A rather large selection of news as I missed last week weekly digest!
Are Anti Virus Obsolete?
I recently had a discussion with a work colleague who was claiming Anti Virus are not as good at preventing infections as they used to be, technology is moving fast and Anti Virus vendors seem to be playing catchup with more and more delay. He also stated that most AV only detects 20% of new viruses… A claim I haven’t been able to verify by doing a quick search on the Internet, so let’s just say I agree we are seeing more and more new viruses that we, as security professionals, have to inform the AV vendors about.
On that topic, the future of AV looks to be a difficult road ahead as discussed in a recent Kaspersky’s interview below, what I found the most interesting is the last paragraph were they mention a hacker who wrote a tool which gathered many security company IP addresses. The hacker then used this information to change the behaviour of malicious software when installed in those security company sub-nets… meaning those companies could not properly study the behaviour of those malicious software, i.e.: it could be turning itself off or not show its true payload while being studied by AV vendors… I have to say… this is clever :)
Clean your smart-phone screen!
I saw 3 references from different sources on this topic this week. It is quite an obvious concept, as more and more mobile devices are using touch screen technology (think iPhone, Android, iPad) there could be an increasing risk that an attacker could analyse the oily smudge left by the user when typing his pass-code (which is typically 4 characters).
In practice this is not really useful, especially if you set your device to lock or wipe itself out after 10, 20 or more attempts (or less!). What I liked about that paper though, is that rather than trying all combinations of the 4 oily smudges left on the screen the attacker could try against a dictionary of most common patterns… i.e. increasing numbers, diagonals, etc
I don’t actually think this is of much value, unless you enter you pass-code and stop using the device… because if you don’t, very soon the full screen will be full of oily smudge!! moreover, it is much easier just to look at the person entering his pass-code than trying to guess by looking at the screen afterwards… so I would say you can keep you dirty screen as long as you hide your pass-code when typing it! still, an interesting concept!
The full paper is available here:
How to hack a car!
When you read the following article you realise how sometimes technology can be too much technology! Some researchers have managed to hack into wireless tire sensors with a relatively cheap hardware kit and managed to remotely engage wipers, horns… and disable breaks!
What makes this even worse is that it seems wireless tire sensors are mandatory in the US since 2008…
The following article is about the challenges enterprises are facing with the rise of smart”devices” such as iphones, androids and ipad like devices. Most of those devices are now being bought by employees and used to access their company’s network in a very uncontrolled way.
This introduces a risk on how potentially sensitive data is secured on those devices and also where they get synced (i.e.: on home computers). What makes it even more challenging, especially with Apple, is that most of those vendors are customer driven and companies are now left with 3 choices:
- To close down access to their network resources
- To adapt to the customerisation of their client hardware (from the type of apps used to awareness campaign)
- Try to emulate RIM like security regardless of the client by the use of 3rd party software.
I believe this is a missed opportunity for companies like Apple for not trying to be more enterprise orientated. Rather than forcing companies to adopt their product through the companies’ employees desire for new gadgets, they could capitalise on the user/customer demand and offer more flexibility, openness and speed to also meet the enterprise security needs. The result would be a drive for much larger deployment from within the different support teams rather than just a handful of (often powerful) individuals within a company :)
Smartphone Challenges Article
Position based cryptography
I never thought about providing encryption based on where a recipient/sender is located. But Bruce Schneier speaks about a paper on his blog which describe just that. A research group just published a paper discussing position based cryptography being possible through Quantum Cryptography.
Basically, it would allow a message to be decrypted only if a recipient is located in a very specific geographical place. This sounds like a very interesting concept and I will try to find the time to read that PAPER.
Test your SSL implementation
Qualys is offering a free service to test the SSL implementation of public websites and if they have any issues. Do you wonder if you have any public websites with SSL which would not pass the test ;)