While it’s certainly not definitive, and it doesn’t walk you through using each and every tool, Edwards has a good high-level overview piece that is worth reading.
Categories
Tag: Security
Categories
Guide to Hardening iOS 5
The Australian Department of Defence, Intelligence and Security division, has produced a particularly good walkthrough for hardening the iOS environment (.pdf). I’d recommend it to the curious and for system administrators who are interested in evaluating/contrasting their own iOS deployments.
Bruce Schneier, talking about the social and economic threats to the Internet’s infrastructure
Brian Snow, the (now) ex Technical Director of the NSA’s Information Assurance Directorate, speaking on Cybersecurity. Actual talk begins at 2:10.
Categories
Grope & Pillage
Visualizing TSA costs and ‘benefits’ since 9/11
A group of my colleagues and I are always on the hunt for affordable, easy-to-use, secure drive encryption tools that can be deployed to non-technically savvy individuals. The most recent piece of software we’ve come across is LaCie’s Public-Private encryption which, as far as I can tell, is a pretty front-end for TrueCrypt.
I’ve reached out to the company in the hopes of learning what, if anything, they’ve done in making TrueCrypt a tiny bit easier for people to use. TrueCrypt is one of the more secure means of protecting data. LaCie’s software itself is free – available here – and runs on any USB drive, so you can use the software without having to purchase anything from the company. The only deficit that I’ve come across thus far is that you can only create 4GB partitions; this means that if you want to encrypt everything on an 8GB drive then you’ll need to establish two separate partitions.
I’ll be updating this site once/if I hear back from the company.
Categories
Less Than Impressed With 1Password
First, the good news: 1Password has released a new version of their product on iOS. The company outlines a whole pile of reasons for supposedly delaying security upgrades – some of which include the updates will slow the speed at which users can access their encrypted data – but fail to identify what I suspect is a key motive behind the upgrade. If you recall, I wrote a while ago about key failures in mobile password managers. 1Password was amongst those who had flawed security implementations.
To be clear: security, especially good security, is damn hard to engineer. 1Password didn’t have the gaping flaw that others did – i.e. storing passwords in plaintext!! – but it was flawed. In the security community this (ideally) is resolved when someone critiques your secured infrastructure. In today’s world you should also credit the security researcher(s) who identified the flaw.
Unfortunately, this isn’t what 1Password has done. As far as I can tell, there is no formal recognition from the company that they have had flaws in their mobile security model pointed out by a third-party. This is a shame, given that a key factor that builds genuine trust in security is transparency. It seems like 1Password is willing to address problems – they’re not dwelling in a security by obscurity paradigm, to be sure! – but not credit others with finding those problems in the first place.
Update: My very, very bad. I missed an earlier piece from 1Password, where they note the research. That is available here. It would have been ideal to see a reference to this in their update but, admittedly, credit had previously been given.
For years, researchers have warned that the systems that run critical infrastructure have systemic and serious code-based vulnerabilities. Unfortunately, governments have tended to use such warnings as a platform to raise ‘cyber-warfare’ arguments. Many such arguments are thinly-disguised efforts to assert more substantive government surveillance and control over citizens’ rights and expressions of freedom. Few of these arguments genuinely address the concerns researchers raise.
In the face of governmental lacklustre efforts to secure infrastructure, researchers have disclosed critical vulnerabilities in many of the systems responsible for manufacturing facilities, water and waste management plants, oil and gas refineries and pipelines, and chemical production plants. What’s incredibly depressing is this:
The exploits take advantage of the fact that the Modicon Quantum PLC doesn’t require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC—essentially trusting any computer that can talk to the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a “stop” command to halt the system from operating.
These kinds of ‘attacks’ or ‘exploits’ are possible because the most basic security precautions are not integrated into the logic controllers running such infrastructure. On the one hand this makes sense: many PLCs and the infrastructure they are embedded in were created and deployed prior to ‘the Internet’ being what it is today. On the other, however, one has to ask: if the money spent on security theatre at airports had been invested in hardening actual PLCs and other infrastructure, where would critical infrastructure security be today?
We recently learned that the Australian government had blocked Huawei from tendering contracts for Australia’s National Broadband Network. The government defended their position, stating that:
As such, and as a strategic and significant government investment, we have a responsibility to do our utmost to protect its integrity and that of the information carried on it.
Of note, internally Huawei had been a preferred choice but the company was ostensibly blocked for political/security, rather than economic, reasons. This decision isn’t terribly surprising given that American, Australian, and United Kingdom national intelligence and security agencies have all come out against using Huawei equipment in key government-used networks. The rationale is that, even were a forensic code audit possible (and likely wouldn’t be, on grounds that we’re talking millions of lines of code) it wouldn’t be possible to perform such an audit on each and every update. In effect, knowing that a product is secure now isn’t a guarantee that the product will remain secure tomorrow after receiving a routine service update. The concern is that Huawei could, as a Chinese company, be compelled by the Chinese government to include such a vulnerability in an update. Many in the security community suspect that such vulnerabilities have already been seeded.
Does this mean that security is necessarily the real reason for the ‘national security card’ being played in Australia? No, of course not. It’s equally possible that calling national security:
- let’s the government work with a company that it already has ties with and wants to support;
- is the result of the government being enticed – either domestically or from foreign sources – to prefer a non-Huawei alternative;
- permits purchases of a non-Huawei equipment from vendors that are preferred for political reasons; perhaps buying Chinese goods just wouldn’t be seen as a popular move for the government of the day.
Moreover, simply because Australia isn’t tendering contracts from Huawei doesn’t suggest that whatever equipment is purchased will be any more secure. In theory, were Cisco equipment used to power the National Broadband Network then the American government could similarly compel Cisco to add vulnerabilities into routers.
In part, what this comes down to is who do you trust to spy on you? If you see the Americans as more friendly and/or less likely to involve themselves closely in your matters of state, then perhaps American companies are preferred over your economic and geographical next-door neighbours.
I should note, just in closing, that Huawei has contracts with most (though not quite all) of Canada’s largest mobile and wireline Internet companies. Having spoken with high-level governmental officials about security concerns surrounding Huawei’s equipment there seems to be a total lack of concern: just because GCHQ, NSA, and ASIO have publicly raised concerns about the company’s equipment doesn’t seem to raise any alarm bells or worries with our highest government officials.
A quick TEDx talk about the inherent (in)security of the software-driven devices that are increasingly embedded throughout our lives.
Excited Pixels 