Security | BringYourOwnIT.com

How to Fix the Internet of Broken Things

November 20, 2015 2 Comments

iot-security The Internet of Things is already permeating every part of our lives – from healthcare to aviation, automobiles to telecoms. But its security is fundamentally broken. In my previous blog I’ve shown how vulnerabilities found by security researchers could have catastrophic consequences for end users. This isn’t just about data breaches and reputational damage anymore – lives are quite literally on the line. The challenges are many: most vendors operate under the misapprehension that security-by-obscurity will do – and lobby for laws preventing the disclosure of vulnerabilities; a lack of security subject matter expertise creates major vulnerabilities; firmware can too easily be modified; and a lack of separation on the device opens up further avenues for attackers.

But there is something we as an industry can do about it – if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualization.

Read more of this post

Filed under IoT Security Tagged with ARM, automotive, can bus, Cesare Garlati, embedded, exploit, firmware, hack, hacker, Internet of Things, IoT, kernel, linux, MIPS, Networking, open source, patch, prpl Foundation, root of trust, secure boot, Security, TEE, trusted execution environment, trusted zone, trustonic, virtualization, vulnerability

The Security Challenges Threatening to Tear the Internet of Things Apart

November 4, 2015 3 Comments

The Internet of Things (IoT) has the power to transform our lives, making us more productive at work, and happier and safer at home. But it’s also developing at such a rate that it threatens to outstrip our ability to adequately secure it. A piece of software hasn’t been written yet that didn’t contain mistakes – after all, we’re only human. But with non-security experts designing and building connected systems the risks grow ever greater. So what can be done?

Read more of this post

Filed under None Tagged with ARM, automotive, can bus, Cesare Garlati, embedded, exploit, firmware, hack, hacker, Internet of Things, IoT, linux, MIPS, Networking, open source, patch, Security, trustonic, virtualization, vulnerability

Securing The Internet of (broken) Things: A Matter of Life and Death

October 6, 2015 1 Comment

If you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.

Read more of this post

Filed under IoT Security, Top Posts Tagged with ARM, attack, audit, black hat, Cesare Garlati, cpu, exploit, hacker, hypervisor, information security, Internet of Things, kernel, linux, memory, micro kernel, MIPS, open source, pentest, reverse engineering, root of trust, secure boot, Security, soc, virtualization, virus, vulnerability, white hat

Major home gateway flaw tells us it’s time for hardware-level security

May 25, 2015 1 Comment

This week, security researchers found a major vulnerability affecting scores of home and SOHO Wi-Fi router products from over 20 of the biggest names in the market. That such a widespread flaw could go unnoticed and that it went unpatched for so long despite the researchers’ best efforts is a sad reflection on the commercially minded “sales first, security second” attitude of the technology industry and of the gaping holes that exist in the supply chain.

But it also raises questions about whether, instead of focusing on security at the software and network level, we should instead start looking down to build protections into the silicon in order to reduce the attack surface area.

Read more of this post

Filed under IoT Security, Top Posts Tagged with Cesare Garlati, corporate data, flaw, hack, home gateway, login, password, patch, Security, virtualization, vulnerability, Wi-Fi router

There is a bug in my Apple – Part 2

July 14, 2011 1 Comment

Intego announces first-ever iPhone malware scanner – really?

July 12, 2011 11:49 AM ET Gregg Keizer – COMPUTERWORLD

http://www.computerworld.com/s/article/9218339/Mac_security_firm_ships_first_ever_iPhone_malware_scanner

Follow up on my previous post on the new security flaw discovered in Apple’s iPhone and iPad – see https://bringyourownit.com/2011/07/07/oops-there-is-a-bug-in-my-apple/

With impeccable timing, this morning Intego announded the availability of the “first-ever iPhone malware scanner”. Sure enough I went to the Apple Store and downloaded the VirusBarrier app in my iPhone and iPad. My test drive impressions: the app still leaves to the end user the responsibility to check the attachments rather than enforcing it. It is quite clunky and may provide a false sense of security: if you tap the attachment and then release the finger a little too early, you’ll end up opening up the attachment instead of scanning it(!) Probably safer – and cheaper – not to open pdf attachment in general. And as any other consumer app, there is no centralized IT management whatsoever: no reporting and no policy enforcement. One more thing: Apple is supposedly working with Adobe to address this vulnerability and will provide an update soon. At that point this app may become simply useless … but I guess this is one of those situations where “something is better than nothing” …

A few comments from a couple of Trend Micro’s experts:

Mark Bloom, Director – Director Product Marketing @ Trend Micro : “Usage or not, they [Intego] will get a lot of brand awareness out of this…..just for that value, it was worth the development effort.”

Patrick Wheeler, Sr Product Marketing Manager @ Trend Micro : “[… Apple iOS] antimalware matters, which puts us [Trend Micro] at an advantage over MDM-only vendors like MobileIron, Airwatch, and Symantec, and allows us to talk up the differentiation for our own antimalware we get from integration with SPN.”

Filed under Mobile Security Tagged with Apple, gsm, hsdpa, iPad, iPhone, Mobile Broadband, Security

Oops … there is a bug in my Apple!

July 7, 2011 3 Comments

The new security hole found in iPhones and iPads reminds us that no platform is immune to security threats and that there is in fact a need for mobile security software for Apple products.

http://online.wsj.com/article/SB10001424052702303365804576431541102701136.html

Here we go. As it turns out Apple mobile operating system is not so secure after all. While it is common perception that iPhones and iPads are so secure that they don’t even need antimalware software, the reality is that any piece of software is potentially defective and therefore vulnerable to attacks. And Apple is no exception as shown by the recent discovery of a new security flaw affecting Apple’s best selling devices. Even worse, previously discovered security issues in iOS were limited to a minority of jail-broken devices, where end users deliberately patch the standard operating system to escape Apple’s suffocating control on device and apps – see my beer side chat on YouTube at http://www.youtube.com/watch?v=ZjbqI2V18sY.

Read more of this post

Filed under Mobile Security Tagged with Apple, gsm, hsdpa, iPad, iPhone, Mobile Broadband, Security

Bombmaking and Cupcakes

June 3, 2011 1 Comment

When the “bad guys” are in fact the “good guys”

Friday, Jun 3, 2011 09:41 ET

Spies hack al-Qaida’s Inspire magazine: British intelligence agents replace bombmaking instructions with cupcake recipe

URL: http://bit.ly/l0wDzN – PAISLEY DODDS, Associated Press

I have always been fascinated by the fine line separating good and bad in cyber security. Admittedly we tend to see the security world in black and white. On one side we have the “bad guys” doing any sort of “bad things” such as planting malware or hacking websites. On the other we have the “good guys” trying to stop them from getting away with their wrong doings. Well, as it turns out sometime the “bad guys” are in fact the “good guys” trying to stop the real bad guys from doing really bad things. Confused?Case in point: British intelligence agents hack al-Qaida’s website and replace bombmaking instructions with cupcake recipe. While it is not a surprise that intelligence organizations around the world use cybertools as part of their work, I always wondered how they maintain their leading edge, how they gain knowledge of zero day vulnerabilities and, in the end, at what extent governments are in fact indirectly funding the cybercrime underworld. Knowledge of Zero day vulnerabilities is worth millions – if not tens of millions – in the black market. What kind of organizations do you think can afford to buy this expensive know-how? Intrigued by the topic? Speak your mind. Leave a comment.

Filed under Mobile Security Tagged with intelligence, Security, zero day

Catching Android Tokens in the Wild

May 19, 2011 Leave a comment

Below is my interview with Shaun Nichols of V3.co.uk on the latest Android security flaw:

Unsecured Wi-Fi leaves Android users open to attack

/v3-uk/news/2071676/researchers-disclosure-flaw-android

18 May 2011, Shaun Nichols , V3

Experts are warning of the dangers of unsecured Wi-Fi connections after a group of German researchers uncovered a security flaw which could leave Android users’ contact information exposed.

Researchers from Ulm University reported that many Android handsets and tablets are currently vulnerable to attack via an unsecured Wi-Fi connection when used to access authentication tokens for Google’s Calendar, Contacts and Gallery services. The vulnerability lies in the handling of the authToken component. When the user is connected on an open Wi-Fi connection, an attacker could capture and reuse the token to access data on the Google services. “The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data,” the researchers wrote. “For Contact information, private information of others is also affected, potentially including phone numbers, home addresses and email addresses.” The flaw is found in handsets running Android versions prior to 2.3.4 and tablets running Android versions prior to 3.0. The authorisation is performed over a secure connection on newer versions which prevents harvesting of the tokens. The researchers suggest that, if possible, Android handset owners should update to the newest version for their device.

Read more of this post

Filed under Mobile Security Tagged with Android, BYOD, Consumerization, Google, handsets, Security, Tablets, Wi-Fi

Newer posts →

About Cesare Garlati

This is my personal blog about disruptive technology trends such as cyber security, open source processors, and the Internet of Things. It's full of my reasoned opinions, some of which will turn out to be absolutely wrong. You should not rely on anything in this blog for any reason other than for amusement.

This blog occasionally quotes excerpts from other publications, in which case it is done under Fair Use. I despise copyright trolls and think the EFF is due for sainthood any day now.

I am the founder of Hex Five Security and an active member of the RISC-V Foundation: some of my writing will appear here too if it's relevant. The opinions here are mine and mine alone, and are not representative of any professional organizations I belong to.

Comments are unmoderated. Say what's on your mind, be direct, speak the truth, etc., I'll try to keep all your comments ...

Happy reading!

Twitter @CesareGarlati

RT @JosephJacks_: From another reputable source: https://t.co/IIgFci61NG posted 2 weeks ago
David Patterson: Examining the Top Five Fallacies About RISC-V @risc_v design-reuse.com/news/53202/exa… posted 3 months ago
RT @hex_five: Learn how to quickly develop high-grade security applications with built-in remote firmware updates, telemetry, and device mo… posted 8 months ago
Congrats to team and investors! twitter.com/hex_five/statu… posted 1 year ago
New release of MultiZone Security for RISC-V available! v2.2.0 includes important security updates, secure DMA tr… twitter.com/i/web/status/1… posted 1 year ago

Follow @CesareGarlati

Intego announces first-ever iPhone malware scanner – really?

The new security hole found in iPhones and iPads reminds us that no platform is immune to security threats and that there is in fact a need for mobile security software for Apple products.

When the “bad guys” are in fact the “good guys”

Unsecured Wi-Fi leaves Android users open to attack

About Cesare Garlati

Recent Posts