April 2006
April 28, 2006
Just One Click Away....
According to a Spyware Quiz conducted by McAfee SiteAdvisor, 97 percent of Internet users are just one click away from infecting their PCs with spyware, adware, or some other kind of unwanted software.
Even though the threat of spyware has received extensive media coverage, just 3 percent of the 14,000-plus consumers who took SiteAdvisor's spyware quiz received perfect scores.
The survey challenged Web surfers to test their ability to detect which sites in a number of popular categories were free of adware or spyware. The examples in the quiz are taken from more than 3 million Web sites which SiteAdvisor has independently tested and rated for Web safety issues like spyware and spam. The first part of the quiz presented users with pairs of sites and asked them to pick which one of the pair was safe. The second part presented a series of file sharing software sites and asked which ones were spyware and adware free. The test has been available since March.
Among the survey's conclusions:
- Based on their choices, most users (65 percent) would have been infected with adware or spyware many times over.
- The presence of national advertisers and a clean, uncluttered design seem to trick respondents into thinking a site is safe.
- Even users with a high "Spyware IQ" have a nearly 100 percent chance of visiting a dangerous site during 30 days of typical online searching and browsing activity.
- Users often miss the fine print that allows a dangerous Web site to claim it installs unwanted software legally.
Sites were selected from popular categories (screensavers, smileys, free games, song lyrics, and file-sharing applications), all of which are also notorious for distributing spyware, adware and other unwanted programs. The quiz was specifically designed to determine how adept users are at visually detecting the potential for intrusive downloads on a site. Quiz takers did particularly poorly on the pair of lyrics sites. One possible reason: the unsafe site had advertising from well-known brands like Circuit City and Monster.com that may have served to legitimize it.
Posted by Jon Erickson at 08:11 AM
April 27, 2006
Feds Release Security R&D Plan
The National Science and Technology Council has released its "Federal Plan for Cyber Security and Information Assurance Research and Development."
The report sets out a framework for multi-agency coordination of federal R&D investments in technologies that can better secure the interconnected computing systems, networks, and information that together make up the U.S. IT infrastructure.
The report outlines strategic objectives for coordinated federal R&D in cyber security and information assurance, presents a broad range of R&D technical topics, and identifies those topics that are multiagency technical and funding priorities. The report's findings and recommendations address R&D priority-setting, coordination, fundamental R&D, emerging technologies, roadmapping, and metrics. Together with commentaries about the R&D technical topics that describe their significance, the current state of the art, and gaps in current capabilities, these elements are intended to provide a baseline for implementing the report's recommendations.
More specifically, the report addresses, among other topics:
- Technology trends, ranging from increasing complexity to wireless connectivity.
- Types of vulnerabilities, threats, and risks, including supply chain attacks, outsourcing, and industrial espionage.
- Top technical and funding priorities, including authentication, authorization, and trust management; access control; attack protection; and software testing and assessment tools.
Posted by Jon Erickson at 10:12 AM
April 20, 2006
SecureBlue: Crypto-on-a-Chip
IBM Research has announced a technology it claims is designed to increase the security of consumer products, medical devices, defense systems, and digital media. Codenamed "SecureBlue", the technology is a security architecture built into microprocessors. It protects the security of microprocessors as well as the security of an entire microprocessor-based device. Because it is based on secure hardware rather than software techniques, SecureBlue provides strong protection for secrets and strong defenses against reverse-engineering and tampering. SecureBlue can be used to protect the confidentiality of all the information on a device including documents, presentations, and software as well as the keys that are used for communications security or digital signatures.
Cryptography-based protection against unauthorized access is a security feature normally reserved for high-end computers, where it makes it difficult for intruders to break into or corrupt electronic systems. By providing an overlaying on-chip security layer, SecureBlue removes a barrier to the widespread use of strong crypto-based protection. Encryption should be applied wherever data exists at any given time, whether it is being processed, stored, or transmitted over a network; traditionally, however, its use outside the datacenter has been costly and impractical because constantly encrypting and decrypting data requires a great deal of processing power.
Posted by Jon Erickson at 04:45 PM
April 19, 2006
Quantum Cryptography: One Step at a Time
The National Institute of Standards and Technology (NIST) has taken a step towards using conventional high-speed networks such as broadband Internet and LANs to transmit ultra-secure video, with the encryption keys supplied by quantum key distribution (QKD). QKD uses single photons in different orientations to produce a continuous binary code ("key") for encrypting data. Anyone intercepting the key is detected, thus providing highly secure key exchange. The system produced this "raw" key at a rate of more than 4 million bits per second (4 million bps) over 1 kilometer (km) of optical fiber with an error rate of 3.6 percent. NIST had previously encrypted, transmitted, and decrypted Web-quality streaming video using secret keys generated at 1 million bps in a 1-km fiber QKD system that used a different quantum encoding method.
Applications for high-speed QKD might include distribution of sensitive remote video, such as satellite imagery, or commercially valuable material such as intellectual property, or confidential healthcare and financial data. In addition, high-volume secure communications are needed for military operations to service large numbers of users simultaneously and provide multimedia capabilities as well as database access.
Conventional encryption is typically based on mathematical complexity and may be broken given sufficiently powerful computers and enough time. In contrast, QKD produces encryption codes based on the quantum states of individual photons and is considered "verifiably secure." Under the principles of quantum physics, measuring a photon's quantum state destroys that state. QKD systems are specifically designed so that eavesdropping causes detectable changes in the system.
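To make concrete how interception becomes detectable, here is an added Python simulation (not NIST's code; the post does not name the encoding, so a BB84-style polarization scheme and an intercept-resend interceptor are assumed) that sifts a raw key and measures its error rate with and without an interceptor on the fiber.

```python
import random

# Constructed classical simulation of polarization-based QKD (BB84-style),
# added as an illustration; it is not NIST's system. Basis 0/1 stands for the
# two photon orientations (e.g. rectilinear/diagonal); the key bit is carried
# by the polarization within the chosen basis.

QBER_ABORT = 0.11  # commonly cited BB84 error-rate bound; above it the key is discarded


def measure(bit, send_basis, meas_basis, rng):
    """Classical stand-in for measuring one photon.

    Same basis: the encoded bit is read correctly. Different basis: the outcome
    is random and the original polarization is destroyed, which is the physical
    fact the post relies on."""
    if send_basis == meas_basis:
        return bit
    return rng.randint(0, 1)


def exchange(n, eavesdrop, seed=0):
    """Send n photons; return (sifted_key_length, qber, key_accepted)."""
    rng = random.Random(seed)
    a_bits = [rng.randint(0, 1) for _ in range(n)]
    a_bases = [rng.randint(0, 1) for _ in range(n)]
    b_bases = [rng.randint(0, 1) for _ in range(n)]
    b_bits = []
    for bit, ab, bb in zip(a_bits, a_bases, b_bases):
        if eavesdrop:
            # Intercept-resend: the interceptor measures in a guessed basis and
            # re-emits a photon in that basis. Half the time the guess is wrong
            # and the photon Bob receives no longer carries Alice's state.
            eb = rng.randint(0, 1)
            bit, ab = measure(bit, ab, eb, rng), eb
        b_bits.append(measure(bit, ab, bb, rng))
    # Sifting: Alice and Bob publicly announce bases (never bits) and keep only
    # the positions where their bases matched.
    sifted = [(a, b) for a, b, ab, bb in zip(a_bits, b_bits, a_bases, b_bases)
              if ab == bb]
    # Error estimation: real systems compare a sample; the whole sifted key is
    # compared here so the effect is visible.
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted)
    return len(sifted), qber, qber <= QBER_ABORT


if __name__ == "__main__":
    for eve in (False, True):
        length, qber, ok = exchange(4000, eavesdrop=eve)
        print(f"interceptor={eve}: sifted={length} QBER={qber:.3f} accept={ok}")
```

Without an interceptor the sifted key is error-free; with one, roughly a quarter of the sifted bits disagree, far above the abort threshold, so the parties discard the key instead of using it.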
Posted by Jon Erickson at 09:53 AM
April 17, 2006
Secure Software Conference Announced
CERT is sponsoring the "Secure Software Architecture, Design, Implementation and Assurance Minitrack" at this year's Hawaii International Conference on System Sciences which will convene January 3-6, 2007. A call for papers has been announced. The deadline for submitting papers is June 15, 2006.
The "Secure Software Architecture, Design, Implementation and Assurance Minitrack," which is part of the "Software Technology Track", focuses on the research and automation required to develop secure software systems that do not compromise other system properties such as performance or reliability. Current security engineering methods are demonstrably inadequate, as software vulnerabilities are currently being discovered at the rate of over 4000 per year. These vulnerabilities are caused by software designs and implementations that do not adequately protect systems and by development practices that do not focus sufficiently on eliminating implementation defects that result in security flaws. An opportunity exists for systematic improvement that can lead to secure software architectures, designs, and implementations.
Posted by Jon Erickson at 11:07 AM
April 12, 2006
The Hard Disk Is Connected To the Printer Software
Hewlett-Packard has acknowledged that software used to control two of its color printers could be exploited by attackers to remotely steal files from Windows PCs. As reported on TechWeb, the bug, which Danish vulnerability tracker Secunia dubbed "less critical," affects the Toolbox software included with the Color LaserJet 2500 and Color LaserJet 4600. In its default configuration, the Toolbox--which lets users remotely monitor the status of a connected printer--could allow an attacker to hack into computers, then read any file on the hard disk.
According to TechWeb's Gregg Keizer, HP's advisory links to an update to the Toolbox that patches the bug.
"A vulnerability like this opens the door for hackers to spy on your sensitive information," said Graham Cluley, a senior technology consultant at U.K. security company Sophos. "Users running the affected software should upgrade as soon as possible."
Many of HP's business-class printers come with similar software--which installs an HTTP server on the connected PC--for remotely changing printer settings, receiving alerts (such as paper jams), and monitoring the amount of remaining toner.
Posted by Jon Erickson at 11:14 PM