Researchers at the University of London are going public with a paper that claims to have found a flaw in the specification for Transport Layer Security (TLS) that could leave supposedly secure Web, IM, VoIP and other online sessions exposed to prying eyes. The researchers, Nadhem Al Fardan and Kenny Patterson of the Information Security Group at Royal Holloway, University of London said that the security hole stem from a flaw in the TLS specification, rather than a bug in how TLS is implemented. The two researchers have developed proof of concept attacks that take advantage of the flaw, and that could be used to recover a complete block of TLS-encrypted plaintext, the researchers said. Al Fardan is a Ph.D student in the Information Security Group. Patterson is a professor of Information Security there. The two have discovered other, serious holes in TLS before. Notably: the two discovered a critical […]
Reports
New York Times Hack Puts Antivirus on Defensive
The big news this morning is the New York Times’ scoop on…well…itself. According to a report in today’s paper, the Times’s computer network was compromised for more than four months by attackers believed to be located in China. The attacks followed a Times exposé on the wealth accumulated by family members of China’s prime minister, Wen Jiabao – one of a series of reports in Western media outlets that raised questions about corruption and influence peddling in China’s ruling Communist Party. Attackers planted 45 pieces of information-stealing malware on Times systems, despite the presence of antivirus software from Symantec Corp. protecting those systems before, during and after the hack. The story is fueling debate about the value of anti-virus software and prompted Symantec to issue a statement defending its technology, but warning that signature-based antivirus is not enough to stop sophisticated attacks. According to the Times report, the attacks used compromised systems on […]
Funding Cut, Military’s List of Critical Defense Technologies Languishes
The U.S. Department of Defense is failing to adequately maintain its main reference list of vital defense technologies that should be banned from export, despite rules requiring its use and upkeep, according to a new report from the Government Accountability Office (GAO). The Militarily Critical Technologies List (MCTL) is “outdated and updates have ceased,” the GAO found in a report released this week. The list was intended as the DOD’s main resource for tracking sensitive technology and preventing its export to foreign nations or entities. But the government agencies charged with using the list say it is too broad and out-of-date to be of much use and have long since abandoned it. Now budget cuts to the program that maintains the list are forcing export control officials in the government to use alternative information sources and informal “networks of experts” to tell them what technologies are in need of protection, […]
Microsoft Rushes Fix for IE Hole Used in Attacks on DC’s Elite
Microsoft issued an emergency fix for its Internet Explorer web browser on Monday, just days after security researchers reported finding a previously unknown (zero day) vulnerability in IE that was being used in targeted attacks against members of Washington D.C.’s media, government and policy elite. Microsoft’s Security Response Center (MSRC) released the fix for IE versions 6, 7 and 8 on Monday following reports of sophisticated and targeted attacks using the vulnerability were detected on the web site of the Council of Foreign Relations, a leading think tank whose members include senior government officials. In a Security Advisory (#2794220), Microsoft described the flaw as a “remote code execution vulnerability” in code that governs the way that “Internet Explorer accesses an object in memory that has been deleted or (improperly) allocated.” The vulnerability could allow a malicious attacker to create a malicious web page that would exploit the vulnerability to corrupt memory in […]
Report Warns of Growing ‘Dark Side’ of Cyberspace
The head of a prominent human rights groups has warned that increased state involvement in cyberspace, including surveillance, censorship, propaganda campaigns and offensive cyber operations threatens the future of the Internet as much as endemic problems like cyber crime – part of a growing “dark side” to cyberspace. Writing in the Penn State Journal of Law and International Affairs, Ronald Deibert, Director of Citizen Lab and Canada Centre for Global Security Studies said that threats to human rights and individual liberties come from a variety of states – from authoritarian regimes, to Latin American narco-states to liberal democracies in the West, as governments increasingly leverage the power of the Internet to monitor citizens’ behavior and impose limits on free expression. Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto, has played a key role in high-profile investigations of cyber espionage including the now-infamous Ghost Net attacks on […]
