Category: "IT Security"

About the IT Security category

  22:30, by Hagai Bar-El   , 57 words
Categories: IT Security

The IT Security category contains essays that discuss security aspects of corporate and personal information systems. Also included are personal and corporate security policy issues, as well as operations security. Examples for topics that fall into this category are: malware detection, network firewalls and attacks prevention, deployment of encryption technologies, protection of privacy in deployed systems, etc.

Pages: 1 2 4


How risky to privacy is Apple's fingerprint reader?

  22:11, by Hagai Bar-El   , 964 words
Categories: IT Security, Security Engineering

Congratulations to Apple for featuring a fingerprint reader as part of its new iPhone. It was reported by The Wall Street Journal here, in the blog of Bruce Schneier here, by Time Tech here, and in dozens of other places. Very much expectedly, this revelation spurred anxiety among the conspiracy theorists out there. The two common concerns that were raised are:

  • Apple will have a database of all our fingerprints.
  • What if someone breaks into the device and gets at our fingerprint?

(There is another line of concern, related to the fifth amendment and how its protection may be foiled by authenticating using biometrics alone, but this is a legal concern which is off topic.)

While a bit of paranoid thinking is always helpful, security engineering requires more than crying out each time a mega-corporate launches a new technology that involves private data. Assets and threats need to be determined, and then we can decide whether or not the risk is worth the benefits.

Full story »


The difference between Cyber Security and just Security

  19:24, by Hagai Bar-El   , 637 words
Categories: IT Security, Security Policies, Cyber Security, Counter-media

The concept of "Cyber Security" is surely the attention grabber of the year. All security products and services enjoy a boost in their perception of importance, and sales, by merely prepending the word "cyber" to their description. But how is cyber security different than just security?

It differs, but it is not an entirely different domain, at least not from the technology perspective.

Security protects against malicious attacks. Attacks involve an attacker, an attack target, and the attack method, which exploits one or more vulnerabilities in the target. When speaking of cyber attacks, it is common to refer to a nation state attacking another, or to an organization attacking a state. Referring to unorganized individual hackers as executing "cyber attacks", while being a common trend, is a blunt misuse of the "cyber" term in its common meaning. And still, cyber security is not as dramatically different than traditional security.

Full story »


Improving the security provided by Yubikey for local encryption

  23:47, by Hagai Bar-El   , 697 words
Categories: IT Security

In the previous post, I discussed the use of Yubikey for local encryption. I noted that Yubikey can store a long string that can be used as an encryption key, or a password. It provides no extra protection against key-loggers, but still allows to use strong passwords without remembering and typing them. Today, I would like to discuss a technique that makes Yubikey based encryption more secure; still not resistant to a key-logger, but resistant to having the Yubikey “borrowed” by a thief.

Full story »


Using Yubikey with constant keys

  23:46, by Hagai Bar-El   , 322 words
Categories: IT Security

Yubikey is the first one-time password generator I saw that can also emit a static password. When you press the button, a constant pre-defined string is entered, just as if it was typed on the keyboard. Is it more secure than typing the password on the keyboard? Not at all (unless shoulder-surfing is an issue.) So how does it differ from entering a long key yourself? It does not. And still, local encryption is a valid use-case just for such a function.

Full story »


The case for supporting one-time passwords in conjunction with regular ones

  23:42, by Hagai Bar-El   , 874 words
Categories: IT Security

A few days ago I got a Yubikey. While exploring use-cases for it, it occurred to me that there is a strong case for a mode of operation which is seldom (never?) used by IT departments: using the token while also supporting static passwords for the same services. It is not suitable for everyone, but it is suitable for the security-aware users. I will now introduce Yubikey in a few words, and then explain the purpose of adding support for one-time password to services that already support static passwords, without eliminating the latter.

Full story »


CAcert as a certification alternative

  23:31, by Hagai Bar-El   , 1011 words
Categories: IT Security, Counter-media

A few months ago, I wrote about the problem that emerges from having to rely on digital certificates that are issued by Certification Authorities of which we, the relying parties, are not the paying customers. As a result, we rely on the CA (Certification Authority) certification process, while there is no economic incentive for the CA to actually maintain a robust certification mechanism and to justify our trust.

Unexpectedly, this post, titled “The Inevitable Collapse of the Certificate Model”, quickly became the favorite post on my blog, pulling more views than all other individual posts.

One alternative that was suggested is by, a community based certification organization. Here are my thoughts on the ability of such a mechanism to solve the certification problem.

Full story »


Understanding the Impact of the RSA SecurID Breach

  23:25, by Hagai Bar-El   , 849 words
Categories: IT Security

A few days ago, we were notified (e.g., here and here) that a hack into the network of RSA Security (the security division of EMC) has led to someone stealing something that is related to the SecurID token product.

We cannot determine the real impact of this security breach until RSA Security tells us what exactly got stolen. I believe that this information will be made available, as a result of legal or public pressure, if for no other reason. Until this data becomes available, let us examine the two most probable options, and how we may respond to each.

Full story »

1 2 4