Dragan on Security

Neal Koblitz published paper “The Uneasy Relationship Between Mathematics and Cryptography” at Notices of the American Mathematical Society. This article has been commented on Bruce Schneier’s blog on security and rebuttals came from Oded Goldreich, Hugo Krawczyk, Jonathan Katz, Luca Trevisan, and Boaz Barak. This is long reading, if you are going to read all mentioned articles and reactions, but very interesting for everyone who want to know more about concepts and misconceptions of cryptography and mathematic with different points of view.

Oracle 11g password algorithm is revealed. It’s based on SHA-1. The Hacker’s Choice (THC) says:

vonjeek/THC is proud to release the first full blown cracker for Oracle 11g. This tool can crack passwords which are encrypted using Oracle’s latest SHA1 based password protection algorithm.

You can download vonjeek/THC tool here. This page has an interesting title: “unbreakable” Oracle uncertified associate.

Also there is story on Pete Finnigan’s Oracle security weblog (here).

This is a very interesting question that Steve Riley talked about in recent post on his blog (here). And of course, a number of people have asked him if he is recommending such a stance to other individuals or to organizations. Quickly after that Steve gave more detailed explanation (here). More important is that security decisions always involve tradeoffs. They also (should) involve an intimate understanding of what the users will be doing with their computers.

8th IEEE International Conference - TELSIKS 2007 will take place from September 26 - 28, 2007 in Nis, Serbia. Visit conference site here. Paper titled “Reduction of False Positive Intrusions by Using Neural Nets” which I worked on with couple of associates will be presented on this conference. It is scheduled for Wednesday, September 26th, 2007 in session Wireless Communications I as invited paper. Integral conference program document is here.

Ordinary users of search engines, bank portals, e-commerce sites usually don’t care about all various data that these keep about Web site visitors in order to learn more about their behavior, habits and preferences.

In article Barclays Manipulates Online Sales there is one explanation how they collects and uses data about visitors. Also, they have couple of words about what Google do when you install Google toolbar.

It is also well known that other site owners are collecting information about site visitors. Sometimes it is told to users clearly, sometimes less clearly and sometimes not. Advice is: be careful.

Hacking challenge Bangkok 2007: AirRaid2 - Wireless Hacking Tournament.

From tournament description:

Wireless networks using 802.11 and Bluetooth have become common deployments in today’s corporate environments.

To underscore the importance of securing these wireless networking technologies, ThinkSECURE is following up our original and hugely successful AIRRAID wireless hacking tournament (held in 2005 in Singapore), with the new and bigger AIRRAID2!

Mark Kanok from Symantec put interesting post titled Detection and Remediation on Symantec official blog. It contains updated definitions of some of today’s most prevalent threats:

• Backdoors — A backdoor is an undocumented way of gaining access privileges to a program, typically for the intent of opening up further access or vulnerabilities.
• Bots or Zombies — A computer that is under the control of a malicious hacker without the knowledge of the computer owner, and is typically used to execute various nefarious processes in a networked basis (e.g. denial of service attacks, spam, etc.)
• Trojan Horse — A Trojan Horse is malicious software that masquerades as a legitimate or benign program, often exploiting the willingness of users to try “free” software.
• Polymorphic Virus — A polymorphic virus is one that changes its binary pattern, or signature every time it replicates and infects a new file in order to keep from being detected by a signature-based antivirus programs.
• Rootkit — A rootkit is a malicious program that is activated each time the system boots up, making them especially difficult to detect and remove. In some cases, rootkits are counted as Trojan Horses.
• Drive-By Downloads — A drive-by download is a program that is automatically downloaded onto the computer without the user’s consent or knowledge. Drive-by downloads can be initiated simply by visiting a dangerous Web site or by viewing an HTML e-mail message.
• Phishing — A phishing attack is a type of scam designed to lure a victim — typically via a cleverly written, legitimate-looking e-mail — to a false web site, which also tends to look legitimate. The victim’s personal or financial information is then compromised.

If you think your passwords are strong enough, think twice. They are probably not. Ophcrack is a Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a GTK+ Graphical User Interface and runs on Windows, Mac OS X (Intel CPU) as well as on Linux. The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423″ in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. The Geekwisdom password strength meter rates it “mediocre”.

See more here and here.

Thanks to Dejan for bringing this to my attention.

New security cartoon site: securitycartoon.com by Sukamol Srikwan & Markus Jakobsson. It has:

• geek dictionary
• spoofing
• malware
• phishing
• pharming
• passwords
• fightback
• etc.

Have a fun. :)

Here: Rare 17th Century work on Cryptography.

Title: Cryptomenytices et cryptographiae libri IX. In quibus & planissima Steganographiae à Johanne Trithemio, abbate Spanheymensi & Herbipolensi, admirandi ingenij viro, magicè & aenigmaticè olim conscriptae, enodatio traditur. Inspersis ubiquè authoris ac aliorum, non contemnendis inventis…

Author: Selenus, Gustavus [pseud. of August, Duke of Braunschweig-Luneburg]