2010
09.28

From SANS: This could be interesting…

–Administration Will Seek Changes in Wiretap Rules to Cover New
Technologies
(September 27, 2010)
The Obama administration plans to submit a bill to legislators
next year that would require all communications services to have
technology in place so they will be able to comply with wiretap
orders.  Targets include services like BlackBerry, Facebook and
Skype. The administration claims that the increasing use of online
communications has lessened their abilities to intercept communications
of criminal and terrorism suspects. The proposal is likely to require
communications services offering encryption to have a method of decryption;
to require foreign companies doing business within the US to establish
offices in the country that can intercept the requested communications;
and to require peer-to-peer software developers to redesign their
products to allow interception.  Officials maintain the proposal is
not seeking an expansion of authority, but rather is clarifying how
wiretaps apply to technologies that did not exist when the original
rules were established.  The proposal has met with criticism.  Columbia
University computer science professor Steven M. Bellovin noted that “if
they start building in all these back doors, they will be exploited,”
and Center for Democracy and Technology vice president James X. Dempsey
said “They basically want to turn back the clock and make Internet
services function the way that the telephone system used to function.”
http://www.nytimes.com/2010/09/27/us/27wiretap.html?_r=2&hp=&pagewanted=all
[Editor’s Note (Northcutt): Steven Bellovin is correct; there is ZERO
chance of law enforcement being able to implement this and organized
crime not being able to exploit it. This is a lose-lose proposal.
(Pescatore): In 1994, we went through the same drill when phone lines
went digital and thus the Community Assistance to Law Enforcement
Act which forced telecoms vendors to build in back doors to enable
legal surveillance. There always needs to be a balance between what
technology can do and what society allows law enforcement to do.]

2010
09.22

News from SANS

TOP OF THE NEWS
–Microsoft Says Millions of ASP.net-Based Web Sites Vulnerable To
Major Attack
(September 20, 2010)
Microsoft confirmed that a vulnerability disclosed at a Buenos Aires
hacker conference is present in “millions of web sites” that rely on the
ASP.Net framework. The researchers showed how attackers can exploit an
error in ASP.Net’s encryption to decrypt data on a remote server, and
read and copy files from a site or Web application that relies on the
framework. Especially vulnerable to theft are user names and passwords.
The vulnerability is present on millions of Web sites. Microsoft has
published a tool to detect vulnerable ASP.Net applications and established
a dedicated support forum (http://forums.asp.net/1233.aspx) to answer
questions from people building web sites and applications.
http://www.computerworld.com/s/article/9186842/Microsoft_sounds_alert_on_massive_Web_bug
[Editor’s Note (Pescatore): When you learn to drive, they always try to
ingrain “defensive driving” into you, as driving is dangerous. Since
software engineering is still an oxymoron, and web sites represent the
“LA Freeway” (Or “LIE” for you East Coasters) of software, defensive web
site techniques are clearly required to protect customer and business
data.]