Archive for October, 2014

Oct 21 2014

Posting other places

Published by under Blogging

I’ve been blogging for some other sources lately. It’s interesting to be creating articles for someone other than myself, because I put more thought into it and spend more time trying to organize my thoughts and outline the article before I put virtual pen to paper. I’m writing for IBM’s Security Intelligence blog (they’re an Akamai partner) and InfoSecurity Magazine regularly and contributing to other venues as opportunity comes up and time allows. Blog posts, articles, webinars, presentations, or just shooting the breeze about security, I do it all.

  • Don’t Track My Children – Title’s pretty self-explanatory.  I don’t want my children to be subject to constant tracking and observation just to go to school.
  • How to Present Security Topics to a Non-security Audience – I wrote this after I had the privilege of presenting at a Cloud event in Prague last month.
  • Why is “Security Intelligence” so Hard – Marketing teams call their products ‘security intelligence’, but the reality is most of the products barely rise to the level of information, let alone intelligence.  It’s a pet peeve and I feed it often.
  • Heartbleed and Shellshock: The New Norm in Vulnerabilities – I’ve been talking to a lot of my co-workers lately and we all expect there to be more vulnerabilities of this level in the near future.  On the other hand, I’ve gotten feedback from people basically stating this isn’t anything new, it’s just that the latest vulnerabilities have better PR and logos.  You have to love logos.
  • Setting a Dangerous Precedent: It’s Foreign – Wherein I posit that the US and UK governments are setting a dangerous standard by saying it’s okay for them to hack foreign computers in pursuit of criminals, because it lets other governments do the same.

More coming, but I thought I’d give you a wrap of my recent posts, just in case you missed them.  Am I my own link bait?


Oct 14 2014

Wake up to a POODLE puddle

TL;DR – Disable SSL immediately.

As of this morning SSL appears to be dead, or at least dying. The POODLE vulnerability in SSL was disclosed last night; it reveals a flaw in the way SSL v3 uses ciphers that lets an attacker mount a plaintext-recovery attack against the encrypted traffic. This makes it the third major vulnerability released on the Internet this year, and it is another warning that this level of vulnerability discovery may be the new shape of things to come.

I’m not going to try to explain POODLE in detail, or give you a nice logo for it.  Instead I’ll just point to the better articles on the subject, a couple of which just happen to be written by my teammates at Akamai.  I’ll add more as I find them, but this should tell you everything you need to know for now.

Update: It’s estimated that SSLv3 accounts for between 1% and 3% of all Internet traffic.
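Since the advice here is to get SSLv3 switched off, the following is an added defender-side check (example code, not part of the original post): it parses a captured ServerHello record and reports which servers are still settling on SSL 3.0. The hostnames and the records are constructed for the example; `make_server_hello` exists only to build those samples.

```python
import struct

HANDSHAKE = 0x16      # TLS/SSL record content type for handshake messages
SERVER_HELLO = 0x02   # handshake message type
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def negotiated_version(record: bytes) -> str:
    """Return the protocol version a server committed to in its ServerHello.

    The record header also carries a version, but the value inside the
    ServerHello body is the one the server actually selected, so that is
    what we report.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _maj, _min, length = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    # body layout: type(1) length(3) version(2) random(32) session_id_len(1) ...
    if len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    major, minor = body[4], body[5]
    return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")


def hosts_still_on_sslv3(captures: dict) -> list:
    """Given {host: ServerHello record}, list the hosts whose server picked SSLv3."""
    return sorted(h for h, rec in captures.items() if negotiated_version(rec) == "SSLv3")


def make_server_hello(major: int, minor: int, cipher: bytes = b"\x00\x2f") -> bytes:
    """Build a minimal, constructed ServerHello record for testing (not a real capture)."""
    payload = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + cipher + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BBBH", HANDSHAKE, major, minor, len(handshake)) + handshake


# Constructed sample: one legacy host still answering with SSL 3.0, two on TLS.
SAMPLE_CAPTURES = {
    "legacy.example": make_server_hello(3, 0),
    "modern.example": make_server_hello(3, 3),
    "middling.example": make_server_hello(3, 1),
}

if __name__ == "__main__":
    for host, rec in SAMPLE_CAPTURES.items():
        print(f"{host}: {negotiated_version(rec)}")
    print("still negotiating SSLv3:", hosts_still_on_sslv3(SAMPLE_CAPTURES))
```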

And since there’s not an official logo for it yet, I present …. The Rabid Poodle!

Rabid Poodle


Oct 05 2014

Understanding Apple’s new encryption model

I understand enough about encryption to get myself in trouble, but not much more.  I can talk about it intelligently in most cases, but when we get down to the nitty gritty, bit by bit discussion of how encryption works, I want to have someone who’s really an expert explain it to me.  Which is why I’m glad that Matthew Green sat down to explain Apple’s claims of new encryption that they can’t open for law enforcement in great detail.

The Too Long; Didn’t Read (I often forget what tl;dr means) version of it is that there is a unique ID hidden deep in the hardware encryption chips on your phone that software doesn’t have access to. This UID is made part of your encryption key through complex algorithms; it can’t be pulled out locally or remotely, and it makes for a strong encryption key that protects your encrypted data. Do keep in mind that not all of the interesting data on your phone is encrypted; there are still nooks and crannies that can be looked at by someone with physical access to the phone. Keep in mind too that in many cases the most interesting stuff about your phone isn’t what’s on it; it’s the list of who you’ve called, where you’ve been and the like that they can get from the carrier. That metadata is often at least as important as what’s on your phone, and much easier to get without ever having to even see your phone.

I’m personally very glad that Apple (and Android as well) have begun encrypting phones by default. Yes, police need the ability to get into phones and see what people have been doing on them, but the last two years have shown that this ability has been abused for quite some time. Various governmental officials in the US have decried the move, saying they need the ability to catch pedophiles and terrorists. Yet so far the count of cases where the information needed to catch anyone from either of those categories couldn’t be gotten by other means is still in the single digits. At the same time the number of lawsuits against police in the US for abusing their ability to get into phones numbers in the hundreds. Do the math and figure out for yourself if it’s worth law enforcement having easy access.

We’ll be seeing more organizations of all types moving to encryption, partially to protect users and partially to defend themselves from the negative publicity that being open to the police brings. There will be a number of missteps, of poor encryption methodology, and cases where people realize they can’t just get their backup from the cloud because they used serious encryption and lost the key. There will be growing pains, and there will be examples of guilty people escaping because law enforcement doesn’t have easy access to phone data. But we need strong encryption to protect the privacy of average citizens who’ve done nothing more than catch the attention of the wrong person at the wrong time as well. Our privacy is much more delicate and deserving of protection than many in power believe it is.
