The snooping dragon: social-malware surveillance of the Tibetan movement

Shishir Nagaraja of the University of Illinois at Urbana-Champaign and Ross Anderson of Cambridge University have published a very interesting paper called “The snooping dragon: social-malware surveillance of the Tibetan movement” (abstract, full report) on how agents of the Chinese government managed to infiltrate the computer network of the Dalai Lama’s organisation through ingenious social engineering and gain access to intelligence information that could lead to people’s arrest and possible execution.

It’s a very interesting report. It points out that the techniques used are within the reach of motivated individuals as well as government intelligence agencies, and it ponders how less well known organisations could cope with such attacks; it also lends weight to the sage advice offered in Ross Anderson’s “Security Engineering” book. Both are well worth a read, even for those of us whose network security is not a literal matter of life or death.

Taxing Questions for Liechtenstein

I was listening to the BBC From Our Own Correspondent podcast, which had a great piece by John Sweeney about murky goings-on in Liechtenstein. Part of it made me think that they’ve been going to the same school as Microsoft:

The next morning we heard that there was a banking seminar at the university on openness. This being Liechtenstein, the openness meeting was closed, at least to us.

John also has a wicked sense of humour..

Imagine my disappointment on discovering that Liechtenstein was, in fact, the most boring place on earth. I’m used to boredom – I work for the BBC, for heaven’s sake – but Liechtenstein was as dull as ditchwater, no duller. They bank behind closed doors. They create fuzzy trusts behind closed doors. They make false teeth. And then they go to bed. The person who most looked like a ruthless killer was Howard, and he was the BBC producer.

Well worth a listen.. 😉

Rogue CA – MD5 collisions for phun and profit

Now this is, umm, interesting..

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Trust no one..
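The practical consequence of the rogue CA result is that a certificate chain containing an MD5-signed certificate can no longer be trusted. As an added example (not code from the researchers or the post), here is a minimal DER walker that reads the signatureAlgorithm field of an X.509 certificate and flags MD5/MD2 signatures; the two sample certificates are constructed skeletons built by the `der()` helper, not real certificates.

```python
# Defender-side check: report the signature algorithm of an X.509 certificate
# and flag chains that still rely on MD5. Constructed example, not from the paper.
SIG_ALGS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BROKEN = {"md2WithRSAEncryption", "md5WithRSAEncryption"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = read_tlv(cert_der)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _, pos = read_tlv(body)                 # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)            # signatureAlgorithm (AlgorithmIdentifier)
    tag, oid, _ = read_tlv(alg)                # its first child is the algorithm OID
    assert tag == 0x06, "expected an OID"
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)

def uses_broken_hash(cert_der):
    return signature_algorithm(cert_der) in BROKEN

def der(tag, body):
    """Tiny DER encoder, used only to construct the sample certificates below."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def sample_cert(oid_bytes):
    # Constructed skeleton: empty tbsCertificate, given AlgorithmIdentifier, empty signature.
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))

MD5_CERT = sample_cert(bytes.fromhex("2a864886f70d010104"))     # md5WithRSAEncryption
SHA256_CERT = sample_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

On a real chain, feed each certificate's DER bytes to `uses_broken_hash()`; any intermediate or root signed with MD5 is the weak link the attack exploits.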

Using Internet Explorer? Switch Browser Now!

Oh joy, the BBC is reporting

Users of the world’s most common web browser have been advised to switch to a rival until a serious security flaw has been fixed.

It’s yet another security hole in Internet Exploder, this time a heap overflow that works against IE 7 as well as IE 6 and the betas of IE8.

It’s being actively exploited too (again from the Beeb):

As many as 10,000 websites have been compromised since last week to take advantage of the security flow (sic), said antivirus software maker Trend Micro.

I’m pretty sure the writer meant flaw, not flow.. 🙂

Please use Firefox instead!


Book Meme

Seeing as everyone else on PLOA is doing it.. 🙂

  • Grab the nearest book.
  • Open it to page 56.
  • Find the fifth sentence.
  • Post the text of the sentence in your journal along with these instructions.
  • Don’t dig for your favorite book, the cool book, or the intellectual one: pick the CLOSEST.

So here’s mine:

This was spotted quickly, and a patch was shipped, but almost a hundred U.S. government systems in Germany were using unlicensed copies of the software and didn’t get the patch, with the result that hackers were able to get in and steal information, which they are rumoured to have sold to the KGB.

That’s from “Security Engineering: A Guide to Building Dependable Distributed Systems” (second edition) by Ross Anderson. I’m on page 76 of 891..

It’s the only book I have with me here for SC08 in Austin, Texas, so you can’t say I rigged it! 🙂

A Tale of Two Transport Hacks

In the USA a court has ordered that three MIT students not talk at DEFCON about their security assessment of the Massachusetts Bay Transit Authority (MBTA) fare cards. Apparently the court believes that “discussing the flaws at a public conference constituted a ‘transmission’ of a computer program that could harm the fare collection system”, which is pretty sad. There are more documents at Cryptome on the case. Their presentation was to include a cryptanalysis of the Mifare “Classic” card, which takes us to our second case..

Bruce Schneier reports that a group of Dutch researchers have won in court to be able to publish their own cryptanalysis of that very same Mifare Classic card, with the court stating:

Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.

An outbreak of common sense that the MIT students could only dream of. I wonder if they could appeal and cite this case as grounds to have the judgement overturned?