Mar 9 2010

Ford Motor Rolls Out New Security Features To Prevent Car-Hacking

Automobile giant Ford Motor this year will debut vehicles with built-in WiFi — along with enhanced security features to prevent data breaches via its new cars.

Ford has offered the so-called Sync technology service it co-developed with Microsoft in most of its Ford, Lincoln, and Mercury vehicles since 2008. The technology lets drivers connect their Bluetooth-enabled mobile phones and digital media players through the vehicle and operate them by voice command, for instance.

The automaker announced today that the second generation of its Sync technology — due out later this year and to include a full Windows CE operating system with a new driver interface called MyFordTouch — will come with a built-in browser and secured WiFi access. It will first debut in the 2011 Ford Edge and 2011 Lincoln MKX, and later in the 2012 Ford Focus.

“We really began to focus on the security side when we began launching Sync, and it was [originally] for working with phones and media players,” says Jim Buczkowski, director of Ford electronics and electrical systems engineering. “Now we’re extending that system connectivity to include WiFi as another data path for customers in their vehicles … and we’re extending that security model for protecting WiFi.”

The WiFi will be broadcast via Sync using a USB-based modem, and Ford has updated its on-board firewalls to protect both the WiFi network and the vehicle’s operations. The WiFi network is set by default to WiFi Protected Access 2 (WPA2) encryption for secured access to the wireless network. It will also provide anti-malware protection for the MyFordTouch system.

Sukhwinder Wadhwa, manager of the Sync platform and technologies at Ford, says Ford doesn’t consider security to be an add-on feature. “We work closely with the Ford enterprise IT security [group] to use basically the same guiding principles for security” as they use for enterprise security, Wadhwa says.

“Any software is first verified by Ford engineers and signed by Ford enterprise servers before it gets installed [in the vehicles],” he says.

Wadhwa says Ford also uses internal ethical hacking teams as well as third-party consultants to test out the security of the Sync features.

“They are proud that they enable WPA2 and a firewall by default on the access point, perform pairing over Bluetooth, and have some arbitrary DRM for preventing swapping hard drives of MP3s. It all sounds like pretty vanilla stuff, anything a decent home network set-up has,” says Nate Lawson, principal with Root Labs.

Wadhwa says Ford isn’t aware of any car-hacking incidents with its vehicles to date. “We do not want to have any incidents in the first place,” he says. “We are connecting consumer-grade devices [in the vehicle], and we want to make sure out of the chute we are protected from any bad devices out there, like memory sticks or whatever they put [into the vehicle],” he says.

Wadhwa says the hardware-based firewall technology is made up of two “separate entities,” so that the consumer side of the firewall, which handles what can connect, can’t pass information to the vehicle’s processor, or vice versa.

All of Ford’s vehicles in the next five years will come with the secure WiFi option, according to Ford.

Meanwhile, the automaker’s Sync service, which comes standard in some higher-end models and for an optional monthly fee in other models, already comes with phone-pairing protection, an encrypted jukebox hard drive for the driver’s music library, a valet-mode option that locks all programmed navigation destinations from view, an engine immobilizer, and keyless entry features.

Source


Mar 9 2010

Former NSA tech chief: I don’t trust the cloud

The former National Security Agency technical director told the RSA Conference he doesn’t trust cloud services and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years.

Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. “You don’t know what else is cuddling up next to it,” he says.

Snow was speaking as a member of the annual cryptographers panel at RSA Conference. Another panelist said he doesn’t trust clouds either, but his reluctance was based upon worry about what NSA might be up to.

Adi Shamir, a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Crypto AG,” he said.

On another topic, Snow said many commercial applications and security products contain known flaws or shortcomings that users accept without understanding them or analyzing them thoroughly. That trust is similar to the trust investors had in unsound Wall Street derivative investment products, he said. Just as the country’s financial markets melted down last year, he said network security could face a “trust-bubble meltdown”.

He alluded to a 17-year-old Microsoft vulnerability that went unpatched. Fixing such problems before they are exploited gives vendors a commercial advantage, so they should do so. “Fix vulnerabilities before you first smell an attack,” he said. “End of message.”

Also during the panel, Snow acknowledged that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt.

“I do believe NSA is still ahead, but not by much — a handful of years,” said Snow, the former technical director for the agency. “I think we’ve got the edge still.”

He said that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. “Now we are very close together and moving very slowly forward in a mature field,” Snow said.

Source


Feb 26 2010

Pros and cons of biometric authentication

In theory, biometrics are a great way to authenticate a user: it’s impossible to lose your fingerprint (barring the most gruesome of developments), you can’t forget it like you could a password, and it’s unique to you.

In practice, though, many things for now limit a more widespread use of this technology.

One of the problems has been pointed out by Guy Churchward, CEO of LogLogic. He says that it is precisely this uniqueness that makes biometric data an inherently flawed choice for a primary method of authentication.

“Once you have your fingerprint scanned it will give a unique data sequence which if compromised is not exactly something you can change,” he says. “Imagine having an option of only one password ‘ever’. One loss and you are screwed.”

Another problem is that current scanners still can’t tell whether the fingerprint is on a real finger or an artificial one. Andrew Clarke, of e-DMZ Security, says that in theory one could obtain the user’s fingerprint using techniques used in crime detection and transfer it onto an artificial finger. This will likely change as the technology evolves, but for now the system is still fallible and not suitable as a primary solution to the authentication problem.

“As with all authentication, multiple factors increase the effectiveness of the solution. Something you have (fingerprint) combined with something you know (passcode) provides a stronger solution,” he says.

According to SC Magazine, David Ting, CTO of Imprivata, sees the good side of this kind of authentication. He says that the contents of any computer should be encrypted, and that access to them should be secured by a password AND by biometrics. According to him, a biometric password is infinitely more difficult to recover using a brute force attack than a “normal” password.

He favors using complex passwords initially to thwart cracking, and for secure access to the Windows logon, biometrics, one-time password tokens or smartcards should be used for the aforementioned reason.

Source


Feb 25 2010

Microsoft Withdraws DMCA Complaint, cryptome.org Back Online!

Subject: DN: www.cryptome.org; Registrar: Network Solutions; Host: Network Solutions – Demand for Immediate Take Down – Notice of Infringing Activity – MS Ref. 304277
Date: Thu, 25 Feb 2010 12:22:59 -0500
From: “DMCA”
To: “John Young”

We would like to notify you that Microsoft has contacted us regarding www.cryptome.org. Microsoft has withdrawn their DMCA complaint. As a result www.cryptome.org has been reactivated and this matter has been closed. Please allow time for the reactivation to propagate throughout the various servers around the world.

Linda L. Larsen, Designated Agent
Network Solutions, LLC
Telephone: 703.668.5615
Facsimile: 703.668.5959
Email: dmca[at]networksolutions.com

_________

Subject: DN: www.cryptome.org; Registrar: Network Solutions; Host: Network Solutions – Demand for Immediate Take Down – Notice of Infringing Activity – MS Ref. 304277
Date: Thu, 25 Feb 2010 13:09 -0500
To: “DMCA”
From: “John Young”

Dear Ms. Larsen,

You may know we are publishing our email exchanges to help readers understand the process. Could you describe means by which Microsoft withdrew their DMCA complaint?

Regards,

John Young

__________

Subject: RE: DN: www.cryptome.org; Registrar: Network Solutions; Host: Network Solutions – Demand for Immediate Take Down – Notice of Infringing Activity – MS Ref. 304277
Date: Thu, 25 Feb 2010 13:24:52 -0500
From: “DMCA”
To: “John Young”

We received an email from Microsoft’s counsel withdrawing the complaint. Accordingly, we restored access and notified you of our action.

If you have any questions, please feel free to call me.

Linda L. Larsen, Designated Agent
Network Solutions, LLC
Telephone: 703.668.5615
Facsimile: 703.668.5959
Email: dmca[at]networksolutions.com

__________

Subject: RE: DN: www.cryptome.org; Registrar: Network Solutions; Host: Network Solutions – Demand for Immediate Take Down – Notice of Infringing Activity – MS Ref. 304277
Date: Thu, 25 Feb 2010 13:42 -0500
To: “DMCA”
From: “John Young”

Could we get a copy of the Microsoft email? For the public record.

Thanks, John

__________

Subject: DN: www.cryptome.org; Registrar: Network Solutions; Host: Network Solutions – Demand for Immediate Take Down – Notice of Infringing Activity – MS Ref. 304277
Date: Thu, 25 Feb 2010 14:09:47 -0500
From: “DMCA”
To: “John Young”

Mr. Young,

Pursuant to your request, attached please find the email correspondence containing Microsoft’s withdrawal of its “takedown request”.

Respectfully,

Linda L. Larsen, Designated Agent
Network Solutions, LLC
Telephone: 703.668.5615
Facsimile: 703.668.5959
Email: dmca[at]networksolutions.com

__________

X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from opsmail.prod.netsol.com ([10.221.32.60]) by nsiva-exchange4.CORPIT.NSI.NET with Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Feb 2010 22:47:25 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=”—-_=_NextPart_003_01CAB5CD.3E340480″
Received: from corpcm3 (corpcm3.mgt.netsol.com [10.221.32.102]) by opsmail.prod.netsol.com (8.12.10/8.12.10) with ESMTP id o1P3lOsM023759 for ; Wed, 24 Feb 2010 22:47:24 -0500 (EST)
Received: from [10.253.64.77] ([10.253.64.77:43581] helo=networksolutions.com) by corpcm3 (envelope-from ) (ecelerity 2.2.2.41 r(31179/31189)) with ESMTP id E2/39-15380-3C2F58B4; Wed, 24 Feb 2010 22:47:15 -0500
Received: (qmail 23471 invoked from network); 25 Feb 2010 03:45:41 -0000
Received: from dchost2.cov.com (HELO CBIEXI02DC.cov.com) (216.200.93.137) by tip2.lb.netsol.com with SMTP; 25 Feb 2010 03:45:41 -0000
Received: from cbiexm02sf.cov.com ([172.16.160.88]) by CBIEXI02DC.cov.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Feb 2010 22:46:57 -0500
Content-class: urn:content-classes:message
Subject: Re: Ticket Number 1-452132847
Date: Wed, 24 Feb 2010 22:46:56 -0500
Message-ID: <54F83DC1AC2D7443AA904FFD32E2DAA40877B437[at]cbiexm02sf.cov.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Re: Ticket Number 1-452132847
Thread-Index: Acq06IFo420gHHQPThWg1v/l3yM7TAAAjYcAAABtzJAAABl6EAAAmcd6ADcZlUA=
From: “Cox, Evan”

To: “DMCA”
Cc: “internet4[at]microsoft-antipiracy.com”

Dear Ms. Larsen:

I am outside counsel to Microsoft Corporation. I am writing to confirm my telephone message left with your nighttime operator at 7:45 PST this evening to withdraw Microsoft’s takedown request with respect to the file available at http://cryptome.org/isp-spy/microsoft-spy.zip which is the subject of the correspondence below.

While Microsoft has a good faith belief that the distribution of the file that was made available at that address infringes Microsoft’s copyrights, it was not Microsoft’s intention that the takedown request result in the disablement of web access to the entire cryptome.org website on which the file was made available.

Accordingly, on behalf of Microsoft, I am hereby withdrawing the takedown request and asking that Network Solutions restore internet access to http: cryptome.org as soon as possible.

I can be reached at 415-640-5145 if you wish to discuss this request.

Sincerely,

Evan Cox
Counsel to Microsoft Corporation

Source


Feb 25 2010

Cryptome.org shut down for exposing MS surveillance guide

Cryptome, the whistleblower site that serves as a repository for “documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance”, was taken down on Wednesday afternoon by its hosting provider, Network Solutions, which also had the domain “legally locked”.

This means that the domain information can’t be modified and the domain name can’t be transferred – only the registration can be renewed. Network Solutions’ action was prompted by a Digital Millennium Copyright Act (DMCA) complaint filed by Microsoft against Cryptome and its owners over the publication of Microsoft’s Global Criminal Compliance Handbook, a document that reveals things Microsoft would rather not become common knowledge.

In it you can find information about what records are retained and for how long, and what information can and will be given to law enforcement and intelligence agencies if requested by subpoena. Microsoft is not the only company whose “spy guide” has been published by Cryptome, but it’s apparently the one with the most clout.

ReadWriteWeb reports that once the complaint was filed, John Young, one of the owners of Cryptome, was asked to take the document off the website and refused. The hosting provider then intervened with a warning that if the document wasn’t removed by Thursday, they would disable the site. And so they did – one day before the imposed deadline.

In the complaint, Microsoft states as the reason for their request an infringement of copyright laws. The Electronic Frontier Foundation (EFF), the well-known international digital rights watchdog group, spoke up: “We find it troubling that copyright law is being invoked here. Microsoft doesn’t sell this manual. There’s no market for this work. It’s not a copyright issue. John’s copying of it is fair use. We don’t do this anywhere else in speech law.”

Cryptome has been active since 1996, and this is the first time anyone has succeeded in shutting it down. Young has filed a counter-notification, and we probably won’t have to wait long for the next installment of this story. If Microsoft doesn’t forward a notice of litigation, Network Solutions will reactivate the website and unlock the domain in no more than 14 business days. In the meantime, the website is temporarily available here.

If you want to read Microsoft’s “spy guide”, you can download it at Wikileaks, which has also offered to host Cryptome on its multi-jurisdictional network outside the US.

Source


Feb 25 2010

Temporary cryptome.org site online after Network Solutions “Legal Lock”

The web site cryptome.org is currently online at http://cryptomeorg.siteprotect.net/ until the domain can be transferred away from Network Solutions. The following is from the temporary site:

This is temporary Cryptome address until the Cryptome.org domain is transferred. Network Solutions shut Cryptome.org and has placed a “legal lock” on the domain name, preventing its transfer, until the “dispute” is settled. Some recent files are available now and the full collection is being transferred.


Feb 18 2010

Zeus Trojan found on 74,000 PCs in global botnet

More than 74,000 PCs at nearly 2,500 organizations around the globe were compromised over the past year and a half in a botnet infestation designed to steal login credentials to bank sites, social networks, and e-mail systems, a security firm said Wednesday.

The systems were infected with the Zeus Trojan and the botnet was dubbed “Kneber” after a username that linked the infected PCs on corporate and government systems, according to NetWitness.

The Wall Street Journal reported that Merck, Cardinal Health, Paramount Pictures, and Juniper Networks were among the targets in the attack. NetWitness speculated that criminals in Eastern Europe, using a command-and-control server in Germany, sent e-mail attachments containing the malware, or links to the malware on Web sites, that employees within the companies clicked on.

NetWitness said it discovered more than 75 gigabytes worth of stolen data during routine analytic tasks as part of an evaluation of a client network on January 26. The cache of stolen data included 68,000 corporate login credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, 2,000 SSL (Secure Sockets Layer) certificate files and data on individuals, NetWitness said in a statement and in a whitepaper available for download from its Web site.

In addition to stealing specific data, Zeus can be used to search for and steal any file on the computer, download and execute programs and allow someone to remotely control the computer.

More than half of the compromised machines were also infected with peer-to-peer bot malware called Waledac, the company said. Nearly 200 countries were affected, with most of the infections found in Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The news comes after Google announced an attack targeting it and what is believed to be more than 30 other companies and which was linked back to China. McAfee dubbed that attack “Operation Aurora.”

“While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet,” said Amit Yoran, chief executive of NetWitness and former Director of the National Cyber Security Division. “These large-scale compromises of enterprise networks have reached epidemic levels.”

Source


Feb 16 2010

China Home to Most Hacked Computers, Says Report

More computers are hacked in China than anywhere else in the world, a new report from security firm McAfee revealed.

In the last three months of 2009, about 1,095,000 computers in China were hacked, and 1,057,000 in the United States – this on top of the 10 million or so machines already infected in each country. An estimated $1 trillion in intellectual property was stolen worldwide in 2008 through hacking, McAfee estimated.

In China, hacked computers often are clustered into “botnets,” a.k.a. battalions of corrupted computers commandeered to attack websites and spew spam. The growing presence of botnets is yet another sign of network insecurity – already a huge concern for both business and government. The news comes just after China closed down Black Hawk Safety Net, the country’s biggest training website for hackers. The site signed up some 12,000 paying subscribers, providing them with both primers for cyberattack and Trojan software, which hackers use to illegally control computers. The report also comes after Secretary of State Hillary Rodham Clinton’s historic Jan. 21 speech on Internet freedom, where she announced: “An attack on one nation’s networks can be an attack on all.”

China produced 12 percent of the world’s botnet “zombies,” as they’re called. The U.S. was second on the list with 9.5 percent – down from the top spot (and 13.1 percent) in the previous quarter. The rest of the top five: Brazil, Russia, and Germany.

It’s not necessarily the Chinese themselves who are causing the problems. “Just because the attacks originate from China doesn’t mean the people behind the attacks are Chinese or even physically in China,” Gideon Lenkey, founder of protection company Ra Security, told Internetevolution.com. “China’s Internet is very closed off from the rest of the Internet so it’s a great position to attack from.”

Other findings from the report:

• A drop in spam: Levels dropped from a record 175 billion a day in the third quarter of 2009 to 135 billion, a 24 percent decline. Don’t get too excited – the “overall historical trend still points upward,” said the report. “Compared with the fourth quarter of 2008, volume is up 35 percent.” For the record, there were about 135.5 billion spam emails sent every day in 2009, compared with 122 billion a day in 2008 and 76.5 billion a day in 2007. The U.S. is the world leader in spam production, but Brazil and India are fast catching up.

• Malware threats are on the rise, nearly doubling over the year. It was a “transformative and evolutionary year for computer threats,” the report said, with portable storage devices becoming a very popular target. This is partly because the hardware is so popular, but also because so many PCs use the Windows autorun feature – meaning no user action is required to become infected.

• Last year saw an increase in bogus antivirus software that convinces web users their PC is infected and asks them to pay for equally bogus security software. Thanks to the growing popularity of Adobe applications, there also was a rise in attempts to exploit vulnerabilities in Flash and Acrobat Reader.

Last month a report from McAfee and the Center for Strategic and International Studies revealed a growing threat of cyberattack, with widespread attacks on critical systems.

Source


Feb 9 2010

Microscope-wielding boffins crack cordless phone crypto

Cryptographers have broken the proprietary encryption used to prevent eavesdropping on more than 800 million cordless phones worldwide, demonstrating once again the risks of relying on obscure technologies to remain secure.

The attack is the first to crack the cipher at the heart of the DECT, or Digital Enhanced Cordless Telecommunications, standard, which encrypts radio signals as they travel between cordless phones in homes and businesses and corresponding base stations. A previous hack, by contrast, merely exploited weaknesses in the way the algorithm was implemented.

The fatal flaw in the DECT Standard Cipher is its insufficient amount of “pre-ciphering,” which is the encryption equivalent of shaking a cup of dice to make sure they generate unpredictable results. Because the algorithm discards only the first 40 or 80 bits during the encryption process, it’s possible to deduce the secret key after collecting and analyzing enough of the protected conversation.

“This standard, as with everything else we have broken, has been designed some 20 years ago, and it is proprietary encryption,” said Karsten Nohl, one of the cryptographers who helped devise the attack. “It relied on the fact that the encryption was unknown and hence could not be broken. This is a case where something that has some potential for being strong is broken by just this one design decision that in any public review would have been spotted immediately.”

Nohl, 28, is the same University of Virginia microscope-wielding reverse engineer who cracked the encryption in the world’s most widely used smartcard. In December, he struck again after devising a practical attack for eavesdropping on cellphone calls.

He and fellow researchers Erik Tews of the Darmstadt University of Technology and Ralf-Philipp Weinmann of the University of Luxembourg, plan to present their findings Monday at the 2010 Fast Software Encryption workshop in Korea.

Like several of Nohl’s previous hacks, this one began with nitric acid and an electron microscope. After dissolving away the epoxy on the silicon chip and then shaving down and magnifying the section dedicated to the DECT encryption, he was able to glean key insights into the underlying algorithm. He then compared the findings against details selectively laid out in a patent and exposed during a debug process.

The results of all three probe methods revealed the fatally insufficient amount of pre-ciphering in the DECT Standard Cipher.

In practical terms, the attack works by collecting bits of the encrypted data stream whose unencrypted contents are known. In cordless phones, this often comes from a device’s control channel, which broadcasts a variety of predictable data, including call duration and button responses. Sniffing an encrypted conversation with a USRP software-defined radio and an average PC, an attacker would need to collect about four hours of data to break the key in typical scenarios.

In others – such as where DECT is used in restaurants and bars to wirelessly zap payment card details – the time needed to crack the key could be dramatically shorter, Nohl said. The time can also be sped up in a variety of other ways, including by adding certain types of graphics cards to beef up the power of the attacking PC. In some cases, the attack can retrieve the secret key in 10 minutes.
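The two weaknesses the article describes above, predictable control-channel plaintext that leaks keystream and too little pre-ciphering so that early keystream bits depend on only a few key bits, can be shown together on a small model. The following toy is added here as an illustration; it is not the researchers’ code and it is not the DECT Standard Cipher. It is a constructed 32-bit shift register with linear feedback and a nonlinear output filter, and the tap positions, the key-XOR-IV loading and the sample IVs are all assumptions of the toy. The attack it carries out is guess-and-determine: a structural pass works out which key bits each keystream bit can depend on, then each small subset is brute-forced against known keystream. With no warm-up output discarded the whole 32-bit key falls to a few hundred guesses; with 40 warm-up bits discarded every keystream bit depends on all 32 key bits and the same attack costs a full exhaustive search.

```python
"""Toy keystream generator showing why a stream cipher needs enough
"pre-ciphering" (warm-up output discarded before encryption starts).

Constructed for illustration only: NOT the DECT Standard Cipher, just a
32-bit shift register with linear feedback and a nonlinear output filter.
Attack pattern: known plaintext (predictable control-channel fields) gives
keystream bits; with too few warm-up bits discarded, each early keystream
bit depends on only a handful of key bits, so the key is recovered
piecewise by guess-and-determine instead of an exhaustive 2^32 search.
"""
import random
from itertools import product

KEY_BITS = 32
FEEDBACK_TAPS = (0, 3, 12, 31)        # linear feedback into the top bit (assumed)
OUTPUT_TAPS = (0, 3, 7, 15, 24)       # filter: (s0 & s7) ^ (s15 & s24) ^ s3 (assumed)


def _bit(x, i):
    return (x >> i) & 1


def _clock(state):
    """Emit one filtered output bit, then shift one feedback bit in at the top."""
    out = (_bit(state, 0) & _bit(state, 7)) ^ (_bit(state, 15) & _bit(state, 24)) ^ _bit(state, 3)
    fb = 0
    for t in FEEDBACK_TAPS:
        fb ^= _bit(state, t)
    return out, (state >> 1) | (fb << (KEY_BITS - 1))


def keystream(key, iv, pre, n):
    """n keystream bits for (key, iv) after discarding `pre` warm-up bits."""
    state = (key ^ iv) & 0xFFFFFFFF   # toy loading: key XOR public IV
    bits = []
    for i in range(pre + n):
        out, state = _clock(state)
        if i >= pre:
            bits.append(out)
    return bits


def dependency_sets(pre, n):
    """Structural analysis: for each emitted bit, the set of key-bit indices
    that can influence it.  Tracks, per register position, which key bits it
    was derived from; the IV is public, so it hides nothing."""
    deps = [frozenset([i]) for i in range(KEY_BITS)]
    result = []
    for i in range(pre + n):
        if i >= pre:
            result.append(frozenset().union(*(deps[t] for t in OUTPUT_TAPS)))
        fb = frozenset().union(*(deps[t] for t in FEEDBACK_TAPS))
        deps = deps[1:] + [fb]
    return result


def attack_work(pre, n):
    """(key guesses a guess-and-determine attack tries over the first n
    keystream bits, number of key bits it pins down)."""
    known, work = set(), 0
    for dep in dependency_sets(pre, n):
        unknown = dep - known
        if unknown:
            work += 2 ** len(unknown)
            known |= unknown
    return work, len(known)


def make_samples(key, pre, n, count, seed=2010):
    """Constructed known-plaintext material: (iv, keystream) pairs under one
    key, as an eavesdropper would derive from predictable control traffic."""
    rng = random.Random(seed)
    return [(iv, keystream(key, iv, pre, n))
            for iv in (rng.getrandbits(KEY_BITS) for _ in range(count))]


def recover_key(samples, pre, n):
    """Guess-and-determine: per keystream position, brute-force only the key
    bits it depends on, keeping guesses consistent with every sample.
    Returns the key, or None if some position stays ambiguous."""
    known = {}                                    # key bit index -> value
    for pos, dep in enumerate(dependency_sets(pre, n)):
        unknown = sorted(dep - set(known))
        if not unknown:
            continue
        survivors = []
        for guess in product((0, 1), repeat=len(unknown)):
            partial = sum(v << b for b, v in known.items())
            partial |= sum(v << b for b, v in zip(unknown, guess))
            # bits outside `dep` stay zero: by construction they cannot
            # affect keystream bit `pos`, so the comparison is exact
            if all(keystream(partial, iv, pre, pos + 1)[pos] == ks[pos]
                   for iv, ks in samples):
                survivors.append(guess)
        if len(survivors) != 1:
            return None
        known.update(zip(unknown, survivors[0]))
    if len(known) != KEY_BITS:
        return None
    return sum(v << b for b, v in known.items())


if __name__ == "__main__":
    for pre in (0, 8, 40):
        print(f"pre-ciphering={pre:2d} bits: guesses needed={attack_work(pre, 9)[0]}")
    key = 0x9E3779B9                              # constructed demo key
    print("recovered:", hex(recover_key(make_samples(key, 0, 9, 48), 0, 9)))
```

The real cipher is far more involved than this register, and the researchers’ attack is statistical rather than this exact brute-force split, but the shape is the same: the warm-up bits are what stop the first keystream bits from being a cheap function of a few key bits, and the control channel is what hands the attacker the keystream to test guesses against.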

“We expect that some smarter cryptographers than ourselves will find better attacks, of course,” Nohl told El Reg. “We found the algorithm and then implemented the first attack. It’s almost guaranteed that this is not the best attack.”

The DECT Forum, the international body that oversees the standard, said it takes the attack scenarios laid out in the paper seriously and “continues to investigate their applicability.”

The crack of DECT is only the latest time Nohl has defeated the proprietary encryption of a device with critical mass. His 2008 attack on the Mifare Classic smartcard used similar techniques of filing down a silicon chip and then tracing the connections between transistors. His proposed attack on GSM encryption affects cellphones used by more than 800 carriers in 219 countries.

Source


Feb 3 2010

1,400 personal records stolen from Columbia College

Three notebook computers were stolen two weeks ago from an office at Columbia College, containing personal information, including social security numbers, of 1,400 current and prospective students, alumni, and past and present employees.

Columbia Spectator reports that the fact was revealed only this Friday, some 11 days after the security breach. The University offered everyone affected a free two-year subscription to a credit monitoring service and is advising them to activate fraud alerts. It also said that, as of that moment, there was no evidence of misuse of the information.

There is a high probability there never will be, since the computers were most likely stolen simply to be sold as hardware. But low risk is not no risk, and the victims are not easily satisfied with the results of the investigation, even though they must know that once lost, this information will always present a danger, and that cannot be undone now. The only thing left for them to do is check their credit reports for suspicious transactions or for new credit accounts they did not open themselves.

The University has promised to step up security. “We have already strengthened the physical security of the office in question and are in the process of increasing our laptop security through the installation of high level encryption programs. We also are taking a more aggressive approach to scanning computer equipment for potential security threats,” the Dean of Columbia College, Michele Moody-Adams, wrote in the letter to the victims.

Source