Keyboard Click-And-Clack Reveals Passwords

Posted in Security by Dragan Pleskonjic @ Sep 21, 2005

Researchers at the University of California, Berkeley, have shown that a recording of someone typing can be turned back into the text that was typed. Their software picks up the subtle differences in the sound each key makes and learns to tell the keys apart from the recording itself, with no prior sample of the victim's typing. In other words, an attacker may be able to recover your passwords just by listening to the tapping of your fingers.
Read more here and here.

Symantec Report: Malware Writers Are Winning Security War

Posted in Security by Dragan Pleskonjic @ Sep 20, 2005

According to Symantec’s report, the first six months of this year saw a 54 percent increase in malicious code attacks that exposed confidential information, and 74 percent of the top 50 malicious code samples reported to Symantec from January to June involved new types of rogue code.
Read more here.

A Human Connection to Intrusion Detection

Posted in Security by Dragan Pleskonjic @ Sep 17, 2005

Researchers at the University of Nottingham want to use the human body’s immune system as a model for protecting computer systems. Computer science professor Uwe Aickelin and his colleagues are collaborating with immunologists at the University of the West of England in Bristol to build an intrusion detection system with an artificial immune system. “The University of the West of England is carrying out ‘wet’ experiments to look at various aspects of cell behavior and passing on their findings to us,” explains Jamie Twycross, research associate with the Automated Scheduling, Optimization and Planning Lab at the University of Nottingham. “We use the results to try and build a computational model.” The immunologists work from the controversial “danger theory,” which holds that the immune system is triggered by an assessment of the origin, seriousness, and frequency of danger signals rather than by the mere presence of something foreign. Twycross is trying to recreate, in the artificial immune system, the process by which garbage-collecting dendritic cells that roam the body transform into fighter cells to battle an infection. In the same way, the software would assess threats to a computer system by gathering signals from a number of sources and deciding from their context whether what it saw is dangerous.
Read more here.
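To make the mechanism concrete, here is a toy artificial-dendritic-cell detector written for this post. It is my illustration, not code from the Nottingham group, and the signal names, weights, thresholds and event stream are all assumptions. Each cell samples events (“antigens” such as process names) together with three signals from different sources, accumulates costimulation until it migrates, and then presents everything it sampled in a single context, mature (danger) or semi-mature (benign). An antigen's score is the fraction of its presentations made in the mature context, so what matters is the context in which something was seen, not the antigen alone.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One observation: the thing seen ('antigen', e.g. a process name) and the
    signals that accompanied it, each scaled to 0..1. The signal names and
    meanings are assumptions for this illustration."""
    antigen: str
    pamp: float     # definite evidence of attack (e.g. a signature match)
    danger: float   # non-specific trouble (e.g. spike in errors or failed calls)
    safe: float     # evidence of normal operation (e.g. steady, expected load)


@dataclass
class Cell:
    """An artificial dendritic cell: it samples events until enough
    costimulation (csm) accumulates, then 'migrates' and presents every
    antigen it sampled in one context, mature (alarm) or semi-mature (benign)."""
    threshold: float
    csm: float = 0.0
    k: float = 0.0                          # net 'mature' evidence
    sampled: list = field(default_factory=list)


# Signal weights, assumed for this toy: pamp and danger add to both
# accumulators, safe adds to csm but strongly subtracts from k.
W_CSM = (2.0, 1.0, 2.0)
W_K = (2.0, 1.0, -3.0)


def run_dca(events, thresholds=(4.0, 5.0)):
    """Return, per antigen, the fraction of its presentations made by a cell
    that migrated in the mature (danger) context."""
    cells = [Cell(t) for t in thresholds]
    counts = {}   # antigen -> [mature presentations, total presentations]

    def migrate(cell):
        mature = cell.k > 0
        for antigen in cell.sampled:
            c = counts.setdefault(antigen, [0, 0])
            c[0] += int(mature)
            c[1] += 1
        cell.csm = cell.k = 0.0
        cell.sampled = []

    for i, ev in enumerate(events):
        cell = cells[i % len(cells)]        # round-robin sampling, deterministic
        sig = (ev.pamp, ev.danger, ev.safe)
        cell.csm += sum(w * s for w, s in zip(W_CSM, sig))
        cell.k += sum(w * s for w, s in zip(W_K, sig))
        cell.sampled.append(ev.antigen)
        if cell.csm >= cell.threshold:
            migrate(cell)
    for cell in cells:                      # end of window: present what is left
        if cell.sampled:
            migrate(cell)
    return {a: m / t for a, (m, t) in counts.items()}


def anomalous(mcav, cutoff=0.5):
    """Antigens presented mostly in the danger context."""
    return {a for a, v in mcav.items() if v > cutoff}


# Constructed event stream: routine cron/httpd activity, then a scanner
# appears alongside an error spike that httpd is also caught up in.
EVENTS = [
    Event("cron", 0.0, 0.0, 1.0),
    Event("httpd", 0.0, 0.0, 1.0),
    Event("scan.py", 1.0, 1.0, 0.0),
    Event("httpd", 0.0, 1.0, 0.0),
    Event("scan.py", 1.0, 1.0, 0.0),
    Event("cron", 0.0, 0.0, 1.0),
    Event("scan.py", 1.0, 0.5, 0.0),
    Event("httpd", 0.0, 0.0, 1.0),
]

if __name__ == "__main__":
    scores = run_dca(EVENTS)
    for antigen, score in sorted(scores.items()):
        print(f"{antigen:10s} mcav={score:.2f}")
    print("flagged:", anomalous(scores))
```

With this stream the scanner ends up presented twice in the mature context and once in the semi-mature context (its first sighting was pooled with a cron run in the same cell), while cron and httpd are only ever presented as benign; the httpd event that coincided with the error spike is outweighed by the safe signal around it.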

Google Hacking

Posted in Security by Dragan Pleskonjic @ Sep 12, 2005

The practice of Google hacking, using Google search queries to find vulnerable or exposed systems, owes its start to Computer Sciences Corporation researcher and author Johnny Long, who created the Google Hacking Database initially as a joke. The database now holds about 1,500 queries, and the Google hacking community numbers approximately 60,000 members. The search engine is used not only to unearth credit card numbers, passwords, and unguarded Web interfaces to Web sites, routers, and other devices, but also to perform reconnaissance. “Nowadays, pretty much any hacking incident most likely begins with Google,” says F-Secure chief research officer Mikko Hypponen. One method is for a hacker to wait for a security bulletin and then use Google to find Web sites running the vulnerable software. Google’s index can also be used to map out computer networks without ever touching the target, which sidesteps administrators’ attempts to detect or block reconnaissance. Long reasons that greater involvement by Google in the security community could present new business opportunities. Google could, for instance, create a Google Security Alerts system that notifies customers when their Web sites harbor bugs discovered by Long and other Google hackers.
Read more here.
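As an added example (my own code, not from the original post or from the Google Hacking Database), here is a small matcher that runs GHDB-style queries against a local crawl of your own site, so exposures can be found before a search engine indexes them. It supports the operators those queries rely on (intitle:, inurl:, intext:, filetype:/ext:, site:, quoted phrases and “-” negation) with Google’s AND-of-all-terms semantics; allintitle:/allinurl: are not handled. The crawl pages and the four dorks are constructed for illustration and refer to no real site.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Page:
    """One crawled document: URL, <title> text and visible body text."""
    url: str
    title: str
    body: str


# Constructed sample crawl; none of these hosts or pages are real.
CRAWL = [
    Page("http://www.example.com/admin/config.php.bak", "config.php.bak",
         "<?php $db_password = 'hunter2'; ?>"),
    Page("http://www.example.com/backup/", "Index of /backup",
         "Parent Directory  config.php  db.sql"),
    Page("http://router.example.com/cgi-bin/login", "Router Login",
         "Enter password to manage this router"),
    Page("http://www.other-example.org/about.html", "About us",
         "We make widgets"),
]

OPERATORS = {"intitle", "inurl", "intext", "filetype", "ext", "site"}
# A term is: optional '-', optional 'op:', then a "quoted phrase" or a bare word.
TERM_RE = re.compile(r'(-?)(?:(\w+):)?(?:"([^"]*)"|(\S+))')


def parse_query(query):
    """Split a dork into (negated, operator, term) triples, all lower-cased."""
    terms = []
    for neg, op, phrase, word in TERM_RE.findall(query):
        term = phrase if phrase else word
        if op and op.lower() not in OPERATORS:
            term, op = f"{op}:{term}", None      # unknown prefix: keep it literal
        terms.append((neg == "-", op.lower() if op else None, term.lower()))
    return terms


def _extension(url):
    """File extension of the last path segment, or '' if it has none."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def term_matches(page, op, term):
    """Evaluate one operator:term against a page, case-insensitively."""
    title, url, body = page.title.lower(), page.url.lower(), page.body.lower()
    if op == "intitle":
        return term in title
    if op == "inurl":
        return term in url
    if op == "intext":
        return term in body
    if op in ("filetype", "ext"):
        return _extension(url) == term
    if op == "site":
        host = urlparse(url).hostname or ""
        return host == term or host.endswith("." + term)
    return term in title or term in url or term in body   # bare term: anywhere


def page_matches(query, page):
    """Every term must hold, and every '-' term must not (AND semantics)."""
    return all(term_matches(page, op, term) != neg
               for neg, op, term in parse_query(query))


def run_dorks(dorks, crawl):
    """Return {dork: [matching URLs]} so each exposure can be reviewed per query."""
    return {d: [p.url for p in crawl if page_matches(d, p)] for d in dorks}


# Queries in the GHDB style, written here for the example rather than copied.
DORKS = [
    'intitle:"Index of" config.php',
    'filetype:bak inurl:admin',
    'intitle:login inurl:cgi-bin site:example.com',
    'site:example.com -intitle:"index of" password',
]

if __name__ == "__main__":
    for dork, hits in run_dorks(DORKS, CRAWL).items():
        print(f"{dork!r}: {hits}")
```

The defensive use is the point: the same queries attackers run after a bulletin can be run against a crawl you control, and a hit on a directory listing or a stray `.bak` file is something to fix before it reaches Google’s cache.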

Security Exploits: Who’s To Blame?

Posted in General, Security by Dragan Pleskonjic @ Sep 9, 2005

Irresponsible security researchers can cause more harm than good, but letting firms sweep flaws under the carpet is just as bad.
Read more here.

United States Facing Cyber Security Crisis, Experts Tell Capitol Hill Briefing

Posted in Security by Dragan Pleskonjic @ Sep 8, 2005

Experts such as MIT professor F. Thomson Leighton and Purdue University professor Eugene Spafford painted a bleak picture of U.S. cybersecurity at the July 26 Forum on Cybersecurity on Capitol Hill. Leighton, a senior member of the recently disbanded President’s Information Technology Advisory Committee (PITAC), called for a dramatic increase in funding for basic research and development in civilian cybersecurity. He said the country’s IT infrastructure still faces grave and immediate threats despite positive steps such as Congressional approval of the Cyber Security Research and Development Act of 2002 and the establishment of a new position of assistant secretary for cybersecurity at the Homeland Security Department. Leighton said the private sector plays an important role in securing IT infrastructure, but the federal government must sponsor the discovery and development of cybersecurity technologies underlying private-sector security products and services. He also said the federal cybersecurity effort has shifted toward classified military rather than civilian R&D, concurrent with a move favoring short-term over long-term research across all sectors. Spafford warned that public support for better cybersecurity measures will not be spurred until U.S. IT infrastructure suffers “a very large and significant failure.” PITAC issued a report in February recommending a $90 million a year increase in the National Science Foundation’s budget for civilian cybersecurity research; more DHS and DARPA-directed investment in civilian cybersecurity R&D; and a stronger effort to promote recruitment and retention of university cybersecurity researchers and students.
See more here and here.

Cisco IOS Security Hole

Posted in Security by Dragan Pleskonjic @ Sep 8, 2005

Cisco, which sells much of the hardware that runs a large part of the Internet and many private networks, has acknowledged that recent versions of its Internetwork Operating System (IOS) have a serious security hole. According to its security advisory, users should upgrade to a fixed version of IOS or apply the workaround below.

The hole is a buffer overflow in the Firewall Authentication Proxy for FTP and Telnet sessions in IOS versions 12.2 through 12.4. A successful exploit can crash and reload the device (a denial of service) and may allow the attacker to run arbitrary code on it. Only devices that have the FTP or Telnet authentication proxy configured are exposed; the HTTP proxy is not affected.

All the attacker has to do is complete a TCP connection to an IOS device running the proxy and launch the exploit while the device is performing user authentication for that session.

If you do not want to upgrade, Cisco suggests disabling the firewall authentication proxy for Telnet and FTP sessions and deploying the HTTP/HTTPS authentication proxy instead. Treat this as a stop-gap until the device is upgraded, and confirm with `show ip auth-proxy configuration` that no FTP or Telnet rules remain.

Cisco’s advisory, “Cisco Security Advisory: Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow”, is at:
http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml
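As an added example (my own code, not Cisco’s and not part of the advisory), here is a small Python audit that reads a saved `show running-config`, flags every `ip auth-proxy name ... ftp|telnet` rule together with the interfaces it is applied on, does the coarse 12.2 through 12.4 version check from the post, and emits the IOS commands for the workaround. It parses the IOS 12.3/12.4 syntax `ip auth-proxy name <rule> {ftp|http|telnet} ...` and the per-interface `ip auth-proxy <rule>`; the sample config is constructed, and the advisory’s fixed-release table, not the version check here, is what decides whether a given image is vulnerable.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
version 12.3
hostname edge-rtr
!
ip auth-proxy name CORP_TELNET telnet inactivity-time 60
ip auth-proxy name CORP_FTP ftp
ip auth-proxy name CORP_WEB http inactivity-time 60
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip auth-proxy CORP_TELNET
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip auth-proxy CORP_FTP
!
interface FastEthernet1/0
 ip address 203.0.113.1 255.255.255.0
 ip auth-proxy CORP_WEB
!
end
"""

RULE_RE = re.compile(r"^ip auth-proxy name (\S+) (ftp|telnet|http)\b")
IFACE_RE = re.compile(r"^interface (\S+)$")
APPLY_RE = re.compile(r"^ ip auth-proxy (\S+)$")        # indented: inside an interface
VERSION_RE = re.compile(r"^version (\d+)\.(\d+)", re.MULTILINE)
RISKY = {"ftp", "telnet"}                                # the proxies in the advisory


def parse_auth_proxy(config):
    """Return (rules, applied): rule name -> set of protocols it proxies,
    rule name -> list of interfaces the rule is applied on."""
    rules, applied, iface = {}, {}, None
    for line in config.splitlines():
        if m := RULE_RE.match(line):
            rules.setdefault(m.group(1), set()).add(m.group(2))
        elif m := IFACE_RE.match(line):
            iface = m.group(1)
        elif (m := APPLY_RE.match(line)) and iface:
            applied.setdefault(m.group(1), []).append(iface)
        elif line.strip() == "!":
            iface = None                                  # '!' ends the block
    return rules, applied


def version_in_page_range(config):
    """Coarse check against the 12.2..12.4 range quoted in the post."""
    m = VERSION_RE.search(config)
    if not m:
        return False
    return (12, 2) <= (int(m.group(1)), int(m.group(2))) <= (12, 4)


def find_exposed(config):
    """Rules that use the FTP or Telnet proxy, with the interfaces that
    activate them (an unapplied rule is still reported, with an empty list)."""
    rules, applied = parse_auth_proxy(config)
    return {name: applied.get(name, [])
            for name, protos in rules.items() if protos & RISKY}


def workaround_commands(config):
    """IOS commands for the advisory's workaround: unbind and delete the
    FTP/Telnet proxy rules; HTTP rules are left in place."""
    rules, applied = parse_auth_proxy(config)
    cmds = []
    for name, protos in sorted(rules.items()):
        risky = sorted(protos & RISKY)
        if not risky:
            continue
        if protos == set(risky):          # nothing but FTP/Telnet: unbind the rule
            for iface in applied.get(name, []):
                cmds += [f"interface {iface}", f" no ip auth-proxy {name}"]
        for proto in risky:
            cmds.append(f"no ip auth-proxy name {name} {proto}")
    return cmds


if __name__ == "__main__":
    print("version in 12.2-12.4 range:", version_in_page_range(SAMPLE_CONFIG))
    for name, ifaces in find_exposed(SAMPLE_CONFIG).items():
        print(f"exposed rule {name} applied on {ifaces or 'no interface'}")
    print("\n".join(workaround_commands(SAMPLE_CONFIG)))
```

Users on the affected interfaces then authenticate through the HTTP proxy instead; re-run the audit on the new `show running-config` to confirm `find_exposed` returns nothing.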

Credit Card Fraud: People as Weak Points in The Chain

Posted in Security by Dragan Pleskonjic @ Sep 6, 2005

There is an interesting article about credit card fraud at: http://www.guardian.co.uk/uk_news/story/0,3604,1562638,00.html

Quote from this article:

“…the focus has been changed to finding the pin first, which is very, very easy if you are prepared to break social convention and look when people type the number in at the point of sale…”

So, once again, Bruce Schneier was right in his book “Secrets & Lies: Digital Security in a Networked World”. He wrote: “Security is not a product; it itself is a process. And if we’re ever going to make our digital systems secure, we’re going to have to start building processes. If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” The card’s technology can be strong and still be defeated by someone watching the PIN being typed at the till. The most important security weak points are people and process, not the technology.

Annoying Mobile Spam: The Next Battleground?

Posted in Mobile / Cellular / Bluetooth, Wireless Security by Dragan Pleskonjic @ Sep 5, 2005

Market surveys in the USA suggest that unwanted mobile spam continues to grow, with as many as 10 percent of all U.S. mobile-phone subscribers having already received, and been annoyed by, SMS spam, according to Jupiter Research.

According to a joint study by Intrado, Switzerland’s University of St. Gallen and the International Telecommunication Union, more than 80 percent of Europe’s mobile-phone users received at least one unwanted spam message delivered as a short message service (SMS) text during 2004. Moreover, 83 percent of the mobile users who responded to the survey expect mobile spam to become a critical issue for them within the next one to two years.

Although the U.S. lags far behind Europe with respect to the prevalence of SMS technology, at least 75 percent of the mobile phones used in North America today are SMS-capable. This percentage will rise to 100 percent by the end of 2006, predicts IDC senior research analyst Lewis Ward. In addition, by the end of 2005 there will be 65 million subscribers to SMS services, or 36 percent of all wireless subscribers, Ward said.

Given the technology’s increasing traction in the U.S. mobile marketplace, is it likely that North America will become the next big battleground for mobile spam? The short answer is “no,” said Jim Manis, the global chairman of the Mobile Marketing Association (MMA).

Local news in some countries also reports SMS spam from time to time. These messages are tedious at best, and sometimes very annoying and disturbing in their nature and content. SMS spam has already arrived here in a bad and annoying form, and mobile and wireless operators should be ready to fight this kind of attack.

Silently Fix Security Flaws: Bad Practice?

Posted in General, Operating Systems and Application Security by Dragan Pleskonjic @ Sep 4, 2005

Many software companies silently fix bugs, especially security-related ones. That is understandable in some cases, when the flaw is not publicly known. But when the bugs are already known and have been publicly reported by incident response teams, silent fixing is hard to justify: customers cannot judge the urgency of a patch for a problem they have not been told about. Big companies do it too, Oracle for example.

At http://www.red-database-security.com/whitepaper/cpu_july_2005_silently_fixed_bugs.html you can find an interesting list of security bugs silently fixed in Oracle’s Critical Patch Update of July 2005.

Red-Database-Security GmbH (http://www.red-database-security.com/) specializes in Oracle security. As stated on its web site, its mission is: “Make Oracle software more secure and help our customers to protect their most valuable data”. According to Red-Database-Security, Oracle is also very slow in fixing security issues.