
www.h-online.com – 11. October 2011
Researchers at Ruhr University in Bochum have succeeded in copying the key from one make of RFID card. As well as having the obvious benefit of convenience, RFID cards, which are used for access control and billing, are supposed to be very secure. But a copied card would offer attackers plenty of scope for abuse...
Source:
http://www.h-online.com/security/news/item/German-researchers-crack-RFID-cards-1359218.html
www.h-online.com – 23. May 2011
Researchers Billy Bob Brumley and Nicola Tuveri have used a "timing attack" to calculate the secret key of a TLS/SSL server which uses the Elliptic Curve DSA. The attack is based on the idea that the time required for performing a multiplication allows conclusions to be drawn about the multiplication's operands...
www.h-online.com – 23. May 2011
The OpenID Foundation has warned that flawed implementations of the Attribute Exchange (AX) OpenID extension allow potential attackers to assume other users' identities on certain web sites. Security researchers had found that some web sites which participate in OpenID don't verify whether the transmitted data has been signed. This insufficient verification reportedly allows attackers to arbitrarily manipulate the data. The Foundation didn't suggest a specific attack scenario...
Source:
http://www.h-online.com/security/news/item/Identity-theft-with-OpenID-1240030.html
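The flaw described above is, in practice, a relying party reading Attribute Exchange values out of an OpenID response without checking that those fields are covered by the provider's signature. The following Python is an added illustration, not code from the h-online article or from the OpenID Foundation; it shows a naive attribute reader beside a hardened one that only trusts AX fields listed in `openid.signed`. The two sample responses are constructed for the example (the `openid.sig` value is a placeholder), and the code assumes the response's HMAC signature has already been verified over exactly the fields named in `openid.signed`, as the OpenID 2.0 protocol requires.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample: a legitimate fetch_response where the AX fields are signed.
SAMPLE_OK = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http://axschema.org/contact/email"
    "&openid.ax.value.email=alice@example.com"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email"
    "&openid.sig=PLACEHOLDER_SIGNATURE"
)

# Constructed sample: the same signed assertion with AX fields appended afterwards.
# 'openid.signed' does not mention any ax.* field, so the signature still verifies,
# yet a naive reader would happily accept the injected e-mail address.
SAMPLE_INJECTED = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
    "&openid.sig=PLACEHOLDER_SIGNATURE"
    "&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http://axschema.org/contact/email"
    "&openid.ax.value.email=admin@example.com"
)


def parse_response(query: str) -> dict:
    """Turn the OpenID indirect response (query string) into a flat dict."""
    return dict(parse_qsl(query, keep_blank_values=True))


def find_ax_alias(params: dict):
    """The AX namespace alias is chosen by the sender; locate it via openid.ns.<alias>."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def signed_fields(params: dict) -> set:
    """Field names (without the 'openid.' prefix) that the signature covers."""
    return {f.strip() for f in params.get("openid.signed", "").split(",") if f.strip()}


def extract_ax_attributes_naive(params: dict) -> dict:
    """Flawed pattern: trust every ax.type./ax.value. pair present in the response."""
    alias = find_ax_alias(params)
    if alias is None:
        return {}
    prefix = f"openid.{alias}."
    result = {}
    for key, type_uri in params.items():
        if key.startswith(prefix + "type."):
            name = key[len(prefix + "type."):]
            value = params.get(f"{prefix}value.{name}")
            if value is not None:
                result[type_uri] = value
    return result


def extract_signed_ax_attributes(params: dict) -> dict:
    """Hardened pattern: accept an attribute only if its namespace declaration,
    type and value fields are all listed in openid.signed."""
    alias = find_ax_alias(params)
    if alias is None:
        return {}
    signed = signed_fields(params)
    # If the namespace alias itself is unsigned, an attacker could introduce it.
    if f"ns.{alias}" not in signed:
        return {}
    prefix = f"openid.{alias}."
    result = {}
    for key, type_uri in params.items():
        if key.startswith(prefix + "type."):
            name = key[len(prefix + "type."):]
            type_field = f"{alias}.type.{name}"
            value_field = f"{alias}.value.{name}"
            if type_field in signed and value_field in signed:
                value = params.get(f"openid.{value_field}")
                if value is not None:
                    result[type_uri] = value
    # Multi-valued attributes (<alias>.count.<name>) are not handled here.
    return result


if __name__ == "__main__":
    print("naive, injected:", extract_ax_attributes_naive(parse_response(SAMPLE_INJECTED)))
    print("checked, injected:", extract_signed_ax_attributes(parse_response(SAMPLE_INJECTED)))
    print("checked, legitimate:", extract_signed_ax_attributes(parse_response(SAMPLE_OK)))
```

The key design point is that `openid.signed` is the only authoritative statement of what the provider vouched for: any parameter outside that list, namespace declarations included, must be treated as untrusted input even when the signature over the listed fields is valid.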
www.h-online.com – 18. March 2011
RSA, one of the leading global manufacturers of cryptographic solutions, has apparently fallen prey to an attack in which data was stolen from its servers. According to a press release from RSA's CEO, Art Coviello, to RSA customers, part of the data included information about SecurID products, which could endanger their security.
SecurID is one of the oldest systems for two-factor authentication for safe logins on computers; most people are familiar with it as a hardware token that generates a one-time password (OTP) every 60 seconds. Worldwide, 40 million tokens are reportedly used by companies in addition to an estimated 250 million software versions on mobile devices, etc.
Some of RSA's SecurID tokens, also known as hardware authenticators.
Source: RSA.com
Coviello says the data stolen reduces the "effectiveness of a current two-factor authentication implementation", which the unknown parties could exploit in future attacks. He does not, however, say exactly which data has been lost. There is speculation that the SecurID source code or even the "seeds" may have been copied. The source code would allow the algorithm that generates OTPs to be identified; furthermore, the attackers could use the source code to look for security holes in RSA software. All of the OTPs ever generated by a token can be derived from the seeds....
www.h-online.com – 10. February 2011
An American hacker has, with a great deal of effort, managed to crack a Trusted Platform Module (TPM) by Infineon. He was able to read the data stored on the TPM chip, for instance cryptographic keys (RSA, DES) such as those also used by Microsoft's BitLocker on appropriate motherboards.
TPM hardware incorporates various levels of logical as well as physical measures designed to counter a range of attacks, such as differential electromagnetic analyses (DEMA) and even physical intrusions. Once the keys are retrieved, however, an attacker can read the encrypted data stored on a hard disk without needing a password.
Previously known as the smart card hacker, Christopher Tarnovsky of Flylogic Engineering has presented his work at the Black Hat DC security conference. He apparently managed to suss out a processor in the "SLE 66CLX360PE" family used in the TPM. For this purpose, he extracted the actual chip from the housing in his special lab using various procedures that involved liquids and gases (a video about this is available online)....
Source:
http://www.h-online.com/security/news/item/Hacker-extracts-crypto-key-from-TPM-chip-927077.html
scmagazineuk.com – 30. June 2010
Training company A4e has written to clients in Hull and Leicester following the loss of the details of over 24,000 people on a stolen laptop.
It claimed that the data lost 'did not contain any banking or credit information' and it advised that the risk of illegal use is low. The data was held on the personal computer of an A4e employee stolen in what police believe was an opportunistic domestic burglary.
This contained names, postcodes, dates of birth and any possible awards made by a court. The company is examining how its data security procedures were breached, to ensure such an incident does not occur again.
The Information Commissioner has been informed and the police investigation into the burglary is continuing....
scmagazineuk.com – 03. May 2010
How many victims? More than 20,000.
What type of personal information? Social Security numbers, dates of birth and, in some cases, health-related information.
What happened? Thieves stole the computers from the St. Jude Heritage Healthcare Clinical Management Services building.
Details: There have been no reports of stolen personal information being used illegally.
Quote: "The data that was stolen originated from private practice physicians," St. Jude Heritage Healthcare spokesman Kevin Andrus said in a statement. "St. Jude Heritage Healthcare is an administrative foundation that contracts with physicians, so that's why the data was there."...
Source:
http://www.scmagazineus.com/laptops-stolen-from-california-health-care-organization/article/169349/
InformationWeek – 05. November 2009
A vulnerability in the most common data security protocol on the Internet could allow secure Web sessions to be hijacked.
Two security researchers with PhoneFactor, a provider of phone-based two-factor authentication, on Thursday said that they had discovered a serious flaw in the SSL protocol, which is used to protect sensitive data in online transactions.
SSL, short for Secure Sockets Layer, is used for online banking and for secure e-mail and database access, among other things.
Discovered in August and disclosed by PhoneFactor researchers Marsh Ray and Steve Dispensa to a consortium of major tech industry companies and standards groups in September, the vulnerability was slated for disclosure next year, to give affected vendors time to patch their software.
But an independent security researcher discovered the vulnerability on his own and posted it to an Internet Engineering Task Force mailing list on November 4th.
The vulnerability could allow an attacker to conduct a man-in-the-middle attack, whereby he or she could hijack an authenticated SSL session and execute commands. In theory, neither the Web server nor Web browser would provide any indication that the session had been subverted.
"Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching," said Steve Dispensa, CTO of PhoneFactor, in a statement. "All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL." ...
Source:
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=221600478
SearchSecurity.com – 02. November 2009
The state of the art in static password protection policies has left some specialists questioning the usefulness of current password policies.
It's going to take new measures -- a mixture of technology and policy -- to hold users more accountable while addressing new attack methods and the automated connectivity of Web 2.0 behavior.
Traditional password protection policies, such as those described by Jeremiah Grossman, one of the industry's top researchers at WhiteHat Security Inc., can be implemented to reduce the risk of an intruder impersonating a user. However, even if the password policy works, it is often unacceptable for IT to disable accounts after a number of bad logon attempts. The business often relies on out-of-wallet questions to avoid expensive help desk calls and a security investigation.
End users are also storing passwords in their browsers for automatic logon and those passwords are often used for multiple accounts in different businesses. The result is an organization that is dependent on another organization's security program to protect a password...
Source:
http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1373531,00.html
crn.com.au – 02. November 2009
USB sticks have been found to contain a significant security flaw which could be exploited to break into millions of computers around the world, according to researchers at MWR InfoSecurity.
The UK firm claimed that the flaw could allow the creation of USB sticks that "interrogate a computer and download the contents".
The researchers added that such devices are just months away from development, and are likely to be used by malevolent and sophisticated criminals to steal the contents of entire hard drives.
"What millions of us have seen in countless James Bond and other spy thrillers around the world has now taken a step closer to being realised," said Alex Fidgen, commercial director at MWR InfoSecurity.
"The bad guy plugging a small device into the system and removing sensitive data is no longer theoretical. It is possible."
Criminals could exploit a flaw in the driver software of USB devices to take control of systems and steal information. Fidgen claimed that MWR InfoSecurity has been concerned about these security implications for some time.
"Hackers are becoming more and more sophisticated, and business is under threat. Up until now people have felt secure in the knowledge that a simple USB stick could not copy their information without their permission. We have proved that it is not the case," he said...
Source:
http://www.crn.com.au/News/159524,usb-stick-security-flaw-puts-data-at-risk.aspx