Security News (95 Posts)

<< Next - First ... 5 6 7 8 9 ... Last - Previous >>

Is that the holy grail for critical systems?

#76 - Posted on 18 October 2012 - Author: SM - Category: Security

Kaspersky Lab just announced they are working on their own Operating System for critical systems.

This is something that is increasingly needed, but is Kaspesrky the best entity suited to produce such OS? To contribute/review it, certainly. But to drive its development? I am not so certain. I would have thought that developing an OS requires more specific skills than just security ones. One could argue that making security the core skill used in developing that OS should make it more secure but I would argue back it could also introduce performance issues… And performance is a health/security risk on its own, especially when speaking about critical systems such as process control environments.

Kaspersky Labs is engaging with different vendors and ICS operators, so they should get some kind of expertise on what their systems req...
>>[READ MORE]

Old tricks will always work…

#75 - Posted on 17 October 2012 - Author: SM - Category: Hacking, Security

There is something about deception, it can bypass a lot of security controls through a very basic principle, to make you believe about something that isn’t there. It is a bit like magic.

Like this WEBSITE, where you can see an example of what the new HTML5 fullscreen function could make you believe. That you are on a bank website, where in fact you are on a phishing site. The previous link is harmless and only serves as an example, one I would advise you to try yourself (you can’t enter any details anyway in case you haven’t understood it isn’t really a Bank of America website).

Basically, they use the HTML5 Fullscreen function to recreate your browser TABS and URL. If you are not used to browse the internet in full screen mode then you would see the trickstraightaway. However, if you are following the trend to browse in full screen mode, especially on mobile phones or on MACs where app...
>>[READ MORE]

Distributed Credential Protection

#74 - Posted on 15 October 2012 - Author: SM - Category: Security

RSA recently announced their Distributed Credential Protection (DCP) technology which should help address the impact of passwords leakage/theft when the system where they are stored gets compromised. They accomplish that by splitting up stored credentialsacrossdifferent systems.

In its current implementation it uses 2 servers. 1 server (BLUE) stores the password XOR to a random number and another server (RED) stores that random number.
When a user wants to authenticate it uses his password to XOR it with his own Random number. It then sends the transformed password to the BLUE server and the new random number to the RED server.
The BLUE and RED servers then compare the stored password with the one the user just provided. At this stage, I guess it must communicate to the RED server to get the corresponding random numbers.

This process is given an overview >>[READ MORE]

MD5 Security Flaws

#71 - Posted on 13 June 2012 - Author: SM - Category: Security

In case you were in any doubts about the security flaws of MD5, in recent days, 2 implementations of MD5 have been shown to have severe security issues.

1) The md5crypt password scrambler used in many Unix based distributions has been deemed as “unsafe” by its author (in fact this has been known for some time now).

2) MD5 collisions were used in the recent Flame malware to bypass Microsoft Update signature certificates.

The sole use of MD5 as a security vector must be avoided.

...
>>[READ MORE]

An interesting timeline representation of the CloudFlare’s hack

#70 - Posted on 12 June 2012 - Author: SM - Category: Hacking, Security

CloudFlare is an interesting young company, a few years old, as introduced in this Bloomberg article. Although it is tempting to just describe it as being similar to Akamaibecauseit provides web acceleration and DOS protection through the use of a Content Distributed Network (CDN), it is also different. As explained by its founder, Matthew Price, it can understand, analyse and protect all requests to a website, not just a subset. It also has a different price model starting with a free offering and generally being much less expensive than the competition even with its pro/business/enterprise options.

In a nutshell, CloudFlare appears to be a service that can help optim...
>>[READ MORE]

Flame and the DEB93D trail

#69 - Posted on 6 June 2012 - Author: SM - Category: Security, Hacking

In the last few weeks there has been a lot of noise about what looks like the latest State sponsored malware, Flame. You can find a lot of information about it from Kaspersky and also from the CrySyS lab who seems to have done some parallel investigation and call it differently (sKyWIper).

This malware is quite interesting for several reasons:
1) It seems to focus on stealing information rather than being directly disruptive.
2) It has been active for 5+ years and has remained undetected until now.
3) It has an option to delete itself, but in doing so leaves one file. a ~DEB93D.tmp file.
4) It is modular and can/has been used to intercept Microsoft update using fake certificates t...
>>[READ MORE]

Apple in Denial

#68 - Posted on 7 April 2012 - Author: SM - Category: Security

Note: Many of the security articles I have written about Apple on this blog are negative and the reader could think I do not like Apple. This is actually very far from the truth, I am a big Apple fan; but I am also a security professional and I do not agree with their overall security strategy.

The title of this post is inspired directly from an Article I read on ZDnet, discussing the latest security threat that infected an estimated half a million Mac with malware: “BackDoor.Flashback.39″.

Mac Trojans are evolving and becoming more frequent, last August a Mac Trojan (Bash/Qhost.WB)was found in a fake Flash updater that once installed would redirect google search results to “bad sites”, then in September another Mac Trojan ( >>[READ MORE]

Satellite phones encryption attacked

#67 - Posted on 5 March 2012 - Author: SM - Category: Security

About a month ago, Arts Technica ran an article about the encryption standards used by satellite phones that have been broken.

This is yet another exemple of a proprietary encryption system which appears to have been weakly designed and implemented.
Although they have only been able to break the communication from the Satellite to the phone and not the other way around, it should still be of concern for anyone using those phones to transmit sensitive information without additional security.
Even if the audio codec still needs to be reversed engineered, this should be the easy part of this attack!

Someone is likely to get a great PhD as the paper exposing this issuewas co-written by such student.

...
>>[READ MORE]

John Nash on Cryptography

#65 - Posted on 1 March 2012 - Author: SM - Category: Security, Cryptography

John Nash is a famous mathematician whose life inspired the Hollywood movie “A beautiful Mind”. However, summerizing his life through that light hearted movie would be very inadequate!

So, this genius mathematician who worked in game theory, differential geometry, and partial differential equations as well as winning a Nobel Prize in 1994 appears to also have had some great insights into modern cryptography… back in the 1950s!

As seen in this article, NSA recently released a series of documents related to letters/conversationa between the NSA and Nash in 1955, where the mathematician made an unsuccessful but noted attempt to communicate his own take on a crypto machine.

If anything, reading at the hand written...
>>[READ MORE]

Bringing Your Own Device, a Security challenge.

#63 - Posted on 14 February 2012 - Author: SM - Category: Security

There is an increasing level of noise in the enterprise about Bringing Your Own Device (BYOD). That you like it or not, it is most probably happening right now within your company unless your are “lucky enough” to be able to enforce strict controls as to what devices are allowed and able to access your data.

For a true BYOD concept, meaning with no restrictions on what that device might be, there are only 2 possible way to enable it:

1) To allow network access to your data/application directly from any devices
or
2) To make your data/application available from the Internet, and the easiest incarnation of that is through web applications.

With the first approach, focusing on the network access, the positives are that you can have more control over the environment from which the data/application is accessed from. Such as enforcing a minimum set of security controls and quarantine non compliant devices. The negatives, though, are the need for a ...
>>[READ MORE]