Security researchers at IO Active have tested 40 iOS-based banking apps from 60 banks around the world and the results are not reassuring. All apps could be installed on a jailbroken iOS device, 90 percent used also some non SSL links, roughly half of them lacked some security feature or left sensitive information non protected and easily readable.
We have a long way to go before mobile platforms will become safe to use for any use.
The Hubble Tarantula Treasury Project has just released some amazing pictures (see here and here with more technical details) of the Tarantula Nebula with more than 800.000 baby and young stars. Worth a look.
Happy New Year, and we start the new year with a very old bug which really amazes me.
This (see here for some explanation) is a bug introduced on May 10th, 1991 in X11 (now also Xorg), the graphics environment of any Unix and Unix-like OS. The bug is a buffer overflow which when exploited could give administrator rights (if X11 is running with these rights).
We have seen too many of these bugs and now they are almost history, in the sense that it is so well-known how to avoid them that they should not appear in any program. How is it then possible that in an open-source program, very well-known, very well scrutinized, widely adopted, a bug like this will remain undetected for 22 years?
In line with the previous post, it is of interest, albeit only at the research level and we should not really worry about it right now, the paper published by Adi Shamir, Daniel Genkin and Eran Tromer (download here and here for a comment) in which they describe how they have been able to extract an RSA private key managed by GnuPG 1.4.x (current version is 2.x) by listening to the noises of the PC.
Yes, an acoustic attack on cryptographic private keys seems very unlikely, even if the idea has been discussed for long time. It is very interesting that it has been shown possible in practice, and this means that also other side channel attacks, like listening on the power cord, should be considered seriously at least when your security requirements are really high.
Security is not an easy business, we all should know it quite well. Probably the main issue is that you have to implement security with a comprehensive approach (the term often used is “holistic”). In other words, you have to consider all possible sides of the issues at hand, both technical, procedural and human. And if you forget one side of your problem, then all the rest you did, could add up to nothing. Not easy at all.
And this is what an Harvad kid should be thinking right now (see here for example): he did use Tor and other anonimization tools to send an anonymous threat to his university in order to avoid taking a test, but he used his campus network and did not consider the fact that very few students did use such tools and that the fact of using them would attract attention to himself. So it was not so hard to find him after all.
A couple of interesting news on authentication and passwords:
I have been following at a distance since a few years the development of Quantum Computers. One of the more controversial approaches to Quantum Computing is the one proposed by D-Wave. D-Wave is also the only company which claims to have a specialized version of Quantum Computer ready to sell, and actually they did sell at least one Quantum Computer to a consortium made by Google, NASA, and the Universities Space Research Association.
What it is not yet clear is if it is really a Quantum computer, and even if it is, if it gives any advantages with respect to traditional computers. There are quite some different opinions about this, and this IEEE Spectrum article tries to understand where we stand now.
This is a 1 Million USD settlement in a consumer fraud against the on-line video gaming company E-Sports Entertainment, LLC. On top of its online gaming business, the company found quite profitable to use the customer PCs to mine for Bitcoins and to monitor the customers’ use of the PC even when they were not running the E-Sports’s program.
Recently there have been quite some news about failed large ICT projects, starting from the Obamacare rollout and so on. One of the latest news is that Bridgestone is suing IBM for fraud for $600 Million over a failed IT implementation (see here for details).
We know since at least 20 years that large ICT projects are hard and that quite often they fail, at least as far as they do not deliver what has been agreed at the beginning. (A very easy and often adopted way of guaranteeing that an ICT project is succesful, is to change the its requirements and goals at the end.)
What seems new to me is the fact that the news about these failures are becoming more and more public, probably because they affect more and more people, and that someone is starting to complain, in this case to the point that the customer thinks that there has been a fraud against him.
Actually this trend could help the ICT business in the long run, since it will force us to learn how to manage large ICT projects and implementations and to produce (at last) higher quality ICT software products.
This is really a disturbing news. Renesys has announced that this year there have been many cases of traffic redirection via BGP which look suspicious at the least.
Without entering in details of how BGP works, it suffices to say that BGP is (together with DNS) the hardcore infrastructure protocol which makes the global Internet working. BGP is used to build traffic routes so that the data can flow from one network to another. Each Internet provider (ISP) uses BGP to announce his own networks to the other ISPs and to learn where and through whom to send data to other destinations.
It is well-known that BGP has some weaknesses in particular due to its trusting that every ISP would not try to cheat. Indeed it possible in some particular situations that an ISP could announce the networks of another ISP and manage to receive all traffic for these networks. In this way, it could be possible to divert the traffic and possibly read it (if it is not encrypted) and tampering with it.
From the Renesys blog entry it seems that this has actually happened this year and that those involved claimed that these incidents have been due to “bugs” in some “vendor BGP software” and that there were no malicious intentions. Let’s just hope that this is true and that there will be introduced soon ways to prevent this to happen in the future.
Andrea Pasquinucci 