Posts Tagged ‘Encryption’

IOS8 Security – Apple take the high road?

September 26, 2014

Jonathan Zdziarski posted an interesting blog last week detailing some of the changes in iOS designed to improve security and rein in accessibility of data in the new iOS 8 release.

Historically, it’s been possible for legitimate law enforcement groups to pressure Apple into unlocking devices. Much like the data requests sent to ISPs about your browsing and network habits, Apple (and Google et al.) were able to unlock “confiscated” devices so detectives could search them for incriminating evidence.

iOS 8 makes that somewhat harder and puts Apple (and Google) squarely against what law enforcement and governments want.

Two Gulf States to Ban some BlackBerry Functions..

August 2, 2010

Following on from a failed state-wide “hack” of the BlackBerry system, where the state-controlled telco Etisalat tried to distribute a “performance enhancing patch” to BlackBerry users (which turned out to be a state-controlled back door program), the United Arab Emirates is threatening to block e-mail sending and IM delivery on BlackBerrys, and Saudi Arabia is threatening to block BlackBerry-to-BlackBerry IM.

According to BBC News:

Both nations are unhappy that they are unable to monitor such communications via the handsets. This is because the Blackberry handsets automatically send the encrypted data to computer servers outside the two countries.

CSO Executive Seminar Series on Data Protection and Encryption…

March 10, 2010

Just a reminder that tomorrow I will be speaking at the CSO Executive Seminar at the Hilton, Tysons Corner, VA – http://public.cxo.com/conferences/index.html?conferenceID=64. The topic will be “5 practical steps for data protection”. I don’t expect it to be a McAfee sales push; I’ll be talking about technologies in general.

If you’re a reader of my blog(s) please come and say hello.

Is Encryption enough? Why just encrypting data doesn’t solve today’s information security concerns.

September 3, 2009

“But if it’s encrypted, why do I need to login?” the customer across the desk asks me with incredulity.

I realise that I’m about to get into a discussion which borders on the theological and raises passion in security and business leaders alike. It is a discussion that I’ve had many times over the last two years, and will have many more times in the near future.

“Because, without authentication, there’s no point to encryption,” I reply, knowing full well that this isn’t an answer that’s wanted, or understood.

With a stifled sigh I start to explain…

10 Things you don’t want to know about Bitlocker…

August 28, 2009

Nov 2015 Update – It seems BitLocker without pre-boot authentication has been trivially insecure for some time, according to Synopsys researcher Ian Haken, who found a simple way to change the Windows password and thus gain access to data even while BitLocker was active.

So, with the forthcoming release of Windows 7, the ugly beast known as “BitLocker” has reared its head again.

For those of you who were around during the original release of BitLocker, or “Secure Startup” as it was known then, you’ll remember that it was meant to completely eliminate the need for third-party security software. Yes, BitLocker was going to secure our machines against all forms of attack and make sure we never lost data again.

What happened?

TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited..

August 4, 2009

This week’s flame war between TrueCrypt and Peter Kleissner had me both upset and laughing at the same time.

For a start, hats off to young Peter (18 years old according to his site), who recently presented at Black Hat his concept for a “universal rootkit” exploit which, using the older-than-he-is technique of MBR replacement, subverts Windows in such a way as to drop a payload into memory as the computer boots.

I’m not sure, but isn’t that what MBR viruses have done since day one? I guess Peter agrees, because his new “Stoned Bootkit” rootkit is named “Stoned” in homage to one of the original MBR viruses of 1987.

iPhone 3GS and BlackBerry (In)securities..

July 27, 2009

This week’s (potential) major fail goes to Apple for the iPhone 3GS security. As reported by Wired and others, it seems the new 3GS encryption touted by Apple in their “iPhone Security Overview” isn’t so secure after all.

The official description of the new feature sounds pretty good:

iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.

But this excellent second video demonstration by Jonathan Zdziarski shows plainly that there could be something very flawed about it.

AES-256 and Reputational Risk

July 21, 2009

I came across this excellent article while looking for something else. Dr O’Connor succinctly sums up the idea of “impossible” and “more impossible” when talking about the relative key lengths of encryption algorithms.

Reputational risk is something that everyone understands, particularly businesses who regard their brand as one of their most critical assets. There is considerable trust in the security of AES-256, both in the public and commercial sectors. Reputational risk to AES-256 has a very high impact, and we therefore hope, a very low likelihood of occurrence.

Changes to PII and PCI regulations in Nevada

This week Linda McGlasson talked on BankInfoSecurity about some changes to Nevada’s data protection stance. Nevada’s laws are no less complex than those of other states, but interestingly they have a few which, when combined, give a tighter than usual position.

The interesting legislation is CHAPTER 603A – SECURITY OF PERSONAL INFORMATION, which deals with the regulation of business practices. This law puts state teeth behind the PCI regulations, backing things which the payment card industry requires as part of PCI compliance with state-driven criminal and financial penalties.

Are we really too dumb to handle protected data?

Following on from my posts on how identity / personal data theft protection should be considered a personal goal of everyone carrying around such information, I thought I’d solicit your opinions – are we really too dumb to handle password-protected information?