Entries Tagged as 'security'

The best disk encryption software for Windows, Mac and Linux

http://www.truecrypt.org/ It’s open source!
http://www.truecrypt.org/downloads

Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

Not even the FBI was able to decrypt it.

War game reveals U.S. lacks cyber-crisis skills

Scene: The White House Situation Room.

Event: A massive cyber attack has turned the cellphones and computers of tens of millions of Americans into weapons to shut down the Internet. A cascading series of events then knocks out power for most of the East Coast amid hurricanes and a heat wave.

Is the assault on cellphones an armed attack? In a crisis, what power does the government have to order phone and Internet carriers to allow monitoring of their networks? What level of privacy can Americans expect?

A war game, sponsored by a nonprofit group and attended by former top-ranking national security officials, laid bare Tuesday (02/16/2010) that the U.S. government lacks answers to such key questions.

Half an hour into an emergency meeting of a mock National Security Council, the attorney general declared: “We don’t have the authority in this nation as a government to quarantine people’s cellphones.”

The White House cyber coordinator was “shocked” and asserted: “If we don’t have the authority, the attorney general ought to find it.”

The Bipartisan Policy Center, which focuses on issues such as health care, energy and cybersecurity, staged the war game to demonstrate to a complacent public the plausibility of an attack that could in many ways be as crippling as the Sept. 11, 2001, terrorist strikes. Organizers said they wanted to prod Congress and the Obama administration to act.

“We were trying to tee up specific issues that would be digestible so they would become the building blocks of a broader, more comprehensive cyber strategy,” said Michael V. Hayden, former CIA director and the principal creator of the “Cyber ShockWave” simulation.

During the war game, held over four hours at the Mandarin Oriental Hotel, three wide-screen monitors flashed maps of the United States showing network coverage and electric power ebbing. The breakdown was covered by a faux news network, GNN. Senior administration officials watched the reporting of the unfolding crisis — 40 million people without power in the eastern United States; more than 60 million cellphones out of service; Wall Street closed for a week; Capitol Hill leaders en route to the White House.

Former senior officials from Republican and Democratic administrations participated in the war game, as did one former senator. Jamie S. Gorelick, a deputy attorney general under President Bill Clinton, pressed the issue of individual privacy. In a crisis, she said, “Americans need to know that they should not expect to have their cellphone and other communications to be private — not if the government is going to have to take aggressive action to tamp down the threat.”

She recommended that the Obama administration seek legislation for comprehensive authority to deal with a cyber emergency.

Participants also wrangled over how far to go in regulating the private sector, which owns the vast majority of the “critical” infrastructure that is vulnerable to a cyber attack. Stewart Baker, a former assistant secretary at the Department of Homeland Security who played the “cyber coordinator” on Tuesday, said that the private sector was not prepared to defend against a cyber act of war and that the government needed to play a role.

“People have trouble understanding warnings,” said John McLaughlin, who served as acting CIA director in 2004 and who played the director of national intelligence. “It was only after Sept. 11 that people could visualize what was possible. The usefulness of the simulation is it will help people visualize [the threat].”

Former Clinton press secretary Joe Lockhart, who played a presidential adviser during the simulation, said it was immaterial whether the attack was an act of war; it had “the effect” of an act of war, he said.

Lockhart said that people would be scared by the simulation but that “that’s a good thing.” Only then, he said, would Congress act.

Sponsors, most of whom made financial donations that ranged up to $150,000, included General Dynamics Advanced Information Systems, PayPal, Symantec, SMobile Systems, Georgetown University and Southern Co. The Chertoff Group contributed guidance, not money. The BPC, sponsors and CNN contributed to production costs.

By Ellen Nakashima from Washington Post

Australia Federal Government builds secret database to fight cyber-terrorism

Australia’s biggest banks, telcos, and utilities have handed sensitive data to government for the protection of critical infrastructure (CI) against terrorism and natural disasters.

The rare move, which began in 2009, makes the country one of a few in the world with a centralised national critical infrastructure protection model.

The Critical Infrastructure Protection Modeling and Assessment (CIPMA) program was launched in 2007 and received a $23.4 million funding boost to 2012 in last year’s budget.

It is spearheaded by the Federal Attorney-General, which received a $15.2 million share, and its research department Geoscience Australia, which scored $800,000.

The CIPMA program is also an initiative of the Trusted Information Sharing Network formed to examine the relationships and dependencies between CI systems and how failures in one sector affect other sector operations.

A spokesperson from the Attorney General’s Department responding to Computerworld questions said the program is on time and budget, and owes its success to the industry’s willingness to trust the government with highly sensitive data.

“Identifying, tracking the cascading effects of [CI] and quantifying these consequences is a key rationale for establishing the CIPMA program,” the spokesperson said.

“Direct relationships with industry means that there is a high level of trust to enable the provision of accurate data for modelling and analysis.”

The department would not elaborate on what scenarios are being tested or what organisations are participating but said all scenarios use factual data and produce realistic results, something few countries have the ability to do.

Participants with approval can use the data to defend Australia in the annual international wargame Cyberstorm, which pits countries including the US, UK and New Zealand against each other in mock online attacks on CI.

They can also use the models to cut internal costs by examining supply chain data and manufacturing processes.

About 4Tb of CI data will be stored in central databases, eliminating the need to retrieve information from knowledge experts who may be unreachable in a disaster.

System Dynamic Models are used to examine stock and flow data in CI such as network connectivity and the energy output of generators, to create an amalgamated output to be fed into a People, Building and Infrastructure profile. Data is then broken down into demographic, economic and business profiles, and statistical divisions to create unique disruption footprints.

An ASIO T4 approved security system protects stored data which includes highly secretive industry information entrusted to CIPMA.

The Attorney-General’s Department is establishing a panel of additional technical providers for the 2010 service delivery phase, following an expression of interest process. Work will be guided from the results of a pending interim review.

The CIPMA program is one of many actions that have been taken by authorities in recent times to counter the growing number of threats from cyber space, including those undertaken this week by a group calling itself ‘Anonymous’, which launched a denial of service (DoS) attack on two government websites to protest the Federal Government’s plans to introduce mandatory ISP-level Internet content filtering.

The attack, named “Operation Titstorm”, hit the Australian Parliament House and the Department of Broadband, Communications and the Digital Economy (DBCDE) websites.

In January, the Federal Government moved to step up its cyber warfare defence capabilities with the opening of the Cyber Security Operations Centre (CSOC) announced as part of the Defence White Paper released last year.

The centre, housed inside the Defence Signals Directorate (DSD) headquarters in Canberra, will provide critical understanding of the threat from sophisticated cyber attacks, according to the minister for defence, senator John Faulkner.

In November 2009, Computerworld revealed that the CSOC had already reached some operational capability, but there remains an acute lack of information on the offensive capabilities being developed, with the government and the Defence department refusing to divulge details.

There is also little clarity around its governance or oversight mechanisms, a circumstance that sparked calls from academics and information security analysts for greater public debate and disclosure.

Also in early November, the Australian Security Intelligence Organisation (ASIO) confirmed that Internet-based attacks have been used by hostile intelligence services to gain confidential Australian Government and business information. That same month the Government created a new national computer emergency response team, CERT Australia.

From: computerworld.com.au

Videos and presentations of Brazilian Technical Committee for the Implementation of Free Software in Federal Government

Watch the videos and presentations of the Brazilian Technical Committee for the Implementation of Free Software in Federal Government:

http://www.softwarelivre.gov.br/palestras-tecnicas-cisl

Some themes are:

Virtualization with KVM

http://streaming.serpro.gov.br/cisl/kvm.html

RLSL – LAN Free Software: a technical approach
http://www.softwarelivre.gov.br/palestras-tecnicas-cisl/palestras-tecnicas-cisl/apresentacao-rlsl-v4-1slide.pdf
http://streaming.serpro.gov.br/cisl/rlsl.html

Open JDK: the reality of Free Java
http://streaming.serpro.gov.br/cisl/jdk.html

Computer forensic tools using GNU / Linux
http://www.softwarelivre.gov.br/clientes/softwarelivre/softwarelivre/palestras-tecnicas-cisl/forense.pdf
http://streaming.serpro.gov.br/cisl/forense.html

Technical lecture: Zope / Plone
http://streaming.serpro.gov.br/cisl/zope-plone.html

Development of Free Software – Technological and Cultural Aspects
http://www.softwarelivre.gov.br/palestras-tecnicas-cisl/SERPRO-CulturaSoftwareLivre.pdf

Pentaho
http://www.softwarelivre.gov.br/palestras-tecnicas-cisl/ApresentacaoTecnicaPentaho.odp
http://www.softwarelivre.gov.br/palestras-tecnicas-cisl/Pentaho%20Server%20Structure.pdf

Voip + Free Software
http://www.softwarelivre.gov.br/palestras-tecnicas-cisl/VoipCobra.odp

Open Document Format – ODF
http://www.softwarelivre.gov.br/palestras-tecnicas-cisl/ODF_CISLJul_2008.pdf

Free Software in the Bank of Brazil
http://www.softwarelivre.gov.br/palestras-tecnicas-cisl/Apresentacao_BB_CISL2008.pdf

More information:
http://www.softwarelivre.gov.br

Trust Linux! OpenSuse

A team of researchers has implemented support for ‘trusted computing’ in a commercially available version of the open source operating system Linux, breaking new ground in the global drive toward more secure computing environments.

The latest release of openSUSE, a Linux version sponsored by software maker Novell, comes packaged with software that allows users to set up a trusted computing (TC) environment on their computer, enhancing security beyond the antivirus programs and firewalls that frequently prove inadequate at keeping bugs, viruses and spyware at bay.

Promoted and developed by major chipmakers and software companies in the international Trusted Computing Group, trusted computing uses both hardware and software to create a trusted and secure environment, whether on a home PC, a web server, in a data centre or over a corporate network. At the core of the technology is the trusted platform module (TPM), which is a chip that, among other security-boosting features, generates and manages cryptographic keys, verifies the identity of the computer on a network and protects software and data from malicious changes.

Awakening the dormant chip

Many new laptops and increasing numbers of desktop PCs and servers already have TPM chips as standard, while chipmakers such as Intel and AMD have started incorporating the technology directly into their latest generation of processors. However, most TPM chips are currently lying dormant, awaiting activation with the arrival of software that can make use of their enhanced security features.

“The hardware is there… what is needed are operating systems and software to exploit it,” says Herbert Petautschnig, a researcher at Austrian technology group Technikon.

Technikon led a consortium of 23 research and business partners, including AMD, IBM, HP, Infineon and Novell, in developing open source software and applications for TC environments as part of the EU-funded OpenTC project. The group’s implementation of TC support in openSUSE version 11.2 involved building a trusted software stack (TSS) for Linux, developing universal virtualisation layers (including improvements to the Xen hypervisor virtual machine monitor) and creating TC and TPM management software. It constitutes a pioneering implementation of TC technology.

“openSUSE is now the first operating system to offer full TC support,” Petautschnig notes. “Until now, TC had been implemented for specific applications, such as Microsoft’s BitLocker hard drive encryption in Windows Vista and Windows 7 or the fingerprint reader on some HP laptops… With the OpenTC platform we are extending the TC environment to the full operating system and beyond,” the project manager adds.

Unlike traditional security technology that operates only at the software level and only starts protecting a computer after it is loaded, TC technology provides security from the moment the power button is pressed. As the system boots and runs, the OpenTC platform continually monitors the computer for changes and ensures that only trusted, verified software is functioning. In a networked environment, it verifies the identity and integrity of the computer. And it allows different pieces of software and data to be “compartmentalised” so there is no exchange between them even as they share the same computing and/or network resources.
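The two mechanisms this paragraph describes, measuring software as it loads so that "only trusted, verified software is functioning" and proving that integrity to a remote party, rest on the TPM's extend-only measurement registers. The toy model below is an added example, not OpenTC's or openSUSE's code: it simulates a PCR-style measurement chain over constructed stand-ins for firmware, bootloader and kernel images, compares the result with a reference ("golden") value, and answers a remote verifier's challenge. An HMAC under a constructed `DEVICE_KEY` stands in for the TPM's attestation signing key; `extend`, `boot`, `quote` and `remote_attest` are names invented for the example.

```python
"""Toy model of TPM-style measured boot and remote attestation (added example).
Real TPMs sign quotes with an attestation key; an HMAC stands in here."""
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # a PCR starts at all-zero at power-on


def measure(blob: bytes) -> bytes:
    """Digest of a component about to be executed (firmware, loader, kernel...)."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR := H(PCR || digest). One-way and order-sensitive, so no
    later write can set the register to a chosen value."""
    return hashlib.sha256(pcr + digest).digest()


def boot(components) -> bytes:
    """Each stage measures the next before handing over control."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, measure(blob))
    return pcr


# Constructed stand-ins for the images a boot chain would measure.
GOOD_CHAIN = [b"firmware v1", b"bootloader v1", b"kernel v1"]
TAMPERED_CHAIN = [b"firmware v1", b"bootloader v1 + rootkit", b"kernel v1"]

# The verifier's reference value, recorded from a known-good boot.
GOLDEN_PCR = boot(GOOD_CHAIN)

# Constructed secret shared with the verifier (stand-in for the TPM's attestation key).
DEVICE_KEY = b"constructed-device-key-for-the-example"


def quote(device_key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Attestation quote: binds the current PCR value to the verifier's fresh nonce."""
    return hmac.new(device_key, nonce + pcr, hashlib.sha256).digest()


def verify_quote(device_key: bytes, expected_pcr: bytes, nonce: bytes, q: bytes) -> bool:
    """The verifier recomputes the quote over the value it expects; any change in the
    chain, or a replayed quote under a stale nonce, fails the comparison."""
    return hmac.compare_digest(quote(device_key, expected_pcr, nonce), q)


def remote_attest(components, device_key=DEVICE_KEY, expected=GOLDEN_PCR, nonce=None) -> bool:
    """One challenge/response round: verifier sends nonce, device boots and quotes."""
    if nonce is None:
        nonce = os.urandom(16)
    pcr = boot(components)
    return verify_quote(device_key, expected, nonce, quote(device_key, pcr, nonce))


if __name__ == "__main__":
    print("good chain attests:    ", remote_attest(GOOD_CHAIN))      # True
    print("tampered chain attests:", remote_attest(TAMPERED_CHAIN))  # False
    print("order matters:", boot([b"a", b"b"]) != boot([b"b", b"a"]))  # True
```

The point a practitioner should take from the model is that the chain is only as good as its first measurer and its reference values: the verifier needs a trustworthy golden value for every approved image, and a component that is never measured (or measured after it already ran) contributes nothing to the register.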

Safer online transactions, trusted corporate networking

OpenTC developed several proof-of-concept applications for the technology. In one, called private electronic transaction (PET), the team showed how it can verify and secure online transactions, such as accessing a bank account. In another, they showed how TC compartments can provide secure remote access to corporate networks, both keeping company information safe on an employee’s home PC and ensuring that the employee’s personal information, photos and games are not visible to their employer.

The ability of TC technology to keep data and processes safely isolated from each other can be extended to enable virtual data centres. As demonstrated by IBM in the OpenTC project, TC software could be used by data centre operators to provide virtualised resources to different clients while sharing the underlying physical infrastructure, thereby ensuring different companies’ data remain separate and secure.

The logical next step, which members of the OpenTC consortium plan to explore in a new project, is to extend TC to cloud computing to enhance the security of services and computational resources provided over the internet. Another project, TECOM, a follow-up initiative to OpenTC that has also received EU funding, will aim to develop TC solutions for embedded platforms, focusing particularly on smart phones and mobile computing applications.

Several of the project partners are commercially exploiting the results of the OpenTC project internally. Petautschnig says they are also open to investor interest to support further development of TC technology. Consortium members are also active in standardisation efforts, helping to extend trusted computing to mobile platforms and the Java programming language, for example.

Despite controversy, a bright future

In the past, TC technology has stirred controversy, not least over its potential for abuse by software and hardware makers to restrict what computer users can do and its applications for digital rights management. However, Petautschnig believes the future for trusted computing systems is bright as the technology starts to be seen as an essential tool in the fight against an intensifying onslaught of hack attacks, viruses and spyware bombarding the world’s computer users.

“Most people will not know that TC components are running on their computers keeping them safe. Conversely, at present most do not know what information is being leaked and stolen by spyware and viruses running on their machines,” Petautschnig notes.

OpenTC project
OpenTC fact sheet on CORDIS

From: Cordis – ICT Results

Securing the web

A new MIT programming tool would automatically plug holes that hackers exploit.
Larry Hardesty, MIT News Office

More and more, malicious hackers are exploiting web site security holes to attack their victims’ computers. Programmers try to identify those holes in advance and plug them with code that performs security checks; but if they find a hundred holes and miss one, their programs are still insecure. At next week’s ACM Symposium on Operating Systems Principles, however, MIT researchers will present a new system called Resin, which automatically calls up security checks whenever they’re required, even in unforeseen circumstances.

Typically, web programmers will associate security checks with particular application functions. If you belonged to a social-networking site, for instance, you might be able to e-mail your friends, or post remarks on their pages, or comment on their own posts, or tag their pictures, and so on. Each of these operations executes its own chunk of code, and the developer will usually attach a security check to each chunk, to ensure that the user is authorized to invoke it. (These types of security checks operate in the background: they don’t require you, for instance, to reenter your user name and password.) Many web applications also “sanitize” data posted by their subscribers: if a friend posts something to your social-network page, the application probably won’t show you the post without inspecting it for malicious code.

“We’ve looked at a lot of these web applications, and there’s literally hundreds of places where these checks happen,” says Nickolai Zeldovich, an assistant professor in MIT’s Computer Science and Artificial Intelligence Lab. Indeed, Zeldovich and his colleagues identified one popular web application that sanitized data in more than 1,400 places (but still had about 60 security holes).

They also, however, identified a feature that web application security checks usually had in common: “Namely,” Zeldovich says, “it’s that the same data is being handled in all these hundreds of places.”

So Zeldovich, grad students Alexander Yip and Xi Wang, and Professor Frans Kaashoek developed a system that associates security checks with particular chunks of data rather than with particular chunks of code. Any attempt to access the data, by any imaginable route, invokes the check.

The researchers modified 12 existing applications written in the popular web programming languages Python and PHP so that they used the Resin system. In experiments, the modified applications repelled attacks that exploited known security holes. But the researchers also developed their own attacks, which Resin thwarted as well.

For programmers, the new system should be easy to adopt. They’re already writing code for security checks and sanitization anyway; now, they’d have to write it only once, instead of pasting it into their programs in hundreds of different places.

But the MIT system relies on additional software that tracks data as they flow through an application, to make sure that security rules remain associated with the information wherever it’s being stored and however it’s being used. And the data tracker presents the biggest obstacle to commercial adoption.

Web applications need to run on any type of computer, regardless of the operating system or web browser being used, so web languages like Python and PHP require an extra layer of software called a “runtime” to translate code into the language spoken by a given machine. Generally, the organizations that develop new programming languages also maintain the runtimes, which undergo sequential releases, just like any commercial program. The MIT system’s data tracker would have to be incorporated into several different languages’ runtimes, which could be a hard sell.

“At least in PHP, the focus tends to be on performance,” says Eddie Kohler, an assistant professor of computer science at UCLA. Resin, Kohler says, “shows that you can do it without too much of a performance loss,” but “it’s not zero; it’s not a performance gain.” Kohler points out, however, that Resin could gain traction with the runtime gatekeepers if it first proves itself in some particular, real-world instances. “A place like, maybe Facebook, say, that runs other people’s code on their servers already has an environment where they’re much more worried about people stealing data out of their servers than they are necessarily about getting the last two percent of performance,” Kohler says. “I expect that as it gets deployed, it would get deployed by individual companies first.”

Hackers Stole IDs for Attacks

By SIOBHAN GORMAN from WSJ

WASHINGTON — Russian hackers hijacked American identities and U.S. software tools and used them in an attack on Georgian government Web sites during the war between Russia and Georgia last year, according to new research to be released Monday by a nonprofit U.S. group.

In addition to refashioning common Microsoft Corp. software into a cyber-weapon, hackers collaborated on popular U.S.-based social-networking sites, including Twitter and Facebook Inc., to coordinate attacks on Georgian sites, the U.S. Cyber Consequences Unit found. While the cyberattacks on Georgia were examined shortly after the events last year, these U.S. connections weren’t previously known.

The research shows how cyber-warfare has outpaced military and international agreements, which don’t take into account the possibility of American resources and civilian technology being turned into weapons.

Identity theft, social networking, and modifying commercial software are all common means of attack, but combining them elevates the attack method to a new level, said Amit Yoran, a former cybersecurity chief at the Department of Homeland Security. “Each one of these things by itself is not all that new, but this combines them in ways we just haven’t seen before,” said Mr. Yoran, now CEO of computer-security company NetWitness Corp.

The five-day Russian-Georgian conflict in August 2008 left hundreds of people dead, crushed Georgia’s army, and left two parts of its territory on the border with Russia — Abkhazia and South Ossetia — under Russian occupation.

The cyberattacks in August 2008 significantly disrupted Georgia’s communications capabilities, disabling 20 Web sites for more than a week. Among the sites taken down last year were those of the Georgian president and defense minister, as well as the National Bank of Georgia and major news outlets.

Taking out communications systems at the onset of an attack is standard military practice, said John Bumgarner, chief technical officer at the USCCU and a former cyber-sleuth at the National Security Agency and the Central Intelligence Agency.

The USCCU assesses the economic and national-security implications of cybersecurity threats and briefs top U.S. officials, officials in key industries and international institutions.

“U.S. corporations and U.S. citizens need to understand that they can become pawns in a global cyberwar,” said Mr. Bumgarner, who wrote the report.

The White House completed a review of cybersecurity policy in April. Among the issues Obama administration officials are now studying is how laws of war and international obligations need to be reworked to account for cyberattacks.

Homeland Security department spokeswoman Amy Kudwa said she couldn’t comment on a report that she hadn’t seen and hadn’t been released yet.

Last year was the first time such cyberattacks were known to have coincided with a military campaign.

The Georgian attacks, according to the group’s findings, were perpetrated by Russian criminal groups and had no clear link to the Russian government. However, the timing of the attacks, just hours after the Russian military incursion began, suggests the Russian government may have at least indirectly coordinated with the cyberattackers, Mr. Bumgarner’s report concluded.

“Russian officials and the Russian military had nothing to do with the cyberattacks on the Georgian Web sites last year,” said Yevgeniy Khorishko, a spokesman at the Russian Embassy in Washington.

The USCCU plans to release a nine-page report on the attacks to the public on Monday.

Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information stolen from a person in France.

The 10 sites were used to coordinate the “botnet” attacks, which harnessed the power of thousands of computers around the world to disable the Georgian government sites as well as those of large Georgian banks and media outlets. The botnet attack commandeered thousands of other computers and instructed them to try to access the target Web sites all at once, overwhelming them.

The Russian and Turkish computer servers used in the attacks had been previously used by cybercriminal organizations, according to the USCCU.

Early reports last year pinned the attacks on the cyber equivalent of the Russian mafia, known as the “Russian Business Network.” Mr. Bumgarner said it wasn’t possible to connect the attacks directly to that group. Security experts disagree on whether the group still exists.

Some of the software used to carry out the attacks was a modified version of Microsoft code commonly used by network administrators to test their computer systems, Mr. Bumgarner found. The code remains freely available on Microsoft’s Web site, he said, declining to name it.

A Microsoft spokesman declined to comment on the finding because he hadn’t seen the report.

Once the botnet attacks had launched, Mr. Bumgarner said, other would-be attackers noticed them and started to collaborate on various Web forums, including Twitter and Facebook.

Mr. Bumgarner used data-mining tools to review Facebook pages (which some people don’t keep private) and Twitter for certain Russian words that indicated they were likely involved in the attack. He saw users on those sites and others swapping attack code and target lists, and encouraging others to join.

“It’s a difficult problem to handle,” said Facebook spokesman Barry Schnitt, because it is impossible to detect such collaboration without monitoring conversations. Facebook has mechanisms to verify user identities and users can report inappropriate activities on the site, he said, but it doesn’t monitor communications of its users.

Twitter didn’t respond to requests to comment.

—Jessica E. Vascellaro contributed to this article.

Write to Siobhan Gorman at siobhan.gorman@wsj.com

Researchers to Spotlight Darknets at Black Hat

By Robert Vamosi, PC World

In one of the first talks at this year’s Black Hat USA, Billy Hoffman and Matt Wood, both security researchers at HP, plan to demonstrate a darknet designed to run entirely within a browser.

Darknets, which allow decentralized, private peer-to-peer communications between clients, are not new; they are currently used in academic environments to share data among researchers. WASTE are two examples of desktop darknets. But Hoffman and Wood said both require configuration beyond the average user. For the last six months, they have been simplifying the process.

What Hoffman and Wood are showing at Black Hat is Veiled, a proof-of-concept browser darknet. Using newer browsers (Internet Explorer 8, Firefox 3.5, Opera, Chrome, Safari, even the PS3 browser), all of which support JavaScript and HTML 5, Wood was able to build what previously existed only in a desktop application.

Darknets afford distinct advantages such as distributing content among all participants. Because of built-in redundancy, publishing to the darknet is resilient. Wood said if any client drops off and comes back, they’ll be able to recreate lost content. When you close your browser you are removed from the darknet. When the last member leaves, the darknet, and all its content, disappears except for a few encrypted bits in the browser.

Among the cool features of the Veiled browser is Web-in-Web, which allows darknet users to create their own private Web pages with links to content only available within the darknet itself. Darknets enjoy zero footprints and can’t be viewed by the greater Internet. For example, they would be perfect for protesters documenting an oppressive government, or students forbidden to post about teachers on FaceBook or MySpace.

“We want to lower the barriers so that people can use technology in ways never intended,” said Hoffman, who sees darknets as a freedom of expression issue as well as a creative issue. Hoffman noted how Web hosting started around 2001 with sites like GeoCities, but that it took social networks, like FaceBook, before the average person could create a Web page quickly and upload pictures relatively easily.

Given the chance, who knows how people will use darknets, said Hoffman. But don’t look for cool applications from the talk. “Matt and I aren’t smart enough to come up with cool applications.”

In fact, the two aren’t releasing Veiled or any code at Black Hat. Hoffman said they only want to share details and show what can be done. “There is some secret sauce,” Hoffman admitted, but by the end of the talk anyone with passing knowledge of Web technology should be able to walk out and create one.

Hoffman said mainstream security people are only now understanding that Web security is not a toy. “There are some serious things they should be paying attention to,” such as the fact that the Chrome browser has its own task manager. “They just don’t understand how powerful browsers are today.”

Robert Vamosi is a freelance computer security writer specializing in covering criminal hackers and malware threats.