Recently in Privacy Category

This has been up for a couple of weeks (it's taken me that long to find an hour to watch), but it's definitely worth passing along. It's a talk given at Google by Harvard Professor Dr. Christopher Thorpe on cryptography titled "Efficient, Secrecy-Preserving, Provably Correct Computation (and Some Cool Applications). It goes beyond some of the very basic crypto that most of us understand into interesting and much more recent ideas.

What makes this video remarkable isn't the crypto he's discussing, it's that he makes it accessible to someone who has forgotten most of their math (such as me). In fact, an attentive viewer with little more than a high-school algebra education can follow most of it.
New type of cryptographic attack announced

This certainly has potential to be huge, but it's still too early to tell. If the technique can be directly applied against the common ciphers listed below, then it could render these ciphers completely impotent against a dedicated attacker.

From ComputerWorld:

Adi Shamir, who is the S in RSA, has presented material at the Crypto 2008 conference that has promised a new form of mathematical attack against a broad range of cryptographic ciphers, including hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES). The new method of cryptanalysis has been called a "cube attack" and formed part of Shamir's invited presentation at Crypto 2008 - "How to solve it: New Techniques in Algebraic Cryptanalysis".
* * *
Without access to the paper (expected to be published later this year), the full scope of the discovery can't be easily determined. It may be that it delivers an order of magnitude improvement over existing methods, but implementation will still take such a long period of time that it is effectively impractical for attack against time sensitive content. Then again, it may be that it has brought it into a viable timeframe, something that can be achieved with a handful of modern machines - nothing that is too far out of reach of the motivated and resourced attacker. [From Computerworld - New attack against multiple encryption functions]
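
To make the idea behind a cube attack concrete, here is an added toy demonstration in Python. It is not from the Computerworld article, from Shamir's talk, or from this blog; the keyed function `toy_cipher`, its three public and three key bits, and the cube choices are all constructed for illustration. The analyst treats the cipher as a black box, picks a subset of the public input bits (the cube), and XORs the output over every assignment of those bits with the remaining public bits fixed to zero. For a well chosen cube that sum is a low-degree polynomial in the key bits (the superpoly); when it is linear, each cube yields one linear equation, and enough independent equations recover the key.

```python
"""Toy cube attack over GF(2).

Added illustration only: `toy_cipher` is a constructed polynomial, not a real
cipher, and the whole flow is a teaching model of the technique, not code
from Shamir's paper or from any real cryptanalysis tool.
"""
import itertools

N_PUBLIC, N_KEY = 3, 3   # constructed sizes: 3 public (plaintext/IV) bits, 3 key bits


def toy_cipher(x, k):
    """Constructed keyed Boolean function f(x, k); x = public bits, k = key bits."""
    return ((x[0] & x[1] & (k[0] ^ k[1]))
            ^ (x[0] & x[2] & (k[2] ^ 1))
            ^ (x[1] & x[2] & (k[1] ^ k[2]))
            ^ (x[0] & k[0] & k[2])
            ^ (k[0] & k[1] & k[2])
            ^ (x[1] & k[1])
            ^ 1)


def cube_sum(f, cube, key, n_public=N_PUBLIC):
    """XOR of f over all 2^|cube| assignments of the cube bits, other public
    bits held at 0.  The result is the superpoly p_cube(key)."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        x = [0] * n_public
        for idx, b in zip(cube, bits):
            x[idx] = b
        total ^= f(x, key)
    return total


def recover_superpoly(f, cube, n_key=N_KEY):
    """Offline phase: the analyst may choose keys freely.
    Returns (const, coeffs) meaning p(k) = const ^ XOR_i coeffs[i]*k[i],
    or None when the superpoly is not linear in k (BLR linearity test fails).
    The linearity check is exhaustive here because the key is tiny; real
    attacks use random probes."""
    zero = [0] * n_key
    const = cube_sum(f, cube, zero)
    coeffs = []
    for i in range(n_key):
        unit = [0] * n_key
        unit[i] = 1
        coeffs.append(cube_sum(f, cube, unit) ^ const)
    for a in itertools.product((0, 1), repeat=n_key):
        for b in itertools.product((0, 1), repeat=n_key):
            ab = [u ^ v for u, v in zip(a, b)]
            if (cube_sum(f, cube, list(a)) ^ cube_sum(f, cube, list(b))
                    ^ const) != cube_sum(f, cube, ab):
                return None
    return const, coeffs


def solve_gf2(rows, n_unknowns):
    """Gaussian elimination over GF(2); rows are (coeffs, rhs).  Returns the
    solution list, or None if the system is not full rank."""
    m = [list(c) + [r] for c, r in rows]
    rank = 0
    for col in range(n_unknowns):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            return None
        m[rank], m[piv] = m[piv], m[rank]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                m[i] = [u ^ v for u, v in zip(m[i], m[rank])]
        rank += 1
    return [m[i][n_unknowns] for i in range(n_unknowns)]


def cube_attack(f, cubes, secret_key):
    """Online phase: only an oracle f(x, secret_key) is available.  Each cube
    whose superpoly was found linear offline yields one equation; solve them."""
    equations = [(cube, recover_superpoly(f, cube)) for cube in cubes]
    equations = [(c, sp) for c, sp in equations if sp is not None]

    def oracle(x, _unused_key=None):   # the attacker never sees secret_key
        return f(x, secret_key)

    rows = [(coeffs, cube_sum(oracle, cube, None) ^ const)
            for cube, (const, coeffs) in equations]
    return solve_gf2(rows, N_KEY)


if __name__ == "__main__":
    secret = [1, 0, 1]
    print(cube_attack(toy_cipher, [(0,), (0, 1), (0, 2), (1, 2)], secret))
```

For `toy_cipher` the cubes {x0,x1}, {x0,x2} and {x1,x2} give the superpolys k0+k1, k2+1 and k1+k2, which is a full-rank system, while the single-bit cube {x0} is rejected by the linearity test because its superpoly is k0·k2. The expensive part of a real cube attack is this offline search for cubes with linear superpolys; the online phase is just 2^|cube| chosen-input queries per equation plus linear algebra, which is why the technique is dangerous for any primitive whose output has low algebraic degree in the secret.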

Clearly, the mortgage industry had its hands full before Friday's arrest of a Countrywide Financial Corp. employee for allegedly stealing sensitive personal information on up to two million mortgage applicants.

From CyberInsecure:

The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants. The security breach occurred over a two-year period through July. Countrywide detected the breach and alerted federal authorities, according to Suzy Martin, a spokeswoman for the company. [From Countrywide Financial Insider Steals And Sells Thousands Of Private Customer Records | CyberInsecure.com]

Congress targets behavioral advertising

Congress has decided to look into behavioral advertising. It will be interesting to see how the committee proceeds -- Congress doesn't have a sterling record in dealing with complex issues. On one hand, I hope they decide to forbid ISPs from the practice as the neutral carriers of traffic that they should be, but I'm not sure that intrusion would be warranted if the behavior tracking is internal to a site's operation (such as Amazon, Google, or Microsoft).

From arstechnica:

"Committee on Energy and Commerce" and "rampage" don't often appear in the same sentence, but the House committee is certainly on a tear when it comes to behavioral advertising. Not content with firing off a bipartisan list of sharp questions to ISPs who installed NebuAd traffic analysis hardware, the Committee on Friday expanded its nastygram list to include "33 leading Internet and broadband companies" including Google, Microsoft, Time Warner, AT&T, Verizon, and Comcast. Legislation on the issue could be coming. [From Congress wants privacy answers from Google, MS, AOL]

Timed to coincide with the FCC's decision against Comcast over network neutrality, the Free Software Foundation has released a tool that can test your ISP for violations.

From fsf.org:

"The sad truth is that the FCC is ill-equipped to detect ISPs interfering with your Internet connection," said Fred von Lohmann, EFF Senior Intellectual Property Attorney. "It's up to concerned Internet users to investigate possible network neutrality violations, and EFF's Switzerland software is designed to help with that effort. Comcast isn't the first, and certainly won't be the last, ISP to meddle surreptitiously with its subscribers' Internet communications for its own benefit."

"Until now, there hasn't been a reliable way to tell if somebody -- a hacker, an ISP, corporate firewall, or the Great Firewall of China -- is modifying your Internet traffic en route," said Peter Eckersley, EFF Staff Technologist and designer of Switzerland. "The few tests available have been for narrow and specific kinds of interference, or have required tremendous amounts of advanced forensic labor. Switzerland is designed to make general-purpose ISP testing faster and easier." [From EFF Releases "Switzerland" ISP Testing Tool - eff.org]

It looks like deniability may become a thing of the past, in which case the FCC might have its hands full in the foreseeable future. Perhaps some stiff fines would serve as a better deterrent than a slap on the wrist ...
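
As an added illustration of the idea the EFF describes, and not EFF's own code, the Python below models the comparison at the heart of such a tool: each endpoint fingerprints the packets it sends and receives, and the two records are reconciled to flag packets that were altered, dropped or injected en route. The flow, addresses and packet contents are constructed for the example.

```python
"""Detecting in-flight modification by comparing packet fingerprints taken at
both ends of a connection.  Added illustration of the approach behind EFF's
Switzerland tool; this is not EFF's code, and the traces below are constructed.
"""
import hashlib
from collections import namedtuple

Record = namedtuple("Record", "flow seq digest")

# Constructed flow: a client talking to a BitTorrent peer.
FLOW = ("10.0.0.1:51000", "192.0.2.10:6881")


def fingerprint(flow, seq, flags, payload):
    """One record per packet as seen at an endpoint.  Hashing the TCP flags
    together with the payload means a forged reset and an altered byte both
    show up as a digest mismatch, while fields that legitimately change in
    transit (TTL, checksums) are deliberately left out."""
    h = hashlib.sha256(flags.encode() + b"|" + payload).hexdigest()
    return Record(flow, seq, h[:16])


def compare_logs(sent, received):
    """Reconcile the sender's record of what it put on the wire with the
    receiver's record of what arrived.  Returns (flow, seq) lists:
      modified: same packet, different content
      dropped:  sent but never observed by the receiver
      injected: observed by the receiver but never sent (e.g. a forged RST)"""
    s = {(r.flow, r.seq): r.digest for r in sent}
    v = {(r.flow, r.seq): r.digest for r in received}
    return {
        "modified": sorted(k for k in s.keys() & v.keys() if s[k] != v[k]),
        "dropped": sorted(s.keys() - v.keys()),
        "injected": sorted(v.keys() - s.keys()),
    }


def build_sample_logs():
    """Constructed traces.  The sender's view is what it transmitted; the
    receiver's view shows one altered payload, one missing packet and one
    packet the sender never produced."""
    sent = [
        (1, "PSH,ACK", b"\x13BitTorrent protocol"),
        (2, "PSH,ACK", b"\x00\x00\x00\x01\x02"),
        (3, "PSH,ACK", b"\x00\x00\x00\x05\x04\x00\x00\x00\x07"),
        (4, "PSH,ACK", b"\x00\x00\x00\x01\x01"),
    ]
    received = [
        (1, "PSH,ACK", b"\x13BitTorrent protocol"),
        (2, "PSH,ACK", b"\x00\x00\x00\x01\x02"),
        (3, "PSH,ACK", b"\x00\x00\x00\x05\x04\x00\x00\x00\x08"),  # last byte altered in transit
        (1001, "RST", b""),                                        # reset the sender never sent
    ]
    return ([fingerprint(FLOW, *p) for p in sent],
            [fingerprint(FLOW, *p) for p in received])


def report():
    """Run the comparison over the constructed traces."""
    return compare_logs(*build_sample_logs())


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

Two points carry over from this model to any real deployment. First, a fingerprint must cover only the fields that should be invariant end to end; NAT rewrites addresses and ports and routers rewrite TTL and checksums, so hashing whole packets would report interference everywhere. Second, the two records have to meet somewhere neither endpoint's ISP can tamper with, which is why Switzerland relays them through a third party rather than over the connection being tested.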

The FCC has stopped short of fining Comcast over the p2p network throttling I mentioned several weeks ago.

From ZDNET:

The Federal Communications Commission on Friday ruled 3-2 that Comcast overstepped its network management authority by blocking BitTorrent peer to peer traffic, but stopped short of fining the cable company. The move clarifies the boundaries a bit for other carriers and sends the message that the FCC enforces network neutrality principles. [From FCC slaps Comcast's wrist over network neutrality; sets precedence -- zdnet.com]

A demonstration of teeth behind the net neutrality principles would have sent a clearer message to ISPs, though. Hopefully, the FCC will also start looking at mobile providers as well as home ISPs.

Just what the world needs, another Storm campaign. This is an example of the mixed threat that modern worms such as Storm and Kraken pose. It uses social engineering -- in this case threatening Facebook users' privacy -- to bring victims to a page that launches both browser-based threats (an iFrame attack) and a trojan horse download.

From the Trusted Source blog:

It's another new Storm campaign on the loose, with a minor change in the social-engineering trick. Mail with subjects like "FBI wants instant access to Facebook" is hitting users' inboxes at the moment. If a user follows the trick, he will be presented with the following web site:

[Screenshot: the fake "FBI vs. Facebook" web site, 2008-07-28]
As usual the fake web site is hosted on an infected Storm web proxy. The text states that "Your download will start shortly. If you are unable to read the article, save it in and run on your computer". If you follow the lure and click the link you'll end up with an executable named "fbi_facebook.exe". This is the malware - don't run it. Again the malware authors don't just rely on pure social-engineering, the web site also fires a set of browser exploits leveraging known vulnerabilities. [From TrustedSource - Blog - FBI vs. Facebook - Makes Any Sense?]

2008 data breach report released

The Identity Theft Resource Center has released the 2008 Breach List. The 117 page document identifies 377 specific breaches that expose 17,011,691 identities as of July 22. It's a very specific and interesting look into data breaches so far this year.

About the center:

Identity Theft Resource Center® (ITRC) is a nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft. The ITRC provides consumer and victim support as well as public education. The ITRC also advises governmental agencies, legislators, law enforcement, and businesses about the evolving and growing problem of identity theft. [From Identity Theft Resource Center | A Nonprofit Organization]
Here's the full report.

Encrypting the whole network

In a prime example of better living through math, the group behind the Pirate Bay wants to encrypt everything, or at least everything that moves across a network.

From newteevee.com:

The team behind the popular torrent site The Pirate Bay has started to work on a new encryption technology that could potentially protect all Internet traffic from prying eyes. The project, which is still in its initial stages, goes by the name "Transparent end-to-end encryption for the Internets," or IPETEE for short. It tackles encryption not on the application level, but on the network level, the aim being that all data exchanged on your PC would be encrypted, regardless of its nature -- be it a web browser streaming video files or an instant messaging client. As Pirate Bay co-founder Fredrik Neij (a.k.a. Tiamo) told me, "Even applications that don't support encryption will be encrypted where possible." [From The Pirate Bay Wants to Encrypt the Entire Internet « NewTeeVee]

This is sure to annoy Comcast. Here's the project page.

The United States was ranked 48th in press freedom in Reporters Without Borders' 2007 index. Countries with greater freedoms include Estonia, Bosnia, Ghana, and Taiwan.

From the announcement:

There were slightly fewer press freedom violations in the United States (48th) and blogger Josh Wolf was freed after 224 days in prison. But the detention of Al-Jazeera's Sudanese cameraman, Sami Al-Haj, since 13 June 2002 at the military base of Guantanamo and the murder of Chauncey Bailey in Oakland in August mean the United States is still unable to join the lead group. [From Reporters sans frontières - Annual Worldwide Press Freedom Index - 2007]

Here's a link to the index itself, and its methodology.

Catching up after a brief vacation

I've been on the road for almost a week and am finally able to catch up on everything, so here are some of the more interesting tidbits that I read while I was away.

A bit on log policy from Anton Chuvakin:

I did this VERY fun webcast with WhiteHatWorld this week and a lot of good questions about log management came up. I am answering them here for my readers. BTW, LogLogic product-specific questions can be found on LogLogic website; I am not answering them here. [From Anton Chuvakin Blog - "Security Warrior": More Log Management Questions - Answered!]

Some questions about the ethics of vulnerability research from Information Security Magazine via TaoSecurity:

One of my favorite sections in Information Security Magazine is the "face-off" between Bruce Schneier and Marcus Ranum. Often they agree, but offer different looks at the same issue. In the latest story, Face-Off: Is vulnerability research ethical?, they are clearly on different sides of the equation. [From TaoSecurity: Response to Is Vulnerability Research Ethical?]

Now some Bruce Schneier on selling security:

It's a truism in sales that it's easier to sell someone something he wants than something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. It's not that they don't ever buy these things, but it's an uphill struggle. The reason is psychological. And it's the same dynamic when it's a security vendor trying to sell its products or services, a CIO trying to convince senior management to invest in security or a security officer trying to implement a security policy with her company's employees. [From Schneier on Security: How to Sell Security]

I'll post the latest vulnerabilities I've been following in the next post.

The Cost of Compromised Data

There are always going to be studies that show how much data breaches cost companies, mostly because it's a factoid that security researchers think will persuade the C-level types.

The flip side is that the frequency of these data breaches among peer organizations lessens the impact when it "happens here", and the financial downside becomes just a cost of doing business.

It can also promote a culture of cover-ups. If it's a common thing, then there's no reason to make a big deal of it.

From Gene Schultz over at Hightower Software:

A recent study by the Ponemon Institute shows, for example, that 55 percent of participants in this study said they had been informed of more than one security compromise involving their personal data over the last two years, and eight percent said that they have been informed of four or more of such compromises.
The Ponemon Institute's study also shows that 63 percent of the survey participants reported that the letters they received after data security compromises had occurred contained no information concerning what to do to safeguard their data afterwards. Furthermore, the majority of the respondents indicated that more than a month had transpired before they were finally informed that their personal data were compromised. At the same time, however, 98 percent of those who had fallen victim to a data security compromise actually became victims of identity theft afterwards. Most significantly, almost one out of every three individuals who were informed of a data security compromise involving their personal data have ceased doing business with the company that experienced the incident. [From High Tower Blogs > Security Insights » Blog Archive » The Business Costs of Security Compromises]

From Adam Shostack at Emergent Chaos, 6/16th of Chileans' personal information leaked by hacker:

A hacker in Chile calling himself the 'Anonymous Coward' published confidential data belonging to six million people on the internet.

Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records.

Chile has a population of about 16 million, so that's 3/8ths of the country.

See "ALERTA: Se filtran datos personales de 6 millones de chilenos vía Internet" (Google translated). The blogger, Leo Prieto, gets a rude awakening when he reads the law, "¿Es privada la información personal en Chile?" (see translated version)

More than a third of a nation has been compromised by this "Anonymous Coward" (Slashdot reference anyone?), making this one of the most significant data releases to date. I bet the American media ignores it completely ...

Google Friend Connect

From O'Reilly Radar, Google Friend Connect Previews Tonight:

Later today Google is going to preview Friend Connect (it's not live yet at http://www.google.com/friendconnect), a product that lets any website host OpenSocial applications. These applications will enable a site's user to interact with their social network from other sites (assuming they are logged in). Initially users will be able to see their networks from Facebook (using their APIs), Google Talk, and Orkut. Future participants will include hi5 and plaxo.

Initially Google will be letting websites in slowly. Upon acceptance webmasters will be able to submit their website (URL and name) and select colors. They can then select applications for their site from a new application gallery.

The user experience is simple. When a user comes to a site in the Friend Connect program they can sign into any social network that is sharing their data. Their data is not actually shared with the site. Impressively, Google is supporting OpenID and OAuth in addition to their own standard OpenSocial.

This sounds like it's expanding identity management from the authentication piece that projects such as OpenID and Shibboleth tackle to explore a richer version of identity.

Powered by Movable Type 4.12