Categories
Writing

Another Playbook UI Fail

Over the past years, one of the things I’ve spent an inordinate amount of time researching and writing about has been security certificates and data transport security. This is just to say: I spend time in security and know more than a lot of non-technical people.

I have no clue what the fuck this message in the Kobo application for the BlackBerry PlayBook is doing here.

To be specific: I opened the app in a wifi-dead area that was dead in the middle of nowhere. There was no cell service. I checked with packet sniffing applications on my computer; there were no ad hoc or other wireless networks. This kind of a warning indicates that some third party was trying to intercept encrypted messaging traffic that was destined to Kobo’s servers but gives no indication of how or why this certificate problem was raised. In effect, it’s a warning “shit’s gone bad, son!” without saying “because X just happened!”

Security – on all devices – should be transparent to the user. The warning above (which I’ve seen in other PlayBook apps) is useless to the end-user because it gives no guidance as to what just happened, how to address it, or even how to learn more about the issue. While I commend RIM for making certificate errors so front and centre, presenting highly technical security information to the end-user is garbage unless you also inform them what the hell just happened.

Categories
Links

DiskCrypt turns any laptop storage into a self-encrypted drive

An interesting product:

At CES, Singapore-based ST Electronics was showing off a new security device that can be installed in nearly any notebook computer to protect its data from prying eyes—Digisafe DiskCrypt, a hard-disk enclosure that turns any 1.8-inch micro-SATA device into removable and fully encrypted storage. The enclosure, which is the size of a 2.5″ drive, can be used as a drop-in replacement for existing drives.

 

Before boot, DiskCrypt requires a USB dongle to be plugged in to pass the key, and it can also be optionally configured to require the user to enter a password for two-factor authentication. The hardware can handle up to 150MBps of data throughput, so once it has been activated it’s completely transparent. ST Electronics’ deputy director Jimmy Neo claimed the encryption module has no impact on read/write performance.

All this is pretty standard for a self-encrypted drive. The main advantage of DiskCrypt is that it can be put into nearly any existing notebook. If there’s a drive failure, a need to move from hard disk to SSD—or just swap out the drive—the enclosure can be quickly opened and the storage device popped out. Separated from the encryption enclosure, the drive is practically the same as destroyed.

It will be important to test this against a hostile attacker, or situate it in a hostile general environment. There is a depressing history of encrypted storage solutions along these lines failing when confronted by a serious attacker. While the crypto itself might be secure, a side-channel attack (the most common means of subverting encryption schemes) could compromise the drive.

Categories
Links

Passwords: uniqueness, not complexity

Graham argues that there are three tiers of sites and that you should apply variable password policies to each tier. The key lesson is to have unique passwords across the tiers so that a tier 3 site being hacked doesn’t endanger your tier 1 sites. You probably want unique passwords for each tier 1 site.

At the first tier is your e-mail account. Since a hack of your e-mail account means hackers can reset passwords on all your other accounts, it would be terrible if that password were lost. This should both be very complex, as well as wholly unrelated to any other accounts.

At the second tier are important e-commerce sites, like Amazon.com, NewEgg.com, Apple.com, and so on. The major sites are unlikely to be hacked. You could probably share the same password for all these accounts.

At the third tier are the unimportant accounts, like StratFor, where it wouldn’t be catastrophic if your password were lost. Again, you could choose a third, simple password, like “passwd1234” for all these accounts. It’ll probably get stolen within a year, but who really cares?

While I agree, in part, I still think that a highly complex passphrase (not password) and a strong password daemon like 1Password is probably the best approach for most people. That way you can enjoy strong, unique passwords and generate new ones for each account you open.

Categories
Links

ContraRISK: Bad password advice

contrarisk:

In the December issue of Computer Fraud & Security, an article by Prof Steven Furnell – ‘Assessing password guidance and enforcement on leading websites’ – presents some fascinating original research into the password practices of various leading websites – and also paints a somewhat…

Whenever I read about bad passwords, I’m reminded of XKCD’s comic on password strengths.

 

Categories
Links Writing

Why Mobile Carriers are a Threat to Us All

Paul Thurrott reports that Microsoft is no longer guaranteeing that mobile updates will be delivered to end-users and will no longer give guidance about when/if those updates will come.

I suspect that Microsoft’s actions are the result of carriers not caring one lick about security and actively opposing performance updates to “old” phones. Carriers aren’t themselves affected by security deficiencies that they are largely responsible for prolonging, and if new cool features are automatically provided in a smartphone update then the customer is less likely to rush out and buy a new phone with the same features. Carriers need to be held accountable: if they know there are security updates and refuse to let them go out to customers, then customers’ contracts should be broken with those same carriers. If customers experience actual harms, then the carriers should be legally – and financially – liable.

Microsoft, and the other mobile OS vendors, need to realize that the most important customer base is the people buying phones, not the device manufacturers or carriers. The latter two groups are important, yes, but if Microsoft can’t convince end-customers to pick up their phones and be happy about the choice a few months later then Microsoft is going to turn into an Android-like OS manufacturer. We already have one too many of those.

Categories
Humour

An instance of non-security theatre?

Categories
Links

Side Channel Attack =/ Cracking Encryption

From the article:

BlackBerry messenger is “significantly less encrypted compared to the BlackBerry email that corporations are using,” Leif-Olof Wallin, an analyst at Gartner Inc., based in Sweden, recently told Bloomberg News. “Any kind of cryptographer should be able to crack it without the involvement of (parent company, Waterloo, Ont.-based Research in Motion).”

BBM for consumers is sufficiently encrypted and it isn’t a simple matter for ‘amateur cryptologists’ to easily break it. No: the deficiency with the communications encryption is that RIM uses, and possesses, a common global key to provide transit security to BBM messages. In the case of users that are linked to a BlackBerry Enterprise Server (BES) the BES administrator is responsible for establishing the encryption/decryption keys. As a result, RIM is incapable of breaking the BES infrastructure. It should be noted that, with consumer BBM traffic, the supposed attacker is a transit middle-man and not the government. RIM protects end-users from this – which doesn’t happen with an SMS message – and makes no bones about being there to protect consumers from legitimate (in the sense of legally justified, rather than normatively acceptable) government interceptions.