Deciphering the World of Crypto

Posted in Cryptography by Dragan Pleskonjic @ Oct 31, 2005

The Internet Engineering Task Force (IETF) has turned its attention toward standards for cryptographic algorithms such as Triple-DES and AES. The IETF does not research or test cryptographic algorithms itself, leaving those tasks to government organizations advised by outside experts, though it ensures that only algorithms believed to be secure find their way into its protocols. The IETF is also evaluating standards from other countries, such as Russia, Japan, and South Korea, and has already awarded RFCs to South Korea’s SEED and Russia’s GOST. SEED has seen use in VPN applications and digital rights management. GOST is Russia’s national standard; it was recently modified to improve its interoperability, and although many view the Soviet-era cipher as archaic, it has yet to be broken. Russia is applying GOST to the public-key infrastructure project at its National Treasury for document encryption and signing, and GOST is currently being considered for inclusion in OpenPGP. IETF standardization is widely viewed as helping an algorithm gain popularity, as well as improving its interoperability by fleshing out its technical details.

Read more here.

White House Urged to Make Cybersecurity a Priority

Posted in Security by Dragan Pleskonjic @ Oct 31, 2005

Cyber Security Industry Alliance executive director Paul Kurtz, speaking to a House Armed Services subcommittee on Thursday, called for a presidential directive making cybersecurity a top Bush administration objective and encouraging more coordination between the military and the private sector. Kurtz said, “We need a national policy to secure cyberspace.” Others testifying before the committee argued that the current approach to cybersecurity is ineffective because it lacks research funding, suffers from a shortage of suitable researchers, relies too much on vulnerable commercial software and hardware, and does not encourage coordination between sectors. Eugene Spafford, professor and executive director of Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS), lamented the reliance on commercial software and hardware, because most manufacturers of such products rely on patches, or quick fixes, to correct vulnerabilities rather than eliminating them before release. Spafford believes a holistic view is the only way to prevent and effectively respond to a catastrophic cyber attack, which could affect the electric power grid as well as the telecommunications infrastructure. Spafford says, “These systems are interconnected, and we need to protect all of them.” Intel’s David Rawrock said more certified security professionals are needed. He said, “The number of professionals in the field seems to be shrinking and not expanding.”

Read more here.

UMass Researchers Fight Fraud With Software

Posted in Security by Dragan Pleskonjic @ Oct 31, 2005

New fraud-detection software being developed by researchers at the University of Massachusetts in partnership with the National Association of Securities Dealers promises to improve on the ability to predict fraud among brokers. Current software focuses solely on the individual history of a broker, but the program developed at UMass’ Knowledge Discovery Laboratory also takes into consideration the histories of the brokers they come in contact with, an approach similar to predicting the spread of an infectious disease, says David Jensen, an associate professor of computer science and KDL director. The software uses relational probability trees, which consider the characteristics of related objects, to compile information, and then builds a model of the relationships it finds suspicious. Predictions are based on organizational relationships in the securities industry, linking brokers to firms, customer complaints to brokers, and branches to parent firms. The results matched many of the brokers that appear on NASD’s Higher-Risk Broker List, and identified new ones. “That it performs as well as live examiners is fascinating,” says John Komoroske, vice president of the NASD.
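To make the relational idea concrete, here is an added example in Python (mine, not KDL’s or NASD’s code). It builds the link types the paragraph mentions (brokers to branches, branches to parent firms, complaints to brokers) from a small constructed data set, computes aggregates over each broker’s related objects, and scores brokers with a hand-specified tree standing in for a learned relational probability tree; the broker ids, the split values and the leaf probabilities are all assumptions. A broker-only baseline is kept alongside so the difference is visible: B2 has a clean record and scores low on its own history, but works at a branch where half the colleagues have been disciplined, which is the “contagion” signal the relational model picks up.

```python
from collections import defaultdict

# Constructed sample data (not from the article or NASD): each broker works
# at one branch, each branch belongs to one firm, and complaints are filed
# against individual brokers, some of which led to disciplinary action.
BROKERS = {
    # broker_id: branch_id
    "B1": "BR-A", "B2": "BR-A", "B3": "BR-A",
    "B4": "BR-B", "B5": "BR-B",
    "B6": "BR-C",
}
BRANCHES = {"BR-A": "FirmX", "BR-B": "FirmY", "BR-C": "FirmX"}
# (complaint_id, broker_id, disciplinary_action_taken)
COMPLAINTS = [
    ("C1", "B1", True),
    ("C2", "B1", True),
    ("C3", "B3", False),
    ("C4", "B4", False),
]


def build_features(brokers, branches, complaints):
    """Attach to every broker both its own history and aggregates computed
    over related objects (co-workers at the same branch, the parent firm)."""
    own_complaints = defaultdict(int)
    disciplined = set()
    for _cid, broker, action in complaints:
        own_complaints[broker] += 1
        if action:
            disciplined.add(broker)

    by_branch = defaultdict(list)
    for broker, branch in brokers.items():
        by_branch[branch].append(broker)
    by_firm = defaultdict(list)
    for branch, firm in branches.items():
        by_firm[firm].extend(by_branch[branch])

    features = {}
    for broker, branch in brokers.items():
        coworkers = [b for b in by_branch[branch] if b != broker]
        firm_peers = [b for b in by_firm[branches[branch]] if b != broker]
        features[broker] = {
            "own_complaints": own_complaints[broker],
            "own_disciplined": broker in disciplined,
            # Relational aggregates: share of co-workers with a disciplinary
            # record, and complaints per broker across the rest of the firm.
            "coworker_disciplined_frac": (
                sum(b in disciplined for b in coworkers) / len(coworkers)
                if coworkers else 0.0),
            "firm_complaints_per_peer": (
                sum(own_complaints[b] for b in firm_peers) / len(firm_peers)
                if firm_peers else 0.0),
        }
    return features


def broker_only_risk(f):
    """Baseline in the spirit of the 'current software': looks only at the
    broker's own record. Leaf values are illustrative, not learned."""
    if f["own_disciplined"]:
        return 0.9
    return 0.3 if f["own_complaints"] > 0 else 0.05


def rpt_risk(f):
    """Hand-specified tree over relational features. A real relational
    probability tree learns its splits and leaf probabilities from labelled
    cases; the splits and leaf values here are assumed for illustration."""
    if f["own_disciplined"]:
        return 0.9
    if f["coworker_disciplined_frac"] >= 0.5:
        # A clean record at a branch where half the colleagues were
        # disciplined is the signal the broker-only model cannot see.
        return 0.6 if f["own_complaints"] > 0 else 0.4
    if f["own_complaints"] > 0:
        return 0.3
    return 0.15 if f["firm_complaints_per_peer"] > 0.5 else 0.05


def rank_brokers(brokers, branches, complaints, model=rpt_risk):
    """Brokers ordered from highest to lowest risk (ties broken by id)."""
    feats = build_features(brokers, branches, complaints)
    return sorted(((b, model(f)) for b, f in feats.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    feats = build_features(BROKERS, BRANCHES, COMPLAINTS)
    for broker, score in rank_brokers(BROKERS, BRANCHES, COMPLAINTS):
        print(f"{broker}: relational={score:.2f} "
              f"broker-only={broker_only_risk(feats[broker]):.2f}")
```

The example generalises the article’s point: any feature computed over a broker’s neighbours in the organisational graph (co-workers, firm, branch) can feed the tree, and it is those neighbour features that surface brokers whose own record is still clean.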

Read more here.

Anti-Spyware Definitions Finalised

Posted in Security by Dragan Pleskonjic @ Oct 31, 2005

The Anti-Spyware Coalition (ASC), an alliance of software companies, security firms and consumer groups, finalised its definitions of spyware on Thursday.

The group defined spyware and other potentially unwanted technologies as those deployed without appropriate user consent and/or implemented in ways that impair user control over: material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; and/or collection, use, and distribution of their personal or other sensitive information.

Read full article here.

Don’t Get Tricked on Halloween by Zombies

Posted in Security by Dragan Pleskonjic @ Oct 29, 2005

Timing their effort to coincide with National Cyber Security Awareness Month and Halloween, the U.S. Federal Trade Commission (FTC), Consumer Action and Microsoft Corp. are urging consumers to protect themselves from the threat of “zombies,” computers infected with malicious code so that they can be controlled remotely by other people for illegal purposes. Through technological trickery, criminals can use these unwitting accomplices to send illegal spam, launch phishing campaigns to steal personal information, attack Web sites and computers, or engage in other illegal activity.

Read articles in PC World, PC Magazine, and Information Week.

Schneier on Security: Preventing Identity Theft: The Living and the Dead

Posted in Security by Dragan Pleskonjic @ Oct 28, 2005

From Bruce Schneier’s well-known blog; read it here.

US Spy Agency’s Patents Under Security Scrutiny

Posted in Security by Dragan Pleskonjic @ Oct 28, 2005

Article in New Scientist says:

The hyper-secretive US National Security Agency – the government’s eavesdropping arm – appears to be having its patent applications increasingly blocked by the Pentagon. And the grounds for this are national security, reveals information obtained under a freedom of information request.

Most Western governments can prevent the granting (and therefore publishing) of patents on inventions deemed to contain sensitive information of use to an enemy or terrorists. They do so by issuing a secrecy order barring publication and even discussion of certain inventions.

Experts at the US Patent and Trademark Office perform an initial security screening of all patent applications, and then army, air force and navy staff at the Pentagon’s Defense Technology Security Administration (DTSA) make the final decision on what is classified and what is not.

Read it here.

Use Microwave Energy for Surveillance

Posted in Security by Dragan Pleskonjic @ Oct 27, 2005

SlashDot says:

“According to an article from newscientist, scientists have devised a system to use microwave energy for surveillance. If people are speaking inside the room, any flimsy surface, such as clothing, will be vibrating. This modulates the radio beam reflected from the surface. Although the radio reflection that passes back through the wall is extremely faint, the kind of electronic extraction and signal cleaning tricks used by NASA to decode signals in space can be used to extract speech.”

This interesting article appeared in New Scientist magazine. There is also a patent application at the USPTO titled “Technique and device for through-the-wall audio surveillance”.

Making Signatures More Secure

Posted in Security by Dragan Pleskonjic @ Oct 26, 2005

IBM researchers in San Jose have come up with new software that uses the unique way an individual signs their name, such as their hand strokes and the pressure exerted on the writing pad, to determine the validity of signatures and to detect forgery. If a signature is a 95 percent match to the one stored by the software, a green check mark appears, but one rated at only 1 or 2 percent gets a red “x” and is rejected as a forgery. The software, dubbed Sign and Go, will be marketed to retail outlets looking for better ways of detecting identity fraud and will allow retailers to set their own policies on how closely a signature must match the data stored in their network, says IBM researcher Thomas Zimmerman. For example, he says a store may tolerate just a 50 percent match for a lower-priced item, but require an 80 percent match for more expensive items such as washing machines. However, Zimmerman says, “If you require a very high threshold–95 percent–you’ll get a lot of unhappy customers.” Analyst James Van Dyke says it is still unclear to IBM just how big the market will be for this kind of verification software, since a growing number of consumers are shifting to debit card sales based on personal identification numbers. Still, Zimmerman says signature verification technology is likely more socially acceptable than biometric systems such as fingerprint verification, and many stores already have electronic touchpads as well as the hardware and software needed to support the new technology.
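As an added example, not IBM’s Sign and Go code, the following Python compares two signatures captured as (x, y, pressure) samples using dynamic time warping, one standard way to match stroke sequences that differ in speed; the article does not say which matching method IBM uses. The three sample signatures, the mapping from warping cost to a percentage, and the price tiers (a 50 percent match under $100, 80 percent at or above) are all constructed for illustration. It shows the tradeoff Zimmerman describes: a genuine signer pressing a little harder than usual scores about 90 percent, which passes the 80 percent tier but fails a 95 percent one, while a forgery traced from a printed copy (right shape, flat pressure) scores about 68 percent, enough to pass the loose tier on a cheap item.

```python
import math

# A dynamic signature is a sequence of (x, y, pressure) samples from the
# signing pad. Pressure is assumed already scaled to [0, 1] by the pad.
# All signatures below are constructed for illustration.
TEMPLATE = [(0, 0, 0.5), (1, 1, 0.6), (2, 0, 0.7), (3, 1, 0.6), (4, 0, 0.5)]
# Same signer, pausing mid-stroke (one sample repeated): timing differs,
# shape and pressure do not.
GENUINE_PAUSE = [(0, 0, 0.5), (1, 1, 0.6), (1, 1, 0.6), (2, 0, 0.7),
                 (3, 1, 0.6), (4, 0, 0.5)]
# Same signer pressing slightly harder than usual.
GENUINE_FIRM = [(0, 0, 0.6), (1, 1, 0.7), (2, 0, 0.8), (3, 1, 0.7), (4, 0, 0.6)]
# Forgery traced from a printed copy: right shape, flat pressure profile.
FORGERY = [(0, 0, 0.2), (1, 1, 0.2), (2, 0, 0.2), (3, 1, 0.2), (4, 0, 0.2)]


def normalize(signature):
    """Scale x and y into the unit box so signature size does not matter;
    pressure is left alone because absolute pressure is part of the biometric."""
    xs = [p[0] for p in signature]
    ys = [p[1] for p in signature]

    def scale(v, lo, hi):
        return (v - lo) / (hi - lo) if hi > lo else 0.0

    return [(scale(x, min(xs), max(xs)), scale(y, min(ys), max(ys)), pr)
            for x, y, pr in signature]


def dtw_distance(a, b):
    """Dynamic time warping: minimal summed Euclidean distance between two
    sample sequences when each may be locally stretched or compressed."""
    n, m = len(a), len(b)
    cost = [[math.inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = math.dist(a[i - 1], b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]


def match_percent(template, attempt):
    """Map the per-sample warping cost to a 0..100 score (100 = identical).
    The exponential mapping is an assumption chosen for illustration."""
    d = dtw_distance(normalize(template), normalize(attempt))
    return 100.0 * math.exp(-d / max(len(template), len(attempt)))


def threshold_for(price):
    """Store policy of the kind described above: a looser match for cheap
    items, a stricter one for expensive ones. The tiers are assumed."""
    return 50.0 if price < 100 else 80.0


def verify(template, attempt, price, threshold=None):
    """True when the attempt matches the stored template closely enough for
    the item's price tier (or for an explicit threshold)."""
    required = threshold if threshold is not None else threshold_for(price)
    return match_percent(template, attempt) >= required


if __name__ == "__main__":
    for name, sig in [("pause", GENUINE_PAUSE), ("firm", GENUINE_FIRM),
                      ("forgery", FORGERY)]:
        print(f"{name:8s} {match_percent(TEMPLATE, sig):5.1f}% "
              f"cheap={verify(TEMPLATE, sig, 20)} "
              f"expensive={verify(TEMPLATE, sig, 500)} "
              f"strict95={verify(TEMPLATE, sig, 500, threshold=95.0)}")
```

Because the forgery keeps the shape but not the pressure profile, its score is carried entirely by the pressure channel; that is why the pad’s pressure data, and not just the drawn outline, is what makes this check stronger than comparing two images.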

Read more here.

Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Oct 25, 2005

Microsoft plans to discontinue support for the SSLv2 (Secure Sockets Layer version 2) protocol in the coming Internet Explorer browser refresh. SSLv2 has long-known design flaws: its handshake messages are not integrity-protected, so an attacker on the path can force the weakest cipher both sides support, and it uses the same key for encryption and message authentication with a weak MAC construction.

In its place, the company will make the stronger TLSv1 (Transport Layer Security) protocol the default in IE 7 as part of an overall plan to improve the security and user experience of HTTPS connections.
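For a practitioner the immediate question is whether the servers they look after still accept SSLv2 at all. Below is an added Python example (not Microsoft’s or the IE team’s code) that sends a raw SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind and checks whether the reply is an SSLv2 SERVER-HELLO; a TLS-only server answers with a TLS alert or closes the connection, which the parser reports as None. The SAMPLE_SERVER_HELLO and SAMPLE_TLS_ALERT bytes are constructed here for offline testing, not captured from a real server, and the host and port for the live probe are the caller’s.

```python
import socket
import struct

# SSLv2 CIPHER-KIND codes (three bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge=bytes(16)):
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind, wrapped in the
    two-byte record header (high bit set = no padding byte, 15-bit length)."""
    cipher_specs = b"".join(SSL2_CIPHERS)
    body = (bytes([MSG_CLIENT_HELLO])
            + b"\x00\x02"                                  # CLIENT-VERSION 2
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs                                 # empty SESSION-ID
            + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Return version and accepted cipher kinds from an SSLv2 SERVER-HELLO
    record, or None for anything else (e.g. a TLS alert, an empty reply)."""
    if len(record) < 2 or not record[0] & 0x80:
        return None
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    # body[1] = SESSION-ID-HIT, body[2] = CERTIFICATE-TYPE, then SERVER-VERSION
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs) - 2, 3)]
    return {"version": version, "ciphers": ciphers, "cert_len": cert_len}


def server_accepts_sslv2(host, port=443, timeout=5.0):
    """Live probe: send the CLIENT-HELLO and parse whatever comes back.
    Only run this against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        header = sock.recv(2)
        if len(header) < 2 or not header[0] & 0x80:
            return None                      # closed, or a TLS record (0x15/0x16)
        length = ((header[0] & 0x7F) << 8) | header[1]
        body = b""
        while len(body) < length:
            chunk = sock.recv(length - len(body))
            if not chunk:
                break
            body += chunk
    return parse_server_hello(header + body)


# Constructed SERVER-HELLO (not captured from a real server): no session hit,
# X.509 certificate type, version 2, a 3-byte placeholder certificate, two
# accepted cipher kinds and a 4-byte connection id.
_SAMPLE_BODY = (bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + b"\x00\x02"
                + struct.pack(">HHH", 3, 6, 4)
                + b"CRT" + b"\x01\x00\x80\x07\x00\xc0" + b"wxyz")
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_SAMPLE_BODY)) + _SAMPLE_BODY
# Constructed TLS 1.0 fatal handshake_failure alert, the kind of reply a
# server that no longer speaks SSLv2 gives.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print("sample server hello:", parse_server_hello(SAMPLE_SERVER_HELLO))
    print("sample TLS alert:", parse_server_hello(SAMPLE_TLS_ALERT))
```

A non-None result from server_accepts_sslv2 lists the cipher kinds the server is still willing to negotiate over SSLv2, which is the list to take to whoever owns that server’s configuration; dropping SSLv2 in the browser only helps if the client refuses it, so the server side still needs to stop offering it.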

Read details on official IE Blog.