I have been running a security research group at Sansa Security since 2006, and while I think about it often, I never bothered to publish any post about how to run an effective security research team. So here is a first post on this topic, with an anticipation for writing additional installments in the future.

I will address a few random topics that come to my mind this moment, about staffing, external interaction, being in the know, and logging. Feel free to bring up other topics of interest as comments to this post.

Continue reading "Running an effective security research team"

I will be speaking in the ARM Security Seminar in Taipei, Taiwan. The title of the talk is “Future proofing your security architecture”.

Following is the talk abstract:

Continue reading "ARM Taiwan Security Seminar"

Today it is ten years since the first post on this blog was published. This blog superseded an email bulletin that I maintained for seven years beforehand.

I am not the best blogger ever. I write much less frequently than I planned and wanted. Writing takes time that I do not always have; but more importantly, I try not to write unless I have something unique to say, and by doing this I feel I differentiate this blog from hundreds of others.

Continue reading "My blog's 10th anniversary"

TED published an excellent talk: Why Privacy Matters, by Glenn Greenwald.

Seldom do I call an online lecture “a must for all audience“, but the TED lecture by Glenn Greenwald is worth such an enforcement. Glenn Greenwald is one of the key reporters who published material based on the leaks of Edward Snowden. He also wrote a good book about it called “No Place to Hide”; a book on which I wrote a review about 6 months ago.

If you know that privacy is important, but cannot explain why people who’ve done nothing wrong need it, or worse yet, if you really do not see why a surveillance state is bad also for law-abiding citizens, then you must listen to this. It packs hours of social, psychological, and public policy discussions into a few minutes.

Continue reading "TEDTalk review: "Why Privacy Matters" by Glenn Greenwald"

As much as there is hype about the Internet of Things (IoT) and protecting it, there is no such thing as “IoT Security” per se. There is just the usual security engineering that is applied to IoT. Security engineering is about determining assets, threats to assets, and cost-effective means of mitigation. There are many models and ways for carrying out such analysis, but for the most part they all boil down to those key elements. Such security analysis applies to networks, it applies to servers, it applies to cars, and it also applies to IoT. That said, security engineering in IoT does pose a few unique challenges, which I would like to discuss now.

Continue reading "Top challenges of securing IoT"

I was quoted by The Enquirer saying that we shall all assume that data (from wearables and otherwise) that is collected by service providers will never be deleted. The data collected by wearables is only as protected as the network that holds it – and it is likely to be stored indefinitely.

“The trend today, given the ever-decreasing cost of storage, is to store data forever. A CIO will prefer to pay a bit more for a little more disk space than risk his job and company prosperity by deciding to discard data that is one day determined to have been useful.”

EDITED TO ADD: This story was also pubished by USA Today, and others.

Shodan is a search engine for computers. It allows to search for hosts on the Internet not by the text they serve but by their technical properties as they reflect in responses to queries. The crawler Shodan uses to build its index does not read text that websites emit when visited, but instead it reads the information that the machine provides when probed.

Like most other technologies, this is another dual-use technology. It has both legitimate and malicious uses. The tool can be used for research, but it can be, and indeed has been, used for vicious purposes. Shodan will readily map and report Internet-accessible web-cams, traffic lights, and other IoT devices, including those with lax protection, such as those using default passwords or no passwords for log-in.

So is Shodan bad? Not at all. Those are exactly the forces that make us all more secure.

Continue reading "Shodan makes us all more secure"

An article and interview with me by Byron Acohido of ThirdCertainty about why surveillance cams are trivial to hack. The discussion also covers the stance of IoT security in general.

Without much relation to anything, I wrote this short essay about the role prime numbers play in Internet security. In a nutshell, security relies on the ability to form leverage for the defender over the adversary. Such leverage can be of one of two types:

1. Leverage through the ability to code the system behavior.

2. Leverage through math, where the good guy knows something that the adversary does not.

Prime numbers are used as part of at least one mathematical mechanism that serves #2.

Continue reading "Prime numbers and security"

The Poodle flaw discovered by Google folks is a big deal. It will not be hard to fix, because for most systems there is just no need to support SSLv3. Fixing those will only imply changing configuration so not to allow SSL fallback. However, this flaw brings to our attention, again, how the weakest link in security often lies in the graceful degradation mechanisms that are there to support interoperability. Logic that degrades security for the sake of interoperability is hard to do right and is often easy to exploit. Exploitation is usually carried out by the attacker connecting while pretending to be “the dumbest” principal, letting the “smarter” principal drop security to as low as it will go.

All this is not new. What may be new is a thought on what such types of flaws may imply on the emerging domain of the Internet-of-Things.

Continue reading "Poodle flaw and IoT"