Two researchers for Hewlett-Packard have created a browser-based darknet, an idea that could make it easier for businesses to keep eavesdroppers from uncovering confidential information.
Darknets are encrypted peer-to-peer networks normally used to communicate files between closed groups of people. Most darknets require a certain level of technological literacy to set up and maintain, including taking care of the necessary servers. However, HP researchers Billy Hoffman and Matt Wood plan next week to demonstrate a browser-based darknet called "Veiled," which they claim requires little proficiency to set up and run.
"This will really lower the barriers to participation," Wood told ZDNet UK. "If you want to create a darknet, you can send an encrypted e-mail saying, 'Here's the URL.' When (the recipient visits) the Web site, the browser can just get (the darknet application) going."
Hoffman and Wood are scheduled to demonstrate the technology next week at the Black Hat security conference in Las Vegas.
Wood said HP does not want to turn the project into a commercial product. While the company does not plan to make the source code available, the researchers do plan to open source their idea, so to speak, so other security researchers can "pick up the baton."
"HP has no desire to patent or copyright or release any code," Wood said. "Black Hat is one of the top security conferences, and we want to get this cool idea into the hands of people who are really smart."
Businesses could use browser-based darknets to set up workgroups to exchange commercially sensitive information, or to have a means of making anonymous suggestions to management, Wood said. "I like the idea of a suggestions box on the Web," he said. "It provides an anonymous way to make suggestions to your boss."
HP's darknet research came about when the researchers realized the potential of new browser technologies, according to Wood.
Browsers with HTML 5 support--such as recent versions of Firefox, Safari and Internet Explorer--allow files to be stored "persistently" on the client, for working on them when offline. This feature, coupled with the distributed grid-computing nature of a darknet, means files can be effectively uploaded in perpetuity, even when the initial browser has been shut down. It also makes the darknet resilient, said Wood.
"One of the benefits of a darknet is that they are distributed," said Wood. "To destroy it, you would have to take down all of the clients, because if one server gets compromised, you just shift to a different server. They can hop around."
Advances in JavaScript engines, such as Google's Chrome V8 and Mozilla's TraceMonkey, have also helped make browser-based darknets possible, according to Wood. These engines allow browser-based communications to be set up quickly and encrypted. The Veiled darknet uses RSA public key cryptography, but any cryptography will work.
"Cool advances in JavaScript technology allow encryption in the browser," said Wood. "Browsers are getting really powerful."
Tom Espiner of ZDNet UK reported from London.
HP is set to announce on Monday a free tool that developers can use to check for holes in the Flash applications they write, which can lead to data leaks and other security problems on Web sites.
HP SWFScan decompiles Flash applications and searches the code for vulnerabilities and violations of Adobe's best security practices guidelines, said Billy Hoffman, manager of HP's Web Security Research Group. The tool works with all versions of Flash.
With the Flash Player installed on more than 98 percent of Internet-connected computers globally, Flash applications are a popular target for attackers. HP analyzed nearly 4,000 Web apps developed with the Flash platform and found that 35 percent violate Adobe's security best practices.
For example, encryption keys and other sensitive data have been found inside client-side Flash code, Hoffman said.
Flash, traditionally used for creating animation and games, has been increasingly used for Web 2.0 apps destined for enterprise use, for which tighter security measures are required, he said.
Hoffman explains how a Flash app vulnerability can be exploited in this video.
This isn't the first tool aimed at Flash developers. IBM last month announced its Rational AppScan, which automatically scans Flash and Ajax-based applications for security defects. The standard version of that product costs $17,550 for a one-year license.
Last year, HP was called upon by Microsoft to develop a free tool, Scrawlr, that developers can use to test for SQL injection vulnerabilities in apps on Microsoft's ASP platform, according to Hoffman.
While developers are striving to write more secure Flash apps, Adobe occasionally is forced to deal with security holes in the Flash Player itself. For instance, Adobe recently issued a patch for a hole in the player that could allow an attacker to remotely take control of a computer.
Not everyone is rocking to the new iTunes 8 released Tuesday. An informal poll on ZDNet suggests that a problem with the latest edition of the Apple media player is affecting some, but not all, users of the software on Microsoft's Windows Vista. (You can download iTunes 8 for Windows from CNET Download.com.)
Users on an Apple forum reported seeing the so-called blue screen of death (BSOD) on their desktops running Windows Vista with iTunes 8 installed. The BSOD problem occurs shortly after connecting their iPods and iPhones.
A second, more subtle effect is that their CD/DVD drives "disappear."
ZDNet's Ed Bott offers a look at the upgrades or changes in iTunes 8.
Removing other USB devices, such as Webcams and printers, appears to resolve the problem, for the moment. Users on the forum speculate that there is an incompatibility between Apple and USB products from Logitech and HP, as well as disc-burning software from Roxio.
We will update this post with further details as they unfold.





