Source: ACM News Service.
Rutgers University-Camden computer science professor Jean-Camille Birget and colleagues have developed a new computer security program that makes use of graphical passwords and an icon system. In a graphical-password scheme the user's secret is a set of regions, or “click points,” in a complex picture such as a landscape or cityscape; because they are chosen from a picture rather than typed, they are easier to remember than a password made up of letters and numbers. In the researchers' study, users chose 10 icons, which were then scrambled on screen with nearly 200 decoy icons. Users gained entry by locating shapes, such as triangles, that have three of their icons at the corners, clicking anywhere inside the shape, and repeating the process 10 times. Because the program never requires users to click on their icons themselves, an onlooker who shoulder-surfs a session sees only a point inside the shape, not the icons that define it, which makes it difficult to steal the password. “The main idea behind our model is to allow a user to prove knowledge of a secret, without revealing the secret itself to either the authenticating party or a potential observer,” says researcher Leonardo Sobrado.
Click here to view full article.
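To make the mechanics concrete, here is an added simulation of the challenge-response described above. It is example code written for this post, not the Rutgers team's program: the grid size, icon counts and the verifier holding the pass-icon set are assumptions of the demo. Each round scatters all icons over fresh positions, the user clicks inside a triangle formed by three of their pass-icons, and the verifier accepts any click inside the convex hull of wherever the pass-icons landed. The last two functions measure what a blind attacker gains from clicking at random, which is why the scheme needs many rounds.

```python
import random
from fractions import Fraction
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed parameters for the demo: a 30x20 grid of icon slots, 10 pass-icons
# hidden among 200 decoys, and 10 challenge rounds, as in the article's description.
GRID_W, GRID_H = 30, 20
N_ICONS, N_SECRET, ROUNDS = 210, 10, 10

Point = Tuple[float, float]             # grid coordinates; Fractions are used for exact clicks
Challenge = Dict[int, Tuple[int, int]]  # icon id -> cell where it is drawn this round


def _cross(o, a, b):
    """2D cross product OA x OB; positive if O->A->B turns counter-clockwise."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points: Iterable[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Andrew's monotone chain; returns the hull counter-clockwise without collinear points."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower: List[Tuple[int, int]] = []
    for p in pts:
        while len(lower) >= 2 and _cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Tuple[int, int]] = []
    for p in reversed(pts):
        while len(upper) >= 2 and _cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def inside_hull(hull: List[Tuple[int, int]], q: Point) -> bool:
    """True if q lies inside or on the boundary of a counter-clockwise convex polygon."""
    if len(hull) < 3:
        return False
    return all(_cross(hull[i], hull[(i + 1) % len(hull)], q) >= 0 for i in range(len(hull)))


def new_challenge(rng: random.Random) -> Challenge:
    """Scatter every icon (pass-icons and decoys alike) over distinct grid cells."""
    cells = [(x, y) for x in range(GRID_W) for y in range(GRID_H)]
    return dict(zip(range(N_ICONS), rng.sample(cells, N_ICONS)))


def verify_click(challenge: Challenge, secret: Set[int], click: Point) -> bool:
    """Verifier side: the click must fall inside the convex hull of where the pass-icons are drawn."""
    return inside_hull(convex_hull(challenge[i] for i in secret), click)


def honest_click(challenge: Challenge, secret: Set[int], rng: random.Random) -> Point:
    """User side: pick three pass-icons and click inside the triangle they form (its centroid here)."""
    a, b, c = (challenge[i] for i in rng.sample(sorted(secret), 3))
    return (Fraction(a[0] + b[0] + c[0], 3), Fraction(a[1] + b[1] + c[1], 3))


def blind_click(challenge: Challenge, secret: Set[int], rng: random.Random) -> Point:
    """Attacker side: no knowledge of the pass-icons, so click a random cell."""
    return (rng.randrange(GRID_W), rng.randrange(GRID_H))


def authenticate(secret: Set[int], rng: random.Random, click_fn: Callable[..., Point],
                 rounds: int = ROUNDS) -> bool:
    """Run `rounds` fresh challenges; every click must verify."""
    for _ in range(rounds):
        ch = new_challenge(rng)
        if not verify_click(ch, secret, click_fn(ch, secret, rng)):
            return False
    return True


def hull_coverage(challenge: Challenge, secret: Set[int]) -> float:
    """Fraction of cells inside the hull: a blind click's chance of passing one round."""
    hull = convex_hull(challenge[i] for i in secret)
    hits = sum(inside_hull(hull, (x, y)) for x in range(GRID_W) for y in range(GRID_H))
    return hits / (GRID_W * GRID_H)


def blind_guess_success(secret: Set[int], rng: random.Random, rounds: int = ROUNDS) -> float:
    """Probability that blind clicking passes all rounds: the product of per-round coverages."""
    p = 1.0
    for _ in range(rounds):
        p *= hull_coverage(new_challenge(rng), secret)
    return p


if __name__ == "__main__":
    rng = random.Random(7)
    secret = set(rng.sample(range(N_ICONS), N_SECRET))
    print("honest user passes:", authenticate(secret, random.Random(1), honest_click))
    print("blind attacker passes 10 rounds:", round(blind_guess_success(secret, random.Random(3)), 4))
```

Two things the simulation makes visible that the summary does not: the hull of 10 randomly placed icons covers a large share of the screen, so a single round is weak and the security comes from repeating it; and each round leaks one point inside the hull to an observer, so a camera recording many sessions can narrow down the pass-icons over time. The verifier in this demo stores the pass-icon set in the clear; what the protocol protects is the transmission and the screen, not the server-side secret.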
Antivirus software provider McAfee announced the resignation of President Gene Hodges today, who is stepping down to take the chief executive post at rival security firm Websense.
Hodges will succeed Websense CEO John Carrington, who has served as CEO since 1999. Carrington will remain executive chairman of the board, according to Websense.
Hodges joins the Websense team after holding the position of president at McAfee where he was responsible for technology development, strategy and execution, as well as all sales and marketing for McAfee’s many business units worldwide.
Read more here.
From InternetNews.com:
The Electronic Frontier Foundation (EFF) wants Sony EMI to grant legal protections for computer security researchers examining the copy-protection technologies of the music giant.
In November, EMI — whose labels include Virgin Records, Capitol Records and Liberty Records — sparked a whirlwind of controversy and criticism for issuing music CDs containing a rootkit to cloak the scanning of customer PCs for music-ripping activities.
Although EMI eventually recalled the copyright-protected music and is facing civil lawsuits from both the EFF and Texas, the EFF also is concerned that EMI’s end user license agreement (EULA) forbids reverse engineering for any reason, including security testing.
In addition, the Digital Millennium Copyright Act (DMCA) prohibits the disabling of copy protection technologies.
“Music fans deserve to know whether EMI’s copy-protected CDs are exposing their computers to security risks,” Fred von Lohmann, senior staff attorney with EFF, said in a statement.
“When it comes to computer security, it pays to have as many independent experts kick the tires as possible, and that can only happen if EMI assures those experts that they won’t be sued for their trouble.”
In an open letter to Sony EMI Wednesday, the EFF asked the company to make a public statement that EMI would not bring legal action against researchers who bring security vulnerabilities to the attention of the public.
“Because some copy-protection vendors have leveled legal threats against security researchers in the past, researchers may be reluctant to examine EMI compact discs,” the letter states.
“While legal researchers may be put off by legal risks, criminals intent on exploiting security vulnerabilities, of course, will have no such legal compunctions.”
Read the WTN News article here.
Also read what Bruce Schneier has said about electronic voting here (2004), here (2003), and here (2000).
Pervasive bugs in Web applications contributed to the first major increase in publicized security vulnerabilities in three years, though different databases offer competing figures on the number of security risks discovered in recent years. A recent examination of four major databases consistently indicated a spike in vulnerabilities stemming from easily discovered flaws in Web applications and a doubling of the number of errors found in software, and security analysts believe that such vulnerabilities will not disappear any time soon. The National Institute of Standards and Technology (NIST) has developed the National Vulnerability Database, which uses the Common Vulnerability Scoring System to produce a standardized severity reading for each flaw. Because each of the four databases surveyed uses different cross-referencing techniques and editorial policies, meaningful comparisons between them are difficult. CERT, one of the databases surveyed, reported 5,198 vulnerabilities in 2005, though that figure has been disputed. Whatever the exact count, CERT’s conclusion that 2005 saw a spike in vulnerabilities is widely agreed upon. Most of those vulnerabilities are not catastrophic, however. “Web-based vulnerabilities are all over the place and they are really easy to find–they are the low-hanging fruit,” said Symantec’s David Ahmed. “We have had high-profile vulnerabilities, but that is not what is driving this increase.” Computer scientists are more concerned with flaws embedded in the software developed by major companies. Note also that vulnerability counts lag development: the flaws disclosed in a given year are mostly in software written years earlier, so they say little about products being built today. “These numbers are showing the state of practice from a few years ago, rather than what the current state of practice is today,” said CERT’s Jeff Havrilla.
Read full article here.
Quantum cryptography (QC), or more precisely quantum key distribution, lets two parties agree on a secret key whose secrecy rests on the laws of physics rather than on unproven computational assumptions: bits are encoded in the quantum states of single photons, and by Heisenberg’s uncertainty principle an eavesdropper cannot measure those states without disturbing them, so interception shows up as an elevated error rate that the legitimate parties can detect before they use the key. BBN Technologies devised a fully operational, multi-node QC system that has been running for over two years, connecting a trio of Boston-area institutions through a 12-mile loop of unused dark optical fiber. The system, developed under a 2002 Defense Advanced Research Projects Agency grant, is based on the random polarization of photons and subsequent selective polarization filtering and polarization-direction detection. The key a QC system produces can be used directly as a one-time pad or as the key for conventional symmetric encryption. One way to generate photons with known quantum states is to pump a nonlinear crystal with a laser, which produces pairs of photons with correlated quantum states, known as “entangled” photons. Completing a quantum-encrypted link between sender and receiver requires a setup that includes all-optical, electronic, and electro-optical components, including sources, delay lines, phase shifters, couplers, splitters, and optical fibers that incorporate elements that both do and do not maintain polarization. Although very sophisticated, the system runs unattended, with autocalibration, a start-up mode, and a self-test mode, and it supports continuous data throughput. BBN Technologies’ Chip Elliott says the next step is to make the systems smaller, cheaper, and more hardware-based.
Read full article here.
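The polarization scheme the article describes is the BB84 prepare-and-measure protocol. As an added illustration, not code from BBN or the article, here is a classical simulation of BB84's logic in Python. All of the quantum mechanics is reduced to one rule in `measure`: a photon read in the basis it was prepared in gives back its bit, while a photon read in the other basis gives a random bit and loses its original state. That rule is enough to show why an intercept-and-resend eavesdropper is caught, and how the sifted key is then used as a one-time pad. The photon counts, the 11% abort threshold, and the ideal lossless, noiseless channel are assumptions of the demo.

```python
import random
from typing import List, Tuple

# Basis 0 = rectilinear (horizontal/vertical), basis 1 = diagonal (+45/-45 degrees).
# A photon is modelled as (basis, bit): its polarization is the `bit` state of that basis.
Photon = Tuple[int, int]

QBER_ABORT = 0.11   # assumed abort threshold; roughly the bound for BB84 with one-way post-processing


def measure(photon: Photon, basis: int, rng: random.Random) -> int:
    """Measuring in the preparation basis returns the bit; in the other basis the result is random.
    This is the single physical fact the protocol rests on: a wrong-basis measurement yields no
    information about the bit and replaces the original polarization with the measured one."""
    prep_basis, bit = photon
    return bit if prep_basis == basis else rng.randrange(2)


def intercept_resend(photons: List[Photon], rng: random.Random) -> List[Photon]:
    """Eve measures each photon in a random basis and re-sends a fresh photon in that basis."""
    out = []
    for p in photons:
        eb = rng.randrange(2)
        out.append((eb, measure(p, eb, rng)))
    return out


def bb84(n: int, rng: random.Random, eve: bool = False) -> Tuple[float, List[int], List[int]]:
    """Run one BB84 exchange of n photons; return (estimated QBER, Alice's key, Bob's key)."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    photons = list(zip(a_bases, a_bits))                 # Alice prepares
    if eve:
        photons = intercept_resend(photons, rng)         # the fibre is tapped
    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = [measure(p, b, rng) for p, b in zip(photons, b_bases)]   # Bob measures

    # Sifting: bases (never bits) are compared over an authenticated public channel;
    # only positions where Alice and Bob chose the same basis are kept.
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    a_sift = [a_bits[i] for i in keep]
    b_sift = [b_bits[i] for i in keep]

    # Error estimation: sacrifice a random half of the sifted bits by disclosing them.
    # Eve guesses the wrong basis half the time, and each wrong guess randomizes Bob's
    # result half the time, so intercept-resend shows up as about 25% disagreement.
    sample = set(rng.sample(range(len(keep)), len(keep) // 2))
    errors = sum(a_sift[i] != b_sift[i] for i in sample)
    qber = errors / max(1, len(sample))
    key_a = [a_sift[i] for i in range(len(keep)) if i not in sample]
    key_b = [b_sift[i] for i in range(len(keep)) if i not in sample]
    return qber, key_a, key_b


def accept(qber: float) -> bool:
    """Keep the key only if the error rate is below the eavesdropping threshold."""
    return qber <= QBER_ABORT


def one_time_pad(key_bits: List[int], data: bytes) -> bytes:
    """XOR data with the key, one key bit per data bit; encryption and decryption are the same op."""
    if len(key_bits) < 8 * len(data):
        raise ValueError("one-time pad needs at least as many key bits as data bits")
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for j in range(8):
            k = (k << 1) | key_bits[8 * i + j]
        out.append(byte ^ k)
    return bytes(out)


if __name__ == "__main__":
    qber, ka, kb = bb84(4000, random.Random(1))
    print(f"quiet channel: QBER={qber:.3f} accept={accept(qber)} key bits={len(ka)}")
    ct = one_time_pad(ka, b"attack at dawn")          # constructed sample message
    print("Bob decrypts:", one_time_pad(kb, ct))
    qber_e, _, _ = bb84(4000, random.Random(1), eve=True)
    print(f"intercept-resend: QBER={qber_e:.3f} accept={accept(qber_e)}")
```

Two caveats a practitioner would add. Real links have fibre loss and detector dark counts, so the error rate is never zero and the abort threshold has to be set against the measured noise floor; the production system also needs error correction and privacy amplification after sifting, which this demo omits. And the public basis comparison must run over an authenticated channel, otherwise an attacker can simply impersonate Bob; the physics protects the photons, not the classical side channel.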