Future attacks ??

I liked the article on some remote attacks without network!!! Interesting…….

http://www.scientificamerican.com/article.cfm?id=hackers-can-steal-from-reflections

What about analyzing your brain waives..Hah.. Funny…

Phishing Attack – An amateur example

I got an email from some amateur hacker asking me to change my bank account details.

The email was quite promising, I liked it Here is an screen shot of that from my mailbox :-

After i clicked th URL, the layout was good but the URL that was visible on address bar is really bad, I mean really amateur

Here is a screen shot of that. I have marked the mistakes

BIOS attack & cryptography

i liked the article on BIOS attack :- http://searchsecurity.techtarget.com.au/articles/33210-BIOS-can-become-a-source-of-malware.

The author sited two examples/ mechanism to prevent such attacks:

1) Non-writable BIOS, well it was before, but not user freindly.

2) Trusted Platform Module. This based on cryptographic verification and very secure. But there is problem of certificate expiration of public key cryptography. With current standard a certificate can be valid upto 2-3 years max and you can’t throw your PC after that period if you do not update your certificate store. Now that becomes more or you can say very complicated process. Atleast not so user friendly.

Firefox & Java Plugin problem

There is a very good note on plugins and firefox setup. The problem occurs sometimes,

if you install a new JRE after your firefox installation on LInux. Here is the Link :

http://plugindoc.mozdev.org/linux.html

Hitghlighted the Java Plugin & Firefox

Install Java Runtime Environment.

Make a symbolic link to libjavaplugin_oji.so in your Mozilla Plugins directory.

Use the copy located in the plugin/i386/ns7 directory of JRE 5.0 or later, or plugin/i386/ns610-gcc32 if you are using JRE 1.4.2

Virtualization Security Issues — Adding an sticky Firewall

It might be a good idea to  add a firewall to each of your VMs to protect the whole system. The “Whole System” is of concern becuase one compromise VM can become a hacker’s playground and will be used it attack other VMs in it’s boundary. But there is an; LATENCY, software switches makes the latency more and the firewall (software) will add to it. The presentation from ALTOR networks looks promising for ALTOR VF.

Good Cartoons on Science & Environment

I am not a big fan of cartoon but i appreciate the work on Cartoon Cosmos. Realy thoughtfull and well presented. Good work Mr Sumanta Baruah.

Unintentional Attacks

I have been observing a quite simple but very interesting attack these days and that is based on the popularity of the Web Service. Though is it similar to this definition but it has a  clear distintion from the previous one.

Consider about the enormou popular Web Servers like – yahoo, google, ….etc.  Now consider about all the Developer, system testers, testers, network troubleshooter, network tester and so on…

What is the first thing you do when your server is not respondig? This what:

1. Ping (includes all kind) google or yahoo or … any web server that you remember or you trust or is popular
2. then so on.. other methods

I am not claiming that this same to everyone of us but it is somewhat common. Now, immediate question will be; How to get rid of such attack? Ans: It is really great to have such honor.

World Wide Grid???

World Wide Web — ??? Some Buzz words

——————–

Semantic — Ontology

——————–

Internet –HTTP

———————

Communication Protocols – TCP/IP

========================

Come on it is too much !!! The length is increasing vertically on top same old infrastructure. I feel we need to stop and make some foundation changes..

http://schneider.blogspot.com/wwg.htm

http://tech.slashdot.org/article.pl?sid=08/11/19/2335219

http://schneider.blogspot.com/wwg.htm

Hardware Security module / Crypto Accelerator

I think this is a very interesting topic, I have just started to learn this, But as I am going through this I have found couple of links as well as documents which are really interesting. These articles talk about openssl, Hardware Security module, SSL Accelerator and information about provider companies

1. Blog post : http://jadickinson.co.uk/2007/11/02/using-hardware-security-modules/
2. Article on HSM, http://nlnetlabs.nl/downloads/publications/hsm/hsm.pdf
3. Wiki http://en.wikipedia.org/wiki/SSL_acceleration
4. Wiki http://en.wikipedia.org/wiki/Hardware_Security_Module
5. SSL programming tutorial http://h71000.www7.hp.com/doc/83final/BA554_90007/ch04s03.html
6. VIA PadLock support for Linux http://www.logix.cz/michal/devel/padlock/
7. Something from safenet http://www.safenet-inc.com/products/pki/psGold_API.asp

I will write about my findings, An how to do , Short cut of course. But let me look in to it more carefully. Thanks to Jad.

Communication Security for DSSP

I was not able to find any communication or message security related documents for Microsoft’s DSSP (Decentralized Software Services Protocol). The current DSS defines a fine grain application security model / access control mechanism to restrict service consumtion and it has been improved from the last MSRS 1.5 version.

As per I know (From the available documents on the Web), the current implementation of DSSP always uses SOAP as a message tunneling mechanism. That means either it may be binary TCP or HTTP, it is always SOAP. The following two diagrams helps to visualize the scenario.

DSSP HTTP Binding

DSSP TCP Binding

Well, it uses SOAP and also defines the transport on top of HTTP or TCP. So, the security mechanisms comes to mind are HTTPS, WS-Security or if you do not want to touch the DSSP communication stack then it is IPsec.

Since MS defines DSSP for Robots or Control systems, so HTTPS may be the last choice as device with low resource are not well suited with https. As one of advantage of DSSP is to provide a decentralized and distributed system so WS-Security would be a very good choice since it provides end-to-end security instead point-to-point security like https.The following diagram shows the new stack with WS-Security.

In WS-Security, Message integrity is provided by XML Signature and Message confidentiality leverages XML Encryption. Both these techniques has numbers of advantages other than TLS or SSL or even IPsec style of Security.  Also “Specifically, the WS-Security profile specifications describes how to encode Username Tokens, X.509 Tokens, SAML Tokens , REL Tokens and Kerberos Tokens as well as how to include opaque encrypted keys as a sample of different binary token types.“

So, if the security for the SOAP messages exchanged during DSSP service request and response are provided by WS-Security, it will be very strong as well as end-to-end security mechanism.  The existing username/pasword security policy of DSS can be combined with WS-Security and also with WS-SecureConversation to have secure session. However attaching with Kerberos will be a better option as it guarantees better network security to overcome those entropy related attacks in username/password cases.