Security: AT&T Invents Programming Language for Mass Surveillance; dynamic data mining

AT&T Invents Programming Language for Mass Surveillance
Wired News (10/29/07) Singel, Ryan

AT&T researchers have developed Hancock, a C language-based programming language designed to mine the company's telephone and internet records for surveillance data. A recently discovered AT&T research paper published in 2001 shows how the phone company uses Hancock-based software to process tens of millions of long distance phone records to create "communities of interest," or calling circles that show who people are talking to. Hancock was developed in the late 1990s to develop marketing leads and as a security tool to see if new customers called the same numbers as previously disconnected fraudsters, which the research paper called "guilt by association." Hancock-based programs work by analyzing data as it enters a data warehouse, a significant difference from traditional data-mining tools that tend to look for patterns in static databases. A 2004 paper published in ACM Transactions on Programming Languages and Systems demonstrates how Hancock can sort through calling card records, long distance calls, IP addresses and Internet traffic dumps, and even track the movement of a cell phone as it switches between signal towers.
Click Here to View Full Article

FW: Simplest 'Universal Computer' Wins Student $25,000; 1-D Cellular Automata

Simplest 'Universal Computer' Wins Student $25,000
New Scientist (10/24/07) Giles, Jim

University of Birmingham computer science student Alex Smith solved the simplest "universal computer" proof by proving that a simple mathematical calculator can be used as a "universal computing machine," earning a $25,000 prize. The proof involves a mathematical calculator known as a Turing machine, some of which are "universal computers" that given enough time and memory can solve almost any mathematical problem. In May 2007, mathematician Stephen Wolfram announced a contest to see if anyone could prove that the simplest Turing machine, a cellular automaton that uses just three different symbols in its calculations, is also a universal computer. Smith, who is 20 years old and knows 20 different programming languages, including six he describes as "esoteric," solved the proof by showing that the machine is equal to another mathematical device that is already known to be a universal computer. Wolfram says proving that even the simplest machine is capable of being a universal computer indicates that equally simple molecular versions could some day be the foundation for new kinds of computing. "We are also at the end of a quest that has spanned more than half a century to find the very simplest universal Turing machine," says Wolfram.
Click Here to View Full Article

Security: Password-Cracking Chip Causes Security Concerns

Password-Cracking Chip Causes Security Concerns
New Scientist (10/24/07) Brandt, Andrew

Russia's Elcomsoft has filed a U.S. patent application for a technique for cracking computer passwords using inexpensive off-the-shelf computer graphics hardware. Using an inexpensive graphics card, Elcomsoft was able to increase its password cracking speed by a factor of 25, says Elcomsoft's Vladimir Katalov. The most difficult passwords, such as those used to log onto a Windows Vista computer, would normally take months of continuous computer processing using a normal central processing unit. However, Katalov says they can be cracked in as little as three to five days by using a graphics processing unit. He says less complex passwords can be cracked in a few minutes instead of hours or days. The speed increase comes from how a GPU processes information. Password cracking is an effective way to access information on a computer, but is generally ineffective at accessing online banking services since their Web sites often require multiple passwords and shut down after several incorrect attempts. Cryptography Research's Benjamin Jun says the technique is an impressive achievement that required elegant, intelligent design, and while the ability to crack passwords using GPUs is concerning, it is not a cause for panic. Advancements in cryptographic keys and the growing trend of encrypting entire hard drives is making accessing sensitive data more difficult. "Should I throw away my Web server and run for the hills?" asks Jun. "I don't think so."
Click Here to View Full Article

Security: Identity Theft: Costs More, Tech Less; average loss - $30K+

Identity Theft: Costs More, Tech Less
Network Computing (10/23/07) Claburn, Thomas

A study by Utica College's Center for Identity Management and Information Protection (CIMIP) revealed that the median actual dollar loss for victims of identity theft is $31,356, a much higher figure than suggested by past studies. However, earlier studies primarily concentrated on consumer losses, whereas Utica's study reviewed 517 cases investigated by the U.S. Secret Service, which tend to be major incidents, not minor scams. Indeed, the CIMIP study is the first to review the Secret Services' closed case files, and as such aims to provide empirical data. The report proved that companies as well as individuals are affected by identity theft. The study also discovered that the Internet is not always an essential tool for identity thieves. Of the 517 cases reviewed, 102 cases involved Internet use and 106 involved non-technological means, such as mail rerouting. In other instances, criminals used mail theft to access sensitive information and then used Internet-related tools to create fake documents. Another unanticipated finding was that in the 274 cases with identifiable points of compromise, businesses were the starting point for half of the breaches. Moreover, one-third of the identity theft cases reviewed implicated insiders. Finally, the study's results challenged the belief that most identity thieves are white males, as roughly 50 percent of the offenders were black and roughly 40 percent were white. CIMIP works with corporate, government, and academic institutions to research identity management, information sharing, and data protection, including the Carnegie Mellon University Software Engineering Institute, Indiana University's Center for Applied Cybersecurity Research, and Syracuse University's CASE Center.
Click Here to View Full Article

Security: 'Half-Quantum' Cryptography Promises Total Security; quantum-encrypted key only

'Half-Quantum' Cryptography Promises Total Security
New Scientist (10/21/07) Marks, Paul

Many cryptographers believed that the only way to achieve complete security when transmitting information was to use quantum cryptography to share the key used for encryption. However, researchers say they can achieve the same level of security even if one party stays in the world of classical physics. In conventional quantum cryptography, a sender, dubbed Alice, generates a string of 0s and 1s and encodes them using a photon polarized in either the computational "basis" in which 0 and 1 are represented by vertical and horizontal polarizations, or in diagonal bases in which 1 and 0 are represented by 45 degree and negative 45 degree polarizations. When the photons arrive at their destination, the receiver, dubbed Bob, chooses either the computational or diagonal bases to measure each one, telling Alice which he has chosen. If the chosen basis is wrong, Alice tells Bob to discard that bit. The bits that are guessed correctly form the secret key. If an eavesdropper intercepts any photons, the stream is interrupted and Bob's ability to read a number of the photons he might have read correctly is destroyed. The increase in unreadable photons tells Bob the communication channel has been compromised. Researchers at the Israel Institute of Technology in Haifa and the University of Montreal have demonstrated that only Alice needs to be quantum-equipped. Alice encodes the bits as usual, though Bob can only use the computational basis. Bob randomly measures some of the received photons and returns the rest to Alice untouched. The bits read in the computational basis form the key. The system is still secure because anyone eavesdropping does not know which photons will be returned to Alice unmeasured.
Click Here to View Full Article

Security: Rebinding Attacks Unbound; DNS rebinding vulnerability

Rebinding Attacks Unbound
Security Focus (10/17/07) Biancuzzi, Federico

Stanford University Ph.D. student Adam Barth participated in a study that determined that Web browsers are still vulnerable to DNS rebinding. He says in an interview that rebinding attacks are successful because browsers and plug-ins employ DNS host names to distinguish between different origins, but browsers do not really communicate with the hosts by name--they must first use DNS to align the host name with an IP address and then communicate with the host through its IP address. DNS rebinding can be used to bypass firewalls or to temporarily commandeer a client's IP address to issue spam email or defraud pay-per-click advertisers. Barth says the solution used to fix the classic DNS rebinding vulnerability--DNS pinning--no longer effectively defends against the vulnerability because today's browsers contain many different technologies that allow network access, such as Java and Flash. These technologies support separate pin databases, but are allowed to communicate within the browser. Barth says an effective defense against firewall circumvention is the configuration of DNS resolvers not to bind host names to internal IP addresses, while host name authorization can prevent DNS rebinding vulnerabilities in the longer term. "I'm hopeful the vendors will reach a consensus to fix these issues using host name authorization, but this requires the vendors to cooperate with each other," he notes. Barth says DNSSEC offers no protection against DNS rebinding attacks because it is designed to prevent pharming not rebinding. Barth and fellow members of the Stanford Web Security Lab are presenting a paper on DNS rebinding at the 2007 ACM Conference on Computer and Communications Security, Oct. 29-Nov. 2, in Alexandria, Va. For more information about the conference, visit http://www.sigsac.org/ccs.html
Click Here to View Full Article

Security: Hacker Curriculum: How Hackers Learn Networking

Hacker Curriculum: How Hackers Learn Networking
IEEE Distributed Systems Online (10/07) Bratus, Sergey
The hacker community has devised effective methods for the analysis, reverse engineering, testing, and modification of software and hardware, and it behooves leaders in industry and academia to understand this culture and be cognizant of its values, unique strengths, and weaknesses, writes Dartmouth College's Sergey Bratus. He observes that many quirks of the hacker culture are rooted in frustration with certain industry and academic trends (pressure to follow standard solutions, a limited perspective of the API, a dearth of tools for studying the state of a system, etc.), which he believes contribute to the current abundance of software vulnerabilities. This in turn fuels the hacker culture's impetus to fully comprehend underlying standards and systems, which largely formalize hackers' learning and work ethic. Among the sources hackers tap to acquire skills are classic textbooks highly rated by fellow hackers, electronic magazines, online forums dedicated to specific technical areas, source code from released tools, talks and private communications at hacker conventions, and IRC communities. Hackers have a tendency to adopt a cross-layer approach that tracks data through multiple tiers of interfaces, in accordance with three guiding principles. Bratus lists these principles as inspecting the system state or network on all levels down to the bit level; injecting arbitrary data into the system or network; and identifying and second-guessing deployment peculiarities. The author concludes that in many respects, hacker culture "produces impressive results that enrich other computing cultures, and its influence and exchange of ideas with these other cultures are growing. So, understanding the hacker learning experience and approaches is becoming more important day by day."
Click Here to View Full Article