TURKEY’S RETURN TO GLORY March 22, 2009
Posted by Can ARIK in Security.Tags: Security
add a comment
For reasons of history, culture and geography, there is a surprising opportunity for Turkey to assume a position of central global leadership in the 21st century and thereby further all of its legitimate national interests.
This is shocking considering the fact that the West and the Arab world often associate the Ottoman Empire with a case study in long-term decay. But it turns out that Ottoman history is replete with extraordinary cultural wealth that is perfect for this moment of history, especially when it comes to the nonviolent diplomatic engagement of multiple civilizations and religions.
This is exactly what the world needs right now. Turkey is where the West and the East must meet, this is where Islam must engage and be engaged, this is where Jews must reconcile with Muslims, and this is where Arabs, Muslims, Jews and Christians must find a new basis for an international social contract between them.
The current divisions are clear, regarding Israel, Palestine and Hamas, for example. It is also clear that Turkey is shifting its traditional role as a non-Arab military power in the region. The prime minister has clearly shifted gears in terms of standing up to Israel’s conduct of its war in Gaza, as well as demonstrating a clear willingness to engage Syria, Hamas and Iran, essentially those who the powerful neoconservatives in Washington labeled “the axis of evil.” This is a bold and difficult move, but if it is framed in the right way it may place Turkey at the cutting edge of diplomatic practice in the 21st century.
In order for Turkey to resume its historic role as a successful weaver of civilizations and religions it will need to perfect its skills of international diplomacy. The nexus at which Turkey is situated is fraught with difficulty, but also with immense opportunity. The West, Israel and the Arab world are in a place of extreme tension with Iran. The West and at least significant portions of the Arab world are in tension and division with Hamas. The West, Israel and Europe are in a significant — though more muted — place of tension with Islamic civilization. Most importantly, much of the world is in great tension with Israeli policies. Turkey has the potential to positively impact all these fronts.
The key to all Turkish engagement must be what I would refer to as ‘positive diplomacy.’ Positive diplomacy focuses on opportunities rather than problems, on relationships rather than controversies and on encouragement rather than criticism. Turkey is to be applauded for roundly criticizing Israel’s use of excessive force in Gaza because the humanitarian circumstances of the war were extreme. But now it is time to turn the message in a positive direction.
Most importantly, in order to not be blackmailed in Washington by reactionary lobbies that do not want to see peaceful progress in the Middle East, Turkey must jettison old forms of diplomacy that focused narrowly on defense of Turkish pride, especially regarding Armenia and the tragic violence at the beginning of the 20th century.
An integrated set of aggressive strategies is called for. These include: First, a very public engagement and reconciliation with Armenia that is accompanied by significant gestures to Armenian citizens, including possibly official welcoming ceremonies to visit Turkey, commemoration of past life in Turkey and also shared mourning of loss of life; second, an embrace of human needs in Azerbaijan, and a commitment to help Azerbaijan develop a more successful negotiation with Armenia in the future; third, an embrace of Jews, Judaism and Israelis that is very public and builds on past relations but that is combined with a strong embrace of Palestinians and very public efforts to negotiate with Hamas on the foundations of a long-term treaty with Israel; and fourth, an ongoing engagement with Syria and Iran as to the conditions of their engagement with Israel and with the Arab world.
The most important point is that Turkey needs to escape the straitjacket of old defensive diplomacy in Washington that held them hostage to the Armenian issue, and instead reclaim their historical, geopolitical and cultural nobility as a bridge of civilizations, continents and religions. This is where the very progressive Islam that is guiding many Turkish citizens today can be a paradigm of enlightenment and democracy that will put the lie to the reactionary Western — and extreme Arab — perceptions of Islamic civilization as violent. Secondly, freed from pressure in Washington by aggressively pursuing a new relationship with Armenians, Turkish leadership will be able to positively engage Jews on their own terms, as they did for centuries, while at the same time calling upon them to engage all Palestinians with dignity, respect and generosity. Turkey is a country that can officially and openly invite hundreds of Israeli professionals and spiritual and cultural leaders to engage in a new relationship with Palestinians on Turkish soil as equals, to engage Muslims, to engage Gazans, to engage Hamas. This could be revolutionary for conflict resolution in Israel and Palestine.
A clever politics can also be a visionary politics. US President Barack Obama has pioneered a politics that combines vision and pragmatism, realism and hope. Turkey can do the same through the venue of its new/old model of enlightened Islamic civilization. Mevlana Jelaluddin Rumi, for example, is one of the most popular poets in the world today, and Sufis are the pioneers everywhere I go in the Arab Middle East where there are bold young peacemakers. This is the age of Rumi, this is the age of the Sufi visionaries and peacemakers.
If this path is pursued with humility and without arrogance, I am convinced that even the most conservative elements in the Arab world will be challenged and even enticed. No one in the Gulf wants the shadow of Osama Bin Laden to haunt the Arab and Muslim worlds forever. The poison has spread broadly to Central Asia, and everyone fears that this is threatening the fabric of the Muslim social order, while it simultaneously emboldens intolerance of Islamic civilization in the West. We need bold leadership in the Muslim world, we need bold partners to prod with great confidence Israel and its enemies to earnestly pursue a final settlement. No one is situated better than Turkey, and no one will be more grateful than President Obama, the most powerful leader in the world today. Turkey needs to bury its ghosts of the 20th century so that the 21st century will see its return to international glory. The time has come for an Ottoman-inspired enlightenment. (http://www.marcgopin.com)
Prime Minister Erdogan Honored by the Jewish Anti-Defamation League in the United States
Reopening of the Neve Shalom Synagogue in Turkey after it had been bombed
Prime Minister Erdogan Receiving Hero’s Welcome After Speaking Against Israel’s War in Gaza
No police charges in accidental terror death February 16, 2009
Posted by Can ARIK in Counter-Terrorism.Tags: Counter-Terrorism
add a comment
No police will be charged in the death of a Brazilian who was mistakenly shot by officers in the tense days following 2005 terror attacks in London, prosecutors announced Friday after a new review of the case.
Prosecutors had previously decided not to file charges against any police for killing 27-year-old Jean Charles de Menezes in a London subway car two weeks after 52 commuters were killed in suicide bombings on the British capital’s transport network.
But prosecutors were required to review the case one final time after a jury at a coroner’s inquest returned an “open verdict” on his death in December.
Prosecutor Stephen O’Doherty said there was insufficient evidence that police had committed any offense.
De Menezes was mistaken for a suicide bomber. In returning its “open verdict,” the inquest jury rejected police claims that they lawfully killed de Menezes, who was shot seven times at close range by police who followed him onto a subway car.
Police had insisted they were trying to protect the public from a suicide attack when its officers shot the unarmed man. De Menezes was killed as he sat aboard a subway train on July 22, 2005, a day after terrorists tried to set off bombs on London’s transit system and two weeks after four suicide bombers killed 52 bus and subway commuters.
The two officers who shot him testified that they believed de Menezes was one of the failed bombers who had tried to attack subway trains and a bus the day before. De Menezes had an apartment in the same building as Hussain Osman, a subway bombing suspect later convicted in the failed July 21 attack. But in their December verdict, the 10 jurors rejected several claims made by police.
London’s acting police chief Paul Stephenson said de Menezes’ killing had been a “terrible mistake.” “He was an innocent man and we must, and do, accept full responsibility for his death,” Stephenson said in December. But he said that the anti-terror officers “set out with the intention to defend and protect the public” and that “no one set out that day to kill an innocent man.”
No individual has been charged in de Menezes’ death. A British court convicted London’s police force last year of health and safety violations for endangering the public’s safety during the shooting. The force was fined 560,000 pounds ($820,000).
AP
Dutch politician Geert Wilders to be deported after being refused entry to Britain February 13, 2009
Posted by Can ARIK in Security.Tags: Security
add a comment
Geert Wilders, the controversial right-wing Dutch MP, is to be deported after being refused entry to Britain at London’s Heathrow Aiport.
Wilders, who is the leader of the Freedom Party, flew into the UK in the face of a ban from the Home Secretary Jacqui Smith just after 2pm to show an anti-Muslim film at the House of Lords.
He was seized by two border guards who boarded the BMI aircraft as it sat on the tarmac and was marched into a side room in the main Terminal One building.
The politician, who was invited by the UKIP peer Lord Pearson and cross-bencher Baroness Cox, had earlier been warned that Miss Smith viewed his presence in the country as a threat to the “fundamental interests of society”.
The Home Office refused to confirm the flight on which the politician would be placed.
But Mr Wilders’s spokesman in Amsterdam said that he understood that he would sent back to the Dutch capital within two hours.
As he was escorted off the aircraft Mr Wilders said: “Is this how Great Britain welcomes a democrat?”
He was invited to Westminster to show his 17-minute film Fitna, which criticises the Koran as a “fascist book”, by a member of the House of Lords.
But on Tuesday he received a letter from the Home Office refusing him entry because his opinions “would threaten community security and therefore public security” in the UK.
Mr Wilders condemned the British Government as “weak and cowardly” and vowed he would make the trip anyway.
He left Amsterdam on a BMI flight at lunchtime and the aircraft touched down at London’s Heathrow Airport at about 2pm.
BMI refused to confirm that Mr Wilders had booked a flight with the airline, citing data protection laws.
A spokesman said only: “We are obliged to observe Government-enforced travel restrictions. If they are imposed, we are duty-bound to abide by them.”
Mr Wilders has urged the Dutch government to ban the Koran and warned of a “tsunami” of Islam swamping the Netherlands.
His film sparked violent protests around the Muslim world last year for linking verses in the religious text with footage of terrorist attacks.
He has launched an appeal against an Amsterdam court’s order that he should be prosecuted for hate speech.
Mr Wilders said he had already shown his film to Denmark’s parliament and would take it to Italy and the US House of Representatives in the coming weeks.
He told the BBC: “I was very surprised and very saddened that the freedom of speech that I believe was a very strong point in UK society is being harassed today.”
Dutch Foreign Minister Maxime Verhagen said the government of the Netherlands would press for a reversal of the travel ban.
UK Independence Party peer Lord Pearson, who invited Mr Wilders to Britain, said the screening of the film would go ahead today “with or without Mr Wilders”.
In a joint statement he and cross-bench peer Baroness Cox said they were “promoting freedom of speech” and accused the Government of “appeasing” militant Islam.
They added: “Geert Wilders’ Fitna film, available on the web, is not a threat to anyone. It merely suggests how the Koran has been used by militant Islamists to promote and justify their violence.”
The Home Office said: “The Government opposes extremism in all its forms. It will stop those who want to spread extremism, hatred and violent messages in our communities from coming to our country, and that was the driving force behind tighter rules on exclusions for unacceptable behaviour that the Home Secretary announced in October last year.”
Liberal Democrat home affairs spokesman Chris Huhne said: “Freedom of speech is our most precious freedom of all, because all the other freedoms depend on it.
“But there is a line to be drawn even with freedom of speech, and that is where it is likely to incite violence or hatred against someone or some group.
“Having watched Geert Wilders’ movie Fitna, with its raw and emotional appeals to anti-Islamic feeling and its shocking images of violence, there is no doubt in my mind that he has overstepped the line that should be defended in a civilised society and that the Home Secretary’s ruling is right.”
A spokesman for the Conservative Party said it did not wish to comment.
The National Secular Society’s president said he wrote to Home Secretary Jacqui Smith arguing that she had made a mistake in denying an application by a “democratically-elected politician from a sovereign state who wants to come and express an opinion”.
Terry Sanderson said: “It may be a controversial opinion but he is entitled to express it. We think that the wrong people are being targeted here because the reason they have given for refusing him entry is that it may result in some kind of public disturbance.”
Mr Sanderson said that, while the organisation did not agree with a lot of what Mr Wilders said, the right way to deal with it was to “argue with him, debate and discuss – not silence him”.
A spokesman for the Muslim Council of Britain said: “Geert Wilders has been an open and relentless preacher of hate – there is little difference between his views and those of the far right.
“Mr Wilders’ xenophobic views have been identified as repugnant by a Dutch court, and is now confirmed by his official exclusion from the United Kingdom.”
Mohammed Shafiq, chief executive of Muslim youth organisation the Ramadhan Foundation, supported the Government’s stance.
He said: “His hatred of Islam is based on fiction and his presence in the UK may lead to community tensions. Mr Wilders and his fascist views are not welcomed to our country where we pride ourselves as a multi-faith society.”
Telegraph (UK)
Britain under attack from 20 foreign spy agencies including France and Germany February 8, 2009
Posted by Can ARIK in Intelligence.Tags: Intelligence
add a comment
Spies from 20 foreign intelligence agencies, including Nato allies such as France and Germany, are attempting to steal Britain’s most sensitive secrets.
Russia and China have been identified as having the most active spy networks operating in the UK but it is understood that some European countries are also involved in espionage attacks against Britain.
Details of the spy plots were revealed in a government security document obtained by The Sunday Telegraph which states that Britain is “high priority espionage target” for 20 foreign intelligence agencies.
Security sources have revealed that the list of foreign agencies operating within the UK includes Iran, Syria, North Korea and Serbia, as well as some members of the European Union, such as France and Germany, who have traditionally been regarded as allies.
The document, marked “restricted”, warns that foreign spies are trying to steal secrets related to the military, optics, communications, genetics and aviation industries.
The report, which was drawn up by an Army intelligence cell inside Whitehall, warns that it is too easy to “lose sight” of the threat from traditional espionage and become solely focused on attacks by al Qaeda.
The document, which has been distributed to all government departments, states: “Whilst our primary threat would seem to come from International Terrorism, it is important that we do not lose sight of another omnipresent threat. Espionage against UK interests continues to come from many quarters.”
The report, dated 19th January 2009, continues: “In the past, espionage activity was typically directed towards obtaining political and military intelligence. In today’s high-tech world, the intelligence requirements of a number of countries now include new communications technologies, IT, genetics, aviation, lasers, optics, electronics and many other fields. Intelligence services, therefore, are targeting commercial enterprises far more than in the past.
“The UK is a high priority espionage target and a number of countries are actively seeking UK information and material to advance their own, military, technological, political and economic programmes.
“It is estimated that at least 20 Foreign intelligence services are operating to some degree against UK interests. Of greatest concern are the Russians and Chinese. The number of Russian intelligence officers in London has not fallen since the Soviet times.”
A Whitehall source told The Sunday Telegraph that Russia uses its massive spy network as an “extension of state power” in an attempt to “further its own military and economic base”.
The source said: “If a country, such as Russia or Iran, can steal a piece of software which will save it seven years in research and development then it will do so without any hesitation. Russian agents will target anybody that they believe could be useful to them. Spying is hard-wired into the country’s DNA. They have been at it for centuries and they are simply not going to stop because the Cold War has ended.”
The source added that Britain’s European neighbours, including Germany and France, were also engaged in industrial and political espionage within the UK.
Many senior figures in Britain’s intelligence community are frustrated by the activities of Russian spies which they claim is detracting from the fight against al-Qaeda and international terrorism.
In a speech in November 2007, Jonathan Evans, the director general of MI5, said that foreign intelligence services were active in the UK, with the Russians at the forefront of covert operations.
He said: “Despite the Cold War ending nearly two decades ago, my service is still expending resources to defend the UK against unreconstructed attempts by Russia, China and others, to spy on us.
“A number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense.
“They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks.
“It is a matter of some disappointment to me that I still have to devote significant amounts of equipment, money and staff to countering this threat.
“They are resources which I would far rather devote to countering the threat from international terrorism – a threat to the whole international community, not just the UK.”
Patrick Mercer, the chairman of the House of Commons counter-terrorist subcommittee, said the document served as a warning to Britain that the Cold War espionage threat had not gone away.
He said: “Britain is at the forefront of many cutting edge technologies and these are extremely attractive to lots of other countries, some of whom may actually be our allies.
“This serves as a timely reminder that our counter-intelligence assets must not be solely concentrated on countries with a traditional track record of espionage against us.”
The Sunday Telegraph
User info on crashed PCs helps hackers February 7, 2009
Posted by Can ARIK in Cyber-Terror.Tags: Cyber-Terror
add a comment
Even hackers are taking the easy way out. They are now riding piggy-back on your problems to virtually take over your computer.
Surfing the web for vulnerabilities is the new modus operandi for them. Unsuspecting netizens, who put out their woes about systems crashing on the web, are in for a nasty surprise.
Web attackers are taking this code that crashes the PC and combining it with their own code that takes control over the machine. This cuts their work by half.
These “zero-day-attacks” , which do not yet have a software patch ready to fix the problem, have been cropping up of late, says a report by Websense, a global leader in integrated web, data and e-mail security. Web attackers are taking advantage of these codes put up by people who are sincerely looking for a solution to the problem and misusing it to steal financial and other sensitive data from PCs that come under their control.
How this attacks work is that hackers put out a combination of both codes on to any public forum. When any user clicks on the malicious site, the hackers gain control over that PC. The code put out by a genuine netizen helps corrupt the victim’s system and then the malicious code mixed with it by the attacker helps hack into the system completely. So far these attacks have targeted gaming sites and blogs, but they could spread else where too.
The Economic Times.
The spam mail in your inbox could be a terrorist’s handiwork February 6, 2009
Posted by Can ARIK in Cyber-Terror.Tags: Cyber-Terror
add a comment
Watch out! The spam mail that just hit your inbox could be a encrypted information from a terrorist to his companions.
With terrorists using internet and other communication technologies to plan, plot and carry out their subversive activities, intelligence agencies reckon that some of the millions of spam mails that are sent out daily, could be the handiwork of these groups.
“Numerous softwares and websites are now available through which one can easily send spam to numerous e-mail account holders. Terrorists, who are now more tech savvy than before are sending out encrypted messages to millions including the one actually it is meant for,” a senior Home Ministry official said.
Explaining the rationale behind sending out a secret message to millions to avoid any risks, the official said, “99 per cent of the people don’t even bother to check spam mails which usually get delivered in the spam box because of strong firewall of e-mail service providers. Usually people just delete them. Moreover, the message is in encrypted form and hence any ordinary person would not be able to decipher it.”
Adding to spam mails, multimedia files like pictures, audio and video files are another source of sending coded information.
The Economic Times
Police Study Way to Jam Cellphones in an Attack January 11, 2009
Posted by Can ARIK in Counter-Terrorism.Tags: Counter-Terrorism
add a comment
New York police officials are studying the feasibility of disrupting cellphone communications between terrorists during any attack, after revelations that gunmen in Mumbai received electronic transmissions during their killing spree in November.
Police Commissioner Raymond W. Kelly raised the possibility in Washington at a Senate hearing on Thursday, but he noted there were technological hurdles to shutting down cellular service in a narrow location, like a hotel or movie theater.
At the hearing of the Senate Committee on Homeland Security and Governmental Affairs, Mr. Kelly testified, “Law enforcement needs to find ways to disrupt cellphones and other communications” during an unfolding crisis like the one in Mumbai.
But he stressed, under questioning by senators, that care must be taken in pursuing such plans, suggesting that widespread shutdowns could hamper emergency personnel or keep civilians from making emergency calls.
Later, Paul J. Browne, the Police Department’s chief spokesman, said the department wanted to preserve the option of monitoring conversations between terrorists should that prove more advantageous than cutting them off. He said that any plan to shut electronics transmissions was “only in the discussion stage.”
Mr. Browne said, “Our communications and technology people are looking for ways to disrupt cellphone and hand-held devices in a pinpointed way.”
He added: “We are not at a point where we are testing any equipment. We are talking to the industry and to people in other government agencies and among ourselves. What is known about this? What is possible? And what is being tested along these lines?”
Electronic jamming of cellphones or of global positioning systems is complicated but possible, and might already be in use by foreign military agencies, said Eric Lustig, a data systems manager at Eastern Communications, a Queens company that provides radio equipment to government agencies and other clients.
Cellular service in a big region, like a borough, could be simply shut down, he said. More compact sites, like an official motorcade, could be jammed by devices in the cars.
“You cannot draw straight lines around, or a circle around, an area where you would do it, but it is certainly possible to jam an area,” Mr. Lustig said. “If you are talking about a tall building, you would knock out cellphone communications for a far larger area. If you just wanted to knock out cellphones in a movie theater, it could be done.”
Mr. Lustig said it would be much more difficult to jam a satellite phone than a cellular phone, since the antenna is pointed at the sky.
Eric Schmitt contributed reporting. The New York Times
Terror networks use gambling websites for recruitment, finance January 3, 2009
Posted by Can ARIK in Cyber-Terror.Tags: Cyber-Terror
add a comment
Islamist terrorist networks, particularly al-Qaeda, are using gambling websites to launder money and train potential terrorists in Britai
n without them having to risk travelling to camps in Pakistan, a media report said on Friday.
Terrorism experts warned the security services that the Internet is increasingly being used to train terrorists and raise money and has become the primary medium for promoting radical Islam.
Quoting security sources, a newspaper reported that they are fighting a new battle against al-Qaeda on the Internet.
Al-Qaeda wants to create an “online university of jihad” that is recruiting and training potential terrorists in Britain without them having to risk travelling to camps in Pakistan, they said.
The terrorist network has also used computer experts to develop encryption software, known as ‘Mujahideen Secrets 2′, to allow militants to communicate by email without fear of interception by intelligence services.
Speaking at a select conference on the terrorist threat to Britain, experts from Jane’s Intelligence Group, said an online community was growing with younger and more impressionable people inadvertently sponsoring terrorism.
Terry Pattar, a specialist in counter-terrorism with Jane’s Strategic Advisory Services, said: “Al-Qaeda want to create a university of jihad online, both in a spiritual and financial sense.
“They want a community that can carry out attacks without having to travel abroad for training.”
Economic Times.
Experts uncover weakness in Internet security January 1, 2009
Posted by Can ARIK in Cyber-Terror.Tags: Cyber-Terror
add a comment
Independent security researchers in California and researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands have found a weakness in the Internet digital certificate infrastructure that allows attackers to forge certificates that are fully trusted by all commonly used web browsers. As a result of this weakness it is possible to impersonate secure websites and email servers and to perform virtually undetectable phishing attacks, implying that visiting secure websites is not as safe as it should be and is believed to be. By presenting their results at the 25C3 security congress in Berlin on the 30th of December, the experts hope to increase the adoption of more secure cryptographic standards on the Internet and therewith increase the safety of the internet.
When you visit a website whose URL starts with “https”, a small padlock symbol appears in the browser window. This indicates that the website is secured using a digital certificate issued by one of a few trusted Certification Authorities (CAs). To ensure that the digital certificate is legitimate, the browser verifies its signature using standard cryptographic algorithms. The team of researchers has discovered that one of these algorithms, known as MD5, can be misused.
The first significant weakness in the MD5 algorithm was presented in 2004 at the annual cryptology conference “Crypto” by a team of Chinese researchers. They had managed to pull off a so-called “collision attack” and were able to create two different messages with the same digital signature. While this initial construction was severely limited, a much stronger collision construction was announced by the researchers from CWI, EPFL and TU/e in May 2007. Their method showed that it was possible to have almost complete freedom in the choice of both messages. The team of researchers has now discovered that it is possible to create a rogue certification authority (CA) that is trusted by all major web browsers by using an advanced implementation of the collision construction and a cluster of more than 200 commercially available game consoles.
The team of researchers has thus managed to demonstrate that a critical part of the Internet’s infrastructure is not safe. A rogue CA, in combination with known weaknesses in the DNS (Domain Name System) protocol, can open the door for virtually undetectable phishing attacks. For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users’ passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.
“The major browsers and Internet players – such as Mozilla and Microsoft – have been contacted to inform them of our discovery and some have already taken action to better protect their users,” reassures Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms. “To prevent any damage from occurring, the certificate we created had a validity of only one month – August 2004 – which expired more than four years ago. The only objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security.”
According to the researchers, their discovery shows that MD5 can no longer be considered a secure cryptographic algorithm for use in digital signatures and certificates. Currently MD5 is still used by certain certificate authorities to issue digital certificates for a large number of secure websites. “Theoretically it has been possible to create a rogue CA since the publication of our stronger collision attack in 2007,” says cryptanalyst Marc Stevens (CWI). “It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard,” insists Lenstra.
Additional information:
The expert team of researchers consists of: Alexander Sotirov (independent security researcher), Marc Stevens (Cryptology Group, CWI), Jacob Appelbaum (Noisebridge, The Tor Project), Arjen Lenstra (EPFL), David Molnar (UC Berkeley), Dag Arne Osvik (EPFL) and Benne de Weger (TU/e).
More information on the discovery may be found on the websites of the researchers:
Researchers hack VeriSign’s SSL scheme for securing Web sites December 30, 2008
Posted by Can ARIK in Cyber-Terror, Uncategorized.Tags: Cyber-Terror
add a comment
With the help of about 200 Sony Playstations, an international team of security researchers has devised a way to undermine one of the algorithms used to protect secure Web sites — a capability that the researchers said could be used to launch nearly undetectable phishing attacks.
To accomplish that, the researchers said today that they had exploited a bug in the MD5 hashing algorithm used to create some of the digital certificates used by Web sites to prove they are what they claim to be. The researchers said that by taking advantage of known flaws in the algorithm, they were able to hack VeriSign Inc.’s RapidSSL.com certificate authority site and create fake digital certificates for any Web site on the Internet.
Hashes are used to create a digital “fingerprint” that is supposed to uniquely identify a given document and can easily be calculated to verify that the document hasn’t been modified in transit. But the flaw in the MD5 algorithm makes it possible to create two different documents that have the same numerical hash value.
That, the researchers said, explains how someone could create a digital certificate for a phishing site that has the same fingerprint as the certificate for a genuine Web site. They added, though, that they don’t expect to see any actual attacks using the flaw that they exploited — a point that Microsoft Corp. seconded in a security advisory in which it downplayed the threat to Internet users.
Using their farm of Playstation 3 machines, the researchers built a rogue certificate authority that could issue bogus certificates. The Playstation’s Cell processor is popular with code breakers because it is particularly good at performing cryptographic functions.
The researchers planned to present their findings today at the Chaos Communication Congress, a hacker conference being held in Berlin. Even before their talk took place, it already was the subject of speculation within the Internet security community.
The team that did the research work included independent researchers Jacob Appelbaum and Alexander Sotirov, as well as computer scientists from the Centrum Wiskunde & Informatica, the Ecole Polytechnique Federale de Lausanne, the Eindhoven University of Technology and the University of California, Berkeley.
Although the researchers believe that a real-world attack using their techniques is unlikely, they say their work shows that the MD5 algorithm should no longer be used by the certificate authority companies that issue digital certificates. “It’s a wake-up call for anyone still using MD5,” said David Molnar, a Berkeley graduate student who worked on the project.
In addition to VeriSign, TC TrustCenter AG, EMC Corp.’s RSA unit and Thawte Inc. use MD5 to generate their digital certificates, according to the researchers. They said that VeriSign also uses the algorithm on a certificate service offered through its Japanese Web site, in addition to RapidSSL.com.
Exploiting the MD5 bug to carry out an attack would be hard, because cybercrooks would first have to trick a victim into visiting the malicious Web site that hosts a fake digital certificate. That could be done, however, by using what’s called a man-in-the-middle attack. Last August, for example, security researcher Dan Kaminsky showed how a major flaw in the Internet’s Domain Name System could be used to launch such attacks.
And with this latest research, it’s now potentially easier to attack Web sites that are secured using Secure Sockets Layer (SSL) encryption, which relies on trustworthy digital certificates. “You can use Kaminsky’s DNS bug combined with this to get virtually undetectable phishing,” Molnar said.
“This isn’t a pie-in-the-sky talk about what may happen or what someone might be able to do, this is a demonstration of what they actually did with the results to prove it,” HD Moore, director of security research at BreakingPoint Systems Inc., wrote in a blog post about the researchers’ findings.
Cryptographers have been gradually chipping away at the security of MD5 since 2004, when a team lead by Shandong University’s Wang Xiaoyun demonstrated flaws in the algorithm.
Given the state of research into MD5, certificate authorities should have upgraded to more secure algorithms such as SHA-1 “years ago,” said Bruce Schneier, a noted cryptography expert and chief security technology officer at BT PLC.
RapidSSL.com will stop issuing MD5-based digital certificates by the end of January and is looking for ways to encourage its customers to move to new certificates after that, said Tim Callan, VeriSign’s vice president of product marketing. But first, Callan added, VeriSign wants to get a good look at the new research.
Molnar and his team have communicated their findings to VeriSign indirectly, via Microsoft, but they have yet to speak directly to VeriSign, out of fear that it might take legal action to quash their talk. In the past, companies sometimes have obtained court orders to prevent security researchers from talking at hacker conferences.
Callan said he wished that VeriSign had been given more information ahead of time. “I can’t express how disappointed I am that bloggers and journalists are being briefed on this but we’re not, considering that we’re the people who have to actually respond,” he said.
While Schneier said he was impressed by the math behind this latest research, he said that there are already far more important security problems on the Internet — weaknesses that expose large databases of sensitive information to attackers, for example.
“It doesn’t matter if you get a fake MD5 certificate, because you never check your certs anyway,” he said. “There are dozens of ways to fake that, and this is yet another.”
Computer World_Robert McMillan
