Security News (92 Posts)

<< Next - First ... 4 5 6 7 8 ... Last - Previous >>

The right (way) to disclose vulnerabilities

An article was discussed last month in The Guardian and The BBCexplaining how a research paper from the University of Birmingham had been barred by a judge from being published because it discussed weaknesses in the security related to cars starting mechanisms from many manufacturers (BMW, Porsche, Fiat, Peugeot, etc).

This was already discussed publicly at the 21st Usenix Security Sympposium, where an online video is available. A quick search on Google also produces a PDF paper explaining how a car can be gone in 360 seconds through hijacking car key transponders. If that was the paper stopped from publication, then I don’t think it provided enough details that warranted those legal actions.

Thi...
>>[READ MORE]


iOS7 and Mavericks Security

There is an interesting article HERE that describes the new security features of iOS7 and Mavericks. It also asks some interesting questions that still need answering.

...
>>[READ MORE]

A story about Password: The Wrong Formula

In this article I will first talk about some misconceptions regarding what is considered a secure password and then about how you can leverage different technologies to help protect your different credentials.

In the past few years there has been a sharp increase in websites being hacked and their users’ passwords/hashes stolen, in parallel we are using online services for almost everything: to pay for your local pizzeria delivery or your electricity bill, access your bank account, connect to your work email, etc.

The common advice is to use different passwords for each site you register to, but most people don’t. It means that hackers can often reuse credentials they obtained on one website to access another.

One way to counter that risk would be to use some kind of formula so you remember a different password for each site you have registered to. This *could* be the best solution, as remembering a password formula means you do not have to write it do...
>>[READ MORE]


Evernote hacked, an early warning for the Cloud Storage storm coming?

In recent years I have written various articles warning of the risk related to uncontrolled cloud storage solutions usage in the corporate world.

Evernote is a popular online note storage solution which is often used by mobile users. You could see it as a cut down version of Dropbox as it is more restrictive to what one can store online.

It got hacked a few days ago, as reported by the Verge, what was stolen includes usernames, email addresses and encrypted passwords. We don’t know what password algorithm they used and how hard/easy/feasible it is for the hackers to crack them, but the company behind Evernote now asks *all* its (millions) users to reset their passwords.

This should really serve as a wake up call, to check what policies and controls are in place to prevent your user...
>>[READ MORE]


Mobile devices security, history repeating itself: Harder, Faster, Stronger but not Better!

Following up on my SANS 575: Mobile Device Ethical Hacking course review, below is my take on the current state of Mobile Devices security.

First, let me define what I mean by mobile devices: Smartphone and Tablets, not laptops. Although laptops are “mobile” the level of security available to them is more mature and not in scope for this article.

Then, let’s dive into the past and where mobile device security fits.
Right at the start, when computers where used and interconnected, the security element of it has always been the last “add-on” and security professionals had to play catch-up. This was true with Intranets, where no or poor defences meant companies were often heavily relying on physical security, i.e.: no hackers will be allowed within the premises to connect their portable desktops. The realisation that staff could also be hackers and the arrival of laptops meant better IT access controls were put in place.
When Interne...
>>[READ MORE]


Boxcryptor, a great tool to secure your cloud storage solution.

I made my feelings very clear about the use of Dropbox in the enterprise, through a previous post. I still believe Dropbox and similar other cloud sotrage solutions such as Google drive or Sky Drive are a timebomb waiting to happen for many companies who are busy securing their infrastructure but forget to look at the data leaving their premises through the back door. Or just not appreciating how tablets and smartphones are driving their users’ behaviours and requirements.

There will be a lot of red faces if/when Dropbox and Co announce they have been hacked.

However, I have recently come accross a great tool that can help reducing the impact of such a bad scenario. It is called Boxcryptor.

Boxcryptor creates an encrypted folder under your Cloud Storage directory (i.e.:...
>>[READ MORE]


Security Onion and seeing through HTTPS

Security Onion is an Open Source Linux distribution that makes deploying an IDS/NSM a very easy task indeed and I highly recommend you try it at home. Especially since you can do everything in a VM…

The video below gives a great summary of what this is all about (it is an hour long, but like any good movie you won’t see the time fly ;)


If you have ever been through a Snorby installation yourself, you will appreciate this distribution even more as everything is done for you. The installation process only asks a couple of questions and you should be ready to monitor your network, analyse data through full packet capture within 15 minutes!

The latest beta is even better, and lets you use your own Ubuntu flavoured distribution if you prefer not to use the d...
>>[READ MORE]


Is that the holy grail for critical systems?

Kaspersky Lab just announced they are working on their own Operating System for critical systems.

This is something that is increasingly needed, but is Kaspesrky the best entity suited to produce such OS? To contribute/review it, certainly. But to drive its development? I am not so certain. I would have thought that developing an OS requires more specific skills than just security ones. One could argue that making security the core skill used in developing that OS should make it more secure but I would argue back it could also introduce performance issues… And performance is a health/security risk on its own, especially when speaking about critical systems such as process control environments.

Kaspersky Labs is engaging with different vendors and ICS operators, so they should get some kind of expertise on what their systems req...
>>[READ MORE]


Old tricks will always work…

There is something about deception, it can bypass a lot of security controls through a very basic principle, to make you believe about something that isn’t there. It is a bit like magic.

Like this WEBSITE, where you can see an example of what the new HTML5 fullscreen function could make you believe. That you are on a bank website, where in fact you are on a phishing site. The previous link is harmless and only serves as an example, one I would advise you to try yourself (you can’t enter any details anyway in case you haven’t understood it isn’t really a Bank of America website).

Basically, they use the HTML5 Fullscreen function to recreate your browser TABS and URL. If you are not used to browse the internet in full screen mode then you would see the trickstraightaway. However, if you are following the trend to browse in full screen mode, especially on mobile phones or on MACs where app...
>>[READ MORE]


Distributed Credential Protection

RSA recently announced their Distributed Credential Protection (DCP) technology which should help address the impact of passwords leakage/theft when the system where they are stored gets compromised. They accomplish that by splitting up stored credentialsacrossdifferent systems.

In its current implementation it uses 2 servers. 1 server (BLUE) stores the password XOR to a random number and another server (RED) stores that random number.
When a user wants to authenticate it uses his password to XOR it with his own Random number. It then sends the transformed password to the BLUE server and the new random number to the RED server.
The BLUE and RED servers then compare the stored password with the one the user just provided. At this stage, I guess it must communicate to the RED server to get the corresponding random numbers.

This process is given an overview >>[READ MORE]