XKMS
Phil Wainewright:
XKMS is key
software development, security, opinion
Archive for the ‘security’ Category.
David Berlind (ZDNET):
Is that a firewall on your perimeter or just some Swiss cheese?
RFID readers can’t talk to more than one tag at a time, so when multiple tags reply to a query, the readers detect a collision and revert to what’s known as a singulation protocol to communicate with each tag individually. To accomplish this, the reader queries each tag for its next bit, which identifies which portion of a binary tree the tag resides on. When queried, a blocker tag responds with a ‘0’ and a ‘1’ bit. This causes the reader to start over and explore the entire tree.
Such a tag could be programmed to block only a certain range of RFID serial numbers. This would still allow for benign uses of RFID tags while enabling users or corporations to control which tags are readable.
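The tree-walking singulation and the blocker tag described above, as an added simulation (not code from the original post): `ID_BITS`, the tag serials, the blocked prefix and the class names are constructed assumptions. A blocker with an empty prefix jams every serial; a non-empty prefix gives the selective blocker the post mentions, which only hides the subtree it is configured for.

```python
"""RFID tree-walking singulation with a (selective) blocker tag.
Added example; ID width, serials and the blocked prefix are constructed."""

ID_BITS = 4  # toy serial width; real EPC tags carry 64- or 96-bit serials


class Tag:
    """Normal tag: answers with its next serial bit when it matches the prefix."""

    def __init__(self, serial):
        assert len(serial) == ID_BITS
        self.serial = serial

    def next_bit(self, prefix):
        if len(prefix) < ID_BITS and self.serial.startswith(prefix):
            return {self.serial[len(prefix)]}
        return set()


class BlockerTag(Tag):
    """Answers '0' AND '1' to every query inside its privacy zone (all serials
    under blocked_prefix), so the reader must walk that whole subtree and
    cannot tell real tags from phantoms.  '' blocks the entire tree."""

    def __init__(self, blocked_prefix=""):
        self.zone = blocked_prefix

    def next_bit(self, prefix):
        if len(prefix) >= ID_BITS:
            return set()
        if prefix.startswith(self.zone):      # query is inside the zone
            return {"0", "1"}
        if self.zone.startswith(prefix):      # ancestor of the zone: steer reader in
            return {self.zone[len(prefix)]}
        return set()


def singulate(tags):
    """Tree-walking reader.  Returns (serials read, number of queries sent)."""
    found, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == ID_BITS:            # leaf reached: full serial known
            found.append(prefix)
            continue
        queries += 1
        answers = set().union(*(t.next_bit(prefix) for t in tags))
        for bit in sorted(answers, reverse=True):   # walk the '0' branch first
            stack.append(prefix + bit)
    return found, queries


if __name__ == "__main__":
    real = [Tag("0010"), Tag("0110"), Tag("1011")]
    print(singulate(real))                       # 3 serials, 9 queries
    print(singulate(real + [BlockerTag("1")]))  # 10 serials, 13 queries
```

With the selective blocker, the serial `1011` is still read, but it sits among eight candidates in the blocked half of the tree, so the reader cannot single it out.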
EcoTalk and Scoop: E-Voting Expert Ousted From Elections Conference:
Dr. Rebecca Mercuri, a leading expert in voting machine security, had her conference credentials revoked by the president of the International Association of Clerks, Records, Election Officials, and Treasurers (IACREOT), Marianne Rickenbach. …
David Chaum, the inventor of eCash and a member of Mercuri’s ‘voter-verified paper ballot’ group, had his credentials revoked on the first day of the conference. On the second day his credentials were partially restored. Chaum was allowed to visit the exhibitors hall, but not attend the IACREOT meetings.
If, as demonstrated above, the security strategy of the voting machine industry is security by obscurity, then it is doomed to perpetual failure. That’s not good enough!
Joe Stewart (LURHQ):
Migmaf Reverse-Proxy Spam Trojan
In late June 2003, spam-fighters from the news.admin.net-abuse.email Usenet group noticed a particular spammer seemed to be able to move his websites around at will, minute-by-minute. This activity was also pointed out in an article by Richard M. Smith of computerbytesman.com.
It appeared at first that the spammer had managed to infect thousands of systems with a small webserver trojan – rotating them in and out of the DNS for the domain names he owned every 10 minutes. It made it nearly impossible for ISPs to track and shut down, as the IP addresses were largely owned by dialup users, so ISPs would be fighting a constant battle to keep track of all the reports.
The sites being advertised in the emails were generally Russian porn sites, and Richard Smith pointed out the same servers were involved in a Paypal scam email he had seen.
LURHQ was able to obtain a copy of the trojan – detected from suspicious activity originating from a VPN user on a firewall on a network we monitor. What we found was the trojan was not a webserver at all, but instead: a reverse proxy server. Instead of hosting the content on the victim’s computer, the spammer instead maintained a “master” webserver. We have dubbed this trojan “Migmaf”.
Philippe Oechslin:
Making a Faster Cryptanalytic Time-Memory Trade-Off
«In 1980 Martin Hellman described a cryptanalytic time-memory trade-off which reduces the time of cryptanalysis by using precalculated data stored in memory. This technique was improved by Rivest before 1982 with the introduction of distinguished points which drastically reduces the number of memory lookups during cryptanalysis. This improved technique has been studied extensively but no new optimisations have been published ever since. We propose a new way of precalculating the data which reduces by two the number of calculations needed during cryptanalysis. Moreover, since the method does not make use of distinguished points, it reduces the overhead due to the variable chain length, which again significantly reduces the number of calculations. As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2^37) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used.»
[Via SecurityFocus HOME Mailing List: BugTraq]
Dissertation Could Be Security Threat (TechNews.com)
«this George Mason University graduate student has mapped every business and industrial sector in the American economy, layering on top the fiber-optic network that connects them»
Marty Roesch (Snort) dismisses the “IDS is dead” message of Gartner analysts. Here’s the middle ground: Making the transition from potentially useful to really useful is hard, and requires lots of dedicated effort and talent. Most IDS deployments are fig leaves, buying some product because it seemed like the right thing to do, but without committing the resources to keep it alive. Failure to actually make use of the data spewing out of it makes it a bad investment. Yes, the technology is improving, producing data that is more to-the-point. However, non-serious deployers are likely to maintain equilibrium by putting even less work into using the system.
Ed Felten illustrates the persistence-of-information issues raised by Memex, DARPA’s LifeLog, journalists, bloggers, expectations of privacy, and the incentives of individuals, in Freedom to Tinker: Privacy, Blogging, and Conflict of Interest.