Keyczar – Google’s crypto for non-cryptographers

Google has released Keyczar, billed as a “Toolkit for safe and simple cryptography”, under an Apache 2.0 open source licence. Keyczar has been developed by members of the Google security team and aims to make cryptography more accessible to application developers.

Keyczar’s design goals were to manage the complexity of cryptography for developers who are not cryptographically aware. Keyczar’s developers point to how these developers may choose wrong cipher modes, use an obsolete algorithm or just forget they will need to rotate keys. To avoid this problem, Keyczar abstracts ways these issues with a simple programming interface and adds a key versioning system which tags output with version information and makes it easy to rotate and revoke keys.

Source:
http://www.heise-online.co.uk/news/Keyczar-Google-s-crypto-for-non-cryptographers–/111293

Posted in General BS, Internet, Linux, Networking, Privacy, Security, Software, Windows | No Comments

Surf Jack – HTTPS will not save you

Say hello to a new security tool called “Surf Jack” which demonstrates a security flaw found in many public sites. The proof of concept tool allows testers to steal session cookies on HTTP and HTTPS sites that do not set the Cookie secure flag. I’ve been working with two banks and some of the vulnerable sites to get this fixed before publishing my research. Mike Perry gave a talk at Defcon involving the exact same vulnerability – so there is no point in keeping this from the public.

You can download the tool from here and a paper with more details on the subject.

Source:
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/

Posted in Internet, Linux, Networking, Privacy, Security, Windows | No Comments

New Tool to Automate Cookie Stealing from Gmail, Others

A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).

When you log in to Gmail, Google’s servers will place what’s called a “session cookie,” or small text file, on your machine. The cookie identifies your machine as having presented the correct user name and password for that account, and it can allow you to stay logged in to your account for up to two weeks if you don’t manually log out (after which the cookie expires and you are forced to present your credentials again).

The trouble is that Gmail’s cookie is set to be transmitted whether or not you are logged in with a secure connection. Now, cookies can be marked as “secure,” meaning they can only be transmitted over your network when you’re using a persistent, encrypted (https://) session. Any cookies that lack this designation, however, are sent over the network with every Web page request made to the Web server of the entity that set the cookie — regardless of which of the above-described methods a Gmail subscriber is using to read his mail.

As a result, even if you are logged in to Gmail using a persistent, encrypted https:// session, all that an attacker sniffing traffic on your network would need do to hijack your Gmail account is force your browser to load an image or other content served from http://mail.google.com. After that, your browser would cough up your session cookie for Gmail, and anyone recording the traffic on the network would now be able to access your Gmail inbox by simply loading that cookie on their machine.

Source:
http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html

Posted in Internet, Privacy, Security | No Comments

Microsoft changing Patch Tuesday process

Microsoft is to release fixes for a dozen serious vulnerabilities next Tuesday, seven of them ranked critical. But the firm has also announced a three-stage process to reducing the effects of future vulnerabilities.

Next week’s update (the regular ‘Patch Tuesday’ release which comes in the second week of each month) includes critical fixes for Windows, Internet Explorer, Media Player, Access, Excel, PowerPoint plus Office in general.

The full details are, as usual, kept under wraps until the release comes out (to avoid hackers getting so much information they can prepare for attacks). However, all seven critical fixes involve plugging gaps which could have allowed remote code execution.

The notification process will be one of three changes to the update process from October. In future, third-party manufacturers of security software can become eligible to receive advance notice of the full details of impending updates.

This follows a growing trend by which hackers were able to break down the details of each fix as it came out, figure out the original vulnerability, and exploit it among unprotected computers before security firms had found a way to deal with the consequences. In one recent case, hackers were exploiting a loophole just two hours after the relevant update came out.

To receive the advance notice, firms must have “a significant Microsoft customer base” and sign non-disclosure agreements promising to keep the details secret.

Microsoft also plans to introduce an ‘Exploitability Index’ which effectively serves as a prediction of how likely it is hackers will target particular vulnerabilities. The idea is to give customers a better idea of which are the most important fixes. Rather than apply a score, there will be a three-level rating, predicting either a consistent exploit likely, an inconsistent exploit likely, or exploit being unlikely. The critical/important/moderate/low ratings will remain, showing how serious the effects of an exploit would be.

The firm is also launching a programme to work with third-party software developers to find fixes for problems in non-Microsoft software which could still have serious consequences for Windows users.

Source:
http://vista.blorge.com/2008/08/09/microsoft-changing-patch-tuesday-process/

Posted in General BS, Security, Windows | No Comments

Windows Jingle Attack Exposed

At the Black Hat conference in Las Vegas on Thursday, Eric Filiol, the head scientist at the French Army Signals Academy’s Virology and Cryptology Lab, explained how to steal data from a computer without a network connection.

Filiol demonstrated what he called the Windows Jingle Attack, a method for encoding a user’s password into audio data and concealing that data into the Windows startup tone, a publicly audible sound that can be read from afar with a local or remote microphone and then decoded.

Filiol’s work builds on what’s known as Tempest. Filiol said the term stands for Temporary Emanation and Spurious Transmission, though others suggest alternate terms to explain the acronym.

Tempest refers to research done by the NSA into the signals that emanate from electronic devices and how to prevent the interception of those signals. The reason is that those signals may reveal the information being processed by a device or may be altered to do so.

Programmer Eric Thiele has written a demonstration program called Tempest for Eliza that uses a computer monitor to send out AM radio signals.

The Windows Jingle Attack requires malware on the target machine, so in that respect it’s not as easy to execute as other attacks that allow remote code execution. Nonetheless, there are certain scenarios when being able to obtain data from a computer without a network connection would be valuable.

Source:
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=209904565

Posted in General BS, Security, Windows | No Comments