Recent Entries

Encryption Works – Don’t Break It!

Every now and then, an ill-informed politician will stand before a microphone and say something along the lines of: encryption is helping bad guys (terrorists, child pornographers, or some other similarly acceptable target), because law enforcement can’t see what the bad guys are doing when they’re using sophisticated tools that use encryption. Said politician will urge tech companies to “work with us” to help catch these bad guys. This constant demand for encryption backdoors is something that no longer surprises me. It comes from a misunderstanding of what encryption is: it’s not some magic piece of code that can do whatever the programmer wants it to do. It’s a tool that is defined by mathematics: in short, it can only do what the math allows it...
Targeted Attacks: Not All Attacks Need To Be Sophisticated

The security industry loves to talk about how “sophisticated” attacks can be. Usually this takes the form of us saying how advanced and sophisticated an attack is, what new methods were used to hide servers or make analysis harder, et cetera. However, it’s easy to forget that not all attacks need to be technically sophisticated; instead, the sophistication can be in the social engineering used and how the attack is carried out. For example, a few months ago we talked about the Arid Viper campaign, a sophisticated attack that targeted users in Israel. However, that well-organized attack shared some of its attack infrastructure with Advtravel, which was far less sophisticated. Arid Viper was advanced; Advtravel was less so. How could this be the case? Weren’t targeted attacks supposed to be the work...
Defending Critical Systems: Does It Have To Be “Smart”?

Everywhere I go, it seems that “critical” systems are being attacked. Earlier this year people were talking about whether planes could be hacked. We’ve talked about whether smart grids can be hacked, too. Just a week or so ago, LOT Polish Airlines was almost completely grounded by a distributed denial-of-service (DDoS) attack. In many cases, these critical systems turn out to have been built on off-the-shelf open-source software. Almost a decade ago, I said that open-source software was safer. While that’s turned out to be mostly true, more recent issues like Heartbleed and Shellshock have illustrated that open-source software has its own problems, too. Non-technical people may ask: “Why did nobody spot these problems earlier? Are we software developers...
The Internet of Things: Whose Data Is It Anyway?

Everywhere you look, it seems that everything is becoming “smart”. On my wrist, I frequently wear a smart watch that monitors how many steps I take, what my heart rate is, and so on. At home, a smart thermostat can be controlled via an app, or even be programmed based on my own behavior. I can even have a camera that will either let me see who’s at the door, or let me talk to my cats while I’m in the office. All of these devices are generating one thing: data. The smartwatch is keeping track of my health data. The thermostat is keeping track of what’s going on inside my home. The cameras are keeping track of what they see and when they are turned on. A lot of this data is passed on to the providers of these services, which frequently say they are “free”. This may...