Post Tagged with: "conferences"

Heartbleed For Poets And Other Must-Reads

April 10, 2014 18:380 comments
The (nerdy) Heartbleed SSL vulnerability story has jumped into the mainstream led to lots of rumination about the proper short and long term response.

It’s H-Day + 2 – two full days since we learned that one of the pillars of online security, OpenSSL, has contained a gaping security hole for the past two years that rendered its protections illusory. As I wrote over on Veracode’s blog today: this one hurts. It exposes private encryption keys, allowing encrypted SSL sessions to be revealed. Trend Micro data suggests around 5% of one million Internet top-level domains are vulnerable.  IOActive notes that Heartbleed also appears to leave data such as user sessions subject to hijacking, exposes encrypted search queries and leaves passwords used to access online services subject to snooping, provided the service hasn’t updated their OpenSSL instance to the latest version. In fact, its safe to bet that the ramifications of Heartbleed will continue to be felt for months – even years to come. In the meantime, there is a lot of interesting coverage and […]

Read more ›

Vint Cerf: CS Changes Needed To Address IoT Security, Privacy

April 2, 2014 16:140 comments
Cerf said that the advent of the Internet of Things poses a real challenge to the field of computer science. Namely: how to secure IoT devices. (Photo courtesy of Google.)

The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google’s Internet Evangelist. Cerf, speaking in a public Google Hangout on Wednesday, said that he’s tremendously excited about the possibilities of an Internet of billions of connected objects, but said that securing the data stored on those devices and exchanged between them represents a challenge to the field of computer science – and one that the nation’s universities need to start addressing. “I’m very excited,” Cerf said, in response to a question from host Leo Laporte. He cited the Philips HUE lightbulb as an example of a cool IoT application. “So you’re going to be able to manage quite a wide range of appliances at home , at work and in your car. Eventually, that will include things you’re […]

Read more ›

Web to Wheels: Tesla Password Insecurity Exposes Cars, Drivers

March 31, 2014 15:430 comments
Web to Wheels: Tesla Password Insecurity Exposes Cars, Drivers

We’ve interviewed security researcher Nitesh Dhanjani before. In the last year, he’s done some eye-opening investigations into consumer products like the Philips HUE smart lightbulbs. We did a podcast with Nitesh in December where we talked more generally about security and the Internet of Things. Now Dhanjani is in the news again with research on one of the most high-profile connected devices in the world: Tesla’s super-smart electric cars. In a presentation at Black Hat Asia on Friday, he  released findings of some research on the Tesla Model S that suggests the cars have a weakness common to many Web based applications: a weak authentication scheme. (A PDF version of the report is here.) Specifically: Tesla’s sophisticated cars rely on a decidedly unsophisticated security scheme: a six-character PIN. Dhanjani’s research discovered a variety of potentially exploitable holes that would give even an unsophisticated attacker a good chance at breaking into […]

Read more ›

Perverse Security Incentives Abound In Mobile App Space

March 24, 2014 12:510 comments
Perverse Security Incentives Abound In Mobile App Space

Security problems abound in the mobile device space – and many of them have been well documented here and elsewhere. While mobile operating systems like Android and iOS are generally more secure than their desktop predecessors, mobile applications have become a major source of woe for mobile device owners and platform vendors. To date, many of the mobile malware outbreaks have come by way of loosely monitored mobile application stores (mostly in Eastern Europe and Russia). More recently, malicious mobile ad networks have also become a way to pull powerful mobile devices into botnets and other malicious online schemes. But my guests on the latest Security Ledger podcast point out that mobile application threats are poised to affect much more than just mobile phone owners. Jon Oberheide, the CTO of DUO Security and Zach Lanier, a researcher at DUO, note that mobile OS platforms like Android are making the leap […]

Read more ›

Internet of Things and the Enterprise (InfoGraphic)

March 18, 2014 16:420 comments
Internet of Things and the Enterprise (InfoGraphic)

I’m a big fan of infographics – at least when they’re well done and present insightful facts. That’s why I’m always on the lookout for good ones – especially when the subject is The Internet of Things. So I was interested to come across the latest contribution from IoT firm Xively (part of the company LogMeIn), which pulls together some factoids on IoT’s potential in the enterprise. Among the interesting statistics gussied up in this one: an Economist Intelligence Unit data point saying that 95 % of C-level executives expect their company to be using the Internet of Things in three years time, while 74% of them predicting that it will play a ‘major role’ in their business in that time. That’s kind of astounding when you consider it: executives saying ‘Here is this new kind of technology that we barely use now. But in three years, it will be […]

Read more ›

Is Analog The Answer To Cyber Terrorism?

March 17, 2014 09:405 comments
Ralph Langner, an expert on the security of industrial control systems, suggests that the critical infrastructure sector might consider the use of analogue systems as a backstop to cyber attacks on ICS software. (Image courtesy of the Library of Congress).

Ralph Langner is one of the foremost experts on the security of critical infrastructure that we have. So, generally, when Ralph says something – whether its about Stuxnet, or cyberwar or the security of nuclear power plants – folks listen. And these days, Ralph is wondering, out loud, whether our reliance on digital systems to manage critical infrastructure has gone too far. The answer, he suggests, may be to go “back to the future,” as it were: reintroducing analog systems into the control process chain as a backstop for cyber attacks. Case in point: the Department of Homeland Security’s ICS-CERT warned on Friday that firmware for Siemens SIMATIC S7-1500 CPUs (Central Processing Units) contain nine vulnerabilities that could enable attacks such as cross site request forgery, cross site scripting and URL redirection. (Siemens has issued a firmware update that patches the holes.) Langner is among the world’s foremost experts on […]

Read more ›

Google Readies SDK For Wearable Tech

March 10, 2014 11:070 comments
Google Readies SDK For Wearable Tech

Google will soon release a software development kit (SDK) for adapting its Android mobile operating system to wearable technology such as smart watches, according to statements by Sundar Pichai, Google’s Senior Vice President of Android, Chrome and Apps.   Pichai was speaking over the weekend at the South by Southwest (SXSW) festival in Austin, Texas. He said that the SDK for wearables will be available sometime in the next two weeks and is intended to help flesh out the company’s vision for how wearable technology should work. The news was first reported here by The Guardian. Wearables are just another “platform” on which small, powerful sensors will be deployed, he said. “Sensors can be small and powerful, and gather a lot of information that can be useful for users. We want to build the right APIs for this world of sensors,” he is quoted saying. [Read more Security Ledger coverage […]

Read more ›

RSA Perspective: Outrage With A Side Of Salsa

March 7, 2014 14:280 comments
RSA Perspective: Outrage With A Side Of Salsa

Let the record show that one of the most dramatic expressions of discontent over rampant government surveillance of U.S. citizens and private companies during last week’s RSA Conference in San Francisco went down at a taco joint. As the world’s cyber security elite gathered in San Francisco’s Moscone Center for the RSA Security Conference, a group of privacy and online rights activists that go by the name “Vegas 2.0” used donated funds to rent out Chevy’s, a popular Mexican food restaurant located next to the exhibit halls and frequented by conference goers. As reported by ZDNet’s Violet Blue, paying RSA attendees and speakers – identifiable by red badges – were refused entry to Chevy’s and handed flyers explaining the protestors’ grievances against the Conference’s parent company, RSA Security, which is alleged to have colluded with the NSA to weaken encryption standards in its products. Among those reported to have been […]

Read more ›

Cisco Pledges $300k For Next Big Thing In Internet of Things Security

March 3, 2014 09:080 comments
Cisco Pledges $300k For Next Big Thing In Internet of Things Security

Most folks are still trying to figure out what “security” in the context of “The Internet of Things” actually means. But that didn’t stop Cisco Systems from throwing down a challenge to the tech sector: develop security solutions that address problems specific to The Internet of Things and win a cash prize.   In a blog post, Chris Young, a Senior Vice President in Cisco’s Security Group, announced The Internet of Things Security Grand Challenge, saying the contest would offer “visionaries, innovators, and implementers…the opportunity to define a future of a secure IoT,” and pledging up to $300,000 in prizes and awards up to $75,000 for six winners. Cisco has set its sights on the emerging “Internet of Things” in a big way – leveraging its deep roots as a networking infrastructure provider to carriers and enterprises, and ancillary businesses such as set top boxes and low-cost networking equipment for […]

Read more ›

Security and The Internet of Things: An RSA Roadmap

February 21, 2014 13:520 comments
Interested in learning about security as it applies to the Internet of Things? Here's a roadmap to sessions at next week's RSA Conference in San Francisco.

The RSA Security Conference starts next week in San Francisco: the central event of a week-long orgy of IT security wheeling and dealing in the Bay Area. Though its roots are as a small and clubby gathering of cryptographers, RSA long ago stopped being that, and started resembling a kind of speed dating event for technology and IT security firms. Sure – there are plenty of interesting talks at RSA, but the important work takes place in private suites of adjoining hotels and chance encounters in the halls of the Moscone. If there’s a big IT security deal in the offing – like IBM’s $1 billion acquisition of Trusteer, or FireEye’s purchase of the firm Mandiant – chances are good that the conversation started at RSA. Long and short: RSA is a snapshot of the security industry at a particular place and time. As such, it tends to be a […]

Read more ›

Security Ledger Uses: