Monday, 30 August 2010

Security Digest #12

This month's headlines: an aviation disaster report, and a perfect quantum crypto hack.

Programmer Kills 154 in Air Crash

The Register reports what might be the first ever case of malware contributing directly to the cause of a fatal air crash:
The accident on take-off happened after pilots had abandoned an earlier take-off attempt and a day after two other reported problems on board. If the airlines' central computer was working properly a take-off after three warnings would not have been allowed, thereby averting the tragedy.
On August 20th 2008, a McDonnell Douglas MD-82 aircraft owned by Spanair, on scheduled flight number JK 5022 to Las Palmas, crashed just seconds after taking off from Barajas Airport, Madrid, with 172 people on board. The crash and subsequent fire killed all but 18.

Now it has emerged, according to a report in the Spanish El Pais daily newspaper, that multiple problems with the plane failed to raise any alarm, due to the existence, at the time of the fatal crash, of Trojan infections on the airline's central maintenance computer.

According to the report by independent crash investigators,
The plane took off with flaps and slats retracted, something that should in any case have been picked up by the pilots during pre-flight checks or triggered an internal warning on the plane. Neither happened, with tragic consequences.
(TechNewsDaily report here) The lessons to be drawn from this are surely too obvious to need repeating, and particularly so for anyone working in the intersection of the software and aviation industries (holds up hand).

Quantum Cryptos Pwned

Recent months have seen several commercial quantum encryption systems apparently compromised, although in the related wars of words, grey areas have emerged in questions such as: what levels of error occurrence and detection can be achieved, and what levels should be used for intruder detection.

This report is different. From the University of Science and Technology, Trondheim Norway, via Nature Photonics, comes word of Lars Lydersen and his international team of research colleagues, who have successfully cracked two commercially available quantum crypto systems, Switzerland's ID Quantique, and MagiQ Technologies of Boston Mass., obtaining full disclosure of their quantum encryption keys without detection.

The exploit is a "purely technological" one, which the two companies should have no problem in mitigating. It involves shining a continuous mW laser at
the receiver, rendering it blind to the quantum properties of the incoming data stream, while still receiving and responding correctly to the contained classical data.

However it does raise the question of whether any practical system - in this case, both were quantum key distribution (QKD) implementations - can be designed which does not exhibit such technological deficiencies and vulnerabilities, and just how this could possibly be proved.

XSS Excesses

Casale Media's Julia Casale-Amorim wrote in detail about a well-structured and professional looking "malvertising" attempt made by fake agency BellasInteractive on her display media company.

This is an extensive and incredibly detailed analysis of a sophisticated system of attack that's becoming more common (recent reports here have placed XSS incidents second in frequency only to SQL injections). Chilling to think how many similar exploits run successfully to completion and publication, without being detected until they appear as statistics on a security vendor's annual survey.

That is all.

No comments:

Post a Comment