Posts

Showing posts from January, 2010

Cracking encrypted VOIP?

Taken at face value, a claim to have cracked voice encryption programs in minutes sounds pretty melodramatic, when in fact it appears the hacker has merely intercepted the 'plaintext' (plainvoice? Plainaudio? Plaingab?) en route to/from the encryption software at the client end, using a Trojan. The same kind of trick would probably work against most encryption systems unless they physically and logically secure the plaintext streams.

Cryptography in the dock

As if to mark the release of our latest security awareness module on cryptography *, Stephen Murdoch and Ross Anderson of Cambridge University have released a highly critical report into the security of the Verified by Visa and MasterCard SecureCode authentication systems. True to one of the central messages in the awareness materials, their main complaints revolve not around the cryptography, per se, but rather the implementation. It seems the banks, credit card companies, merchants and service providers have failed to pay sufficient attention to the poor human beings who use the system. Human factors significantly weaken a design that probably looks great on paper. * Not so, of course, it was purely a coincidence.

ISO27k application security standard

An ISO/IEC 27000-series multi-part standard on application security is 'in the works'. I'm currently reviewing the second Committee Draft of ISO/IEC 27034-1 "Information technology — Security techniques — Application Security — Part 1: Overview and concepts", which lays out the basic concepts and principles for the other parts of 27034 to elaborate upon. Despite this overview part being around 78 pages in length, Part 1 states explicitly that 27034 is not a software application development standard, an application project management standard, nor a software development cycle standard. Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas. The standard explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance, it defines application security not as the state of security...

Making money from the Haitian quake

I can barely believe the cheek of this email that plopped into my inbox today:

HELP HAITI LONDON 13 Liverpool Road, Islington, London, N1 0RW Dear.Friend On Tuesday, a catastrophic earthquake struck near Port-au-Prince almost the whole of Haiti. The full extent of the damage is still being assessed, but the death toll -- already in the thousands -- is climbing fast. This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti. Haiti is racing to confront the enormous devastation -- and the OFA community can help. Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere. we have directed this means of contact individuals to respond with a swift, coordinated, and aggressive effort to save lives....

Privacy/security awareness

A report from Government Technology caught my eye this morning: CSI Computer Crime and Security Survey Shows Poor Security Awareness Training in Public and Private Sectors. "Mmmm, looks interesting" I thought, especially when I saw this: "But respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. A whopping 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate. "I think that's too bad it is that way, but consider that you could cut half of the losses simply by taking care of that problem," Richardson said. Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well." So, les...

Secure software development

In connection with this month's NoticeBored awareness materials on the security aspects of software development, I've been listening to a podcast by Ralph Hood and Kim Howell (two Microsofties) about how both privacy and wider information security issues are integrated into Microsoft's development practices. From a non-US perspective, the very idea that privacy and security are "opposite sides of the same coin" seems a little weird. For most of the rest of the world, privacy has long been acknowledged as a subset of information security, being essentially the confidentiality of information about specific individuals. But, as host Julia Allen mentions in the podcast, the US is still shifting away from the idea that it's perfectly OK to collect all sorts of personal information from people and use it as you wish. One of the interesting approaches discussed in the podcast is that personal information needed purely for aggregation or statistical purposes should ...