Archive
Think Like A Spy…
Recently John Sileo spoke at the Department Of Defense’s Joint Family Readiness Conference on the topic of identity protection and theft. As a two time victim of identity theft, John is well placed to speak from the heart about the practical, factual, and emotional aspects of this problem, and though I was not able to attend his presentation the writeup on his presentation is well worth a read.
John advocates a couple of thought processes which I’ll let you read the details of directly from the transcript, but to summarize he encourages us all to “Think Like A Spy” – to question the validity of the request for information at every stage, and with every person. Read more…
Cold Boot Attacks Revisited (again).
Following my recent post on FireWire Attacks, I thought I’d follow up on that other classic Full Disk Encryption exploit, The “Cold Boot Attack”.
Back in February 2008 a group of clever Princeton students published their infamous paper “Lest We Remember: Cold Boot Attacks on Encryption Keys“. Though the retention of data in RAM chips has been known since their invention, and certainly since at least 1978, The “Princeton Paper” reminded us that when you turn a computer off, it does not mean all the data from memory is instantly gone, and of course, if something important remained, like an encryption key, then your computer security might be vulnerable. Read more…
Privacy By Design, Madrid 2009
Privacy By Design
For those interested in the “big picture” of privacy and technology, I’ll be at the PbD conference in Madrid this year, 2nd November, talking about privacy enabling technologies such as data protection, identity protection etc. You can get details about the conference from the PbD website, which is being run just ahead of this years 31st International Conference of Data Protection and Privacy.
Privacy by Design is a concept promoted by Ann Cavoukian, Ph.D, Information & Privacy Commissioner Ontario, Canada which aims to promote the idea of systems and processes built with privacy in mind, rather than retrofitted afterwards. I encourage all readers to browse her site which is quite informative, and gives you perhaps a “bigger picture” view than IT alone.
Firewire Attacks Revisited
For those who follow these kinds of things, you’ll remember that back in 2004 an enterprising group of people (Maximilian Dornseif, Michael Becher, and Christian Klein) gave a series of talks on how to bypass many kinds of computer security using the FireWire ports. This attack, though obvious from reading the specification of the Firewire / i.LINK / IEEE 1394 bus, simply used a computer acting as a “rogue” device to read and modify any memory location on a target PC.
Yes, ANY memory location, and that’s quite supported, even required by the FireWire/iLink specification, which needs direct-memory-access for some devices (like iPODs) to function.
Enterprising people have written attacks that use this “exploit” to get around encryption products, and locked workstations on Mac, Linux and PC.
Is Encryption enough? Why just encrypting data doesn’t solve today’s information security concerns.
“But if it’s encrypted, why do I need to login?” the customer across the desk asks me with incredulity.
I realise that I’m about to get into a discussion which boarders on theological and raises passion in both security and business leaders alike. A discussion that I’ve had many times over the last two years, and will have many more times in the near future.
“Because, without authentication, there’s no point to encryption”. I reply, knowing full well that this isn’t an answer that’s wanted, or understood.
With a stifled sigh I start to explain.. Read more…
10 Things you don’t want to know about Bitlocker…
Nov 2015 Update – It seems bitlocker sans pre-boot has been trivially insecure for some time according to Synopsys hacker Ian Hakan, who found a simple way to change the Windows password and thus allow access to data even while Bitlocker was active.
So, with the forthcoming release of Windows 7, the ugly beast known as “Bitlocker” has reared its head again.
For those of you who were around during the original release of Bitlocker, or as it was known then “Secure Startup”, you’ll remember that it was meant to completely eliminate the necessity for third party security software. Yes, Bitlocker was going to secure our machines against all forms of attack and make sure we never lost data again.
What happened?
Disaster Recovery, WinTech and WinPE
A long while ago, probably back in 2006 I wrote an article about how to add WinTech (the diagnostic and disaster recovery toolkit for the “SafeBoot”, or McAfee Endpoint Encryption for PCs) to a BartPE CD Image. At the time WinPE was only available to system integrators, and not to the likes of you and me. The steps to create custom WinPE CDs were obtuse, thanks mainly to a lack of documentation from Microsoft as to how WinPE worked, and thus many people migrated to the simple and easy BartPE system.I wanted to provide an easy way for people to make these useful bootable recovery CDs Read more…
TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited..
Peter Kieissner
This weeks flame war between TrueCrypt and Peter Kleissner had me both upset and laughing at the same time.
For a start, hats off to young Peter (18 years old according to his site), who recently presented at Black Hat his concept for a “universal rootkit” exploit, which, using that older-than-he-is technology of MBR replacement, manages to subvert Windows in such a way as to be able to drop a payload into memory as the computer boots.
I’m not sure, but isn’t that what MBR viruses have done since day one? I guess Peter agrees because his new “Stoned Bootkit” rootkit is named “Stoned” in homage to one of the original MBR Viruses of 1987 Read more…
iPhone 3GS and BlackBerry (In)securities..
This weeks (potential) major fail goes to Apple for the iPhone 3GS security. As reported by Wired and others, it seems the new 3GS encryption touted by Apple in their “iPhone Security Overview” isn’t so secure after all.
The offical description of the new feature sounds pretty good:
iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.
But this excellent 2nd video demonstration by Jonathan Zdziarski shows plainly that there could be something very flawed about it. Read more…
FSA Fines HSBC Companies $7,500,000 for data security issues
Following on from my recent posts regarding fines and the cost of data leakage (TJX and Cornell), I thought I’d also bring to your attention the latest initiated by the FSA (Financial Services Authority of UK) against HSBC – On 22nd July A tidy penalty of £4,550,000 ($7.5m) for two failures to protect personal information. HSBC will get a nice 30% discount on this for early payment, leaving them with a bill for £3,185,000 ($5.26m) plus their own internal costs.
Who?
 | EVP Cyber Product Innovation for Mastercard. Formally the Chief Technology Officer for Intel Secure Home Gateways, CTO for McAfee Enterprise Endpoint, CTO McAfee Innovation team, and Founder/CTO SafeBoot Corp. |
Simon Says - Musings of a Technology CTO 
Comments