This is a 1 million USD settlement in a consumer fraud case against the online video gaming company E-Sports Entertainment, LLC. On top of its online gaming business, the company found it quite profitable to use its customers' PCs to mine Bitcoins and to monitor the customers' use of their PCs even when they were not running E-Sports's program.
Category Archives: Security
Diverting and Tampering with Internet Traffic
This is really disturbing news. Renesys has announced that this year there have been many cases of traffic redirection via BGP which look suspicious, to say the least.
Without going into the details of how BGP works, it suffices to say that BGP is (together with DNS) the core infrastructure protocol that makes the global Internet work. BGP is used to build traffic routes so that data can flow from one network to another. Each Internet provider (ISP) uses BGP to announce its own networks to the other ISPs and to learn where, and through whom, to send data to other destinations.
It is well known that BGP has some weaknesses, in particular because it trusts that no ISP will try to cheat. Indeed, in some situations it is possible for an ISP to announce the networks of another ISP and manage to receive all the traffic for those networks. In this way it could be possible to divert the traffic, read it (if it is not encrypted) and tamper with it.
From the Renesys blog entry it seems that this has actually happened this year, and that those involved claimed the incidents were due to "bugs" in some "vendor BGP software" and that there were no malicious intentions. Let's just hope that this is true and that ways to prevent this from happening again will be introduced soon.
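As an added example (not code from the Renesys post or from this blog), here is a small Python check that a network operator could run over its own BGP feed to flag the two situations described above: a prefix originated by an AS other than the expected one, and a more-specific prefix carved out of a known one by another AS. The prefixes, AS numbers and announcements are constructed sample data from the documentation ranges.

```python
"""Flag BGP announcements whose origin AS does not match an expected-origin table.

Constructed example: the prefix table and announcements below are sample data,
not real routes. In practice the expected origins would come from RPKI ROAs or
the operator's own records.
"""
import ipaddress
from typing import NamedTuple


class Announcement(NamedTuple):
    prefix: str      # announced CIDR prefix
    origin_as: int   # last AS in the AS_PATH, i.e. the claimed originator


# Constructed ground truth: which AS is authorised to originate each prefix.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}


def check_announcement(ann: Announcement, expected=EXPECTED_ORIGINS) -> str:
    """Return 'valid', 'origin-mismatch', 'more-specific' or 'unknown'."""
    net = ipaddress.ip_network(ann.prefix)
    for known, asn in expected.items():
        known_net = ipaddress.ip_network(known)
        if net == known_net:
            # Exact prefix: only the expected AS may originate it.
            return "valid" if ann.origin_as == asn else "origin-mismatch"
        # A more-specific prefix wins longest-prefix matching, so a /25 carved
        # out of a known /24 by another AS pulls that half of the traffic away.
        if net.subnet_of(known_net):
            return "valid" if ann.origin_as == asn else "more-specific"
    return "unknown"


def audit(announcements):
    """Return (prefix, origin_as, verdict) for every announcement that is not valid."""
    findings = []
    for ann in announcements:
        verdict = check_announcement(ann)
        if verdict != "valid":
            findings.append((ann.prefix, ann.origin_as, verdict))
    return findings


if __name__ == "__main__":
    sample = [Announcement("203.0.113.0/24", 64500),     # legitimate
              Announcement("203.0.113.0/24", 64666),     # foreign origin
              Announcement("203.0.113.128/25", 64666)]   # more-specific hijack
    for finding in audit(sample):
        print(finding)
```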
A new way of authenticating yourself
We all know very well that username+password is a very weak form of authentication. Unfortunately, alternative methods that are both universal and more secure are not available.
Some researchers (see here for example) are proposing to use our mobile phones as pencils to draw our signature in the air and to use this movement as our password. This approach has many interesting characteristics, from the hardware it relies on to the movement itself, which can be extremely difficult to replicate, much more so than a fingerprint, and a few drawbacks, like the obvious need for space to do it.
There is already an app for Android that you can download here. In any case, more research is needed, in particular a full evaluation of the security properties of this almost biometric authentication method.
Interesting Linux backdoor
Symantec has released here information about a new kind of Linux backdoor found on compromised Linux servers.
The most interesting point is that it communicates by injecting data into normal SSH traffic, without opening new network ports or adding new daemons to the process list.
It would be interesting to learn more about it.
Good-bye RC4 and SHA-1
In the wake of what has recently happened, we are going to get tighter security, starting from a more widespread use of cryptography and a more careful review of cryptographic algorithms and protocols.
For the moment we should say good-bye to RC4 and SHA-1, see here for example.
ENISA Publishes Guidelines on the Use of Cryptography
ENISA has just published a report with recommendations on the use of cryptographic algorithms, key sizes and parameters.
Crypto elements are classified into primitives, schemes, protocols and key sizes, and for each of them it is stated whether it is:
- Legacy, not adequate, to be replaced immediately
- Legacy, adequate but with better existing alternatives
- Future proof and expected to remain secure for 10 to 50 years.
Following the NSA saga and the state of uncertainty we are living in right now, this is a must read.
Happy Birthday Morris Worm
The Morris worm was released 25 years ago. I was there… time flies!
Social Engineering, Password Reset and DNS Hijack
The DNS provider Web.com has been subject to a social engineering attack which allowed a pro-Palestine hacking gang to reset the passwords of a few important customers and use the new passwords to change the resolution of their domain names to other sites. See for example here for a description of the attack.
Again and again, as of today the technical side does not look to be the weak side of ICT security. In particular, cryptography is sound and reliable, and many technical ICT security products deliver what they promise.
On the other side, username + password show once again how inappropriate they are to support our current security needs. But what can we use instead?
The general problem lies mostly in our ability to make a system "secure" by including logical, physical and procedural measures that give 360-degree protection. Indeed, the security level of a system is that of its weakest point, which for most systems means that they are really insecure.
Physical Security and ATM withdrawals
Lax physical security means access to the hardware and the possibility of installing and running whatever you want. This is just what happened to some ATMs in Mexico, see for example here.
It is just a reminder that logical security alone does not work. You always have to start from the hardware on which your software runs and take a comprehensive, i.e. "holistic", approach to security.
Device fingerprinting and user tracking
A recent study by KU Leuven-iMinds researchers points out that device and web browser fingerprinting is on the rise, in spite of all the efforts to limit it, like the introduction of the "Do Not Track" HTTP header.
This does not surprise me, since advertising and marketing are usually at odds with privacy, and most people do not really understand the meaning and breadth of the information that can be collected by tracking users on the Internet.
On the other side, device fingerprinting is a very useful tool for the ICT security of web transactions: knowing which device is making the transaction and which user it is (usually) associated with, together with the geolocation of IP addresses and other information, can make the difference between a valid transaction and an attempted fraud.
In the end, the most important issue is by whom and how a tool is used, and this holds true in particular for security tools: a gun in the hand of a policeman should be used to a good end, but the same gun in the hand of a thief should be illegal.