Wells Fargo Online Safe-Deposit Box
http://www.sci-tech-today.com/news/Wells-Offers-Online-Safe-Deposit-Box/story.xhtml?story_id=11200CI7MS74
It's no secret that even with a brick-and-mortar bank, you have to place a certain level of trust in a safe-deposit box. But apart from a dishonest employee, the evildoers will have a rough time getting at your things. You would expect the bank to have at least door locks, security cameras, motion detectors, and a big, thick, scary vault.
With an online storage system you really don't have all that many lines of defense. Let's presume the tech guys aren't thieves, and that there are no flaws that could be used to gain access to your account. That means the only real way in is to steal your "key". In the physical world, that might be as difficult as targeting you, knocking you down in the street, rummaging through your pockets, and finding the bank key. Then all you have to do is trick the bank into letting you actually use the stolen key, and take whatever unusually important things the victim has stowed away in the box. In the tech world, I suspect stealing keys would go something like this:
Send out twelve billion phishing emails. Get some login credentials, steal their files.
The article mentions RSA tokens, which would help considerably, but it seems to suggest they are optional. I would be quite hesitant to put much faith in such a system if it doesn't require multi-factor authentication. Like most things, though, I suspect this is just a case of making people feel all warm and fuzzy, since they don't really understand what's going on anyhow.
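To make the point concrete, here is an added example (not from the Wells Fargo article and not Wells Fargo's system) of a login check that demands a password plus a time-based one-time code, run through the phishing scenario above. The one-time code is RFC 6238 TOTP with HMAC-SHA1, standing in for an RSA SecurID token (whose algorithm is proprietary); the account record, the password and the timestamps are constructed for the demo, and the key is the RFC's published test-vector key.

```python
"""Added example: password + TOTP login, exercised against phished credentials.
RFC 6238 TOTP stands in for RSA SecurID; account data below is constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional

TOTP_STEP = 30          # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP (RFC 4226) computed over the 30-second time counter."""
    counter = int(unix_time) // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical server-side record for one online safe-deposit-box user."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.used_steps = set()     # time steps whose code was already accepted


def login(account: Account, password: str, code: Optional[str], now: int) -> bool:
    """Succeed only with the right password AND an unused, current one-time code."""
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return False
    if code is None:
        return False                                            # second factor is mandatory
    step = now // TOTP_STEP
    if step in account.used_steps:
        return False                                            # one use per code: stops replay
    if not hmac.compare_digest(code, totp(account.totp_secret, now)):
        return False
    account.used_steps.add(step)
    return True


def phishing_scenarios() -> dict:
    """Constructed attack sequence using the RFC 6238 test-vector key."""
    secret = b"12345678901234567890"
    password = "correct horse battery staple"
    t0 = 1_111_111_111                 # victim types password + code into a phishing page
    captured_code = totp(secret, t0)
    results = {}

    acct = Account(password, secret)
    results["password_only"] = login(acct, password, None, t0)
    results["replay_after_window"] = login(acct, password, captured_code, 1_234_567_890)
    results["victim_real_login"] = login(acct, password, captured_code, t0)
    results["replay_in_window"] = login(acct, password, captured_code, t0 + 5)

    # Caveat: a real-time phishing proxy that relays the code before the victim's
    # own login lands still gets in; an OTP raises the bar but is not phishing-proof.
    fresh = Account(password, secret)
    results["live_relay"] = login(fresh, password, captured_code, t0 + 5)
    return results


if __name__ == "__main__":
    for scenario, ok in phishing_scenarios().items():
        print(f"{scenario:22s} -> {'LOGGED IN' if ok else 'denied'}")
```

The one-use rule on `used_steps` is what blocks a replay inside the 30-second window; the password alone, or a code replayed after the window, goes nowhere. The `live_relay` case is the caveat: a proxy that forwards the victim's code in real time is still accepted, which is why a token defeats bulk "twelve billion emails" phishing but not a targeted man-in-the-middle.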
CERT-FI archive file fuzzing
CERT-FI published a giant archive of fuzzed files last week.
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
There are a couple of things that will need to be fixed in Fedora and RHEL, and they are currently being worked on, but this really raises a much bigger question: how is this a security advisory? They gave out an archive of millions of fuzzed files, the vast majority of which don't even trigger bugs in the software in question.
I think fuzzing is extremely powerful and very useful for finding bugs and security issues. Until now, fuzzing has really focused on the tools that mangle the data to produce inputs with errors and flaws that will trigger bugs. These tools are a dime a dozen at this point, so what CERT-FI did wasn't all that useful. It would have been far more useful had CERT-FI distributed their suite for generating the fuzzed files, or released a test runner. Currently, the hard part of fuzzing is actually running the tests. When something fails, it's helpful to know where and why it happened, and by the very nature of fuzzing there will be many failures caused by the same bug, so the failures have to be deduplicated before anyone can say how many distinct bugs were found.
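Here is an added example of the kind of test runner the paragraph above asks for; it is not CERT-FI's or Red Hat's tooling. It mutates a seed file, runs a parser over each mutant, and buckets failures by exception type and raise site, so the many fuzzed files that hit one bug collapse into a single report entry with the shortest reproducer. The "TOYA" archive format and its sloppy parser are hypothetical, built only for this demo, and uncaught Python exceptions stand in for the crashes a native unarchiver would produce.

```python
"""Added example: mutation fuzzer + crash-bucketing test runner.
The TOYA format and parse_archive are hypothetical toys built for this demo."""
import random
import struct
import traceback
from collections import defaultdict


class BadArchive(Exception):
    """The parser's one intentional rejection; anything else it raises is a bug."""


def build_archive(entries):
    """Toy format: magic b"TOYA", then per entry name_len:u8, name, data_len:u32 BE, data."""
    out = bytearray(b"TOYA")
    for name, data in entries:
        out += struct.pack(">B", len(name)) + name
        out += struct.pack(">I", len(data)) + data
    return bytes(out)


def parse_archive(blob):
    """Deliberately sloppy: trusts every length field it reads."""
    if blob[:4] != b"TOYA":
        raise BadArchive("bad magic")
    pos, entries = 4, []
    while pos < len(blob):
        name_len = blob[pos]
        pos += 1
        name = blob[pos:pos + name_len]
        pos += name_len
        data_len = struct.unpack(">I", blob[pos:pos + 4])[0]   # struct.error if truncated here
        pos += 4
        last_byte = blob[pos + data_len - 1]                   # IndexError when data_len lies
        data = blob[pos:pos + data_len]
        pos += data_len
        entries.append((name.decode("ascii"), data, last_byte))  # UnicodeDecodeError on junk names
    return entries


# Constructed seed input: a valid two-entry archive the mutator starts from.
SEED_ARCHIVE = build_archive([(b"notes.txt", b"hello"), (b"key.bin", bytes(range(8)))])


def mutate(seed_blob, rng):
    """One random mutation: overwrite a byte, truncate the tail, or insert a byte."""
    buf = bytearray(seed_blob)
    choice = rng.randrange(3)
    if choice == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def crash_key(exc):
    """Bucket identity: exception type plus the innermost frame that raised it,
    the Python analogue of keying a native crash on signal + top stack frame."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def run_campaign(seed_blob, iterations=300, seed=1, expected=(BadArchive,)):
    """Fuzz the parser; return counts plus one shortest reproducer per distinct bug."""
    rng = random.Random(seed)
    buckets = defaultdict(list)
    passed = rejected = 0
    for _ in range(iterations):
        sample = mutate(seed_blob, rng)
        try:
            parse_archive(sample)
            passed += 1
        except expected:
            rejected += 1                 # graceful rejection is not a finding
        except Exception as exc:          # anything else is a finding worth a bucket
            buckets[crash_key(exc)].append(sample)
    return {
        "passed": passed,
        "rejected": rejected,
        "failures": sum(len(v) for v in buckets.values()),
        "buckets": {k: min(v, key=len) for k, v in buckets.items()},
    }


if __name__ == "__main__":
    report = run_campaign(SEED_ARCHIVE)
    print(f"passed={report['passed']} rejected={report['rejected']} failures={report['failures']}")
    for (exc_name, func, line), repro in report["buckets"].items():
        print(f"  {exc_name} in {func}:{line}  shortest reproducer: {repro.hex()}")
```

`crash_key` is the deduplication step: hundreds of mutated files collapse into at most three buckets, one per sloppy line in `parse_archive`, each carrying its shortest input as the reproducer. Against a native unarchiver the same loop would key on the signal and the top frame reported by a debugger instead of an exception and a line number, and `BadArchive` would be whatever non-zero exit status the tool uses for a file it rejects cleanly.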
This also raises the question: what's coming next? Given what I've seen of fuzzing, I think it's beginning to reach the end of its period of easy returns. Once fuzzing stops returning quick and easy results, I imagine most researchers will move on to something better for finding their flaws. It's in the best interest of security researchers to find security issues quickly and easily.
This reminds me of strcpy usage a few years back. An incredible number of security bugs were found back when nobody cared about how they handled strings. Most developers are now quite aware of this, and strcpy buffer overflows are rather uncommon. Modern compilers will now even complain about crummy string use. Fuzzing is really just finding bugs where developers don't verify user input. This is getting better, and eventually ensuring that user input is sane will likely just be common knowledge. It will be interesting to see what clever researchers come up with next, but until then, keep up the fuzzing.