Tech News Weekly: Edition 01-09

[Ehtyar]

The Weekly Tech News

Hi all. Happy New Year everyone Enjoy the news. As usual, you can find last week's news here.

1. Hackers Create Rogue CA Certificate Using MD5 Collisions

Spoiler

http://blogs.zdnet.com/security/?p=2339
Another: http://www.theregister.co.uk/2008/12/30/ssl_spoofing/
Another: http://www.securityfocus.com/news/11541
A group of hackers have used 200 PS3s and a weak SSL certificate (timing prediction and MD5 collision) to create a rogue CA which they used to forge SSL certificates for severval major websites. Certificates validated by the rogue CA will be valid for 2004 only to prevent misuse, though browsers will be blacklisting the rogue CA in their next updates.

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.

The research, which will be presented today by Alex Sotirov (top left) and Jacob Appelbaum (bottom left) at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.

2. Cybersecurity Attracts Boeing, Rival Lockheed

Spoiler

http://seattletimes.nwsource.com/html/boeingaerospace/2008575662_cybersecurity31.html
U.S. military contractors Boeing and Lockheed Martin have drastically increased the capacity of their cyber-security divisions anticipating higher demand in 2008.

Lockheed Martin and Boeing, the world's biggest defense companies, are deploying forces and resources to a new battlefield: cyberspace.

The military contractors, eager to capture a share of a market that may reach $11 billion in 2013, have formed business units to tap increased spending to protect U.S. government computers from attack.

Boeing set up its Cyber Solutions division in August "because of a realization by the company that it's a very serious threat," said Barbara Fast, vice president of the unit.

3. CA Issues No-questions Asked Mozilla Cert

Spoiler

http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/
A security researcher successfully procured an SSL certificate for Mozilla.com after identifying a CA that did not check the credentials of the entity making the request, highlighting the primary weak point in SSL: the CA.

Security researchers have uncovered weaknesses in low-assurance digital certificates that create a means for miscreants to mount more convincing man-in-the-middle (MITM) attacks.

MITMs involve a hacker planting himself between two parties in a dialogue, relaying messages between them and effectively controlling the conversation. The approach might be used, for example, to trick a user into handing over online banking login credentials in the mistaken belief that they are talking directly to a financial institution.

Normally untrusted certificates from an unknown issuer are used by fraudster sites in these kind of scenarios. This would generate error messages or warnings that flag up possible problems, at least to the more internet-savvy.

4. DECT Wireless Eavesdropping Made Easy

Spoiler

http://www.theregister.co.uk/2008/12/31/dect_hack/
In yet another Epic Fail of security by obscurity, your household cordless phone is likely vulnerable to eavesdropping, even with the standard encryption scheme enabled.

Conversations relayed through cordless household phones might be far easier to snoop upon than previously suspected.

A new attack against phones based on DECT (Digital Enhanced Cordless Telecommunication) technology - demonstrated during the Chaos Communication Congress in Berlin earlier this week - might be carried out cheaply using off-the-shelf kit, together with a little know-how. A modified $30 VoIP laptop card running on a Linux portable were used to demonstrate the attack, which relies on using specially outfitted equipment to impersonate legitimate wireless base stations.

5. Windows Media Player Flaw Denied

Spoiler

http://www.theregister.co.uk/2008/12/30/wmp_bug_spat/
Microsoft have denied that a flaw in WMP uncovered by researchers is capable of enabling remote code execution.

Researchers reckon a security bug in Windows Media Player creates a means for hackers to inject hostile code onto vulnerable systems. However Microsoft has denied this, saying that the bug only creates a means to crash the software without posing a more damaging security risk.

The WMP integer overflow bug reportedly kicks in when the media player attempts to process maliciously constructed WAV, SND, or MIDI files. Security researchers have created proof of concept code demonstrating the vulnerability, the SANS Institute's Internet Storm Centre reports.

6. FBI Issues Code Cracking Challenge

Spoiler

http://www.networkworld.com/community/node/36704
Code: http://www.fbi.gov/headlines/code.swf
The FBI has issued another code cracking challenge.

The FBI today challenged anyone in the online community to break a cipher code on its site.  The code was created by FBI cryptanalysts. The bureau invited hackers to a similar code-cracking challenge last year  and got tens of thousands of responses it said.

7. UK: Private Firm to Guard Database of Every Phone Call, E-mail

Spoiler

http://arstechnica.com/news.ars/post/20090101-uk-private-firm-to-guard-database-of-every-phone-call-e-mail.html
Another: http://news.bbc.co.uk/2/hi/uk_news/politics/7805610.stm
The UK is considering contracting out the maintenance of its national call and email database.

A contentious proposal to create a massive database of communications metadata in the United Kingdom has just become even more controversial. According to reports in the British press, a "consultation paper" laying out the plan, slated for release in January, contemplates outsourcing the maintenance of the database to private-sector firms. The proposal has already come under fire from civil liberties groups, the European human rights commissioner, and former public officials.

Initially included in Britain's Communications Data Bill as part of a sweeping Interception Modernisation Programme, the surveillance proposal was dropped from the legislation in September, but it was not abandoned. The database is projected to cost some £12 billion ($17.5 billion US), and would contain metadata about every phone call placed, every e-mail or text message sent, and every Web site visited in the UK, reports say. Such "metadata" would include routing information, such as the sender and recipient of an e-mail, as well as times and dates.

8. FCC Okays DTV "Analog Nightlight" Rules

Spoiler

http://arstechnica.com/news.ars/post/20081228-fcc-oks-analog-nightlight-rules.html
The FCC has okay'd a proposal to keep analogue TV running for 30 days after digital TV broadcasting becomes compulsory. Broadcasters will be able to show critical news and update instructions to those without a DTV tuner.

On the night before Christmas, the Federal Communications Commission proposed rules that would let some full-power TV stations continue streaming a bare-bones analog signal for 30 days after the DTV transition. The "Analog Nightlight" program will allow those stations to keep their analog broadcast going "for the limited purpose of providing public safety and digital transition information," the FCC says. Meanwhile a key member of the House of Representatives is warning Congress that it may need to rush more money to the government's analog converter set top box program.

The analog nightlight rule means that couch potatoes who, as of February 17, still haven't figured out that their old analog sets can't receive digital broadcasts won't be left completely in the dark. After that day, all full-power stations must go digital. The nightlight system will permit eligible full-power license holders to continue to broadcast emergency news and information in analog using both English and Spanish. They can also transmit information about the transition and where to get help—at for roughly a month after DTV Day.

9. 30GB Zunes Killing Themselves In Droves

Spoiler

http://blog.wired.com/gadgets/2008/12/30gb-zunes-kill.html
Another: http://news.bbc.co.uk/2/hi/technology/7806683.stm
Discussion thread by CWuestefeld: https://www.donationcoder.com/forum/index.php?topic=16414.0
Microsoft's Zune MP3 player has been effected by a leap-year bug that cases it to crash around the end of 2008. Exhausting the battery should solve the issue.

The internet is awash with reports that the 30GB Zune is committing suicide across the planet. Not just one of them, either. It seems that some weird bug is simultaneously causing the music players to kill themselves, like lemmings leaping from a cliff.

While the Zune is a distant also-ran in the MP3 market, which is dominated by Apple's, the Microsoft-made device has gained critical approbation with its most recent, version 3.0 models, whose features are quite competitive with the iPod line. Many users appreciate the player's built-in FM radio and "Zune Social" features, which facilitate the communal sharing and discovery of new music.

10. Final Rewind: The VHS Tape Has Breathed Its Last

Spoiler

http://www.crn.com/retail/212501855
JVC, the last of the VHS manufacturers, has finally ceased production.

Remember the days when VHS tapes were so ubiquitous that every video store you knew had the slogan, "Be kind, rewind?" We bring you this bit of pressing nostalgia not because VHS has suddenly slowed its long decline, but because the last distribution holdout for VHS tapes this week announced it's finally cutting the format from its inventory.

According to the Los Angeles Times, Distribution Video Audio in Burbank, Calif., shipped its final truckload of VHS tapes in October -- the last time it plans to make VHS shipments, and the last major VHS distributor in the country to do so.

Ehtyar.

[tomos]

thanks Ethyar
I often seem to arrive just in time to make the first comment lol

#7 British politicians going mad now - I thought there was a recession - of course this would create a few nice jobs, for some people .... but I'm surprised they think it's even worth while
- idly wondering how much corruption there might be involved in such a big project

[Ehtyar]

Seems .gb and .au are competing for the most surveilled society. Good for them. </sarcasm>

Ehtyar.

[cranioscopical]

#7 British politicians going mad now - I thought there was a recession - of course this would create a few nice jobs, for some people .... but I'm surprised they think it's even worth while
- idly wondering how much corruption there might be involved in such a big project

-tomos (January 03, 2009, 02:48 PM)

U.K. gov. "loses" critical data about 3 times a week as far as I can tell.
Cut out corruption, cut out the middle-man, sell the data directly to every malcontent on the planet.

U.K. has gone totally nuts.
Privatize... private eyes... public eyes... public cries.

[ewemoa]

Thanks again for this week's edition  

[nosh]

Happy New Year, Ethyar! And thanks for these updates.

[Deozaan]

Wow somehow I totally missed this one.

Thanks Ehtyar!

[Ehtyar]

Was only posted 10 hours ago Deo, lol. But, my pleasure

Ehtyar.

[Deozaan]

Was only posted 10 hours ago Deo, lol. But, my pleasure

Ehtyar.

-Ehtyar (January 10, 2009, 11:50 PM)

No, this is last week's. 

[Ehtyar]

Ugh, shoot me now. Can anyone say weeetaaaawdeeeeed?

Ehtyar.

[Deozaan]

Can anyone say weeetaaaawdeeeeed?

-Ehtyar (January 10, 2009, 11:59 PM)

You seem pretty good at it. 

[Ehtyar]

LOL, I'm gonna have Scan Man sick the tweaked frogs on you tomorrow

Ehtyar.