Unix and Security Article Links

Obtaining help with security investigations

General help should first be obtained by attending the timetabled tutorial sessions. However, it is impossible for your tutor to be an expert in all areas of IT where your security investigation is likely to take you.

More specialist help for the use of open source software products and protocols can very often be obtained from forums and support groups and via mailing lists on the Internet. But if you expect intelligent answers, common politeness requires you to ask intelligent questions. So do your homework first by making sure you have read and understood the documentation provided with the software as best you can. Then read and follow these guidelines to improve your chances of making good use of the time of those you are asking for help.

Unix articles

A good Bourne shell programming starter guide.

General Security Article Links

Ken Thompson's evil C compiler hack raises the question of whether you can fully trust a system even if you could inspect all of its source code. Where trust in a complex system begins and ends is an open question.

Wikipedia Disaster Recovery article (checked 2 Oct 2009)

On entropy and randomness. An article explaining the use of a limited entropy pool to seed a pseudo-random number generator.

Getting Elvis through (some) border controls using a fake E-Passport

W32-virut-cf collateral damage. A Symantec employee's article revealing how difficult it is becoming to clean up a network after infection by a hard-to-detect, state-of-the-art computer virus. An infection by this virus is the focus of a recent story about how an Australian regional electric grid came close to being shut down.

Domestic Embedded System Insecurity

Not so smart electricity metering. This article covers a major privacy leak arising from networked smart electricity metering. It seems we need to be careful not only about attackers being able to control devices within our own homes using this vector, but also about them being able to tell when we are in or out, and even what we are watching on our TV sets: the brightness levels on screen affect power consumption, so programs and films have identifying power consumption signatures.

Financial Engineering

How to lose $7.2bn for your employer with just a few Basic skills.

Cross-site scripting (XSS) and cross-site request forgery (XSF)

Some XSS and XSF training animations.

The RFC2965 standard dictates that web cookies are valid in all subdomains that have not set their own cookies. This opens a major XSS hole in large domains wherever a vulnerability exists in one of their subdomains. This one is likely to crop up in various places for a long time to come, because the underlying weakness is built into an important Internet standard.

Social Engineering

Turning the tables - A nifty bit of social engineering captured for posterity.

Digital Rights Management (DRM)

The text of Cory Doctorow's (of the EFF) talk at Microsoft concerning DRM. In TXT format, but it also contains URLs for versions in many other formats.

RSA side-channel cryptographic attack poses threat to DRM.

PKI - Public Key Infrastructure

Peter Gutmann's tutorial (PDF format) covering why public key certificate revocation is inherently hard and likely to be unreliable in practice.

Rubber hose cryptanalysis

The term "Rubber Hose Cryptanalysis" refers to the practice of using torture to obtain cryptographic keys instead of more technical methods. The application of a rubber hose to the soles of the feet of the individual who knows the key is thought by some to discover the key more efficiently, for strong cryptography and under some circumstances, than other methods. In this context, the provision in the UK's RIPA allowing the threat and practice of imprisonment against those who will not otherwise disclose keys to the criminal justice authorities, or decrypt data on request, can be considered in a similar light, if the threat of imprisonment can be considered a form of torture when applied to someone with an already unstable mental health condition.

UK jails schizophrenic under RIPA for refusal to decrypt files.

Hash functions

MD5 has been known to be insecure for some time. This was proved in 2004 with a demonstration of two documents hashing to the same value. Then in 2007 the technique was improved so that the second document could contain just about anything. Now it seems that this trick can be used to fake a digital SSL certificate for a web site of the attacker's choosing, which will validate in any web browser that still accepts certificates signed with an MD5 hash, as many certificate issuers still used (Dec 2008). They should have switched to the SHA2 algorithm some time ago, but did they? Tough luck if the SSL certificate you paid for used an MD5 hash, because once all your site's users have had their browsers updated, it won't work any more. Until your browser is updated to reject MD5, you can't trust the identity of any HTTPS website you connect to on the strength of its certificate alone.