Security Watch

U.S. Looks at Tougher Hashing Algorithms

Plus Sendmail vulnerability, Visa warning, security issues down under and more.

• By Russ Cooper
• 04/17/2006

According to NIST the increases in computing power have made SHA-1 less desirable than, for example, SHA-224, SHA-256, SHA-384 and SHA-512. However, currently all are essentially vulnerable to the “Chinese attack” (http://eprint.iacr.org/2004/199.pdf ). Until a new form of algorithm appears that resists the collision attacks, implementing strong versions of SHA may not yield the increased strength desired.

Sendmail Signal Handling Race Condition Vulnerability: Sendmail contains a race condition vulnerability when handling a certain sequence of events and commands that could allow a remote attacker to execute arbitrary code.   

Proof of concept exploit code is available, as are patches. With all of the Microsoft Exchange Server and PostFix in use on the Internet, the number of people still running Sendmail has dropped. As such, the excitement a Sendmail vulnerability used to cause has diminished significantly.

Visa recently issued a very specific, confidential warning to a number of financial institutions recently related to point of sale software used by Fujitsu Transaction Solutions. Visa warned that a specific configuration of a very specific version of the software could result in confidential data being stored; data which Visa insists not be stored. Fujitsu, for its part, reported that they recommend that the configuration in question not be used in a live environment as it is only intended for testing. However, with the information supplied by Visa, Fujitsu was able to determine that a single chain of stores was using the utility (TraceMon) in a live environment.

This clearly shows there is an increased effort to minimize the possibility of confidential data being stored without the store's knowledge. Cybertrust has repeatedly warned that unknown data storage is the most likely source of such disclosures.

Australian Digital Speed Camera "Defense": Technicalities and unbelievable incompetence on the part of the government abound, proving the courts (and in particular the prosecution) should not be let anywhere near cryptography. They didn't seem to be able to produce an expert witness on cryptography given three months, and as a result up to 1G$ in fines and penalties may have to be refunded.

There are two important issues in this case. The first is that the laws governing the use of digital pictures from speed cameras stated that they must be digitally signed using MD5. When MD5 was deemed too weak, the government illegally implemented SHA-1 -- illegal because the law was not modified to allow for stronger algorithms than MD5. The second issue was that the prosecution did not produce an expert to refute arguments by the defense that forging of the digital pictures was trivial.

Human Factors
After a tip from the Belgian Federal Computer Crime unit, Australian police recently arrested a 22-year-old male in Melbourne and charged him with using a telecommunications network with the intention to commit a serious offence. The man was indicated as being responsible for attacks against Australian IRC servers in 2005 that affected bot-controlled PCs in the U.S., Singapore and Austria.

The charge carries a maximum penalty of 10 years in prison. We can only hope.

Physical Security
Kingston has released the DataTraveler Elite (DTE), Privacy Edition, a USB drive that encrypts data using the 128-bit Advanced Encryption Algorithm (AES). The drive requires neither special software nor any special action on the part of the user. The drive uses a built-in chip accelerator to run the encryption with transfer rates of 24 megabytes per second for reads and up to 14 megabytes per second for writes.

Governance
A panel at the recent Information Processing Interagency Conference 2006 moderated by Steve Cooper, senior vice president and chief information officer for the Red Cross, discussed whether the government or private sector should be in control of a national information technology response plan. No clear consensus was arrived at.

What is clear that government and the private sector have to work together; before, during and after disaster events. If Katrina proved anything, it was that no single organization is capable of handling everything, and coordination amongst them will determine the success of any effort.

Consumer groups and privacy advocates are upset of a proposal by the U.S. Internal Revenue Service that would allow tax preparers to sell data from their clients' returns.

Apparently tax preparers are currently allowed to share data with their own companies. The new rules would permit them, under certain conditions, to sell their data to non-related third parties. The move is intended to make the electronic tax preparation business more lucrative, given the benefits such filing brings to the U.S. IRS.

The sale or sharing of confidential information is nothing new -- credit card companies and other financial services companies have been doing it for years with the consent of their customers.