Ukrainian Information Security Center - all about IT security
News for 29 October 2008

  • 20:07 Notorious registrar gets deactivation notice for president's sin
  • RIP EstDomains

    EstDomains, a domain name registrar with a reputation for catering to cyber criminals, suffered another blow after the organization that oversees the net's address system said it would revoke the company's right to sell domain names because of a recent fraud conviction in Estonia by its president.

    >>>

  • 19:31 DHS cybersecurity boss fights back against critics
  • Shot by both sides

    The man in charge of running the Department of Homeland Security's cybersecurity efforts has defended its efforts in the face of congressional criticism.

    >>>

  • 19:19 Code execution flaws haunt OpenOffice
  • OpenOffice.org has shipped a new version of the open-source desktop productivity suite to patch a pair of highly-critical vulnerabilities that could expose users to arbitrary code execution attacks. The flaws, which affect all versions prior to OpenOffice.org 2.4.2, could be exploited via manipulated WMF and EMF files in StarOffice or StarSuite documents. The skinny: CVE-2008-2237: A [...]
    >>>

  • 18:30 Schneier sticks it to surveillance
  • Inglorious five-year snoop-plan

    Security guru Bruce Schneier has challenged the view that privacy and security are at loggerheads, suggesting the real debate is between liberty and control.

    >>>

  • 18:27 Off the wire: Whitepaper - In-depth look at deduplication technologies
  • Explore the options and get a clear, unbiased view of the deduplication market. >>>

  • 18:26 Off the wire: Test your security IQ
  • Would you know a security bug if you saw one? Find out by taking this quiz. >>>

  • 17:51 Security World: New AcuSensor Web application scanning technology
  • Acunetix announced the release of the cutting edge AcuSensor Technology with the launch of version 6.0 of Acunetix Web Vulnerability Scanner. AcuSensor Technology consists of sensors that are strategic... >>>

  • 17:45 CardCops: Stolen credit card details getting cheaper
  • The dynamics of the underground marketplace are pretty similar to those of the legitimate marketplace, with cybercriminals demanding and supplying, consolidating and starting to work together, and coming up with new monetization approaches in order to continue enjoying the high profit margins of their goods and services. The once highly exclusive market segment of stolen [...]
    >>>

  • 17:32 End of life beckons for Firefox 2
  • If you have not yet upgraded to Firefox 3, keep in mind that Mozilla is very close to pulling the plug on support for older versions of the browser. Support for Firefox 2, which includes security and stability patches, is scheduled to end six months after Firefox 3 shipped (June 17, 2008), which puts the end-of-life [...]
    >>>

  • 14:14 Network Security Podcast, Episode 125
  • I had to run out the door immediately after recording, but despite technical difficulties, Rich and I recorded a short interview with David Mortman, ‘blogger-in-residence’ for Debix.  Network Security Podcast, Episode 125, October 28, 2008 Show Notes >>>

  • 12:59 Fraudsters get into the cloud
  • Fraud as a service persists post-Dark Market

    Hackers are applying the ideas of cloud computing to online fraud in a move that means even technically illiterate crooks can move into cybercrime.

    >>>

  • 12:59 Crackers get into the cloud
  • Fraud as a service persists post-Dark Market takedown

    Crackers are applying the ideas of cloud computing to online fraud in a move that means even technically illiterate crooks can move into cybercrime.

    >>>

  • 03:45 Security World: New Panda GateDefender perimeter protection appliances
  • Panda Security has launched the new 9000 series of the Panda GateDefender Performa range, a security appliance that offers maximum protection for the network perimeter, preventing malware, spam and u... >>>

  • 03:38 Security World: Q3 spam and malware trends statistics and analysis
  • Spam volume returned to record highs in Q3 with fairly steady monthly increases throughout the summer. The acquisition of innocent machines via email and Web-based infections continued in Q3, with ove... >>>

  • 03:12 Talkback Tuesday: latest MS vulnerability
  • Everyone was discussing the MS08-067 vulnerability and its out-of-cycle patch last week. My post on the topic elicited several comments from our readers, including the following by frgough: If this had been Apple, the article slant would have been all about poor security models, inherently flawed structure with lots of adjectives like massive, dangerous, overconfident, etc. thrown [...]
    >>>

  • 02:00 TSA News
  • Item 1: Kip Hawley says that the TSA may reduce size restrictions on liquids. You'll still have to take them out of your bag, but they can be larger than three ounces. The reasons -- so he states -- are that technologies are getting better, not that the threat is reduced.

    I'm skeptical, of course. But read his post; it's interesting.

    Item 2: Hawley responded to my response to his blog post about an article about me in The Atlantic.

    Item 3: The Atlantic is holding a contest, based on Hawley's comment that the TSA is basically there to catch stupid terrorists:

    And so, a contest: How would the Hawley Principle of Federally-Endorsed Mediocrity apply to other government endeavors?

    Not the same as my movie-plot threat contest, but fun all the same.


    Item 4: What would the TSA make of this?

    >>>

  • 02:00 Brief: Web security firm warns of obfuscated code
  • Web security firm warns of obfuscated code >>>

  • 02:00 The Skein Hash Function
  • NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.)

    Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper:

    Executive Summary

    Skein is a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze.

    Skein is fast. Skein-512 -- our primary proposal -- hashes data at 6.1 clock cycles per byte on a 64-bit CPU. This means that on a 3.1 GHz x64 Core 2 Duo CPU, Skein hashes data at 500 MBytes/second per core -- almost twice as fast as SHA-512 and three times faster than SHA-256. An optional hash-tree mode speeds up parallelizable implementations even more. Skein is fast for short messages, too; Skein-512 hashes short messages in about 1000 clock cycles.

    Skein is secure. Its conservative design is based on the Threefish block cipher. Our current best attack on Threefish-512 is on 25 of 72 rounds, for a safety factor of 2.9. For comparison, at a similar stage in the standardization process, the AES encryption algorithm had an attack on 6 of 10 rounds, for a safety factor of only 1.7. Additionally, Skein has a number of provably secure properties, greatly increasing confidence in the algorithm.

    Skein is simple. Using only three primitive operations, the Skein compression function can be easily understood and remembered. The rest of the algorithm is a straightforward iteration of this function.

    Skein is flexible. Skein is defined for three different internal state sizes -- 256 bits, 512 bits, and 1024 bits -- and any output size. This allows Skein to be a drop-in replacement for the entire SHA family of hash functions. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: a PRNG, a stream cipher, a key derivation function, authentication without the overhead of HMAC, and a personalization capability. All these features can be implemented with very low overhead. Together with the Threefish large-block cipher at Skein's core, this design provides a full set of symmetric cryptographic primitives suitable for most modern applications.

    Skein is efficient on a variety of platforms, both hardware and software. Skein-512 can be implemented in about 200 bytes of state. Small devices, such as 8-bit smart cards, can implement Skein-256 using about 100 bytes of memory. Larger devices can implement the larger versions of Skein to achieve faster speeds.

    Skein was designed by a team of highly experienced cryptographic experts from academia and industry, with expertise in cryptography, security analysis, software, chip design, and implementation of real-world cryptographic systems. This breadth of knowledge allowed them to create a balanced design that works well in all environments.

    Here's source code, test vectors, and the like for Skein. Watch the Skein website for any updates -- new code, new results, new implementations, the proofs.

    NIST's deadline is Friday. It seems as if everyone -- including many amateurs -- is working on a hash function, and I predict that NIST will receive at least 80 submissions. (Compare this to the 21 submissions NIST received -- five were rejected as not being complete -- for the AES competition in 1998.) I expect people to start posting their submissions over the weekend. (Ron Rivest already presented MD6 at Crypto in August.) Probably the best place to watch for new hash functions is here; I'll try to keep a listing of the submissions myself.

    The selection process will take around four years. I've previously called this sort of thing a cryptographic demolition derby -- last one left standing wins -- but that's only half true. Certainly all the groups will spend the next couple of years trying to cryptanalyze each other, but in the end there will be a bunch of unbroken algorithms; NIST will select one based on performance and features.

    NIST has stated that the goal of this process is not to choose the best standard but to choose a good standard. I think that's smart of them; in this process, "best" is the enemy of "good." My advice is this: immediately sort them based on performance and features. Ask the cryptographic community to focus its attention on the top dozen, rather than spread its attention across all 80 -- although I also expect that most of the amateur submissions will be rejected by NIST for not being "complete and proper." Otherwise, people will break the easy ones and the better ones will go unanalyzed.

    >>>

  • 01:36 E-voting fears run high as election day looms
  • 'Flipped' votes reported in three states

    With just a week to go before the US presidential election, academics, politicians, and voters are voicing increased distrust of the electronic voting machines that will be used to cast ballots.

    >>>

  • 01:15 Conference: E-Signatures '08: Business, Legal & Technology Trends
  • The Electronic Signature and Records Association (ESRA) will once again hold its annual conference in Washington, DC in November. This year, the ESRA conference will analyze a remarkably wide range o... >>>

  • 01:12 Security World: iPhone password safe utility SplashID enhanced with new features
  • SplashData announced a major update to the version of its SplashID secure information manager for iPhone and iPod touch. The new SplashID version 4.5 offers significantly faster loading times, improv... >>>
