[SecurityRatty] tag: reputation

Skein and SHA-3 News

Wed, 19 Nov 2008 03:14:48 +0000

There are two bugs in the Skein code. They are subtle and esoteric, but they're there. We have revised both the reference and optimized code -- and provided new test vectors -- on the Skein website. A revision of the paper -- Version 1.1 -- has new IVs, new test vectors, and also fixes a few typos in the paper.

Errata: Version 1.1 of the paper, reference, and optimized code corrects an error in which the length of the configuration string was passed in as the size of the internal block (256 bits for Skein-256, 512 for Skein-512, and 1024 for Skein-1024), instead of a constant 256 bits for all three sizes. This error has no cryptographic significance, but affected the test vectors and the initialization values. The revised code also fixes a bug in the MAC mode key processing. This bug does not affect the NIST submission in any way.

NIST has received 64 submissions. (This article interviews one of the submitters, who is fifteen.) Of those, 28 are public and six have been broken. NIST is going through the submissions right now, making sure they are complete and proper. Their goal is to publish the accepted submissions by the end of the month, in advance of the Third Cryptographic Hash Workshop to be held in Belgium right after FSE in February. They expect to quickly make a first cut of algorithms -- hopefully to about a dozen -- and then give the community about a year of cryptanalysis before making a second cut in 2010.

Lastly, this is a really nice article on Skein.

These submissions make some accommodation to the Core 2 processor. They operate in "little-endian" mode (a quirk of the Intel-like processors that reads some bytes in reverse order). They also allow a large file to be broken into chunks to split the work across multiple processors.
However, virtually all of the contest submissions share the performance problem mentioned above. The logic they use won't optimally fit within the constraints of a Intel Core 2 processor. Most will perform as bad or worse than the existing SHA-1 algorithm.

One exception to this is Skein, created by several well-known cryptographers and noted pundit Bruce Schneier. It was designed specifically to exploit all three of the Core 2 execution units and to run at a full 64-bits. This gives it roughly four to 10 times the logic density of competing submissions.

This is what I meant by the Matrix quote above. They didn't bend the spoon; they bent the crypto algorithm. They moved the logic operations around in a way that wouldn't weaken the crypto, but would strengthen its speed on the Intel Core 2.

In their paper (PDF), the authors of Skein express surprise that a custom silicon ASIC implementation is not any faster than the software implementation. They shouldn't be surprised. Every time you can redefine a problem to run optimally in software, you will reach the same speeds you get with optimized ASIC hardware. The reason software has a reputation of being slow is because people don't redefine the original problem.

That's exactly what we were trying to do.

Where is Robert Morris now?

Wed, 29 Oct 2008 21:00:00 +0000

Robert Tappan Morris, the 21-year-old Cornell University student who unleashed the first worm attack on the Internet in 1988, has fully rehabilitated his reputation in the computer science community.

Shoppers advised about deadly mall attacks

Sun, 26 Oct 2008 12:51:00 +0000

In a joint effort between U.S. Dept. of Homeland Security and Mall retail associations, mall employees and shoppers are being advised on how to protect themselves against assailants armed with guns.

It is a sad reflection of the society in which we live, but statistics show that there is a real need for such training. Between 2004 and 2008, there have been 17 shooting incidents in U.S. malls. The shootings have resulted in 34 deaths and 33 injuries.

The issued guidelines warn that the shootings are often committed by current and former retail employees with grievances against their employers (workplace violence) or are related to an associate with domestic problems (domestic violence).

We continue to advocate for better training for mall security officers. Unfortunately, many times employers have to face huge lawsuits before they are willing to spend money on any additional security training. The ironic part is that had they done the right thing to begin with, in many cases they could have saved tens of millions of dollars in those same lawsuits and not suffered reputation damage and loss.

Malware? We don't need no stinking malware!

Fri, 24 Oct 2008 10:25:00 +0000

Written by Oliver Fisher

"This site may harm your computer"
You may have seen those words in Google search results — but what do they mean? If you click the search result link you get another warning page instead of the website you were expecting. But if the web page was your grandmother's baking blog, you're still confused. Surely your grandmother hasn't been secretly honing her l33t computer hacking skills at night school. Google must have made a mistake and your grandmother's web page is just fine...

I work with the team that helps put the warning in Google's search results, so let me try to explain. The good news is that your grandmother is still kind and loves turtles. She isn't trying to start a botnet or steal credit card numbers. The bad news is that her website or the server that it runs on probably has a security vulnerability, most likely from some out-of-date software. That vulnerability has been exploited and malicious code has been added to your grandmother's website. It's most likely an invisible script or iframe that pulls content from another website that tries to attack any computer that views the page. If the attack succeeds, then viruses, spyware, key loggers, botnets, and other nasty stuff will get installed.

If you see the warning on a site in Google's search results, it's a good idea to pay attention to it. Google has automatic scanners that are constantly looking for these sorts of web pages. I help build the scanners and continue to be surprised by how accurate they are. There is almost certainly something wrong with the website even if it is run by someone you trust. The automatic scanners make unbiased decisions based on the malicious content of the pages, not the reputation of the webmaster.

Servers are just like your home computer and need constant updating. There are lots of tools that make building a website easy, but each one adds some risk of being exploited. Even if you're diligent and keep all your website components updated, your web host may not be. They control your website's server and may not have installed the most recent OS patches. And it's not just innocent grandmothers that this happens to. There have been warnings on the websites of banks, sports teams, and corporate and government websites.

Uh-oh... I need help!
Now that we understand what the malware label means in search results, what do you do if you're a webmaster and Google's scanners have found malware on your site?

There are some resources to help clean things up. The Google Webmaster Central blog has some tips and a quick security checklist for webmasters. Stopbadware.org has great information, and their forums have a number of helpful and knowledgeable volunteers who may be able to help (sometimes I'm one of them). You can also use the Google SafeBrowsing diagnostics page for your site (http://www.google.com/safebrowsing/diagnostic?site=) to see specific information about what Google's automatic scanners have found. If your site has been flagged, Google's Webmaster Tools lists some of the URLs that were scanned and found to be infected.

Once you've cleaned up your website, use Google's Webmaster Tools to request a malware review. The automatic systems will rescan your website and the warning will be removed if the malware is gone.

Advance warning
I often hear webmasters asking Google for advance warning before a malware label is put on their website. When the label is applied, Google usually emails the website owners and then posts a warning in Google's Webmaster Tools. But no warning is given ahead of time - before the label is applied - so a webmaster can't quickly clean up the site before a warning is applied.

But, look at the situation from the user's point of view. As a user, I'd be pretty annoyed if Google sent me to a site it knew was dangerous. Even a short delay would expose some users to that risk, and it doesn't seem justified. I know it's frustrating for a webmaster to see a malware label on their website. But, ultimately, protecting users against malware makes the internet a safer place and everyone benefits, both webmasters and users.

Google's Webmaster Tools has started a test to provide warnings to webmasters that their server software may be vulnerable. Responding to that warning and updating server software can prevent your website from being compromised with malware. The best way to avoid a malware label is to never have any malware on the site!

Reviews
You can request a review via Google's Webmaster Tools and you can see the status of the review there. If you think the review is taking too long, make sure to check the status. Finding all the malware on a site is difficult and the automated scanners are far more accurate than humans. The scanners may have found something you've missed and the review may have failed. If your site has a malware label, Google's Webmaster Tools will also list some sample URLs that have problems. This is not a full list of all of the problem URLs (because that's often very, very long), but it should get you started.

Finally, don't confuse a malware review with a request for reconsideration. If Google's automated scanners find malware on your website, the site will usually not be removed from search results. There is also a different process that removes spammy websites from Google search results. If that's happened and you disagree with Google, you should submit a reconsideration request. But if your site has a malware label, a reconsideration request won't do any good — for malware you need to file a malware review from the Overview page.

How long will a review take?
Webmasters are eager to have a Google malware label removed from their site and often ask how long a review of the site will take. Both the original scanning and the review process are fully automated. The systems analyze large portions of the internet, which is big place, so the review may not happen immediately. Ideally, the label will be removed within a few hours. At its longest, the process should take a day or so.

Malware? We don't need no stinking malware!

Fri, 24 Oct 2008 10:25:00 +0000

Compromised Portfolios of Legitimate Domains for Sale

Fri, 24 Oct 2008 06:24:33 +0000

Is the demand for access to compromised legitimate portfolios of domains -- where the price is based on the pagerank and is shaped by the number of domains in question -- the main growth factor for the increasing supply of such stolen accounting data, or is it the result of cybercriminals data mining their botnets for accounting data that would provide them with access to such portfolios of high trafficked domains with clean reputation? Moreover, would such a data mining approach made easily possible due to the availability of botnet parsing services and stolen accounting data dumps streaming directly from a botnet, would in fact be the more efficient approach in injecting their malicious presence on as many hosts as possible, next to the plain simple massive SQL injection approach?

As always, it's a matter of who you're dealing with, and their understanding of the exclusiveness of a particular underground item at a given period of time. This exclusiveness is inevitably going to increase due to the fact that they're several "vendors" that are already purchasing access to such portfolios, as well as compromised Cpanel accounts as a core business, the access to which they would later on either resell at a higher price enjoying the underground market's lack of transparency, or directly monetize and break-even immediatelly. As for this particular proposition for an account with 404 domains in it, it's interesting to monitor how the seller is soliciting bids from multiple sources by leaving the price an open topic, clearly indicating his low profile into the underground ecosystem. How come? An experienced seller or buyer would be offering or requesting page rank verification respectively.

With nearly each and every aspect of cybercrime already available as a service, or literally outsourced as a process to those supposidely excelling into a particular practice, building capabilities for data mining botnets is no longer a requirement, with the people behind the botnets monetizing all the data coming from it by soliciting deals of accounting data dumps based on a particular country only.

A Diverse Portfolio of Fake Security Software - Part Ten

Wed, 22 Oct 2008 04:49:20 +0000

Popping up like mushrooms, these are the very latest rogue security software domains for your case building, cross-checking, or blackholing pleasure. Interestingly, next to decentralizing the hosting locations, they're also using legitimate hosting providers, whose reputation they've also been abusing for spamming in the past :

go-scan-pro .com (78.157.143.184)
internet-antivirus-2008 .com
ia-stat-ia .com
ia-scanner-pc .com
ia-scanner-pro .com
goscanpc .com
go-iascan .com
ia-install-pro .com
ia-scan-pro .com
ia-scanner-pro .com
ia-scanpro .com
ia-scannerpro .com
ia-free-scanner .com
ia-scan-now .com

online-antivirus .net (91.203.70.57)
virus-scan-online .com
online-virus-scanning .com
scanner-protection .com
online-scan .net

s-avirus2009 .com (92.241.177.70)
sa-vir2009-buy .com
s-avir2009-buy .com

xpas-2009 .com (96.9.135.85; 206.161.120.26)
xp-as-2009 .com

antimalwaresuite2009 .com (58.65.234.193)
cleaner2009pro .com

pcdefender2008 .com (89.149.241.228)
database-virus .com (75.125.215.35)

Moreover, a new template which you can see in the attached screenshots that mimicking a local AV scanning, has been circulating for a while. Naturally, it's localized and based on the browser's default language is serving a local version of the message. Follow the customer and expose the vendor still works, however, in between the average time it takes to track them down, a great number of people have already purchased the rogue software. The rogue security software business model is very similar to the spamming business model in the sense that they don't care whether 5, 10 or 15 people get tricked and install it, since even if 4 people out of the 100,000 unique daily visits fall victim - they break even.

A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

TorrentReactor Compromised, 1.2M Users Database In the Wild

Thu, 16 Oct 2008 10:00:43 +0000

It appears that TorrentReactor.net, a highly popular torrent tracker, got compromised in September, with it's users database concisting of 1.2M users and TorrentReactor's source code stolen.

Despite that the attacker claiming responsibility is citing reputation enhancement as the reason for the attack, sooner or later the personal details will be sold and resold to spammers, with the possibilitity for spear phishing attacks left wide open.

Microsofts CAPTCHA Under Spammers Attack Again

Wed, 01 Oct 2008 18:36:06 +0000

Spammers and malware authors are once again attempting to break Microsoft’s CAPTCHA, and are able to sign up Live Hotmail accounts with a success rate of 10% to 15%, according to an assessment published by Websense. The “DomainKeys” verified server reputation is being abused in order to increase the probability of spam emails reaching the [...]

Case Study - Diadora Maintains Excellence with WatchGuard

Tue, 16 Sep 2008 09:00:00 +0000

(Source: WatchGuard) When it came time for Diadora, a sportswear company with a reputation for high-quality goods, to replace their aging network, they methodically evaluated numerous security solution options before finding one that could grow with their business. In the end, only WatchGuard provided the features, speed, and low cost of ownership needed and was selected for the job.