Pages: 1 ... 5 6 7 8 9 ...10 ... 12 ...14 ...15 16

  2010-05-19

Automobile hack: we should have known better

  By Hagai Bar-El   , 776 words
Categories: Security Engineering, Counter-media

No one in the automotive security industry could miss the recently published news article titled “Beware of Hackers Controlling Your Automobile”, published here, and a similar essay titled “Car hackers can kill brakes, engine, and more”, which can be found here. In short, it describes how researchers succeeded in taking over a running car, messing up with its brakes, lights, data systems, and what not.

As alerting and serious as this is, it should not come by as a surprise.

Read more »

  2010-03-24

InZero provides some security

  By Hagai Bar-El   , 826 words
Categories: IT Security, Counter-media

I was just made aware of InZero, a new physical device that you connect to your PC, and your browsing becomes secure. I find it amazing that some people treat it as among the most revolutionary of security solutions.

I think the InZero device is cool. I think it protects against some attack vectors, at some usability costs. It may even make a worthwhile trade-off for some people. But to consider the protection granted by this device as something that is revolutionary, or to claim that it is “giving hackers, criminals, and spies the middle finger” is an exaggeration, even when it comes from marketing guys.

Read more »

  2009-09-02

A business model based on people making bad security trade-offs

  By Hagai Bar-El   , 483 words
Categories: IT Security, Counter-media

From time to time I am exposed to a new service, sometimes security-related, that promises something new. More often than not, the new security service is novel, but only because either no one really needs it, or because it does not form a good balance between security and other needs. The cases of the latter category are far more interesting.

Read more »

  2009-07-24

Companies collect data on us --- so what?

  By Hagai Bar-El   , 865 words
Categories: Security Policies, Counter-media

It is very common among security people to take privacy issues seriously. When we hear that a particular service collects personal data on us, we get extremely anxious. We will not use services that collect personal data that are not necessary to render the service. Sometimes we will forgo using a useful service, just because it requires that we feed in personal data, or because we do not like the wording of the privacy policy, of its lack of…

To us, security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits, is just wrong. Technologists like Cory Doctorow call to treat personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, although he did nothing wrong. All is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.

It is easy to explain why one would not like the government to have too much data on himself. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google apps users), and Facebook, collect. Why should I care about having my personal data on-line?

Read more »

  2009-04-04

On the Purpose of Security Standards

  By Hagai Bar-El   , 960 words
Categories: Security Policies, Counter-media

An interesting article was published in Information Security Resources, titled: “Payment Card Industry Swallows Its Own Tail”.

The author seems to claim that PCI DSS may not survive for long, because the various stakeholders are too busy blaming each other for security breaches instead of trying to make the ecosystem more secure. Also, organizations that are PCI DSS compliant still suffer from security breaches, what seems to indicate that the standard is ineffective.

There are two questions that need to be asked:

Read more »

  2009-03-06

Right, the kernel can access your encrypted volume keys. So what?

  By Hagai Bar-El   , 717 words
Categories: Security Engineering, Counter-media

On January 15th, TechWorld published an article called Encryption programs open to kernel hack. Essentially, it warns that the key to encrypted volumes, that is, to volumes of software-encrypted virtual drives, is delivered by the encryption application to the kernel of the operating system, and thus may be captured by a malicious kernel.

“According to a paper […] such OTFE (on-the-fly-encryption) programs typically pass the password and file path information in the clear to a device driver through a Windows programming function called ‘DevicelOControl’.”


And they consider it as a threat:

“Dubbed, the Mount IOCTL (input output control) Attack by Roellgen, an attacker would need to substitute a modified version of the DevicelOControl function that is part of the kernel with one able to log I/O control codes in order to find the one used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be vulnerable.”


Such “findings” occur often when the security model of a security system is ignored.

Read more »

  2008-12-17

My new patent on secure boot using embedded flash

  By Hagai Bar-El   , 271 words
Categories: Personal News

Yesterday, I got a US patent application granted by the Patent and Trademark Office. The patent bears the title “SYSTEM, DEVICE, AND METHOD OF SELECTIVELY ALLOWING A HOST PROCESSOR TO ACCESS HOST-EXECUTABLE CODE". Essentially, this patent discloses a technology that allows to boot a computing platform into a trusted state using a cryptography-enabled code storage device, without the need for a cryptography-enabled host processor. In other words, the technology allows to securely boot a platform that has a security module that is coupled with the storage medium (e.g., embedded Flash memory) that stores the software, instead of a security module that is coupled with the host processor.

Read more »

1 ... 5 6 7 8 9 ...10 ... 12 ...14 ...15 16


Form is loading...

  XML Feeds

Search

License

All contents are licensed under the Creative Commons Attribution license.