Snapchat is in the headlines again for allegedly leaking out nude photos of users. They strictly deny that there was any breach of their servers, and blame third party applications for leaking this data. This might be the case, but it is not enough to take them off the hook, especially given that their product is mostly about confidence. There are more and better instant-messaging apps out there, and whoever uses Snapchat uses it exactly so such events do not happen, whatever the excuse is.
I have no idea what exactly happened, if at all, but if a third party app got to access Snapchat data, then this Snapchat data was either
-
obtained by the third-party app on the user device, or
-
obtained by the third party app by impersonating the legitimate Snapchat app against the Snapchat server.
On a typical (i.e., un-rooted) Android or iOS device, apps can store their data so it is not readily available to other, unauthorized, apps; it would have been careless to leave such photos behind for the asking. On the other hand, Snapchat were accused several months ago for improperly authenticating their clients by the server, allowing easy impersonation of Snapchat client apps. I was quoted in USA Today yesterday addressing the need to properly authenticate clients.
Lastly I will add that there is also the possibility that no breach has ever occurred, and that the entire image dump is a hoax. Time will tell.
This video demonstrates how an IR camera, of the type that can be bought for a reasonable price and attached to a smart-phone, can be used to capture a PIN that was previously entered on a PIN pad, by analyzing a thermal image of the pad after the fact. When the human finger presses a non-metallic button, it leaves a thermal residue that can be detected on a thermal image, even if taken many seconds later.
The video refers to the article: Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, written in UC San-Diego.
When people discuss Bitcoin, one of its properties that is often considered is its presumable anonymity. In this respect, it is often compared to cash. However, it shall be recognized and understood that Bitcoin is not as anonymous as cash; far from it, actually. Its anonymity relies on the concept of pseudonyms, which delivers some (unjustified) sense of anonymity, but very weak anonymity in practice.
Continue reading "Bitcoin does not provide anonymity"
I recently got a US patent application granted by the Patent and Trademark Office. The patent bears the title “Methods Circuits Devices and Systems for Provisioning of Cryptographic Data to One or More Electronic Devices“.
Continue reading "My new patent on secure key provisioning"
Congratulations to Apple for featuring a fingerprint reader as part of its new iPhone. It was reported by The Wall Street Journal here, in the blog of Bruce Schneier here, by Time Tech here, and in dozens of other places. Very much expectedly, this revelation spurred anxiety among the conspiracy theorists out there. The two common concerns that were raised are:
(There is another line of concern, related to the fifth amendment and how its protection may be foiled by authenticating using biometrics alone, but this is a legal concern which is off topic.)
While a bit of paranoid thinking is always helpful, security engineering requires more than crying out each time a mega-corporate launches a new technology that involves private data. Assets and threats need to be determined, and then we can decide whether or not the risk is worth the benefits.
Continue reading "How risky to privacy is Apple's fingerprint reader?"
I recently got a US patent application granted by the Patent and Trademark Office. The patent bears the title “Device, System, and Method of Securely Executing Applications".
Continue reading "My new patent on a secure execution environment"
I recently got a US patent application granted by the Patent and Trademark Office. The patent bears the title “Device, System, and Method of Digital Rights Management Utilizing Supplemental Content".
Continue reading "My new patent on ads extension to DRM"
Smart Grid security is one of the new emerging fields of security. Everybody knows that the new generation of electricity grids requires a new level of security against cyber-wars, cyber-terrorism, and all the rest. Yet, for the purchaser of Smart Grid solutions, it is not always obvious where to start and that to require. The topic is wide, complex, and not very well documented. I do not intend to write a compendium here, but I will share my perspective on how an integrator, or purchaser, may prefer to approach the problem of evaluating Smart Grid solutions from the security perspective.
Continue reading "Handling the Security Aspect of Smart Grid Product Purchasing"
A few days ago I was presented with an interesting question: What is the difference between Content Protection and Cyber Security? These domains of Information Security are so different and unrelated, that the difference in their definition is more or less the entire definition of both. This question, however, was asked in the context of the factors that make each of these problems hard to solve. Both problems are hard ones, and seem to require more than the state of the art in security can provide; yet they are hard problems for completely different reasons.
Continue reading "The Difference Between Content Protection and Cyber Security"
The emergence of the Android Operating System for mobile devices is said to have put the content protection industry in trouble. This is probably true. However, for sake of accuracy, it has not introduced wholly new problems as it worsened existing ones, in an overall situation that was never easy to start with. Let us see what open Operating Systems such as Android have changed, and how the content protection industry may go about to overcome these new-old difficulties.
Continue reading "The Future of Content Protection on Open Platforms, Such as Android"