Thursday, February 25, 2010

Microsoft's Global Criminal Compliance Handbook

Business Insider via Gizmodo reports links to a Microsoft document describing Microsoft's contact details and processes for being served legal documents. The document sets expectations for response, enumerates the online services it covers, and lists what data users provide to each service. An example is their XBox Live service, which records Gamertag, credit card number, phone number, first and last name with zip, the serial number of devices registered online, service request numbers, email account, and the IP history for the lifetime of the gamertag.

Yes, according to this document, XBox Live tracks every IP your gamertag has logged in from. Ever. That might surprise some XBox players, but shouldn't really surprise most security analysts.

The document fully describes the information retained about each service's users, their activities, and their content. Along with these, Microsoft offers sample language describing a records request, such as this: "Any and all website information for the [group requested] including content, images, member lists, and all IIS logs" for MSN Groups.

Finally, the document describes the legal process required to acquire this information.

This is an interesting read - take a look for yourself:
Microsoft Spy

Friday, February 19, 2010

The 2010 Higher Education Cybersecurity Summit

Indiana University will host the 2010 Higher Education Cybersecurity Summit on April 1st. The keynote speaker is Bruce Schneier, who is scheduled to give a talk titled "Security, Privacy, and the Generation Gap".

Of particular interest at this year's event are a panel on information privacy in higher ed, talks on PCI compliance, and discussion sessions.

I've attended and have spoken at this conference in years past, and found it to be an enjoyable higher-ed-focused conference, as well as a great place to touch base with peers. If you're an Indiana resident higher education security staffer, this is a great, short, and local conference.

Crypto Cracking: RSA 768 Factored

When I cover cryptography for security professionals, I always discuss bad choices in cryptographic solutions: designing your own cryptosystem, choosing a bad mode, and of course, too short a key length. The good news is that researchers continue to pursue key cracks, providing great fodder for my teaching efforts.

The key length question in particular is interesting, as we continue to see higher and higher key lengths broken in widely used crypto systems. The most recent hurdle to fall is RSA 768, which was factored using the number field sieve by an international team. The good news for those who have critical secrets encrypted with 768 bit keys is that this was a multi-year effort - we're not to the point where we can do commodity cracking of RSA keys of that length yet.

Interestingly, the techniques used significantly decrease the effort required to derive the key - the Register article describes the next key size up as only "thousands" of times more difficult to factor, far less than the increase that the key size alone would indicate. This makes teaching students about key length trickier - but it also means that explaining why key length alone is not the only factor to consider is important.
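To make the "key size alone is not the whole story" point concrete, here is an added example (not from the original post or the RSA-768 team) that compares the heuristic running time of the general number field sieve, L_N[1/3, (64/9)^(1/3)], across key sizes against the naive "every extra bit doubles the work" intuition. The constant and formula are the standard GNFS heuristic; the resulting ratio of roughly a thousand between 768 and 1024 bits is what the word "thousands" above refers to.

```python
import math

# Constant c = (64/9)^(1/3) ~ 1.923 from the GNFS heuristic complexity
# L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)).
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log_effort(bits: int) -> float:
    """Natural log of the heuristic GNFS running time for an N of the given bit length.

    N is approximated as 2**bits; only the ratio between sizes is meaningful,
    so absolute units are ignored here.
    """
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def gnfs_relative_effort(bits_from: int, bits_to: int) -> float:
    """How many times harder GNFS finds a bits_to modulus than a bits_from one."""
    return math.exp(gnfs_log_effort(bits_to) - gnfs_log_effort(bits_from))


def brute_force_relative_effort(bits_from: int, bits_to: int) -> float:
    """Naive scaling where each additional key bit doubles the work."""
    return 2.0 ** (bits_to - bits_from)


if __name__ == "__main__":
    for lo, hi in ((512, 768), (768, 1024), (1024, 2048)):
        print(f"{lo:>4} -> {hi:<4} bits: GNFS ~{gnfs_relative_effort(lo, hi):,.0f}x harder, "
              f"naive doubling says 2^{hi - lo}")
```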

Thursday, February 18, 2010

Flash Forensics: Bunnie Studios Analysis of SD cards

If you're a hardware geek, or simply a fan of the forensic process, "On Micro SD Cards" on the Bunnie Studios blog is a great read. A problem that started with a higher than normal failure rate in Chumby devices coming off the assembly line leads the author through SD card fingerprinting and analysis, and ends with a much deeper understanding of SD card fabbing and manufacturer design choices than most IT professionals would have.

Wednesday, February 17, 2010

Google Buzz Security, Part 1 - Follower Privacy

Part 1: Follower Privacy

If you're a Gmail user, you likely recently discovered that you now have a Google Buzz account. The new social networking platform automatically enrolls your contacts as followers of your posts, and you automatically follow theirs. For many users, this new functionality is more of a data leak than a welcome feature, and Google's opt-out, rather than opt-in rollout is creating some discord.

The good news is that if you preferred that your contacts not be listed for others to see, the fix is quite simple, although rather well hidden.

First, navigate to your Buzz page using the left hand Google menu found in Gmail. You'll see a window that looks like this (note that these images are done using a sample account, and don't have followers).


Now click "Following people" near the bottom of the page next to Buzz. You'll see this menu:

Uncheck the checkbox at the bottom labelled "Show the lists of people I'm following and people following me on my profile". You can also edit the list of who you are following here, which provides a great way to get rid of the old contacts Google likely added for you.

Friday, February 12, 2010

ATM Skimmers - Brian Krebs on advances in skimmers

Brian Krebs' Krebs on Security blog has a great slideshow of some of the more advanced ATM skimmers that have been found recently - well worth a look if you're interested in ATM security.

We've talked about ATM security before:

Thursday, February 11, 2010

Insecure As Designed: Logitech's Touch Mouse application

Logitech recently introduced a handy application that converts an iPhone into a Wi-Fi-enabled mouse and virtual keyboard. The TouchMouse app is available for free, and has both Windows and MacOS clients, making it a neat way to control a home theater PC, or other system that you want to interact with from across the room.


Unfortunately, it isn't an app that I can recommend to most users because it is insecure as designed. The first thing I noted after starting the app and linking it to a PC was that there was no authentication. Any TouchMouse user can connect to any other TouchMouse system that they can find.

That's bad enough with a mouse, but add the keyboard and you're in interesting territory. If the application had some form of authentication, even at the simple level of a Bluetooth-bonding-style pairing code, my next step would have been to sniff the traffic between the devices to make sure that it was encrypted. Without any form of authentication, I stopped there. Some applications disqualify themselves right away...