Looks like S4D (and the co-located FDL) is becoming my most regular conference. S4D is a very interactive event. With some 20 to 30 people in the room, many of them also presenting papers at the conference, it turns into a workshop at its best. There were plenty of discussion going on during sessions and the breaks, and I think we all got new insights and ideas.
Category: security
Worm Attacking Industrial Control Systems
There is a very interesting worm going around the world right now which is specifically targeting industrial control systems. According to Business Week, the worm is targeting a Siemens plant control system, probably with the intent to steal production secrets and maybe even information useful to create counterfeit products. This is the first instance I have seen of malware targeting the area of embedded systems. However, the actual systems targeted are not really embedded systems, but rather regular PCs running supervision and control software.
Continue reading “Worm Attacking Industrial Control Systems”
Wind River Blog: True Concurrency is Different
I have another blog up at Wind River. This one is about multicore bugs that cannot happen on multithreaded systems, and is called True Concurrency is Truly Different (Again). It bounces from a recent interesting Windows security flaw into how Simics works with multicore systems.
C in Danger – and thus Higher-Level Languages (?)
Some recent developments among development environments for mobile phones have made me consider the hereto unthinkable: that C might be on a decline as the universal programming language. Indeed, maybe there is even a chance that we will not have a universal low-level language in the future at all. What is happening is that the hitherto “given” role of C as the base language for a platform is being questioned. The reason appears to be security, which cannot be said to be a bad thing. However, a large-scale move away from C might hurt many of today’s higher-level languages and even model-based engineering.
Continue reading “C in Danger – and thus Higher-Level Languages (?)”
500K Spam
We recently had a malfunction in our spam filters at work, so I had to go back and review the catch for possible false positives. I sort things into two bins using spamassassin, one for most likely spam, and one for probable spam. When things started to go bad, the most likely folder had reached more than 2 GB, and the probable some 500 MB.
Yubikey Follow-Up
Now I have had my yubikey for about a week, and I have put it on my keychain. It really works extremely well! The only small issue is that I tend not to have my keys immediately within reach while at home in the house or on travel, so there is a step of “go retrieve the keys” before I can use it for login.
I Got a Yubikey!
I been listening to the SecurityNow! podcast raving about the coolness of the Yubikey, created by Swedish startup Yubico. It seems like the device has captured the imagination of quite a few people, and I have been kind of curious about it. So I was quite pleasantly surprised when I got one a few days ago, since we are testing it as a new way to authenticate to our VPN at work.
Cool Obscure Hardware: Sun SCC and Software License Protection
In a very roundabout way, I recently got to hear about a cool Sun server feature introduced sometime back in 2003 or 2004: the SCC System Configuration Card. This is a smart card that stores the system hostid and Ethernet MACs, along with other info, and which can be transferred from one server to another.
Continue reading “Cool Obscure Hardware: Sun SCC and Software License Protection”
Off-topic: Crime Medicine
The Swedish national medical products agency is running a very cleverly marketed campaign right now to inform people about the perils of buying medicine over the Internet. They are running fake advertisement spots on television, mimicking the typical medical adverts found in the US (and the few other countries where such advertising is allowed for prescription medicine), with a trustworthy doctor talking about the benefits of this and that… and slowly going into weird land about how the products might not be want you think and maybe don’t contain the right stuff, etc.Finally, you are pointed to www.crimemedicine.com, a site setup for this campaign. All very clever. In fact, so clever that some people reported the spots to the consumer watchdog as being illegal advertisements… brilliant!
SiCS Multicore Days: The Debate Points
It is a week ago now, and sometimes it is good to let impressions sink in and get processed a bit before writing about an event like the SiCS Multicore Days. Overall, the event was serious fun, and I found the speakers very insightful and the panel discussion and audience questions added even more information.
Google Chrome and Parallel Browsing
Everybody seems to think the launch of the Google Chrome browser is very important and cool. Probably because Google itself is considered important and cool. I am a bit more skeptical about the whole Google thing, they seem to building themselves into a pretty dangerous monopoly company… but there are some interesting architectural and parallel computing aspects to Chrome — and Internet Explorer 8, it turns out.
DNS: Hardware Accelerator Time!
In Episode 157 of Security Now,Steve Gibson and Leo Laporte discuss the recently discovered security issues with DNS. In particular, the cost of making a good fix in terms of bandwidth and computation capacity. Fundamentally, according to Steve, today’s DNS servers are running at a fairly high load, and there is no room to improve the security of DNS updates by for example sending extra UDP packets or switching to TCP/IP. As this theoretically means a doubling or tripling of the number of packets per query, I can believe that. The “real solutions” to DNS problems should lie in the adoption of a truly secured protocol like DNSSEC. As this uses public key crypto (PKC), it would add a processing load to the servers that would kill the DNS servers on the CPU side instead…
VMM Detection Myths and Realities from a Simics and Embedded Perspective
It must have been Google Alerts that send me a link to the HOTOS 2007 (Hot Topics in Operating Systems) paper by Tal Garfinkel, Keith Adams, Andrew Warfield, and Jason Franklin called Compatibility is not Transparency: VMM Detection Myths and Realities. This paper is slightly less than a year old today, so it is old by blog standards and quite recent by research paper standards. It deals with the interesting problem of whether a virtual machine can be made undetectable by software running on it — and software that is trying to detect it. Their conclusion is that it is not feasible, and I agree with that. The reason WHY that is the case can use some more discussion, though… and here is my take on that issue from a Simics/embedded systems virtualization perspective.
Continue reading “VMM Detection Myths and Realities from a Simics and Embedded Perspective”
BBC Documentary: On the Trail of Spammers
If you are looking for a good popular introduction to what spam is and how it works, the BBC World Service Documentary Podcast has a very good documentary up right now. I cannot find a direct link, but go to the overview page and then download “Doc: Assignment – On the trail of spammers 17 Jan 2007”. Enjoy!
The Customer is not always Right
I just listened to Episode 103 of the Security Now podcast, where Leo Laporte and Steve Gibson talk to the head of security at PayPal. PayPal is doing the right thing right now, issuing their customers with RSA security keys. Which gives them two-factor authentication (password and security key passnumber).
But for some reason, they do not enforce the use of security keys on their customers. Even when you have obtained a security key (which is optional, weirdly enough) and said you are using it, you can still login without it doing some additional security questions. For the reason of convenience! Which basically reduces the security added to nothing, since you can still login in a traditional fashion.