Working in IT security, I receive and get to read a lot of security-related articles. I will list here a summary of the ones I found the most interesting; the idea is to try publishing this list on a weekly basis… not sure I will always have the time to do so, which is why the subject of these posts will be numbered. We start with week #1:
– Safari Vulnerability
An auto-fill vulnerability in the Safari browser which allows attackers to obtain information from your personal contact details.
Reading the comments on that article, it is not clear whether this could also affect other WebKit-based browsers such as Chrome.
It may be best practice anyway to disable the auto-fill option in any browser you are using.
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html
– New GSM-cracking software release… the call of Kraken!
A piece of software called Kraken has recently been released and claims to crack the A5/1 encryption algorithm used by some GSM networks. Although this algorithm had been subject to attacks before, this is a new and very efficient method. According to that article, the GSM network is also the fall-back network for the 3G network, thus possibly exposing the security of 3G users too (but not of the 3G network per se)!
http://www.networkworld.com/news/2010/072210-new-kraken-gsm-cracking-software-is.html
– Simple and safe password
A recent Microsoft research paper describes a new password policy scheme using simple but safe passwords. Instead of enforcing a complex password policy, the policy is based on password popularity… if a password is too popular it becomes a forbidden password.
Now I can see two requirements for this to work: a) (as mentioned in the article) a large user base and b) (not mentioned in the article) for the system to have access to users’ clear-text passwords, or for a single “salt” common to all users to be used in the hash algorithm… not sure it would be a good thing!
The idea is that if none of the passwords in use are “popular”, then it matters much less whether they are complex, as they would not be part of the “popular” passwords list. This, however, would not protect you against a brute-force attack!
Anyway, this is a refreshing take on a very old IT security issue…
http://msmvps.com/blogs/donna/archive/2010/07/21/passwords-that-are-simple-and-safe.aspx
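As an added illustration (this is not code from the article or from the Microsoft research), here is one way such a popularity-based policy could be enforced. It assumes a count-min sketch of password counts keyed with a single server-side secret shared by all users, which is exactly requirement b) above: with a per-user salt the same password would hash differently for every account and could never be counted as "popular". The secret, the threshold and the sample passwords are constructed for the example.

```python
import hashlib
import hmac

# Assumption: one server-wide secret for every user (not a per-user salt),
# so the same password from different accounts lands in the same counters.
SERVER_SECRET = b"constructed-secret-do-not-reuse"


class PopularityPolicy:
    """Reject a password once too many other accounts already use it.

    Counts live in a count-min sketch: a few rows of counters indexed by
    independent keyed hashes. The server never keeps a list of
    (password -> count) pairs, only approximate counters.
    """

    def __init__(self, width: int = 1 << 16, depth: int = 4, max_count: int = 3):
        self.width = width
        self.depth = depth
        self.max_count = max_count          # seen this often => "popular", forbidden
        self.table = [[0] * width for _ in range(depth)]

    def _indexes(self, password: str):
        # One keyed hash per row; the row number is mixed in so the rows
        # behave like independent hash functions.
        for row in range(self.depth):
            digest = hmac.new(SERVER_SECRET, f"{row}:{password}".encode(),
                              hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def count(self, password: str) -> int:
        # Count-min estimate: the minimum over all rows. Collisions can only
        # inflate a counter, so the estimate never undercounts.
        return min(self.table[r][i] for r, i in self._indexes(password))

    def is_allowed(self, password: str) -> bool:
        return self.count(password) < self.max_count

    def register(self, password: str) -> bool:
        """Accept the password if it is not yet popular and record the choice."""
        if not self.is_allowed(password):
            return False
        for r, i in self._indexes(password):
            self.table[r][i] += 1
        return True


def simulate(choices, max_count: int = 3):
    """Feed a constructed sequence of user password choices through the policy.

    Returns the policy and, for each choice, whether it was accepted.
    """
    policy = PopularityPolicy(max_count=max_count)
    results = [policy.register(p) for p in choices]
    return policy, results


if __name__ == "__main__":
    # Constructed user base: five people pick the same weak password,
    # one picks a passphrase. Only the first three copies get through.
    policy, results = simulate(["password1"] * 5 + ["correct horse battery staple"])
    print(results)                       # [True, True, True, False, False, True]
    print(policy.count("password1"))     # 3
```

Note what the example does and does not give you: an attacker guessing the single most popular password can hit at most `max_count` accounts, but nothing here stops an attacker from trying many candidate passwords against one account, which is the brute-force case the article does not address.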
– Who cares about encryption?
An interesting poll study showing there is a consensus among most people that encryption is required, especially for mobile devices/users, but technical difficulties get in the way… something which has been associated with encryption technologies for a long time, and although a lot has been done in recent years to simplify encryption implementation, there is still some way to go.
http://www.theregister.co.uk/2010/07/20/who_cares_about_encryption/