Tom Olzak

Archive for the ‘Uncategorized’ Category

Patchwork Security Regulations: Politics as usual

In Uncategorized on July 6, 2015 at 04:00

In an article for SearchSecurity, Mike Chapple writes about the potential for states to begin passing their own information security laws.  I agree with him that a patchwork of local and state laws could present a big problem.  But there is also another issue here: politics as usual.

We have enough regulations on the books, and the vast majority of large companies follow them.  Although no organization can block all breach attempts, our politicians take opportunities like the Anthem breach to make it look like they’re doing something about the problem.

“Doing something” usually translates into legislating or bureaucratic regulating.  Over time we end up with a quagmire of laws and regulations, most of which are redundant or reflect lack of technical understanding.  The real effects are felt by organizations or individuals who have to contend with disparate compliance challenges.

Cybercrime’s 5 Most Wanted

In Uncategorized on July 1, 2015 at 19:01

The FBI has a most wanted list for cybercriminals.  Meet the enemy…

Underwriters Lab (UL) ahead for security solutions

In Uncategorized on June 30, 2015 at 15:33

Peiter Zatko had left Google to respond to a request by the Whitehouse that he develop a cyber UL, a concept described in a paper published in 1999 by Tan from the L0pht.  The paper reads in part

“Just as in the late 1800’s, the consumers have little understanding of
the inventions they are purchasing. They are presented with claims by
the product’s marketers and have no way of proving those claims to be true or false. Just as it was back then, this has not stopped the large-scale application of these inventions, regardless of public safety. In the late 1900’s, nobody has stepped up to the plate to expand the UL’s role into computer security products or to take that role as their own. To some extent, groups like Nomad Mobile Research Center and L0pht Heavy Industries have acted as modern day Merrill’s, publishing non-biased findings to this affect.

Product certification needs to be performed on every version of a
product. Small changes that could ripple through traditional
technologies causing safety problems are at least ten fold when
applied to computer software. Many similarities may be drawn between the certification of computer security products and the listing of alarm systems and components that UL performs today.”

I think this is a great idea.  I also think they have made a start getting the right people to work on the project.  Let’s hope major security solutions vendors sign up.  If this is just something pushed by the government, it’s likely to die: no matter how potentially effective it might be.

Cisco and OpenDNS: Nothing changes for current users

In Uncategorized on June 30, 2015 at 14:40

As a user of OpenDNS for several years, I’ve been very satisfied with the protection provided to my systems.  Cisco obviously sees the value of OpenDNS, since they have decided to acquire the company.  Fortunately, OpenDNS announced their free personal service will continue.  Further, existing paying customers will see no change for the period of existing agreements.

Laptop encryption under attack

In Uncategorized on June 29, 2015 at 16:05

In a recent post by Bruce Schneier, he quotes a paper and Wired article in which researchers claim to be able to capture decryption keys.  The capture uses a device, buildable for about $300, that can extract keys from electromagnetic radiation emanating from a laptop.  The device, however, must be within 50 cm (19.68 inches) of the target machine.  So using the device means access to a targeted office or theft of the laptop.

According to the paper’s authors,

“Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.”

We’ve been relying for years on encryption to protect our laptops, and it’s still a good idea.  The researchers write that this attack doesn’t necessarily work across all computers or on other algorithms other than the GnuPG solution tested.  Further research is required.

%d bloggers like this: