February 2012 - Mark Ciampa's Blog (Security+ 4ed)

Sort by: Most Recent | Most Viewed | Most Commented

  • Limited Impact of Weak RSA Keys

    Much attention has been focused on a research paper that claims RSA encryption keys are weak. However, further analysis indicates that the number of weak keys is small, that it's limited to embedded network devices, that it does not affect digital certificates, and it's all due to improper implementation and not to weaknesses in the cryptography algorithm itself. The asymmetric algorithm RSA {Chapter 11 Security+ 4ed} was published in 1977 and patented by MIT in 1983. The RSA algorithm is the most common asymmetric cryptography algorithm and is the basis for several products. The RSA algorithm begins with a random number generator creating two large prime numbers (a prime number is a number divisible only by itself and 1), which is then followed by several additional steps. A paper was published two weeks ago (Feb 14 2011) that examined over 7 RSA million keys. The researchers found that 27,000 (or 0.03%) of them were improperly generated and offered “no security at all”...

  • Mountain Lion's Gatekeeper

    Last Thursday (Feb 16 2012) Apple surprised the tech community by announcing the next version of its Mac OS X operating system. This version, officially known as 10.8 and called Mountain Lion, follows the trend that started with version 10.7 (Lion) of migrating features from its mobile iOS operating system (which runs on iPad and iPhones) to Mac desktops and laptops. The public release of Mountain Lion is scheduled for late summer 2012. One of Mountain Lion’s security features is called Gateway, and has its roots in iOS. The Apple iOS performs a validity check on each application (app) before it runs in order to verify that the app is from a trusted source and has not been modified. That’s good. However, this validity check also has some app developers upset. The only trusted source that iOS accepts is the Apple iOS App Store. Unless Apple has approved your app so it can be listed on the iOS App Store, it will never run on an Apple iOS mobile device. A variation of this validity...
    Filed under: , ,

  • FCC to ISPs: You Protect Us

    For several years now there has been talk that Internet Service Providers (ISPs) should protect their subscribers by monitoring their computers for suspicious network behavior and then take action. An example would be when a subscriber's computer has been turned into a zombie {Chapter 2 Security+ 4ed} and is sending out massive amounts of spam the ISP could quarantine the computer. The customer could be identified by the ISP and made aware of a potential problem (see Oct 18 2010 blog posting). Yesterday (Feb 22 2012) the chairman of the U.S. Federal Communications Commission (FCC) said again that the ISPs need to protect us. The chairman called on ISPs to monitor their subscribers to identify those whose computers are part of a botnet. He also called on the ISPs to develop a code of conduct to combat botnets, to adopt secure routing standards to protect against Internet Protocol hijacking and to implement DNSSEC {Chapter 7 Security+ 4ed}. These were all priorities recently identified...

  • Global Blackout? Probably Not

    The group Anonymous, well-known for the attacks that they have launched over the past year against those who do not support their viewpoints (see May 11 2011, Jun 28 2011, Jan 23 2012 and Jan 26 2012 blog postings), have announced yet another attack. Called Operation Global Blackout, this attack will, in their words, “shut down the Internet” on March 31. However, there probably are too many safeguards for this to happen. The Domain Name System (DNS) {Chapter 3 Security+ 4ed} is at the core of TCP/IP and the Internet. It resolves Website names (such as www.cengage.com) to their corresponding IP address (69.32.173.79). Built on a hierarchical system, there are 13 authoritative DNS root nameservers (see http://www.root-servers.org/). These servers contain the master list of where other DNS nameservers can look up an IP address for a domain name within a certain top-level domain such as ".com." Anonymous plans to perform a distributed denial of service or DDoS {Chapter...
    Filed under: , ,

  • Facebook Timeline Security

    Recently a colleague forwarded to me an e-mail she received through Facebook: From: Mark Zuckerberg [mailto:tlelejkomxck@hotmail.com] Subject: Attention Facebook User Hi Friend, My name is Mark Zuckerberg, Ceo of Facebook. We have recently partnered up with Apple mackintosh regarding a one-time promotional event today, we are giving away complimentary Apple iPhones and iPads to randomly selected individuals who have been fortunate to be picked as one of our most recent winners for today. We randomly selected users from our systems database and you have matched with our latest drawing. We have partnered up with Apple to advertise their most popular product yet, the Apple iPhone and iPad. Once yet again, we are operating this promotion for one-day only. All you need to do is CLICK HERE to check out our site made for this promotion and fill out this short survey to recieve yours for free. Simply make sure you enter your email so we may locate our records to make certain that we have reserved...
    Filed under: , ,

  • Firefox to Revoke Spying Digital Certificates

    The news about digital certificates {Chapter 12 Security+ 4ed} just won't end this week. First there was the news that Google Chrome not longer will be using the Online Certificate Status Protocol (OCSP) to check revoked certificates online (see Feb 12 2012 blog posting). Next came news that the first baseline requirements for digital certificates is being distributed by the CA/Browser Forum (see Feb 14 2012 blog posting). Now it's Mozilla asking all certificate authorities (CAs) {Chapter 12 Security+ 4ed} to revoke digital certificates that could be used for open spying. Many companies want to inspect Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted transmissions that are based on digital certificates {Chapter 12 Security+ 4ed}. They do this to watch for any data leaks or to detect internal policy violations. So CAs can issue a digital certificate to a company allowing it in turn to issue valid certificates for any server--ANY server (as it turns out this is a...

  • First Baseline Requirements for Digital Certificates

    A digital certificate {Chapter 12 Security+ 4ed} is a technology used to associate a user’s identity to a cryptographic public key, in which the user’s public key that has been “digitally signed” by a trusted third party. This third party verifies the owner and that the public key belongs to that owner. Microsoft's Internet Explorer 9 (IE9) Application Reputation now checks files to be downloaded against a Microsoft service that tries to identify the file's contents and its digital certificate. The most common transport encryption algorithm used for digital certificates is Secure Sockets Layer (SSL), which uses a public key to encrypt data that is transferred over the SSL connection. Transport Layer Security (TLS) is a protocol that guarantees privacy and data integrity between applications communicating over the Internet. TLS is an extension of SSL, and they are often referred to as SSL/TLS. The management tools for the use of digital certificates and asymmetric...

  • Chrome Stops Checking Revoked Certificates Online

    When a digital certificate {Chapter 12 Security+ 4ed} is issued by a Certificate Authority (CA) it is usually valid for one year, and sometimes longer. To protect against a situation where a site may lose control of its key, that certificate would need to be revoked. Currently there are two ways for a Web browser to check on the current status of a certificate. The first is using a certificate revocation list or CRL {Chapter 12 Security+ 4ed}. A CRL is essentially a list of certificate serial numbers that have been revoked and are downloaded to the Web browser. The second method is Online Certificate Status Protocol (OCSP). OCSP is called a request-response protocol. The browser sends the certificate's information to a trusted entity known as an OCSP Responder. The OCSP Responder then provides immediate revocation information on that one specific certificate. Up until now all modern Web browsers (Internet Explorer 7+, Firefox, Safari on Mac OS X, some versions of Opera 8+, and Google...

  • Secure Your Wireless or Be Liable

    Why should you keep your wireless network secure? There are several reasons: to prevent snoopers from getting into any folder set with file sharing enabled. To deny attackers from seeing everything you're doing online by reading your wireless transmissions. To stop someone from accessing your network behind the firewall so they can inject malware. These and others are excellent reasons to keep your wireless network {Chapter 8 Security+ 4ed}. Now there may be one more reason to add to the list: to keep from being held liable for what an unauthorized user does. A federal lawsuit was recently filed in Massachusetts by a producer of videos. The producer has accused over 50 people in Massachusetts of using BitTorrent {Chapter 14 Security+ 4ed} to illegally download and share a movie. The illegal downloads were traced to IP addresses belonging to both named individuals and to several unknown persons ("John Does"). The complaint alleges that each of the defendants was directly responsible...

  • Browser Check

    Web browser vulnerabilities {Chapter 3 Security+ 4ed} or those in a plug-in are a key attack target. A new tool can help defend against these attacks by checking the health status of your Web browser. The Qualys BrowserCheck will perform a scan and not only tell you if it uncovers a vulnerability in the browser or a plug-in, but it also has a one-click button by which you can fix the problem, such as downloading an updated version of Adobe Flash. It can be run online or by downloading a plug-in. Qualys BrowserCheck is at https://browsercheck.qualys.com/. Stay secure! http://www.cengage.com/community/infosec
    Filed under: