here's a translated description :

"- The binary works under admin and under normal user
- The binary is always run as the "current user"
- An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country
-After successful infection, the binary which is tested against popular firewall and proactive protection security ensures that the actions it takes and their order do not trigger protactive protection mechanisms in place
- binary file size is 25k, the size can be reduced once it's crypted

- Doesn't take advantage of BITS protocol
- Doesn't allow an infected host to be infected twice
- Bypassing NAT and supporting "always-on" connections
- A simple, easy to configure web based admin panel"

What if the buyer doesn't care about the quality assurance practices applied? Managed lower AV detection and firewall bypassing service comes into play.

New Cross-Site Request Forgery Attacks

Mon, 06 Oct 2008 01:42:04 +0000

Interesting:

CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will (unbeknownst to the user) send a request to a second site, and the second site will mistakenly think that the user authorized the request.
If a user visits an attacker's website, the attacker can force the user's browser to send a request to a page that performs a sensitive action on behalf of the user. The target website sees a request coming from an authenticated user and happily performs some action, whether it was invoked by the user or not. CSRF attacks have been confused with Cross-Site Scripting (XSS) attacks, but they are very different. A site completely protected from XSS is still vulnerable to CSRF attacks if no protections are taken.

Paper here.

RFID passport hack has scanner seeing visions of Elvis

Fri, 03 Oct 2008 11:53:07 +0000

Building on a security researcher's description of a method of hacking passport RFID chips (and using some of that researcher's code) a group has described how to insert arbitrary data into key fields—in this case, Elvis' personal info.

Really Good Point From Schneier ...

Wed, 01 Oct 2008 10:36:00 +0000

Read all here; the key point is: "The same is true for knitting needles [...] and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.

To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer."

Doesn't it just make sense?!

How to Clone and Modify E-Passports

Tue, 30 Sep 2008 08:24:51 +0000

The Hackers Choice has released a tool allowing people to clone and modify electronic passports.

The problem is self-signed certificates.

A CA is not a great solution:

Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:
The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.
Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.

Multiple CA's would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.This option also multiplies the number of 'juicy' targets. It makes it also more likely for a CA key to leak.

Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.