João Saramago

Another exploit has been found in the Chip and PIN system.  The exploit is a man-in-the middle attack that wouldn’t take too much know-how to pull off. You can watch the BBC report on the issue or check out the paper (PDF) published by the team that found the vulnerability. A stolen card resides in a reader that connects to a dummy card via a small cable. When the dummy card is inserted into a card reader, any PIN can be used to complete the transaction. The chip on the original card gets confirmation that the sale was completed via signature and the vendor’s card reader gets confirmation that the pin was correct. The UK based Chip and PIN system seems like a great idea, but it has had its share of security loopholes. This makes us wonder how hard it is to roll out security patches to the hardware readers in the system.  Obviously this needs to be patch but does it take a technician visiting each terminal to flash an upgrade?

Switching to the topic of wide-scale attacks, we caught the NPR interview with [James Lewis] on Wednesday when they discussed the growing threat of Cyberterroism. He feels an attack on the US electrical grid is currently the biggest threat and will happen in the next ten years. Obviously taking the grid down would endanger lives and bring things to a standstill; traffic lights, refrigeration, heat, etc. We’re just glad that when asked if he thinks there is already malicious code residing in the control system, he doesn’t think that’s the case.

[Thanks to Whatsisface and Mcinnes]

Link to the original site

Via WebSegura.net: Mais um site que levou o carimbo HbN, desta vez num espaço governamental Português. Concretamente, no sítio das Novas Oportunidades.

Por esta altura já deve ter sido corrigido (?) mas ficou a imagem para a posteridade. Ao original, chega-se por aqui: testemunhos.novasoportunidades.gov.pt/…

(Passe a publicidade, talvez fosse boa ideia fazerem uns testes de segurança antes de lançarem o site em produção, certo?
Fica a sugestão ; ) … )

Link to the original site

Computer scientists say they’ve discovered a “severe vulnerability” in the world’s most widely used software encryption package that allows them to retrieve a machine’s secret cryptographic key. The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

Link to the original site

… alguém vos pedia um conselho sobre a melhor forma de usar a Internet em segurança, no contexto da sua utilização pessoal, qual seria a vossa resposta? Que tipo de controlos, que tipo de máquinas e software iam sair da vossa cartola? Quais eram os pontos chave? Configurações?…

A pergunta não impõe limites, e as respostas podem ser as que quiserem (dentro do âmbito da questão, naturalmente : ) … )

Os comentários estão abertos: shoot at will ; )

Link to the original site

alphadogg writes “Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and e-commerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. While guessing the 1,000-plus digits of binary code in a private key would take unfathomable hours, the researchers say that by varying electric current to a secured computer using an inexpensive purpose-built device they were able to stress out the computer and figure out the 1,024-bit private key in about 100 hours – all without leaving a trace. The researchers in their paper outline how they made the attack (PDF) on a SPARC system running Linux.”

Read more of this story at Slashdot.

Link to the original site

KentuckyFC writes “Quantum cryptography uses the quantum properties of photons to guarantee perfect secrecy. But one of its lesser known limitations is that it only works if Alice and Bob are perfectly aligned so that they can carry out well-defined polarization measurements on the photons as they arrive. Physicists say that Alice and Bob must share the same reference frame. That’s OK if Alice and Bob are in their own ground-based labs, but it’s a problem in many other applications, such as ground-to-satellite communications or even in chip-to-chip communications, because it’s hard to keep chips still over distances of the order of the wavelength of light. Now a group of UK physicists have developed a way of doing quantum cryptography without sharing a reference frame. The trick is to use entangled triplets of photons, so-called qutrits, rather than entangled pairs. This solves the problem by embedding it in an extra abstract dimension, which is independent of space. So, as long as both Alice and Bob know the way in which all these abstract dimensions are related, the third provides a reference against which measurements of the other two can be made. That allows Alice and Bob to make any measurements they need without having to agree ahead of time on a frame of reference. That could be an important advance enabling the widespread use of quantum cryptography.”

Read more of this story at Slashdot.

Link to the original site

bennyboy64 writes “An IT security company has discovered a serious exploit in Apache’s HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache’s core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit.”
Note: according to the advisory, this exploit is exclusive to Windows.

Read more of this story at Slashdot.

Link to the original site

“Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and ecommerce servers.RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. The researchers – Andrea Pellegrini, Valeria Bertacco and Todd Austin – outline their findings in a paper titled “Fault-based attack of RSA authentication”, to be presented 10 March at the Design, Automation and Test in Europe conference.”

Link to the original site

A Microsoft-funded report found that IE 8 outperformed four other browsers in protecting against socially engineered malware.

Link to the original site

Lord West of Spithead, ministro responsável pela segurança no UK:

Não existe nenhuma dúvida que alguns Estados extraíram quantidades enormes de propriedade intelectual, planos completos para motores para aeronáutica, coisas que levaram anos e anos a serem desenvolvidas (…) Se algum Estado patrocinador continuar a tentar entrar nos seus sistemas, provavelmente para espionagem industrial, você vai retaliar? Somos todos capazes de fazer estas coisas. Neste momento não faríamos isso, mas talvez seja neste ponto que temos que focar as discussões.

in Britain fends off flood of foreign cyber-attacks.

Merece um comentario breve, naturalmente. Dois pontos apenas.

Primeiro ponto: É evidente que a legitimidade para contra-ataques, num cenário de guerra electrónica, não pode ser posta em causa, desde que seja muito claro, muito evidente, quem são os nossos inimigos. No entanto, no contexto da Internet, nem tudo é claro, muito pouco é óbvio.

Segundo ponto: Parece-me muito mais útil, em face do estado que podemos observar na segurança da informação — num âmbito global, note-se (!) — parece-me mais útil, dizia eu, focar a nossa atenção, focar os nossos esforços, na concretização de controlos técnicos e processuais que, na verdade, já estão disponíveis há muito tempo, são conhecidos e evangelizados pelos profissionais há muitos anos, e que continuam a ser ignorados sistematicamente.

Terceiro ponto (eram só dois pontos, eu sei, mas apeteceu-me pôr mais um): Enquanto as organizações continuarem a aceitar que os erros na construção das infra-estruturas, na configuração dos sistemas, e no desenvolvimento das aplicações, enquanto continuarem a aceitar que estes erros podem ser corrigidos aligeirando os controlos de segurança, não vai haver defesa possível contra atacantes bem motivados.

Retaliação? Defesa efectiva em primeiro lugar, digo eu, que nem percebo nada disto.

Link to the original site