A light in the quantum cryptography tunnel

Subject: General Tech, Networking | November 21, 2012 - 02:15 PM |
Tagged: quantum encryption, security

One of the biggest hurdles to implementing quantum cryptography has been vaulted, with researchers finding a way to transmit the key over a non-dedicated connection. Previously, the inherent noise in a fibre channel carrying general data meant the key would be lost, so a separate fibre channel carrying only the keys was needed. Thanks to researchers at Toshiba’s Cambridge Research Laboratory, it is now possible to send the keys over existing fibre which also carries other data. They have created a detector which can open for a mere 100 millionths of a micro-second and receive the key; with a detection window that short, there is no time for noise to interfere and for the wrong photon to be detected as the key. The Register reports they can transmit keys over a line running at 500kbps for 50km and still have the key properly detected.

"Traditionally it has been necessary to use dedicated fibre to send the single photons (particles of light) that are required for Quantum Key Distribution (QKD). This has restricted any applications of quantum cryptography technology to specialist and small-scale systems in banks and high-level government, essentially because of the extra inconvenience and cost required in allocating a dedicated fibre strand for quantum key distribution."

Source: The Register

Apple No Longer Updating Safari for Windows, Users Should Switch To A More Secure Browser

Subject: General Tech | August 6, 2012 - 05:55 AM |
Tagged: windows, webkit, security, safari for windows, safari, browser, apple

The Apple-developed Safari is one of the least popular WebKit-based browsers on Windows. Even so, it still commands 5% market share (across all platforms), and that is a problem. You see, many sites are reporting that Apple has dropped support for Safari on Windows. Windows users will not get the update to Safari 6–the new version available to Mac OS X 10.6 and 10.7 Mountain Lion users. As well, it seems that Apple has removed just about every reference to ever having a Windows version of any Safari browser from its website.

The issue is that the final version that Windows users are stuck with–version 5.1.7–has a number of documented security vulnerabilities that are never going to get patched by Apple. According to Maximum PC, there are at least 121 known security holes listed in Apple’s own documentation. And as time goes by, it is extremely likely that the number of unpatched security holes will increase. Running an outdated browser is not good security practice, and running a browser that is EOL and has known vulnerabilities is just asking for trouble.

While the number of PC Perspective readers running Safari for Windows is likely extremely small, I would advise that you be on the lookout next time you are doing tech support for your friends and relatives. If they managed to get roped into using Safari thanks to Apple’s iTunes software updater, convince them to move to a (dare I say better) more secure browser like Google’s Chrome, Opera, or Firefox. At least those are still getting updates, and some are even automatically done in the background.

Have you ever used Apple’s Safari for Windows browser? What would you recommend as the best alternative? Let us know in the comments below.

Source: Forbes

Firefox 12 will be able to bypass UAC and possibly corporate security settings

Subject: General Tech | April 24, 2012 - 01:01 PM |
Tagged: UAC, security, firefox

One of the causes of the adoption of Google's Chrome browser in the workplace is that, since it installs under your user directory, it can for the most part bypass the limited permissions on most business computers, letting the user install something without consulting IT. This is a minor security concern, as Chrome runs with limited permissions and is certainly not more inherently vulnerable than the old corporate standby, IE6.

According to The Inquirer, Firefox will be starting to do something similar but with larger repercussions. Firefox 12 will be whitelisted on UAC, allowing system level access to the program. While this does mean that, if they are successful, users will be running up to date software and not require IT resources to upgrade Firefox every month or so, it also introduces a powerful attack vector for infections. A silent Firefox update might not be from Mozilla and could instead be from malware online, creating a system vulnerability that the user is completely unaware of until obvious symptoms start to show, by which time it could be too late to stop the spread of an infection to the network or to clients' machines. The update is due out today, so keep a close eye on your Firefox installation for now.

"SOFTWARE DEVELOPER Mozilla will bypass Windows' user account control (UAC) to implement silent updating in its Firefox 12 web browser.

Mozilla's Firefox 12 is expected to be released today, and the outfit claims it will bypass Windows UAC in order to enable silent updating. Since Mozilla put Firefox on its rapid release schedule, it has put out new versions of the web browser every six weeks, leading some users to complain about the number of releases."

Source: The Inquirer

You might want to rethink enabling RDP unless you have NLA set up

Subject: General Tech | March 14, 2012 - 12:36 PM |
Tagged: remote desktop protocol, patch tuesday, fud, rdp, security

Remote Desktop Protocol is a very handy tool. As the name suggests, it allows you to take remote control of a desktop, and it is commonly used for everything from logging into a remote server to change settings, to helping a long-distance friend get their printer installed, to logging onto your home machine to start a Steam download and install so your game will be ready for you when you get home from work. Unfortunately it does open up a way into your PC for attackers, though thanks to the Network Level Authentication feature, which was added into Vista and later versions of Windows, PCs on an authenticated network are much safer than they would be without it. However, NLA will not exist on home workgroups, nor is it supported by versions of Windows previous to Vista. That is why The Register warns of an RDP vulnerability that Microsoft will be patching next patch Tuesday: older machines as well as home machines could be at risk if someone launches an attack before the patch is released and installed. In the meantime you might want to disable RDP unless you actually use it regularly.

"The critical flaw covers all versions of Windows and is found in the Remote Desktop Protocol (RDP). It allows attackers to run code remotely behind the firewall, although Vista users and above can activate the Remote Desktop’s Network Level Authentication (NLA) to trigger an authentication request. RDP is disabled by default, but is often activated."

Source: The Register
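
As an added example (not code from the original post or from Microsoft), this read-only PowerShell audit reports whether the local machine has RDP enabled and whether NLA is required, which is the condition the advice above turns on. The function names are hypothetical; the registry values read are the standard Terminal Server settings, and the Group Policy copy is assumed to take precedence when it is present.

```powershell
# Added example: read-only audit of the local RDP / NLA configuration.
# Function names below are hypothetical; nothing here changes any setting.
$Machine = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # A missing key or value yields $null instead of an error.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]($p.$Name)
}

function Resolve-Setting {
    param($PolicyValue, $LocalValue)
    # A value pushed by Group Policy overrides the locally configured one.
    if ($null -ne $PolicyValue) { return $PolicyValue }
    return $LocalValue
}

function Get-RdpNlaStatus {
    param($Deny, $Nla, [int]$OsMajor)
    if ($null -eq $Deny) { return 'UNKNOWN: fDenyTSConnections could not be read' }
    # fDenyTSConnections = 1 means the machine refuses RDP connections.
    if ($Deny -eq 1)     { return 'OK: RDP is disabled' }
    # NLA arrived with Vista (major version 6); older systems cannot use it.
    if ($OsMajor -lt 6)  { return 'AT RISK: RDP enabled on a pre-Vista OS (no NLA support)' }
    # UserAuthentication = 1 means NLA must succeed before a session is created.
    if ($Nla -eq 1)      { return 'OK: RDP enabled, NLA required' }
    return 'AT RISK: RDP enabled without NLA'
}

# Audit the machine this script runs on.
$deny = Resolve-Setting (Get-RegDword $Policy 'fDenyTSConnections') `
                        (Get-RegDword $Machine 'fDenyTSConnections')
$nla  = Resolve-Setting (Get-RegDword $Policy 'UserAuthentication') `
                        (Get-RegDword "$Machine\WinStations\RDP-Tcp" 'UserAuthentication')
$os   = [Environment]::OSVersion.Version.Major
Get-RdpNlaStatus -Deny $deny -Nla $nla -OsMajor $os

# Constructed inputs (not read from any real host) that exercise each outcome:
Get-RdpNlaStatus -Deny 1 -Nla 0 -OsMajor 6
Get-RdpNlaStatus -Deny 0 -Nla 1 -OsMajor 6
Get-RdpNlaStatus -Deny 0 -Nla 0 -OsMajor 6
Get-RdpNlaStatus -Deny 0 -Nla $null -OsMajor 5

# To act on an AT RISK result (requires an elevated session):
#   Set-ItemProperty -Path $Machine -Name fDenyTSConnections -Value 1      # turn RDP off
#   Set-ItemProperty -Path "$Machine\WinStations\RDP-Tcp" `
#                    -Name UserAuthentication -Value 1                     # require NLA
```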

DNS Redirect Provision Suspended From SOPA (and PIPA)

Subject: General Tech | January 15, 2012 - 06:21 AM |
Tagged: SOPA, senate, security, pipa, Internet, house, freedom, dnssec, dns, Copyright, congress, bill

SOPA, the ever controversial bill making its way through the House of Representatives, contained a provision that would force ISPs to block any website accused of copyright infringement from their customers. This technical provision was highly contested by Internet security experts and the standards body behind DNSSEC. The experts have been imploring Congress to reconsider the SOPA DNS provision as they feel it poses a significant threat to the integrity and security of the Internet.

In a somewhat surprising move, on Friday, Representative Lamar Smith of Texas and Senator Patrick Leahy of Vermont both announced that the DNS provisions included in their respective bills (SOPA in the House and companion bill PIPA in the Senate) would be removed until such time that security experts could provide them with more conclusive information on the implications of such DNS interference.

Many sites are preparing protests to SOPA; most will be forced to shut down should SOPA pass.

As a quick primer, DNS (Domain Name System) is the Internet equivalent of a phone book (or Google/Facebook contact list for the younger generation) for websites, allowing people to reach websites at difficult to remember IP (Internet Protocol) addresses by typing in much simpler text based URLs. Take the PC Perspective website, pcper.com, for example; the website is hosted on a server that is then accessed by other computers using the IP address of "208.65.201.194." Humans, however, cannot reasonably be expected to remember an IP address for every website they wish to visit, especially IPv6 addresses which are even longer numerical strings. Instead, people navigate using text based URLs. When a URL (universal resource locator) such as "pcper.com" is typed into a browser, the software polls other computers on the Internet running DNS software to match the URL to an IP address. This IP is then used to connect to the website's server.

Further, DNSSEC (the Domain Name System Security Extensions) is a standard and set of protocols backed by the IETF (Internet Engineering Task Force) that seeks to make looking up IP addresses more secure. DNSSEC seeks to protect look-up requests by using multiple servers to verify that the URL look-up returns the correct IP address. By securing DNS requests, users are protected from malicious redirects on compromised servers. Browsers will request IP addresses from multiple DNS servers to reduce the risk that they will receive a malicious IP address to a compromised site.

Security experts are opposed to the DNS blocking provisions in SOPA because the methods contradict the very secure environment that standards bodies have been working for years to implement. SOPA would require ISPs to filter every person's DNS requests (the URL typed into the browser), and to block and/or redirect any requests for websites accused of copyright infringement of US rights holders. This very action goes against DNSSEC and opens the door to a less secure Internet. If ISPs are forced to invalidate DNSSEC, browsers will be forced to poll otherwise untrusted servers, and what is to stop so-called hacking groups and others of malicious intent from compromising DNS servers overseas and redirecting legal and valid URLs to compromised web sites and drive-by downloads of malware and trojan viruses? DNSSEC is not perfect; however, it was a big step in the right direction in keeping DNS look-up requests reasonably secure. SOPA tears down that wall with a reckless abandon for the well being of citizens.

Stewart Baker, former first Assistant Secretary for Policy at DHS and former General Counsel of the NSA, has stated that SOPA would result in "great damage to Internet security" by undermining the DNSSEC standard, and that SOPA was "badly in need of a knockout punch." Various other Internet experts, including the CEO of (anti-virus company) ESET, the head of OpenDNS, and security experts Steve Crocker and Dan Kaminsky, have expressed further concerns that the DNS provisions in SOPA would greatly reduce the effectiveness of the DNS system and would greatly affect the integrity of the Internet.

While the suspension of the DNS redirecting provisions is a good thing, such actions are too little and too late. And in one respect, by (for now) removing the DNS provisions, Congress may have made it that much easier to pass the bill into law. After all, it would be much easier to amend DNS blocking onto SOPA once it's law later than to fight to get the foothold passed at all. From the perspective of an Internet user and content creator, I really do not want to see SOPA or PIPA pass (I've already ranted about the additional reasons why so I'll save you this time from having to read it again). While I really want to be excited about this DNS provision removal, it's just not anywhere near the same thing as stopping the entire bill. I can't shake the feeling that removing DNS blocking is only going to make it that much easier for Congress to pass SOPA, and for the Internet to become much less free. We hear about the death of PC gaming or any number of other proclamations made by content creators expressing themselves and exercising their rights to free speech every year, but PC gaming and most things are still around. Please, call and write your congressmen and implore them to vote against SOPA and PIPA so that the last proclamation I read about is not about the death of the Internet!

Java JRE, Adobe Acrobat and Flash; the triumvirate of malware evil

Subject: General Tech | October 5, 2011 - 12:19 PM |
Tagged: fud, security, microsoft, windows

An interesting study that Slashdot has linked to today breaks down three months of infection data and crunches the numbers to see how the infections made it onto systems and which systems are the most vulnerable. Fully two thirds of the infections happened to users browsing with Internet Explorer, but you must keep in mind IE's market share. At this time last year half of all users browsed the internet with some version of IE, and while that has fallen to around 40% this year, it is still the most commonly used browser and will therefore have a greater representation in the sample of PCs tested. As long as you keep that in mind, you can then move onto disparaging the average IE user ... especially if it is still IE6.

As well, you can see that Vista has something to be proud of.  Even with the lack of PCs using the OS it has almost as many infections as WinXP machines.  As to the programs most likely to be used as an attack ... Java JRE sits at 37% with Acrobat just behind at 32%, leaving the much maligned Flash responsible for only 16%. 

"Since up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits, CSIS has actively collected real time data from them for a period of three months. The purpose of their study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third party software that are at risk. They monitored more than 50 different exploit kits on 44 unique servers / IP addresses. The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates."

Source: Slashdot

Still hope for SSL, the web ain't dead yet

Subject: General Tech | September 26, 2011 - 01:20 PM |
Tagged: fud, security, SSL

SSL and secure data transfer are wounded, but not dying quite yet, if you use an elderly encryption protocol called RC4 or ARC4. Currently AES is suggested as the preferred way of encrypting data transfers, but the BEAST (Browser Exploit Against SSL/TLS) attack is capable of defeating AES encryption. Unfortunately there are attack methods which are able to defeat RC4, specifically as it is implemented for WPA and WEP in wireless networks. Google informed The Register that they have been using RC4, although clients that attempt to connect without support for that encryption method are offered the vulnerable AES method. Google also pointed out that the latest developer version of Chrome protects against the BEAST attack, but did not mention when the main version of Chrome will protect users.

"The recommendations published Friday by two-factor authentication service PhoneFactor, suggest websites use the RC4 cipher to encrypt SSL traffic instead of newer, and ironically cryptographically stronger, algorithms such as AES. Google webservers are already configured to favor RC4, according to this analysis tool from security firm Qualys. A Google spokesman says the company has used those settings 'for years.'"

Source: The Register

Sort of secure socket layer

Subject: General Tech | September 20, 2011 - 12:02 PM |
Tagged: fud, SSL, tls, security

The good news about the discovery that the encryption procedure behind Secure Socket Layer and Transport Layer Security has been compromised is that the newest versions of both SSL and TLS are still safe and they have been available for a while now.  The bad news is that not only do only a tiny handful of websites utilize TLS 1.1/1.2 and SSL 3.0, most browsers don't even support the updated protocols.  Oddly Internet Explorer and Internet Information Services both support the newer protocols, though they are not enabled by default; the only one that does have TLS 1.2 enabled by default is Opera.  

You don't have to immediately switch browsers; in order for your secure connection to be compromised, the attacker first has to compromise your browser or machine in order to get JavaScript code to run in your browser before they can start the decryption process. It is not the quickest piece of programming either ... yet. In the proof of concept that The Register references, a 1000-2000 character long cookie will take about a half hour to crack, which is most likely longer than the average connection to your PayPal account will last, which is the site they used as an example. Of course, if you throw a dozen Tesla cards at it, it will probably decrypt the packets at a much quicker pace.

"Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting."

Source: The Register

Who put antivirus in my Windows disk?

Subject: General Tech | September 16, 2011 - 01:53 PM |
Tagged: win8, security, microsoft

It's confirmed, Windows 8 will have anti-virus rolled into it and it does a wee bit more than you might think.   They have updated and expanded Windows Defender as part of the protection scheme but have also taken advantage of the integration possible when your antivirus becomes part of your OS.  Your boot path will be scanned at every restart to ensure no malware has tainted it and it will be protected while your system is running by Defender, along with a long list of other vectors that are commonly used to attack systems. 

You can see a video of this in action over at The Register.

"Rumours about Microsoft planning to bundle an antivirus function in its upcoming operating system have caused quite a bit of a stir in the security community over the past couple of days. Some people have declared themselves supportive of the move, while others rushed to point out its possible drawbacks."

Source: The Register

Oh joy the BIOS level trojan is finally here

Subject: General Tech | September 13, 2011 - 01:00 PM |
Tagged: security, fud, bios, trojan, bmw

You do not want BMW; it is a Trojan that uses your master boot record and your BIOS to ensure that it remains on your system, so even after a format and reinstall of Windows it will still be infecting you. It originally infects winlogon.exe on Windows XP and Server 2003, and wininit.exe on Windows 7 and Vista, but once it is on the system it installs and uses HOOK.ROM at the BIOS level to check whether it has been uninstalled and, if so, reinstalls itself. The Register points out that in this case the enormous variety of BIOS setups is a good thing, as it ensures that any BIOS level virus will always be limited in scope, even if it is a vulnerability shared by a single BIOS type.

"SECURITY RESEARCHERS at Chinese antivirus firm 360 have identified a piece of malware that installs rogue code into the BIOS of targeted computers.

Dubbed BMW by 360 and Mebromi by other security vendors, the threat has separate components for the operating system, the master boot record (MBR) and the system BIOS."

Source: The Inquirer