January 13th, 2016
13 January 2016 – You can add terrorist-controlled drones to the list of dangers we need to be prepared for, says the Oxford Research Group.
Its new report contains information about over 200 current and upcoming unmanned aerial, ground and marine systems, and evaluates their capabilities for delivering payloads (e.g. explosive devices), imaging capabilities (e.g. for reconnaissance purposes), and their general capabilities. Even though the report notes that commercial drones have a limited flight time, range of movement, and payload capacity, and that their operators still have to be relatively close to a potential target, the researchers are particularly worried about the possibility of drones being used as remotely controlled explosive devices. They say, “The technology of remote-control warfare is impossible to control; the ultimate defense is to address the root drivers of the threat in the first place.”
December 5th, 2015
5 December 2015 – Veracode has put together a report after static analysis of over 200,000 apps, and its results show that Classic ASP, ColdFusion, and PHP generated the most security bugs in scanned applications. Ignoring the first two, which are almost extinct languages, PHP, used for Drupal, Joomla, and WordPress (which recently announced it runs a quarter of the Internet), is the programming language with the most security woes.
November 2nd, 2015
2 November 2015 – Last week the media blogs lit up over the British police’s seizure of a BBC laptop, which raises the question: what configuration and practices ensure that such a seizure provides zero information to the cops?
Sarah Naomi was at the t2’15 infosec conference in Finland last week and described a presentation by security researcher Georg Wicherski. Wicherski is a Senior Security Researcher with CrowdStrike whom we have met several times at Black Hat.
Wicherski outlined in his talk several steps that could be taken to render, for instance, an ordinary Chromebook immune (or at least make it very, very resistant) to malware attacks, even when an adversary has physical access to it. These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have “an appliance, that comes with a manual, and low-skilled operators.” By using a setup that is not very common, the border cops might not know what to …
October 30th, 2015
30 October 2015 – When Anthem revealed a data breach that exposed the details of more than 80 million people, the incident raised a lot of questions: who would conduct such a hack against a health insurance firm? Investigators finally have some answers… and they’re not quite what you’d expect. Reportedly, the culprits were Chinese hackers helping their nation understand how US medical care works. It may be part of a concerted campaign to get ready for 2020, when China plans to offer universal health care.
Next, maybe we should outsource politicians from China to fix our healthcare system.
October 18th, 2015
18 October 2015 – Cars and streets are now connecting to the Internet for a long list of transportation and safety benefits, but the new tech has drawbacks. Experts from government, industry, and academia say they have no confidence they’ll develop a secure system that can protect users from tracking and privacy breaches. Their opinions were captured in a recent survey (PDF) from the Government Accountability Office:
“The government is coordinating with the transportation industry on the Security Credential Management System (SCMS), a project to verify that basic road-safety messages come from authorized devices. … At this point, it’s not clear who would even run such a system. Previous plans pointed toward car industry control, but the Transportation Department is now looking into playing ‘a more active leadership role’ for V2I as well as V2V (vehicle-to-vehicle) networks. That role would include setting security and privacy standards when V2I and V2V networks become operational.”
October 7th, 2015
Gregory P. Bufithis
Eric De Grasse
7 October 2015 – Thousands of cloud fanatics have descended on Las Vegas this week for Amazon Web Service’s re:Invent conference. One item that grabbed our attention was the announcement by a group of researchers from Massachusetts who published a proof of concept that uses a flaw in AWS virtual machines to steal RSA cryptographic keys. The flaw has since been patched, but according to the researchers we really need to think more seriously about security in the cloud.
The group of professors … at Worcester Polytechnic Institute … demonstrated in a recently published paper named “Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud,” a proof of concept hack of secret cryptography keys used in an AWS virtual machine. The now-patched flaw – which was not specific to AWS – showed that a hacker could theoretically gain a user’s secret keys that are used to encrypt sensitive data.
Security experts say the risk of this specific attack being used is quite low …
September 28th, 2015
28 September 2015 – Ars Technica takes a look at the cyberspying agreement between the U.S. and China. The article looks at what the accord does but more importantly, what it does not:
“But even assuming both sides would follow the pact, the accord is tall on rhetoric and short on substance. The deal, for instance, defines the method of enforcement as requiring the two nations to create a ‘high-level joint dialogue mechanism,’ according to a joint statement from Attorney General Loretta Lynch and Homeland Security chief Jeh Johnson. More important, the two superpowers make no commitment not to hack one another for intelligence-gathering purposes. That means the recent hack of the Office of Personnel Management’s background investigation data—5.6 million sets of fingerprints from US federal employees, contractors and other federal job applicants—doesn’t run counter to the accord. The OPM hack is believed to have originated in China and the data, as Ars has previously reported, is ‘in the hands of the foreign intelligence services of China.’”
September 28th, 2015
28 September 2015 – Scientists have developed the first ever memory chip that’s entirely light-based and can store data permanently. Sciencemag reports:
“Today’s electronic computer chips work at blazing speeds. But an alternate version that stores, manipulates, and moves data with photons of light instead of electrons would make today’s chips look like proverbial horses and buggies. Now, one team of researchers reports that it has created the first permanent optical memory on a chip, a critical step in that direction. If a more advanced photonic memory can be integrated with photonic logic and interconnections, the resulting chips have the potential to run at 50 to 100 times the speed of today’s computer processors.”
September 8th, 2015
Texts and contexts: the cultural legacies of Ada Lovelace
“That brain of mine is more than merely mortal; as time will show.”
A workshop for graduate students and early career researchers
Tuesday 8 December 2015
Mathematics Institute and St Anne’s College, Oxford
The mathematician Ada Lovelace (1815-1852), daughter of poet Lord Byron, is celebrated as a pioneer of computer science. The notes she added to her translation of Luigi Menabrea’s paper on Charles Babbage’s analytical engine (1843) are considered to contain a prototype computer program. During her short life, Lovelace not only contributed original ideas to the plans for this early computer; she also imagined wider possibilities for the engine, such as its application to music, and meditated on its limitations. Lovelace leaves a legacy not just as a computer scientist, but also as a muse for literary writers, a model to help us understand the role of women in science in the nineteenth century, and an inspiration for neo-Victorian and steampunk traditions.
As part of the University of Oxford’s celebrations to mark the 200th anniversary of Lovelace’s birth, …
June 7th, 2015
8 June 2015 – In the past two weeks I have had the opportunity to attend the IBM Analytics Summit in Brussels which included a full day hands-on/interactive “Cybersecurity 101” class on cyber vulnerabilities, exploits and active attacks, viruses and other malware, spam, phishing, and malicious web content. The sessions also went through the whole process of applying security measures to ensure confidentiality, integrity, and availability of data, with one session focused on the law firm. Discussed were countermeasures that can be put in place in order to increase the security of data. Some of these measures include, but are not limited to, access control, awareness training, audit and accountability, risk assessment, penetration testing, vulnerability management, and security assessment and authorization.
And over the weekend during my flight to the States for client meetings I was able to finish Jamie Bartlett’s “The Dark Net” which chronicles the secret corners of the Internet that Bartlett likens to the “Wild West”: anonymous users visiting sites that can’t be censored. So anybody with something to hide, whether it’s for good reasons or …