Rodney Campbell's Blog

New Cryptanalytic Results Against SHA-1

Yesterday I reported on an article claiming that SHA-1 has been cracked… Bruce Schneier says the reality is more complicated.

HDCP: beta testing DRM on the public?

When the supposedly uncrackable copy protection used on DVD was indeed cracked back in 1999, two very different messages were received. Hackers and most tech enthusiasts took the crack as yet another sign that these encryption schemes will all, ultimately, fall to the efforts of hackers. The titans of the entertainment industry received another message—a challenge, as it were, to build an even more "robust" content protection system.

In yet another example of why we’re better off without DRM, many owners of the new PlayStation 3 will find that they don’t get a picture every now and then if their playstation is hooked up to their TV via HDMI (HDMI is digital and thus the best way to hook up any digital device). So not only do you have to pay extra to have those DRM chips in your hardware, it also interferes with your ability to use the device in the manner it was supposed to be used.

List of frequently seen TCP and UDP ports and what they mean

List of frequently seen TCP and UDP ports and what they mean. The goal of this port table is to point to further resources for more information.

Computer Security – The New Wave

Many malware blockers are inadequate because they target only known intruders, but there’s hope in new security products.

The Surprising Security Threat – Your Printers

At the Black Hat conference in Las Vegas in August, O’Connor delivered a blow-by-blow presentation on how to bypass authentication, inject commands at the root level and create shell code to take over printers in Xerox Corp.’s WorkCentre line of printers.

There’s more spam now than ever before. In fact, there’s twice as much spam now as opposed to this time last year. And the messages themselves are causing more trouble. About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don’t even use e-mail. About one-third of all spam is stock spam now.

Chinese Prof Cracks SHA-1 Data Encryption Scheme

A brilliant Chinese professor has cracked her fifth encryption scheme in ten years. She and her team have taken out the SHA-1 scheme, which includes the (highly thought of) MD5 algorithm. As a result, the U.S. government and major corporations will cease using the scheme within the next few years.

Robert X. Cringely makes some interesting observations as to what Google’s up to next. He theorizes that Google is looking to create a bandwidth shortage that will drive ISP/cable/telephone customers into it’s open arms (often with the blessing of the ISP/cable/telephone company). The evidence: leasing massive amounts of network capacity, and huge data centers in rural areas (close to power-generation facilities). The shortage will only occur if the average bandwidth consumption by individual consumers skyrockets; think mainstream BitTorrent, streaming moves from NetFlix, tv episodes from iTunes, video games on demand, etc.

Rainbow table targets Word, Excel crypto

Swiss information-technology firm Objectif Sécurité announced last week that its latest pre-generated list of passwords and their hashes, known as a rainbow table, can now crack the standard encryption on Word and Excel documents in about 5 minutes on average.

The first HD DVD movie has made its way onto BitTorrent

The pirates of the world have fired another salvo in their ongoing war with copy protection schemes with the first release of the first full-resolution rip of an HD DVD movie on BitTorrent. The movie, Serenity, was made available as a .EVO file and is playable on most DVD playback software packages such as PowerDVD. The file was encoded in MPEG-4 VC-1 and the resulting file size was a hefty 19.6 GB.

DRM is not really about piracy

In a nutshell: DRM’s sole purpose is to maximize revenues by minimizing your rights so that they can sell them back to you… Like all lies, there comes a point when the gig is up; the ruse is busted. For the movie studios, it’s the moment they have to admit that it’s not the piracy that worries them, but business models which don’t squeeze every last cent out of customers.

Malware creates new challenges for anti virus vendors

Over the past few years those monitoring trends on malicious Internet activities have noticed a significant change. We are seeing a sizeable decrease in the media grabbing pandemic outbreaks of malicious software. Yet with less headlines on high risk infectors we are still seeing an increasing overall number of malware infections, it is this new breed of malware that is costing industry millions every year – yet no-one seems to know about them.

Rootkit Basics

Malicious Intrusion Techniques – A Review of Rootkits, Bots, Trojan Horses, and Remote Access Trojans (RATs) (pdf)

If a computer virus or email worm has ever infected your company, the PCs within your environment are prime candidates for further attacks. To protect your company, you should become familiar with these types of vulnerabilities, how they work, and how to detect and prevent these nuisances.

Do Away With HTML Based E-mail

Last week, Microsoft issued a patch to fix an extremely dangerous flaw in Windows that cyber crooks could use to break into your computer just by getting you to open an e-mail.

Review of 6 Rootkit Detectors

This issue became big last year when Sony released some music CDs which came with a rootkit that silently burrowed into PCs. This review looks at how you can block rootkits and protect your machine using F-Secure Backlight, IceSword, RKDetector, RootkitBuster, RootkitRevealer, and Rookit Unhooker.

Uninformed Journal Volume 6

Subverting PatchGuard Version 2; A proof of concept executable packer that does not use any custom code to unpack binaries at execution time; and Exploiting 802.11 Wireless Driver Vulnerabilities on Windows.

Hackers look to break Apple iPhone

Within hours of Apple’s iPhone launch this week, the iPhone was a hot topic on the Dailydave discussion list, a widely read forum on security research. Much of the discussion centred on the processor that Apple may have chosen to power its new device and what kind of assembly language "shellcode" might work on this chip.

Corporate Security Hole: Employees Forwarding eMail to Personal Accounts

Employees forwarding their work email to "web-accessible personal accounts" is a growing problem. When away from the corporate network accessing email from these accounts is usually faster and easier than going through the corporate remote email solution. Accessing email from these accounts is usually faster and easier than going through corporate networks. However, because email sent from these services does not pass through the corporate mail system, companies could run afoul of federal laws that require them to archive corporate email and turn it over during litigation.

RSA Finds Phishing Kit With GUI Interface

A new "do-it-yourself" phishing kit enables criminals to launch quite effective man-in-the-middle phishing attacks. The graphical user interface makes it easy for less skilled criminals to start fooling users into providing sensitive information. The tool steals the actual web page of the target institution so that the user sees a completely familiar page.

Secure Passwords Keep You Safer

Ever since Bruce Schneier wrote about the 34,000 MySpace passwords he analyzed, people have been asking how to choose secure passwords.

Internet Security Trends for 2007

The year 2006 was extremely active for messaging security. Most notably, spam is back, driven by advanced image-based spam, which is 10 times more prevalent than text spam. And even though spam was in the forefront, viruses did not go away. 2006 showed a shift in virus writer’s tactics, and while the frequency and size of outbreaks decreased, the sophistication and maliciousness of these outbreaks increased. While the industry continued to fight spam and viruses, spyware, and malware also flourished in 2006, with two major tactical shifts during the year. The result? A busy year for internet security and predictions for an even busier 2007.

Security, privacy and DRM: My wishes for 2007

Scott Granneman (Security Focus) sets out his stall.

Decryption Keys For HD-DVD Found, Confirmed

If you had any doubts about the validity of BackupHDDVD – the time for doubts has come to an end today. Next stop: Blu-Ray.