Category: "IT Security"

About the IT Security category

  By Hagai Bar-El   , 57 words
Categories: IT Security

The IT Security category contains essays that discuss security aspects of corporate and personal information systems. Also included are personal and corporate security policy issues, as well as operations security. Examples for topics that fall into this category are: malware detection, network firewalls and attacks prevention, deployment of encryption technologies, protection of privacy in deployed systems, etc.

Pages: 1 2 4 5

  2014-04-09

OpenSSL "Heartbleed" bug: what's at risk on the server and what is not

  By Hagai Bar-El   , 1223 words
Categories: IT Security, Cyber Security, Counter-media

A few days ago, a critical bug was found in the common OpenSSL library. OpenSSL is the library that implements the common SSL and TLS security protocols. These protocols facilitate the encrypted tunnel feature that secure services – over the web and otherwise – utilize to encrypt the traffic between the client (user) and the server.

The discovery of such a security bug is a big deal. Not only that OpenSSL is very common, but the bug that was found is one that can be readily exploited remotely without any privilege on the attacker’s side. Also, the outcome of the attack that is made possible is devastating. Exploiting the bug allows an attacker to obtain internal information, in the form of memory contents, from the attacked server or client. This memory space that the attacker can obtain a copy of can contain just about everything. Almost.

There are many essays and posts about the “everything” that could be lost, so I will take the optimistic side and dedicate this post to the “almost". As opposed to with other serious attacks, at least the leak is not complete and can be quantified, and the attack is not persistent.

Read more »

  2014-02-01

CyberTech 2014

  By Hagai Bar-El   , 438 words
Categories: IT Security, Cyber Security, Events, Counter-media

I attended CyberTech 2014 on January 27th-28th. CyberTech is a respectable conference for technologies related to cyber-security. The conference consisted of lectures and an exhibition. The lectures were most given by top notch speakers from the security space, both from the public sector and from the private sector; most being highly ranked executives. The exhibition sported companies ranging from the largest conglomerates as IBM and Microsoft, to garage start-ups.

I am easy to disappoint by cyber-security conferences. Simply put, there are more cyber-security conferences than what the security industry really has to say. This implies that for the security architect or practitioner, most cyber-security conferences lack sufficient substance. I take CyberTech 2014 with mixed emotions too. The exhibition showed interesting ideas, especially by start-ups, while the lectures left more to wish for.

Read more »

  2013-09-15

How risky to privacy is Apple's fingerprint reader?

  By Hagai Bar-El   , 964 words
Categories: IT Security, Security Engineering

Congratulations to Apple for featuring a fingerprint reader as part of its new iPhone. It was reported by The Wall Street Journal here, in the blog of Bruce Schneier here, by Time Tech here, and in dozens of other places. Very much expectedly, this revelation spurred anxiety among the conspiracy theorists out there. The two common concerns that were raised are:

  • Apple will have a database of all our fingerprints.
  • What if someone breaks into the device and gets at our fingerprint?

(There is another line of concern, related to the fifth amendment and how its protection may be foiled by authenticating using biometrics alone, but this is a legal concern which is off topic.)

While a bit of paranoid thinking is always helpful, security engineering requires more than crying out each time a mega-corporate launches a new technology that involves private data. Assets and threats need to be determined, and then we can decide whether or not the risk is worth the benefits.

Read more »

  2013-07-06

The difference between Cyber Security and just Security

  By Hagai Bar-El   , 637 words
Categories: IT Security, Security Policies, Cyber Security, Counter-media

The concept of “Cyber Security” is surely the attention grabber of the year. All security products and services enjoy a boost in their perception of importance, and sales, by merely prepending the word “cyber” to their description. But how is cyber security different than just security?

It differs, but it is not an entirely different domain, at least not from the technology perspective.

Security protects against malicious attacks. Attacks involve an attacker, an attack target, and the attack method, which exploits one or more vulnerabilities in the target. When speaking of cyber attacks, it is common to refer to a nation state attacking another, or to an organization attacking a state. Referring to unorganized individual hackers as executing “cyber attacks", while being a common trend, is a blunt misuse of the “cyber” term in its common meaning. And still, cyber security is not as dramatically different than traditional security.

Read more »

  2012-03-02

Improving the security provided by Yubikey for local encryption

  By Hagai Bar-El   , 697 words
Categories: IT Security

In the previous post, I discussed the use of Yubikey for local encryption. I noted that Yubikey can store a long string that can be used as an encryption key, or a password. It provides no extra protection against key-loggers, but still allows to use strong passwords without remembering and typing them. Today, I would like to discuss a technique that makes Yubikey based encryption more secure; still not resistant to a key-logger, but resistant to having the Yubikey “borrowed” by a thief.

Read more »

  2012-02-26

Using Yubikey with constant keys

  By Hagai Bar-El   , 322 words
Categories: IT Security

Yubikey is the first one-time password generator I saw that can also emit a static password. When you press the button, a constant pre-defined string is entered, just as if it was typed on the keyboard. Is it more secure than typing the password on the keyboard? Not at all (unless shoulder-surfing is an issue.) So how does it differ from entering a long key yourself? It does not. And still, local encryption is a valid use-case just for such a function.

Read more »

  2012-02-25

The case for supporting one-time passwords in conjunction with regular ones

  By Hagai Bar-El   , 874 words
Categories: IT Security

A few days ago I got a Yubikey. While exploring use-cases for it, it occurred to me that there is a strong case for a mode of operation which is seldom (never?) used by IT departments: using the token while also supporting static passwords for the same services. It is not suitable for everyone, but it is suitable for the security-aware users. I will now introduce Yubikey in a few words, and then explain the purpose of adding support for one-time password to services that already support static passwords, without eliminating the latter.

Read more »

1 2 4 5

Search

  XML Feeds

License

All contents licensed under the Creative Commons Attribution license.