
InZero provides some security

I was just made aware of InZero, a new physical device that you connect to your PC, and your browsing becomes secure. I find it amazing that some people treat it as among the most revolutionary of security solutions.

I think the InZero device is cool. I think it protects against some attack vectors, at some usability costs. It may even make a worthwhile trade-off for some people. But to consider the protection granted by this device as something that is revolutionary, or to claim that it is “giving hackers, criminals, and spies the middle finger” is an exaggeration, even when it comes from marketing guys.


A business model based on people making bad security trade-offs

From time to time I am exposed to a new service, sometimes security-related, that promises something new. More often than not, the new security service is novel, but only because either no one really needs it, or because it does not form a good balance between security and other needs. The cases of the latter category are far more interesting.


Companies collect data on us --- so what?

It is very common among security people to take privacy issues seriously. When we hear that a particular service collects personal data on us, we get extremely anxious. We will not use services that collect personal data that are not necessary to render the service. Sometimes we will forgo using a useful service, just because it requires that we feed in personal data, or because we do not like the wording of the privacy policy, or its lack of…

To us, security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits, is just wrong. Technologists like Cory Doctorow call for treating personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, although he did nothing wrong. All is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.

It is easy to explain why one would not like the government to have too much data on himself. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google apps users), and Facebook, collect. Why should I care about having my personal data on-line?


On the Purpose of Security Standards

An interesting article was published in Information Security Resources, titled: “Payment Card Industry Swallows Its Own Tail”.

The author seems to claim that PCI DSS may not survive for long, because the various stakeholders are too busy blaming each other for security breaches instead of trying to make the ecosystem more secure. Also, organizations that are PCI DSS compliant still suffer from security breaches, which seems to indicate that the standard is ineffective.

There are two questions that need to be asked:


Right, the kernel can access your encrypted volume keys. So what?

On January 15th, TechWorld published an article called Encryption programs open to kernel hack. Essentially, it warns that the key to encrypted volumes, that is, to volumes of software-encrypted virtual drives, is delivered by the encryption application to the kernel of the operating system, and thus may be captured by a malicious kernel.

“According to a paper […] such OTFE (on-the-fly-encryption) programs typically pass the password and file path information in the clear to a device driver through a Windows programming function called ‘DeviceIoControl’.”


And they consider it a threat:

“Dubbed the Mount IOCTL (input output control) Attack by Roellgen, an attacker would need to substitute a modified version of the DeviceIoControl function that is part of the kernel with one able to log I/O control codes in order to find the one used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be vulnerable.”


Such “findings” occur often when the security model of a security system is ignored.


My new patent on secure boot using embedded flash

Yesterday, I got a US patent application granted by the Patent and Trademark Office. The patent bears the title “SYSTEM, DEVICE, AND METHOD OF SELECTIVELY ALLOWING A HOST PROCESSOR TO ACCESS HOST-EXECUTABLE CODE”. Essentially, this patent discloses a technology that allows booting a computing platform into a trusted state using a cryptography-enabled code storage device, without the need for a cryptography-enabled host processor. In other words, the technology allows securely booting a platform that has a security module that is coupled with the storage medium (e.g., embedded Flash memory) that stores the software, instead of a security module that is coupled with the host processor.


Twitter Terrorists -- Come On...

I could not miss this one in Wired.com.

Then the presentation launches into an even-more theoretical discussion of how militants might pair some of these mobile applications with Twitter, to magnify their impact. After all, “Twitter was recently used as a countersurveillance, command and control, and movement tool by activists at the Republican National Convention,” the report notes. “The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near real time.”

It seems as if people are making an effort to ring the bell on just about anything. Twitter? Twitter is merely an application that facilitates instant messaging, like tons of others. Whatever can be done with Twitter can also be done with IRC, Web chat rooms, shout boxes (those little frames on websites that display whatever is written by guests to the website), and whatnot.

Yes, someone evil can use Twitter to pass messages to other evil people in the field, but the ability to pass instant messages along is a “problem” of ubiquitous network technologies, not of this or that particular product.

Firewire threat to FDE

Full-Disk Encryption (FDE) has suffered class attacks lately.

As if the latest research (which showed that RAM contents can be recovered after power-down) was not enough, it seems that Firewire ports can form an even easier attack vector into FDE-locked laptops.

From TechWorld: Windows hacked in seconds via Firewire

The attack takes advantage of the fact that Firewire can directly read and write to a system’s memory, adding extra speed to data transfer.


The tool mentioned seems to only bypass the Win32 unlock screen, but given the free access to RAM, exploit code that digs out FDE keys is a matter of very little extra work.

This is nothing new. The concept was presented a couple of years ago, but I haven’t seen most FDE enthusiasts disable their Firewire ports yet.


The TSA Does Not Get It Completely Wrong

Many homeland security experts preach against the approach to airport security taken by the TSA. The TSA’s mitigation efforts focus primarily on specific tactics that terrorists may use, rather than on more generalized, more effective, measures, such as intelligence. Airline security, according to the ones opposing the TSA’s acts, shall be in effect long before the terrorist reaches the airport. All existing mechanisms, such as scanning shoes, banning liquids, etc., are a waste of time and money and punish only the innocent.

I generally agree, but I do so with mixed emotions.
