ENTRIES TAGGED "security"

Security firms must retool as clients move to the cloud

The risk of disintermediation meets a promise of collaboration.

This should be flush times for firms selling security solutions, such as Symantec, McAfee, Trend Micro, and RSA. Front-page news about cyber attacks provides free advertising, and security capabilities swell with new techniques such as security analysis (permit me a plug here for our book Network Security Through Data Analysis). But according to Jane Wright, senior analyst covering…
Read Full Post | Comments: 4 |
Four short links: 7 January 2014

Four short links: 7 January 2014

Wearables Mature, Network as Filter, To The Androidmobile, and U R Pwn3d

  1. Pebble Gets App Store (ReadWrite Web) — as both Pebble and MetaWatch go after the high-end watch market. Wearables becoming more than a nerd novelty.
  2. Thinking About the Network as Filter (JP Rangaswami) — Constant re-openings of the same debate as people try and get a synchronous outcome out of an asynchronous tool without the agreements and conventions in place to do it. He says friends are your social filters. You no longer have to read every email. When you come back from vacation, whatever has passed in the stream unread can stay unread but most social tools are built as collectors, not as filters. Looking forward to the rest in his series.
  3. Open Auto AllianceThe OAA is a global alliance of technology and auto industry leaders committed to bringing the Android platform to cars starting in 2014. “KidGamesPack 7 requires access to your history, SMS, location, network connectivity, speed, weight, in-car audio, and ABS control systems. Install or Cancel?”
  4. Jacob Appelbaum’s CCC Talk — transcript of an excellent talk. One of the scariest parts about this is that for this system or these sets of systems to exist, we have been kept vulnerable. So it is the case that if the Chinese, if the Russians, if people here wish to build this system, there’s nothing that stops them. And in fact the NSA has in a literal sense retarded the process by which we would secure the internet because it establishes a hegemony of power, their power in secret to do these things.

Comment |
Four short links: 30 December 2013

Four short links: 30 December 2013

Pattern Recognition, MicroSD Vulnerability, Security Talks, and IoT List

  1. tooldiaga collection of methods for statistical pattern recognition. Implemented in C.
  2. Hacking MicroSD Cards (Bunnie Huang) — In my explorations of the electronics markets in China, I’ve seen shop keepers burning firmware on cards that “expand” the capacity of the card — in other words, they load a firmware that reports the capacity of a card is much larger than the actual available storage. The fact that this is possible at the point of sale means that most likely, the update mechanism is not secured. MicroSD cards come with embedded microcontrollers whose firmware can be exploited.
  3. 30c3 — recordings from the 30th Chaos Communication Congress.
  4. IOT Companies, Products, Devices, and Software by Sector (Mike Nicholls) — astonishing amount of work in the space, especially given this list is inevitably incomplete.
Comment |
Four short links: 23 December 2013

Four short links: 23 December 2013

Lightweight Flying Robot, Autonomous Weapons, Scientific Irony, and Insecurity of Password Management Extensions

  1. DelFly Explorer — 20 grams, 9 minutes of autonomous flight, via barometer and new stereo vision system. (via Wayne Radinsky)
  2. Banning Autonomous Killing Machines (Tech Republic) — While no autonomous weapons have been built yet, it’s not a theoretical concern, either. Late last year, the U.S. Department of Defense (DoD) released its policy around how autonomous weapons should be used if they were to be deployed in the battlefield. The policy limits how they should operate, but definitely doesn’t ban them. (via Slashdot)
  3. Scientific Data Lost at Alarming Rate — says scientific paper PUBLISHED BEHIND A PAYWALL.
  4. Security of Browser Extension Password Managers (PDF) — This research shows that the examined password managers made design decisions that greatly increase the chance of users unknowingly exposing their passwords through application-level flaws. Many of the flaws relate to the browser-integrated password managers that don’t follow the same-origin policy that is crucial to browser security. In the case of password managers, this means that passwords could be filled into unintended credential forms, making password theft easier.
Comment: 1 |
Four short links: 19 December 2013

Four short links: 19 December 2013

Audio Key Extraction, Die Bitcoin, Keep Dying Bitcoin, Firmware Hacks

  1. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (PDF) — research uses audio from CPU to break GnuPG’s implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
  2. Bitcoin, Magic Thinking, and Political Ideology (Alex Payne) — In other words: Bitcoin represents more of the same short-sighted hypercapitalism that got us into this mess, minus the accountability. No wonder that many of the same culprits are diving eagerly into the mining pool.
  3. Why I Want Bitcoin to Die in a Fire (Charlie Stross) — Like all currency systems, Bitcoin comes with an implicit political agenda attached. Decisions we take about how to manage money, taxation, and the economy have consequences: by its consequences you may judge a finance system. Our current global system is pretty crap, but I submit that Bitcoin is worst. With a list of reasons why Bitcoin is bad, like Stolen electricity will drive out honest mining. (So the greatest benefits accrue to the most ruthless criminals.)
  4. iSeeYou: Disabling the MacBook Webcam Indicator LED — your computer is made up of many computers, each of which can be a threat. This enables video to be captured without any visual indication to the user and can be accomplished entirely in user space by an unprivileged (non-root) application. The same technique that allows us to disable the LED, namely reprogramming the firmware that runs on the iSight, enables a virtual machine escape whereby malware running inside a virtual machine reprograms the camera to act as a USB Human Interface Device (HID) keyboard which executes code in the host operating system. We build two proofs-of-concept: (1) an OS X application, iSeeYou, which demonstrates capturing video with the LED disabled; and (2) a virtual machine escape that launches Terminal.app and runs shell commands. (via Washington Post)
Comment |
Four short links: 18 December 2013

Four short links: 18 December 2013

2013 Mispredicted, 2013 Accurately Predicted, RJ45 Computer, and Leakless Comms

  1. Cyberpunk 2013 — a roleplaying game shows a Gibsonian view of 2013 from 1988. (via Ben Hammersley)
  2. The Future Computer Utility — 1967 prediction of the current state. There are several reasons why some form of regulation may be required. Consider one of the more dramatic ones, that of privacy and freedom from tampering. Highly sensitive personal and important business information will be stored in many of the contemplated systems. Information will be exchanged over easy-to-tap telephone lines. At best, nothing more than trust—or, at best, a lack of technical sophistication—stands in the way of a would-be eavesdropper. All data flow over the lines of the commercial telephone system. Hanky-panky by an imaginative computer designer, operator, technician, communications worker, or programmer could have disastrous consequences. As time-shared computers come into wider use, and hold more sensitive information, these problems can only increase. Today we lack the mechanisms to insure adequate safeguards. Because of the difficulty in rebuilding complex systems to incorporate safeguards at a later date, it appears desirable to anticipate these problems. (via New Yorker)
  3. Lantronix XPort Pro Lx6a secure embedded device server supporting IPv6, that barely larger than an RJ45 connector. The device runs Linux or the company’s Evolution OS, and is destined to be used in wired industrial IoT / M2M applications.
  4. Pond — interesting post-NSA experiment in forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received. Pond seeks to prevent leaking traffic information against everyone except a global passive attacker. (via Morgan Mayhem)
Comment |
Four short links: 4 December 2013

Four short links: 4 December 2013

Zombie Drones, Algebra Through Code, Data Toolkit, and Crowdsourcing Antibiotic Discovery

  1. Skyjack — drone that takes over other drones. Welcome to the Malware of Things.
  2. Bootstrap Worlda curricular module for students ages 12-16, which teaches algebraic and geometric concepts through computer programming. (via Esther Wojicki)
  3. Harvestopen source BSD-licensed toolkit for building web applications for integrating, discovering, and reporting data. Designed for biomedical data first. (via Mozilla Science Lab)
  4. Project ILIAD — crowdsourced antibiotic discovery.
Comment: 1 |
Four short links: 20 November 2013

Four short links: 20 November 2013

Disruption, Telepresence, Drone Mapping, and TV Malware

  1. Innovation and the Coming Shape of Social Transformation (Techonomy) — great interview with Tim O’Reilly and Max Levchin. in electronics and in our devices, we’re getting more and more a sense of how to fix things, where they break. And yet as a culture, what we have chosen to do is to make those devices more disposable, not last forever. And why do you think it will be different with people? To me one of the real risks is, yes, we get this technology of life extension, and it’s reserved for a very few, very rich people, and everybody else becomes more disposable.
  2. Attending a Conference via a Telepresence Robot (IEEE) — interesting idea, and I look forward to giving it a try. The mark of success for the idea, alas, is two bots facing each other having a conversation.
  3. Drone Imagery for OpenStreetMap — 100 acres of 4cm/pixel imagery, in less than an hour.
  4. LG Smart TV Phones Home with Shows and Played Files — welcome to the Internet of Manufacturer Malware.
Comment: 1 |
Four short links: 13 November 2013

Four short links: 13 November 2013

ISS Malware, Computational Creativity, Happy Birthday Go, Built Environment for Surveillance

  1. ISS Enjoys Malware — Kaspersky reveals ISS had XP malware infestation before they shifted to Linux. The Gravity movie would have had more registry editing sessions if the producers had cared about FACTUAL ACCURACY.
  2. Big Data Approach to Computational Creativity (Arxiv) — although the “results” are a little weak (methodology for assessing creativity not described, and this sadly subjective line “professional chefs at various hotels, restaurants, and culinary schools have indicated that the system helps them explore new vistas in food”), the process and mechanism are fantastic. Bayesian surprise, crowdsourced tagged recipes, dictionaries of volatile compounds, and more. (via MIT Technology Review)
  3. Go at 4 — recapping four years of Go language growth.
  4. Las Vegas Street Lights to Record Conversations (Daily Mail) — The wireless, LED lighting, computer-operated lights are not only capable of illuminating streets, they can also play music, interact with pedestrians and are equipped with video screens, which can display police alerts, weather alerts and traffic information. The high tech lights can also stream live video of activity in the surrounding area. Technology vendor is Intellistreets. LV says, Right now our intention is not to have any cameras or recording devices. Love that “right now”. Can’t wait for malware to infest it.
Comment |
Four short links: 6 November 2013

Four short links: 6 November 2013

Warrant Canary, Polluted Statistics, Dollars for Deathbots, and Protocol Madness

  1. Apple Transparency Report (PDF) — contains a warrant canary, the statement Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge an order if served on us which will of course be removed if one of the secret orders is received. Bravo, Apple, for implementing a clever hack to route around excessive secrecy. (via Boing Boing)
  2. You’re Probably Polluting Your Statistics More Than You Think — it is insanely easy to find phantom correlations in random data without obviously being foolish. Anyone who thinks it’s possible to draw truthful conclusions from data analysis without really learning statistics needs to read this. (via Stijn Debrouwere)
  3. CyPhy Funded (Quartz) — the second act of iRobot co-founder Helen Greiner, maker of the famed Roomba robot vacuum cleaner. She terrified ETech long ago—the audience were expecting Roomba cuteness and got a keynote about military deathbots. It would appear she’s still in the deathbot niche, not so much with the cute. Remember this when you build your OpenCV-powered recoil-resistant load-bearing-hoverbot and think it’ll only ever be used for the intended purpose of launching fertiliser pellets into third world hemp farms.
  4. User-Agent String History — a light-hearted illustration of why the formal semantic value of free-text fields is driven to zero in the face of actual use.
Comments: 3 |