
  2014-10-15

Poodle flaw and IoT

By Hagai Bar-El, 457 words
Categories: Security Engineering

The Poodle flaw discovered by Google folks is a big deal. It will not be hard to fix, because for most systems there is simply no need to support SSLv3. Fixing those systems only means changing their configuration so that fallback to SSLv3 is not allowed. However, this flaw brings to our attention, again, how the weakest link in security often lies in the graceful-degradation mechanisms that exist to support interoperability. Logic that degrades security for the sake of interoperability is hard to get right and is often easy to exploit. Exploitation is usually carried out by the attacker connecting while pretending to be “the dumbest” principal, letting the “smarter” principal drop security to as low as it will go.

All this is not new. What may be new is a thought on what such types of flaws may imply for the emerging domain of the Internet of Things.


  2014-10-11

Snapchat leak -- who is to blame?

By Hagai Bar-El, 242 words
Categories: IT Security, Security Engineering

Snapchat is in the headlines again for allegedly leaking nude photos of users. They strictly deny that there was any breach of their servers, and blame third-party applications for leaking this data. This might be the case, but it is not enough to take them off the hook, especially given that their product is mostly about confidence. There are more and better instant-messaging apps out there, and whoever uses Snapchat uses it precisely so that such events do not happen, whatever the excuse is.

I have no idea what exactly happened, if anything happened at all, but if a third-party app got to access Snapchat data, then this Snapchat data was either

  • obtained by the third-party app on the user device, or
  • obtained by the third-party app by impersonating the legitimate Snapchat app against the Snapchat server.

On a typical (i.e., un-rooted) Android or iOS device, apps can store their data so it is not readily available to other, unauthorized, apps; it would have been careless to leave such photos behind for the asking. On the other hand, Snapchat were accused several months ago of improperly authenticating their clients at the server, allowing easy impersonation of Snapchat client apps. I was quoted in USA Today yesterday addressing the need to properly authenticate clients.

Lastly, I will add that there is also the possibility that no breach ever occurred, and that the entire image dump is a hoax. Time will tell.

  2014-09-23

A gift from Snowden to the European economy

By Hagai Bar-El, 463 words
Categories: Security Policies

The revelations made by Edward Snowden did not show us anything that we never thought possible. They did reveal, however, that many of the things that were possible in theory found their way into reality. Those revelations also gave many of the chronic paranoids and conspiracy theorists the opportunity to say “I told you so”. The fact is, digital life causes us to rely on more and more service providers, in the shape of government agencies and private organizations, and those providers have now been caught violating our trust. When we buy products and services, we trust their provider to follow the norms we believe it follows. When such trust breaks, we need to think about what comes next. In my opinion, this situation forms an opportunity for Europe to catch up.


  2014-09-06

Book review: "No place to hide" by Glenn Greenwald

By Hagai Bar-El, 411 words
Categories: Sources

I just finished reading the book “No Place to Hide”, by the journalist Glenn Greenwald. The book talks about the revelations from Edward Snowden on the actions taken by the NSA, as well as about their implications. It is not the kind of book you can’t put down, but it is certainly a worthy read and conveys a very well elaborated message.


  2014-09-05

Capturing PINs using an IR camera

By Hagai Bar-El, 97 words
Categories: Security

This video demonstrates how an IR camera, of the type that can be bought for a reasonable price and attached to a smartphone, can be used to capture a PIN that was previously entered on a PIN pad, by analyzing a thermal image of the pad after the fact. When a human finger presses a non-metallic button, it leaves a thermal residue that can be detected in a thermal image, even one taken many seconds later.

The video refers to the article: Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, written at UC San Diego.

  2014-08-19

Protecting network neutrality: both important and hard

By Hagai Bar-El, 2362 words
Categories: Security Policies

The term “network neutrality” is mentioned very often lately, also in the context of FCC rulings, such as here and here. Since the definition of net neutrality is not always clear, this topic is not subject to as much public debate as it probably should be. Here is my take on what network neutrality is, and why it is difficult to regulate and enforce. I will start with my proposed technical and service-related definition of “network neutrality”, and will follow with a brief explanation of why this is both difficult and important.



  2014-07-24

TrueCrypt alternatives?

By Hagai Bar-El, 660 words
Categories: IT Security, Products

It has been a while since the announcement of the demise of TrueCrypt (which I reported), and an equivalent replacement for all those people who rely on it is not yet evident. TrueCrypt has not been revived yet, but the situation is not as time-critical as it may have seemed. There are a few options, for the time being.



License

All contents are licensed under the Creative Commons Attribution license.