Washington Post and New York Times suggest Flame malware created by US and Israel

• American officials say that Flame was not part of Operation Olympic Games (which was begun under President G.W. Bush)
• Officials have declined to say whether the United States was responsible for the Flame attack
• Obama repeatedly expressed concerns that any American acknowledgment that it was using cyber weapons could enable other countries, terrorists or hackers to justify their own attacks
• New York Times Coverage
• Noted Security Expert Bruce Schneier calls cyber warfare destabilizing and dangerous
• Compared the 2007 Israeli attack on the Syrian nuclear facility, Stuxnet did not result in any loss of life, or risk to friendly personnel
• However, Stuxnet has damaged the U.S.’s credibility as a fair arbiter and force for peace in cyberspace. Its effects will be felt as other countries ramp up their offensive cyberspace capabilities in response
• The offensive use of cyber weapons opens a pandora’s box and weakens the U.S.’s long term position, in exchange for a short term gain
• Have Stuxnet and Flame already destroyed the U.S.’s credibility as a leader for a free and open Internet?
• Richard Clarke (Former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, and Author of ‘Cyber War’), contends that there is a firm distinction between cyber-espionage and offensive cyber-attacks
• Clarke argues that while cyber-espionage should be considered a routine, acceptable practice of any country as part of government intelligence operations, cyber-attacks are much more grave, and should be considered on par with physical attacks
• Clarke and others argue for international cyber weapon arms control treaties
• Richard Clark: How China Steals Our Secrets

---

US-CERT discloses security flaw in 64 bit Intel chips

• The issue surrounds the AMD64 processor instruction SYSRET
• The instruction is implemented differently by AMD (who developed the AMD64 instruction set) than by Intel
• Some implementations, notably: Microsoft, FreeBSD/NetBSD and Xen, used the AMD specifications
• This resulted in a mismatch in the expected behavior, that could result in a privilege escalation
• Microsoft’s Statement: An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights
• FreeBSD’s Statement: Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system
• Xen’s Statement: 64-bit PV guest to host privilege escalation vulnerability. This issue only impacts servers running on Intel processors and could permit a 64-bit PV guest to compromise the XenServer host
• Intel’s Statement: This is a software implementation issue. Intel processors are functioning as per specifications and this behavior is correctly documented in the IntelR64 Software Developers Manual, Volume 2B Pages 4–598–599
• AMD’s Statement: AMD processors’ SYSRET behavior is such that a non-canonical address in RCX does not generate a #GP while in CPL0. We have verified this with our architecture team, with our design team, and have performed tests that verified this on silicon. Therefore, this privilege escalation exposure is not applicable to any AMD processor
• Additional Source

---

Team at Fujitsu cracks proposed new pairing-based cryptography standard

• The team at Fujitsu, working in partnership with the Japanese National Institute of Information and Communications Technology (NICT) and Kyushu University, have successfully cracked 923-bit pairing based cryptography, in 148.2 days
• Based on previous results it was estimated to take several hundred thousand years to break a 923-bit key
• This does not mean that the security of pairing-based cryptography is entirely broken, just that a larger key size is required to maintain security
• This type of research is why only open cryptography standards should be trusted, and why it takes so long to select new standards
• The competition for the SHA–3 algorithm opened in 2007 and is not expected to be completed until later this year. More than 50 algorithms were entered into the competition, only 5 remain
• Among the rejected algorithms is MD6, which proported to scale to very large numbers of CPU cores for long messages, due to speed problems and unsufficient proof if its resistance to differential cryptanalysis. MD6 is still a work in progress and may still be used sometime in the future
• Additional Source
• NICT paper on cracking 676 bit pairing cryptography

---

A tour of GoDaddy’s Data Center

• Photo Tour
• Go Daddy is the registrar for over 52 million domain names
• DNS infrastructure responds to 10 billion DNS queries per day
• SSL infrastructure handles more than 1 billion OCSP responses every day
• Currently hosts more than 5 million web sites on 35,000 servers
• Blocks 2.5 million brute force attacks every hour.
• More than 23 petabytes of data housed on its storage systems
• Processes more than 350 million emails every day

---

OVH deploys world’s largest data center in Canada

• The new data center makes use of OVH’s ‘Cube Data Center’ design, where servers are servers are kept in the outer corridors of the cube, and the center of the cube is open
• Cold air is inlet from the outside of the cube, and the hot exhaust air is vented outside in the center of the cube
• OVH also makes extensive use of water cooling for their servers, which they found can save as much as 30% on their energy bills
• OVH Beauharnois, Quebec Data Center Video
• The Quebec data center is located adjacent to the electrical sub station for the 1900 megawatt Beauharnois Hydroelectric Power Station, which will provide renewable energy for the data center
• The data center also takes feeds from two additional power grids
• Additional Coverage

---

Feedback:

• Q: Eric asks about AD PW Storage

• Check the GPO Setting “Store passwords using reversible encryption”. – You DON’T want reversible encryption, unless application requirements outweigh the need to protect password information.

• Does Windows really still use unsalted MD4 for password storage?

• Q: Frank wants to know what more he could be doing to stay secure.

• Q: Robert wants to do some testing!

Round-Up:

• Breaking: Hacker claims to have breached 79 different banks and acquired 50GB of customer data
• FBI & DEA Warn That IPv6 May Be Too Damn Anonymous
• Let’s talk about secure password storage
• Leaked Documents Show the U.N.’s Internet Power Grab…
• Apple granted patent for polluting facebook pages with false data, to hamper data mining
• Password Manager LastPass 2.0 Released
• SSD Prices down 46% since 2011
• Lego Data Center

The post Peek Inside | TechSNAP 63 first appeared on Jupiter Broadcasting.

]]>