Spliced feed for Security Bloggers Network
Killing Security, Piece by Piece [The Falcon's View] Posted: 25 Apr 2008 10:13 AM CDT
IT Hot Topics Conference, May 15th and 16th Greensboro, NC [StillSecure, After All These Years] Posted: 25 Apr 2008 08:01 AM CDT Just a quick note on some recent events I will be attending. I am really psyched to be moderating a panel on NAC (does that mean I can give all of the panel a hard time?) at the IT Hot Topics Conference 2008 at Grandover Resorts & Conference Center, in Greensboro, NC. I also get a chance to play golf on a great course, the afternoon of the 16th! You can read more about the conference and some of the other guests and tracks on Jennifer (JJ) Jabbusch's blog here.
Lessons from “Don’t copy that floppy” ’90s Video Still Relevant [BlogInfoSec.com] Posted: 25 Apr 2008 06:00 AM CDT How many people remember the name of a short movie from 1992 that was supposed to fight software piracy, called "Don't copy that floppy"? For the ones that do, the bad music, rhymes and situations have probably scarred us for life. Interestingly, there is a new message that one can take away from this video. It is not about the violations surrounding copyright infringement, but more about the risk associated with using our latest incarnation of Sneaker-Net 2.0: the USB thumb drive. We have all paid attention to the news regarding the risks of USB thumb drives allowing employees to walk out with information, and there are tools and tricks for mitigating those risks. But the one that we have yet to resolve is the USB storage device that comes from the manufacturer with live and active malware ready to infect your core. Don't believe me? Well, hopefully you have heard about the recent issue with Hewlett Packard sending their customer base infected USB thumb drives. No, these were not the promotional marketing schwag; these were intended for use with their line of servers. ComputerWorld said, "A security analyst with the SANS Institute’s Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. 'I think it’s naive to assume that these are not targeted attacks,' …" Doesn’t this sound like the implantation of the malware was an intentional act? What about those pesky picture frames that showed up at Best Buy stores preconfigured to infect your machines? Fortunately, Best Buy owned up to the problem and recalled the picture frames, but not without gaining a bit of bad press for being reluctant about doing so. Now, stepping back for a minute: how many other incidents have we had where a USB device has been discovered out of the box and primed for infection?
I'm counting news releases and articles that extend back almost a year by now. It's interesting that these are finding their way onto and into the mass consumer's hands and equipment, both residential and business. So, jumping back to the message that "Don't copy that floppy" was originally trying to convey, there's a new risk for users if they want to copy anything these days. Those fresh, new and mint condition USB enabled devices are going to backdoor your system even if they do come from a trusted source. Or, alternatively, if you find one lying on the side of the road, in the company parking lot, or in the bathroom, there may be a bigger scheme at hand. What about all those USB giveaways that you get at conferences or in the mail? Yup, they're not immune to being contaminated either, and it will be particularly ironic when an antivirus company hands you a USB device that's infected! But enough about the drives; what about those other devices that have storage on them, like our phones, printers, and Ethernet devices? How long is it going to be until you buy your brand new, top of the line trendy phone only to have it be the deliverer of a new Trojan right into your machine? That's just a small part of the problem: vendors not doing a good QA check of the products before they leave the door. But what can be done for the consumer in all of this? Obviously, you should not trust the device just because it's new and still shrink wrapped. When configuring the device with your workstation, format it first, preferably a low-level format if you know how. Finally, if you come across a device that is infected out of the box, write about it! Be a fellow netizen and alert us to your concerns and findings if you stumble across one of these devices.
Some additional resources:
Don't Copy that Floppy: http://en.wikipedia.org/wiki/Don’t_Copy_That_Floppy
HP admits to selling infected flash floppy drives: http://www.computerworld.com.au/index.php/id;314715708
Best Buy sold infected digital picture frames: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058638
Best Buy recalled infected picture frames: http://www.securityfocus.com/brief/670
Social Engineering, the USB Way: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
Hackers debut malware loaded USB ruse: http://www.theregister.co.uk/2007/04/25/usb_malware/
Copyright © 2008 BlogInfoSec.com.
Spear Phishing with Better Business Bureau complaints [StillSecure, After All These Years] Posted: 25 Apr 2008 12:04 AM CDT I received the following email yesterday purporting to be from the BBB. It looked phishy to me, so of course I did not click the link and did a little investigating. However, I could see how someone would be fooled on this one, thinking someone filed a bogus complaint against them. Almost as good as the subpoena story I heard from a customer last week. Beware of stuff like this! BBB CASE #841246605
Hurry Up and Wait [BumpInTheWire.com] Posted: 24 Apr 2008 10:39 PM CDT It is really quite comical how things work out. Today we had a “mini” disaster recovery test for our mainframe. Like most things, every DR test comes with a couple of meetings prior to the actual work being done. The part I’m involved in is really pretty simple and only involves ensuring a VPN tunnel to the recovery site comes up. The simple part is the config for this VPN was created back in 2005 and our end has not changed since. Every test comes with the same sense of importance stressed on this VPN creating successfully. I get asked several times if somebody will be available at the time the test starts to ensure the VPN comes up. I give the same bullshit answer every time: “Of course, if I’m not here El Sidekick is here at 6:00 AM every day so he will be here.” I give the same answer because I know that if the test is scheduled to start at 8:00 AM they won’t be to a point where they need the VPN until 2 hours later at the earliest. Today was no different. The test was scheduled to start at 8:00 AM. Shortly after 2:00 PM they were at a point where they needed the VPN. The VPN was up at 8:15 and sat idle for 6 hours. The tardiness of the VPN creation wasn’t even an issue on our end. For the third test in a row the DR site clowns didn’t put a default gateway on their config. Silly clowns. This has been a crazy busy week. The stars must have been aligned this week to cause me to be this busy. I think I’m going to reward myself by taking Friday afternoon off. If I can’t blow it out on a Friday when the hell can I blow it out?
The Day I met Bruce Schneier at InfoSecurity Europe ‘08 [IT Security Expert] Posted: 24 Apr 2008 08:14 PM CDT No matter the profession or walk of life we are all in, we all have our heroes and mentors; for some it is the likes of Einstein, Winston Churchill, Lance Armstrong, Tiger Woods or Richard Branson, for others it's Elvis or Amy Winehouse. For me it's Bruce Schneier, who first made a name for himself as a prominent cryptography expert in the 1960s and in recent times has evolved into a fresh and forward thinking security guru. Sure, this proves that I'm a geek for sure, but those who have ever read any of Schneier's recent books or blog entries, or heard him speak, will understand where I'm coming from. I can't say I agree with absolutely everything Bruce says, but what grabs me is his unique approach, perspective and understanding of security and the information security industry. Bruce takes a large step back, then cuts out all the politics, security company marketing and associated sales hype, at which point you are left with the bare bones and the questions on what security is really supposed to be about. Which is: what do you want to protect, what are the risks, how will the security solution mitigate those risks, what risks does the security solution introduce, and finally what are the costs, inconvenience and trade-offs around the security solution to mitigate the original risk. As a security professional you have to be careful not to fall into the trap of tunnel vision in chasing perfect security and zero risk, because there is simply no such thing as perfect security and zero risk! Then the other side of this coin is to ensure the security is appropriate for the risk, making sure the security cost and trade-offs are viable against mitigating the actual risk of attack.
Let me take a "real world" UK example. I'm sure someone might have raised this one, but in order to reduce the risk of another London Underground bombing, we could impose a security countermeasure of searching all passengers and their bags prior to them entering the system, like we do at airports. It might reduce the risk of attack, but when thinking about the trade-offs, which are huge passenger inconvenience and high costs in employing extra staff to carry out all the searches, does this make it a worthwhile security solution in relation to the risk? The rational answer is clearly no, as it's just not viable, and so we continue to accept this risk of terrorist attack. OK, let's say we went with that security solution; at the end of the day, there still would be a risk of terrorist attack on the London Underground, and the only real way to completely mitigate that is to completely shut down the underground system! With business IT security the same approach should apply. Sure, there are areas of law and industry compliance which must always be followed, but when dealing with security problems outside these areas, I always try to emulate that great Schneier vision: take that step back, making sure the business trade-offs and costs are balanced against the attack risk. It's not always that easy; the real difficulty is in quantifying elements, especially the attack risk. Fortunately for me, I utilise some of my own methods and practices which I have built up over the years to mitigate typical business risks, while causing minimal security trade-offs and cost. Anyway, yesterday I attended InfoSecurity Europe, and I was chuffed to pieces, as not only did I get to listen to Bruce Schneier talk about the security industry, but I got to briefly meet him and I got a signed copy of his latest book, Beyond Fear, which is a must read not only for security professionals, but for anyone in general who wants to understand what security is about without knowing any of the technical jargon.
I also recommend signing up to the Crypto-Gram newsletter run by Bruce at http://schneier.com/. After the doors shut at InfoSecurity, (ISC)2 EMEA held an event which I attended. From my perspective as a CISSP member, I have to say EMEA (ISC)2 is progressing well under the leadership of John Colley; the event itself is evidence of this. Amongst the (ISC)2 bigwigs at this event was former White House Cyber Security Advisor and (ISC)2 Security Strategist Prof. Howard A. Schmidt, who was also a keynote speaker at InfoSecurity Europe, again another guy who I can listen to all day. http://www.isc2.org/ Finally I met several guys from the UK Chapter of ISSA (Information Systems Security Association); I promised that I would sign up and get involved after learning that they were planning more events in northern England. http://www.issa-uk.org/
Great article about malicious software [The Security Mentor] Posted: 24 Apr 2008 08:02 PM CDT Ars Technica explains malicious software. This is good because it explains the "why" of software that does bad things on your computer, explains the different ways it can get installed, warns you of the bait that some of it uses to persuade you to run it, and names names. It's almost completely nontechnical.
Automatic Patch-Based Exploit Generation [Observations of a digitally enlightened mind] Posted: 24 Apr 2008 06:19 PM CDT Security Focus has an article describing a system for reverse engineering Microsoft patches to determine deltas between binaries and automagically developing exploit code within seconds (here)
Honestly I am surprised someone hadn't already developed such a system; you would think the folks at Bluelane would have one running in their lab. Anyway, there is little doubt that the time to protect against dynamic threats is decreasing and minutes matter. However, the reality is that most organizations can barely patch within 3-6 weeks using their crappy version of SMS/SCCM, so really what's the difference between seconds, minutes, hours, days or weeks? And how should an organization deal with, what we already knew were, dramatically shorter times to protect? Well, first is to note that the old scan and patch model is broken (here). That's not to say that patch management isn't important - it is critical! However, the immediate response to exploit code in the wild may not always be to distribute a patch, but to shield against the threat by mitigating the vulnerable condition. Essentially the response should be shield, then remove the root cause, which in most cases becomes shield the environment and then patch, upgrade or remove the vulnerability or exposure.
Scan and patch = ineffective
Define policy, audit against policy, enforce policy + shield against emerging threats, then eliminate root cause = effective
So how does an organization shield against attack? They must incorporate and facilitate coordination of all network and host-based technologies as part of their vulnerability and threat management program. Of course this level of organizational command and control would require technologies, like BigFix (here), and processes that support rapid modification to environmental variables. But how is that different from delivering a patch quickly, you ask? Well, modifying a firewall, host or network based, to block ingress or egress traffic on a particular port is far easier and more timely than trying to deploy a patch, not to mention that rolling back the change requires far less effort and environmental disruption than other mitigating factors.
Cybercrime: Same Crimes, Different Days [securosis.com] Posted: 24 Apr 2008 03:13 PM CDT I was reading one of Alan’s posts over at StillSecure, based on the Lending Tree debacle. He starts with a bit I totally agree with:
This is something I’ve been harping on for a while: the only new thing about cybercrime is the vector; nearly every crime we see has a corollary in the physical world. Why? Because we’ve been screwing each other over since before we were technically humans. We’ve been taking things that don’t belong to us since far before we had any concept of commerce or society. That’s tens of thousands, if not hundreds of thousands, of years of criminal refinement. Nigerian 419 scam? It’s the Spanish Prisoner. DoS? It’s sabotage or a protection racket. You name the cybercrime, and I can name the crime. Now how does this practically apply to how security professionals do their job? Focus on the crime, not the tech. When you’re piecing together your defenses, monitoring for incidents, or cleaning up a mess always remember that someone attacked for a reason. If they didn’t steal something, hijack an asset for their own use, trespass for the fun of it, or vandalize/break something, keep looking. Odds are you still haven’t figured out why they are there, and what the real target is, and your day ain’t over yet. A person changes. People don’t.
NJ Supreme Court Defends Internet Privacy [The Security Catalyst] Posted: 24 Apr 2008 02:57 PM CDT The Supreme Court of New Jersey has ruled that people have an expectation of privacy when they are online, and law enforcement officials need a grand jury warrant to have access to their private information. While the ruling only affects New Jersey state law, the holding will take precedence over weaker federal court decisions that hold there is no right to privacy on the internet. The court ruled in the case of Shirley Reid of Lower Township, Cape May County, who was charged with second-degree computer theft for hacking into her employer’s computer system from her home computer. Township police obtained her identity from Comcast by using a municipal court subpoena. The Supreme Court held that law enforcement had the right to investigate her but should have used a grand jury subpoena. The unanimous seven-member court held that police do have the right to seek a user’s private information when investigating a crime involving a computer, but must follow legal procedures. The court said authorities do not have to warn a suspect that they have a grand jury subpoena to obtain the information. Writing for the court, Chief Justice Stuart Rabner said: “We now hold that citizens have a reasonable expectation of privacy protected by Article I … of the New Jersey Constitution, in the subscriber information they provide to Internet service providers — just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.” The case has significant implications for how courts could possibly interpret online privacy in e-mails and other forms of electronic communication. Federal courts have been reluctant to offer stronger protections in defense of online privacy except when there is a clear violation by the government under complicated statutes like the Electronic Communications Privacy Act.
This is the first ruling in the country that seeks to raise the bar on the privacy standards for online activities. It would help influence other state decisions and eventually could reach the Supreme Court.
5 Security Metrics That Matter [Observations of a digitally enlightened mind] Posted: 24 Apr 2008 02:51 PM CDT Security metrics, which I have posted on in the past (here), and (here), are almost as elusive as security ROI. But unlike the mystical pink unicorn that is security ROI, security metrics are real, tangible and meaningful. Why is it then that we have so much difficulty in defining metrics that are both simple in their implementation and significant in their impact on the organization? I believe much of this stems from two flaws in how most organizations approach information security. The first problem is that, for the most part, security is a reactive, ad-hoc discipline, primarily focused on responding to an incident. This drives post-incident metrics such as how many virus outbreaks did we experience, or how many attacks did our IDS detect, or how much SPAM did our anti-spam thingie block. These might be useful in determining, well, those things above, but they are hardly telling of the effectiveness or efficiency of one’s IT security program. The second problem is how an organization communicates between groups. Operations, audit & compliance, and security are examples of domains within an organization that use a very different language to communicate problems and resolutions. Vulnerability assessment is a great example of the problem of cross-organizational communication. Security will look at vulnerability assessment data from the perspective of unique, distinct conditions, operations will look at the data with an eye towards what remediation must be done, and audit & compliance might be concerned with how the data is relevant to regulatory initiatives. Operationally these are all very different ways of describing environmental variables, and it is very difficult to satisfy each of these groups with a simple metric of “how vulnerable are we?” (to what?) or “how many vulnerabilities exist in our environment?” (why does it matter?).
Operations doesn’t care how many unique, distinct vulnerabilities some VA scanner found; their charter is availability. A common language that is driven by policy and used in terms of the business is critical to ensuring cross-organizational communication. Ideally we would be able to draft metrics that address effectiveness and efficiency: how effective is our IT security and operations program, and how efficient are we in detecting and remediating change. Most of this would require a move towards a policy-driven approach and SLAs to monitor adherence to plan, which we will look at in a future post. I did want to take a minute and list some metrics that every organization must be able to address today, because if you cannot answer these basic questions about your environment with any degree of accuracy, then all the metrics we will come up with will fall short.
1. How many computing devices are actively connected to my network right now, and how many of these do we actually own?
2. Of these, how many do we actively manage (have full visibility into and command and control of)?
3. What percentage of these are compliant with basic security policies, including…?
4. How effective is our change management process, and how quickly can we effect change in the environment? For example, once a decision has been made to change some environmental variable (modify PFW settings, configuration change to the device itself, update to dat files, reconfigure HIPS/PFW settings, etc.), what percentage of the environment can we verify conforms to these changes within a 24 hour period?
5. What audit mechanisms are in place to detect changes to a corporate COE (common operating environment), how often do we monitor for non-compliance, what is the process for remediating non-compliant devices, and how long does it take from detection to remediation?
If your organization can repeatably and verifiably answer these 5 questions, you are well on your way to metrics nirvana.
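As an added example (not the post author's code), here is how the five questions above can be answered from an inventory snapshot and an audit-finding list; the device MACs, policy check names, push timestamp and findings are all constructed sample data, and the 24 hour verification window is the one the post names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Device:
    """One device an inventory tool saw on the network right now (constructed data)."""
    mac: str
    owned: bool                                    # present in the asset register
    managed: bool                                  # agent reporting; we can push changes to it
    checks: Dict[str, bool] = field(default_factory=dict)   # policy check name -> passed?
    change_verified_at: Optional[datetime] = None  # when the device confirmed the last pushed change


@dataclass
class NonComplianceEvent:
    """Audit finding: a device drifted from the COE, and when it was fixed (constructed)."""
    mac: str
    check: str
    detected_at: datetime
    remediated_at: Optional[datetime]


# Constructed scenario: a PFW settings change was pushed to every managed device at this time.
CHANGE_PUSHED_AT = datetime(2008, 4, 23, 9, 0)
ALL_PASS = {"av_dat_current": True, "pfw_enabled": True, "hips_enabled": True}

DEVICES: List[Device] = [
    Device("00:11:22:33:44:01", True, True, dict(ALL_PASS), CHANGE_PUSHED_AT + timedelta(hours=2)),
    Device("00:11:22:33:44:02", True, True, {**ALL_PASS, "pfw_enabled": False}, CHANGE_PUSHED_AT + timedelta(hours=30)),
    Device("00:11:22:33:44:03", True, True, dict(ALL_PASS), None),   # never confirmed the change
    Device("00:11:22:33:44:04", True, False),    # owned printer, no agent: nothing to report
    Device("00:11:22:33:44:05", False, False),   # contractor laptop, not in the register
    Device("00:11:22:33:44:06", True, True, dict(ALL_PASS), CHANGE_PUSHED_AT + timedelta(hours=5)),
    Device("00:11:22:33:44:07", False, False),   # unknown device, not owned, not managed
    Device("00:11:22:33:44:08", True, True, {**ALL_PASS, "av_dat_current": False}, CHANGE_PUSHED_AT + timedelta(hours=1)),
]

EVENTS: List[NonComplianceEvent] = [
    NonComplianceEvent("00:11:22:33:44:03", "hips_enabled", datetime(2008, 4, 22, 9, 0), datetime(2008, 4, 22, 15, 0)),
    NonComplianceEvent("00:11:22:33:44:02", "pfw_enabled", datetime(2008, 4, 24, 8, 0), datetime(2008, 4, 24, 20, 0)),
    NonComplianceEvent("00:11:22:33:44:08", "av_dat_current", datetime(2008, 4, 24, 10, 0), None),  # still open
]


def percent(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def inventory_counts(devices: List[Device]) -> Dict[str, int]:
    """Questions 1 and 2: devices seen right now, how many we own, how many we actually manage."""
    return {
        "active": len(devices),
        "owned": sum(1 for d in devices if d.owned),
        "managed": sum(1 for d in devices if d.managed),
    }


def compliance_percent(devices: List[Device]) -> float:
    """Question 3: share of *all* active devices that pass every policy check.
    A device with no check data (unmanaged or unknown) cannot be shown compliant, so it counts as non-compliant."""
    compliant = sum(1 for d in devices if d.checks and all(d.checks.values()))
    return percent(compliant, len(devices))


def change_verified_percent(devices: List[Device], pushed_at: datetime,
                            window: timedelta = timedelta(hours=24)) -> float:
    """Question 4: share of managed devices that confirmed the pushed change inside the window."""
    managed = [d for d in devices if d.managed]
    confirmed = sum(1 for d in managed if d.change_verified_at is not None
                    and pushed_at <= d.change_verified_at <= pushed_at + window)
    return percent(confirmed, len(managed))


def remediation_stats(events: List[NonComplianceEvent]) -> Dict[str, float]:
    """Question 5: detection-to-remediation time for closed findings, plus how many are still open."""
    closed = [(e.remediated_at - e.detected_at).total_seconds() / 3600 for e in events if e.remediated_at]
    return {
        "closed": len(closed),
        "open": sum(1 for e in events if e.remediated_at is None),
        "mean_hours": round(sum(closed) / len(closed), 1) if closed else 0.0,
        "max_hours": max(closed) if closed else 0.0,
    }


def report(devices=DEVICES, events=EVENTS, pushed_at=CHANGE_PUSHED_AT) -> Dict[str, float]:
    """All five answers in one dict, so they can be tracked from one audit run to the next."""
    out: Dict[str, float] = dict(inventory_counts(devices))
    out["compliant_pct"] = compliance_percent(devices)
    out["change_verified_24h_pct"] = change_verified_percent(devices, pushed_at)
    out.update({f"remediation_{k}": v for k, v in remediation_stats(events).items()})
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The constructed snapshot shows the gap the post is pointing at: eight devices are on the wire, six are owned, five are managed, and only three can be shown compliant or shown to have taken the change within a day.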
ahh, New York in the Spring [Trey Ford - Security Spin Control] Posted: 24 Apr 2008 02:26 PM CDT
Searching Google’s Channel Strategy [Alert Logic] Posted: 24 Apr 2008 01:50 PM CDT In my last post, I alluded to my disappointment in Google's lack of a good message around security at RSA this year. And at the Venture Tech Network (VTN) Invitational in New Orleans last February, they had a breakout session for VTN members "by invitation only". Ooh, how top secret of you, Google! You do [...]
Posted: 24 Apr 2008 01:27 PM CDT Latest Network Computing rolling review of Patch Management products, this one focused on BigFix Enterprise Suite (here)
Mitigating DoS with Employee Monitoring. What. [un-excogitate.org] Posted: 24 Apr 2008 12:45 PM CDT This article over on Computerworld Australia seems to have a couple of conflicting items that have been bugging me since I read it the other day. The article begins by mentioning potential changes to federal government legislation:
It's at this point that all of sudden we go on a massive tangent, whereby the Attorney-General is saying that these legislative changes are a counter-terrorism measure, and that these changes could prevent breaches occurring:
Hopefully someone out there can explain to me exactly how granting employers monitoring rights over their employees is a control against denial of service attacks? Or even better, how exactly a denial of service attack equates to a breach? Especially after they’ve done such a good job of defining what an Information Security Breach is in the “Draft Voluntary Information Security Breach Notification Guide”.
The only saving grace in the article was the comment from Nick Elsmore from SIFT where he states that these new laws will have minimal impact on businesses due to most enterprises having provisions for Internet monitoring within employee contracts. My experience in a few different enterprises has proven this to be the case.
SC Magazine article on clarification of PCI requirements [StillSecure, After All These Years] Posted: 24 Apr 2008 12:24 PM CDT Martin and a bunch of others have written about the recent clarifications around sections 6.6 and 11.3 of the PCI DSS. Jim Carr over at SC Magazine ran an article on it today that he interviewed me for. While I am not the PCI expert Martin is, I was happy to contribute my 2 cents (ain't I always). Anyway, sounds to me like these new clarifications are going to wind up with a lot of web application firewalls being sold. Here at StillSecure we are thinking about some ways to take those to the next level as well. Hopefully we can announce something soon on this. Overall, just another indication that right or wrong, compliance is driving a lot of the spending in security today.
April Security “Incidents” Worth Noting [Observations of a digitally enlightened mind] Posted: 24 Apr 2008 09:51 AM CDT 1. Although not an incident the DNS redirect identified by Kaminsky (here) is the perfect storm of stupidity and greed on the part of ISPs resulting in bad mojo for the rest of us.
2. Mass SQL injections identified by F-Secure (here). F-Secure estimates 510,000 affected pages. You may be thinking “so why is this newsworthy?” Mass events are worthy for 2 reasons: 1. They do not receive much press lately, and that has a negative impact on the understanding of threat by executives - they have a security incident memory half-life of 6 months before they decide to stop funding security projects; and 2. This exploit coupled with another could result in mass damage.
3. Targeted malware laden subpoena (here). This is newsworthy because it was highly targeted at a user population that traditionally subverts security controls based on their role in the organization - the CEO - because it was so legitimate looking (no spelling errors, good logos) and because it spoke to a basic human desire to not get sued. It is also an example of yet another piece of malware that most of the AV companies didn’t have signatures to detect and clean until after the infections began.
There were other incidents, as there are every week, but these are worth understanding better as part of an organization's overall security initiatives. Of course, as bad as it is in cyberspace, we can take comfort in the fact that it will never get this bad… Lynchings in Congo as penis theft panic hits capital (here)
Posted: 24 Apr 2008 09:23 AM CDT The Hack in the Box (HITB) conference that took place in Dubai was, all in all, great fun. I would like to personally thank Dhillon, Belinda, Amy and everybody else from the HITB crew for making this event possible and making sure that everybody had a good time. The devil is in the details and this is what makes HITB the best conference in Asia and the Middle East region. I am anxiously looking forward to HITB KL. It is needless to say that we’ve made a lot of friends, talked to some of the best minds in the security world, and even had the chance to present ourselves. Adrian presented his talk on Again, the event was great. The amount of effort the HITB crew put into the preparation was evident all the way till the end. We highly recommend attending any of the following HITB events as they are very much worth it.
But The Earth Remains Forever... [The Falcon's View] Posted: 24 Apr 2008 09:06 AM CDT
Top Ten Items from the Recent Breach at Hannaford Supermarkets [RSA Conference - Blog] Posted: 24 Apr 2008 07:03 AM CDT
OAuth & ID-WSF Authz Models [RSA Conference - Blog] Posted: 24 Apr 2008 06:25 AM CDT
The whys of igovt [RSA Conference - Blog] Posted: 24 Apr 2008 06:18 AM CDT
I Support Barack Obama for President [Observations of a digitally enlightened mind] Posted: 23 Apr 2008 10:15 PM CDT <political commentary below - if you are not interested stop reading> I generally try to avoid discussing politics, religion or operating system preference, as these issues tend to drive highly charged emotions. For the most part this is a security industry blog, but it is also a representation of my thoughts and feelings, and after thinking through the options I feel like supporting Barack Obama for President (here). Prior to the 2004 Democratic Convention I wasn’t familiar with Senator Obama, but I was captivated as he gave the keynote. I remember turning to some friends and saying “that guy is going to be President one day”; honestly I barely remember who the Democrats were endorsing, but I will never forget Senator Obama’s speech. Sitting on the sidelines and lamenting the loss of our freedoms, the loss of four thousand dedicated men and women of the US military, watching the collapse of the housing industry, record oil prices, and a looming economic disaster is no longer an option. As citizens of the United States we have the ultimate responsibility to do everything in our power to ensure the freedoms our founding fathers fought for, and every generation since has bled for, remain ours to pass on to our children. This freedom starts with a voice, yours and mine. A single voice, a single vote combined with others to create the winds of change - regardless of your political beliefs, whether they be Republican, Democratic or somewhere in between, just remember that it is not only your right to vote, it is your responsibility.
Finally someone said it! [Security Balance] Posted: 23 Apr 2008 05:51 PM CDT I was extremely happy to read this post from Richard Mogull, where he says: “I know what's running through your head right now. "WTF?!? Mogull's totally lost it. Isn't he that data/information-centric security dude?" Yes I am (the info-centric guy, not the insane bit), and here's the thing: Enterprise content is just too volatile for static tags to really represent its value.” A few years ago I was advocating the same thing during a discussion with some friends, where I was complaining about how pointless the current data classification policies and procedures are when we think about the current state of applications, data sharing and web 2.0 stuff. I just don’t believe that information classification can happen in a dynamic organization in the way that is taught in, let’s say, a CISSP prep class. We really need to think out of the box when dealing with the challenges of prioritizing security measures according to the value of information. I’ll quote Richard again about data classification: “That, my friend, is not only dead, it was never really alive.”
Fuzzy Math: When 10 Points is Really 9 [The Falcon's View] Posted: 23 Apr 2008 03:57 PM CDT
Functional Cryptography the future? [Data Protection, Management and Leakage] Posted: 23 Apr 2008 10:07 AM CDT Interesting concept, this new research from UCLA called functional cryptography. Apparently the key is a function of people's "attributes" and not having the specific key itself - as far as I can understand. I would guess that defining these attributes might be tough... Seems like they are addressing key management, authentication and aspects of sharing keys without going for a full blown PKI infrastructure... Be interesting to find out more about this area. However, one aspect of this did strike me as synergistic to my views of data centric/information centric security - the attributes and keys are held within the data itself and reside with the data...