Recently, a thread about a security problem
in a piece of open source software got a lot of attention. There was a
vulnerability report, a defensive developer, persistent security folks,
and of course sideline comments taking one side or the other. This
discussion perfectly illustrates why it can be hard to have a civil
discussion about security, and why even with the best of intentions and
with skilled developers, security problems can persist in a software
system.
Read More at the Galois Blog
Welcome to the Future
Isaac Potoczny-Jones
Friday, November 11, 2011
Tuesday, October 4, 2011
Passwords are past their prime
Passwords are past their prime. Users are buried under the weight of too
many passwords, and most of us constantly struggle with these password
conundrums: Simple passwords are easy to guess, but complex passwords
are hard to remember. Writing passwords down means not having to
remember them, but it also means they might get stolen. Reusing one
password across accounts means that if any one of those accounts has a
password database spill, all of them are compromised.
Animate Login replaces passwords with mobile phones, and replaces typing a password with scanning a barcode on that phone. The phone uses a two-dimensional barcode to link the user's browser session to the physical presence of the user, then uses the phone's own Internet connection to send a long, complex shared secret to the web site to prove that the user is who he or she claims to be.
Read More on G+
Tuesday, August 23, 2011
Cloud Security Risk Agreements for Small Businesses
Cloud computing can be particularly beneficial to small businesses since
it can decrease the total cost of ownership for IT systems.
Unfortunately, one of the major barriers to adoption of cloud services
is the perception that they are inherently less secure, exposing the
organization to unacceptable risk. There are standard processes for
managing security risk that can help businesses make trade-off
decisions, but these processes currently cannot be applied to cloud
computing since the security details of cloud services are not typically
available to small businesses. This lack of information leads to a lack
of trust: small businesses cannot evaluate the security of cloud
services. This paper proposes an approach for cooperation between cloud
vendors and small businesses based on the NIST Risk Management
Framework. Security Risk Agreements would address the lack of trust so
that small businesses can confidently adopt cloud services, benefiting
both small businesses and cloud vendors.
HTML and PDF versions at Galois.com.
Wednesday, January 5, 2011
Quick authentication using mobile devices and QR Codes
In this blog post, we propose an authentication scheme using QR codes
and Internet-connected smart phones to allow a user to quickly sign into
a web site without having to memorize or type in a username and
password. The user only has to prove that they are in possession of
their mobile phone. We've developed a demonstration app and web site for this approach which you can try if you have an Android smartphone. Or you can watch the video demonstration. We have also started work on a draft REST protocol, and welcome feedback.
Read More at the Galois Blog.
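The two QR-code login posts above describe the same flow: the site renders a one-time barcode that ties a browser session to a nonce, the phone scans it, and the phone answers over its own Internet connection so that possession of the phone, not a typed password, is what the site checks. The following is an added example of that exchange, written for this page; it is not Animate Login's code, the Galois demonstration app, or the draft REST protocol. All names (`LoginServer`, `Phone`, `example.test`, the `s`/`n` query parameters) are assumptions. One deliberate departure: where the post says the phone sends the shared secret itself, this version has the phone send an HMAC over the barcode contents, so the secret never leaves the device.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SITE_HOST = "example.test"  # assumed site; the phone refuses barcodes for any other host


def proof(secret, session, nonce):
    # HMAC over the barcode contents: proves possession of the secret without sending it.
    return hmac.new(secret, f"{session}\n{nonce}".encode(), hashlib.sha256).hexdigest()


class LoginServer:
    """Web site side (hypothetical): issues one-time barcode payloads, checks the phone's proof."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.devices = {}   # device_id -> (user, shared secret), set up at enrollment
        self.pending = {}   # session -> {"nonce", "created", "user"}

    def enroll(self, user, device_id):
        # A long random secret shared with the phone out of band (assumed enrollment step).
        secret = secrets.token_bytes(32)
        self.devices[device_id] = (user, secret)
        return secret

    def new_login_qr(self, now):
        # The browser asks to log in; the site binds a fresh session to a fresh nonce
        # and renders this URL as a 2-D barcode for the phone to scan.
        session = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(24)
        self.pending[session] = {"nonce": nonce, "created": now, "user": None}
        return f"https://{SITE_HOST}/qr?" + urlencode({"s": session, "n": nonce})

    def verify(self, device_id, session, tag_hex, now):
        # Reached over the phone's own Internet connection, not through the browser.
        entry = self.pending.get(session)
        if entry is None or entry["user"] is not None:
            return False                      # unknown, consumed, or already approved
        if now - entry["created"] > self.ttl:
            del self.pending[session]
            return False                      # stale barcode
        if device_id not in self.devices:
            return False
        user, secret = self.devices[device_id]
        if not hmac.compare_digest(proof(secret, session, entry["nonce"]), tag_hex):
            return False                      # wrong secret
        entry["user"] = user
        return True

    def poll(self, session):
        # The browser polls; once the phone has approved, the session is consumed
        # and the site would set its login cookie for the returned user.
        entry = self.pending.get(session)
        if entry is None or entry["user"] is None:
            return None
        del self.pending[session]
        return entry["user"]


class Phone:
    """Phone side (hypothetical): scans the barcode, answers with a proof of the shared secret."""

    def __init__(self, device_id, secret):
        self.device_id = device_id
        self.secret = secret

    def scan_and_approve(self, qr_payload):
        parts = urlsplit(qr_payload)
        if parts.hostname != SITE_HOST:
            return None                       # barcode is not for the site this secret belongs to
        q = parse_qs(parts.query)
        session, nonce = q["s"][0], q["n"][0]
        return self.device_id, session, proof(self.secret, session, nonce)


def run_demo():
    # Constructed walkthrough with a fixed clock so the run is deterministic.
    server = LoginServer(ttl_seconds=60)
    phone = Phone("phone-1", server.enroll("alice", "phone-1"))
    t0 = 1_000_000

    qr = server.new_login_qr(now=t0)                       # browser shows this barcode
    session = parse_qs(urlsplit(qr).query)["s"][0]
    before = server.poll(session)                          # nothing approved yet
    ok = server.verify(*phone.scan_and_approve(qr), now=t0 + 5)
    user = server.poll(session)                            # browser poll completes, session consumed
    replay = server.verify(*phone.scan_and_approve(qr), now=t0 + 6)

    impostor = Phone("phone-1", secrets.token_bytes(32))   # right device id, wrong secret
    wrong = server.verify(*impostor.scan_and_approve(server.new_login_qr(now=t0)), now=t0 + 5)
    late = server.verify(*phone.scan_and_approve(server.new_login_qr(now=t0)), now=t0 + 61)
    foreign = phone.scan_and_approve("https://evil.test/qr?s=x&n=y")

    return {"before": before, "ok": ok, "user": user, "replay": replay,
            "wrong_secret": wrong, "expired": late, "foreign_rejected": foreign is None}
```

The checks a practitioner would want are the ones exercised in `run_demo`: the session is single use, the barcode expires, a proof under the wrong secret fails, and the phone refuses a barcode that names another host. The last check matters because the phone binds its approval to whatever session the barcode carries and has no other view of which browser is asking, so the phone's UI should also tell the user what they are approving.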
Saturday, October 16, 2010
The amazing Stuxnet worm
Information about the Stuxnet worm has been bouncing around for a few
weeks, but more analysis has come out recently that points to how
amazing the worm is. I'll provide some choice quotes from two great summaries.
Schneier says:
... What Stuxnet looks for is a particular model of Programmable
Logic Controller (PLC) made by Siemens. These are small embedded
industrial control systems that run all sorts of automated
processes: on factory floors, in chemical plants, in oil refineries,
at pipelines--and, yes, in nuclear power plants.
...
In addition to the multiple vulnerabilities that it exploits, it
installs its own driver into Windows. These have to be signed, of
course, but Stuxnet used a stolen legitimate certificate.
Interestingly, the stolen certificate was revoked on July 16, and a
Stuxnet variant with a different stolen certificate was discovered
on July 17.
...
Stuxnet has two ways to update itself. It checks back to two control
servers, one in Malaysia and the other in Denmark, but also uses a
peer-to-peer update system: When two Stuxnet infections encounter
each other, they compare versions and make sure they both have the
most recent one.
...
We don't know who wrote Stuxnet. We don't know why. We don't know
what the target is, or if Stuxnet reached it. But you can see why
there is so much speculation that it was created by a government.
...
Stuxnet was expensive to create. Estimates are that it took 8 to 10
people six months to write.
...
Additionally, [4] zero-day exploits are valuable. They're hard to
find, and they can only be used once.
...
...maybe one of the pieces of the message is "we have so many
resources that we can burn four or five man-years of effort and four
zero-day vulnerabilities just for the fun of it." If that message
were for me, I'd be impressed.
Symantec says:
Stuxnet represents the first of many milestones in malicious code
history – it is the first to exploit four 0-day vulnerabilities,
compromise two digital certificates, and inject code into industrial
control systems and hide the code from the operator.
...
The real-world implications of Stuxnet are beyond any threat we have
seen in the past. Despite the exciting challenge in reverse
engineering Stuxnet and understanding its purpose, Stuxnet is the
type of threat we hope to never see again.