On Trust and Security

For a few months now we have been reading and discussing Snowden's documents. Most of the information in these NSA documents is not new, since we had discussed the possibility of similar facts at length on many occasions. For example, years ago the modifications that the NSA introduced into the DES algorithm initially raised suspicions: were they backdoors or improvements? (In that case it later turned out they were improvements: the modified S-boxes hardened DES against differential cryptanalysis, a technique that was not publicly known until many years later.)

The real difference is that now we know that our worst suspicions in many recent cases were correct.

So what can or should we do? This is a very interesting and hard question, since the main issue in my opinion is that we are mostly dealing with the possible introduction of backdoors in hardware and software, for example to weaken cryptographic algorithms. As ordinary users, even technically savvy ones, we personally have neither the competence nor the resources to verify that all the hardware and software we use, from mobile phones to supercomputers, is free of backdoors. So we have to trust third parties, in particular hardware and software makers, that hardware, operating systems, applications, libraries (in particular cryptographic libraries) etc. do not have hidden functionality or backdoors.

This is not new: we trust car, train and airplane makers with our lives, so should we also trust hardware and software makers with our information, or not?

Is our trust in today ICT companies well-founded?

I’m back

After a few months' absence due to personal reasons, I am back to my blog. In the next few days I will catch up with what has happened recently, sharing my comments and ideas.

Honeypot for ICS/SCADA Systems

The idea of connecting an Industrial Control System (ICS/SCADA) to the Internet certainly makes anyone with the slightest idea of what could happen shudder. TrendMicro's initiative to build a honeypot dedicated to scans and attacks against ICS/SCADA devices directly connected to the Internet is therefore very welcome.

The results collected by the honeypot can be read here, and they are frightening. Just think of what could happen to power plants, water utilities etc. if they were (and in too many cases they already are) connected to the Internet, but also, more simply, to the small household objects that increasingly offer the possibility of being controlled over the Internet from an app on our smartphone.

Vulnerability Statistics

Secunia has released its Vulnerability Review 2013 (here is a short summary), from which it emerges that the large majority of the vulnerabilities that afflicted Microsoft systems in 2012 originated in third-party applications such as Flash, Acrobat, Java etc.

The numbers cited by Secunia are probably correct, but what matters is the conclusion one draws from them. Obviously the presence of vulnerabilities in any application is a failing, but what personally worries me most is that an operating system, whose main purpose by definition is to manage hardware and software resources, and therefore applications too, can be subverted not because of a vulnerability of its own but because of a vulnerability in an application.

More Trouble for SSL/TLS

Besides CRIME, BEAST and Lucky13, two new attacks on SSL/TLS have just been announced. The first exploits statistical biases in the keystream of the RC4 cipher, which is used by a large share of websites, Gmail among them; many cryptographers had long suspected that RC4's known biases could be turned against TLS, and now they have shown how. The second, called TIME, is a new timing attack, in part a refinement of CRIME.

As of today, neither attack is practical, but both could become real threats in the future. Note that many websites adopted RC4 mainly to withstand BEAST (and, more recently, Lucky13), both of which target CBC-mode cipher suites. Now that the new attack targets RC4, the remaining alternative, it is not clear what to do in practice.

Of course, we should seriously reconsider what to do with SSL/TLS and, even more, with the CA model, but it will take a long time, and I do not see enough motivation or incentive among the big Internet players to change the current situation.

You can find a summary description of these new attacks, for example, in this article by Ars Technica.
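To make the RC4 attack above concrete, here is an added example (not code from the original post or from the attack's authors) that simulates the "broadcast" setting the attack relies on: the same plaintext, such as a session cookie, is encrypted under many independent random keys, one per TLS connection. It uses the oldest and simplest of RC4's keystream biases, the Mantin-Shamir observation that the second keystream byte is 0 about twice as often as it should be, to recover the second plaintext byte by majority vote. Keys come from a seeded PRNG and the cookie byte is constructed for the example; the session count and the 16-byte key length are assumptions, not parameters taken from the published attack.

```python
import random
from collections import Counter


def rc4_keystream(key, n):
    """First n keystream bytes of RC4 for `key` (textbook KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def broadcast_attack(plaintext_byte, sessions, seed=2013):
    """Broadcast-setting attack on the second byte of an RC4-encrypted message.

    Models `sessions` independent connections that each encrypt the same
    plaintext (e.g. a fixed cookie) under a fresh random 128-bit key.  The
    Mantin-Shamir bias says the second keystream byte Z2 is 0 with probability
    about 2/256 instead of 1/256, so the ciphertext byte C2 = P2 XOR Z2 equals
    P2 about twice as often as any other value: the most frequent C2 is P2.

    Returns (recovered_byte, observed_rate_of_Z2_equal_zero, uniform_rate).
    Keys are drawn from a seeded PRNG so the run is reproducible; this is a
    constructed simulation, not captured traffic.
    """
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(sessions):
        key = bytes(rng.getrandbits(8) for _ in range(16))   # assumed 128-bit key
        z2 = rc4_keystream(key, 2)[1]          # only the second keystream byte is needed
        counts[plaintext_byte ^ z2] += 1
    recovered = counts.most_common(1)[0][0]
    # C2 == plaintext_byte exactly when Z2 == 0, so that count estimates Pr[Z2 = 0].
    return recovered, counts[plaintext_byte] / sessions, 1 / 256


if __name__ == "__main__":
    P2 = ord("A")                              # constructed second byte of the "cookie"
    guess, rate, uniform = broadcast_attack(P2, 20000)
    print(f"recovered 0x{guess:02x} (truth 0x{P2:02x}); "
          f"Pr[Z2=0] ~ {rate:.5f} vs {uniform:.5f} if uniform")
```

With 20,000 simulated sessions the vote is already unambiguous for byte 2. The 2013 attack generalises this idea to all of the first 256 keystream bytes, whose biases are far weaker, which is why it needs on the order of 2^30 sessions carrying the same secret and is not yet practical; note also that no key is recovered, only plaintext, so rotating keys per connection is exactly what the attack expects and does not help.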

More Evidence for the Higgs Boson

At the 2013 Moriond conference, CERN released more data indicating that the particle discovered last year really is a Higgs boson, and that it looks more and more like the Standard Model particle we studied in textbooks; see here for the CERN announcement.

The ATLAS experiment has also published here some very nice animated plots showing how the measured events slowly build up the statistics behind the results mentioned above.

On Web Browser Security

This week two news items about web browser security got my attention.

First of all, the CanSecWest Pwn2Own contest ended with a complete debacle for all web browsers (see here for a summary). Only Chrome OS survived untouched. I read this more as an indication of the poor security state of web browsers than of the (undeniable) skill of the participants. From the implementation point of view, the security of our web browsers is not great at all, despite everything that has happened in recent years.

From the strategic point of view, the participants in this ACM panel discussion state very clearly that the security of web browsers is broken by design, which just confirms the very sorry state of affairs we are in. Even more, they claim that there is little if any incentive to improve the situation.

And it is no joke that our daily lives depend more and more on web browsers, from banking to health, work, education etc.

Project Management and Boeing’s 787 Battery Blues

I found interesting this article by Prof. Tang and Zimmerman and this interview with Prof. Tang about the kind of complex project management needed to build the 787 Dreamliner, and the problems and risks associated with it.

Needless to say, I wonder what would come out of looking at the IT part of this project. We know that IT projects are almost by definition exceedingly over budget, outrageously behind schedule and full of bugs. Add to this that for the 787 Dreamliner detailed requirements, specifications and integration have been left to tier 1 suppliers, and that for the first time ever the entertainment system is on the same network as the flight-control system, and I am not sure what the final outcome has been. On the other hand, if the IT part of the project has come out right, I believe we have a lot to learn from it.