Privacy Digest

News that can impact your privacy.

Cryptography

Best Practices for Government Datasets: Wrap-Up

Submitted by MacRonin on March 12, 2010 - 10:29am
  • Cryptography
  • Databases
  • digital signature
  • Editorial
  • Government
  • Hmmm
  • Security
  • Standards

Best Practices for Government Datasets: Wrap-Up: Via Freedom to Tinker.

[This is the fifth and final post in a series on best practices for government datasets by Harlan Yu and me. (previous posts: 1, 2, 3, 4)]

For our final post in this series, we'll discuss several issues not touched on by earlier posts, including data signing and the use of certain non-text file formats. The relatively brief discussions of these topics should not be interpreted as an indicator of their importance. The topics simply did not fit cleanly into earlier posts.

One significant omission from earlier posts is the issue of data signing with digital signatures. Before discussing this issue, let's briefly discuss what a digital signature is. Suppose that you want to email me an IOU for $100. Later, I may want to prove that the IOU came from you—it's of little value if you can claim that I made it up. Conversely, you may want the ability to prove whether the document has been altered. Otherwise, I could claim that you owe me $100,000. [ Read more ... ]


Wikibooks Cryptography Textbook

Submitted by MacRonin on March 11, 2010 - 6:39pm
  • Activists
  • Cryptography
  • Cryptography
  • Hmmm
  • Open Source

Wikibooks Cryptography Textbook: Via Schneier on Security.

Over at Wikibooks, they're trying to write an open source cryptography textbook.

Read Original Article:(Via Schneier on Security.)


DMCA Muscle Strong-Arms DVD Copying

Submitted by MacRonin on March 4, 2010 - 4:55pm
  • BitTorrent
  • Companies
  • Company Technology
  • Copyright
  • Court (US)
  • Cryptography
  • DMCA
  • DRM
  • Entertainment
  • Hmmm
  • Marilyn Hall Patel
  • MPAA
  • Person Career
  • Quotation
  • Rights

DMCA Muscle Strong-Arms DVD Copying: Via Threat Level.

Those awaiting a legitimate method to duplicate DVDs for personal use likely will have to wait even longer, perhaps forever, after RealNetworks tossed in the white towel and abandoned litigation toward that end.

RealNetworks spent almost two years in a legal battle with the Motion Picture Association of America, which sued the Seattle-based company to block the sale of its DVD-copying software and hardware -- generally known as RealDVD. The company said late Wednesday it was dropping its appeal of an August federal court decision that declared RealDVD an illegal violation of the Digital Millennium Copyright Act of 1998.

The act, which the Hollywood studios strongly lobbied for, prohibits the circumvention of encryption technology. DVDs are encrypted with what is known as the Content Scramble System, and DVD players must secure a license to play discs. RealDVD, U.S. District Judge Marilyn Hall Patel ruled, circumvents the CSS technology designed to prevent copying and is therefore a breach of the CSS license.

The litigation cost RealNetworks millions of dollars, including $4.5 million to reimburse the MPAA for its legal costs. The outcome cost Rob Glaser, RealNetworks’ CEO, his job. [ Read more ... ]


Web Certification Fail: Bad Assumptions Lead to Bad Technology

Submitted by MacRonin on February 23, 2010 - 4:05pm
  • Activists
  • Cryptography
  • Editorial
  • Hmmm
  • ID
  • Infrastructure
  • Privacy
  • Reviews
  • Security
  • Steve Bellovin

Web Certification Fail: Bad Assumptions Lead to Bad Technology: Via Freedom to Tinker.

It should be abundantly clear, from two recent posts here, that the current model for certifying the identity of web sites is deeply flawed. When you connect to a web site, and your browser displays an https URL and a happy lock or key icon indicating a secure connection, the odds that you're connecting to an impostor site, despite your browser's best efforts, are uncomfortably high.

How did this happen? The last two posts unpacked some of the detailed problems with the current system. Today I want to explore the root cause: today's system is based on wildly unrealistic assumptions about organizations and trust.

The theory behind the system is simple. Browser vendors will identify a set of Certificate Authorities (CAs) who are trusted to certify identities. Browsers will automatically accept any identity certificate issued by any of the trusted CAs.

The first step in making this system work is identifying some CA who is trusted by everybody in the world.

If that last sentence didn't strike you as odd, go back and read it again. That's right, the system assumes that there is some party who is trusted by everyone in the world -- a spectacularly naive assumption. [ Read more ... ]


Privacy Network Tor Suffers Breach

Submitted by MacRonin on January 25, 2010 - 7:20pm
  • Activists
  • Anonymity
  • Cryptography
  • Exploits
  • Hmmm
  • Infrastructure
  • P2P
  • Privacy
  • Private
  • Security
  • Software
  • Tor Suffers Breach
  • World

Privacy Network Tor Suffers Breach: Via InformationWeek.com.

The virtual network, Tor, designed to provide private and secure Web browsing to people around the world had a number of servers hacked recently. The Tor anonymous network is helpful to those living in nations that oppress free speech, such as China and Iran, and need unfettered access to information.


According to this post in the (Simple End-User Linux) SEUL.org discussion list, three of Tor's servers were compromised earlier this month; two were part of the network's directory structure:

In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.

The breach appears to have been for CPU capacity, according to the post. And the infiltrators were using the server to launch other attacks. [ Read more ... ]


EFF's 12 Trends to Watch in 2010

Submitted by MacRonin on January 23, 2010 - 5:46pm
  • Activists
  • Congress
  • Cryptography
  • Data Mining
  • Databases
  • Editorial
  • EFF
  • Entertainment
  • Government
  • GPS
  • Infrastructure
  • ISP - Internet Service Providers
  • Net Neutrality
  • P2P
  • Person Career
  • Privacy
  • Proposed Laws
  • Rights
  • Telecommunications
  • Windows
  • World

12 Trends to Watch in 2010: Via EFF.org Updates.

It's the dawn of a new year. From our perch on the frontier of electronic civil liberties, EFF has collected a list of a dozen important trends in law, technology and business that we think will play a significant role in shaping online rights in 2010.

In December, we'll revisit this post and see how it all worked out. [ Read more ... ]


Gmail takes the lead on email security

Submitted by MacRonin on January 13, 2010 - 4:21pm
  • Activists
  • Companies
  • Company Competitor
  • Cryptography
  • EFF
  • encryption
  • Google
  • Google
  • ID
  • Infrastructure
  • Privacy
  • Remember
  • Security
  • Website

Gmail takes the lead on email security: Via EFF.org Updates.

Last night, Google announced that Gmail sessions will now be fully encrypted with HTTPS by default. This is excellent news — EFF congratulates Google for taking this significant step to safeguard their users' privacy and security.

Previously, it was possible to encrypt your access to Gmail, but it required altering the default configuration. Now every Gmail user will get the benefits of encryption without needing to know that they need it.

With this development, Google has taken a clear two-step lead over its competition: other major hubs for personal communication such as Facebook, Yahoo! mail, Hotmail, and LiveJournal do not even make the use of HTTPS possible, let alone the default. A handful of smaller, specialist webmail providers do offer HTTPS, but Google is alone in bringing basic email security to the mainstream Web. [ Read more ... ]


Google Turns on Gmail Encryption (HTTPS) to Protect Wi-Fi Users

Submitted by MacRonin on January 13, 2010 - 2:50pm
  • Activists
  • Asia
  • Companies
  • Company Technology
  • Cryptography
  • encryption
  • Google
  • Google
  • Hmmm
  • ID
  • Infrastructure
  • Person Career
  • Privacy
  • Security
  • Website
  • Wi-Fi

Google Turns on Gmail Encryption to Protect Wi-Fi Users: Via Threat Level.

Google is now encrypting all Gmail traffic from its servers to its users in a bid to foil sniffers who sit in cafes, eavesdropping in on traffic passing by, the company announced Wednesday.

The change comes just a day after the company announced it might pull its offices from China after discovering concerted attempts to break into Gmail accounts of human rights activists. The switch to always-on HTTPS adds more security, but does not help prevent the kind of attacks Google announced Tuesday.

All Gmail users will now default to using HTTPS, the secure, encrypted method for communicating with a remote server, for their entire e-mail sessions, not just for log-in. Session-long HTTPS has been an official option for Gmail users since 2008 (and unofficial for much longer), but Google says it [ Read more ... ]


Judge Slams MPAA ‘Cartel’ Allegations

Submitted by MacRonin on January 11, 2010 - 1:20pm
  • Companies
  • Copyright
  • Court (US)
  • Cryptography
  • Decisions
  • DMCA
  • Entertainment
  • Hmmm
  • Judge
  • Marilyn Hall Patel
  • MPAA
  • Person Career
  • Rights
  • Sites Judge
  • Spin Zone

Judge Slams MPAA ‘Cartel’ Allegations: Via Threat Level.

A federal judge is slamming the door on RealNetworks’ argument the Hollywood studios are a “price-fixing cartel” illegally preventing the distribution of DVD-duplicating wares.

The Seattle-based electronics concern made the anti-trust argument in a failed bid to convince U.S. District Judge Marilyn Hall Patel in San Francisco to lift a distribution ban (.pdf) of its RealDVD software. It allows consumers to make copies of DVDs to hard drives.

The Motion Picture Association of America and others sued RealNetworks more than a year ago, claiming the software is illegal because it circumvents technology designed to prevent copying.

Patel’s decision means that, at least for the foreseeable future, it remains unlawful in the United States to market devices that copy DVDs. Despite a huge black market for them, the MPAA feared that, under a contrary ruling, it would lose control of the DVD as the music industry did the CD, which was not encrypted and protected by the Digital Millennium Copyright Act. [ Read more ... ]


More flash drive firms warn of security flaw; NIST investigates

Submitted by MacRonin on January 9, 2010 - 3:23pm
  • Alert
  • Bruce Schneier
  • Companies
  • Cryptography
  • encryption
  • Exploits
  • Government
  • Hardware
  • Hmmm
  • How-To
  • Person Career
  • Privacy
  • Product Issues
  • Product Recall
  • Quotation
  • Remember
  • Reviews
  • SanDisk Corp.
  • Security
  • Standards
  • Verbatim Corp.

More flash drive firms warn of security flaw; NIST investigates: Via Computerworld Security News.

The drives were certified to meet NIST standards

SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.

The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.

"It's really onerous. It's a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it," said cryptographer and computer security specialist Bruce Schneier. [ Read more ... ]


FIPS 140-2 Level 2 Certified USB Memory Stick Cracked

Submitted by MacRonin on January 8, 2010 - 10:57am
  • Activists
  • Alert
  • Cryptography
  • Government
  • Hardware
  • Hmmm
  • How-To
  • Privacy
  • Remember
  • Reviews
  • Security
  • Software
  • Standards

FIPS 140-2 Level 2 Certified USB Memory Stick Cracked: Via Schneier on Security.

Kind of a dumb mistake:

The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers' nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations -- and this is the case for all USB Flash drives of this type.

Cracking the drives is therefore quite simple. The SySS experts wrote a small tool for the active password entry program's RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.

Nice piece of analysis work.

The article goes on to question the value of the FIPS certification: [ Read more ... ]


FaceBook App Maker (RockYou) Hit With Data-Breach Class Action

Submitted by MacRonin on December 30, 2009 - 3:20pm
  • Alert
  • Companies
  • Court (US)
  • Cryptography
  • Data Breach
  • Databases
  • Facebook
  • Hmmm
  • ID
  • Privacy
  • Quotation
  • Remember
  • Security
  • Website

FaceBook App Maker Hit With Data-Breach Class Action: Via Threat Level.

RockYou, the popular provider of third-party apps for Facebook, Myspace and other social-networking services, is being hit with a proposed class-action accusing the company of having such poor data security that at least one hacker got away with 32 million e-mails and their passwords.

The suit accuses the maker of apps like “Slideshow” for MySpace and “Superwall” for Facebook of making its unencrypted customer data “available to even the least capable hacker.”

“RockYou failed to use hashing, salting or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security,” according to the Monday complaint in San Francisco federal court. [ Read more ... ]


Hackers claim victory in cracking Amazon Kindle DRM

Submitted by MacRonin on December 23, 2009 - 3:28pm
  • Amazon
  • Amazon.com
  • Companies
  • Cryptography
  • DRM
  • Entertainment
  • Hmmm
  • Security
  • Software

Hackers claim victory in cracking Amazon Kindle DRM: Via Computerworld Security News.

Amazon.com's Kindle e-book reader is coming under assault by hackers, who say they've figured out ways to export protected content for use on other devices.

Amazon sells content for the Kindle in an ".azw" format, some of which has DRM (digital rights management) technology, which prevents a file from being transferred to an unauthorized device.

But one hacker, who goes by the handle "I love cabbages," with a heart to designate "love," developed a program called "Unswindle" that can convert books stored in the Kindle for PC application into a different file format that can then be imported to another device. Unswindle must be used with MobiDeDRM, another hacker program that can convert protected Amazon content. [ Read more ... ]


Defeating Microsoft BitLocker

Submitted by MacRonin on December 21, 2009 - 11:56am
  • Activists
  • Alert
  • Cryptography
  • DRM
  • Exploits
  • Hmmm
  • How-To
  • Microsoft
  • Privacy
  • Remember
  • Security

Defeating Microsoft BitLocker: Via Schneier on Security.

Defeating BitLocker, even with a TPM.

Related.

Read Original Article:(Via Schneier on Security.)


Predator drones use less encryption than your TV, DVDs

Submitted by MacRonin on December 17, 2009 - 2:04pm
  • Cryptography
  • DoD - Department of Defense
  • encryption
  • Government
  • Hardware
  • Hmmm
  • Law & Disorder Section - Ars Technica
  • Privacy
  • Security
  • Surveillance
  • Technology
  • World

Predator drones use less encryption than your TV, DVDs: Via Law & Disorder Section - Ars Technica.

What three-letter Internet acronym best fits the bizarre news out of Iraq and Afghanistan that militants there have been intercepting US Predator drone video feeds using laptops and a $30 piece of Russian software: LOL, WTF, or OMG? [ Read more ... ]


Verizon: Data Breaches Getting More Sophisticated

Submitted by MacRonin on December 10, 2009 - 4:24pm
  • attacker
  • bank
  • Companies
  • Cryptography
  • Data Breach
  • Databases
  • Exploits
  • Hmmm
  • Infrastructure
  • Privacy
  • Quotation
  • Remember
  • Reports
  • Security
  • Verizon
  • Verizon

Verizon: Data Breaches Getting More Sophisticated: Via Threat Level.

Methods of stealing data are becoming increasingly sophisticated, but attackers are still gaining initial access to networks through known, preventable vulnerabilities, according to a report released by Verizon Business on Wednesday.

“Attacks are getting more sophisticated and more difficult to prevent,” said Wade Baker, research and intelligence principal for Verizon Business’s RISK Team, in an interview. “The attackers still usually get in the network through some relatively mundane attacks. But once they’re in, they’re getting more and more adept at getting the data they want and getting it effectively and silently. And we seem to be on a plateau in terms of our ability to detect [them].”

For example, while companies have been expanding their use of encryption to protect bank card data in transit and in storage, hackers have begun to use RAM scrapers to grab data during the few seconds it’s unencrypted and transactions are being authorized. [ Read more ... ]


AOL Ditches Security Tokens To Make Logging In Easier

Submitted by MacRonin on December 6, 2009 - 5:15pm
  • AOL
  • AOL
  • Cryptography
  • Hmmm
  • ID
  • Infrastructure
  • ISP - Internet Service Providers
  • Natural Disaster
  • Person Career
  • Privacy
  • Security
  • Time Warner

AOL Ditches Security Tokens To Make Logging In Easier: Via Threat Level.

AOL customers who sprang for the company’s $10 “PassCode” security token to harden their account can get ready to toss their fancy crypto-numeric keyfobs in the same landfill as all those CD-ROMs AOL mailed them in the 1990s.

As the Virginia-based company prepares for its December 10 spin off from Time Warner, it’s telling customers that it will no longer support RSA’s SecurID tokens, which it began offering as an optional extra in 2004. AOL drew accolades from security types at the time, for what was ballyhooed as the first broad consumer deployment of two-factor authentication. [ Read more ... ]


Browse Anonymously on Your Android Phone With Tor

Submitted by MacRonin on October 25, 2009 - 8:19pm
  • Android
  • Anonymity
  • Company Technology
  • Cryptography
  • Google
  • Hmmm
  • Nathan Freitas
  • Open Source
  • Person Career
  • Privacy
  • Security
  • Software
  • TOR

Browse Anonymously on Your Android Phone With Tor: Via OStatic.

Many people use the open source application Tor on the desktop for anonymous browsing sessions. Thanks to a grant from the UC Berkeley Human Rights Center Mobile Challenge and the team behind The Guardian Project, now Android mobile phone owners can use Tor to browse privately on their handheld devices, too.

"We have successfully ported the native C Tor app to Android and built an Android application bundle that installs, runs and provides the glue needed to make it useful to end users…. secure, anonymous access to the web via Tor on Android is now a reality," writes Guardian Project team member Nathan Freitas. [ Read more ... ]


"Evil Maid" Attacks on Encrypted Hard Drives

Submitted by MacRonin on October 23, 2009 - 7:19am
  • Activists
  • Alert
  • attacker
  • Cryptography
  • encryption
  • Exploits
  • Hmmm
  • Maid
  • Person Career
  • Person Travel
  • Privacy
  • Remember
  • Security

"Evil Maid" Attacks on Encrypted Hard Drives: Via Schneier on Security.

Earlier this month, Joanna Rutkowska implemented the "evil maid" attack against TrueCrypt. The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. Basically, the attack works like this:

Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume. The attacker writes a hacked bootloader onto your system, then shuts it down.

Step 2: You boot your computer using the attacker's hacked bootloader, entering your encryption key. Once the disk is unlocked, the hacked bootloader does its mischief. It might install malware to capture the key and send it over the Internet somewhere, or store it in some location on the disk to be retrieved later, or whatever. [ Read more ... ]


Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack

Submitted by MacRonin on October 13, 2009 - 9:35am
  • Albert Gonzalez
  • bank
  • Companies
  • Company Founded
  • Company Location
  • Company Technology
  • Conviction
  • Cryptography
  • Data Breach
  • Databases
  • Exploits
  • Hmmm
  • ID
  • Person Attributes
  • Person Career
  • Privacy
  • Quotation
  • Remember
  • Security
  • Spin Zone
  • TJX
  • VPN
  • Wal-Mart
  • Wal-Mart stores
  • Zoe Strickland

Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack: Via Threat Level.

Wal-Mart was the victim of a serious security breach in 2005 and 2006 in which hackers targeted the development team in charge of the chain’s point-of-sale system and siphoned source code and other sensitive data to a computer in Eastern Europe, Wired.com has learned.

Internal documents reveal for the first time that the nation’s largest retailer was among the earliest targets of a wave of cyberattacks that went after the bank-card processing systems of brick-and-mortar stores around the United States beginning in 2005. The details of the breach, and the company’s challenges in reconstructing what happened, shed new light on the vulnerable state of retail security at the time, despite card-processing security standards that had been in place since 2001.

In response to inquiries from Wired.com, the company acknowledged the hack attack, which it calls an “internal issue.” Because no sensitive customer data was stolen, Wal-Mart had no obligation to disclose the breach publicly.

Wal-Mart had a number of security vulnerabilities at the time of the attack, according to internal security assessments seen by Wired.com, and acknowledged as genuine by Wal-Mart. For example, at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, were housed on company networks in unencrypted form. [ Read more ... ]


Breaking Vanish: A Story of Security Research in Action

Submitted by MacRonin on September 29, 2009 - 12:02pm
  • Activists
  • Alex Halderman
  • Anonymity
  • Brent Waters
  • Christopher Rossbach
  • Cryptography
  • Databases
  • Emmett Witchel
  • Hmmm
  • How-To
  • Nadia Heninger (Princeton)
  • P2P
  • Person Communication
  • Privacy
  • Reports
  • Reviews
  • Roxana Geambasu
  • Scott Wolchok
  • Security
  • Texas

Breaking Vanish: A Story of Security Research in Action: Via Freedom to Tinker.

Today, seven colleagues and I released a new paper, "Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs". The paper's authors are Scott Wolchok (Michigan), Owen Hofmann (Texas), Nadia Heninger (Princeton), me, Alex Halderman (Michigan), Christopher Rossbach (Texas), Brent Waters (Texas), and Emmett Witchel (Texas).

Our paper is the next chapter in an interesting story about the making, breaking, and possible fixing of security systems. [ Read more ... ]


NSW seeks to build 'unhackable' netbook network (Australia)

Submitted by MacRonin on September 27, 2009 - 3:31pm
  • Academia
  • Australia
  • Companies
  • Company Technology
  • Cryptography
  • DRM
  • Government
  • Hmmm
  • ID
  • News - iTnews.com.
  • Person Career
  • Privacy
  • RFID
  • Security
  • Tracking

NSW seeks to build 'unhackable' netbook network: Via Security - Technology - News - iTnews.com.au.

The NSW Department of Education is using asset-tracking software, RFID tags, and BIOS-embedded filtering smarts to roll out 240,000 netbook computers into what CIO Stephen Wilson calls "the most hostile environment you can roll computers into" - the local high school.

The rollout of Lenovo netbooks, funded under the Federal Government's Digital Education Revolution initiative, is a massive logistical and IT security challenge, and the solution Wilson and his team has put together to address these issues could well be applicable to any corporate IT department. [ Read more ... ]


Hey, TI, Leave Those Kids Alone / Fighting hobbyists with the DMCA

Submitted by MacRonin on September 26, 2009 - 10:45am
  • Companies
  • Company Technology
  • Cryptography
  • DMCA
  • DRM
  • Editorial
  • Hmmm
  • operating system
  • Rights

Hey, TI, Leave Those Kids Alone: Via EFF.org Updates.

Graphing calculators have long inspired geeks in remarkable ways. But, sadly, rather than celebrating the hobbyists that love their programmable calculators, Texas Instruments has set the lawyers loose on them, invoking the Digital Millennium Copyright Act (DMCA).

The story is a familiar one: hobbyists started tinkering with their calculators, intent on improving them, much like gearheads have been doing with cars for generations. But TI’s programmable graphing calculators perform a signature check that only allows a signed operating system to be loaded onto the hardware. That didn't stop our intrepid tinkers, however. Researchers used distributed computing to perform a brute-force cryptanalysis of the public keys embedded in each model of calculator to derive the corresponding private keys. (When the keys were discovered, people in the programmer community were excited. Some saw this as the first real world example of "angry mob cryptanalysis," an attack by a bunch of people getting together on the Internet to crack your key.) [ Read more ... ]


Texas Instruments Signing Keys Broken

Submitted by MacRonin on September 25, 2009 - 12:00pm
  • Activists
  • Alert
  • Company Technology
  • Court (US)
  • Cryptography
  • DMCA
  • Hmmm
  • Security
  • Texas Instruments

Texas Instruments Signing Keys Broken: Via Schneier on Security.

Texas Instruments' calculators use RSA digital signatures to authenticate any updates to their operating system. Unfortunately, their signing keys are too short: 512 bits. Earlier this month, a collaborative effort factored the moduli and published the private keys. Texas Instruments responded by threatening websites that published the keys with the DMCA, but it's too late. [ Read more ... ]


SLIDESHOW: 60 years of cryptography - CIO Blast from the Past

Submitted by MacRonin on September 21, 2009 - 9:55pm
  • CIO
  • Cryptography
  • Hmmm
  • Privacy
  • Security

SLIDESHOW: CIO Blast from the Past - 60 years of cryptography - cryptography, history: Via CIO Blast from the Past.

2009 marks 60 years of computer cryptography and CIO takes a tour of the history of secure communication.

Read Original Article: (Via CIO Blast from the Past.)


Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.