Patching Archives

Patching

Missing in Action At BlackHat: The PC

June 3, 2013 Paul Roberts

Once the target of choice for hackers of all stripes, personal computers (PC) will be -at most- a side attraction at this year’s annual Black Hat Briefings show in Las Vegas, where presentations on ways to attack mobile devices and other networked “stuff” will take center stage. Just over ten percent of the scheduled talks and turbo talks at The Black Hat Briefings in early August (5 of 47) will be devoted to attacks against what might be considered “traditional” endpoints, like end user systems and servers running Microsoft’s Windows, Apple’s Mac OSX and Linux. By contrast, more than 30% will discuss security flaws and attacks against mobile phones or other “smart” devices including wireless surveillance cameras, home automation systems and smart meters. The dearth of PC-focused talks isn’t a new trend in and of itself. As far back as 2006, talks that explicitly discussed security issues with components of Microsoft’s […]

Monoculture 2.0: Will Android’s Rise Be A Security Nightmare?

May 31, 2013 Paul Roberts

There have been a bunch of interesting articles in recent weeks that highlight the rapid expansion of Google’s Android operating system from phones and tablets to all kinds of intelligent devices. They beg the question: is Android becoming the Microsoft Windows of the fast-emerging “Internet of Things.” And, if so, we might ask: ‘What are the security implications of that?’ First the skinny on Android’s growing dominance of the intelligent device sector. Ashlee Vance over at Businessweek.com delved into that with an article “Behind the Internet of Things is Android – and its everywhere.” Vance makes the point that Android is not only the choice for 75% of the handset makers these days – it’s also become the OS of choice for anyone making anything with a processor and a networking stack. The effect of that is akin to what Microsoft encountered when Windows went from being just another PC […]

Traffic Safety Agency Calls Vehicle Cyber Security Standards

May 17, 2013 Paul Roberts

The U.S. Government’s lead agency for vehicle safety has told Congress that more research into “vehicle cyber security” to address the threats to a coming generation of networked automobiles that connect to the public Internet and to each other. In testimony before Congress on Thursday, David Strickland, the chief Administrator for the National Highway Traffic Safety Administration (NHTSA) told a Senate Committee that the electronics systems are “critical to the functioning” of modern autos, and are becoming increasingly interconnected, leading to “different safety and cyber security risks.” The agency is requesting $2 million in the 2014 budget to research “vehicle electronics and emerging technologies” with an eye to developing requirements for the safety and reliability of vehicle controls. “With electronic systems assuming safety critical roles in nearly all vehicle controls, we are facing the need to develop general requirements for electronic control systems to ensure their reliability and security,” Strickland […]

AppSec And The Ghost In The Supply Chain

May 16, 2013 Paul Roberts

Tomorrow afternoon, Security Ledger, with help from our sponsor Veracode, will record its first video conversation. The show’s name: Talking Code (#talkingcode). The topic: application security, and – in particular – securing the supply chain. Joining me for the discussion will by Chris Wysopal, the co-founder and CTO of Veracode and Joshua Corman, the Director of Security Intelligence at Akamai Inc. Two things: you can send us questions or comments on Twitter. Our discussion will be filmed in studio, not live, but we’ll be tweeting comments live and engaging in realtime via Twitter. Just use the hashtag #talkingcode to pose questions. Say the term “supply chain,” and people immediately think of automobile and electronics manufacturers, who must assemble products from components makers scattered around the globe. These days, however, its not just manufacturers who have to worry about supply chains. Almost every company has a “supply chain” in one form or […]

New Search Engine Wants To Be A Google For Code

May 15, 2013 Paul Roberts

Researchers at The University of Cambridge in the UK have created a Google-like search engine that can peer inside applications, analyzing their underlying code. The search tool, named “Rendezvous,” has applications for a number of problems. It could be used to help reverse engineer potentially malicious files, copyright enforcement or to find evidence of plagiarism within applications, according to a blog post by Ross Anderson, a Professor of Security Engineering at the Laboratory. Rendezvous was unveiled in a seminar on Tuesday by Wei Ming Khoo, a doctoral student in the Security Group working at the University of Cambridge’s Computer Laboratory. The engine, which can be accessed here, allows users to submit an unknown binary, which is decompiled, parsed and compared against a library of code harvested from open source projects across the Internet. Code reuse has become a pressing security issue. The application security firm Veracode has named reused […]