Gartner warns of 'proliferation of new attack tools'
Gartner warns of 'proliferation of new attack tools'
R E L A T E D   C O N T E N T
Similar articles
KnowledgeBANK
News centre
More from vnunet.com
ADVERTISEMENT

Gartner warns of crypto bug attack tools

Weakness in security algorithms 'means trouble', says analyst

Robert Jaques, vnunet.com 24 May 2005
ADVERTISEMENT

The recently discovered bug allowing timing attacks against cryptographic algorithms could allow hackers to measure the behaviour of cryptographic software to reveal information about its keys.

Industry experts have warned that this will "inevitability result in the proliferation of new attack tools".

Analyst firm Gartner said that the attacks against cryptographic algorithms, discovered by Canadian researcher Colin Percival, could allow hackers to extract sensitive data by creating a parallel thread to measure cache activity in a cryptographic thread.

The attack does not reflect a security weakness in processor hyper-threading, but rather a weakness in the security algorithms exposed by Percival's ingenious timing attack, according to Gartner.

"The opportunities to use this attack seem narrow, because there are other, simpler ways to access keys running on the same machine. But history suggests that unaddressed security flaws usually mean trouble," said Martin Reynolds, vice president at Gartner's Dataquest division.

"Vendors of cryptographic code must address this weakness as a priority, by either affirming that their code is safe or correcting the flaw."

However, Reynolds added that disabling hyper-threading is not an effective solution to the problem. Vulnerable code must be corrected, or cryptographic processes must be run in protected environments.

The analyst advises against keeping intermediate results, keys or passwords in memory. Algorithms should delete secret bits as soon as they are no longer needed.

"Password entries should be checked against hashes after initialisation. Intermediate results should be written over as soon as possible, rather than left in memory," said Reynolds.

"These approaches defend against spy processes that peer into memory, and against searching of hibernation and paging files, as well as unallocated memory."

According to Gartner, enterprises should identify areas where cryptographic software could represent a risk and ask their vendor to certify that they have secured code against the exploit.

"Gartner has identified at least one security package that keeps passwords in memory, which means that the password is propagated into the hibernation and system paging files and is subject to trivial memory scanning," Reynolds warned.

See also:

Government Accountability Office warns of failure to secure vital internet infrastructure
US cyber-security efforts failing
Country not ready to fend off electronic attack  01 Jun 2005
Effective IT security infrastructure deemed key to UK's competitiveness
Security still top of the list for IT managers
BCS survey reveals difficulty in justifying infrastructure investment  24 May 2005
Security
Security
The latest wave of cyber-crimes and acts of vandalism have demonstrated once again that many systems are still vulnerable to attack.  15 Apr 2004

All Hacking

Like this story? Spread the news by clicking below:

Post this to Delicious del.icio.us    Post this to Digg Digg this    Post this to reddit reddit!

Permalink for this story
R E A D E R   C O M M E N T S
Post your comment Post your comment   What is this?

M A R K E T P L A C E
Sponsored links
F E A T U R E D   J O B S
ICT Support Officer
London, United Kingdom | City of London
ICT Support Officer £27,320 - £33,370 pa inc. depending on experience (pay award pending) Maternity cover for up to one year Guildhall, London EC2 Bring your IT experience to one of the country's most prestigious ... more >
Web Content Manager
London, United Kingdom | Royal Borough of Kensington and Chelsea
Web Content Manager - c.£40,000 plus bonus - London   As one of the country's best-performing councils, we're always looking for new ways to improve on excellence. Providing an innovative, high-quality internet site for our ... more >
Change and Risk Analyst
Swindon, Wiltshire, United Kingdom | EDS
EDS are currently looking to recruit a Change, Risk and Issue Analyst to join our Project Management Defence team in Swindon, Wiltshire. Summary: The Regional Operations Cell Analyst will work as part of a small ... more >
ICT Systems Administrator
London, United Kingdom | Feltham City Learning Centre
ICT Systems Administrator - Feltham City Learning Centre - £23,097 - £24,528 A full time ICT Systems Administrator to work in the Feltham City Learning Centre. This role requires a broad range of ICT skills ... more >
More job opportunities
Useful links: About us . Privacy policy . Terms & conditions . Site map . Bookmark this site . Feedback . Contacts
Consumer Technology websites:
Active Home Product reviews, competitions, news
Computeractive Software reviews, hardware reviews, buyers' guides, workshops, downloads
Gizmodo the daily gadget blog: technology news and reviews
PC Magazine your personal guide to technology
PCW software product reviews, hardware product reviews, buyers' guides, competitions
WebAct!ve what's happening on the web
What PC? helping you purchase the right computer, digital camera, peripherals, gadgets and more
Blogs:
Test Bed The PCW Labs blog, PCW Inter@ctive A reader blog from PCW. Your views, your comments, your say, Windows Watch Keeping an eye on the latest XP % Vista news
Jobs & Recruitment websites:
Accountancy Age Jobs Accountant jobs, jobs in finance, audit jobs, cima jobs, acca jobs, corporate finance jobs, management accounting jobs, finance director jobs, finance recruitment agency directory, Top 50 accountancy firms, accountant salary survey
Computing Careers IT jobs, Programmer jobs, Developer jobs, IT manager jobs, Project manager jobs, SAP jobs, Oracle Jobs, Java Jobs, IT recruitment agency directory, Top IT Employers 2005
Inquirer Jobs Software Engineer Jobs, firmware developer jobs, electronics engineer jobs
Other titles in the Incisive Media network:
Business Technology websites: BusinessGreen . Computing . Computing Business . CRN . The Inquirer . IT Week . vnunet.com
Business & Finance websites: Accountancy Age . Best Practice . Financial Director . Management Consultancy
© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503