Dutch chipmaker NXP Semiconductors has sued a university in The Netherlands to block publication of research that details security flaws in NXP's Mifare Classic wireless smart cards, which are used in transit and building entry systems around the world.
NXP, formerly Philips Semiconductors, sued to prevent Radboud University Nijmegen from publishing a scientific paper on the technology in October. A hearing is scheduled for Thursday in the Dutch court, Rechtbank Arnhem.
"We feel the publication would not be responsible," NXP said in an e-mail statement when asked to comment for this article on Wednesday. "We cannot give further comments at this time, as it is in the hands of the court and the court has given a confidentiality order."
A court decision on the matter is expected next week, according to Karsten Nohl, a University of Virginia graduate student who worked with others to break the crypto algorithm last year and has been closely following the case.
The Dutch university's research builds upon Nohl's work. Nohl said he plans to publish his research in August and that NXP has not sued him to halt publication of his work.
"NXP spent most of this year defending the technology," Nohl told CNET News in a phone interview this week. "Only recently have they started admitting that the security is flawed, but they are still not ready for this to leak into the public domain."
"The only thing NXP would achieve if they win the lawsuit is prevent information from getting to other research groups that might very well be looking for solutions to this problem," Nohl said. Meanwhile, information on how to break the cryptography on the smart cards is already available to criminals who are willing to pay tens of thousands of dollars, he added.
A statement issued by the Dutch University in March says: "Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system."
Dr. Bart Jacobs of Radboud University Nijmegen demonstrated last month how he could ride the London transit system for free. Once he had obtained the key used by the London transit system, he brushed up against passengers carrying Oyster transit cards, collected their card data on his laptop, and made clones of the cards.
This YouTube video shows how it is done:
In addition to the transit system in The Netherlands, the technology is used in the subway systems in London, Hong Kong and Boston, as well as in cards for accessing buildings and facilities. The Mifare technology is used in more than 80 percent of the market, Nohl said.
The university defended its plans to publish the research in a statement released Monday in Dutch, saying it has a duty to research and publish data on security technology flaws so that they can be fixed.
Google on Tuesday said it is now using an e-mail authentication technology to keep phishers from luring Gmail users to fake eBay and PayPal Web pages in order to steal usernames and passwords.
The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail. It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains.
Last October, Yahoo announced that it was protecting Yahoo Mail users with eBay and PayPal accounts from phishing attempts using the same technology.
The DomainKeys technology is covered by a patent assigned to Yahoo. The company released it under a dual-license scheme that allows the companies to use it royalty-free under the GNU General Public License (GPL 2.0), which enabled the Internet Engineering Task Force to approve it as a proposed Internet standard.
Summertime is the season for traveling circuses and local fairs, so I shouldn't be surprised that this carnival atmosphere has spread to security. A company named Permanent Privacy just announced a $1 million prize to the person who can crack its algorithm and uncover the underlying encryption keys.
Now I realize there is some history here. In January 1999, a group of academics cracked the 56-bit Data Encryption Standard in just over 22 hours and won a prize of $10,000. That said, I am not a big fan of security showmanship like this from unknown security start-ups.
Why? First of all, this "challenge" isn't really a challenge at all. Permanent Privacy's technology is based upon the AES (Advanced Encryption Standard) algorithm, and since no one has cracked AES, it's highly unlikely that anyone will crack AES with an additional proprietary security wrapper. Furthermore, information security is no longer an academic playground for brainiacs at Berkeley and MIT. Rather, it's serious business that impacts everything we do. Given this level of criticality, I'd rather see things like Common Criteria or FIPS certification than a publicity gimmick.
As a start-up, I understand that Permanent Privacy needs to generate buzz and all PR is good PR. Heck, I did the same thing as VP of marketing at a misguided CLEC during the boom. Security isn't like other technologies, however; it's more about law, order, and safety. Oracle was dragged through the mud when it advertised its database as "unbreakable." Perhaps it's just me, but I think Permanent Privacy deserves a similar treatment in the market.
Microsoft issued a security advisory on Monday warning about targeted attacks being launched that exploit a hole in the ActiveX control for the Snapshot Viewer in the Microsoft Access database management system.
Basically, an attacker would have to lure a victim, via a link in an e-mail or IM for instance, to a specially crafted Web page that could exploit the security hole to allow remote code execution. This would provide the attacker with as much access to and rights on the computer as the logged-in user has.
The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, 2002 and 2003.
The ActiveX control, which allows a user to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access, ships with the standalone Snapshot Viewer and with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007.
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the Internet zone to "high." This is a mitigating factor for Web sites that a user has not added to the Internet Explorer Trusted sites zone, according to Bill Sisk, security response communications manager for Microsoft.
In addition, a security feature in Internet Explorer can be set to prevent ActiveX controls from being loaded by the IE HTML-rendering engine, the advisory says.
Microsoft suggests that users adopt a workaround, such as configuring IE to disable Active Scripting or to prompt before running it, or setting Internet and local intranet security zone settings to "high" to prompt before running ActiveX Controls and Active Scripting.
Eventually, Microsoft may provide a security update for the vulnerability, according to the frequently-asked-questions section of the advisory.
"While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA (Microsoft Security Response Alliance) partners to help protect customers," Sisk says.
A day before the United States celebrates its independence, we continue to question our individual freedoms online. In Thursday's Daily Debrief, CNET News.com Editor in Chief Dan Farber and I discuss a federal judge's recent ruling in the ongoing Google-Viacom lawsuit that orders Google to turn over YouTube user activity. This will include videos watched, IP addresses, and usernames as part of an ongoing copyright infringement case.
Understandably, this news is disconcerting for YouTube users. Sources tell CNET News.com, however, that if Viacom uses this information for anything other than investigating piracy issues, it will be held in contempt of court. Regardless, Farber makes the point that this ruling could now set a precedent for other online privacy and security battles. Representatives from the Electronic Frontier Foundation agree, arguing that this court order will slowly erode the online rights we have come to enjoy and appreciate. Sounds like fireworks of a different kind this Fourth of July.
We all worry about keeping our online passwords safe from prying eyes. But now our faith in ATM PIN codes is being shaken.
Three people face charges in federal court in New York for allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes, according to court filings reported on by The Associated Press on Tuesday.
The alleged thieves made off with about $2 million between October 2007 and March of this year. Officials believe they remotely broke into the back-end computers that approve cash withdrawals and grabbed the PINs as they were being transmitted from the ATMs to the transaction processing computers, which increasingly use Windows, the report says.
Wired News was the first to report on the ATM network breach.
Updated Tuesday at 9:10 a.m. with Google comment.
A few months ago, spam came to Google Calendar. Now phishing has arrived.
Intrepid Google watcher Philipp Lenssen wrote late last week about being the target of a phishing attempt via Google Calendar.
He received an e-mail to his Gmail account with a reference to a legitimate event from his calendar. The sender was listed as "customer care," and it asked him to verify his account by supplying his username and password.
"We are having congestions (sic) due to the anonymous registration of Gmail accounts, so we are shutting down some Gmail accounts, and your account was among those to be deleted. We are sending you this email to so that you can verify and let us know if you still want to use this account," the e-mail said, complete with grammatical and spelling mistakes that can tip people off to phishing attempts.
On May 28, a Google Talk Guide addressed the issue in a Google Groups thread, urging users to click the "Report Phishing" link if they receive suspicious e-mails and not to click on links within the e-mails or open attachments.
Late on Monday, a Google representative e-mailed this statement: "Spam is an issue for all Internet users, and we work very hard to fight it. Using Google Calendar, or any Google product, to send spam is a violation of our product policies. We are actively identifying Calendar accounts that send spam and disabling them."
Google has more information on how to protect against e-mail fraud on its Official Google Blog Web site.
Philipp Lenssen of Google Blogoscope writes about how phishers targeted him via Google Calendar. This is a screenshot of the e-mail he received.
(Credit: Blogoscoped)
The makers of World of Warcraft are offering players of the online role-playing game an optional layer of security in the form of an electronic token device called Blizzard Authenticator designed to prevent unauthorized access to an account.
The lightweight device, which fits on a keyring, provides a unique, one-time six-digit numeric code that the account holder includes when logging in. It is used in addition to a password and account name.
It was offered to attendees at the 2008 Blizzard Entertainment Worldwide Invitational in Paris over the weekend and will be available for $6.50 through Blizzard's online store soon, according to the company.
"It's important to us that World of Warcraft offers a safe and enjoyable game environment," Mike Morhaime, CEO and co-founder of Blizzard Entertainment, said in a news release distributed last week. "One aspect of that is helping players avoid account compromise, so we're pleased to make this additional layer of security available to them."
World of Warcraft users have had their share of security issues. Last year, hackers were luring players to Web sites and surreptitiously downloading keylogging software onto their Windows computers through vulnerabilities in Internet Explorer. The software allowed the hackers to hijack the victims' WoW accounts and sell off valuable in-game assets.
WoW players also have been targeted by a password-stealing Trojan sent via e-mail and peer-to-peer file-sharing sites.
It's unclear exactly what prompted the company to release Blizzard Authenticator. A company spokesman said on Monday that representatives were still in Paris where it was late at night and could not immediately be reached for comment.
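The piece above describes a keyring token that produces a one-time six-digit code used alongside the account name and password. The following is an added illustration of how a server verifies such codes; it is not Blizzard's code and does not claim to be the algorithm the Blizzard Authenticator uses. It implements the public HOTP construction (RFC 4226) and assumes a shared secret provisioned to both token and server, a counter that advances with every code, and a small look-ahead window so the token and server can drift slightly without locking the user out. The point it makes is the one the article implies: a keylogger that captures the password and one code still cannot log in afterwards, because an accepted code is burnt.

```python
"""HOTP-style one-time code verification (RFC 4226).

Added example, not Blizzard's code.  Assumptions: the token and the server
share a secret; the token shows HOTP(secret, counter) and bumps the counter
on each press; the server accepts a code only once.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Truncate HMAC-SHA1(secret, counter) to a fixed-width decimal code."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenAccount:
    """Server-side state for one account: password hash, token secret, counter."""

    def __init__(self, password: str, token_secret: bytes, look_ahead: int = 5):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash_password(password, self._salt)
        self._secret = token_secret
        self._counter = 0            # lowest counter value the server will still accept
        self._look_ahead = look_ahead

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2 so a stolen database does not yield the password directly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, code: str) -> bool:
        """Require BOTH the password and a fresh token code.

        The server searches a small window of future counters so that a few
        stray presses on the token do not desynchronise it.  Once a counter
        is accepted, it and everything below it are burnt: replaying a code
        captured by a keylogger fails."""
        if not hmac.compare_digest(
            self._pw_hash, self._hash_password(password, self._salt)
        ):
            return False
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret.
    acct = TokenAccount("hunter2", b"12345678901234567890")
    print(acct.login("hunter2", hotp(b"12345678901234567890", 0)))  # True
    print(acct.login("hunter2", hotp(b"12345678901234567890", 0)))  # False: replayed
```

The counter-based scheme shown here is the simplest one; time-based variants replace the counter with a time step but keep the same HMAC truncation and the same "accept once" rule.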
Vancouver-based computer technician Byron Ng, who likes to prod social networks for holes and other errors, stumbled across a way to learn more about Facebook users than you're supposed to be able to--prompting Facebook to suspend the Top Friends application late on Wednesday.
Until Facebook suspended the Top Friends app, created by Slide, anyone could browse partial profiles of anyone else on Facebook who had added Top Friends to their page. CNET News.com confirmed that the security hole exposed the birthdays, gender, and relationship status of strangers, including Facebook executives, the wife of Google co-founder Larry Page, and one profile that seemed to belong to Paris Hilton that used her middle name "Whitney."
Security holes in Facebook can be used to access people's personal information and view their friends and other activities if they are using the Top Friends or Super Wall apps. For instance, this screenshot shows the Top Friends of Facebook Chief Operating Officer Sheryl Sandberg. CNET News.com obscured her personal information.
(Credit: CNET News.com)
Basically, the app was not obeying the privacy settings specified by the user, enabling anyone with the know-how to bypass the security once they obtained someone's Facebook ID number.
"We expect third-party apps to follow the rules the users set," Ben Ling, director of platform product management at Facebook, said in a phone interview Wednesday. "With Top Friends, the privacy settings of the user were not being respected according to the privacy policy terms of use."
Less than six hours after CNET News.com contacted Facebook on Wednesday about the matter, the company decided to suspend the Top Friends app, meaning no one can use it, Ling said. The company is also conducting an ongoing investigation into the matter, he said.
Meanwhile, another third-party app that Ng disclosed a security hole in, Super Wall, was fixed. With Super Wall, which was created by RockYou, no personal data is revealed, but anyone could have viewed the Super Wall of any other user, even if they were not friends.
"Super Wall is respecting the privacy rules of the site," Ling said, adding that data created in the apps is not governed by the same privacy policies as user profile data.
These are supposedly the Top Friends of Paris Hilton, who apparently listed herself using her middle name.
(Credit: CNET News.com)
Before the app was suspended, CNET News.com was able to use Top Friends to pull up profiles of Bobby Jindal, the Republican governor of Louisiana who's been talked about as John McCain's running mate; Facebook Chief Operating Officer Sheryl Sandberg; Jonathan Heiliger, Facebook's vice president of technical operations; and what is believed to be a page for Hilton.
Similar steps were taken to view the Super Wall pages for Sandberg, Facebook founder Mark Zuckerberg; Google executive Marissa Mayer; and Lucy Southworth, wife of Google founder Larry Page.
By accessing these pages it is easy to get the Facebook ID numbers for their friends and see their pages, as well.
Nothing on the Super Walls was all that juicy (who hasn't been annoyed by the "Click forward to see what happens" spam?), but the information revealed through Top Friends is sensitive and could have been used to commit identity theft if it landed in the wrong hands.
"Any Facebook user who adds an application to their profile is agreeing to give any of their personal information to the developer of that profile," Ng wrote in an e-mail after walking News.com through a demonstration of how to exploit the security holes. "Facebook has pretty low barriers of entry with regards to becoming a developer. You just need a Facebook account and to fill out some online forms."
This screenshot shows the Super Wall of Facebook founder Mark Zuckerberg. News.com blacked out the names.
(Credit: CNET News.com)
It would be fairly easy for someone to create a new Facebook app that could be used to steal people's information, he said.
"Of course, it's against the Facebook terms of service for an application to store someone's personal information, but there's NO WAY for Facebook to verify compliance since Facebook applications run on PRIVATE THIRD-PARTY SERVERS, not on their own servers," Ng wrote.
Ng uncovered a way to snoop on strangers' SuperPoke pages a few weeks ago and Facebook promptly plugged it. He also exposed a hole in MySpace earlier this month that allowed people to see private photos of Hilton and her celebrity pal Lindsay Lohan, and currently there is an open hole in MySpace that allows anyone to create a discussion group and delete other people's bulletins, even if they are not the group leader, he said.
A MySpace representative said late Wednesday she was looking into the matter.
CNET News.com's Declan McCullagh contributed to this report.
Updated 12:00 p.m. Thursday with additional Trusted Computing Group comment.
Early this decade, Microsoft weathered unrelenting criticism over a controversial set of technologies known as Palladium, which the company envisioned as creating a kind of secure vault to store passwords or medical records.
Academics warned it could "support remote censorship" and blacklists, likening Palladium to the Soviet Union's efforts to register typewriters and fax machines. Privacy activists predicted it would hand Microsoft "an unprecedented level of control" over the world, and free software doyen Richard Stallman solemnly dubbed it "treacherous computing."
It worked, kind of. Microsoft retreated by doing what any large bureaucracy tends to do in response to such a kerfuffle: it gave its problem a new name. Palladium became the awkwardly titled Next-Generation Secure Computing Base, or NGSCB (and the group Microsoft coalesced around the initiative changed its name from Trusted Computing Platform Alliance to Trusted Computing Group), and critics mostly moved on to worry about the recording industry and other threats to digital liberties instead.
Since then, the NGSCB--once derided as "nagscab"--has existed in an odd kind of technological purgatory. One report in 2004 said that Microsoft had "killed" NGSCB, which the company quickly denied later the same day. CNET News.com published a story in 2005 quoting Microsoft as saying NGSCB was "still coming."
After six years, the supposed world-striding colossus of a technology that once sparked so much fuss (one reviewer said it might become "either Santa or Satan") is much diminished. NGSCB never did live up to its early promise--or what critics would have said was its early threat as a digital rights management tool that would restrict how people consume content on their PCs and lock them into one vendor.
"It has changed from something that was very revolutionary and grandiose into something much more modest," said Andrew Jaquith, a senior analyst at Yankee Group.
And then came BitLocker
NGSCB does live on, manifesting itself in a Microsoft technology called BitLocker, a Microsoft spokesman confirmed.
BitLocker, Microsoft's only product to come from the Trusted Computing effort, is a feature in Windows Vista Enterprise, Vista Ultimate, and Windows Server 2008 that encrypts the disk drive to protect against data theft or exposure if the computer is lost or stolen. (Trusted Computing should not be confused with Trustworthy Computing, which is Microsoft's effort to improve the security of its own products and is largely considered to be successful.)
While it is useful, BitLocker hasn't taken the computing world by storm yet, or even been enough to justify upgrades to Vista, said Rob Helm of Directions on Microsoft.
"BitLocker hasn't been the rage anybody expected, although there is a strong case for using that feature on laptops," he said. In addition, plenty of third-party products--many offering whole disk encryption--exist.
Bruce Schneier, crypto researcher, author, and chief security technology officer of BT, was one of the more vocal critics when Microsoft first unveiled its Trusted Computing plans in 2002. In 2005, he was still beating the drum, writing that Microsoft was attempting to stall, and possibly get Vista exempted from a best practices document for the Trusted Computing Group that addressed many of the critics' concerns.
The Best Practices Principles (PDF), which was written in 2003 and eventually published in 2005, gives consumers some control over disabling the functionality, allows devices to support multiple users, adds privacy protections, and calls for interoperability and portability of data.
"We were concerned that users were able to opt in and not be controlled from above," said Susan Landau, a distinguished engineer at Sun Microsystems who worked on the Best Practices document after Sun joined the Trusted Computing Group. Sun was not a member of the Trusted Computing Platform Alliance.
"The public criticism certainly created pressure," especially when it conflicted with consumer privacy guidelines in Europe and elsewhere, she said.
"I think it's interesting that the (Trusted Computing Group) technology is continuing, but the big DRM push, so far, has not happened," Landau said.
Putting trust in a module
The centerpiece of the Trusted Computing Group is the Trusted Platform Module, a microcontroller that stores keys, passwords, and digital certificates in a secure, isolated area. They are widely distributed in computers from Dell, Fujitsu, Gateway, Hewlett-Packard, Intel, Lenovo, Toshiba, and others, but most people don't even know they are there. BitLocker makes use of the Trusted Platform Module.
Microsoft has "convinced a lot of hardware manufacturers to put the chips in computers and they're in a lot of computers, but they're not doing anything," Schneier said. "The question is what are they going to do with the chips? How is Dell feeling these days?"
A Dell spokesman did not return a call seeking comment. Even Scott Rotondo, president of the Trusted Computing Group, acknowledges that the Trusted Platform Modules need more applications.
"A lot of them haven't been utilized fully and in some cases not at all," said Rotondo, who works as a senior staff engineer in Solaris Security Technologies at Sun. "The supporting infrastructure has been slow to materialize."
"It stands to reason that there might be frustration on the part of hardware manufacturers," Rotondo said, likening it to a "chicken and egg situation."
"We need to really make use of these things before the hardware manufacturers get tired and take them away," he added.
Trusted Platform Modules "have not yet fulfilled their potential, but Microsoft and other companies are working on it," the Microsoft representative said.
A Trusted Computing Group spokeswoman said on Wednesday that the organization is not focused on DRM and that applications that use the TPM include secure e-mail, multifactor authentication, password management, and single sign-on. The group is also working to extend the concepts of hardware-based security to storage, network security, and mobile devices, she said.
While initial concerns about misuse of the technologies slowed down the group's efforts, people see legitimate uses for the technology, and digital rights management could be among them, Rotondo said. However, any digital rights management systems would have to maintain a proper balance between the rights of the content owner and the rights of the consumer, he said.
Where Microsoft failed in doing that, Apple has succeeded, according to Paul Saffo, a Silicon Valley-based technology forecaster.
"The biggest thing that has changed in the last five years is iTunes and the iPhone," he said. "The companies got their protection and the consumers got the right to purchase individual songs at a price that was less than the cost of the album."
Don't discount Microsoft just yet, warns Ross Anderson, a security engineering professor at the University of Cambridge's Computer Lab and an early critic of the Trusted Computing Platform Alliance.
Asked if the world has been spared a Microsoft digital rights management machine, Anderson responded in an e-mail: "Wrong--WMP (Windows Media Player) and the surrounding stuff that MS hopes will enable it to do to the HDTV market what Apple did for MP3s."
Saffo joked: "It's like a horror movie; they'll be back."
(CNET News.com's Declan McCullagh contributed to this report.)