Sean Gallagher at Ars does an admirable job of breaking down a security topic, threat modeling, that doesn’t get much attention outside of research and professional circles. This piece is a long read but well worth it, both to understand the tecnique and for all the references and practical advice.
Read More …
Tag: security
Let’s Encrypt to offer wildcard certificates for free
After only a year with a paid authority, I gladly switched to the free and open certificate authority that EFF helped stand up. I haven’t minded having to enter multiple alternative names on my certificate every time I renew (which is evert 90 days, a security feature of Let’s Encrypt.) Wildcards make an already fantastic resource that much better. Read More …
GnuPG project holding a fund raising rally
Gnu Privacy Guard, an open source crypto tool compatible with OpenPGP and laterally supporting dozens of different uses is trying to raise funds for a few months of some additional developers time. I use GPG daily, including signing and encrypting my mail, securing online chats, keeping my password store safe, and so much more. Please check it out and help if you can. If you want to know more ways to use GPG, find me on Freenode at #cmdln or keybase.
Read More …
New stewardship for Thunderbird
I stopped using Thunderbird some time ago in favor of the email client that is part of my Linux distribution. I recognize the importance of Thunderbird given how webmail has generally erode the ability for regular folks have to have secure and confidential email correspondence. I am glad to see the project find new footing and a means to sustain.
IoT security anti-patterns
Saw this on Boing Boing, thanks again to Cory. Junade Ali at CloudFlare catalogs a few practices implementing IoT devices that contribute to the overall poor state of security. Importantly, there are recommend alternatives that maintain or improve security. We clearly need more of this, alongside existing resources like the OWASP security guide, both for manufacturers and for expert users to effectively hole them to account.
Malware that permanently disables non-secure IoT devices
Karl Bode at Techdirt has a good corollary to the article I shared earlier today about the hajime worm. The motivations are arguably similar between that worm and these PDoS malwares. The approach in the latter case is much more drastic, to so badly damage the targeted devices so as to remove them from the Internet.
Vaccinating IoT worm possibly uncovered
A bad idea comes back around, this time applied to the Internet of Things. The notion of a bit of self propagating code that defends instead of attacks is arguably as old as the Internet. It is never a good idea given the huge space of unintended consequences from unpredictable interactions with existing software to simple bugs exposing affected devices even more so than untouched ones. It is always better for devices owners to be aware of updates to their devices, ideally through a known and trusted mechanism.
Researchers spoof smartphone fingerprint readers with master fingerprints
That fingerprint systems are rarely as secure as advertised is no secret in the security world. Worse, if your device is vulnerable to this approach, you cannot exactly revoke your fingerprints and get new ones.
Android devices can be fatally hacked by malicious Wi-Fi networks
The exploit is just about the worst case scenario. Users don’t even have to connect to a malicious AP and turning off WiFi may not stop an attack. iOS has been patched but it is likely still weeks, if not months or in some cases ever, that Android will receive a patch. I can confirm that Broadcom makes some terrible chips after being stuck running Linux on a Mac for work recently. A coworker still routinely has disconnects and other issues with the same configuration.
More on usable security from O’Reilly
The O’Reilly Security Podcast previously had a great conversation with Scout Brody of Simply Secure about making security software usable. This looks like another great conversation in the same vein. Worth subscribing for these two episodes alone.