Tuesday, February 15, 2005

SHA-1 Broken?

Bruce Schneier's latest blog entry mentions an as-yet uncirculated paper that claims to show how to drastically reduce the number of operations needed to find a hash collision. If I read this correctly, Schneier has read the paper himself, but has not yet been able to verify the results. But it's obvious he's taking this very seriously, and that's good enough for me.

Thursday, February 03, 2005

Howard on Safer CRT

Microsoft's Michael Howard (co-author of Writing Secure Code and maintainer of a great Windows-oriented security blog) has started writing a series of articles about the new security-enhanced C runtime library that will start shipping in the next beta version of Visual Studio. This won't automagically turn Windows into a security powerhouse, but this looks like a very promising step. I can't wait to hear more.

Wireless hacking presentation: "All Your Layer Are Belong To Us"

Among the presentations at ImmunitySec's recent Security Shindig 3 was this exciting presentation about exploiting Windows Wireless Zero-Configuration behavior to an attacker's benefit. My favorite quote is "You can be 0wned while watching a DVD on a plane!"

Seriously, this is an interesting presentation. I would have loved to have been there for the demo of KARMA, the tool they wrote that automates these attacks. Don't know if it's available for download anywhere.

How manufacturers protect themselves from online lowballers

Ok, I know this isn't exactly about information security, but here's a cool article describing in some detail how major manufacturers protect themselves from online black marketeers. This obviously isn't 100% effective, but it's kinda neat, in a King Canute sort of way.