billso.com

Bill Sodeman writes about management, mobile computing and information systems


Entries tagged as 'crypto'

Who will host USAF’s Cyber Command?

ism tech

Posted Monday, 17 March 2008

Wikipedia has a stub article about AFCYBER, a new Air Force command that, for now, is based in Bossier City, Louisiana. Several cities are contending for the command’s permanent headquarters, but I am not sure if Honolulu is one of the candidates.

I discussed the Cyber Command on 2 November 2006, when the funding request was first announced.

See these two Wired articles for some more information.

The Air Force has a new marketing slogan, "Above All", that incorporates its new emphasis on cyberspace, but the tagline sounds a bit too German to BoingBoing and tongodeon, and I agree with both blogs. Germany's national anthem, the Deutschlandlied, opens with the line "Deutschland, Deutschland über alles", and that first stanza is the one that was sung during the Nazi era.


Tags: crypto, Internet, malware, security, USA

Pakistan blocks YouTube, breaks trust

ism

Posted Sunday, 24 February 2008


Earlier today, we noticed that YouTube was not available. An ISP in Pakistan, PieNet, single-handedly blocked global access to the popular video site for two hours, according to multiple reports on the Times of London, ZDnet, ReneSys, OpenDNS and Data Center Knowledge.

PieNet did not hijack YouTube's domain name; it hijacked YouTube's IP addresses. It sent Border Gateway Protocol (BGP) advertisements claiming that the block of addresses YouTube uses could be reached through Pakistan, and because the block it announced was smaller (more specific) than YouTube's own advertisement, routers around the world preferred it and sent YouTube-bound traffic to Pakistan. ISPs use BGP to tell each other's routers which address blocks they can reach, creating the global internetwork that we call the Internet. ISPs trust that the BGP advertisements they receive from other ISPs are correct; nothing in the protocol itself checks.

Trust is cheap

Researchers have developed cryptographically authenticated versions of BGP (S-BGP, for example), in which an advertisement carries signatures showing that the originating network is entitled to announce that address block and that each network along the path really did pass it on. ISPs would rather not deploy them, because validating signatures on every routing update would need more powerful and expensive routers. While Cisco and other router manufacturers would welcome the additional sales revenue, ISPs would pass their increased costs along to businesses and consumers.
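To make the two points above concrete, here is an added example, written for this page rather than taken from the post or from any router vendor, that simulates how a router chooses between two advertisements for overlapping address blocks and how an origin-validation check (the kind of check later deployed on the Internet as RPKI route origin validation) would have discarded the bogus one. The prefixes, AS numbers and the ROA table are all constructed: the addresses come from the benchmarking range and the ASNs from the private-use range, standing in for the real networks in the story.

```python
import ipaddress
from dataclasses import dataclass

# Constructed identifiers: private-use ASNs and a benchmarking-range prefix,
# standing in for the real networks in the story.
VICTIM_AS = 64500      # the network that legitimately owns the address block
HIJACKER_AS = 64501    # the ISP that announced the bogus, more specific route
UPSTREAM_AS = 64502    # the transit provider both advertisements arrive through


@dataclass(frozen=True)
class Route:
    """One BGP advertisement as a router keeps it in its table."""
    prefix: ipaddress.IPv4Network
    as_path: tuple  # nearest neighbour first; the last ASN originated the route

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def best_route(table, ip):
    """Simplified BGP decision process: the most specific (longest) prefix
    containing ip wins; among equals, the shortest AS path wins."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


def rov_state(route, roas):
    """Route origin validation. roas maps a prefix to (authorised origin ASN,
    maximum prefix length the holder allows to be announced)."""
    covering = [roas[p] for p in roas if route.prefix.subnet_of(p)]
    if not covering:
        return "notfound"  # nobody has registered this block; usually accepted
    for auth_as, max_len in covering:
        if route.origin_as == auth_as and route.prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"  # wrong origin, or more specific than the holder permits


def accepted_routes(table, roas):
    """The filter an ISP applies at its border: drop only 'invalid' routes."""
    return [r for r in table if rov_state(r, roas) != "invalid"]


# Constructed scenario: the owner announces a /22, the hijacker a /24 inside it,
# and an unrelated network announces a block nobody has registered.
LEGIT = Route(ipaddress.ip_network("198.18.0.0/22"), (UPSTREAM_AS, VICTIM_AS))
HIJACK = Route(ipaddress.ip_network("198.18.1.0/24"), (UPSTREAM_AS, HIJACKER_AS))
UNRELATED = Route(ipaddress.ip_network("203.0.113.0/24"), (UPSTREAM_AS, 64503))
TABLE = [LEGIT, HIJACK, UNRELATED]
ROAS = {ipaddress.ip_network("198.18.0.0/22"): (VICTIM_AS, 22)}


def origin_without_rov(ip="198.18.1.10"):
    """Which network receives traffic for ip when every advertisement is trusted."""
    return best_route(TABLE, ip).origin_as


def origin_with_rov(ip="198.18.1.10"):
    """The same lookup after invalid advertisements have been dropped."""
    return best_route(accepted_routes(TABLE, ROAS), ip).origin_as


def classify_table(table=TABLE, roas=ROAS):
    """Validation state of every route, keyed by prefix."""
    return {str(r.prefix): rov_state(r, roas) for r in table}


if __name__ == "__main__":
    print("trusting every advertisement, 198.18.1.10 is routed to AS", origin_without_rov())
    print("with origin validation, 198.18.1.10 is routed to AS", origin_with_rov())
    print(classify_table())
```

The hijacker never has to claim the whole block: a /24 carved out of the victim's /22 wins every lookup for the addresses inside it, because longest-prefix match runs before anything else in the decision process. The origin check rejects it on two independent grounds, the wrong originating ASN and a prefix longer than the holder permits, and it does so without any signatures on the update itself, which is why this lighter-weight check is what operators eventually deployed. Addresses outside the /24 (198.18.2.10 in the example) were never affected, which matches what the outage looked like from outside Pakistan.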

Many Internet protocols and services rely upon trust. Email is a good example. The core email protocols do not check message content or the identities of senders and recipients, and messages travel across the Internet as plain text that every relay along the way can read. Over the years, as some users decided to exploit the open nature of email, we have bolted on protocols and services to identify spam, check sender identity (SPF and DKIM) and encrypt messages and passwords in transit (TLS).

Pakistan goes offline

Mistakes on this scale are rare, because ISP managers and staff understand the value of reputation and trust. The block itself was no accident: Pakistan's telecom regulator had ordered ISPs to make YouTube unreachable inside the country, and the usual way to do that is to announce a more specific route for the site internally and drop the traffic. What turned a national block into a global outage was that the bogus advertisement was passed on to the ISP's upstream provider, which accepted it and re-advertised it to the rest of the world. Whether that leak was deliberate or a configuration error, a bogus BGP advertisement is a very loud and rude way to make a political statement.

Richard Stiennon of ZDnet notes that PieNet probably brought all Internet traffic in Pakistan to a grinding halt, as Pakistan Telecom could not handle millions of requests for YouTube.

YouTube engineers detected the redirection quickly and asked major ISPs for help. Their next step was to find the bad BGP advertisement. That was a trivial exercise: every advertisement carries an AS path, the list of autonomous system numbers it has passed through, and the last number in that list identifies the network that originated the route.

PCCW, the Hong Kong carrier that provides Pakistan Telecom's upstream connectivity and had passed the bogus route on to the world, cut off Pakistan's announcements until corrected BGP advertisements had propagated to ISPs across the world; YouTube also began announcing its own, equally specific prefixes so that routers would no longer prefer the hijacked block. Once YouTube's route was restored, users could watch their videos again.

Internet users in Pakistan will have slower Internet connections for the next few days, and network engineers around the world will keep close tabs on Pakistani ISPs.

Tags: crypto, DNS, email, Google, hardware, network, opendns, pakistan, reliability, reputation, security, video

Researchers develop simple attack against disk encryption

ism tech

Posted Thursday, 21 February 2008


From BoingBoing comes the most disturbing information security news I have read in a while.

We’ve long assumed that disk encryption is a robust means of storing confidential data on a computer. Disk encryption products work by encrypting all of the data on a drive, including documents, the operating system, swap files and caches. Disk encryption software can start up before the operating system to let the user enter their password or key. Disk encryption software can also be used on USB storage, as well as partitions on an unencrypted drive.

Disk encryption helps travelers keep their data confidential. My post of 5 January 2008 addresses how cryptography works.

Warm RAM, lost key

Princeton University researchers have developed a simple attack that can retrieve the BitLocker disk encryption key from a Windows Vista computer. The encrypted volume has to have been unlocked (for BitLocker that happens at boot, before anyone logs in), because the key is then held in the computer's RAM for as long as the volume is in use. If the computer is in sleep mode, running a screen saver, or was powered off only seconds earlier, the contents of RAM, including the key, can still be read: DRAM does not lose its contents the instant power is cut, and chilling the chips stretches the fade-out from seconds to minutes. The attacker reboots into a tiny program that copies RAM to a USB storage device, so that another computer can take its time to find the key and repair the bits that decayed. The repair works because the software keeps the expanded AES key schedule next to the key, and that redundancy lets the researchers reconstruct the original key from a partly faded copy.

The same kind of attack will also work on Apple FileVault, TrueCrypt, PGP Whole Disk Encryption, and other disk encryption products. The research report is available as a PDF file at this web site.
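The reconstruction step described above works because software stores not just the 16-byte AES key but the full expanded key schedule beside it, and the schedule is a deterministic function of the key, so a candidate key can be checked against the 160 bytes that follow it. The added example below, written for this page and not the research team's own tool, scans a constructed memory image for AES-128 key schedules and tolerates a few decayed bytes; the key, the image and the decay positions are all constructed. It implements the search, not the paper's full error-correcting reconstruction, so it still needs the first sixteen bytes of the schedule to be intact.

```python
import random


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """Compute the AES S-box (multiplicative inverse, then the affine map)
    instead of pasting the 256-entry table."""
    def rotl8(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        sbox.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    assert len(key) == 16
    w = list(key)
    rcon = 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:  # first word of each round key: RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def find_aes128_keys(image: bytes, max_bad_bytes: int = 0):
    """Slide a 176-byte window across a memory image and report every offset
    where the 160 bytes after the first 16 are, up to max_bad_bytes of decay,
    the key expansion of those 16.  Returns (offset, key, bad_byte_count)."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if cand == bytes(16):
            continue  # all-zero runs are common in RAM and never a real key
        sched = expand_key(cand)
        bad = sum(a != b for a, b in zip(sched[16:], image[off + 16:off + 176]))
        if bad <= max_bad_bytes:
            hits.append((off, cand, bad))
    return hits


def make_image(key: bytes, offset: int, size: int = 1024, flips=()):
    """Constructed memory image: seeded random filler with a key schedule at
    offset, then single bits flipped to mimic decay.  Real DRAM decay mostly
    drifts bits towards the chip's ground state; XOR is used here so that every
    listed flip is guaranteed to corrupt its byte."""
    rng = random.Random(1)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    img[offset:offset + 176] = expand_key(key)
    for pos, mask in flips:
        img[offset + pos] ^= mask
    return bytes(img)


KEY = bytes(range(0x10, 0x20))                  # constructed test key
OFFSET = 600                                    # constructed location in the image
DECAY = ((20, 0x01), (77, 0x80), (150, 0x10))   # three decayed bits, all past byte 16


def demo():
    """Scan a pristine image, then the decayed one strictly and with tolerance."""
    clean = find_aes128_keys(make_image(KEY, OFFSET))
    decayed = make_image(KEY, OFFSET, flips=DECAY)
    strict = find_aes128_keys(decayed, max_bad_bytes=0)
    tolerant = find_aes128_keys(decayed, max_bad_bytes=8)
    return clean, strict, tolerant


if __name__ == "__main__":
    clean, strict, tolerant = demo()
    print("pristine image:", [(o, k.hex(), b) for o, k, b in clean])
    print("decayed, exact match only:", strict)
    print("decayed, up to 8 bad bytes:", [(o, k.hex(), b) for o, k, b in tolerant])
```

Two things to notice. The scan needs no knowledge of where the encryption software keeps its keys; the structure of the schedule gives the key away wherever it sits, which is why the attack generalises across products. And an exact-match scan finds nothing once a few bits have faded, while a tolerant one still does, so the defender cannot rely on a little decay to save the key; the paper's reconstruction goes further and repairs decay in the round-zero bytes as well.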

Declan McCullagh has posted his analysis of the report at news.com. He points out that other researchers have reached RAM through a different door, reading it over a FireWire connection (which gives an attached device direct access to memory) from an iPod. It is difficult to harden a computer against this form of attack, but the attack must be carried out in person; it cannot be done across the Internet, at least in the form the researchers demonstrate. The attacker needs a USB drive preloaded with the attack software. A can of Dust-Off, held upside down so that it sprays cold propellant, chills the RAM and buys more time.

Watch that drive

The easiest way to harden a computer against this attack is to maintain physical control of the encrypted drive and the computer it is mounted in. Don't leave it alone. Shut the computer down rather than putting it to sleep: sleep keeps RAM powered and the key in it, while a full shutdown at least starts the clock on the key fading. Where the software supports it, require a PIN or a USB key at boot (BitLocker can be configured this way) so that a stolen machine cannot reload the key on its own. Update the encryption software regularly, as the developers will more than likely ship patches that wipe keys from RAM as soon as a volume is dismounted, although no software fix can remove a key that has to be in RAM while the disk is in use.
This YouTube video produced by the research team is a brief overview of the vulnerability and the attack.

Tags: crime, crypto, hardware, iPod, Microsoft, security, software, storage, USB, Windows

Hackers hide their Web attacks

ism

Posted Thursday, 14 February 2008

From ComputerWorld: IBM security researchers claim that hackers are hiding or masking almost all of their Web attacks. JavaScript is still the tool of choice for infiltrating Web browsers. Most users shouldn’t turn off JavaScript, especially students who use tools like webmail, WebCT and TurnItIn.com. So we rely on antivirus and Internet security software that runs on the client-side to screen out these attacks before they can be executed.

Hackers have added more tricks to their toolboxes, because the potential payoff for evading security software and infecting computers can be huge. Obfuscation is one such tool, though reports often call it encryption: the attacker encodes the malicious JavaScript and wraps it in a small loader that decodes and runs it only once the page is open in the browser. A scanner that looks for known strings sees nothing but the loader, and the loader can be re-encoded with a new key for every victim.

As IBM researcher Kris Lamb states, hackers have stopped targeting the operating system and have moved to a higher level of the application stack that runs on almost any desktop and laptop computer that connects to the Internet - the web browser.
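The evasion and the defender's answer to it, as an added example written for this page (not IBM's or any product's detection logic): the same payload in the clear and wrapped in the kind of runtime-decoding stub described above, with a plain signature check and a small set of structural heuristics run over both, plus a static unpacker that recovers the payload from the stub without executing it. Both scripts are constructed, and the payload is inert; it writes an HTML comment where an exploit kit would write a hidden iframe.

```python
import re

# Constructed samples.  The payload is inert: it writes an HTML comment where a
# real exploit kit would write a hidden iframe pointing at the exploit page.
PAYLOAD = "document.write('<!-- ad slot -->');"
CLEAN = ("var banner = document.getElementById('banner');"
         " banner.style.display = 'block';")


def xor_stub(payload: str, key: int = 0x2A) -> str:
    """Build the kind of loader attackers use: the payload is XOR-encoded into
    a list of numbers and only becomes JavaScript when the browser runs the
    stub.  Re-encoding with a new key changes every byte of the array."""
    codes = ",".join(str(ord(c) ^ key) for c in payload)
    return ("var k=%d,a=[%s],s='';for(var i=0;i<a.length;i++)"
            "s+=String.fromCharCode(a[i]^k);eval(s);" % (key, codes))


OBFUSCATED = xor_stub(PAYLOAD)

# What a plain string-matching scanner looks for (constructed list).
SIGNATURES = ("document.write('<", "<iframe", "<!-- ad slot -->")

# Constructs a decoder stub needs; each one present adds to the score.
DECODER_MARKS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")


def signature_match(script: str) -> bool:
    return any(s in script for s in SIGNATURES)


def heuristic_score(script: str) -> int:
    """Score the shape of the script rather than its content."""
    score = 2 * sum(mark in script for mark in DECODER_MARKS)
    # A long run of digits and commas is an encoded payload being fed to a decoder.
    longest_run = max((len(m) for m in re.findall(r"[\d,]+", script)), default=0)
    if longest_run > 40:
        score += 3
    return score


def unpack_xor_stub(script: str):
    """Static unpacker for stubs shaped like xor_stub()'s output: recover the
    payload without executing anything, so the signatures can be applied to it."""
    m = re.search(r"k=(\d+),a=\[([\d,]+)\]", script)
    if not m:
        return None
    key = int(m.group(1))
    return "".join(chr(int(n) ^ key) for n in m.group(2).split(","))


def scan(script: str, threshold: int = 5) -> dict:
    """One verdict per script: signature hit, heuristic score, and whether the
    score alone would flag it."""
    score = heuristic_score(script)
    return {"signature": signature_match(script), "score": score,
            "flagged": score >= threshold}


if __name__ == "__main__":
    for name, script in (("clean", CLEAN), ("payload", PAYLOAD), ("obfuscated", OBFUSCATED)):
        print(name, scan(script))
    recovered = unpack_xor_stub(OBFUSCATED)
    print("unpacked:", recovered, "->", scan(recovered))
```

The signature finds the payload in the clear and misses it entirely once encoded, which is the effect the IBM researchers measured. The heuristics catch the stub because the decoder itself cannot be hidden: something has to call eval or its equivalents and something has to carry the encoded bytes. The unpacker shows the third option, emulating the decoding stage instead of executing it, but it is written for this one stub shape; real scanners either generalise that with a JavaScript interpreter in a sandbox or accept a false-positive rate from heuristics like the one here, and legitimate minified libraries will sometimes score badly.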

So we come back to good old common sense as the user’s best defense against computer attacks.

  1. Hover your mouse over a web link and inspect the URL before clicking.
  2. Don’t click URLs in email messages if the links look suspicious.
  3. Find, install and use good security software. I recommend the free version of Avast for Windows users who need to protect their residential computers.
  4. If you’re not using your computer at home, turn it off. You’ll burn less energy, and hackers cannot access your computer if it’s not running.

See my earlier posts on security software and attacks from 10 June 2007, 13 August 2006 and 27 November 2005 for more information.

Tags: browser, cloud, computer, crypto, hack, IBM, Internet, Java, PEBKAC, research, search, security, software, student, WebCT

Dual-key cryptography explained!

ism

Posted Saturday, 5 January 2008

It’s easy to explain how a key principle of cryptography works. Just watch this two-minute video.

I could look at a Wikipedia article to learn how dual-key cryptography keeps email messages and web pages secure in transit. But video often helps explain complex concepts quickly… and this example has a nice soundtrack!
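The principle the video explains, worked through in an added example that is mine rather than the video's or the page's: one key is published and anyone can use it to encrypt a message to you or to check your signature; the other stays private and is the only thing that can decrypt or sign. The example uses textbook RSA with the classic toy primes 61 and 53 (and 59 and 67 for the second party); real keys use primes hundreds of digits long together with padding schemes, and this code is for illustration only.

```python
from math import gcd


def keygen(p=61, q=53, e=17):
    """Textbook RSA with toy primes (constructed, hopelessly small).
    Returns (public, private), each as an (n, exponent) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)  # modular inverse of e; Python 3.8+
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Anyone holding the public key can do this."""
    n, e = public
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Only the holder of the matching private key can undo it."""
    n, d = private
    return pow(c, d, n)


def sign(private, m: int) -> int:
    """Signing uses the private exponent, so only the key's owner can sign."""
    n, d = private
    return pow(m, d, n)


def verify(public, m: int, sig: int) -> bool:
    """Anyone with the public key can check a signature."""
    n, e = public
    return pow(sig, e, n) == m


def email_exchange(message: int = 65) -> dict:
    """Alice sends a confidential, signed number to Bob: she encrypts under
    Bob's public key and signs under her own private key.  Returns what each
    side ends up with, plus what happens to the signature if the message is
    altered in transit."""
    bob_pub, bob_priv = keygen()
    alice_pub, alice_priv = keygen(p=59, q=67, e=7)
    ciphertext = encrypt(bob_pub, message)      # only Bob can read this
    signature = sign(alice_priv, message)        # only Alice could have made this
    recovered = decrypt(bob_priv, ciphertext)
    return {
        "ciphertext": ciphertext,
        "recovered": recovered,
        "signature_ok": verify(alice_pub, recovered, signature),
        "tampered_ok": verify(alice_pub, recovered + 1, signature),
    }


if __name__ == "__main__":
    print(email_exchange())
```

The two operations are the same arithmetic with the exponents swapped, which is why a single key pair covers both confidentiality (encrypt with the recipient's public key) and authenticity (sign with the sender's private key). In real email and web traffic the public-key step only protects a short random session key, and a fast symmetric cipher does the bulk of the work; and no real system applies RSA to a bare number as this toy does, since without padding identical messages produce identical ciphertexts.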

Thanks to BoingBoing for the link!

Tags: crypto, email, example, security, video, Wikipedia, YouTube