Phillip Hallam-Baker's Web Security Blog

Recently I have been restoring my 1977 MGB Roadster over the weekends. While removing the carpet I discovered a problem, there was wood underneath the carpet rather than steel.

From a strength point of view there is absolutely nothing wrong with a wooden floor. Most houses have wooden floors. The MGs of the 1950s had wooden floors when the left the factory. The problem is not the wooden floor itself, the problem is that I expected to find steel. The previous owner was clearly hiding something and when the wood panels were finally removed I found a rust problem that could have been serious if left much longer.

That in a nutshell is the problem that we are currently finding with the cryptographic digest function SHA-1. We keep finding wood where the design calls for steel. The defects found to date are not a major safety concern in themselves, the problem is what they say about the security of the design.

It may be possible to repair the car with a special purpose rust inhibiting epoxy paint. If the rust turns out to be too bad it will be necessary to have the old floors removed and new ones welded in place.

Similar options exist to fix SHA-1. In the short term the industry is switching to SHA-2 which is believed to be considerably stronger and offers 256 and 512 bit versions. In the longer term a replacement will be agreed. The good news is that there is no reason at this point to believe that SHA-1 is unsafe to drive.

Posted by Phillip Hallam-Baker at 10:32 PM | Permalink | Comments (0) | TrackBacks (0)

Infoworld asks whether the end of anti-virus scanners may be upon us.

There are really two separate questions here: first is there no longer a need for AV software, second does AV software provide any usefull protection? While the answer to the first question is clearly yes the answer to the second is increasingly no.

The problem with anti-virus scanners is that they try to play a game that is weighted heavily in favor of the attacker. The effort required to write a new virus is orders of magnitude less than the effort required to detect a virus, fingerprint it and distribute the fingerprint data. The anti-virus providers could win the game when the number of viruses was relatively small and the viruses propagated themselves by reading address books. Today the virus writers win by blasting out their trojans by the tens of million in the space of an hour. The trojans have already made it into user's inboxes by the time the signature is ready.

The way to win is to detect and patch vulnerabilities rather than attacks. Everyone recognizes that if you wait until the worm is launched it is too late to upgrade your database software. Malware removal tools have their uses, if a machine has been compromised they are the only way to restore it to health. Like the hospital Emergency Room, when they are needed they are needed urgently but a security strategy that relies on fingerprint detection techniques alone is as bogus as a healthcare strategy where the Emergency Room is the first recourse rather than the last.

Posted by Phillip Hallam-Baker at 05:03 PM | Permalink | Comments (1) | TrackBacks (0)

The BBC reports that stock pump and dump scammers are offering their services to companies to 'improve' their stock prices.

Its not a suprising development but it would be very surprising if it became a widespread problem. The pump and dump spams make money for the perpetrators in the very short term. In most cases a stock that has been targetted by a pump and dump scam will be trading significantly below the original asking price a few weeks later.

The management of a company would have to have a very short term reason for inflating their stock price in order for this type of scheme to be attractive. There are much simpler ways to achieve the same effect that do not involve such clear cut illegality.

It is not difficult to see why the net effect of these schemes is to reduce the price of the stock. Pump and dump schemes target 'penny stocks', stocks that trade in very limited volumes. The thin trading volume means that a small increase in demand for the stock can lead to a rapid increase in price. Speculators drawn in by the pump and dump spams and momentum traders attempting to profit from the rapid rise in price both increase demand for the shares and the volume of shares changing hands. Shareholders with large positions that they had previously been unable to unload have a small window of opportunity in which they can dispose of their shares. Few people will pass up the opportunity to sell for a million dollars what they had been unable to sell at half the price for several years.

Once the temporary effect of the speculation has ended fewer shares will be held by long term investors and a greater proportion will be held by short term speculators. Such a market will clear at a lower level than it did previously.

If the stock scammers had a deeper understanding of what is going on they might well propose their services to competitors of companies in this position rather than the companies themselves. I expect the next wave of solicitations for this type of service to propose it as a means of engineering a hostile takeover of a competitor.

Posted by Phillip Hallam-Baker at 02:32 PM | Permalink | Comments (0) | TrackBacks (0)