An “Authentication Gap” was discovered in the latest version of SSL/TLS protocol.This could potentially be a huge problem. The gap is not due to some erroneous implementation, it is a property of the protocol.

Here is a list of links to websites where the issue is being followed:

http://www.phonefactor.com/sslgap/

IETF resources

Red Hat

SANS.org

I have a few new reviews of papers on cryptography in my updated page. For those interested in the security of NMAC and HMAC or affiliation hiding key exchanges, I recommend reading the reviews. They include links to relevant papers.

Two underused resources, “Dark Fiber” and “White Space” are to be taken advantage of to increase the power of the network.

One application seeks to use optic fiber that has being laid but not being used to enable the establishment of secure keys using quantum technology http://www.technologyreview.com/computing/23317/page1/

The other is a wireless network in which the information is carried in the unused interstices of the TV spectrum. http://www.technologyreview.com/communications/23781/

Again,

Hackers expose slew of Hotmail acount passwords

Social Engineering and phishing really work.

See what I wrote on Passwords

He deserved much better

National Post
14 Sep 2009

In the very distant future, the name of Alan Turing (1912-1954) will be among the very few for which the 20th century is remembered, long after most of the politicians, artists and celebrities have receded into confusion and oblivion. His stature is…read more…

An article stating the need to protect biometric data appeared in the IEEE spectrum magazine. Not a lot of new information, a good summary of the threats as biometrics are being used more and more as authenticators.

It looks like Canadian laws are finally forcing Facebook to play nice with their users’ personal information.
read the whole article http://www.financialpost.com/news-sectors/technology/story.html?id=1902992

Having all your personal information in one ID is not a very good idea, even if protected by a good encryption scheme. Having all your information in a card protected with a bad encryption scheme is definitely a bad idea.

That seems to be the case with the ID cards issued by the Home Office to foreign nationals working in the UK. As described in a news article, it looks that a cell phone fitted with an RFID scanner and a laptop is all the hardware you need to clone one of these cards and even change the information on it.

Embedded inside the card for foreigners is a microchip with the details of its bearer held in electronic form: name, date of birth, physical characteristics, fingerprints and so on, together with other information such as immigration status and whether the holder is entitled to State benefits.

This chip is the vital security measure that, so the Government believes, will make identity cards ‘unforgeable’.

But as I watch, Laurie picks up a mobile phone and, using just the handset and a laptop computer, electronically copies the ID card microchip and all its information in a matter of minutes.

He then creates a cloned card, and with a little help from another technology expert, he changes all the information the card contains – the physical details of the bearer, name, fingerprints and so on. And he doesn’t stop there.

[Read the whole Mail-Online article]

These cards use the same technology as the ID card for British citizens unveiled last week by Alan Johnson, the Home Secretary. ID thieves must be anxiously waiting for the introduction of government ID cards, which will facilitate their daily jobs.  

The latest edition of Ouch! Newsletter issued an article on the risks of trusting too much personal information to social networks.  The article include a list of tips to avoid getting in trouble, most of them an exercise in applying common sense.

ID theft is a constant threat as thing can get really serious out there. Alessandro Acquisti team of Carnegie-Mellon University conducted a study in which they were able to guess Social Security Numbers using information commonly available.

Acquisti and Ralph Gross report in Tuesday’s edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.

For people born after 1988 _ when the government began issuing numbers at birth _ the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts

Social networking is here to stay and , if you do it, make sure to practice ‘safe networking’.

Update
Ditto:

…..

Social networks are exploding in popularity. Forty-three percent of the online community now uses social networking sites, including Facebook, MySpace and LinkedIn. This is up from 27 percent a year ago, reports The Conference Board and TNS.

…..

The top concerns of social networking members — expressed by about 50 percent — are viruses/malware, exposure of information to strangers and lack of privacy. Women tend to be moderately more concerned than men. Only 14 percent claim they have no concerns, compared to 22 percent of men.

From a recent Conference Board Report.

This Excellent article in the WSJ described the recently broken Patterson’s Cipher. Dr. Smithline from the the Center for Communications Research in Princeton, N.J., got the cipher from a neighbour working on a school project about Thomas Jefferson. Make sure to check the interactive tab on the article for a very well done graphical description of the cipher.

h/t Paul