From time to time I am exposed to a new service, sometimes security-related, that promises something new. More often than not, the new security service is novel, but only because either no one really needs it, or because it does not strike a good balance between security and other needs. The cases of the latter category are far more interesting.
To us security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits, is just wrong. Technologists like Cory Doctorow call for treating personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, even though he has done nothing wrong. All of this is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.
It is easy to explain why one would not like the government to have too much data on oneself. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google Apps users), and Facebook collect. Why should I care about having my personal data on-line?
An interesting article was published in Information Security Resources, titled: “Payment Card Industry Swallows Its Own Tail”.
The author seems to claim that PCI DSS may not survive for long, because the various stakeholders are too busy blaming each other for security breaches instead of trying to make the ecosystem more secure. Also, organizations that are PCI DSS compliant still suffer security breaches, which seems to indicate that the standard is ineffective.
There are two questions that need to be asked:
On January 15th, TechWorld published an article called Encryption programs open to kernel hack. Essentially, it warns that the key to encrypted volumes, that is, to volumes of software-encrypted virtual drives, is delivered by the encryption application to the kernel of the operating system, and thus may be captured by a malicious kernel.
“According to a paper [...] such OTFE (on-the-fly-encryption) programs typically pass the password and file path information in the clear to a device driver through a Windows programming function called 'DeviceIoControl'.”
And they consider it as a threat:
“Dubbed the Mount IOCTL (input output control) Attack by Roellgen, an attacker would need to substitute a modified version of the DeviceIoControl function that is part of the kernel with one able to log I/O control codes in order to find the one used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be vulnerable.”
Such “findings” occur often when the security model of a security system is ignored.
Yesterday, a US patent application of mine was granted by the Patent and Trademark Office. The patent bears the title "SYSTEM, DEVICE, AND METHOD OF SELECTIVELY ALLOWING A HOST PROCESSOR TO ACCESS HOST-EXECUTABLE CODE". Essentially, this patent discloses a technology that makes it possible to boot a computing platform into a trusted state using a cryptography-enabled code storage device, without the need for a cryptography-enabled host processor. In other words, the technology allows a platform to be booted securely when its security module is coupled with the storage medium (e.g., embedded Flash memory) that stores the software, rather than with the host processor.
Then the presentation launches into an even more theoretical discussion of how militants might pair some of these mobile applications with Twitter, to magnify their impact. After all, “Twitter was recently used as a countersurveillance, command and control, and movement tool by activists at the Republican National Convention,” the report notes. “The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near real time.”
It seems as if people are making an effort to ring alarm bells over just about anything. Twitter? Twitter is merely an application that facilitates instant messaging, like tons of others. Whatever can be done with Twitter can also be done with IRC, Web chat rooms, shout boxes (those little frames on websites that display whatever is written by guests to the website), and what not.
Yes, someone evil can use Twitter to pass messages to other evil people in the field, but the ability to pass instant messages along is a “problem” of ubiquitous network technologies, not of this or that particular product.
Full-Disk Encryption (FDE) has been suffering class attacks lately.
As if the latest research (which showed that RAM contents can be recovered after power-down) was not enough, it seems that Firewire ports offer an even easier attack vector into FDE-locked laptops.
From TechWorld: Windows hacked in seconds via Firewire
The attack takes advantage of the fact that Firewire can directly read and write to a system's memory, adding extra speed to data transfer.
The tool mentioned seems to only bypass the Win32 unlock screen, but given free access to RAM, exploit code that digs out FDE keys is a matter of very little extra work.
This is nothing new. The concept was presented a couple of years ago, but I haven't seen most FDE enthusiasts disable their Firewire ports yet.
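As an added example (not part of the original post, and not the tool the article describes), here is the defender-side counterpart on a Linux laptop: a small script that spots loaded FireWire/IEEE 1394 kernel modules in `lsmod` output and emits a modprobe.d fragment that keeps them from loading. The module names are those of the Linux "firewire" and older "ieee1394" stacks; the `lsmod` sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find loaded FireWire (IEEE 1394)
# drivers and produce a modprobe.d fragment that disables them. The new
# "firewire_*" and old "ohci1394/sbp2/ieee1394" stacks are both covered.
FW_MODULES="firewire_ohci firewire_sbp2 firewire_net firewire_core ohci1394 sbp2 eth1394 ieee1394"

# Read lsmod-style text on stdin and print the FireWire modules it lists.
# lsmod prints a header line, then one module per line: name, size, refcount, users.
loaded_firewire_modules() {
    awk -v list="$FW_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 && ($1 in want) { print $1 }'
}

# Print a modprobe.d fragment for the given modules. "blacklist" only stops
# alias-based autoloading; the "install ... /bin/false" line also makes an
# explicit modprobe of the driver fail, which is what we want for a DMA-capable port.
blacklist_fragment() {
    for m in "$@"; do
        # Module file names use dashes where lsmod prints underscores.
        name=$(printf '%s' "$m" | tr '_' '-')
        printf 'blacklist %s\ninstall %s /bin/false\n' "$name" "$name"
    done
}

# Constructed sample of lsmod output for the demonstration (not a real capture).
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          69632  1 firewire_ohci
snd_hda_intel          53248  3
crc_itu_t              16384  1 firewire_core'

found=$(printf '%s\n' "$SAMPLE_LSMOD" | loaded_firewire_modules)
if [ -n "$found" ]; then
    echo "FireWire drivers loaded:"
    echo "$found"
    echo "Suggested contents of /etc/modprobe.d/no-firewire.conf:"
    blacklist_fragment $found
else
    echo "No FireWire drivers loaded."
fi
```

On a real machine, replace the sample with `lsmod | loaded_firewire_modules`; unloading the running modules (or a reboot) is still needed after writing the fragment.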