The Microsoft System Integrity Team Blog has posted a link to the paper describing the BitLocker cryptographic algorithm.
The amazing thing is that the paper is from Microsoft, on Microsoft's site, yet it's in PDF. I'm kind of used to Microsoft documentation being placed in a signed self-extracting archive. In the article they discuss why existing ciphers were not satisfactory. They are using AES in CBC mode, but with a dedicated diffuser added for security against manipulation attacks.
In the crypto world, an algorithm needs to be widely examined before it is trusted for use. In this paper, Microsoft explains why they have combined a widely tested AES-CBC with a new component, the Elephant diffuser. They feel that this gives the best of both worlds, the tested security of AES-CBC, and the additional security properties of the diffuser.
This is a real article in ZDNet Australia. The Australian Army expects suicide hacker attacks.
Now, I’m just rolling on the floor laughing as I read this article. To me, the key part of a suicide attack is when the attacker kills himself as part of the attack. To Colonel Paul Straughair, a suicide attack would be someone willing to go to prison for 30 years for their cause.
It's a slippery slope when you take real warfare terms and apply them to computers. The label cyberterrorism has been applied to the garden-variety Internet worm. As Rob Rosenberger has pointed out, there is nowhere to go when the next event is worse. Are you going to call a major event cyber-genocide? For years people like Richard Clarke have predicted a "digital Pearl Harbor". To me these labels are irresponsible. Comparisons with genocide or Pearl Harbor are inappropriate until thousands of people are killed in a hack attack.
A suicide hack attack would include the death of the attacker, not their loss of freedom, not the deletion of their user account.
Here’s an Australian IT interview with Message Labs executive Adrian Chamberlian.
Sure, it's a bit of marketing material, but I find it interesting.
Imagine a world in which terrorists target government websites with millions of spam emails.
Or a world in which viruses take over your computer, turn it into a zombie, and use it to send out more spam.
It’s called reality, and it’s going to get worse.
The popularity of mobile phones means text spam will increase, mobile phone viruses will go from concept to reality, and voice spam (automated calls that bombard you day and night) will become common as marketers take advantage of cheap VoIP calls.
They expect to see more companies turning to managed services such as the ones they provide. Actually that worries me a bit. If they are protecting too many desirable targets, the bad guys might focus on them and on how to penetrate the MessageLabs defenses.
Netcraft is reporting that websites hosted at HostGator have been hacked en masse through a new cPanel exploit. An iframe was inserted, causing visitors to their pages to be hit with the VML zero day.
cPanel is widely used in Apache-based web hosting, so this could be huge.
Wow, that's some hit piece that Rob Pegoraro writes in today's Washington Post. To him the 5 year anniversary is not something to be celebrated. That really shouldn't be a surprise. Newspaper tech writers always spend a disproportionate amount of time advocating for Mac and Linux rather than writing about the software people actually use. He thinks because he hates Microsoft everyone else does too. Hey, it worked with Halliburton. Just keep repeating "Microsoft sucks" enough times, and sooner or later the sheep will believe it.
Rob ends his article by crapping on Vista ("imagine the unknown bugs in Vista"). Well, the fact is that since starting the new secure programming initiatives at Microsoft, the new products they've turned out have been rather good. Are there going to be problems? Sure, any time you do something new, things don't always go as expected. Will people like Rob scream to high heaven when some backwards compatibility is gone and some insecurely written programs no longer work? You bet they will.
I bet the first days of Vista won't look like this.
Steve Riley mentioned this over at his blog. While defeating a fingerprint lock like this isn't new, it's neat to see on video. I'm not sure of the air date for this.
Steve makes some good points about identification versus authentication in his blog entry.
For a brief moment, I thought to myself, what if software security companies tried to sell software with the same shocking tactics as the Safe Happens commercial series from VW. Then I came to my senses. These companies already do sell based on the idea that your data is toast without them. What is shocking in a car commercial is all too common from security vendors.
In the VW commercial, people get into a jarring physical accident, and in the security commercials people are threatened with losing all their data, the Internet melting down, SCADA and a new Y2K. Here's a clip from 24 where Cisco saves the day. (QuickTime required)
Microsoft is reporting that there is a zero day in Vector Markup Language. This vulnerability can be exploited to install software (such as spyware) without your knowledge when you visit a website in IE or open an email in Outlook.
Currently there are some workarounds and Microsoft is planning on releasing a patch on patch Tuesday in October. By implementing the workarounds, websites that use Vector Markup Language will no longer work correctly. I have not seen any reports of just how bad that would be.
The mitigation options are to deregister the VML DLL or to change the ACL on that DLL so that the Everyone group is denied access. Jesper has an example of how to create a security template to deploy this file permission through Group Policy.
The problem with these methods is that you are making a security change that is really weird, and you don't know how it will affect the patching process when an official patch is released. With the WMF patch, the people who disabled this needed to re-enable it in order to apply the patch, IIRC. While that may be easy on an individual computer, it is kind of worrisome for an enterprise.
Microsoft has published a security advisory regarding a DirectAnimation Path ActiveX control vulnerability in Internet Explorer versions prior to IE 7. This vulnerability could be exploited to install software on your computer without your knowledge.
One of the best ways to protect yourself against these ActiveX attacks is to set ActiveX kill bits to disallow execution of the exploitable control. I typically use Javacool Software's SpywareBlaster for this purpose. To do this manually, and set the kill bit for the CLSID {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}, paste the following text into a text editor such as Notepad, then save the file using the .reg file name extension and import it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400
Or SANS has provided an app to set/unset this kill bit.
http://isc.sans.org/diary.php?storyid=1706
One note about ActiveX kill bits. They tell Internet Explorer never to instantiate that control. In the past there have been vulnerabilities that would allow malicious code to ignore the kill bit. It should work now if you are up-to-date on patches.
Until a patch is provided you should take steps to mitigate this risk.
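As an added example (my own, not code from the original post, Microsoft or SANS), here is a PowerShell script that sets the same kill bit and then reads the key back to confirm it. Rather than overwriting the value the way the .reg file does, it ORs 0x400 into whatever Compatibility Flags value already exists, so other flags set for the control survive. The function names are mine; it assumes an elevated PowerShell session on the affected Windows machine.

```powershell
# Added example: set and verify an ActiveX kill bit for a CLSID.
# Run from an elevated PowerShell prompt (writes under HKLM).
$KillBit = 0x400   # Compatibility Flags bit that tells IE never to load this control

function Get-KillBitPath {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise to the braced, upper-case form used under ActiveX Compatibility
    $c = $Clsid.Trim('{}').ToUpperInvariant()
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{$c}"
}

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the current DWORD, or $null when the key or value is absent
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatFlags -Path (Get-KillBitPath $Clsid)
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Get-KillBitPath $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # OR the kill bit into the existing value so other compatibility flags are kept;
    # [int]$null is 0, which covers a freshly created key.
    $existing = Get-CompatFlags -Path $path
    $new = [int]$existing -bor $KillBit
    if ($PSCmdlet.ShouldProcess($path, "Set Compatibility Flags to 0x$($new.ToString('X8'))")) {
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# The CLSID from the advisory quoted above
$clsid = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'
Set-ActiveXKillBit -Clsid $clsid
if (Test-ActiveXKillBit -Clsid $clsid) { "Kill bit set for $clsid" } else { "Kill bit NOT set for $clsid" }
```

Run it with -WhatIf on Set-ActiveXKillBit to preview the registry write before deploying it more widely.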