Wednesday 6 January 2010

Cryptographic showdown, Round 2: NIST picks 14 hash algorithms

By William Jackson
GCN.com
Jan 05, 2010

The competition to select the new Secure Hash Algorithm standard for government has moved into the second round. The National Institute of Standards and Technology has winnowed the 64 algorithms submitted down to 14 semifinalists.

Of the 64 algorithms submitted in 2008, 51 met minimum criteria for acceptance in the competition. The cryptographic community spent the next year hammering at the candidates, looking for flaws and weaknesses.

"We were pleased by the amount and quality of the cryptanalysis we received on the first round candidates, and more than a little amazed by the ingenuity of some of the attacks," said Bill Burr, manager of NIST's Security Technology Group, in announcing the initial narrowing of the field in July.

Submitters of algorithms that made it through the first round of competition had until September to tweak the specifications or source code, and the final list of second round contenders was recently announced. The 14 second-round candidates are called BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. Candidate algorithms are available online at www.nist.gov/hash-competition

[...]

NZ's cyber spies win new powers

By NICKY HAGER
Sunday Star Times
03/01/2010

New cyber-monitoring measures have been quietly introduced giving police and Security Intelligence Service officers the power to monitor all aspects of someone's online life.

The measures are the largest expansion of police and SIS surveillance capabilities for decades, and mean that all mobile calls and texts, email, internet surfing and online shopping, chatting and social networking can be monitored anywhere in New Zealand.

In preparation, technicians have been installing specialist spying devices and software inside all telephone exchanges, internet companies and even fibre-optic data networks between cities and towns, providing police and spy agencies with the capability to monitor almost all communications.

Police and SIS must still obtain an interception warrant naming a person or place they want to monitor but, compared to the phone taps of the past, a single warrant now covers phone, email and all internet activity.

It can even monitor a person's location by detecting their mobile phone; all of this occurring almost instantaneously.

[...]

Secure USB Drives Not So Secure

By Joan Goodchild
Senior Editor
CSO
January 05, 2010

Several hardware-encrypted USB memory sticks are now part of a worldwide recall and require security updates because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the device.

When USB maker SanDisk first received news of the problem last month, the vendor issued a security bulletin that warned customers its Cruzer Enterprise series of USB flash drives contained a vulnerability in the access control mechanism. SanDisk offered a product update online to address the issue and made sure to note the problem only applied to the application running on the host, not the device hardware or firmware.

Now USB vendor Kingston has jumped in with a similar warning, probably because their drives utilize the same code from SanDisk. Kingston's alert informs customers that "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained" on the drives. The company has issued a recall on the devices and urged customers to return them. A warning has also been issued by USB vendor Verbatim.

The drives impacted are equipped with AES 256-bit hardware encryption, which is designed to meet the stringent requirements of enterprise-level security. However, penetration testers with German security firm SySS uncovered a vulnerability that exploits the way the flash drives handle passwords. The exact nature of the flaw is not described on any of the vendor bulletins, but according to an article in security publication The H, "the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism." SySS testers found a flaw that allowed them to write a tool that sent the same character string to unlock the drive, regardless of what password was entered.

Hacker pilfers browser GPS location via router attack

By Dan Goodin in San Francisco
The Register
5th January 2010

If you're surfing the web from a wireless router supplied by some of the biggest device makers, there's a chance Samy Kamkar can identify your geographic location.

That's because WiFi access points made by Westell and others are vulnerable to XSS, or cross-site scripting, attacks that can siphon a device's media access control address with one wayward click of the mouse. Once in possession of the unique identifier, Kamkar can plug it in to Google's Google Location Services and determine where you are.

"It's actually scary how accurate it is," said Kamkar, the author of the Samy Worm, a self-replicating XSS exploit that in 2005 added more than 1 million friends to his MySpace account and in the process knocked the site out of commission. "I've found that with a single MAC address, I've always been spot on with the tests I've done."

Kamkar, who tweeted about the vulnerability Tuesday, has posted a proof-of-concept attack here. For now, it works only on FiOS routers supplied by Verizon, and then only when users are logged in to the device's administrative panel. With a little more work, he said he can make it exploit similar XSS holes in routers made by other manufacturers.
