MD5 is a hashing algorithm created in 1991 and still used by many applications for certain features. But MD5 is no longer recommended for many cases due to weaknesses discovered in the last few years, opening up some scary possibilities. At the end of this year, NIST standards for cryptography used by the federal government will no longer permit 160-bit SHA1 hashes or 1024-bit RSA signature keys, since concerns over the long-term security of these technologies are rising.

With cryptographers constantly working on new algorithms and breaking old algorithms, one may get nervous about whether the foundations of today’s secure transactions are really that secure. But despite the occasional ominous forecast of a cryptographic meltdown, you can remain fairly confident in encryption technology.

Just as we’re constantly finding new weaknesses in various approaches, we’re constantly finding new approaches that overcome various weaknesses. For instance, scientists are working to develop “quantum computers” that perform calculations in a completely different way than today’s electronics. These new machines would be powerful enough to crack several of the strongest algorithms currently in wide use. But just this week, several researchers demonstrated that a 30-year-old algorithm, using a different type of mathematical basis, would foil any known quantum attack. This approach has not been widely used due to large key sizes that would hinder performance, but computers are getting faster every year.

Cryptographers also work to maintain a gap between theoretical attacks and practical compromises. NIST does not wait for programs that can crack any key within seconds before deprecating an algorithm. Researchers are constantly working to build stronger systems, and often start recommending replacements when only the slightest cracks begin to show for a particular approach. Also, one type of weakness does not necessarily ruin every possible use of a given encryption method.

But while the mathematics behind today’s systems may be sound for the near future, strong encryption alone does not guarantee you security. In fact, most security problems come through either insecure implementations of a given approach or bad security practices built on top of strong algorithms. Keeping current with effective cryptography is important, but it’s only one part of an effective security strategy.

So you’ve been hearing lately about how some Android applications are going rogue and being used to steal users’ data and infiltrate their phones, to sit idly by only to wreak havoc when the user least expects it (ok, so maybe I exaggerated a little there). But there has been a lot of buzz lately about certain apps not playing by the rules, or including certain calls to leach user information. A lot of this buzz has been spun as backlash against Google for allowing these types of applications to exist (instead of having some asininely draconian filtering process like some ‘other’ phone provider).

Well, to help defend Google (which they’ve done a decent job of doing themselves), this one falls back on the users. If you’re an Android user, you’ve most definitely seen a screen similar to this.

This screen tells you exactly (mostly) [kinda] what the application you’re installing has access to, and how far it can reach. It’s your (the user’s) obligation to agree with this and install, or not agree, and cancel out. See those two buttons at the bottom? If you don’t agree and see something that has “Cost Money” in this section and you presumed it was a completely free (as in beer) app, then you’d better click the right (Cancel) button.

(more…)

Details of this month’s Patch Tuesday updates here:  http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx

This month, we get a fairly light load of patches for Windows and Office, but there are a few remote code execution vulnerabilities that are addressed.  So, if you run Windows and/or Office, apply these patches as soon as possible. If you’re running Windows XP or Windows Server 2003, you should address these patches post haste, as there is a code execution vulnerability affecting the Microsoft Help and Support Center that is currently being exploited in the wild. (http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx)

Also, don’t forget to restart your system when the updates are finished installing – don’t be lazy like me and hit “postpone” too much!

The .ORG top level domain (TLD) recently received its DNSSEC signature, and now has the ability to provide integrity information about its underlying domains. This is important because it’s the first TLD to get signed. This also means it might be somewhat of a guinea pig, as any uncaught issues or bugs will probably show up when people invariably start trying to break the system.

We covered DNSSEC a bit in a previous post, and it is interesting to see how much progress has been made since then. DNSSEC isn’t new. In fact, it’s been around for a quite some time in one unfinished form or another. It wasn’t until the Kaminsky DNS cache issue a few years ago that we saw a sudden surge in DNSSEC development and deployment.

But if history is any indication, the transition might not be smooth. Each registrar under a TLD has to support DNSSEC individually. This would create new costs and overhead (especially for small registrars), in addition to exacerbating the issue of fragmentation. And although a spotty DNSSEC is better than none at all, it really needs to be ubiquitous to maximize its usefulness.

Good luck, DNSSEC. You’ll need it.

A beta release of HTTPS Everywhere was released today. It’s a collaborative project between those at the Tor project and the EFF.

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

It’s good to see a project like this, especially after giants like Google finally step up and start offering more secure search features in their search engine. It’s only in beta so far, but it does look very promising.

One area to look out for though, just because you have a plug-in like this doesn’t mean every site you go to is going to be secure. You still need to check your browser’s security notifications/icons to ensure you’re on a protected site.

Recently at Gemini we evaluated basic security implications of deploying a particular large-scale desktop virtualization package. Many people have heard of “virtual machines” that enable you to run different operating systems concurrently on one physical computer. But enterprise virtualization solutions go far beyond that scenario, enabling companies to do everything from stream specific applications from a server rather than installing them or have users share the same desktop configuration running on a central server. Companies can even mix and match various types of virtualization in the same environment.

The variety of virtualization options means each situation can carry specific security demands. But certain benefits and risks factor into many deployment decisions. On the positive side, virtualization can simplify maintenance and help ensure consistency by centralizing certain administrative tasks. The added layers of abstraction can also assist in isolating resources or adding flexibility to data storage options.

But those same new abstractions mean increased complexity and potentially much more data flowing between various parts of a network. Administrators also need to stay aware of how data retention is handled in a virtual environment. Adding virtualization to an existing environment can blur traditional notions of access, authentication, and management. Securing each aspect may require rethinking old approaches and policies; for instance, stealing an entire virtual desktop basically involves copying a file.

An article from last month in The Register explores these and other aspects of virtualization security. And as an earlier piece had noted, many deployments introduce security risks from a failure to fully evaluate the effects of such a setup: “Oddly enough, in many cases, security seems to not even be an afterthought, much less a forethought. Gartner’s surveys show that 40 per cent of server virtualization projects were done without bringing the company security experts in from the get-go as the virtualized infrastructure was planned.”

If you’re thinking of adding desktop virtualization to your enterprise, don’t make the same mistake – contact Gemini to ensure your data remains safe.

A couple weeks ago, NASA announced it was all but done with certification and accreditation (C&A), calling it “cumbersome and expensive.” Many were intrigued by such a statement – not because it was wrong, but because it represented a potentially interesting shift in the status quo, done in a somewhat rebellious manner. NASA instead favors a “risk-based approach” that relies more heavily on continuous monitoring. NASA also cited significant cost savings from cutting back C&A activities.

Seemingly in direct response to this outburst, NIST has now released an update to their continuous monitoring FAQ, specifically pointing out that C&A activities are a necessary component of risk-based management of systems, and highlighting that continuous monitoring alone is insufficient.

One of the true oddities of the NASA statement is that continuous monitoring is only one component of the overall NIST Risk Management Framework (RMF). It’s unclear how they concluded that they could just pick one box out of the overall process and claim it covers everything – especially considering their claim to be seeking a risk-based approach.

Of course, in the end it may not matter at all. The House has passed FISMA reform this past week in it’s national security spending bill (also see this Information Week article; didn’t we used to call it “Defense appropriations”? anyway…). The bill also calls for the establishment of a “National Office of Cyberspace” to have better authority than Howard Schmidt currently has in his White House cabinet position. Similarly, the Senate is also pushing through reform, including yet another hare-brained attempt to give the federal government broad, sweeping powers over private critical infrastructure in “emergency” situations. This time around, the bill seeks to authorize DHS with such powers, whereas previous attempts focused on authorizing the President directly. We’ll see what becomes of this, but suffice to say that the move has not gone unnoticed in the security community.

Have you ever looked into researching your family tree? Have you noticed what kind of information you can find out about people, especially older people who have been around since the 1930 census (and pretty soon, the 1940 census)? Upon death, social security numbers are published in the Social Security Death Index, and some of that information is still useful. For example, my father passed away in 2000, my mom still receives social security benefits based on his SSN – which is now public information. All of the joint accounts they had together are mostly still with his social. It would make it easy to steal the identity of a dead person. The SSDI is supposed to prevent that, but it doesn’t always work.

Additionally, genealogy searches turn up information about living people as well – things such as the US Public Records Index – which includes current address information and birthdate – all useful information if you’re searching for someone. By default, most web sites “hide” living relations in your family tree, but you have an option to make it public (and there are incentives to do so to find more about your family).

If you’re interested in genealogy, try using some of your skills to find information about someone not in your family tree (the older they are, the more likely you’ll find information), or if you know how to find information about people, there are genealogists waiting to talk to you to help them find long lost relatives.

This week, I registered for the next Document Interop Initiative (DII) workshop being held at Microsoft. (Details here)

The meet-up is centered around the new XML Advanced Electronic Signatures (XAdES) support in Office 2010. In my opinion, this is a great step forward for Office’s digital signature support, as XAdES provides the appropriate XML schemata to embed timestamps, revocation information and countersignatures within a digital signature on a document. Timestamp and embedded revocation support are two of the chief advantages that Acrobat digital signatures have held over Office for the past several years. Finally enabling this functionality will allow Office to compete with Acrobat on a more even playing field in terms of allowing robust, more auditable signature workflows.

I’m interested in seeing what updates, if any, have been made to the Office digital signature interface to support this new functionality. In current and previous versions of Office, digital signature validation, from a UI perspective, has been abysmal. There has simply been no way to determine *why* a signature is judged as invalid by Office when there are myriad possible causes for such a failure. For example, a signature may be invalid due to an altered document, which is far more of a concern than a signature being invalid due to revocation data being unavailable because the validation was performed offline. These circumstances can lead to different trust levels from the user.

It remains to be seen how well the XAdES support is implemented, but I’ll tentatively state, sight-unseen, that this is at least a step in the right direction.

Did you know that two thirds of all phishing attacks are sourced from a single group? This seems like a staggering statistic, except for the fact that we’ve already seen this before. Maybe those plans for world domination just might pay off…

This whole Facebook privacy scare seems to finally be taking its toll on the general public as it seems Google is showing a major increase in trends data sourced from people wanting to delete their accounts. This doesn’t really surprise me much either, as we’ve talked numerous times about how to secure yourself within Facebook. Let’s hope that emergency meeting that was supposed to take place today actually accomplished something.

One of the pioneers of PKI, Whit Diffie, landed a new position today as VP of information security and cryptography of the Internet’s key oversight agency for domain names. The ICANN doesn’t have that much control over many of the domain providers, but I like to think they have enough influence that if Diffie were to make some serious strides, the world could be a better place.