
As promised in my 1st semester retrospective, here is a retrospective of the 2nd semester (Spring Semester).

The second semester consisted of three courses, two core courses and one free elective. I picked the following courses:

  • Distributed Systems
  • Network Security
  • Secure Software Systems

You can take a look at the syllabus for each course here. I can't tell for sure which semester was tougher, the 1st or this one. I guess this 2nd semester involved more work, but by then you are more used to it, so you can handle things better.

(more…)


Despite what some people (including RapidSSL) said about the recent MD5 collision attack on SSL, the truth is that just because RapidSSL stopped using MD5 for issuing certificates, it doesn't mean the world is safe again.

The researchers were able to create a rogue Certification Authority certificate. That means they hold a certificate that browsers accept as a CA, so they can mint a valid-looking certificate for any site they want. Nobody can tell me that a criminal organisation wasn't able to do the same, and if one was, it doesn't matter whether RapidSSL stopped using MD5 or not. In theory, RapidSSL would need to revoke the CA certificate that signed the rogue one to be sure the problem was solved. The catch is revocation checking: a certificate normally carries a URL (a CRL distribution point or an OCSP responder) that the browser uses to check whether it has been revoked. The researchers' rogue CA certificate had very limited space left and could not include such a URL, which means that by default both Internet Explorer and Firefox have no revocation server to check it against. Basically it is up to the browser vendors to solve the problem permanently, for example by refusing certificates signed with MD5.

SSL is subject to many types of attacks, especially man-in-the-middle attacks. Users usually ignore SSL warnings, so they will most likely not notice a man-in-the-middle attack. One way to be better protected is to install Perspectives, a Firefox plugin developed by a couple of grad students from Carnegie Mellon University, that monitors the certificates of the sites you visit and warns you if a site's certificate has changed.

So let's imagine you want to log in to your home banking to make some wire transfers (or to any other site that uses SSL). Here is a checklist that will make your SSL browsing safer:

  1. Make a bookmark of your home banking site. Double check that the URL is correct.
  2. Install Perspectives.
  3. If your browser is running, quit it and start it again (so it's a fresh run).
  4. Go to your bookmarks and click on the home banking bookmark. DO NOT load any other web page before it. Make sure the home banking site is the first page loaded.
  5. Make sure Perspectives says the home banking site is safe (its certificate matches what was seen before).
  6. Now it is safer to use the home banking site. You can do whatever you need to do there.
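The two checks discussed above, written out as an added example (this is not code from the post, from any browser, or from the Perspectives plugin): a DER walker that extracts the signature algorithm of each certificate in a chain and rejects MD5-signed ones, which is the browser-side fix the MD5 post calls for, and a first-seen fingerprint store that reports a changed certificate, which is the local core of what Perspectives does (the real plugin additionally asks remote notaries what they observed; that part is not reproduced here). The "certificates" fed in are constructed stubs with only the outer X.509 shape (stub tbsCertificate, real AlgorithmIdentifier, dummy signature); the host name and serial numbers are made up.

```python
"""Added example: reject MD5-signed certificates in a chain and detect a
changed leaf certificate for a host. Stubs stand in for real certificates."""
import hashlib

# Signature-algorithm OIDs from RFC 3279 / RFC 4055. md5WithRSAEncryption is the
# one the collision attack abused; anything else here is accepted.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
REJECTED_SIG_ALGS = {"1.2.840.113549.1.1.4"}
MD5_OID, SHA256_OID = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Base-128 OID decoding (first byte packs the first two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the TBS and return the dotted OID of the outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)           # tbsCertificate (not parsed here)
    _, sig_alg, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


def check_chain(chain_der):
    """(accepted, reasons) for a leaf-first chain. Pass the chain without the
    self-signed trust anchor: its own signature is not what a verifier relies on."""
    reasons = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        if oid in REJECTED_SIG_ALGS:
            reasons.append(f"cert #{i} signed with {SIG_ALG_NAMES.get(oid, oid)}")
    return (not reasons, reasons)


class FingerprintStore:
    """Trust-on-first-use: remember the leaf fingerprint per host, flag a change."""
    def __init__(self):
        self._seen = {}

    def observe(self, host, leaf_der):
        fp = fingerprint(leaf_der)
        if host not in self._seen:
            self._seen[host] = fp
            return "new"
        return "consistent" if self._seen[host] == fp else "changed"


# --- constructed stub certificates (only the outer X.509 shape) -----------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_stub_cert(sig_oid, serial=1):
    """Constructed for this example: stub TBS, real AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, bytes([serial])))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 8)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Leaf signed with SHA-256 by an intermediate that was itself MD5-signed: rejected.
    chain = [make_stub_cert(SHA256_OID, 1), make_stub_cert(MD5_OID, 2)]
    print(check_chain(chain))
    store = FingerprintStore()                  # host name is made up
    print(store.observe("bank.example", chain[0]))
    print(store.observe("bank.example", make_stub_cert(SHA256_OID, 3)))
```

The chain check looks at every certificate handed to it, because the rogue certificate in the attack was an intermediate, not a leaf: a policy that only inspects the end-entity certificate would have accepted the SHA-256-signed leaf underneath it. The fingerprint store only says that something changed; like Perspectives, it cannot tell a legitimate renewal from an attack, which is why the checklist above has you load the banking site first, before anything else has had a chance to tamper with the session.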

While there are people out there working for 1 cent an hour, CAPTCHA will never be bulletproof, simply because it was never meant to be human-proof.

Check out http://www.anti-captcha.com/ or the Google translation here, since the original site is in Russian. Impressive that they even offer SLAs.


A lot of people have been asking me for a retrospective of the Lisbon MSIT-IS (Masters in Information Technology - Information Security) program from Carnegie Mellon, so I decided to post here a review of the previous semester.

First of all, this is a Dual Program (MSIT-IS from CMU and Mestrado em Segurança Informatica from FCUL). The entire program is held at FCUL in Lisbon, although a lot of the courses are lectured from Carnegie Mellon. You also have the option to go to Pittsburgh for the Summer Semester to write your Thesis.

Photos: CMU classroom, CMU campus

The program started in the last week of August '08. The Portuguese students were invited to go to Pittsburgh for an orientation session and for the first week of classes. There we got familiar with the campus and the school procedures, and we had a taste of what it is to be a student at CMU.

After that week we returned to Lisbon, where we attended classes in a high-tech classroom at FCUL prepared for video-conferencing with Carnegie Mellon. All remote classes were live and interactive. Students in Portugal could see students at CMU (and vice-versa), they could interrupt the class and ask questions, etc. The experience was quite pleasant and it was pretty much as if we were there.

(more…)


I had to post this. Couldn’t resist.

exploits_of_a_mom.png


The PHP Summer School ends tomorrow. About twenty people took part in this course and the outcome seems to have been quite positive for the trainees.

We covered a bit of everything, from Linux, web servers and the very basics of PHP up to more advanced topics such as OOP, web services, PHP & performance and PHP & security.

Let's hope everyone manages to get the PHP certification and joins the club. :-)
As a trainer I also enjoyed the experience a lot. Here are the slides for the two modules I taught:


Around 80% of the spam messages on the Internet are sent by spam zombies. For those who don't know what I'm talking about, spam zombies are ordinary PCs that were infected by some malicious software and are then controlled by a spammer.

The spammer then uses a back office to send orders to those infected PCs, basically to send spam for a living.

Zunker

This nice post by pmontoya shows exactly what such a back office looks like.


Crime on the Internet is old news, especially crimes involving sexual predators and child pornography. In my opinion, in the near future we will all need to be a little more careful about the things we publish on the Internet, for our own safety. There is a niche of crimes that hasn't been exploited yet, and I realise a lot of people are not even aware of the kind of information they publish online.

I'm talking about the use of the Internet to help burglars rob homes. If you think about it for a while, a lot of people publish on their blogs where they are. Some even have maps of their current location. They also publish on their blogs about the toys they buy, their stuff, etc., and all of this together can help a burglar choose its next target. However, I have not read about something like this happening yet.
Today I read a story about the use of Orkut for other types of crimes. Earlier this month, a 43-year-old woman was robbed and brutally murdered after a date arranged on Orkut. More recently, a 19-year-old boy committed suicide after a defamatory message about him was spread on Orkut. For this reason, and after several battles between Orkut and Google, the Brazilian authorities have blocked or are going to block Orkut (whatever that means) in Brazil.


I was reading a paper about an engine to detect phishing web sites, CANTINA, developed by Carnegie Mellon University and the University of Pittsburgh. I guess they came up with an interesting idea:

Roughly, CANTINA works as follows:

  • Given a web page, calculate the TF-IDF scores of each term on that web page.
  • Generate a lexical signature by taking the five terms with the highest TF-IDF weights.
  • Feed this lexical signature to a search engine, which in our case is Google.
  • If the domain name of the current web page matches the domain name of the N top search results, we consider it to be a legitimate web site. Otherwise, we consider it a phishing site. (We varied the value of N, as described in the evaluation, to balance false positives with false negatives; however, we found that going beyond the top 30 results had little practical effect.)

They say the effectiveness of this engine is 95%. I guess they're presenting this paper at WWW2007.

Now you ask: what the hell is TF-IDF?
The term frequency (TF) is simply the number of times a given term appears in a specific document. The inverse document frequency (IDF) measures how rare a term is across the entire collection of documents: a term that appears in almost every document gets a low IDF, a term that appears in only a few gets a high one. The product TF-IDF is therefore high for terms that are frequent on this page but uncommon elsewhere, which is what makes them a good fingerprint of the page (a phishing page that copies a bank's login page ends up with the bank's own fingerprint, but hosted on the wrong domain).
