OpenDNS announced a technology preview today for Macs running their DNS services called DNSCrypt. Think of this as doing for the DNS protocol what HTTPS does for the Web protocols. Like its mainline service, it is freely available, and Windows and Linux versions are promised for next year. You can download the code here for the Mac OS. They will eventually post all of their code on GitHub for public scrutiny.
To all the other "aaS" providers out there, add this one: MaaS, for malware as a service. Yup, the bad guys have their own routines that can provide one-stop, full-service shopping for fraudsters. How depressing is that?
Turns out, very depressing.
Secure Sockets Layer and Transport Layer Security (SSL/TLS) is the foundation of Web security. Banks, travel booking sites, social networks like Facebook and Twitter, email services and a plethora of other industries built their security based on the fact that it is very hard to crack SSL. Yet, a group of researchers has figured out how to do just that.
SSL encryption protects data in transit from the client to the server. This communication happens very rapidly and the encryption effectively makes a secure tunnel for information. The researchers that have cracked SSL used a vulnerability that until now was considered only a theory. Like wormholes.
The Amazon Web Services cloud outage led to some contemplation from cloud computing leaders such as Krishnan Subramanian. I'm wondering if the FBI raid on co-location host DigitalOne will lead to some similar considerations.
Colos aren't cloud in most senses of the word, but multi-tenant cloud providers are at least as vulnerable to this sort of problem. There are ways to mitigate the problems, such as fail-over servers with other cloud providers and encrypting data before storing in the cloud, but I don't think anyone wants to deal with this issue.
Yesterday Dropbox, the popular file storage Web application that enables users to easily sync a folder from their local computer with the cloud, made a small change to its terms of service. Dropbox made it clear that it would decrypt and hand over files if the U.S. government requested it.
The issue is not so much that Dropbox is willing to hand over user data to the feds if requested - as RedMonk co-founder and analyst James Governor points out, the company doesn't have much choice: "given I understand it runs on Amazon Web Services, which would give up the data if asked anyway."
The real issue, it seems, is that Dropbox has the ability to snoop on your encrypted files at all.
Zed Shaw yesterday unveiled Vulnarb.com, an experimental project to improve the process of responsible security vulnerability disclosure. Today, security researchers have two choices: contact the developers about a vulnerability and wait for them to fix it, or publish the vulnerability for the world to see. Both of these solutions have flaws. Users may be unaware that the products they use have vulnerabilities if they aren't publicly disclosed, but public disclosure could make them even more vulnerable to exploitation.
Shaw's plan is to create a public repository of security vulnerabilities. The specifics of the vulnerability will be encrypted and provided only to the company or developers behind a product. The public will know what products have vulnerabilities, but not what the specific vulnerabilities are. Companies or researchers can then disclose the vulnerability once it's been fixed.
Bob Schroeder is the director of product management at Qwest Business. In this interview, he provides a high level overview of what you should be doing to protect your company against security threats.
Schroeder talks about anti-virus, securing mobile networks, encryption and more.
Late last year Stuxnet made international headlines by infecting computers at an Iranian nuclear power plant. Much of the coverage has been focused on speculation as to who was behind the malware, which appeared to be designed specifically to target nuclear power plants with certain types of equipment. But how were the creators of Stuxnet able to infiltrate a high security nuclear power plant? According to Symantec, one of the key components in the attack was a legitimate digital certificate. The attackers either stole a private key, or were able to get their files signed. How can you keep your digital certificates and encryption keys safe?
The FBI is being accused of planting backdoors in the security-focused open source operating system OpenBSD. OpenBSD is used in commercial security products such as firewalls from Calyptix and .vantronix. Thus far, a code audit has not revealed any backdoors in OpenBSD but some bugs have been found.
Earlier this week, OpenBSD founder Theo de Raadt forwarded an e-mail from Gregory Perry, former CTO of the defunct security company NETSEC, to the OpenBSD mailing list. NETSEC paid developers to contribute to OpenBSD during the 90s. Perry claims that former NETSEC developer Jason Wright and his development team inserted backdoors into the OpenBSD Crypto Framework under the direction of the FBI - a claim Wright firmly denies. Perry claims to be coming forward now because his 10 year nondisclosure agreement with the FBI has expired.
Following a number of stories over the past week about the release of personally identifiable information, Facebook announced on its developer blog today that it is looking into ways to address this.