Category: "Security Engineering"

About the Security Engineering category

  By Hagai Bar-El   , 49 words
Categories: Security Engineering

The Security Engineering category contains articles that discuss analysis of requirements and solutions that are of interest to the security engineer. As opposed to the IT Security category, the articles of this category address not the secure deployment of systems, but the secure design of systems – software and hardware.

Pages: 1 2 4 5

  2014-12-06

The ease of hacking surveillance cams

  By Hagai Bar-El   , 30 words
Categories: Personal News, Security Engineering

An article and interview with me by Byron Acohido of ThirdCertainty about why surveillance cams are trivial to hack. The discussion also covers the stance of IoT security in general.

  2014-11-13

Prime numbers and security

  By Hagai Bar-El   , 607 words
Categories: Security Engineering

Without much relation to anything, I wrote this short essay about the role prime numbers play in Internet security. In a nutshell, security relies on the ability to formĀ leverage for the defender over the adversary. Such leverage can be of one of two types:

  1. Leverage through the ability to code the system behavior.
  2. Leverage through math, where the good guy knows something that the adversary does not.

Prime numbers are used as part of at least one mathematical mechanism that serves #2.

Read more »

  2014-10-15

Poodle flaw and IoT

  By Hagai Bar-El   , 457 words
Categories: Security Engineering

The Poodle flaw discovered by Google folks is a big deal. It will not be hard to fix, because for most systems there is just no need to support SSLv3. Fixing those will only imply changing configuration so not to allow SSL fallback. However, this flaw brings to our attention, again, how the weakest link in security often lies in the graceful degradation mechanisms that are there to support interoperability. Logic that degrades security for the sake of interoperability is hard to do right and is often easy to exploit. Exploitation is usually carried out by the attacker connecting while pretending to be “the dumbest” principal, letting the “smarter” principal drop security to as low as it will go.

All this is not new. What may be new is a thought on what such types of flaws may imply on the emerging domain of the Internet-of-Things.

Read more »

  2014-10-11

Snapchat leak -- who is to blame?

  By Hagai Bar-El   , 242 words
Categories: IT Security, Security Engineering

Snapchat is in the headlines again for allegedly leaking out nude photos of users. They strictly deny that there was any breach of their servers, and blame third party applications for leaking this data. This might be the case, but it is not enough to take them off the hook, especially given that their product is mostly about confidence. There are more and better instant-messaging apps out there, and whoever uses Snapchat uses it exactly so such events do not happen, whatever the excuse is.

I have no idea what exactly happened, if at all, but if a third party app got to access Snapchat data, then this Snapchat data was either

  • obtained by the third-party app on the user device, or
  • obtained by the third party app by impersonating the legitimate Snapchat app against the Snapchat server.

On a typical (i.e., un-rooted) Android or iOS device, apps can store their data so it is not readily available to other, unauthorized, apps; it would have been careless to leave such photos behind for the asking. On the other hand, Snapchat were accused several months ago for improperly authenticating their clients by the server, allowing easy impersonation of Snapchat client apps. I was quoted in USA Today yesterday addressing the need to properly authenticate clients.

Lastly I will add that there is also the possibility that no breach has ever occurred, and that the entire image dump is a hoax. Time will tell.

  2014-04-03

Bitcoin does not provide anonymity

  By Hagai Bar-El   , 762 words
Categories: Security Engineering, Security Policies, Security, Counter-media

When people discuss Bitcoin, one of its properties that is often considered is its presumable anonymity. In this respect, it is often compared to cash. However, it shall be recognized and understood that Bitcoin is not as anonymous as cash; far from it, actually. Its anonymity relies on the concept of pseudonyms, which delivers some (unjustified) sense of anonymity, but very weak anonymity in practice.

Read more »

My new patent on secure key provisioning

  By Hagai Bar-El   , 151 words
Categories: Personal News, Security Engineering

I recently got a US patent application granted by the Patent and Trademark Office. The patent bears the title “Methods Circuits Devices and Systems for Provisioning of Cryptographic Data to One or More Electronic Devices“.

Read more »

  2014-01-29

SnapChat and client authentication

  By Hagai Bar-El   , 25 words
Categories: Security Engineering

A post I have written about the SnapChat hack, and what it can teach us on the need for secure execution and secure client authentication.

1 2 4 5


Form is loading...

  XML Feeds

Search

License

All contents are licensed under the Creative Commons Attribution license.