Tuesday, August 30, 2011

SECURITY - Fraudulent SSL Certificate for Google.com

"Fraudulent certificate triggers blocking from software companies" H Security 8/30/2011

A fraudulent SSL certificate for "*.google.com" issued by Dutch certificate authority (CA) DigiNotar, possibly to the Iranian government or its agents, has triggered a wave of updates from software makers to stop applications trusting the CA. The certificate was issued on 10 July to unknown persons in Iran.

Several security experts, such as Moxie Marlinspoke, confirmed that the SSL certificate came from DigiNotar; one pastebin entry detailed the contents of the suspicious certificate, while another called for the "internet death sentence" because the company's "carelessness may have resulted in deaths in Iran". The Electronic Frontier Foundation said in a blog posting that it believes the attacks have been used to intercept searches and private email. It is unknown who the certificate was actually issued to and whether or not any other bogus certificates were issued.

The attack was initially noticed by Google Chrome users because Chrome 13 and later implements certificate pinning which ensures that the browser will only accept certificates for Google from a whitelist of certificate authorities; DigiNotar was not a CA on the whitelist and users of Chrome were alerted that something was amiss with the certificate they were being presented. The certificate was revoked yesterday, 29 August, at 16:59 GMT, but because many browsers do not check for revoked certificates by default, software vendors have had to take action to prevent the continued exploitation of the bogus certificate. It is also currently unknown if any other bogus certificates were issued by DigiNotar, therefore the vendors are opting to block all certificates signed by the CA.

Microsoft has released a security advisory and updates for all supported Windows operating systems – including Vista SP3, Server 2008 SP2 and Windows 7 SP1 – which revoke trust in the CA's root certificate. Windows XP SP3 and Server 2003 SP2 will receive separate updates as these systems do not use the centrally managed Microsoft Certificate Trust List.

Mozilla has announced that it is releasing updates for Firefox (3.6.21, 6.0.1, 7, 8 and 9) and Firefox Mobile (6.0.1, 7, 8 and 9), Thunderbird (3.1.13 and 6.0.1) and SeaMonkey (2.3.2), which will also revoke trust in DigiNotar's root certificate. Mozilla has also released instructions on how to delete the DigiNotar Root CA certificate from Firefox manually.

Google is also disabling DigiNotar's certificate in Chrome "while investigations continue" even though Chrome detected the fraudulent certificate. The Chrome browser was only able to do that for google.com subdomains and if there are other fraudulent certificates for other domains Chrome would be unable to detect the deceit.

This is the second fraudulent certificate incident this year: in March, SSL certificates for addons.mozilla.org, Yahoo, Skype, Microsoft Live and Google were created by an intruder into a Comodo reseller.

Friday, August 26, 2011

TECHNOLOGY - Apple Without Steve Jobs?

"What Will Happen to Innovation at Apple With Jobs Out as CEO?" PBS Newshour 8/25/2011

Excerpts from transcript

RAY SUAREZ (Newshour): It was all a far cry from the days when Steve Jobs and co-founder Steve Wozniak began building their now ubiquitous brand, from scratch, in a California garage. They scored an early hit with the Apple II, the first consumer-grade computer to catch on. By the mid-1980s, the company was in a slump, and Jobs was forced out.

But he returned in 1996, and Apple began a turnaround. Still, in a rare interview in 2007, he said his work was never about creating the next big thing.

STEVE JOBS: We don't worry about stuff like that. We just try to build products that we think are really wonderful and that people might want. And sometimes we're right, and sometimes we're wrong.
----
RAY SUAREZ: Walt Mossberg, whether it's consumer electronics, entertainment, even computing, which is where it all started, this has been a big impact player, hasn't it?

WALTER MOSSBERG, The Wall Street Journal: Well, you know, Ray, I think Steve Jobs is a historic figure.

He's not only a historic figure in business, but really in America. He has not only disrupted and innovated in computers and consumer electronics for all those products we saw just now listed, but he has, in the process, shaken up and revolutionized the music industry, the movie industry, publishing industry. Even the retail industry, the Apple store chain that he built, is widely admired.

And on the side, while he was doing all that, he bought a little company called Pixar and turned it into the most successful studio in Hollywood and revolutionized animation.
----
WALTER MOSSBERG: But the devotion to product is -- goes beyond just those words. It's really a devotion to designing products for actual users. You know, a lot of computer companies -- Hewlett-Packard is a good example in what they are doing in spinning off P.C.s -- are really much more interested in selling to businesses, selling to intermediaries, like I.T. departments.

Steve Jobs calls those orifices. He's much more interested in designing something for the actual consumer, whether they're in a big company or just a family. And that -- and he's a perfectionist about it. And he's surrounded himself with other people who are just laser-focused on that.

The other thing, Ray, I think is incredibly important is, they don't just make little innovations based on market research. They take big risks and make big bets on what they think the next thing that people will want is, even if the people don't know it themselves at the time.

Monday, August 22, 2011

SECURITY - AES Crypto Broken

"AES crypto broken by 'groundbreaking' attack" by Dan Goodin, The Register 8/19/2011

Updated, Cryptographers have discovered a way to break the Advanced Encryption Standard used to protect everything from top-secret government documents to online banking transactions.

The technique, which was published in a paper (PDF) presented Wednesday as part of the Crypto 2011 cryptology conference in Santa Barbara, California, allows attackers to recover AES secret keys up to five times faster than previously possible. It introduces a technique known as biclique cryptanalysis to remove about two bits from 128-, 192-, and 256-bit keys.

“This research is groundbreaking because it is the first method of breaking single-key AES that is (slightly) faster than brute force,” Nate Lawson, a cryptographer and the principal of security consultancy Root Labs, wrote in an email. “However, it doesn't compromise AES in any practical way.”

He said it would still take trillions of years to recover strong AES keys using the biclique technique, which is a variant of what's known as a meet-in-the-middle cryptographic attack. This method works both from the inputs and outputs of AES towards the middle, reusing partial computation results to speed up the brute-force key search. The technique is designed to reduce the time it takes an attacker to recover the key.

Lawson continued:

This technique is a divide-and-conquer attack. To find an unknown key, they partition all the possible keys into a set of groups. This is possible because AES subkeys only have small differences between rounds. They can then perform a smaller search for the full key because they can reuse partial bits of the key in later phases of the computation.

It's impressive work but there's no better cipher to use than AES for now.

AES remains the favored cryptographic scheme of the US government. The National Institute of Standards and Technology commissioned AES in 2001 as a replacement for the DES, or Digital Encryption Standard, which was showing signs of its age.

The research is the work of Andrey Bogdanov of Katholieke Universiteit Leuven; Microsoft Research's Dmitry Khovratovich; and Christian Rechberger of Ecole Normale Superieure in Paris. Bogdanov and Rechberger took leave from their positions to work on the project for Microsoft Research. ®

Update

Vulture Central has been deluged with missives from outraged readers complaining about the use of the word “broken” in the headline. "Broken" in cryptography is the result of any attack that is faster than brute force. The biclique technique described here allows attackers to recover keys up to five times faster than brute-force. AES may not be completely broken, but it's broken nonetheless.

What's more, theoretical attacks against widely used crypto algorithms often get better over time. As Root Labs' Lawson has noted, MD5 wasn't compromised in a single 2004 paper. Rather, people successively found better and better attacks against it, starting in the mid 1990's.

Monday, August 15, 2011

WINDOWS - MFT and MFT Zone

This is about the Windows NTFS Master File Table (MFT) and MFT Zones.

From SearchWindowsServer.com, Master File Table:

The master file table (MFT) is a database in which information about every file and directory on an NT File System (NTFS) volume is stored. There is at least one record for every file and directory on the NTFS logical volume. Each record contains attributes that tell the operating system (OS) how to deal with the file or directory associated with the record.

Detailed information about a file or directory such as the type, size, date/time of creation, date/time of most recent modification and author identity is either stored in MFT entries or in space external to the MFT but described by the MFT entries. For a complete list of MFT attributes, click on "View" (in Explorer aka My Computer) in an open folder containing at least one file or subfolder and then click on "Choose Details." You can select which attributes you want made visible by checking or unchecking the boxes in the left-hand column of the resulting pop-up window.


Screenshot of MFT Data List
(click for better view)


MFT Zone, excerpt from PCGuide.com

As more files and directories are added to the file system, it becomes necessary for NTFS to add more records to the MFT. Since keeping the MFT contiguous on the disk improves performance, when an NTFS volume is first set up, the operating system reserves about 12.5% of the disk space immediately following the MFT; this is sometimes called the "MFT Zone". This is a substantial chunk of real estate to reserve, but bear in mind that it is still usable. Regular files and directories will not use this space until and unless the rest of the disk volume space is consumed, but if that occurs, the "MFT Zone" will be used. Eventually, if there are enough entries placed in the MFT, as it expands it will use up the "MFT Zone". When this happens, the operating system will automatically allocate more space elsewhere on the disk for the MFT. This allows the MFT to grow to a size limited only by the size of the volume, but this fragmentation of the MFT may reduce performance by increasing the number of reads required for some files, and the MFT cannot generally be defragmented.


WARNING: The main reason for posting this article has to do with a major problem that can occur (and did to me just the other day).

This has to do with the "Delayed Write" on hard drives. On modern hard drives data is not written to the drive real-time. The data is stored in a memory cache, sometimes the drive itself has a cache.

A major problem occurs when the copy of the drive's MFT kept is in memory cannot be written to the drive. You get a error dialog stating that "delayed write" failed and it lists "$MFT" which is the hidden filename. The dialog will also state that "data has been lost."

In my case, this happened when I tried to Restart/Reboot my system, and the error was for to my USB External Hard Drive and the usual tools could not fix (rebuild) the MFT. I suspect a USB hard drive interface hardware failure.

This will make the hard drive inaccessible. Your system may be able to see the hard drive, but it will show as NOT partitioned. Therefore ALL your data on the drive is lost/inaccessible.

This CAN happen to any hard drive, but External Hard Drives are especially susceptible if the interface (USB or Firewire) goes bad during actual operation. I believe that USB External Hard Drive are most susceptible because of all the other USB devices that you connect to your USB ports. A glitch in another USB device at a critical moment, causes a problem on the USB External Drive (like a Delay Write failure of the $MFT).

Friday, August 12, 2011

SOFTWARE - EaseUS Partition Master Pro

An excellent hard drive partition utility, EaseUS Partition Master Professional.

All Partition Master Pro's features can be seen in the sidebar of the screenshot of the Main Dialog.

Especially note the "WinPE bootable disk" under Tools. This is also available from Partition Master's start menu list as "Create bootable disk." Partition Master comes with an ISO image that is written (using either option) to a CD and runs the entire utility when you boot to the CD. This is the best feature, and I suggest using this CD for the most trouble-free method of using this utility especially for operations on your boot disk (C:).

Note the dark purple color designates a Primary Partition, the cyan is a Logical Partition.

In the screenshot, both Disk1 and Disk2 are external Firewire Hard Drives, and are seen by Windows (WinXP SP3) first.


(click for better view)


NOTE: This is better than MimiTool's Partition Wizard Pro.

Friday, August 5, 2011

PRIVACY - Facial Recognition Technology and Social Networking

"Profile pics on social media sites pose privacy risk, researcher warns" by Jaikumar Vijayan, ComputerWorld 8/5/2011

Excerpt

Facial recognition tech makes it easier to combine offline, online identities

Imagine walking down a street and having a total stranger being able to instantly pull up your name, date of birth, Social Security number, your last blog item and other data on their smart phone.

That could soon happen, said Alessandro Acquisti, associate professor of IT and public policy at Carnegie Mellon University's Heinz College.

In a presentation at the Black Hat conference here this week, Acquisti demonstrated how it's becoming easier for strangers to identify people and infer detailed information about them from their publicly available images on sites such as Facebook and LinkedIn.

The trend has "ominous implications for privacy," Acquisti said. "I'm here to raise awareness of what I feel is going to happen."

Acquisti detailed the results of a series of experiments he conducted in which he applied off-the-shelf facial recognition tools to publicly available Facebook profile images to uniquely identify individuals. In one of the experiments, Acquisti and his team of researchers attempted to glean the true identities of individuals who had posted their images under assumed names on an online dating site

First, they used a search engine and an API they developed to automatically extract about 275,000 publicly available profile images of Facebook members in a particular city.

They then did the same with publicly available images of individuals in the same city who had posted on the dating site. Acquisti used a facial recognition tool called Pittsburgh Pattern Recognition (PittPatt) developed at CMU to see whether he could find matches between the dating site images and the Facebook profile pictures.

In all, about 5,800 dating site members also had Facebook profiles. Of these, more than 4,900 were uniquely identified. The numbers are significant because a previous CMU survey showed that about 90% of Facebook members use their real name on their profiles, Acquisiti said. Though the dating site members had used assumed names to remain anonymous, their real identities were revealed just by matching them with their Facebook profiles.

In another experiment, Acquisti's team took webcam photos of nearly 100 students and tried to match those images with the pictures on each student's Facebook profile.

Students were asked to pose for three photos and then fill out a short survey. While the surveys were being filled out, the webcam images were run against PittPatt to see whether a match could be found on Facebook.

In that experiment, about 31% of the students were correctly matched with their Facebook profiles -- in about 3 seconds.

CYBERSECURITY - Massive Spying Campaign

"Massive Campaign of Cyber Spying Uncovered" PBS Newshour 7/4/2011

Excerpts from transcript

MARGARET WARNER (Newshour): For at least five years, a high-level hacking campaign infiltrated the computer systems of more than 70 governments, corporations and public and private organizations in 14 countries. So says the Internet security firm McAfee, which uncovered the massive campaign and dubbed it Operation Shady RAT.

A summary released by McAfee yesterday identified -- identified the perpetrator only as one specific state actor.
----
MICHAEL JOSEPH GROSS, Vanity Fair: This is an unprecedented campaign of cyber-espionage, demonstrates with absolute clarity now that there are just two kinds of organizations, those that have been compromised and those that haven't, as Dmitri Alperovitch, the guy who discovered this campaign, has often said.

What happened is, they went into more than 70 organizations, everything from the International Olympic Committee to giant corporations, to tiny nonprofits, in 30 different organizational categories in 14 countries. They took out government secrets, design schematics, legal contracts, negotiation plans for business deals, every kind of sensitive information you can think of.

In many cases, these organizations were compromised for at least a year, in some cases, more than two years. And there's a really interesting pattern to the evolution of the attacks that suggest where they may have come from.

MARGARET WARNER: And that is?

MICHAEL JOSEPH GROSS: That is China.




"Revealed: Operation Shady RAT" by Dmitri Alperovitch, McAfee Labs 8/2/2011

Excerpt

For the last few years, especially since the public revelation of Operation Aurora, the targeted successful intrusion into Google and two dozen other companies, I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defense contractors, and perhaps Google. My answer in almost all cases has been unequivocal: absolutely.

Having investigated intrusions such as Operation Aurora and Night Dragon (systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.

McAfee Global Threat Intelligence