Pages: 1 3 5 ...6 ...7 8 9 10 11 12 ... 14

  2015-02-15

Top challenges of securing IoT

  22:03, by Hagai Bar-El   , 917 words
Categories: Security Engineering

As much as there is hype about the Internet of Things (IoT) and protecting it, there is no such thing as "IoT Security" per se. There is just the usual security engineering that is applied to IoT. Security engineering is about determining assets, threats to assets, and cost-effective means of mitigation. There are many models and ways for carrying out such analysis, but for the most part they all boil down to those key elements. Such security analysis applies to networks, it applies to servers, it applies to cars, and it also applies to IoT. That said, security engineering in IoT does pose a few unique challenges, which I would like to discuss now.

Full story »

  2015-02-11

Data about you is never thrown away

  11:01, by Hagai Bar-El   , 114 words
Categories: Personal News, Security Policies

I was quoted by The Enquirer saying that we shall all assume that data (from wearables and otherwise) that is collected by service providers will never be deleted. The data collected by wearables is only as protected as the network that holds it – and it is likely to be stored indefinitely.

"The trend today, given the ever-decreasing cost of storage, is to store data forever. A CIO will prefer to pay a bit more for a little more disk space than risk his job and company prosperity by deciding to discard data that is one day determined to have been useful."

EDITED TO ADD: This story was also pubished by USA Today, and others.

  2015-01-05

Shodan makes us all more secure

  05:46, by Hagai Bar-El   , 792 words
Categories: IT Security, Security Policies

Shodan is a search engine for computers. It allows to search for hosts on the Internet not by the text they serve but by their technical properties as they reflect in responses to queries. The crawler Shodan uses to build its index does not read text that websites emit when visited, but instead it reads the information that the machine provides when probed.

Like most other technologies, this is another dual-use technology. It has both legitimate and malicious uses. The tool can be used for research, but it can be, and indeed has been, used for vicious purposes. Shodan will readily map and report Internet-accessible web-cams, traffic lights, and other IoT devices, including those with lax protection, such as those using default passwords or no passwords for log-in.

So is Shodan bad? Not at all. Those are exactly the forces that make us all more secure. 

Full story »

  2014-12-06

The ease of hacking surveillance cams

  20:43, by Hagai Bar-El   , 30 words
Categories: Personal News, Security Engineering

Visit: http://thirdcertainty.com/qa/qa-webcams-easy-hack/

An article and interview with me by Byron Acohido of ThirdCertainty about why surveillance cams are trivial to hack. The discussion also covers the stance of IoT security in general.

  2014-11-13

Prime numbers and security

  02:28, by Hagai Bar-El   , 607 words
Categories: Security Engineering

Without much relation to anything, I wrote this short essay about the role prime numbers play in Internet security. In a nutshell, security relies on the ability to form leverage for the defender over the adversary. Such leverage can be of one of two types:

  1. Leverage through the ability to code the system behavior.
  2. Leverage through math, where the good guy knows something that the adversary does not.

Prime numbers are used as part of at least one mathematical mechanism that serves #2.

Full story »

  2014-10-15

Poodle flaw and IoT

  17:53, by Hagai Bar-El   , 457 words
Categories: Security Engineering

The Poodle flaw discovered by Google folks is a big deal. It will not be hard to fix, because for most systems there is just no need to support SSLv3. Fixing those will only imply changing configuration so not to allow SSL fallback. However, this flaw brings to our attention, again, how the weakest link in security often lies in the graceful degradation mechanisms that are there to support interoperability. Logic that degrades security for the sake of interoperability is hard to do right and is often easy to exploit. Exploitation is usually carried out by the attacker connecting while pretending to be "the dumbest" principal, letting the "smarter" principal drop security to as low as it will go.

All this is not new. What may be new is a thought on what such types of flaws may imply on the emerging domain of the Internet-of-Things.

Full story »

  2014-10-11

Snapchat leak -- who is to blame?

  10:52, by Hagai Bar-El   , 242 words
Categories: IT Security, Security Engineering

Snapchat is in the headlines again for allegedly leaking out nude photos of users. They strictly deny that there was any breach of their servers, and blame third party applications for leaking this data. This might be the case, but it is not enough to take them off the hook, especially given that their product is mostly about confidence. There are more and better instant-messaging apps out there, and whoever uses Snapchat uses it exactly so such events do not happen, whatever the excuse is.

I have no idea what exactly happened, if at all, but if a third party app got to access Snapchat data, then this Snapchat data was either

  • obtained by the third-party app on the user device, or
  • obtained by the third party app by impersonating the legitimate Snapchat app against the Snapchat server.

On a typical (i.e., un-rooted) Android or iOS device, apps can store their data so it is not readily available to other, unauthorized, apps; it would have been careless to leave such photos behind for the asking. On the other hand, Snapchat were accused several months ago for improperly authenticating their clients by the server, allowing easy impersonation of Snapchat client apps. I was quoted in USA Today yesterday addressing the need to properly authenticate clients.

Lastly I will add that there is also the possibility that no breach has ever occurred, and that the entire image dump is a hoax. Time will tell.

1 3 5 ...6 ...7 8 9 10 11 12 ... 14