Category archive: English
In a word
First day of spring
Underestimated risks: literature research
»There is another questionable use of the word “standard” that is frequently encountered in the literature. After a complicated interactive problem P has been used in a couple of papers, subsequent papers refer to it as a standard problem. The casual reader is likely to think that something that is standard has withstood the test of time and that there’s a consensus among researchers that the assumption or problem is a reasonable one to rely upon—although neither conclusion is warranted in such cases. The terminology obfuscates the fact that the new problem is highly nonstandard.«
(Neal Koblitz and Alfred Menezes: The Brave New World of Bodacious Assumptions in Cryptography)
In a word
Interim report on AF 447 crash
CeBIT
Vélib extreme
- 20,000 bicycles
- 1,250 stations
- Cost 400 euros each to replace
- 7,800 „disappeared“
- 11,600 vandalised
- 1,500 daily repairs
- Staff recover 20 abandoned bikes a day
- Each bike travels 10,000 km a year
- 42 million users since launch
(February 2009)
Must read
Markov Indecision Processes: A Formal Model of Decision-Making under Extreme Confusion
Abstract:
»We present a mathematical model of indecisive agents faced with a sequence of difficult decisions, extending Adams' bistromathics to the multistage case. This is almost the first work on modeling stochastic processes for which the probabilities are fundamentally unknowable. This paper describes a novel algorithm, complexity results, and a model-free learning algorithm for Markov indecision processes. Two applications are discussed based on real-world domains: presidential elections and the stock market.«
Stolen laptop case study
Shocking news: it is easy to steal laptop computers in universities!
»In this study, we look at the effectiveness of the security mechanisms against laptop theft in two universities. We analyze the logs from laptop thefts in both universities and complement the results with penetration tests. The results from the study show that surveillance cameras and access control have a limited role in the security of the organization and that the level of security awareness of the employees plays the biggest role in stopping theft. The results of this study are intended to aid security professionals in the prioritization of security mechanisms.«
(Laptop theft: a case study on effectiveness of security mechanisms in open organizations)
By the way,
… if it’s worth the effort, this TPM hack may nicely complement an Evil Jan attack. First the attacker carries out the Evil Jan attack to obtain any user-provided key material; next he takes the machine away and cracks the TPM for the rest of the key material. Usually there are easier ways after the initial step, but if, for whatever reason, they should become infeasible, going for the TPM might be an option.
Leaving the TPM exposed to physical attacks while protecting the RAM of a system from wire access, DMA, and cold boot attacks would be a pretty stupid design error, though. But who knows?
Unique selling proposition
»Symmetric keys eliminate PKI key management issues.«
True.
Nice
Spam-based economy
(direct spam, via)
Fighting back
Sherr, M.; Shah, G.; Cronin, E.; Clark, S. and Blaze, M.: Can They Hear Me Now? A Security Analysis of Law Enforcement Wiretaps. CCS’09.
Abstract:
»Although modern communications services are susceptible to third-party eavesdropping via a wide range of possible techniques, law enforcement agencies in the US and other countries generally use one of two technologies when they conduct legally-authorized interception of telephones and other communications traffic. The most common of these, designed to comply with the 1994 Communications Assistance for Law Enforcement Act (CALEA), use a standard interface provided in network switches. This paper analyzes the security properties of these interfaces. We demonstrate that the standard CALEA interfaces are vulnerable to a range of unilateral attacks by the intercept target. In particular, because of poor design choices in the interception architecture and protocols, our experiments show it is practical for a CALEA-tapped target to overwhelm the link to law enforcement with spurious signaling messages without degrading her own traffic, effectively preventing call records as well as content from being monitored or recorded. (…)«
Terrorism as a business
Naked Truth
In the current discussion about the use of body scanners at airports (aka strip machines) many people seem to forget that these scanners do not pose a remedy to the latest security threat, i.e. explosives. So I am amazed that in this day and age we are still preoccupied with knives and guns. And I ask myself, do we really need expensive technology to spot them? Are the Indians really the only part of the scenario that has changed? And isn’t touching my privates a bigger privacy infringement than taking an X-ray picture?
Cold boot attacks on steroids
BootJacker puts malware underneath the running operating system:
- Force reboot
- Boot malware
- Resume OS session preserved in memory
(found here)
Did you know …
… that Microsoft might have invented cross-site scripting? The term, that is, not the technique.
No risk, no fun?
Breakdancing Robot
Threat Modeling in Action
After the videos on threat modeling an example seems in order. Securology provides us with a good one in Selecting a Pistol Safe as (part of) the basis of a procurement decision. This is his set of requirements:
So, I needed a way to „securely“ (that’s always a nebulous word) store a firearm, namely a pistol, such that it could meet the following criteria:
- Keep children’s and other family members’ hands off of the firearm
- Stored in, on, or near a nightstand
- Easily opened by authorized people under stress
- Easily opened by authorized people in the dark
- Not susceptible to power failures
- Not susceptible to being „dropped open“
- Not susceptible to being pried open
- Not opened by „something you have“ (authentication with a key) because the spouse is horrible at leaving keys everywhere.
- For sale at a reasonable cost
- An adversary should not know (hear) when the safe was opened by an authorized person
But I didn’t care a lot about the ability to keep a dedicated thief from stealing the entire safe with or without the firearm inside.
Read on at Securology to see how various products fail to fulfill this set of requirements. This example is illustrative in that it addresses several distinct threat aspects and tradeoffs. The pistol is not simply an asset needing protection, it is also by itself a security mechanism against certain threats. The resulting optimization problem is pretty interesting: keeping (some) unauthorized people from accessing the pistol while maintaining availability to the authorized in a practical sense.
Death Star Threat Modeling
Kevin M. Williams talking on Death Star Threat Modeling at The Last HOPE, 2008 (via No Tricks)