Thursday, July 02, 2015

Can Bitcoin-based Enigma encryption succeed where HE has failed?

Enigma is the brainchild of a couple of Bitcoin entrepreneurs who, together with an MIT Media Lab researcher, have used features from the decentralized Bitcoin network architecture, including an external blockchain, to create what they reckon will be the ultimate peer-to-peer network for storing and running computations on data whilst keeping it completely private at the same time. Enigma will break your data up into tiny chunks and then randomly distribute meaningless bits of those to nodes in the network, where the calculations are performed on each discrete lump before being returned to the user, where they are put back together to form an unencrypted whole again. Obviously there is some maths involved to enable each node to do whatever computational task is required on just that miniature piece of data. Equally obviously, the more nodes there are the quicker the computing is and, importantly, the more secure this thing is as the pieces will be smaller. The Bitcoin blockchain keeps track of who has what and where by way of a metadata store, unforgeable courtesy of being copied to thousands of computers.

GoPro rides into Tour de France 2016 with new security faux pas

Action video camera vendor GoPro has announced that it is riding into the Tour de France with a promotional video to celebrate being named the official camera of the world's largest annual sporting event, with a worldwide television audience of some 4 billion people, but not before the BBC reported how GoPro cameras could be used to spy on their owners. But it gets worse for GoPro, as now Pen Test Partners has also explained in a blog posting how the GoPro Studio editing software was making update requests using an unencrypted HTTP connection, which could enable an attacker on public Wi-Fi to inject a fake, potentially malicious update download instead. "It's fairly easy to add malicious code into pre-existing binaries and therefore we could abuse this to introduce backdoors to the victim whilst also letting them update their GoPro Studio software at the same time," the post warns.

Wednesday, June 24, 2015

Dear Adobe Flash, why won't you DIE, DIE, DIE?

Earlier this month, security outfit FireEye's 'FireEye as a Service' researchers out in Singapore discovered and reported on a phishing campaign that was found to be exploiting a zero-day vulnerability in Adobe Flash Player (CVE-2015-3113). That campaign has been well and truly active for a while now, with attacking emails including links to compromised sites serving up benign content if you are lucky and a malicious version of the Adobe Flash Player complete with the exploit code if you are not. I'm with Brian Krebs who, just the other week, wrote about how he has "spent the better part of the last month running a little experiment to see how much I would miss Adobe's buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much." C'mon folks, be honest now, do you really need Flash, do you really use it and would you really miss it? Let's all do the decent thing and shoot this sick beyond belief monstrosity in the head...

In other news, Dell brings Greek malware into view

A couple of decades ago, in another life, I wrote a little script which would capture keystrokes and then store that data within the 'white space' of an image file. It was pretty crude, but it was also twenty years ago and to be honest nobody was really looking for stuff which was effectively hidden in plain sight that way. That way being the use of something called steganography, from the Greek steganos which means covered and graphie which means writing; so literally covered writing. I used it to good effect during my period as an explorer of networks belonging to other people, most notably when sysadmins would stay at my apartment and log in to their networks in order to do a bit of housekeeping and, unknown to them at the time, give me root. Things have moved on a lot since then, and steganography has become a much more complex tool being deployed by cybercriminals.

Thursday, June 18, 2015

Samsung keyboard vulnerability exposes triple whammy mobile flaw

Researchers at NowSecure have uncovered a vulnerability in the stock keyboard that is pre-installed on 600 million Samsung mobile devices, including the new Galaxy S6, that can apparently enable a remote arbitrary code execution attack. According to the researcher Ryan Welton, the SwiftKey IME keyboard update mechanism can be manipulated by a remote attacker capable of controlling user network traffic, and can then execute code as a privileged system user on the target phone. As far as we can tell, the threat itself only actually applies to users of Samsung mobile devices which run a stock keyboard version of the SwiftKey keyboard, rather than the app which is available for download from the Apple or Google Play stores (this appears to be confirmed by the developers). Which begs the question, if the standalone download is secure what went wrong with the Samsung IME keyboard development process?

Why I'm NOT changing my LastPass master password

The news that LastPass network security has been compromised is, of course, a serious issue. That the company being breached was one that provides a password-management service ratchets up the seriousness by a notch – or ten. So why am I, someone who has built a career on writing about IT security, not pulling my hair out about it? Well, beyond the fact that I have none to tug at, the LastPass “breach” isn’t as big a deal for some of us as it is for others.

Event log management: stop security threats by turning your data to detective

Log management is, without a doubt, one of the most boring subjects to set before even the most hardcore of IT admins. Seriously, just the mention of analyzing event logs is enough to send a geek to sleep. Unless, that is, the geek happens to understand that these logs have the power if not always to stop a potential security breach before it starts then certainly to stop it before it succeeds. Think of log management and the alerting capabilities that come attached as being the Agatha Christie of the server room, or perhaps more appropriately the Hercule Poirot: this is where data turns detective!