Dragan on Security

I had already written the post about NIST Competition for New Cryptographic Hash Function on my blog. Here are updates based on article by William E. Burr, “A New Hash Competition”, IEEE Security and Privacy, vol. 6,  no. 3,  pp. 60-62,  May/Jun,  2008.

Author says in abstract:

Since the discovery of collision attacks against several well-known cryptographic hash functions in 2004, a rush of new cryptanalytic results cast doubt on the current hash function standards. The relatively new NIST SHA-2 standards aren’t yet immediately threatened, but their long-term viability is now in question. The US National Institute of Standards and Technology (NIST) has therefore begun an international competition to select a new SHA-3 standard. This article outlines the competition, its rules, the requirements for the hash function candidates, and the process that NIST will use to select the final winning SHA-3 standard.

And then, in article:

NIST expects to launch a Hash Competition Conference to review the initial submissions in February 2009; the second conference will occur roughly a year later in 2010 to review public comments submitted on the submissions and their analysis. Following this second conference, NIST will select a small number of finalist candidates (probably five or so) for intensive review by the community. If, as we expect, we get 20 or more initial submissions, we’ll inevitably hear some disagreements about the finalists, but we can only intensively analyze a small number of algorithms, and, as in the AES competition, all the finalists will be good hash functions, although we might have to drop some worthy submissions.

Cryptanalysis of the finalists will be the tricky part—the time that skilled cryptanalysts can donate is the limiting resource here.

NIST is building up its limited cryptanalytic resources, but will rely heavily on the global cryptographic research community to do the bulk of the cryptanalysis. If the AES competition is any model, many analysis papers on the candidates will be submitted to various conferences. NIST will tentatively review the cryptanalysis results and review performance in a third workshop scheduled for 2012, after which they will select a winner.

The winning team might get nothing but glory for their huge effort. NIST expects the best people in the world to participate, as they did in the AES competition, because the community believes an open competition is the best way to select cryptographic standards. NIST expects to work hard, have fun, and significantly advance the state of the art while giving the world a valuable, secure hash function standard.

We Are Sorry to Inform You - about rejected papers of famous researchers.

Also interesting: “Once upon a time there was a little-known patent clerk in Bern who received a disappointing annual performance review in ‘05 - Annual Performance Review: Albert Einstein“.

You’ll probably be surprised when you see this.

I was on holidays when new release of WordPress 2.5.1 came out. And I wanted to upgrade immediately from 2.5.0. to new version. But I haven’t got computer with me and had just mobile phone (Nokia N95) with its browser. Anyhow, I decided to try automatic upgrade from mobile. I took the huge risk (I thought). And… it worked fine. Everything was easy and went smoothly with upgrade.

Congratulations to WordPress team. That is really exceptional.

Do you owe cell phone? Yes, of course. Then read this: Cell Phone Spying: Is Your Life Being Monitored?

It says:

It connects you to the world, but your cell phone could also be giving anyone from your boss to your wife a window into your every move.  The same technology that lets you stay in touch on-the-go can now let others tap into your private world — without you ever even suspecting something is awry.

and

You don’t have to plant a CIA-style bug to conduct surveillance any more.  A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

Also:

Dozens of programs are available that’ll turn any cell phone into a high-tech, long-range listening device.  And the scariest part?  They run virtually undetectable to the average eye.

Take, for example, Flexispy.  The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.”  Its tools use a phone’s microphone to let you hear essentially any conversations within earshot.  Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on.  The phone won’t even ring, and its owner will have no idea you are virtually there at his side.

Is that legal?

You won’t find it on the flashy front page, but buried a bit further in the site, the company says you’re fine to use their program only “on a phone that you own, for protecting your children,” or for purposes like “archiving data.”  It’s a bit of a contrast from the bold suggestions of “uncover[ing] employee espionage,” “catch[ing] cheating husbands,” and “bug[ging] meeting rooms” that fill the company’s materials.  After a little more explanation, their answer as to the legality of the service ends with a broad statement: “Please consult a qualified lawyer in your country for the correct answer to this question.”

Let me make it easier for you: Once you get into listening in to private conversations without either party’s consent, you’re treading rough water that could sweep you straight into jail.  Whether it’s an employee or a spouse on the receiving end of your mission, neither federal nor state privacy laws take violations lightly in America.  Getting caught could cost you several years behind bars, among other serious penalties.

And can it be detected?

Finding spyware on your phone isn’t easy.  There are dozens of bug detectors available from surveillance companies, but the only true fix is taking your phone to your provider and having them wipe it out altogether.  That will restore the factory settings and clear out any hidden software that’s running on your phone.

Scary, isn’t it? I would strongly suggest to keep your hands far from this.

But also I would suggest to use security software for your cell. For example, there is F-Secure Mobile and I have been using it for some time. Two products can be very helpfull F-Secure Mobile Anti-Virus(TM) and F-Secure Mobile Security(TM). Here are some details:

F-Secure Mobile Anti-Virus(TM)

• F-Secure Mobile Anti-Virus(TM) is easy to use and does not require excess device resources or unnecessary user interaction.
• It automatically scans all files in the background, both in the device and on the memory cards.
• When an infected file is detected it is immediately quarantined to protect all other data in the system.
• The antivirus database is updated invisibly in the background when a data connection is used for emails, web browsing etc.

F-Secure Mobile Security(TM)

• F-Secure Mobile Security enables secure mobile computing by combining an integrated antivirus and firewall.
• Device-recident protection safeguards the mobile device from any type of attack, from intrusion attempts to malware.
• The solution delivers invisible and automated safety through real-time, on-device protection with easy to use firewall rule sets and automatic over-the-air antivirus updates
• F-Secure Mobile Security scans both incoming and outgoing internet/network data packets. It stops malicious, unwanted, harmful, or possibly dangerous packets.
• F-Secure Mobile Security is designed to be easy to use and delivers protection without need for unnecessary user intervention.

We can expect much more to come soon.