Bug compromises cryptographic keys created over the past year and a half.
Friday, May 16, 2008
By Erica Naone
A bug found in Debian Linux, from which the popular Linux version Ubuntu is derived, puts at risk a number of cryptographic keys generated on Debian systems between September 2006 and May 13, 2008, according to security researcher H.D. Moore. The keys placed at risk include the type typically used to protect e-commerce transactions. The bug resulted from the deletion of a section of code that was responsible for providing the random numbers that are the foundation of the keys. As a consequence, keys generated on affected systems could be vulnerable to attackers.
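As an added illustration, not code from the page or from Debian or OpenSSL: a toy model of a generator whose only varying input is the process ID, which is all the deleted seeding code left behind, and the fingerprint-blocklist check that let defenders recognise affected keys. The hash-based key material and fingerprint format are assumptions of the model.

```python
import hashlib

# Toy model (not OpenSSL's code): after the Debian change the only input that
# still varied between runs of the generator was the process ID, which on
# Linux takes at most 32,768 values. Everything else was deterministic.
PID_MAX = 32768


def weak_key_material(pid: int) -> bytes:
    """Key material from a generator whose only entropy source is the PID."""
    if not 1 <= pid <= PID_MAX:
        raise ValueError("pid out of range")
    return hashlib.sha256(b"weak-rng-model:" + pid.to_bytes(2, "big")).digest()


def fingerprint(key_material: bytes) -> str:
    """Short fingerprint of a key, as a blocklist would store it (assumed format)."""
    return hashlib.sha256(key_material).hexdigest()[:16]


def build_weak_fingerprint_blocklist() -> set:
    """Every key the weak generator can ever emit, by fingerprint.

    Defenders shipped lists like this so hosts could refuse affected keys.
    """
    return {fingerprint(weak_key_material(pid)) for pid in range(1, PID_MAX + 1)}


def distinct_keys_possible(generated: int) -> int:
    """How many distinct keys appear if `generated` machines each make one.

    Simulates PIDs cycling; the count never exceeds PID_MAX no matter how
    many keys are generated, which is why the bug was so damaging.
    """
    seen = set()
    for i in range(generated):
        seen.add(weak_key_material(1 + i % PID_MAX))
    return len(seen)


def is_weak(key_material: bytes, blocklist: set) -> bool:
    """Defender-side check: refuse a key whose fingerprint is on the blocklist."""
    return fingerprint(key_material) in blocklist


if __name__ == "__main__":
    import os
    bl = build_weak_fingerprint_blocklist()
    print("distinct keys after 100000 generations:", distinct_keys_possible(100000))
    print("weak key flagged:", is_weak(weak_key_material(4242), bl))
    print("fresh random key flagged:", is_weak(os.urandom(32), bl))
```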
Businesses need to resolve questions of immersion, integration, and fun.
Friday, April 04, 2008
By Erica Naone
At the Virtual Worlds Conference 2008 in New York City, I see a lot of interest in using virtual worlds for more than just games. Yesterday, for example, Linden Lab and IBM announced that IBM is now hosting the Second Life Grid--a virtual-world platform based on Second Life--behind its firewall. The grid allows businesses to build their own virtual worlds using the foundations that have already been created for Second Life. Hosting the grid behind the firewall greatly improves security, making Second Life a much more attractive place to hold meetings involving sensitive corporate information or to build protected prototypes. At the same time, avatars can travel easily from IBM's secure grid to the larger, public version of Second Life.
Ginsu Yoon, Linden Lab's vice president for business affairs, says that protecting the grid required careful structuring of servers. "The easy part is putting it behind the firewall, and the hard part is making it connect to the larger world," says Yoon. Servers can host corporate data securely, he says, but software also has to watch avatars to make sure they don't carry protected data out into the public space. IBM and Linden Lab worked together to find a way to host the grid that measured up to IBM's standards for corporate security.
This is the latest of IBM's many forays into virtual space. In addition to the company's existing presence in Second Life--both in public and on a private island--IBM is conducting virtual-world experiments using Forterra, Qwaq, and its own internally built Metaverse. So far, these efforts are young and uncertain. While the company is actively researching ways to use virtual worlds in conjunction with business software, canvassing its own massive base of employees for information about the needs of today's corporations, it's still not clear what will come of its efforts.
I think that this is largely because many businesspeople don't yet see a need for virtual worlds. They feel that, while they do need to deal with colleagues remotely, 2-D tools such as Web-conferencing software and instant messaging do well enough.
Tools like instant messaging and social-networking sites have become common in businesses in part because of their deep connection to people's personal lives. People who are used to keeping track of friends on Facebook are likely to also keep track of business contacts in LinkedIn, or even Facebook itself. The IBM Lotus development group, with its Connections software, has worked to create secure social-networking sites that can run behind a firewall and serve as a medium for confidential corporate communications. I see IBM's research in virtual worlds as a similar phenomenon: the company is hunting for a way to catch hold of a popular phenomenon and adapt it for business.
As things currently stand, however, I see a few obstacles in the way:
Immersion
Immersion is both a blessing and a curse for virtual worlds. Remy Malan, vice president of enterprise for Qwaq, talked with me here about how compelling 3-D is for people. We talked about how people can learn their way around a real-world location without setting foot in it, just by navigating it in 3-D. However, immersion has a drawback, in my view. The tools that work best for many people in business are those that allow rapid switching. For example, as I write an article, I may flip between an instant-messaging conversation with my editor, the program in which I'm writing the article, my Web browser, and my e-mail client. An immersive virtual world doesn't allow for the same kind of multitasking.
Integration
The multitasking problem I just mentioned could be solved if word processing, e-mail, and other business tools were integrated into virtual worlds, the way instant messaging has been in most of them. This would mean effectively replacing a 2-D operating system with a 3-D, graphics-intensive operating system. Companies have moved in this direction already. Qwaq allows everything from documents to Web pages to be imported into a virtual meeting space, where they can remain for all to see for the duration of a project. IBM has connected its Metaverse to some of its existing business software, such as its Sametime instant messenger. The benefit here is that the integrated environment provides a persistent home for a project, which can be especially nice if people from many states or countries are working together. However, I'm not sure that this outweighs the significant drawbacks of going 3-D. The environment is hard for new users to navigate, requires heavy computer resources, and hogs bandwidth.
Fun
Fun is another blessing and curse for virtual worlds. Companies that specialize in virtual worlds for enterprise tend not to stress fun very much. I think that this is because they're working to avoid being labeled as purveyors of toys rather than tools. However, if we do need virtual worlds in business, it may be precisely because of fun. In their consumer incarnations, virtual worlds have an incredible ability to suck some users in. I have stayed up until 2:00 a.m. harvesting materials in a virtual world--which I can tell you feels suspiciously like work--simply because I wanted to finish building a virtual object. If employers could engage employees the same way game designers can engage players, exciting yet frightening possibilities open up. However, not only is this a delicate issue for many reasons, but it's unclear that virtual worlds will have the same effect when used for professional work rather than gaming.
I started this post by talking about how companies are addressing questions of the security of virtual worlds. Answers to those questions are clearly required before businesses can rely very much on virtual worlds. I'm confident that security won't remain a barrier. However, I think that the questions of immersion, integration, and fun will remain thorny issues for some time to come.
Vulnerabilities of embedded systems on display at Black Hat.
Thursday, February 21, 2008
By Erica Naone
Today at the computer security conference Black Hat 2008, in Washington, DC, several impressive displays made clear that embedded systems, such as those used for keyless entry to cars or garage-door openers, could be an important security battleground in coming years. Breaking into embedded systems requires a different set of skills than those needed to crack websites. Instead of breaking in by using code written in computer languages that are relatively widely known, getting access to embedded systems can call for hands-on techniques, such as exposing a chip to ultraviolet light or probing it with needles.
Christopher Tarnovsky of Flylogic Engineering gave a virtuosic presentation in which he showed how he had taken over chips made by major manufacturers including Atmel, Motorola, and Infineon. Tarnovsky emphasized that, although the manufacturers stress the security features of their devices, he often finds it relatively easy to circumvent the very features that are being touted.
Later, Job de Haas, a senior specialist at Riscure, showed how he could extract keys from embedded devices without needing to open them up. The technique relies on measuring the electromagnetic field surrounding a device and analyzing patterns to make guesses at the processing going on within the system.
While in both cases, specialized skills and equipment are needed to pull off the attack, embedded systems are increasingly being used to guard access to valuable information or equipment that could make it worth the effort to break into them.
Ninja hackers vs. the lazy mobs who want your credit-card number.
Wednesday, February 20, 2008
By Erica Naone
Billy Rios and Nitesh Dhanjani spoke about phishing today at the computer-security conference Black Hat 2008, in Washington, DC. (Phishers, who set up websites that resemble legitimate sites in order to gain access to personal information that can be used for identity theft, are searching for good folk who'll hand over their passwords and credit-card numbers when asked.) Rios and Dhanjani trace phishers, starting from their dangled sites, back through compromised servers, to the forums where identities are bought and sold for as little as 50 cents each. "Are these phishers really the sophisticated, Einsteinian ninja hackers that the media makes them out to be?" asks Dhanjani.
It's a good question. I swore off my cell phone this morning after seeing David Hulton of Pico Computing and a man known only as "Steve" show how their sophisticated ninja hacking could be used to listen in on my phone conversations, read my texts, and possibly even gain control of my cell phone's core, the SIM card, and use it to spy on me through my phone's microphone even when I'm not actively making a call. But I'll be honest with you: I'm going to go home and return to business as usual on my cell phone. I doubt that David and Steve will be around the corner from me. And although they say their process--which can decrypt the security on voice and SMS signals sent through the popular Global System for Mobile Communications (GSM) network--will be open source and also available as a commercial device, a would-be spy is still looking at $1,000 worth of equipment to get into the business of listening to me talk recipes with Mom.
On the other hand, phishing kits--which can be used to compromise a server, set up a fake site, and e-mail sensitive information wherever you want it to go--are easy to come by, according to Rios and Dhanjani. By slinging a little lingo, Rios says that he convinced a phisher to give him a set of 100 kits, which, had he chosen to use them, would have allowed him to set up fake versions of Amazon.com, Bank of America, and a slew of other sites. The kits are so easy to deploy, he says, that a would-be phisher doesn't even need to be able to read the code in which they're written. The fact is made even more evident by the barely hidden back doors scattered through the kits, ready to return information to the phisher who provided the kits, as well as the phisher who sets them up. Rios and Dhanjani, working on their own time, found a network of people all too willing to sell them identities, give them phishing kits, and sell them devices to collect credit-card information from ATMs.
"We could have kept following the trails for 10 years," Rios says to a group of us after the presentation. Solutions are hard to come by, the two researchers say, as long as personal information remains static (such as in the form of social-security numbers). To even begin to make a dent, they say, companies must raise the bar a little, so that would-be phishers need a little more in the way of technical skills in order to pull off their exploits. For example, Rios says, it might help if sites requiring authentication put a cookie on the browsers of legitimate users and only allow users to log in if they have the cookie.
In the meantime, Rios says that he's gotten paranoid about using ATMs: he even feels for the skimmers that can be installed over the PIN pad or the card reader to steal data. That's a paranoia that could stick with me. I find that I view hordes of lazy phishers who want my credit-card number as a more immediate threat than a ninja hacker, against whom my only real defense is to unplug.
As medical devices become more sophisticated, they may turn into a security risk to watch.
Thursday, September 27, 2007
By Erica Naone
Implantable medical devices could become a major focus of security research in the near future, according to Tadayoshi Kohno, a University of Washington assistant professor and TR35 honoree who appeared today at the Emerging Technologies Conference. Kohno says that security measures need to be an integral part of wireless medical computational devices implanted in the body, such as devices that would monitor the blood of diabetics and administer insulin when needed. Although much work is currently going into building such devices, Kohno says that he isn't seeing sufficient discussion of related security and privacy issues at this point.
Ivan Krstic, director of security architecture at One Laptop per Child and also a TR35 honoree, says that lack of incentive to make systems secure is part of the problem.
The future of computer security may look like a human immune system.
Thursday, September 27, 2007
By Erica Naone
The future of security may involve making computer systems behave more like biological systems, according to Guido Jouret, CTO of the emerging markets technology group at Cisco Systems. In an appearance at the Emerging Technologies Conference yesterday, Jouret said that Cisco has invested heavily in self-defending security systems. As threats grow increasingly automated, he said, defenses must do the same. He offered the human immune system as an example of an automated system flexible enough to deal with a wide variety of threats.
Cisco is working on technology that can block zero-day viruses--viruses that haven't yet been identified and loaded into antivirus programs--based on what they do, and which parts of a system they attack. "It's a better approach than this infernal race of trying to get patterns that match new viruses," Jouret said.