Tuesday, November 20, 2007

Warning! Danger Will Robinson!

This morning, a friend forwarded me a couple of interesting and troubling security articles. Safe surfing may no longer be enough. And given that we are just dropping into online shopping season, I thought some of this info might be good to have.

The first item, found on Wired, is a new twist on an old hack. Malicious users are embedding encrypted redirect functions in Flash banners. You don't need to click the banner. You just have to visit a site that displays it. It then redirects your browser to an antivirus software site where software is installed seemingly no matter what you do. Security providers are working on fixes for this, and I'm curious if changing your Flash settings will help. Any security workers out there want to comment?

The second item, from Network World, seems a little less easily classified. The article is vaguely written. The gist is that a math error on a chip could create serious security vulnerabilities. The author references the math error that plagued Intel chips back in 1994. I think he is saying that if such a math error occurred on newer chips, it would be exploitable. I'm not sure whether or not he has found said vulnerability. But this bears watching.

And, finally, in the "are they really that stupid" category, we have the NSA. In another Wired story, you can read about the government's new cryptography standards. The standards themselves are a good thing. The component of the standard the NSA is championing is less so. The NSA wants us to adopt an algorithm into which they have a back door. That way, they have a skeleton key to decrypt the messages from the 'bad guys'. Who decides who the bad guys are? They do. Well, them and the President. And of course, they would never use it on law-abiding citizens. And there is no way they could be infiltrated by a terrorist or industrial spy. So, none of us should lose the slightest bit of sleep over it. Right?

I'm pretty sure the crypto community at large will reject NSA's approach, but how many need to adopt to worry us?