It’s been a mighty interesting week in security.
Kids learned about cryptography and received a visit from federal authorities at a special session at DefCon, McAfee is duking it out with other security vendors over Operation Shady Rat, facial recognition is stripping away what little is left of our privacy, and Microsoft is offering big bucks for anyone who comes up with a new security technology.
Meanwhile, the Electronic Frontier Foundation has released HTTPS Everywhere, a Firefox browser tool to make searches safer, and the paranoid will be pleased by the Q2 2011 security threat reports issued by numerous vendors.
Furthering the paranoia, the hacker community Anonymous announced over the weekend that it had hacked 70 law enforcement websites in rural communities in the United States.
All in all, it’s a wonderful time to be a security researcher.
Hacking Beats Milk and Cookies
Last week saw the first DefCon Kids event, held as part of the DefCon hacker conference in Las Vegas.
Classes and workshops were held for children ages 8 through 16, United States federal agency representatives gave them some face time, and a 10-year-old who goes by the handle “CyFi” presented a paper on how to hack games running on smartphones or tablets.
The feds were likely trying to get the kids to understand the role government plays in advancing security and technology rather than to teach them anything about hacking itself, Scott Crawford, a managing research director at Enterprise Management Associates, told TechNewsWorld.
“If anything, government has less to teach truly competent security researchers — who often earn their skills through experience not exactly considered a standard career path — than the other way around,” Crawford said.
A Rat by Any Other Name
McAfee last week hit the headlines with the announcement of a huge, sophisticated operation to steal intellectual property from U.S. government and private sectors, prompting reaction from the White House and triggering a verbal beating from other security vendors.
Experts had known about — and been working on — this type of attack for some time on the Q.T., Jonathan Gossels, president of SystemExperts, told TechNewsWorld.
The problem had been discussed in a book back in 2007, David Harley, senior research fellow at ESET, told TechNewsWorld.
This publication, The Avien Malware Defense Guide for the Enterprise, was published by Syngress.
McAfee also took a walloping from arch-rival Symantec, which discussed Shady Rat on its blog.
Private Eyes Are Watching You
Facial recognition seems to be the next step in search, with Facebook already offering the technology and Google having purchased facial recognition software developer PittPatt last month.
PittPatt, which is an abbreviation of the company’s full name, Pittsburgh Pattern Recognition, is based on research conducted at Carnegie Mellon University’s Robotics Institute back in the 1990s.
In counterpoint, researchers from the same university have found that it’s possible to identify strangers and get their personal information, up to and including their Social Security numbers, by combining off-the-shelf facial recognition software and publicly available information in social media profiles.
They also built a smartphone app to demonstrate that this information is accessible in real time.
Tottering Toward Better Security
Microsoft has launched the BlueHat Prize competition for technology to prevent the exploitation of memory safety vulnerabilities.
Don’t those vulnerabilities plague Windows and various versions of IE? I forget …
The winner will get US$200,000. Submissions must be filed by midnight April 1, 2012.
Meanwhile, the Electronic Frontier Foundation has released the official version 1.0 of the HTTPS Everywhere encryption tool for the Firefox Web browser.
Developed in collaboration with the Tor Project, HTTPS Everywhere protects people using Google, DuckDuckGo, or StartingPage for their searches. However, it can’t protect Bing and Yahoo users because those search engines don’t support HTTPS, the EFF said.
Is Safety a Myth?
The faint of heart may wish to avoid reading Q2, 2011 threat reports from several security vendors.
They can be summed up thus: Doom, gloom and lots more security threats over both landline and wireless connections. And their pessimism may well be warranted.
Application security specialists at White Hat Security, for instance, found serious vulnerabilities in legitimate extensions posted on Google’s Chrome Webstore.
“The problem is that completely benign extensions are vulnerable for attackers to take advantage of, and utilize, the permissions made available by the developer,” Kyle Osborn, one of the specialists, told TechNewsWorld.