This is really interesting reading: invisiblethings’ blog: Tricky Tricks. Joanna Rutkowska says:
…
So, do I want to say that all those years of A/V research on detecting file infections was a waste of time? I’m afraid that is exactly what I want to say here. This is an example of how the security industry took a wrong path, the path that could never lead to an effective and elegant solution. This is an example of how people decided to employ tricks, instead of looking for generic, simple and robust solutions.
Security should not be built on tricks and hacks! Security should be built on simple and robust solutions. Oh, and we should always assume that the users are not stupid – building solutions to protect uneducated users will always fail.
Interesting blog post from Steve Lipner: The Security Development Lifecycle : The Ethics of Perfection. He says in conclusion:
What does all this have to do with ethics? Well, I think that given the choice between shipping perfectly secure software (whatever that means) that no customers will use and shipping software with continuously improved security that will actually help customers, the better ethical path is to ship. That’s a controversial view in some circles, but it’s the view I’ve reached after working in the field for the last 35 years or so.
Bruce Schneier’s DefCon 15 speaker badge is up for auction on eBay. The badge carries a programmable LED display that can show up to 14 characters, runs on two lithium batteries (included), and was designed by Joe Grand. If you want it, hurry: the auction ends Aug-22-07 13:41:36 PDT. Upon completion of the auction, Schneier will donate an amount equal to the purchase price to the Electronic Privacy Information Center.
You can also see the post and the interesting comments about this auction on Bruce’s blog (here).
This looks like a true story, though it may just be another skirmish in the Google - Yahoo battle. Anyway, it is nice to read a story about Google at Yahoo: Google mistakes own blog for spam, deletes it - Yahoo! News. It says:
Readers of Google’s Custom Search Blog were handed a bit of a surprise Tuesday when the Web site was temporarily removed from the blogosphere and hijacked by someone unaffiliated with the company.
The problem? Google had mistakenly identified its own blog as a spammer’s site and handed it over to another person.
The change was first noticed by the Google Blogoscoped Web site, which noticed that posts on the Custom Search Blog had been deleted and replaced by a strange comment from someone identifying himself as Srikanth.
[...]
Although the cryptographic standards used in public-key infrastructures, RSA and Diffie-Hellman, have not been broken, they were introduced in the 1970s and there is growing concern that they may soon be outdated. Consequently, the National Security Agency wants to switch to elliptic-curve cryptography (ECC) by 2010, the same year the National Institute of Standards and Technology plans to recommend that all government agencies switch to ECC, according to Dickie George, technology director of the NSA’s information assurance directorate. Staying with the current standards requires continually extending key lengths, which increases processing time and makes it difficult to secure small devices. ECC is a public-key technique used to secure data in transit; because it provides comparable security with a much smaller key, it takes less computational time and can be used on smaller devices such as cell phones, wireless devices and smart cards. Stephen Kent, chief scientist at BBN Technologies, says that to keep RSA and Diffie-Hellman keys, which currently extend up to 1,024 bits, secure for the next 10 to 20 years, the keys would have to at least double in length and eventually grow to 4,096 bits. Switching to ECC, however, will require a massive replacement of hardware and software; with more than a million different pieces of equipment to change over, it could take the NSA more than 10 years to complete the process. George says the move to ECC is more than replacing an encryption system: it is an upgrade of the entire communications structure, which the NSA will use to work more closely with other governments, U.S. agencies and departments, first responders, and the private sector. Interoperability is key to the new communication program and the reason behind the Cryptographic Modernization initiative, which was started in 2001 and promotes ECC.
Experts agree that there is no new technology comparable to ECC. “ECC is the only impressive thing out there,” Kent said. “People don’t get excited every time a new thing comes along. We wait several years and let people try to crack it first. ECC definitely passed the test in this regard.” Read the full article here: SPECIAL REPORT | NSA pushes elliptic-curve cryptography to secure small devices and lend support to interoperable communication networks. Government Computer News - 08/06/07.
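To make the key-size argument concrete, here is an added example (my own code, not from the post or the GCN article): a minimal pure-Python implementation of the NIST P-256 curve used to run one ECDH key agreement. The domain parameters are the published P-256 constants; the "comparable RSA modulus" figure of 3072 bits is the NIST SP 800-57 strength estimate for a 256-bit curve (both roughly 128-bit security), and any private scalars fed to `keygen()` by hand are constructed for the demonstration. The arithmetic is textbook affine double-and-add and is not constant-time, so it illustrates the sizes involved and the peer-key validation a practitioner must do, not production performance.

```python
import secrets

# NIST P-256 (secp256r1) domain parameters, FIPS 186-4 D.1.2.3.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)
INF = None  # the point at infinity (group identity)

# Comparable-strength RSA modulus for a 256-bit curve (NIST SP 800-57, ~128-bit security).
RSA_EQUIVALENT_BITS = 3072


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); INF counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law; pow(v, -1, P) is the modular inverse (Python 3.8+)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # addition
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Left-to-right double-and-add. Branches on key bits: NOT constant-time."""
    result = INF
    for bit in bin(k)[2:]:
        result = point_add(result, result)
        if bit == "1":
            result = point_add(result, pt)
    return result


def keygen(priv=None):
    """Private key: a scalar in [1, n-1]; public key: priv*G."""
    if priv is None:
        priv = secrets.randbelow(N - 1) + 1
    if not 1 <= priv < N:
        raise ValueError("private scalar out of range")
    return priv, scalar_mult(priv, G)


def ecdh(priv, peer_pub):
    """Shared secret = x-coordinate of priv*peer_pub, as 32 big-endian bytes.

    The peer point is validated first: accepting an off-curve point lets an
    attacker mount an invalid-curve attack and recover priv. P-256 has
    cofactor 1, so on-curve membership suffices; no subgroup check is needed.
    """
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid P-256 point")
    shared = scalar_mult(priv, peer_pub)
    if shared is INF:
        raise ValueError("degenerate shared point")
    return shared[0].to_bytes(32, "big")


def key_sizes():
    """What each side stores and sends, against the comparable RSA modulus."""
    return {
        "ecc_private_key_bits": N.bit_length(),  # 256
        "ecc_public_key_bits": 2 * P.bit_length(),  # 512 for (x, y); 264 compressed
        "rsa_equivalent_modulus_bits": RSA_EQUIVALENT_BITS,
    }


if __name__ == "__main__":
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    assert ecdh(a_priv, b_pub) == ecdh(b_priv, a_pub)
    print(key_sizes())
```

The check in `ecdh()` is the part worth keeping: a 256-bit scalar and a 64-byte point are all that cross the wire, but the receiver must confirm the peer point lies on the curve before multiplying by its private scalar, or the smaller key buys nothing.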
This sounds unbelievable, but a document marked as strictly confidential, the Ericsson Interception Management System Manual, is available for free download from the Internet. I don’t know whether the document is obsolete or current, but it is still very surprising that it can be obtained from the Internet. I learned about this through an article in IEEE Spectrum on the Greek telephone tapping scandal.
The EU is going to inject over €9bn to boost European Information and Communication Technologies (ICTs). ICTs are critical to creating jobs and improving quality of life across Europe. Although the ICT sector is itself worth 6-8% of the EU’s GDP, its importance goes well beyond that - ICTs are also vital to:
- meeting the globalization challenge by boosting innovation, creativity and competitiveness throughout the economy;
- delivering cutting-edge science in all scientific and technological areas;
- making Europe’s large public sector more efficient, and modernizing sectors ranging from education to energy;
- tackling social challenges, improving quality of life and meeting the challenge of an ageing society.
Europe must therefore master these technologies to remain competitive and safeguard its quality of life, which is why ICT research is one of the key themes of the EU’s Seventh Framework Programme (FP7) for Research and Technological Development, which will fund research across Europe from 2007 to 2013.
The Seventh Research Framework Programme (FP7) gives special attention to security, and particularly to ICT security. Read some details here: CORDIS : FP7 : Cooperation : Security.
There is an interesting article at the SDL blog titled: SDL and the Unconcerned Pragmatic Fundamentalist.
Related to this is the research done by privacy expert Dr. Alan Westin. Westin divided the respondents of his survey into the following categories:
The Privacy Fundamentalists: Fundamentalists are generally distrustful of organizations that ask for their personal information, worried about the accuracy of computerized information and additional uses made of it, and are in favor of new laws and regulatory actions to spell out privacy rights and provide enforceable remedies. They generally choose privacy controls over consumer-service benefits when these compete with each other. About 25% of the public are privacy Fundamentalists.
The Pragmatic: They weigh the benefits to them of various consumer opportunities and services, protections of public safety or enforcement of personal morality against the degree of intrusiveness of personal information sought and the increase in government power involved. They look to see what practical procedures for accuracy, challenge and correction of errors the business organization or government agency follows when consumer or citizen evaluations are involved. They believe that business organizations or government should “earn” the public’s trust rather than assume automatically that they have it. And, where consumer matters are involved, they want the opportunity to decide whether to opt out of even non-evaluative uses of their personal information, as in compilations of mailing lists. About 57% of the public fall into this category.
The Unconcerned: The Unconcerned are generally trustful of organizations collecting their personal information, comfortable with existing organizational procedures and uses, ready to forego privacy claims to secure consumer-service benefits or public-order values, and not in favor of the enactment of new privacy laws or regulations. About 18% of the public fall into this category.
In the July 2007 issue of IEEE Spectrum there is an interesting article on how some extremely smart hackers pulled off the most audacious cell-network break-in ever. It is still unknown who did it, but here is how they did it: IEEE Spectrum: The Athens Affair. The article gives real technical insight.
The illegally wiretapped cellphones in the Athens affair included those of the prime minister, his defense and foreign affairs ministers, top military and law enforcement officials, the Greek EU commissioner, activists, and journalists.
The Wikipedia article http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005 contains additional links to press stories and background material.
Ericsson’s Interception Management System user manual (marked confidential) is available on the Web through a Google search: http://www.google.com/search?q=IMS+ericsson+manual or at http://cryptome.org/ericsson-ims.htm.