
TEDTalk review: "Why Privacy Matters" by Glenn Greenwald

TED published an excellent talk: Why Privacy Matters, by Glenn Greenwald.

Seldom do I call an online lecture “a must for all audiences”, but the TED lecture by Glenn Greenwald deserves such an endorsement. Glenn Greenwald is one of the key reporters who published material based on the leaks of Edward Snowden. He also wrote a good book about it called “No Place to Hide”, which I reviewed about 6 months ago.

If you know that privacy is important, but cannot explain why people who’ve done nothing wrong need it, or worse yet, if you really do not see why a surveillance state is bad also for law-abiding citizens, then you must listen to this. It packs hours of social, psychological, and public policy discussions into a few minutes.


Top challenges of securing IoT

As much as there is hype about the Internet of Things (IoT) and protecting it, there is no such thing as “IoT Security” per se. There is just the usual security engineering that is applied to IoT. Security engineering is about determining assets, threats to assets, and cost-effective means of mitigation. There are many models and ways for carrying out such analysis, but for the most part they all boil down to those key elements. Such security analysis applies to networks, it applies to servers, it applies to cars, and it also applies to IoT. That said, security engineering in IoT does pose a few unique challenges, which I would like to discuss now.


Data about you is never thrown away

I was quoted by The Enquirer saying that we should all assume that data (from wearables and otherwise) collected by service providers will never be deleted. The data collected by wearables is only as protected as the network that holds it, and it is likely to be stored indefinitely.

The trend today, given the ever-decreasing cost of storage, is to store data forever. A CIO will prefer to pay a bit more for a little more disk space than risk his job and the company's prosperity by deciding to discard data that is one day determined to have been useful.

EDITED TO ADD: This story was also published by USA Today, and others.

Shodan makes us all more secure

Shodan is a search engine for computers. It allows one to search for hosts on the Internet not by the text they serve but by their technical properties, as reflected in their responses to queries. The crawler Shodan uses to build its index does not read the text that websites emit when visited; instead it reads the information that the machine provides when probed.

Like most other technologies, this is a dual-use technology. It has both legitimate and malicious uses. The tool can be used for research, but it can be, and indeed has been, used for malicious purposes. Shodan will readily map and report Internet-accessible webcams, traffic lights, and other IoT devices, including those with lax protection, such as those using default passwords or no passwords at all for log-in.

So is Shodan bad? Not at all. Those are exactly the forces that make us all more secure.


Prime numbers and security

Without much relation to anything, I wrote this short essay about the role prime numbers play in Internet security. In a nutshell, security relies on the ability to form leverage for the defender over the adversary. Such leverage can be of one of two types:

  1. Leverage through the ability to code the system behavior.

  2. Leverage through math, where the good guy knows something that the adversary does not.

Prime numbers are used as part of at least one mathematical mechanism that serves #2.


Poodle flaw and IoT

The Poodle flaw discovered by Google folks is a big deal. It will not be hard to fix, because for most systems there is just no need to support SSLv3. Fixing them only requires a configuration change that disallows the SSL fallback. However, this flaw brings to our attention, again, how the weakest link in security often lies in the graceful degradation mechanisms that are there to support interoperability. Logic that degrades security for the sake of interoperability is hard to do right and is often easy to exploit. Exploitation is usually carried out by the attacker connecting while pretending to be “the dumbest” principal, letting the “smarter” principal drop security to as low as it will go.

All this is not new. What may be new is a thought on what such flaws may imply for the emerging domain of the Internet-of-Things.
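To make the "drop security as low as it will go" dynamic concrete, here is an added example (not from the original post) that models a client's version fallback against three server configurations: a legacy server that still accepts SSLv3, one with SSLv3 removed, and one that honours TLS_FALLBACK_SCSV (RFC 7507). The version list, the `Server` class and the attacker model are simplifications assumed for illustration, not real TLS code.

```python
# Added example: simplified model of the protocol-version "downgrade dance".
# Not real TLS; the version names, Server class and attacker model are
# assumptions made for illustration only.
from dataclasses import dataclass

VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSLv3"]  # strongest first


def rank(v):
    return VERSIONS.index(v)  # lower index = stronger version


@dataclass
class Server:
    supported: set              # protocol versions the server will accept
    honour_fallback_scsv: bool  # implements TLS_FALLBACK_SCSV (RFC 7507)?

    def handshake(self, version, scsv):
        """Return ('ok', version) or ('fail', reason)."""
        if version not in self.supported:
            return ("fail", "protocol_version")
        # RFC 7507: a client retrying at a lower version says so via the SCSV;
        # if the server could have done better, the retry is a downgrade, so abort.
        if self.honour_fallback_scsv and scsv and any(
                rank(s) < rank(version) for s in self.supported):
            return ("fail", "inappropriate_fallback")
        return ("ok", version)


def negotiate(server, attacker_floor=None, send_scsv=False):
    """Client that retries with the next-lower version after any failure.
    attacker_floor: an active attacker resets every handshake stronger
    than this version, so the client keeps falling back."""
    for attempt, version in enumerate(VERSIONS):
        if attacker_floor is not None and rank(version) < rank(attacker_floor):
            continue  # handshake reset by the attacker; client falls back
        status, detail = server.handshake(version, scsv=send_scsv and attempt > 0)
        if status == "ok":
            return detail
        if detail == "inappropriate_fallback":
            return None  # client must abort instead of degrading further
    return None  # no acceptable version: fails closed


LEGACY = Server(supported=set(VERSIONS), honour_fallback_scsv=False)
NO_SSLV3 = Server(supported={"TLS1.2", "TLS1.1", "TLS1.0"}, honour_fallback_scsv=False)
WITH_SCSV = Server(supported=set(VERSIONS), honour_fallback_scsv=True)

if __name__ == "__main__":
    print(negotiate(LEGACY))                                            # TLS1.2
    print(negotiate(LEGACY, attacker_floor="SSLv3"))                    # SSLv3
    print(negotiate(NO_SSLV3, attacker_floor="SSLv3"))                  # None
    print(negotiate(WITH_SCSV, attacker_floor="SSLv3", send_scsv=True)) # None
```

The second run is the POODLE exposure: an unchanged client lands on SSLv3 merely because the stronger handshakes "failed"; the last two show the two fixes, removing SSLv3 (fails closed) and detecting the fallback itself.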


Snapchat leak -- who is to blame?

Snapchat is in the headlines again for allegedly leaking out nude photos of users. They strictly deny that there was any breach of their servers, and blame third party applications for leaking this data. This might be the case, but it is not enough to take them off the hook, especially given that their product is mostly about confidence. There are more and better instant-messaging apps out there, and whoever uses Snapchat uses it exactly so such events do not happen, whatever the excuse is.

I have no idea what exactly happened, if at all, but if a third party app got to access Snapchat data, then this Snapchat data was either

  • obtained by the third-party app on the user's device, or

  • obtained by the third-party app by impersonating the legitimate Snapchat app against the Snapchat server.

On a typical (i.e., un-rooted) Android or iOS device, apps can store their data so it is not readily available to other, unauthorized, apps; it would have been careless to leave such photos behind for the asking. On the other hand, Snapchat was accused several months ago of improperly authenticating its clients at the server, allowing easy impersonation of Snapchat client apps. I was quoted in USA Today yesterday addressing the need to properly authenticate clients.

Lastly I will add that there is also the possibility that no breach has ever occurred, and that the entire image dump is a hoax. Time will tell.

A gift from Snowden to the European economy

The revelations made by Edward Snowden did not show us anything that we never thought possible. They did reveal, however, that many of the things that were possible in theory found their way into reality. Those revelations also gave many of the chronic paranoids and conspiracy theorists an opportunity to say “I told you so”. The fact is, digital life causes us to rely on more and more service providers, in the shape of government agencies and private organizations, and those providers have now been caught violating our trust. When we buy products and services, we trust their provider to follow the norms we believe it follows. When such trust breaks, we need to think about what comes next. In my opinion, this situation forms an opportunity for Europe to catch up.


Capturing PINs using an IR camera

This video demonstrates how an IR camera, of the type that can be bought for a reasonable price and attached to a smartphone, can be used to capture a PIN that was previously entered on a PIN pad, by analyzing a thermal image of the pad after the fact. When a human finger presses a non-metallic button, it leaves a thermal residue that can be detected in a thermal image, even one taken many seconds later.

The video refers to the article: Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, written at UC San Diego.