Future of Cyber Security: Hackers Have Grown Up
Kevin Poulsen writes on Wired's Dual Perspectives:
Late last year, the software engineers developing a new Windows-based networking client confronted an all-too-common problem in today's hostile internet environment: How would they make their software resistant to the legions of enemies waiting to attack it? Particularly worrisome was a key feature of their code, a mechanism to accept updates online. If it were subverted, an attacker could slip his own program into an installed base of millions of machines.More here.
The coders decided to fortify their software with MIT's brand-new, high-security cryptographic hashing algorithm called MD-6. It was an ambitious choice: MD-6 had been released just two months before, and hadn't yet faced the rigors of real-life deployment. Sure enough, the move seemed to backfire when a security hole was found in MD-6's reference implementation not long after the launch. But the coders rallied, and pushed out a corrected version in a new release of their software just weeks later.
It would be a model for secure software development, except for one detail: The "Windows-based networking client" in the example above is the B-variant of the spam-spewing Conficker worm; the corrected version is Conficker C, and the hard-working security-minded coders and software engineers? A criminal gang of anonymous malware writers, likely based in Ukraine. The very first real-world use of MD-6, an important new security algorithm, was by the bad guys.