EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

February 2007


February 26, 2007

Hugh Provides the Details


A month or so ago, I posted a note about how much fun it is to be on an airplane with Hugh Thompson.

Like I said at the time, some people collect stamps. Other hobbyists go fishing. Some even write computer programs for fun. Hugh's hobby is different -- he gets his kicks from crashing onboard entertainment systems on airplanes. Hugh, who is best known as a security expert and who has written articles for Dr. Dobb's including Rethinking Software Security and Red-Team Application Security Testing, does so all in the name of research, of course. This is fine, of course, unless you happen to be on the same plane.

Hugh recently provided the details on his scientific process in an article entitled How to Crash an In-flight Entertainment System. Very funny. A little scary. Enjoy.

Posted by Jon Erickson at 10:05 AM


February 13, 2007

Security at the Chip Level


IntellaSys has announced its OnSpec xSil261 controller chip with 128-bit, hardware-encrypted security for use with UDMA CompactFlash (CF) memory or IDE/ATAPI Hard Disk Drives using a USB 2.0 interface.

The xSil261's hardware-embedded encryption/decryption function, which is fully compliant with the Advanced Encryption Standard (AES), combines with two-level software authentication of passwords to prevent unauthorized access of memory content.

Commenting on the xSil261's embedded security, IntellaSys' Bryan Chin noted that any unauthorized attempt to decipher the xSil261's keys is virtually impossible as it would take 149 trillion years to determine all possibilities at an attempted recovery rate of one key per second. He attributed this extraordinary level of security to the 3.4 × 10^38 possible options the xSil261 offers to code keys.

The xSil261 can be configured to manage either a USB-to-CF or USB-to-IDE/ATA interface, but not both simultaneously. Configured for the IDE/ATA interface, the xSil261 allows two hard drives to operate as one, providing a low-cost solution for data backup. "This feature can handle up to 2 terabytes capacity, making it far more attractive when you consider the alternative of using a single high-capacity hard drive at a premium price," added Chin.

Posted by Jon Erickson at 05:33 PM


February 07, 2007

Flash File Encryption


Amayeta has released SWF Encrypt 4.0, an obfuscation tool for protecting and securing Windows-based Flash files created with Amayeta's Flash ActionScript Code.

ActionScript is a scripting language for building Adobe Flash movies and applications (SWF Files). Since there is no native protection, the contents of SWF files can be viewed using Flash Decompiler Tools. These tools break open the resources that make up a SWF file and can display the full ActionScript Source Code. SWF Encrypt 4.0 shields ActionScript from Flash Decompilers and SWF hackers by encrypting and obfuscating the SWF whilst retaining its original functionality.

"The ActionScript in a Flash Movie is its most important asset," said Jaspal Sohal, Amayeta Founder and CEO. "Companies develop software in languages such as C++ and VB and go to great lengths to protect their source code. Why should ActionScript be any different? It's the first, and possibly only, choice for developing Rich Internet Applications. Flash Developers should have a means of protecting their code and SWF Encrypt 4.0 provides that option."

"Flash Components are an integral part of Flash and the Flash Development Community," said Simon Yang, Software Architect at Amayeta. "However, they are notoriously time-consuming to develop, yet notoriously simple to decompile. With some several thousand developers making a living from building Flash Components, it's essential their work is protected."

Mac OSX Editions are currently in development and planned for Q3 2007.

Posted by Jon Erickson at 09:59 AM


February 03, 2007

Identity Fraud Down


For the time being, identity fraud appears to be on a downswing, at least according to a recent report commissioned by CheckFree, Visa, and Wells Fargo.

The study, entitled "The 2007 Identity Fraud Survey Report" and conducted by Javelin Strategy and Research, found that:

  • Identity fraud in the U.S. appears to be dropping by an estimated 12 percent over the previous year -- a total fraud reduction of $6.4 billion.
  • Fraudulent new account openings are down.

According to the report, about 500,000 fewer U.S. adults fell victim to identity fraud in 2006 than in 2005. Translated to dollars, identity fraud in this year’s report dropped by an estimated 12 percent over the previous year, from $55.7 billion to $49.3 billion.

What's behind the decline? Consumer education and awareness, and the increased use of online banking and financial sites that let us more frequently monitor our accounts.

"Thanks in part to comprehensive data protection, fraud monitoring, and consumer education, we now have more effective methods to quickly catch -- or even prevent -- fraud before it occurs by utilizing common online technologies such as electronic banking and bill payment," says Javelin’s James Van Dyke.

New account fraud dropped from 1.5 percent of all respondents in 2006 to 1 percent in 2007. Additionally, when fraudulent accounts are opened, many victims caught the fraud more quickly utilizing online channels, such as the viewing of statements, resulting in average fraud amounts dropping from more than $10,000 in 2006 to $7260 on average in 2007.

Posted by Jon Erickson at 06:51 PM


