December 30, 2008 in Technology
An encrypted digital certificate is used to assure you that you’re really on the website you think you are. But what if the certificate can be faked? That’s the scary scenario painted by researchers at UC Berkeley, who have found a way to crack the MD5 hash used to encrypt some certificates…
The researchers say they implemented an attack laid out theoretically in a published paper last year. To pull off their substitution, the researchers had to generate a CA certificate and a website certificate that would produce the same MD5 hash — otherwise the digital signature wouldn’t match the modified certificate. The effort was complicated by two variables in the signed certificate that they couldn’t control: the serial number and the validity period. To do the actual math of finding the MD5 collision, they used the “PlayStation Lab,” a research cluster of about 200 PlayStation 3s wired together at the EPFL in Lausanne, Switzerland. Using the powerful processors, they were able to crunch out their forgery in about three days.
They recommend signing authorities switch to a newer encryption method and drop MD5, but such changes will take time to occur worldwide. Most certifying authorities have abandoned MD5, but some continue to use it.
Researchers Use PlayStation Cluster to Forge a Web Skeleton Key, Threat Level, Wired
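The defensive check that follows from the article is to find out whether any certificate you trust is still signed with MD5. This added example (not code from the article or from the researchers) walks the outer DER structure of an X.509 certificate with only the standard library and reports the signatureAlgorithm OID; the "certificate" it parses is a constructed skeleton with an empty body, but the same function accepts a real DER certificate such as the one `ssl` returns from `getpeercert(binary_form=True)`.

```python
# Added example: detect md5WithRSAEncryption in a certificate's signatureAlgorithm.
# Standard library only; the certificate bytes below are a constructed skeleton.
MD5_RSA_OID = "1.2.840.113549.1.1.4"       # md5WithRSAEncryption
SHA256_RSA_OID = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption

def der_len(n):                     # DER length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):                 # one TLV element
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):             # dotted string -> OBJECT IDENTIFIER element
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:              # base-128, high bit set on all but the last byte
        chunk = bytearray([v & 0x7F]); v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F)); v >>= 7
        out += chunk
    return der(0x06, bytes(out))

def read_tlv(buf, pos):             # returns (tag, body, position after element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):               # OBJECT IDENTIFIER body -> dotted string
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, cert, _ = read_tlv(cert_der, 0)
    _, _tbs, pos = read_tlv(cert, 0)            # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)             # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = read_tlv(alg, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid_body)

def uses_md5(cert_der):
    return signature_algorithm(cert_der) == MD5_RSA_OID

def toy_cert(alg_oid):
    # Constructed skeleton: empty tbsCertificate, AlgorithmIdentifier with NULL params, empty signature.
    alg = der(0x30, encode_oid(alg_oid) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))
```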
December 17, 2008 in Intelligence
The Israeli Defense Minister Ehud Barak warned the U.S. that allowing Iran to go nuclear could have the worst consequences for the United States. With Russian assistance, a nuclear Iran now seems almost certain:
“If it built even a primitive nuclear weapon like the type that destroyed Hiroshima, Iran would not hesitate to load it on a ship, arm it with a detonator operated by GPS and sail it into a vital port on the east coast of North America,” Mr Barak told a conference of the Institute for National Security Studies at Tel Aviv University. Indicating the possibility of an Israeli military strike on Iran, Mr Barak said: “We are not taking any option off the table, and we recommend to the world not to take any option off the table, and we mean what we say.”
Israel: Iran could attack US with nuclear bomb, London Telegraph
December 14, 2008 in Intelligence
Newsweek looks back at the battle between President Bush and the Justice Department about the scope and manner of one particular NSA surveillance program. The article describes a large data mining effort which analyzed patterns in email and phone traffic…
The NSA’s powerful computers became vast storehouses of “metadata.” They collected the telephone numbers of callers and recipients in the United States, and the time and duration of the calls. They also collected and stored the subject lines of e-mails, the times they were sent, and the addresses of both senders and recipients. By one estimate, the amount of data the NSA could suck up in close to real time was equivalent to one quarter of the entire Encyclopaedia Britannica per second. (The actual content of calls and e-mails was not being monitored as part of this aspect of the program, the sources say.) All this metadata was then sifted by the NSA, using complex algorithms to detect patterns and links that might indicate terrorist activity.
The battle started when Jack Goldsmith at the US Justice Department reviewed the legal justification of the program and believed it to be illegal, an opinion which continues to be debatable.
The identity of the person who called The New York Times has also been revealed. It was Thomas Tamm (also at USDOJ), who was “motivated in part by his anger at other Bush-administration policies at the Justice Department.” Newsweek calls him a “whistleblower who exposed warrantless wiretaps”. It is ironic that Tamm was disturbed by the legality of the methods of intelligence gathering, while less concerned about his own disclosure of classified information to the press. Was there really no internal mechanism for dealing with his concerns?
Now We Know What the Battle Was About, Newsweek
The Whistleblower Who Exposed Warrantless Wiretaps, Newsweek
December 9, 2008 in Technology
Isn’t the concept of wireless security an oxymoron? A recent congressional report says so. InfoWorld’s Ephraim Schwartz says:
The fact is when it comes to security if you’re using a wireless device for voice or data you might as well be standing in any international airport and speaking to a colleague over a megaphone. Oh, and you might want to slow down from time to time to let the crowd around you take notes.
The report recommends the creation of a domestic department to maintain “sufficient manufacturing capabilities” at home to supply components and software that are not dependent on a global supply chain.
Some secure equipment is currently available, but it can be expensive. The Sectéra Edge can use commercial cellular bandwidth and is certified on AT&T, T-Mobile, and Sprint cellular networks, with Verizon due in January. The device goes for $3,150 with a one-year warranty.
No such thing as mobile security?, Info World
Cybersecurity report offers Obama some far-reaching recommendations, Info World
November 19, 2008 in Society
After listening to the left criticize President Bush for eight years, we move into the era of a new party in the White House, and the party out of power becomes the vocal critic. Unfortunately, I’m already hearing some sink to the same low arguments I was hearing from the left. So I’d like to know, where can I hear the intelligent discourse?

November 17, 2008 in Society
By Chip Hammond. The American Humanist Association has put up some $40,000 to run a “holiday ad campaign” on D.C. Metro buses. The mobile billboards read, “Why believe in a god? Be good for goodness sake.” I’ve heard people who should know better trying to make the case that these ads should be taken down because they “violate the separation clause of the first amendment.” Nonsense. No aspect of government is displaying these. It is paid advertising, and provided it is not obscene, as long as Metro takes everyone’s paid advertising, people can ask the questions they want, be it in magazines, newspapers, or on billboards. There are, however, two problems with the ad campaign…
November 15, 2008 in Technology
The trades are all talking about a new WPA hack, but is it really a big deal? The media would have you believe so, but Steve Gibson explains exactly what has happened, and what to do to protect your wireless network, on the latest episode of Security Now.
At this point, hackers have discovered that TKIP and QOS together enable them to be a nuisance to your wireless network, but it isn’t a complete hack… yet. It is something that could become a point of vulnerability, so it’s a good idea to move toward shutting down the possibility.
Basically, turn off the TKIP protocol and use AES (the CCMP protocol), and don’t use QOS (Quality of Service, a.k.a. WMM) on wireless (VoIP traffic should be connected to your wired router ports, or placed in front of your router). The combination of TKIP and QOS creates the vulnerability, since QOS channels allow more attempts at the crack. Another way to defeat the vulnerability is to reduce the key lifetime to 11 minutes, instead of the default 60 minutes, since it takes a minimum of 12 minutes to perform the hack.
Many routers don’t have QOS, and a lot of routers and wireless devices don’t have AES. But if your equipment is new and WPA2 certified, you probably can switch to AES and turn off the TKIP protocol to be safe.
The TKIP Hack, Security Now, Episode 170
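The three settings above map onto a handful of access-point options, so they can be audited mechanically. This added example (not from Security Now or Steve Gibson) checks a hostapd configuration against the advice in the post: TKIP allowed as a pairwise cipher, WMM/QoS enabled, and a group key lifetime at or above the 12-minute floor the attack needs. The configuration text is constructed; the hostapd keys `wpa_pairwise`, `rsn_pairwise`, `wmm_enabled` and `wpa_group_rekey` (seconds) are real, but treating `wpa_group_rekey` as the router-GUI “key lifetime” the post refers to is an assumption.

```python
# Added example: audit and harden a hostapd.conf against the TKIP/QoS advice.
TKIP_ATTACK_FLOOR_SECONDS = 12 * 60   # the post: the attack needs at least 12 minutes
RECOMMENDED_REKEY_SECONDS = 11 * 60   # the post's suggested 11-minute key lifetime

# Constructed sample config with the weak settings (TKIP, WMM on, 60-minute rekey).
WEAK_CONF = """\
interface=wlan0
ssid=home-net
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wmm_enabled=1
wpa_group_rekey=3600
"""

def parse_conf(text):
    """Minimal key=value parser for hostapd.conf (comments and blanks skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return a list of findings; an empty list means the config follows the advice."""
    findings = []
    ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP enabled: allow only CCMP (AES) in wpa_pairwise/rsn_pairwise")
    if conf.get("wmm_enabled") == "1":
        findings.append("WMM/QoS enabled: the extra QoS channels give the TKIP attack more attempts")
    rekey = conf.get("wpa_group_rekey")   # assumed mapping of the post's "key lifetime"
    if "TKIP" in ciphers and (rekey is None or int(rekey) >= TKIP_ATTACK_FLOOR_SECONDS):
        findings.append(f"group key lifetime {rekey}s is not below {TKIP_ATTACK_FLOOR_SECONDS}s: "
                        f"set wpa_group_rekey={RECOMMENDED_REKEY_SECONDS}")
    return findings

def harden(conf):
    """Apply all three recommendations: CCMP only, WMM off, short key lifetime."""
    fixed = dict(conf)
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if key in fixed:
            fixed[key] = "CCMP"
    fixed["wmm_enabled"] = "0"
    fixed["wpa_group_rekey"] = str(RECOMMENDED_REKEY_SECONDS)
    return fixed
```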