ICS

« January 2009 | Main | March 2009 »

February 2009

February 23, 2009

Defeating SSL in Practice

This year's Blackhat conference had a number of great topics in the field of security, but one that caught the eyes of us here at the Institute for Cyber Security was a great presentation by "Moxie Marlinspike" on how to subvert transport layer security (colloquially known as SSL) via a man-in-the-middle (MITM) attack using a combination of technical expertise and social engineering.

Of course, TLS/SSL is impervious to MITM attacks. In fact, SSL guaranties the authenticity (you know where/who it came from), confidentiality (nobody knows what you are receiving/sending), and integrity (alteration by MITM produces garbage and the alteration is detected) of data sent by one party to another. This remains true and the presentation doesn't dispute that.

Rather, the presentation demonstrates how to proxy a SSL connection, rewrite HTTPS URLs to HTTP URLs (while capturing the data), and presenting it to the user without the user perceiving that the connection is no longer secure. He alsp provides an open source software package in a alpha state called SSLStrip. It is a little long, but worth viewing if you have an interest in cyber security, SSL, or social engineering.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 06:56 AM in Cyber Security, Security, SSL/TLS | | Comments (1) | TrackBack (0)

February 17, 2009

Ravi Sandhu Interviewed in SC Magazine

This week,Greg Masters from SC Magazine wrote an article on government cyber attacks, interviewing our own Ravi Sandhu, director of the Institute for Cyber Security. In the article, he discusses attacks on federal computers, what the attackers are after, and cyber security, the hallmark of ICS. Certainly a worthwhile read on cyber security.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu


Posted at 09:19 PM in Cyber Security, News | | Comments (0) | TrackBack (0)

February 13, 2009

Eugene Spafford in the New York Times

Eugene Spafford, who serves as the executive director on the founder's board for the Institute for Cyber Security, was cited in an article in the New York Times today. The article covers a growing concern on the inherent weaknesses of the Internet. Since the Internet was born as an academic tool and has quickly blossomed into ubiquity, the notion of starting over from scratch, building security into the framework, rather than an afterthought, is brought into light. A fascinating read over two pages, the first of which Dr. Spafford discusses how worse off we are, security-wise, than even twenty years ago.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 11:47 AM in Cyber Security, News, Security, Web/Tech | | Comments (0) | TrackBack (0)

February 11, 2009

NSA Updates its Top 25 Programming Security Errors

The NSA, in partnership with MITRE Corp., SANS, and dozens of industry experts from many other organizations, recently updated its Top 25 list of Programming Errors. Similar to the OWASP Top Ten Project, which attempts to categorize programming errors in an effort to provide awareness on web application security, this paper outlines the Top 25 and how they were selected, what makes them insecure, and how to defend against them. Of note are the appendices at the end, especially on threat modeling, which we covered in a recent blog post.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 09:21 AM in Cyber Security, Education, Programming, Software, Threat Modeling | | Comments (0) | TrackBack (0)

February 09, 2009

Speaking at TRISC Conference Next Month

Folks in Texas who are interested in information security should plan to attend the Texas Regional Infrastructure Security Conference (TRISC) in March. There are a number of great speakers, and if it's anything like last year's, it should be a blast.

I will be speaking Tuesday March 24th about Cross Domain XHRThe talk will cover how server-side and client-side mashup security currently works with cross-domain XHRs and how to use two-party protocols such as TLS in a multi-party environment.

Dates: Monday, March 23 through Wednesday, March 25th, 2009
Location: AT&T Executive Education and Conference Center, Austin, TX (512) 404-1900

For more details, go to www.trisc.org.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 11:43 AM in Cyber Security, Events, News, Presentation, Security, Software, Startups | | Comments (0) | TrackBack (0)

February 06, 2009

Facebook Joins OpenID Foundation Board


Yesterday evening, the OpenID group announced that Facebook has joined its foundation board. If this headline sounds familiar, it is only because it is hot on the heels of Paypal joining the OpenID Foundation Board itself just a week ago.

At first, this seems to clash with Facebook Connect, which this blog discussed a month ago. The single sign-on (SSO) idea (one login for all web apps and sites) remains the same, but unlike OpenID, Facebook connect uses a centralized mechanism (namely, Facebook) to facilitate the exchange.

Facebook joining the board now adds a host of organizations that have joined its board, including Google, IBM, Microsoft, the aforementioned PayPal, VeriSign and Yahoo!. While OpenID has faced some criticisms, including its user interface experience, 2008 was a large year for it, and it looks to be building on that early into 2009. It'll be interesting to see where OpenID ends up at the end of the year.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 10:45 AM in Cyber Security, OpenID, Single Sign-on, Social Networking, Web/Tech | | Comments (0) | TrackBack (0)

February 05, 2009

ICS in the News Again

SC Magazine just wrote up a fantastic article worth reading if you're interested in the tech sector of the market. Discussing the Institute for Cyber Security at length, our own Ravi Ganesan was interviewed by Deb Radcliff, discussing where capital raising (either through venture capital funding or elsewhere) has gone and how it can be found.

More news out of ICS is coming within a month! Visit the main site to learn more about ICS, the incubator and how to apply.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 01:36 PM in News, Security, Startups | | Comments (0) | TrackBack (0)