Sunday 30 August 2009

Real Time Keylogging

According to the New York Times, the trojan Clampi is able to send key presses in real time. This means that it can be used to attack one-time password (OTP) systems.
From here on, it seems necessary to consider a more complex mode of OTP known as EMV CAP or Visa DPA. Here a challenge is sent from the server and signed by a smart card. Therefore the attacker cannot submit the stolen OTP signature for any other purpose than the one it was originally intended for.
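To make the difference concrete, here is an added simulation (not from the post, not real CAP/DPA code): a relayed plain OTP is accepted for whoever submits it first, while a CAP-style response is bound to the server's challenge and the transaction it was issued for. The secret, amounts and payees are constructed demo values.

```python
import hashlib, hmac, secrets

# Constructed demo secret standing in for the key held by the token or smart card.
SECRET = b"demo-secret-not-a-real-key"

def _code(msg: bytes) -> str:
    """Truncate an HMAC to an 8-digit code, the way OTP tokens do."""
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def plain_otp(counter: int) -> str:
    """Counter-based OTP: the code depends only on the secret and the counter."""
    return _code(counter.to_bytes(8, "big"))

def cap_response(challenge: bytes, amount: int, payee: str) -> str:
    """CAP/DPA-style response: the card signs the server's nonce together
    with the transaction it is meant to authorise."""
    return _code(challenge + amount.to_bytes(8, "big") + payee.encode())

class Server:
    def __init__(self) -> None:
        self.counter = 0
        self.pending = {}  # challenge -> (amount, payee) awaiting a response

    def verify_plain(self, code: str) -> bool:
        ok = hmac.compare_digest(code, plain_otp(self.counter))
        if ok:
            self.counter += 1  # a used counter value is never accepted again
        return ok

    def issue_challenge(self, amount: int, payee: str) -> bytes:
        challenge = secrets.token_bytes(8)
        self.pending[challenge] = (amount, payee)
        return challenge

    def verify_cap(self, challenge: bytes, code: str) -> bool:
        amount, payee = self.pending.pop(challenge)
        return hmac.compare_digest(code, cap_response(challenge, amount, payee))

def keylogger_scenario() -> dict:
    """The keylogger relays every typed code to the attacker the moment it is typed."""
    srv = Server()
    typed = plain_otp(srv.counter)            # user types a plain OTP ...
    plain_replayed = srv.verify_plain(typed)  # ... and the relayed copy is accepted first
    c_user = srv.issue_challenge(100, "grocer")
    typed = cap_response(c_user, 100, "grocer")     # user signs her own transaction
    c_attacker = srv.issue_challenge(5000, "mule")  # attacker's transaction got its own nonce
    cap_replayed = srv.verify_cap(c_attacker, typed)  # relayed code does not match it
    return {"plain_otp_replayed": plain_replayed, "cap_replayed": cap_replayed}
```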

Saturday 29 August 2009

MacOS X is not Invulnerable

Apple has fixed a nasty long-standing bug. This bug seems to enable user-space programs to overwrite arbitrary locations in kernel memory. The impact of this depends on how easy it is to guess the location of the target. A technique called Address Space Layout Randomization (ASLR) is expected to help here. Attackers need to guess the location of target variables or code on many computers in order to create a worm or rootkit that spreads using this vulnerability. However, it seems that the kernel memory is not randomized, so all Macs prior to the latest version of Leopard are vulnerable.

Tuesday 18 August 2009

Voting Computer Tempest Attack

YouTube has a video where the German hacker club CCC shows how to read out the votes cast on an online voting machine. The electromagnetic radiation generated by the machine, in particular its pressure-sensitive input device, is picked up with a sensitive radio scanner. It seems that almost any man-machine interface is threatened by this kind of attack.

Whole Genome Amplification allows DNA Spoofing

Israeli researchers found that, using a variant of the polymerase chain reaction called 'whole genome amplification', it is possible to produce macroscopic amounts of DNA from very small samples. This can be used to plant fake evidence at crime scenes. The fabricated samples have been tested with commercially available test kits.
This underlines two insights we all should have known for a long time:
  • Don't rely on DNA alone to convict people
  • Be careful with large databases - their contents might be stolen
Update (2009-08-20): Another Israeli company, Nucleix, claims to have a DNA analysis kit that can distinguish between real and amplified DNA. This looks very much like another arms race to me.

Sunday 16 August 2009

New RFC for Publishing DKIM Signature Policy

A new RFC allows a domain to publish its policy for using DKIM signatures on outgoing emails. There are two ways to use DKIM:
  • use a valid DKIM header as an indication that the email is legitimate
  • use a missing DKIM header as an indication that the email is spam
However, the first option fails if the spammer registers a domain and adds a valid DKIM header. The second option cannot be used if the domain in question simply doesn't use DKIM. Now there is a new option:
  • use a missing DKIM header as an indication that the email is spam, provided the sending domain announces that it uses DKIM
This sounds reasonable to me.

Thursday 13 August 2009

Email Stamps

CentMail is a new attempt to fight spam using digital stamps. It is backed by Yahoo Research. The proceeds from CentMail go to a charity chosen by the sender.
It is well known that even such a small cost per email would kill the business model of most spammers. However, it remains to be seen how email receivers will react to these stamps. I would consider acknowledging them in my SpamAssassin rules.
Also note that people still need to guard against malware received by email even if such a system becomes popular, as a targeted malware infection may have a completely different business model.
Anyway, the money is well spent even if it doesn't kill spam immediately.

Formally Evaluated Microkernel Source Code

Australian researchers have published a formal proof of the correctness of an L4 microkernel. They used the theorem prover Isabelle to achieve this. L4 is a microkernel, not an operating system: it performs only very elementary functions like memory management, process control and interprocess communication.
Additional operating system functionality, like networking or file systems, is implemented outside of the kernel.
If this works out, meaning that the proof holds and the kernel runs at a reasonable speed, this would be the world's first bug-free operating system kernel source code. Note the defensive wording: there might still be errors in the specification, in the services outside of the kernel, or in the C compiler.
Unfortunately, it won't run on smart cards, as its target architectures are ARM11 and x86. Also, to gain a formally proven secure smart card kernel one would also have to prove security against hardware glitches and attacks.

Wednesday 12 August 2009

Flash Cookies

Kate McKinley from iSEC Partners notes that Adobe's Flash browser plugin can be used to store persistent data and thus track internet usage. Even worse, those Flash cookies cannot be deleted through the browser settings. She describes a complicated procedure for managing and deleting Flash cookies. This is annoying.
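Since the browser's own cookie controls do not reach them, the practical alternative is to manage the local shared object files directly. The script below is an added example, not from the post or from iSEC; the directory locations and the <random dir>/<domain>/... layout are my assumptions about the Flash Player of the time, and the sample store it can build is constructed.

```python
import os, tempfile
from pathlib import Path

# Assumed locations of Flash Player's local shared objects (*.sol files), laid
# out as <root>/<random dir>/<domain>/<path>/<name>.sol on the platforms of the time.
LSO_ROOTS = {
    "linux": "~/.macromedia/Flash_Player/#SharedObjects",
    "darwin": "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects",
    "win32": "%APPDATA%/Macromedia/Flash Player/#SharedObjects",
}

def find_flash_cookies(root) -> dict:
    """Map each domain to the .sol files it has stored below root."""
    root = Path(os.path.expandvars(os.path.expanduser(str(root))))
    found = {}
    if root.is_dir():
        for sol in root.rglob("*.sol"):
            parts = sol.relative_to(root).parts  # (random_dir, domain, ..., name.sol)
            if len(parts) >= 3:
                found.setdefault(parts[1], []).append(sol)
    return found

def delete_flash_cookies(root, keep=()) -> int:
    """Delete every .sol file except those of the domains in keep; return the count."""
    removed = 0
    for domain, files in find_flash_cookies(root).items():
        if domain not in keep:
            for f in files:
                f.unlink()
                removed += 1
    return removed

def make_sample_store(root=None) -> Path:
    """Constructed sample store for trying the functions without a real Flash install."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    for domain, name in [("tracker.example", "id.sol"), ("tracker.example", "seen.sol"),
                         ("video.example", "volume.sol")]:
        p = root / "XYZ12345" / domain / "swf" / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder, not a real LSO")
    return root

if __name__ == "__main__":
    import sys
    for domain, files in find_flash_cookies(LSO_ROOTS.get(sys.platform, LSO_ROOTS["linux"])).items():
        print(f"{domain}: {len(files)} cookie file(s)")
```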

Tuesday 4 August 2009

AES Weaknesses

Recent attacks on AES (see here and here) have shown weaknesses in the AES key schedule. In short, the authors managed to recover the key of AES-256 with a complexity of 2^119 and of AES-192 with a complexity of 2^176. If these results hold, AES-256 is not better than AES-128. For the time being, there are no practical implications, as all three variants can still be considered practically secure.

Sunday 2 August 2009

Electromechanical Locks

There is a video that shows all sorts of attacks against electromechanical locks. No details, however. Maybe electronic locks shouldn't use mechanical keys at all?

Economics of Spam

An experiment on the spam conversion rate (the rate at which spam emails result in purchases) shows that less than 0.00001% of spam emails result in sales. The experiment was performed by infiltrating the Storm botnet and sending out spam emails referring to fake sales pages operated by the researchers (I won't comment on whether I consider this method ethically acceptable. At least, no damage is done to the test subjects).
As sending out spam comes with a cost, this low conversion rate poses a problem for the spammers. The authors assume that the retail price for sending out spam is $80 per million spam mails. That's not a business, because one million emails result in only 0.1 conversions at the conversion rate quoted above.
The conclusion of the cited paper is that the Storm botnet is "vertically integrated" and thus operates at lower costs than $80 per million spam emails sent.
The good news is that the spam business seems to operate at the border of profitability. If this is true, then measures that reduce spam profitability further might effectively reduce the quantity of spam.

Rootkit Breaks TrueCrypt

There is an attack against TrueCrypt based on a rootkit which is installed in the MBR. Such things have been well known since rootkits were invented, but this one seems to be targeted directly at TrueCrypt and is also quite hard to detect.
Someone who can change the boot process of a PC without being noticed can always steal the keyboard input. However, I would suggest that a tool like TrueCrypt should do everything possible to detect rootkits. It was also suggested to boot TrueCrypt from a physical CD-ROM. That fixes the MBR issue.
Of course a TPM would help here, too. Too bad it has been burned by the DRM industry.
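One cheap form of the detection suggested above is to fingerprint the MBR's bootstrap code at install time and compare on every boot. The script below is an added example, not TrueCrypt's code; the device path and the sample loader bytes are assumptions, and the MBR layout it relies on (440 bytes of code, then disk signature and partition table, 0x55AA at the end) is the classic one.

```python
import hashlib
import hmac

SECTOR = 512
CODE_LEN = 440          # bootstrap code; disk signature and partition table follow it
BOOT_SIG = b"\x55\xaa"  # last two bytes of every valid MBR

def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only: a bootkit lives there, while the
    partition table and disk signature behind it may change legitimately."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()

def check_mbr(mbr: bytes, baseline: str) -> str:
    """Compare a freshly read MBR against the fingerprint recorded at install time."""
    if len(mbr) != SECTOR or mbr[SECTOR - 2:] != BOOT_SIG:
        return "not-a-valid-mbr"
    if hmac.compare_digest(mbr_fingerprint(mbr), baseline):
        return "unchanged"
    return "MODIFIED"

def read_mbr(device: str = "/dev/sda") -> bytes:
    """Read the first sector of a disk (needs root). A rootkit that already
    controls the disk driver can lie to this read, which is why the post
    points to CD boot and a TPM; running the check from clean boot media is safer."""
    with open(device, "rb") as f:
        return f.read(SECTOR)

def make_sample_mbr(code: bytes) -> bytes:
    """Constructed MBR: the given bootstrap bytes padded to 440, an all-zero
    disk signature and partition table, and the 0x55AA boot signature."""
    body = code.ljust(CODE_LEN, b"\x00") + b"\x00" * (SECTOR - CODE_LEN - 2)
    return body + BOOT_SIG

if __name__ == "__main__":
    good = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")  # constructed stand-in for a known-good loader
    baseline = mbr_fingerprint(good)
    print(check_mbr(good, baseline))                          # unchanged
    print(check_mbr(make_sample_mbr(b"\xeb\x00"), baseline))  # MODIFIED
```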