While the software industry continues to make strides in the area of security and data protection, the hardware industry shouldn’t be underestimated. With the announcement of storage devices like Toshiba’s MK-61GSYG hard disk drives, it may only be a matter of time before we see even more creative security features for hardware (due, in part, to industry-wide adoption of standards). Toshiba’s harddrive comes with some interesting security tricks, including the ability to configure the disk to erase itself when connected to an unauthorized host, and the ability for the drive to self-encrypt without relying on the host computer’s operating system for cryptographic operations. Most of the features are drawn from the standards found in the Opal Security Subsystem Class (SSC)[…]
Category: Uncategorized
Many papers and online explanations of security protocols are dense and quite complicated. And sometimes even security professionals don’t understand the explanations. When I first started at CMU, there was a class called “Internet Security”. I went to the first lecture and promptly dropped the class. I understood practical security – but this class focused on theoretical security. In the first class, we were given the “security language” of Kerberos. At the time, I had barely used Kerberos as part of the CMU computer systems, and certainly didn’t understand it – and didn’t realize that that’s what the class was about, until several years later. Now, I finally understand more, and really wish I hadn’t dropped that class. However, there[…]
Open Authorization (OAuth), the authorization standard centered around the granting of permissions and the exchange of access tokens, has slowly gained more widespread use as a result of its adoption as an API authorization system for large web services (Google, Facebook, and Twitter all embrace some version of OAuth). Although OAuth version 2.0 probably won’t look much different from 1.0a to end users (if they even notice), most improvements seem to be aligned with the needs of a rapidly-expanding apps market. This is not a bad thing. When implemented correctly, OAuth can certainly improve security. Naturally, there would be an interest in simplifying things for both users and developers. But this simplification comes partially from the lack of signatures (used[…]
If you’re interested in online security, you’ve probably heard about HBGary. If you haven’t, here’s a brief rundown with a few links: A security firm, HBGary (or, more accurately, HBGary’s subsidiary HBGary Federal) announced that they had discovered the names of some of the supposed ringleaders of the “hacktivist” organization Anonymous. This “angered the hive” and – rather than the generally low-risk and unsophisticated DDOS attacks for which Anonymous is better known – Anonymous used a combination of social engineering, SQL Exploits, and password cracking to compromise one of HBGary’s servers. They leveraged that to get into multiple servers, ultimately gaining access to HBGary’s email and no few internal documents – including business plans and proposals to potential clients. Anonymous[…]
Back in August, my colleague Tim Donaworth posted about security threats in Android. Smartphone malware and smartphone botnets are buzz phases right now, but when speaking about my research in the field I am often asked, “Will this sort of attack actually happen outside of a lab?” The answer is not only will it, it already has, and is going on as we speak. Earlier this week Symantec blogged about a malicious Android application found carrying out the exact sort of attack Tim warned about in his post. In short, there was a legitimate application called Steamy Windows that fogged up your screen and asked for reasonable permissions when installed. There was also a malicious version of Steamy Windows that[…]
Your own users, with no malice, regularly compromise security every day. Odds are, they train new hires to do the same thing. Why are they undermining your work?