Tuesday, December 16, 2014
Talk: Common crypto mistakes in Android
Date Tuesday, December 16, 2014 Time 11:00 AM
Speaker Isaac Potoczny-Jones
If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code, and they all look pretty similar. They definitely input a String and output gibberish that looks like encrypted text, but they are often incorrect. Crypto is tricky: it’s hard to tell that the gibberish that’s being printed is not good crypto, and it’s hard to tell that the code example you picked up from Stack Overflow has serious flaws.
The problem here is that sites like Google and Stack Overflow rank results based on popularity, but the correctness of crypto isn’t something we can vote about. It’s not a popularity contest. To use it correctly, you have to understand the properties of the algorithm and the security goals of your code. Maybe the bad crypto someone pasted up on the Internet was acceptable for their needs, but there’s a good chance it’s completely unacceptable for yours.
In this talk, we’ll discuss the use of a very common crypto algorithm, AES, and show how code examples on the Internet usually make serious mistakes in how they use AES libraries. What are the consequences of these mistakes and what are more reasonable defaults. We’ll also talk a bit about our simple Android library that tries to do AES right.
More information on the Tozny blog.
Monday, December 1, 2014
Encrypting strings in Android: Let's make better mistakes
If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code, and they all look pretty similar. They definitely input a String and output gibberish that looks like encrypted text, but they are often incorrect. Crypto is tricky: it’s hard to tell that the gibberish that’s being printed is not good crypto, and it’s hard to tell that the code example you picked up from Stack Overflow has serious flaws.
Read more on the Tozny blog, watch Isaac's talk on this topic and check out the Github repo for the AES library.
Friday, November 28, 2014
Godaddy's SSL certs don't work in Java - the right solution
Chrome and other browsers are phasing out SSL certificates that are implemented using the weak SHA-1 hash. As a result, SSL certificate authorities, like GoDaddy are also phasing out SHA-1 in favor of SHA-2. GoDaddy is one of the largest providers, at about 13% of all SSL certificates.
This means that GoDaddy had to switch to their SHA-2 root certificate and get it installed in all the major browsers, OSs, and other important clients. For some reason, it wasn’t installed in some versions of Oracle’s Java 7 or 8. This has caused some problem for Java clients.
This means that GoDaddy had to switch to their SHA-2 root certificate and get it installed in all the major browsers, OSs, and other important clients. For some reason, it wasn’t installed in some versions of Oracle’s Java 7 or 8. This has caused some problem for Java clients.
Monday, November 10, 2014
Blaming users for security incidents is counterproductive
The Associated Press has done some important research into the cause of cybersecurity incidents in the federal government. Unfortunately, they come to the wrong conclusion. They document the huge rise in security incidents, and then add:
"And [federal] employees are to blame for at least half of the problems."Specifically, not because the employees are the hackers, but because
"They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information."This is counterproductive. It blames end users for problems that the security community should be taking accountability for.
Tuesday, September 30, 2014
Shellshock: Making sense of the question, “Am I vulnerable?”
It seems like such a simple question, “Am I vulnerable to Shellshock,” but it’s surprisingly complicated. Lots of Internet forums suggest pasting some magic code into your command line. If the code outputs “Vulnerable” then you need to upgrade. Unfortunately, it’s not that easy.
There’s an ongoing dance among security researchers, OS venders, the Bash authors, and attackers. Here’s what we know today (read more at the Tozny blog).
There’s an ongoing dance among security researchers, OS venders, the Bash authors, and attackers. Here’s what we know today (read more at the Tozny blog).
Wednesday, August 20, 2014
A Guide To Insider Threats
Insider attacks are particularly difficult to defend against. Insiders have internal knowledge of the network, and often know a system’s vulnerabilities. Even if they don’t violate security policies, they can perform authorized actions in a malicious way.
Tuesday, May 20, 2014
Quote for the Oregonian: Feds accuse Chinese of stealing SolarWorld's data
I was recently quoted in The Oregonian for an article about industrial espionage.
Isaac Potoczny-Jones, a computer security expert with Galois Inc. in Portland, said spearphishing is a "rudimentary but extremely effective" hack. Unlike garden-variety spam promising millions in Nigerian lotto proceeds, sophisticated spear phishers make their emails appear legitimate, often with a familiar name in the sender box.
"It's a very asymmetrical problem," Potoczny-Jones said. "Those defending against cyber attacks have to get thousands of lines of code just right. Attackers have to find just one flaw."
Isaac Potoczny-Jones, a computer security expert with Galois Inc. in Portland, said spearphishing is a "rudimentary but extremely effective" hack. Unlike garden-variety spam promising millions in Nigerian lotto proceeds, sophisticated spear phishers make their emails appear legitimate, often with a familiar name in the sender box.
"It's a very asymmetrical problem," Potoczny-Jones said. "Those defending against cyber attacks have to get thousands of lines of code just right. Attackers have to find just one flaw."
Wednesday, April 9, 2014
Quote for Portland Business Journal: Heartbleed
I was recently quoted in the Portland Business Journal in an article about the HeartBleed vulnerability.
"The issue in cybersecurity
in particular is the defenders have to defend all the points of entry
and every line of code and the bad guys just have to find one flaw. When
you implement methods to eliminate classes of problems that is helpful,
this is a well known type of problem that has been around for a long
time." -Isaac Potoczny-Jones
Heartbleed: A great time to think about incident response
Heartbleed is the nickname of a dangerous OpenSSL vulnerability that was just announced. A security update was already available before the announcement, and this is definitely a vulnerability where quickly patching makes a big difference. A fast response matters here because malware wasn’t in the wild yet, so many sites likely can prevent any negative consequences with quick action.
The necessity for rapid response to vulnerabilities illustrates why you should have an incident response procedure in place. An incident response procedure allows for a measured, planned response to a security incident like this one. In this blog post, we’ll walk you through the basics of putting together an incident response plan, mostly based on NIST’s incident response process.
Friday, February 7, 2014
Talk: Reinvent Law NYC - How passwords impact the legal profession
Isaac recently spoke at ReInvent Law NYC at The Great Hall, Cooper Union. A brief article and Twitter discussion on LXBN.
Cybersecurity has never been a more pressing concern for companies with troves of sensitive data. Law firms, especially, have been identified as needing to step their game up on this front because they are a supposed "weak link" for hackers. Isaac Potoczny-Jones of Galois explains why the password problem is going to keep getting worse.
Cybersecurity has never been a more pressing concern for companies with troves of sensitive data. Law firms, especially, have been identified as needing to step their game up on this front because they are a supposed "weak link" for hackers. Isaac Potoczny-Jones of Galois explains why the password problem is going to keep getting worse.
Subscribe to:
Posts (Atom)