Application Security: Is the Backdoor Threat the Next Big Threat to

,----[ Quote ]
| CSO: What are those categories?
| Wysopal: The most common is a special credential backdoor. If you know about
| it being there, you can authenticate with that. It’s always there. It gives
| you a privileged account. But it’s also nice and easy to look for statically;
| ^^^^^^^^^^^^^^^^^^
| these guys stand out like a sore thumb, so they’re easier to find.

Days ago:

Dual_EC_DRBG Added to Windows Vista

,----[ Quote ]
| Microsoft has added the random-number generator Dual_EC-DRBG to Windows
| Vista, as part of SP1. Yes, this is the same RNG that could have an NSA
| backdoor. *
| It's not enabled by default, and my advice is to never enable it. Ever.

Microsoft Sells Out to NSA... again!

,----[ Quote ]
| So before you go to the store and get that shiny new laptop, consider asking
| the retailer to not put Windows on there because not doing so could end up
| being a serious mistake. *


Why proprietary code is bad for security

,----[ Quote ]
| Tho Skype is using an encrypted protocol, it’s still their own, non-disclosed
| code and property. So we don’t know what it contains.
| [...]
| It’s time to stop accepting that we are the bad guys, and to stop consuming
| things we just don’t understand (and cannot, because they are proprietary, *
| closed-source systems).
| Say no to companies, or even governments who treat you like this. Start using
| open sourced products and protocols wherever you can. Even if you could
| still never understand the code used in these systems, there are still lots
| of people who can, and who will examine it. The magic word here is “peer
| review” - your friend or buddy or neighbour may be able to understand all
| that, and to help. No, not with Skype or Windows or any black box from Cisco. * * *

Did NSA Put a Secret Backdoor in New Encryption Standard?

,----[ Quote ]
| Which is why you should worry about a new random-number standard that
| includes an algorithm that is slow, badly designed and just might contain a
| backdoor for the National Security Agency. *

,----[ Quote ]
| "Is this a good idea or not? For the first time, the giant software maker
| is acknowledging the help of the secretive agency, better known for
| eavesdropping on foreign officials and, more recently, U.S. citizens as
| part of the Bush..."

Animal Rights Activists Forced to Hand Over Encryption Keys

,----[ Quote ]
| If you remember, this was sold to the public as essential for fighting
| terrorism. It's already being misused.

Microsoft could be teaching police to hack Vista

,----[ Quote ]
| Microsoft may begin training the police in ways to break the
| encryption built into its forthcoming Vista operating system.

UK holds Microsoft security talks

,----[ Quote ]
| "UK officials are talking to Microsoft over fears the new version of
| Windows could make it harder for police to read suspects' computer files."

For Windows Vista Security, Microsoft Called in Pros

,----[ Quote ]
| The NSA also declined to be specific but said it used two groups — a “red
| team” and a “blue team” — to test Vista’s security. The red team, for
| instance, posed as “the determined, technically competent adversary” to
| disrupt, corrupt or steal information. “They pretend to be bad guys,” Sager
| said. The blue team helped Defense Department system administrators with
| Vista’s configuration . * *
| Microsoft said this is not the first time it has sought help from the NSA.
| For about four years, Microsoft has tapped the spy agency for security
| expertise in reviewing its operating systems, including the Windows XP
| consumer version and the Windows Server 2003 for corporate customers. *

Microsoft patents the mother of all adware systems

,----[ Quote ]
| The adware framework would leave almost no data untouched in its quest to
| sell you stuff. It would inspect "user document files, user e-mail files,
| user music files, downloaded podcasts, computer settings, computer status
| messages (e.g., a low memory status or low printer ink)," and more. How could
| we have been so blind as to not see the marketing value in computer status
| messages? * *

Spy Master Admits Error

,----[ Quote ]
| Intel czar Mike McConnell told Congress a new law helped bring down a terror
| plot. The facts say otherwise.

FBI ducks questions about its remotely installed spyware

,----[ Quote ]
| There are plenty of unanswered questions about the FBI spyware that, as we
| reported earlier this week, can be delivered over the Internet and implanted *
| in a suspect's computer remotely.

United States Government Online Watchdogs? Part of the war on terror?

,----[ Quote
| Is there anyone in the abandonia community with a US based connection who is
| experiencing this watchdog behavior? Are any foreign Vista users experiencing
| similar attacks from their own countries ministries and governing agencies?" *

On back doors in Windows XP...

Vista as the mother of all spyware...

Police eats your CPU cycles and disk space...

,----[ Quote ]
| Vista—Microsoft’s latest operating system—may prove to be most
| appropriately named, especially for those seeking evidence of how a
| computer was used.

Will Microsoft Put The Colonel in the Kernel?

,----[ Quote ]
| "The kernel meets The Colonel in a just-published Microsoft patent
| application for an Advertising Services Architecture, which delivers targeted
| advertising as 'part of the OS.' *

Austria OKs terror snooping Trojan plan

,----[ Quote ]
| Austria has become one of the first countries to officially sanction the use
| of Trojan Horse malware as a tactic for monitoring the PCs of suspected
| terrorists and criminals. *
| [...]
| Would-be terrorists need only use Ubuntu Linux to avoid the ploy. And even if
| they stuck with Windows their anti-virus software might detect the malware.
| Anti-virus firms that accede to law enforcement demands to turn a blind eye
| to state-sanctioned malware risk undermining trust in their software, as
| similar experience in the US has shown. * *

Schäuble renews calls for surreptitious online searches of PCs

,----[ Quote ]
| In his speech towards the end of the national conference of the Junge Union,
| the youth organization of the ruling conservative Christian Democratic Union
| (CDU), in Berlin the Federal Minister of the Interior Wolfgang Schäuble has
| again come out in favor of allowing authorities to search private PCs
| secretly online and of deploying the German Armed Forces in Germany in the
| event of an emergency. * *

Is My Boss Reading My Personal E-mail?

,----[ Summary ]
| Your employer can monitor all electronic communication
| to and from work equipment, especially when it's sent
| over the corporate network

Botnet 'pandemic' threatens to strangle the net

,----[ Quote ]
| Cerf estimated that between 100 million and 150 million of the
| 600 million PCs on the internet are under the control of hackers,
| the BBC reports.

Encrypted E-Mail Company Hushmail Spills to Feds

,----[ Quote ]
| Hushmail, a longtime provider of encrypted web-based email, markets itself by
| saying that "not even a Hushmail employee with access to our servers can read
| your encrypted e-mail, since each message is uniquely encoded before it
| leaves your computer." *
| But it turns out that statement seems not to apply to individuals targeted by
| government agencies that are able to convince a Canadian court to serve a
| court order on the company. *

No email privacy rights under Constitution, US gov claims

,----[ Quote ]
| This appears to be more than a mere argument in support of the
| constitutionality of a Congressional email privacy and access scheme. It
| represents what may be the fundamental governmental position on
| Constitutional email and electronic privacy - that there isn't any. What is
| important in this case is not the ultimate resolution of that narrow issue,
| but the position that the United States government is taking on the entire
| issue of electronic privacy. That position, if accepted, may mean that the
| government can read anybody's email at any time without a warrant. * * *

Can FOSS save your privacy?

,----[ Quote ]
| Well, the Bush regime has already claimed "we don't need no steenkin
| warrant" to listen to your phone calls, see what websites you visit,
| scan your emails, and now, with the revelation of a new
| "signing statement", it?s even claiming the authority to read your
| physical mail. When the government becomes the biggest threat to
| your privacy, you better take advantage of the legion of privacy
| advocates creating FOSS to help you retain what little bit of privacy
| you can still have.
| [...]
| However, just because your privacy is being threatened doesn't mean
| you have to accept it. There is a growing array of FOSS being
| developed to provide us with the ability to control our privacy.
| It's about time we all start using it.

Polippix: The Political Linux Distribution of Denmark

,----[ Quote ]
| From what I have been able to determine, PROSA, the Association of
| Computer Professionals, is the group responsible for its development
| and distribution. Their feelings on how privacy is being affected in
| the country of Denmark are rather obvious, and it looks as if they
| are not going to take these concerns lying down.

Microsoft exec calls XP hack 'frightening'

,----[ Quote ]
| "You can download attack tools from the Internet, and even script kiddies can
| use this one," said Mick.
| Mick found the IP address of his own computer by using the XP Wireless
| Network Connection Status dialog box. He deduced the IP address of Andy's
| computer by typing different numerically adjacent addresses in that IP range
| into the attack tool, then scanning the addresses to see if they belonged to
| a vulnerable machine. * *
| Using a different attack tool, he produced a security report detailing the
| vulnerabilities found on the system. Mick decided to exploit one of them.
| Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a
| payload that would exploit the flaw within a couple of minutes. *

Duh! Windows Encryption Hacked Via Random Number Generator

,----[ Quote ]
| GeneralMount Carmel, Haifa – A group of researchers headed by Dr. Benny
| Pinkas from the Department of Computer Science at the University of Haifa
| succeeded in finding a security vulnerability in Microsoft's "Windows 2000"
| operating system. The significance of the loophole: emails, passwords, credit
| card numbers, if they were typed into the computer, and actually all
| correspondence that emanated from a computer using "Windows 2000" is
| susceptible to tracking. "This is not a theoretical discovery. Anyone who
| exploits this security loophole can definitely access this information on
| other computers," remarked Dr. Pinkas. * * * *
| Editors Note: *I believe this "loophole" is part of the Patriot Act, it is
| designed for foreign governments. *Seriously, if you care about security,
| privacy, data, trojans, spyware, etc., one does not run Windows, you run
| Linux. *

"Trusted" Computing

,----[ Quote ]
| Do you imagine that any US Linux distributor would say no to the
| US government if they were requested (politely, of course) to add
| a back-door to the binary Linux images shipped as part of their
| products ? Who amongst us actually uses the source code so helpfully
| given to us on the extra CDs to compile our own version ? With
| Windows of course there are already so many back-doors known and
| unknown that the US government might not have even bothered to
| ask Microsoft, they may have just found their own, ready to
| exploit at will. What about Intel or AMD and the microcode on
| the processor itself ?

,----[ Quote ]
| In relation to the issue of sharing technical API and protocol
| information used throughout Microsoft products, which the
| states were seeking, Allchin alleged that releasing this
| information would increase the security risk to consumers.
| * * * *"It is no exaggeration to say that the national security is
| * * * *also implicated by the efforts of hackers to break into
| * * * *computing networks. Computers, including many running Windows
| * * * *operating systems, are used throughout the United States
| * * * *Department of Defense and by the armed forces of the United
| * * * *States in Afghanistan and elsewhere."

How NSA access was built into Windows

,----[ Quote ]
| A careless mistake by Microsoft programmers has revealed that
| special access codes prepared by the US National Security Agency
| have been secretly built into Windows.
| [...]
| The first discovery of the new NSA access system was made two years
| ago by British researcher Dr Nicko van Someren. But it was only a
| few weeks ago when a second researcher rediscovered the access
| system. With it, he found the evidence linking it to NSA.

NSA Builds Security Access Into Windows

,----[ Quote ]
| A careless mistake by Microsoft programmers has shown that special access
| codes for use by the U.S. National Security Agency (NSA) have been secretly
| built into all versions of the Windows operating system.