Articles by: Paul
I'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."

Heartbleed: Technology Monoculture’s Second Act

April 22, 2014 12:150 comments
Dr. Geer argues that Heartbleed suggests ways that Internet security is being undermined by de-facto technology monocultures.

Say ‘technology monoculture’ and most people (who don’t look at you cross-eyed or say ‘God bless you!’) will say “Microsoft” or “Windows” or “Microsoft Windows.” That makes sense. Windows still runs on more than 90% of all desktop systems, long after Redmond’s star is rumored to have dimmed next to that of Apple. Microsoft is the poster child for the dangers and benefits of a monoculture. Hardware makers and application developers have a single platform to write to – consumers have confidence that the software and hardware they buy will “just work” so long as they’re running some version of Windows. The downside, of course, is that the Windows monoculture has also been a boon to bad guys, who can tailor exploits to one operating system or associated application (Office, Internet Explorer) and be confident that 9 of 10 systems their malicious software encounters will at least be running some version of the […]

Read more ›

History Suggests Heartbleed Will Continue To Beat

April 16, 2014 11:120 comments
Heartbleed probably won't ever go away, and is likely to become an endemic problem on the Internet, experts agree.

The SANS Internet Storm Center dialed down the panic on Monday, resetting the Infocon to “Green” and citing the increased awareness of the critical OpenSSL vulnerability known as Heartbleed as the reason.   Still, the drumbeat of news about a serious vulnerability in the OpenSSL encryption software continued this week. Among the large-font headlines: tens of  millions of Android mobile devices running version 4.1 of that mobile operating system (or “Jelly Bean”) use a vulnerable version of the OpenSSL software. Also: more infrastructure and web application players announced patches to address the Heartbleed vulnerability. They include virtualization software vendor VMWare, as well as cloud-based file sharing service Box. If history is any guide: at some point in the next week or two, the drumbeat will soften and, eventually, go silent or nearly so. But that hardly means the Heartbleed problem has gone away. In fact, if Heartbleed follows the same […]

Read more ›

IDS And The IoT: Snort Creator Marty Roesch On Securing The Internet of Things

April 13, 2014 15:580 comments
IDS And The IoT: Snort Creator Marty Roesch On Securing The Internet of Things

Martin Roesch is one of the giants of the security industry: a hacker in the truest sense of the term who, in the late 1990s created a wide range of security tools as a way to teach himself about information security. One of them, the open source SNORT intrusion detection system, turned into one of the mostly widely used and respected security tools in the world. SNORT became the foundation for Sourcefire, the company Marty helped found in 2001. And Sourcefire went on to fantastic success: first as a startup, then as a publicly traded company and, as of October of last year, as part of Cisco Systems, after the networking giant bought Roesch’s company for $2.7 billion. These days, Marty serves as a Vice President and Chief Architect of Cisco’s Security Business Group, where he’s helping shape that company’s strategy for securing the next generation of enterprise (and post-enterprise) networks. […]

Read more ›

Heartbleed For Poets And Other Must-Reads

April 10, 2014 18:380 comments
The (nerdy) Heartbleed SSL vulnerability story has jumped into the mainstream led to lots of rumination about the proper short and long term response.

It’s H-Day + 2 – two full days since we learned that one of the pillars of online security, OpenSSL, has contained a gaping security hole for the past two years that rendered its protections illusory. As I wrote over on Veracode’s blog today: this one hurts. It exposes private encryption keys, allowing encrypted SSL sessions to be revealed. Trend Micro data suggests around 5% of one million Internet top-level domains are vulnerable.  IOActive notes that Heartbleed also appears to leave data such as user sessions subject to hijacking, exposes encrypted search queries and leaves passwords used to access online services subject to snooping, provided the service hasn’t updated their OpenSSL instance to the latest version. In fact, its safe to bet that the ramifications of Heartbleed will continue to be felt for months – even years to come. In the meantime, there is a lot of interesting coverage and […]

Read more ›

The Heartbleed OpenSSL Flaw: What You Need To Know

April 8, 2014 12:370 comments
Codenomicon warned of a widespread flaw in OpenSSL, a commonly used encryption software. (Image courtesy of Codenomicon)

There’s a serious vulnerability in most versions of the OpenSSL technology that requires an immediate update to avoid exposing sensitive information and Internet traffic to snooping. In response, the SANS Internet Storm Center (ISC) has raised its InfoCon (threat) level to “Yellow,” indicating that…well…the Internet’s not as safe a place today as it was yesterday, before the vulnerability was released. Here’s what we know right now: + Researcher Neel Mehta of Google Security discovered the vulnerability, which was apparently introduced with a OpenSSL update in December, 2011, but only fixed with the release of OpenSSL 1.0.1g on Monday. + Dubbed “heartbleed” (thank the Codenomicon marketing department for that one), the vulnerability (CVE-2014-0160) is described as a TLS heartbeat read overrun. TLS stands for Transport Layer Security. According to OpenSSL.org, vulnerable versions of the OpenSSL software have version numbers ranging from 1.0.1 and 1.0.2-beta. + Codenomicon described the vulnerability as an “implementation problem” […]

Read more ›

Vint Cerf: CS Changes Needed To Address IoT Security, Privacy

April 2, 2014 16:140 comments
Cerf said that the advent of the Internet of Things poses a real challenge to the field of computer science. Namely: how to secure IoT devices. (Photo courtesy of Google.)

The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google’s Internet Evangelist. Cerf, speaking in a public Google Hangout on Wednesday, said that he’s tremendously excited about the possibilities of an Internet of billions of connected objects, but said that securing the data stored on those devices and exchanged between them represents a challenge to the field of computer science – and one that the nation’s universities need to start addressing. “I’m very excited,” Cerf said, in response to a question from host Leo Laporte. He cited the Philips HUE lightbulb as an example of a cool IoT application. “So you’re going to be able to manage quite a wide range of appliances at home , at work and in your car. Eventually, that will include things you’re […]

Read more ›

Web to Wheels: Tesla Password Insecurity Exposes Cars, Drivers

March 31, 2014 15:430 comments
Web to Wheels: Tesla Password Insecurity Exposes Cars, Drivers

We’ve interviewed security researcher Nitesh Dhanjani before. In the last year, he’s done some eye-opening investigations into consumer products like the Philips HUE smart lightbulbs. We did a podcast with Nitesh in December where we talked more generally about security and the Internet of Things. Now Dhanjani is in the news again with research on one of the most high-profile connected devices in the world: Tesla’s super-smart electric cars. In a presentation at Black Hat Asia on Friday, he  released findings of some research on the Tesla Model S that suggests the cars have a weakness common to many Web based applications: a weak authentication scheme. (A PDF version of the report is here.) Specifically: Tesla’s sophisticated cars rely on a decidedly unsophisticated security scheme: a six-character PIN. Dhanjani’s research discovered a variety of potentially exploitable holes that would give even an unsophisticated attacker a good chance at breaking into […]

Read more ›

Analysis Finds Blurry Lines Between Rovio, Advertisers

March 28, 2014 15:520 comments
Analysis Finds Blurry Lines Between Rovio, Advertisers

Rovio, the maker of the massively popular Angry Birds, makes no secret about collecting personal data from those who download and play its games. But an analysis from the advanced threat detection firm FireEye is helping to expose the extend of data harvesting, and also to sketch out the blurry line that separates Rovio and third-party advertising networks it contracts with. In a blog post on Thursday, FireEye analysts Jimmy Suo and Tao Wei described the findings of an investigation into the interaction between Rovio’s mobile applications, including the latest version of Angry Birds, and third party ad networks such as Jumptap and Millenial Media. Using FireEye’s Mobile Threat Prevention (MTP), the two gathered and analyzed network packet capture (PCap) information and analyzed the workings of Angry Birds and its communications with third-party ad networks. The two were able to reveal a multi-stage information sharing operation, tracking code paths from the reverse-engineered […]

Read more ›

Cisco To Invest $1B Building Secure Cloud For Internet Of Things

March 25, 2014 18:350 comments
Cisco says its Intercloud service will add scale and security to IoT applications. (Image courtesy of Cisco.)

Cisco Systems announced that it will invest more than $1 billion building what it calls an “Intercloud” – a network of cloud platforms that will support a variety of new business applications, including those supporting connected devices that are part of the Internet of Things. The company said on Monday that the new initiative will greatly expand its cloud business over the next two years and provide APIs (application program interfaces) that will allow application developers to rapidly create new products suitable for use in the enterprise or by resellers and service providers. A range of Cisco’s existing partners have committed to deliver products or services for Cisco’s Intercloud Cloud Services including the Australian firm Telstra, Allstream, a Canadian communications provider and Ingram Micro Inc.a major technology wholesaler. Services provider SunGard Availability Services and Integralis have signed on, as has the IT consulting firm Wipro Ltd. “Together, we have the […]

Read more ›

Perverse Security Incentives Abound In Mobile App Space

March 24, 2014 12:510 comments
Perverse Security Incentives Abound In Mobile App Space

Security problems abound in the mobile device space – and many of them have been well documented here and elsewhere. While mobile operating systems like Android and iOS are generally more secure than their desktop predecessors, mobile applications have become a major source of woe for mobile device owners and platform vendors. To date, many of the mobile malware outbreaks have come by way of loosely monitored mobile application stores (mostly in Eastern Europe and Russia). More recently, malicious mobile ad networks have also become a way to pull powerful mobile devices into botnets and other malicious online schemes. But my guests on the latest Security Ledger podcast point out that mobile application threats are poised to affect much more than just mobile phone owners. Jon Oberheide, the CTO of DUO Security and Zach Lanier, a researcher at DUO, note that mobile OS platforms like Android are making the leap […]

Read more ›

Security Ledger Uses: