Black Hat Briefings have been going on all this week, with the expected announcements of vulnerabilities, tools, and other fun. I refuse to go to Vegas for health reasons, so I often miss out on Black Hat and Defcon. But this week, the one announcement that has me interested is that SMS messages are being used to unlock cars and start them – specifically the Subaru Outback. They also demonstrated that car unlocking isn’t the only capability that SMS messages have. Pretty much anything that uses the GSM network for communication may be vulnerable – electric meters, traffic lights, GPS-tracking, etc. With more and more devices being “always connected”, I suspect we’ll see more problems. And these are the kinds[…]

The UCLA Health System was just fined $865,000 for HIPAA violations. That probably sounds like an awful lot, but in truth it isn’t. It’s awfully difficult to find exact figures on regulatory fines – companies tend to be rather tight-lipped on the subject, after all. But on the scale of companies and business fines, and knowing that companies in general, and hospitals in particular, are generally good at cushioning themselves against such damage, it’s just not that much. Also, HIPAA is considered something of a paper tiger. Although HIPAA was passed in 1996, there weren’t any fines issued until 2006. While there have been quite a few fines and even criminal prosecutions since then, and the UCLA fine is the[…]

Disclaimer: I am *not* a mathematician. I just happened to take a Number Theory class from an awesome professor (Dr Blakley) at Texas A&M. When I took Dr Blakley’s Math 673 class, I was in over my head at first (and probably still would be if I hadn’t seen the applications of the topics in his class since taking his class). Unfortunately, I graduated and didn’t get to take the second part of the course, which friends told me was just as good as the first part. We learned about polynomial math, and at the time, I had no clue what it could be used for…. Then a friend linked me to this awesome stick figure explanation of AES. Once[…]

If you haven’t heard already about the PlayStation Network compromise, you should pay attention if you have a PS3 and use PSN. Your PSN online ID, name, address and birthdate have all been compromised, and (potentially) your secret questions, and credit card numbers. What I don’t understand is why Sony can’t definitively tell us that the secret questions and answers or the credit card numbers have been stolen? PCI rules require strict controls over the CC information, and the PAN (CC number) must be stored *unreadable* Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches: • One-way hashes based on strong cryptography • Truncation[…]

While the software industry continues to make strides in the area of security and data protection, the hardware industry shouldn’t be underestimated. With the announcement of storage devices like Toshiba’s MK-61GSYG hard disk drives, it may only be a matter of time before we see even more creative security features for hardware (due, in part, to industry-wide adoption of standards). Toshiba’s harddrive comes with some interesting security tricks, including the ability to configure the disk to erase itself when connected to an unauthorized host, and the ability for the drive to self-encrypt without relying on the host computer’s operating system for cryptographic operations. Most of the features are drawn from the standards found in the Opal Security Subsystem Class (SSC)[…]

Many papers and online explanations of security protocols are dense and quite complicated. And sometimes even security professionals don’t understand the explanations. When I first started at CMU, there was a class called “Internet Security”. I went to the first lecture and promptly dropped the class. I understood practical security – but this class focused on theoretical security. In the first class, we were given the “security language” of Kerberos. At the time, I had barely used Kerberos as part of the CMU computer systems, and certainly didn’t understand it – and didn’t realize that that’s what the class was about, until several years later. Now, I finally understand more, and really wish I hadn’t dropped that class. However, there[…]