Detecting Certificate Authority Compromises and Web Browser Collusion

From Freedom to Tinker: “Today, the public learned of a previously undisclosed compromise of a trusted Certificate Authority — one of the entities that issues certificates attesting to the identity of ‘secure’ web sites. Last week, Comodo quietly issued a command via its certificate revocation servers designed to tell browsers to no longer accept 9 certificates. …

“This implied that the certificates were likely malicious, and may even have been used by a third-party to impersonate secure sites. …

“Clearly, something exceptional happened behind the scenes. Security hacker Jacob Appelbaum did some fantastic detective work using the EFF’s SSL Observatory data and discovered that all of the certificates in question originated from Comodo — perhaps from one of the many affiliated companies that issues certificates under Comodo’s authority via their ‘Registration Authority’ (RA) program. Evidently, someone had figured out how to successfully attack Comodo or one of their RAs, or had colluded with them in getting some invalid certs.”

Jacob Appelbaum is a UW Security and Privacy Lab researcher and a Tor developer. You can read more about Jacob’s discoveries here.

UW CSE Security Competition Team Wins Regionals!

The UW CSE cyber defense competition team just won regionals! Congratulations to team members Alexei Czeskis (team captain), Ian Finder, Mark Jordan, Karl Koscher, Conrad Meyer, Baron Oldenburg, Mary Pimenova, and Cullen Walsh!

Update (4.7.2011): The Seattle Times has written an article about the team: “A team of eight University of Washington students will wage war this weekend against an expert force, defending their territory with stealth tactics and on-the-fly invention. But there are no physical weapons involved. There’s not even a physical battleground. For the fourth year in a row, the team will compete in the National Collegiate Cyber Defense Competition, in which teams from around the country attempt to shield a computer system from professional hackers aiming to cause havoc ranging from stealing trade secrets to turning home pages into random YouTube videos.”

Read the full article here.

Comprehensive Experimental Analyses of Automotive Attack Surfaces Presented Before the National Academy of Sciences

Congratulations to Karl Koscher, Alexei Czeskis, and Franziska Roesner, and their University of California at San Diego collaborators Steve Checkoway, Damon McCoy, Brian Kantor, and Danny Anderson, whose study of the vulnerability of modern cars to remote compromise was picked up by the press after being presented to the National Academy of Sciences. (We understand some faculty at UW and UCSD were involved as well.)

The Associated Press and The New York Times broke the story, with additional coverage at Technology Review, PCWorld, Slashdot, Jamie Zawinski’s blog, Boing Boing, and The Volokh Conspiracy. More information at the CEASS site.