fyi: Storm Worm botnet numbers, via Microsoft

2007-10-02 Thread Jeff . Hodges
food for consideration. yes, #s are from MSFT as he notes, but are the only 
ones we have presently wrt actual Storm extent, yes? If not, pls post 
pointers...

=JeffH
--
Storm Worm botnet numbers, via Microsoft
http://blogs.zdnet.com/security/?p=533

Posted by Ryan Naraine @ 7:40 am

If the statistics from Microsoft’s MSRT (malicious software removal tool) 
are anything to go by, the Storm Worm botnet is not quite the world’s 
most powerful supercomputer.

The tool — which is updated and shipped once a month on Patch Tuesday 
— removed malware associated with Storm Worm from 274,372 machines in the 
first week after September 11. In all, the tool scanned about 2.6 million 
Windows machines.

These numbers, released by Microsoft anti-virus guru Jimmy Kuo, put the size 
of the botnet on the low end of speculation that Storm Worm has commandeered 
between 1 million and 10 million Windows machines around the world.

[ SEE: Storm Worm botnet could be world’s most powerful supercomputer ]

The MSRT numbers, though helpful, shouldn’t be relied on as gospel. For 
starters, the tool targets a very specific known malware (it only finds 
exactly what it’s looking for) and attackers constantly tweak malware 
files to get around detection. In addition, it is only delivered to Windows 
machines that have automatic updates turned on, which means there are likely 
tons and tons of hijacked machines that never get a copy of the MSRT.

Still, Kuo claims that the September version of MSRT made a dent in the botnet.

Another antimalware researcher who has been tracking these recent attacks 
has presented us with data that shows we knocked out approximately one-fifth 
of Storm’s Denial of Service (DoS) capability on September 11th. 
Unfortunately, that data does not show a continued decrease since the first 
day. We know that immediately following the release of MSRT, the criminals 
behind the deployment of the Storm botnet immediately released a newer version 
to update their software. To compare, one day from the release of MSRT, we 
cleaned approximately 91,000 machines that had been infected with any of the 
number of Nuwar components. Thus, the 180,000+ additional machines that have 
been cleaned by MSRT since the first day are likely to be home user machines 
that were not notably incorporated into the daily operation of the Storm 
botnet. Machines that will be cleaned by MSRT in the subsequent days will be 
of similar nature.

The September release of the MSRT probably cleaned up approximately one 
hundred thousand machines from the active Storm botnet. Such numbers might 
project that the strength of that botnet possibly stood at almost half a 
million machines with an additional few hundred thousand infected machines 
that the Storm botnet perhaps were not actively incorporating.

Kuo also confirmed fears that the botnet will slowly regain its strength once 
those cleaned machines become reinfected because those machines are likely 
unpatched and not equipped with any security software.

---
end



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Contested UK encryption disclosure law takes effect

2007-10-02 Thread Saqib Ali
Source: 
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511.html

British law enforcement gained new powers on Monday to compel individuals and 
businesses to decrypt data wanted by authorities for investigations.
..
Failure to comply could mean a prison sentence of up to two years for cases not 
involving national security or five years for those that do.

Read the entire story at:
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511.html




Saqib
http://security-basics.blogspot.com/



Linus: Security is people wanking around with their opinions

2007-10-02 Thread Peter Gutmann
For people who don't read LKML (or get interesting bits forwarded to them),
there's a wonderful quote by Linus Torvalds about the difference between OS
scheduler design and security design:

  Schedulers can be objectively tested. There's this thing called
  'performance', that can generally be quantified on a load basis.

  Yes, you can have crazy ideas in both schedulers and security. Yes, you can
  simplify both for a particular load. Yes, you can make mistakes in both. But
  the *discussion* on security seems to never get down to real numbers. So the
  difference between them is simple: one is 'hard science'. The other one is
  'people wanking around with their opinions'.

  http://kerneltrap.org/mailarchive/linux-kernel/2007/10/1/326534

Peter :-).



Re: Seagate announces hardware FDE for laptop and desktop machines

2007-10-02 Thread Simon Josefsson
Following up on an old thread with some new information:

> Hitachi's white paper is available from:
>
> http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf
...
> The interesting part is the final sentence of the white paper:

Hitachi will be offering the Bulk Data Encryption option on all new
2.5-inch hard disk drive models launched in 2007, including both the
7200 RPM and 5400 RPM product lines. At the request of the customer,
 ^^
this option can be enabled or not, at the factory, without any impact
on the drive's storage capacity, features or performance.

Interestingly, Hitachi has updated that paragraph in the paper (re-using
the same URL), and now it reads:

  Hitachi will be offering the Bulk Data Encryption option on specific
  part numbers of all new 2.5-inch hard disk drive products launched in
  2007, including both the 7200 RPM and 5400 RPM product lines. For a
  list of specific part numbers that include the Bulk Disk Encryption
  feature or for more information on how to use the encryption feature,
  see the "How To Guide" for Bulk Data Encryption Technology available
  on our website.

The How To Guide includes screen shots from BIOS configuration.  The
disk appears to be using the standard ATA BIOS password lock mechanism.
The guide is available from:

http://hitachigst.com/tech/techlib.nsf/products/Travelstar_7K200
http://hitachigst.com/tech/techlib.nsf/techdocs/F08FCD6C41A7A3FF8625735400620E6A/$file/HowToGuide_BulkDataEncryption_final.pdf

Without access to the device (I've contacted Hitachi EMEA to find out if
it is possible to purchase the special disks) it is difficult to infer
how it works, but the final page of the howto seems strange:

   Disable security
   

   For an end user to disable security (i.e., turn off the password
   access control):

 1. Enter the BIOS and unlock the drive (when required, BIOS
 dependent).

 2. Find the security portion of your BIOS and disable the HDD user
 password, NOT the BIOS password. The master password is still set.
...

   NOTE: All data on the hard drive will be accessible. A secure erase
   should be performed before disposing or redeploying the drive to
   avoid inadvertent disclosure of data.

One would assume that if you disable the password, the data would NOT be
accessible.  Making it accessible should require a read+decrypt+write of
the entire disk, which would be quite time consuming.  It may be that
this is happening in the background, although it isn't clear.

Another interesting remark is:

  Note that the access method to the drive is stored in an encrypted
  form in redundant locations on the drive.

It sounds to me as if they are storing the AES key used for bulk
encryption somewhere on the disk, and that it can be unlocked via the
password.  So it may be that the bulk data encryption AES key is
randomized by the device (using what entropy?) or possibly generated in
the factory, rather than derived from the password.

/Simon



Re: Linus: Security is people wanking around with their opinions

2007-10-02 Thread Ben Laurie
Peter Gutmann wrote:
> For people who don't read LKML (or get interesting bits forwarded to them),
> there's a wonderful quote by Linus Torvalds about the difference between OS
> scheduler design and security design:
> 
>   Schedulers can be objectively tested. There's this thing called
>   'performance', that can generally be quantified on a load basis.
> 
>   Yes, you can have crazy ideas in both schedulers and security. Yes, you can
>   simplify both for a particular load. Yes, you can make mistakes in both. But
>   the *discussion* on security seems to never get down to real numbers. So the
>   difference between them is simple: one is 'hard science'. The other one is
>   'people wanking around with their opinions'.
> 
>   http://kerneltrap.org/mailarchive/linux-kernel/2007/10/1/326534

This will be in sharp contrast to kernel design, where it's just one
person wanking around with their opinions. :-)

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



Re: Seagate announces hardware FDE for laptop and desktop machines

2007-10-02 Thread Steven M. Bellovin
On Tue, 02 Oct 2007 15:50:27 +0200
Simon Josefsson [EMAIL PROTECTED] wrote:

> 
> It sounds to me as if they are storing the AES key used for bulk
> encryption somewhere on the disk, and that it can be unlocked via the
> password.

I'd say "decrypted" by the password, rather than "unlocked", but that's
the right way to do it: since it permits easy password changes.  It
also lets you do things like use different AES keys for different parts
of the disk (necessary with 3DES, probably not with AES).

> So it may be that the bulk data encryption AES key is
> randomized by the device (using what entropy?) or possibly generated
> in the factory, rather than derived from the password.
> 
There was this paper on using air turbulence-induced disk timing
variations for entropy...

--Steve Bellovin, http://www.cs.columbia.edu/~smb

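The key hierarchy Simon infers and Steve endorses above (a random bulk key, stored on the disk encrypted under the password rather than derived from it) is easy to make concrete. The Go program below is an added example written for this digest; it is not Hitachi's or Seagate's firmware and not code from anyone in the thread, and every design choice in it is an assumption about how such a drive could work: PBKDF2-HMAC-SHA256 for the password-derived key, AES-256-GCM to wrap the bulk key, two redundant key blobs, and the reading of "disable security" as rewrapping the bulk key under an empty password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed model of the key hierarchy the thread infers, not Hitachi's or
// Seagate's firmware: a random data-encryption key (DEK) does the bulk work
// and is stored wrapped under a password-derived key-encryption key (KEK).

// keyBlob is the "access method ... stored in an encrypted form": KEK salt,
// GCM nonce and AES-256-GCM(KEK, nonce, DEK). The drive keeps two copies.
type keyBlob struct{ salt, nonce, wrapped []byte }

// Drive is the controller's view: the DEK (nil while locked) and the blobs.
type Drive struct {
	dek   []byte
	blobs [2]keyBlob
}

// mustRandom stands in for the controller's RNG ("using what entropy?").
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// kekCipher derives the KEK with one block of PBKDF2-HMAC-SHA256 (RFC 8018,
// 10000 iterations, spelled out to stay in the standard library) and
// returns AES-256-GCM keyed with it.
func kekCipher(password, salt []byte) cipher.AEAD {
	prf := func(msg []byte) []byte {
		m := hmac.New(sha256.New, password)
		m.Write(msg)
		return m.Sum(nil)
	}
	u := prf(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(salt || INT(1))
	kek := append([]byte(nil), u...)
	for i := 1; i < 10000; i++ {
		u = prf(u) // Uj = PRF(Uj-1); KEK = U1 xor ... xor Uc
		for j := range kek {
			kek[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(kek) // cannot fail: the key is exactly 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	return aead
}

// NewDrive generates the DEK once (factory or first enable), never from the password.
func NewDrive() *Drive { return &Drive{dek: mustRandom(32)} }

// SetPassword rewraps the DEK under a password in both slots. Sectors encrypted
// under the DEK are untouched, so a password change, or "disable security" by
// rewrapping under an empty password, never has to rewrite the platter.
func (d *Drive) SetPassword(password []byte) error {
	if d.dek == nil {
		return errors.New("drive is locked")
	}
	for i := range d.blobs {
		salt, nonce := mustRandom(16), mustRandom(12)
		d.blobs[i] = keyBlob{salt, nonce, kekCipher(password, salt).Seal(nil, nonce, d.dek, nil)}
	}
	return nil
}

// Lock drops the DEK from controller memory, as a power cycle would.
func (d *Drive) Lock() { d.dek = nil }

// Unlock tries each redundant blob; one intact copy is enough, and the GCM
// tag rejects a wrong password or a corrupt blob instead of yielding garbage.
func (d *Drive) Unlock(password []byte) error {
	for _, b := range d.blobs {
		if len(b.nonce) != 12 {
			continue // slot never written or erased
		}
		if dek, err := kekCipher(password, b.salt).Open(nil, b.nonce, b.wrapped, nil); err == nil {
			d.dek = dek
			return nil
		}
	}
	return errors.New("wrong password or both key blobs corrupt")
}

func main() {
	d := NewDrive()
	d.SetPassword([]byte("correct horse"))
	before := fmt.Sprintf("%x", d.dek)
	d.SetPassword([]byte("battery staple")) // password change: the DEK is only rewrapped
	d.Lock()
	fmt.Println("old password:", d.Unlock([]byte("correct horse")))
	fmt.Println("new password:", d.Unlock([]byte("battery staple")), "same DEK:", before == fmt.Sprintf("%x", d.dek))
}
```

Run with `go run`: the old password is rejected, the new one unlocks, and the DEK is byte-for-byte the same as before the change, which is why Steve's "decrypted by the password" design makes password changes cheap. Under this model the how-to's "disable security" step that puzzled Simon has one plausible reading: the DEK is simply rewrapped under an empty password, so the data becomes accessible immediately with no background re-encryption, and the only way to make it inaccessible again is to destroy the key material, which is what the guide's secure-erase advice amounts to.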


Re: Linus: Security is people wanking around with their opinions

2007-10-02 Thread William Allen Simpson

I often say, "Rub a pair of cryptographers together, and you'll
get three opinions.  Ask three, you'll get six opinions."  :-)

However, he's talking about security, which often isn't quantifiable!

And don't get me ranting about provable security  Had a small
disagreement with somebody at Google the other week, as he complained
that variable moduli ruined the security proof (attempts) for SSH.
