Twitter
Jan
2
Welcome to a New Year... All I seem to read over the past few days are predictions for 2009.. what's going to be hot and what is not.. Of course I have a few ideas of my own and I think that one of prevalent things for 2009 will be digital media streaming. Typical network media tanks like the popcorn hour box or the egreat box will become more diffused as people opt to stream media over their local LAN to their full HD LCD TV's. Will BlueRay catch on? Hmm.. I dunno. The idea of replacing my current library of DVD's with BlueRay ones seems quite expensive. Moreover, I need a BlueRay DVD player. Personally I'd opt for video on demand, streamed in HD quality
Some security news that caught my geek eye on the first few days of the year revolve around the elegant MD5 attack. Some people are considering it harmful today especially once you see how they managed to create a web skeleton key with 200 PS3's that can perfectly impersonate any website on the internet. Ouch........
Our research team, consisting of 7 researchers from the United States, Switzerland and the Netherlands, was able to execute a practical MD5 collision attack and create a rogue Certification Authority trusted by all common web browsers. This allows us to perform transparent man-in-the-middle attacks against SSL connections and monitor or tamper with the traffic to secure
websites or email servers.
The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.
So how will this affect current forensic tools that use this cryptographic mathematical function? Surely yes. As processor speeds and general computing power increase, forensic software like Encase must evolve if decisions in a court of law are based on such cryptographic functions used in official forensic packages. An interesting read is how NVidia GPU's crack WPA2, 100 times faster than conventional CPU's - and here we're talking WPA2!! Besides being a serious threat to online trust, the search for new hashing algorithms goes on as the NIST publishes its first round of candidates... Schneier has a good article posted here on this. My guess is that we are to expect this area to evolve.
2nd ouch hit me when I read about the DECT standard adopted by common day cordless phones and several other devices having been hacked...
The standard is also used in baby monitors, emergency call and door opening systems, wireless debit card readers and even traffic management systems. In Germany alone, where 25C3 is held, there are an estimated 30 million active DECT devices. DECT uses standard cryptographic procedures for authenticating the base station and terminals and for encrypting data transfers.
So what's in store for security people in the coming year? ComputerWorld seems to think that professionals with SAP security experience are probably the hottest of the hot right now... and that interest in security professionals remains strong across the board. I would tend to agree...
When it comes to demand for certain types of security professionals, those with SAP security experience "are probably the hottest of the hot right now," says Herrin. But interest in security professionals remains strong across the board. "Companies can't ignore security requirements, even in tough economic times," says Stephen Pickett, CIO at Penske Corp. and past president of the Society for Information Management. There's also strong interest in people with network and wireless security skills, as well as those with Certified Information Systems Security Professional accreditation.
Source
So it's looking grim, but hopefully not for long... nevertheless, eye's open next time you checkout online.. meanwhile checkout the Browser Security Handbook written by Google's Michal Zalewski - to easily figure out what works where!
More details...
0 Trackbacks