On 26 September I am giving a talk titled “Fraud Management: facing the online banking challenge through real-time Big Data management”, in collaboration with HP, at the Banking Summit 2013 in Milan.
Category Archives: Security
On Trust and Security
For a few months now we have been reading and discussing the Snowden documents. Most of the information in these NSA documents is not new, since we have discussed the possibility of similar facts at length on many occasions. For example, years ago the modifications the NSA introduced in the DES cryptographic algorithm initially raised suspicions: were they backdoors or algorithm improvements? (In that case they later turned out to be improvements.)
The real difference is that now we know that our worst suspicions in many recent cases were correct.
So what can or should we do? This is a very interesting and hard question, since the main issue in my opinion is that we are mostly dealing with the possible introduction of backdoors in hardware and software, for example to weaken cryptographic algorithms. As ordinary users, even technically savvy ones, we personally have neither the competence nor the resources to verify that all the hardware and software we use, from mobile phones to supercomputers, is free of backdoors. So we have to trust third parties, in particular hardware and software makers, that hardware, operating systems, applications, libraries (in particular cryptographic libraries) etc. have no hidden functionality or backdoors.
This is not new: we trust car, train and airplane makers with our lives, so should we also trust hardware and software makers with our information, or not?
Is our trust in today’s ICT companies well-founded?
Honeypot for ICS/SCADA Systems
The idea of connecting an Industrial Control System (ICS/SCADA) to the internet certainly makes anyone who has the slightest idea of what could happen tremble. So the Trend Micro initiative to build a honeypot dedicated to scans and attacks against ICS/SCADA devices connected directly to the internet is very welcome.
The results collected by the honeypot can be read here, and they are frightening. Just think of what could happen to power plants, water plants etc. if they were (and in too many cases they already are) connected to the internet, or more simply to the small household objects that increasingly offer the possibility of being controlled over the internet from an app on our smartphone.
Vulnerability Statistics
Secunia has released its Vulnerability Review 2013 (a short summary is here), from which it emerges that the great majority of the vulnerabilities that afflicted Microsoft systems in 2012 originated in third-party applications such as Flash, Acrobat, Java etc.
The numbers cited by Secunia are probably correct, but what matters is the conclusion one draws from them. Obviously the presence of vulnerabilities in any application is a shortcoming, but what personally worries me most is that an operating system, whose main purpose by definition is to manage hardware and software resources, and therefore applications too, can be subverted not because of an internal vulnerability of its own but because of a vulnerability in an application.
More Trouble for SSL/TLS
Besides CRIME, BEAST and Lucky13, two new attacks on SSL/TLS have just been announced. One attack exploits weaknesses in the RC4 cipher, which is used by most websites, Gmail among them; many cryptographers had suspected this possibility for a long time, and now a way to exploit it has been found. The second attack, called TIME, is a new timing attack, in part a refinement of CRIME.
As of today neither attack is practical, but they could become real threats in the future. Notice that many websites adopted RC4 mostly to withstand BEAST attacks. Now that Lucky13 and this new attack aim at RC4, it is not clear what to do in practice.
Of course, we should seriously consider what to do with SSL/TLS, and even more so with the CA model, but it will take a long time and I do not see enough motivation or incentive among the big internet players to change the current situation.
You can find a summary description of these new attacks, for example, in this article by Ars Technica.
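As an added example (not from the original post), the following Python snippet sorts OpenSSL-style cipher suite names into the families the attacks above target, RC4 stream suites versus CBC suites (BEAST, Lucky13) versus AEAD suites, and checks whether the local OpenSSL build still offers a given family; the sample preference list is constructed, and the family labels and helper names are my own.

```python
import ssl

# Classification by OpenSSL naming convention (RFC names use a different format):
#  - "RC4" in the name                         -> RC4 stream cipher
#  - GCM / CCM / POLY1305 in the name          -> AEAD mode, not CBC
#  - AES / DES / CAMELLIA / SEED / IDEA, with no AEAD tag -> CBC mode
AEAD_TAGS = ("GCM", "CCM", "POLY1305")
CBC_BLOCK_CIPHERS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA")


def classify_cipher(name):
    """Return 'RC4', 'CBC', 'AEAD' or 'other' for one OpenSSL cipher suite name."""
    upper = name.upper()
    if "RC4" in upper:
        return "RC4"
    if any(tag in upper for tag in AEAD_TAGS):
        return "AEAD"
    if any(block in upper for block in CBC_BLOCK_CIPHERS):
        return "CBC"
    return "other"


def audit(names):
    """Group suite names by family; returns {family: sorted list of names}."""
    groups = {"RC4": [], "CBC": [], "AEAD": [], "other": []}
    for name in names:
        groups[classify_cipher(name)].append(name)
    return {family: sorted(suites) for family, suites in groups.items()}


def local_openssl_offers(cipher_string):
    """True if the local OpenSSL build can still select any suite matching cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # raises SSLError when nothing matches
    except ssl.SSLError:
        return False
    return len(ctx.get_ciphers()) > 0


# Constructed sample: a 2013-era server preference list that front-loads RC4 to dodge BEAST.
SAMPLE_2013 = [
    "ECDHE-RSA-RC4-SHA", "RC4-SHA", "RC4-MD5",
    "ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
]

if __name__ == "__main__":
    for family, suites in audit(SAMPLE_2013).items():
        print(f"{family:5s} {suites}")
    print("local OpenSSL still offers RC4:", local_openssl_offers("RC4"))
    print("local OpenSSL offers AES-GCM:", local_openssl_offers("AESGCM"))
```

On a current OpenSSL build the RC4 check normally returns False, which is the quickest way to see that the "RC4 as BEAST workaround" option discussed above is no longer available locally.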
Security Summit in Milan
For those who missed the announcement, the usual edition of the Security Summit will be held in Milan from 12 to 14 March, an event of sure interest to professionals, experts and anyone interested in information security.
On Web Browser Security
This week two news items about web browser security got my attention.
First of all, the CanSecWest Pwn2Own contest ended with a complete debacle for all web browsers (see here for a summary, for example). Only Chrome OS survived untouched. I interpret this more as an indication of the poor security state of web browsers than of the (undeniable) ability of the participants. From the implementation point of view, the security of our web browsers is not great at all, notwithstanding everything that has happened in recent years.
From the strategic point of view, the participants in this ACM panel discussion state very clearly that the security of web browsers is broken by design, which only confirms the very sorry state of affairs we are in. Even more, they claim that there is little if any incentive to improve the situation.
And it is no joke that our daily lives depend more and more on web browsers, from banking to health, work, education etc.
Still on Java, Updates and Security
For unclear reasons the Java saga continues, and there has been more news about updates, patching and security in the last few days. Here are a few items I picked up that may be of interest:
- VMware promises better security and is considering scheduled updates (see the VMware blog)
- Apple updates its own Java version (see here) to the latest version released by Oracle, but too late, since in the meantime it has been widely exploited, including against its own developers, Facebook, Twitter etc. (see for example here and here)
- At the same time it seems that until February 20th nobody (Apple, Facebook etc.) informed iPhoneDevSDK that its site had been compromised and was distributing the malware responsible for the above-mentioned attack (see here for more details).
This last news item leaves me quite puzzled: one of the golden rules in managing a security incident is to notify all the people and organizations involved, so why was iPhoneDevSDK not notified of what was going on?
Bypassing iOS 6.x Passcode Lock
According to JBN, with a sequence of moves it is possible to bypass the iOS 6.x passcode lock, directly access the address book and from there make calls, get emails, SMS, pictures etc.
I am just curious to know whether this is a planned “feature”, a backdoor or just a bug, and in the last case how someone managed to discover it.
The security consequences for iPhone owners whose phones are stolen, lost or just borrowed should be obvious.
Redesigning Operating Systems for a New Security
I have just published on my site a short article titled “Ridisegnare i Sistemi Operativi per una Nuova Sicurezza” (Redesigning Operating Systems for a New Security) on the supposed need to rethink the foundations of operating system security in order to meet the new security functionality requirements of the Cloud and Mobile environments. The article can be downloaded from www.ucci.it.