Stefan Esser is an iOS security researcher based in Cologne, Germany. Last month, on returning to his Frankfurt hotel room after dinner one evening, he noticed that his laptop had been tampered with in his absence. On investigation he concluded that the hard drive had been removed and then improperly replaced. It appears Stefan may have become the victim of an Evil Maid attack. A give-away was the hotel room door handle, which also appeared to have been the target of tampering.
Evil maid and the short-comings of full-disk encryption
Of Volkswagens and malware sandboxing
So everyone knows about the VW emissions scandal. Software in the car’s engine management system can detect when an emission test is being carried out (a give-away clue is when the vehicle is on a dynamometer), and reduce engine performance in order to provide better emissions test results. Malware developers use a similar technique to evade file-based sandbox detection methods.
The ascension of man over fridge
Comments I’ve seen indicate that many are concerned about the advent of IoT. Specifically, misgivings are about the security and privacy of data. Historically, the information technology sector has not had a good track record with security and privacy, and people are worried that more connected devices will only exacerbate the situation.
Dridex elicits same old tired advice
This week saw a resurgence of the Dridex malware. There is little novel or outstanding about the malware – it infects PCs through a Microsoft Office document which victims are encouraged to open in order to trigger a malicious macro. Once installed, the malware harvests data when the victim conducts online banking. Normal stuff. Reports say £20 million has been stolen.
The future shape of IoT
Three core components make up the IoT ecosystem: Things, People and Events. A simple example is a smart thermostat (Thing), operated by the home owner (People), which activates home heating when the temperature drops below a certain point (Event). IoT is essentially about the interaction and relationships between, and within, these three core components.
IoT’s PII tsunami
Thelma Arnold, a 62-year-old widow living in Lilburn, Georgia with her beloved dog Dudley, was quietly minding her own business. Dudley had an incontinence problem and consequently peed on everything. In 2006 Mrs Arnold was suddenly thrust into the spotlight. An employee at her ISP thought it would benefit academic researchers if he published the anonymised 3-month search histories of more than half a million of their customers. Little did the over-zealous employee realise that individuals can be identified from snippets of anonymous information, such as their search history. A reporter examined the published search history of person #4417749, and through the search items was able to identify Mrs Arnold and track her down.
IoT inference attacks from a whole lotta talkin’ going on
It was late at night in Arlington County on 16th January 1991. An unusual number of lights were on in the offices of the Pentagon. The employee car park was much fuller than normal. Another telling indication a keen observer would have noticed was the frequency of late-night pizza deliveries to the building. This seemingly innocuous information indicated something big was up at US Defence HQ. It was, of course, the start of Operation Desert Storm. One local pizza outlet reported deliveries to the Pentagon up 600% that night. Seemingly innocuous data can lead an acute observer to infer meaningful information and conclude that a military offensive was imminent.
Hacking for asymmetry in military capabilities
After completing school, like all fellow countrymen my age, I was conscripted into the South African army. While coerced into military servitude my time was split between being trained in infantry combat and working on the Defence HQ computer system. This was a world of punch cards and mainframes, before the invention of the PC. In those days, the only hacking we knew was how to use a 10 cent diode to get free calls on a payphone. While the army taught me about bits and bytes, my colleagues made a conventional force ground incursion deep into Angolan territory. Once there, they discovered, to their chagrin, an important asymmetry between the enemy’s Cuban-piloted MiG fighters and our own French-built Mirage jets. Without vital supremacy in the air, our ground troops were in some danger.
Securing the “God Platform” in IoT
Forbes magazine coined the term “god platform”. At the nucleus of IoT is a Command Centre that provides the user interface, data storage and sharing junction. The million-dollar question is how to secure the “god platform” and the IoT ecosystem.
I am Schrödinger’s cat
I live in Austria with my owner Schrödi – Mr Schrödinger as everyone else calls him – and he is a really cool guy. He talks about me quite a bit. Schrödi told me that I will become famous as he has even had a chat with Einstein about me. Yes, that Einstein – Albert – my owner Schrödi is mates with Albert.