NEWS
NOVEMBER/DECEMBER 2007

IN BRIEF

SANS: crooks turn fire on users and custom software

Cyber criminals have shifted their aim from flaws in commonly-used software to problems with custom-built applications, and are also targeting easily-misled users, according to the SANS Institute’s revised top 20 internet security risks. It said vulnerabilities in web applications represented the greatest risk, but this was closely followed by “gullible, busy, accommodating computer users,” particularly those with privileged access, which SANS called “the most challenging risk”. It added that training could help tackle the latter problem, but also recommended organisations launch benign spear phishing attacks against users as a form of inoculation – and to see who falls for them.

inf-sec.com/news/071207_sans20.html

Spies greater danger than terrorists, says CPNI

The UK government’s Centre for the Protection of the National Infrastructure (CPNI) is more worried about espionage than terrorists when it comes to cyberattacks. Mark Oram, senior manager of knowledge development at the CPNI, said it was particularly concerned that cyberspies were using social engineering tricks to persuade people to give them sensitive data, circumventing IT security systems. According to press reports, the CPNI wrote to 300 top businesses warning that Chinese hackers are particularly active and to take special precautions against them.

inf-sec.com/news/071203_cpni_cw.html

RSA standard vulnerable

The RSA data encryption standard could be vulnerable to hacking attacks following the discovery of a flaw in a popular microprocessor by one of the standard’s founders. In a research note, Adi Shamir revealed that if an intelligence organisation discovered the mathematical error in a well-known and widely used make of microprocessor, then security software on a computer with that chip could be “trivially broken with a single chosen message”.

inf-sec.com/news/071126_rsa_vulnerable_cw.html

German pips Bletchley Park’s Colossus

SA Mathieson

A man in Bonn cracked a message encrypted with wartime Germany’s most-secure Lorenz equipment within hours of its release on 15 November, beating a rebuilt Colossus machine within Britain’s Bletchley Park code-breaking centre – which was delayed in its task by solar activity disrupting radio signals.

It sounds like several twists in the plot of a Second World War thriller. But Joachim Schüth, who wrote special software to meet the challenge, will be invited to visit Bletchley to receive a prize from the nascent National Museum of Computing.

“We really want to congratulate him,” said Andy Clark, a director and trustee of the museum.

Schüth cracked the hardest of three signals transmitted by radio enthusiasts in Germany from 11am on 15 November, although Bletchley Park only managed to receive them at 5.40pm.

Using the Colossus, the Bletchley Park team cracked the same message as Joachim Schüth at 1.15pm on 16 November, having started at 8.55am – although a spokesperson said 45 minutes should be subtracted for injury time, as they had to change a valve.

Bletchley Park, the war-time base of the UK’s signal interception and decryption organisation now known as Government Communications Headquarters (GCHQ), is best-known for cracking Nazi Germany’s widely-used secure communications equipment, the Enigma machine, with pioneering mechanical computers known as bombes. The Colossus, which broke the Lorenz traffic and is regarded as the world’s first programmable computer, is less famous than the bombes. Britain told its wartime allies about breaking Enigma, but not about breaking Lorenz, and Colossus machines stayed in service after the end of the Second World War.

Tony Sale, a computer expert and former employee of the UK security service MI5, started campaigning for Bletchley Park to be saved from demolition in 1991, and operated the fully-working Colossus computer – which is now a listed object in a listed building, representing the success of his campaign – on 16 November.

He told Infosecurity that it has been possible to rebuild a Colossus as the design used standard components from Post Office telephone exchanges. Tommy Flowers, who worked alongside Alan Turing in designing the Colossus, worked for the Post Office before and after the war, and plenty of exchange components were available second-hand.

A few parts were made from scratch, but the machine also includes nine original components, Sale added: eight photo-cells and a mains transformer, all of which were retained by engineers. “When the engineers were dismantling Colossi at the end of the war, photo-cells were a very nice thing to put in your pocket,” he said, as these are two inches high and 1.5 inches in diameter. However, the rebuilt machine normally uses modern silicon photo diodes, as the older photo-cells are fragile and need resting after prolonged use.

The Colossus machine does not break Lorenz messages, but attempts to find the wheel-settings – mechanical encryption keys – used by the Germans (in this case, volunteers from Heinz Nixdorf Museum Forum in Paderborn). It does so by repeatedly running the paper loop into which the message is punched through the machine, trying different positions of a pair of Lorenz machine wheels one after another in a brute-force attack.

Sale said the operator has to mark the start and end positions of the message on the tape, then the Colossus reports likely matches, using a scoring process. “Colossus doesn’t ‘know’ when it has a good thing,” said Sale, but it recognises when a match looks more likely. The operator then has to use the possible wheel positions to attempt to decode the message using a Tunny machine – the British named German war-time codes after fish. “If you’ve got it right, out comes German,” said Sale.

Andy Clark said that although the Colossus processes 5000 characters a second (5 kilohertz), and employs extensive parallel processing, he assumes that the fastest machines doing this kind of code-breaking are capable of working in Terahertz, processing trillions of characters a second.

GCHQ, now based in Cheltenham, said that it had no involvement in the work beyond loaning equipment including a Lorenz machine to the museum. “We applaud and support the ingenuity in rebuilding Colossus – a fantastic piece of work,” said a spokesperson.
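The wheel-setting search described in the article above, as an added Python example (not from the article, the museum's rebuild or Schüth's software): a simplified two-wheel model that tries all 41 x 31 start positions of the first two chi wheels and scores each by counting how often the differenced, de-chi'd stream comes out 0. The wheel sizes are the historical Lorenz figures; the cam patterns, the 60% bias, the start positions and the message are constructed assumptions.

```python
import random

CHI1_LEN, CHI2_LEN = 41, 31      # cams on chi wheels 1 and 2 (historical figure, not in the article)
TRUE_START = (17, 5)             # constructed secret wheel positions
N = 6000                         # constructed message length in characters

def make_wheel(length, rng):
    """Constructed cam pattern; the real patterns are not given in the article."""
    return [int(rng.random() < 0.5) for _ in range(length)]

def make_tape(chi1, chi2, start, n, rng):
    """Constructed 'tape': XOR of cipher impulses 1 and 2 for n + 1 characters."""
    s1, s2 = start
    d, tape = 0, []
    for t in range(n + 1):
        tape.append(d ^ chi1[(s1 + t) % len(chi1)] ^ chi2[(s2 + t) % len(chi2)])
        if rng.random() >= 0.6:  # assumed bias: underlying stream repeats its bit 60% of the time
            d ^= 1
    return tape

def delta_mask(wheel, start, n):
    """n bits of the wheel's delta stream (bit t XOR bit t+1), packed into an int."""
    size = len(wheel)
    return sum((wheel[(start + t) % size] ^ wheel[(start + t + 1) % size]) << t
               for t in range(n))

def score_settings(tape, chi1, chi2):
    """Score every start position of the wheel pair; highest count first."""
    n = len(tape) - 1
    dz = sum((tape[t] ^ tape[t + 1]) << t for t in range(n))
    masks2 = [delta_mask(chi2, b, n) for b in range(len(chi2))]
    ranked = []
    for a in range(len(chi1)):
        m1 = dz ^ delta_mask(chi1, a, n)
        for b, m2 in enumerate(masks2):
            # count positions where the de-chi'd delta is 0 (the biased outcome)
            ranked.append((n - bin(m1 ^ m2).count("1"), a, b))
    return sorted(ranked, reverse=True)

def demo():
    rng = random.Random(2007)
    chi1, chi2 = make_wheel(CHI1_LEN, rng), make_wheel(CHI2_LEN, rng)
    tape = make_tape(chi1, chi2, TRUE_START, N, rng)
    return score_settings(tape, chi1, chi2)

if __name__ == "__main__":
    for score, a, b in demo()[:3]:
        print(f"chi1={a:2d} chi2={b:2d} score={score}")
```

As in Sale's description, the search only ranks candidates: the top-scoring pair still has to be confirmed by decoding with it.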
