The IT Security category contains essays that discuss security aspects of corporate and personal information systems. Also included are personal and corporate security policy issues, as well as operations security. Examples for topics that fall into this category are: malware detection, network firewalls and attacks prevention, deployment of encryption technologies, protection of privacy in deployed systems, etc.
It has been a while since Truecrypt was discontinued. While it still works on most platforms, including new Windows machines (except for the full-disk-encryption on some of them), and while there still is no evidence to indicate that it is insecure, users of Truecrypt find the situation bothersome; and for a good reason. By now it seems obvious than an alternative has to be found.
Shodan is a search engine for computers. It allows to search for hosts on the Internet not by the text they serve but by their technical properties as they reflect in responses to queries. The crawler Shodan uses to build its index does not read text that websites emit when visited, but instead it reads the information that the machine provides when probed.
Like most other technologies, this is another dual-use technology. It has both legitimate and malicious uses. The tool can be used for research, but it can be, and indeed has been, used for vicious purposes. Shodan will readily map and report Internet-accessible web-cams, traffic lights, and other IoT devices, including those with lax protection, such as those using default passwords or no passwords for log-in.
So is Shodan bad? Not at all. Those are exactly the forces that make us all more secure.
Snapchat is in the headlines again for allegedly leaking out nude photos of users. They strictly deny that there was any breach of their servers, and blame third party applications for leaking this data. This might be the case, but it is not enough to take them off the hook, especially given that their product is mostly about confidence. There are more and better instant-messaging apps out there, and whoever uses Snapchat uses it exactly so such events do not happen, whatever the excuse is.
I have no idea what exactly happened, if at all, but if a third party app got to access Snapchat data, then this Snapchat data was either
On a typical (i.e., un-rooted) Android or iOS device, apps can store their data so it is not readily available to other, unauthorized, apps; it would have been careless to leave such photos behind for the asking. On the other hand, Snapchat were accused several months ago for improperly authenticating their clients by the server, allowing easy impersonation of Snapchat client apps. I was quoted in USA Today yesterday addressing the need to properly authenticate clients.
Lastly I will add that there is also the possibility that no breach has ever occurred, and that the entire image dump is a hoax. Time will tell.
It has been a while since the announcement of the demise of TrueCrypt (which I reported), and an equivalent replacement for all those people who rely on it is not yet evident. TrueCrypt did not revive yet, but the situation is not time-wise critical as it may have seemed. There are a few options, for the time being.
I wish I knew where TrueCrypt stands now, but I don't. I follow TrueCrypt and regularly endorse it ever since I discovered it and wrote this post nine years ago. TrueCrypt was, and may still be, the most sensible and presumably-secure volume and full-disk encryption software for Windows; also supporting Linux and Mac. A few days ago the project discontinued, and users were directed to alternative, non-open-source solutions.
A few days ago, a critical bug was found in the common OpenSSL library. OpenSSL is the library that implements the common SSL and TLS security protocols. These protocols facilitate the encrypted tunnel feature that secure services -- over the web and otherwise -- utilize to encrypt the traffic between the client (user) and the server.
The discovery of such a security bug is a big deal. Not only that OpenSSL is very common, but the bug that was found is one that can be readily exploited remotely without any privilege on the attacker's side. Also, the outcome of the attack that is made possible is devastating. Exploiting the bug allows an attacker to obtain internal information, in the form of memory contents, from the attacked server or client. This memory space that the attacker can obtain a copy of can contain just about everything. Almost.
There are many essays and posts about the "everything" that could be lost, so I will take the optimistic side and dedicate this post to the "almost". As opposed to with other serious attacks, at least the leak is not complete and can be quantified, and the attack is not persistent.
I attended CyberTech 2014 on January 27th-28th. CyberTech is a respectable conference for technologies related to cyber-security. The conference consisted of lectures and an exhibition. The lectures were most given by top notch speakers from the security space, both from the public sector and from the private sector; most being highly ranked executives. The exhibition sported companies ranging from the largest conglomerates as IBM and Microsoft, to garage start-ups.
I am easy to disappoint by cyber-security conferences. Simply put, there are more cyber-security conferences than what the security industry really has to say. This implies that for the security architect or practitioner, most cyber-security conferences lack sufficient substance. I take CyberTech 2014 with mixed emotions too. The exhibition showed interesting ideas, especially by start-ups, while the lectures left more to wish for.