My digital camera uses exif to convey a vast amount of contextual information and imprint it on each photo: date, time, the camera, shutter, aperture, flash. I have GPS in the camera so it can tell the location, elevation. The exif protocol also allows for vendor specific information and is extensible and customizable.
Unless and until we have an 'exif' for IoT its going to be lame and useless.
What is plugged in to that socket? A fan, a PC, a refrigerator, a charger for your cell phone? What's the rating of the device? How is it used? What functions other than on/off can be controlled?
Lame lame lame lame.
Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
Well, yes .... but.
This isn't news. Signature-based (and hence subscription based and hence that whole business model) AV is a wrong headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.
What's that you say? Other types of AV? Like what?
Well, you could have a front-end engine that checks all downloads and all email and all email attachments and all URL responses by emulating what would happen when they run on any PC or in any browser or any other piece of software such as any of the PDF readers you use, or any of the graphical display software you use or any of the word processors you use
or any of the spreadsheet programs you use or any music players you use ... and so on.
Many people in the industry - myself included - have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.
Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor - which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature had advantages and its own problems.
The local signature makes things unique to each machine so there is no "master key" out there. If your private key is compromised then do what you'd do with PGP - cancel the old one, generate a new one and sign all your software with the new one.
No technical measure can overcome human frailty in this regard.
- Avira antivirus upgrade wreaks 'catastrophic' havoc on Windows PCs (techworld.com.au)
- How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser 🙂 (shanicomputers.wordpress.com)
- Intel and McAfee unveil plans for unified security future (go.theregister.com)
- John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
- GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
- A Modest Proposal: Please Don't Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
- Why Authenticity Is Not Security (leviathansecurity.com)
- Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
- 'Catastrophic' Avira antivirus update bricks Windows PCs (go.theregister.com)
- Avira fixes antivirus update that crippled many PCs (neowin.net)
- Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
- Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
- Cryptography pioneer: We need good code (infoworld.com)
- Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
- Public Key Cryptography Explained (q-ontech.blogspot.com)
So do my cats. But so what?
Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apples and every Tablet and smartphone? Perhaps eyeball recognition like in "Minority Report".
And I'm sure there are _other_ ways to hack that than the one mentioned in the movie.
- SSL governance and implementation across the Internet (net-security.org)
- Why change VMware default self-signed SSL certs? (longwhiteclouds.com)
- Biometric apps for Kinect: Microsoft wants to avoid creeping everybody out (geekwire.com)
So to have great (subjective) protection your layered protection and controls have to be "bubbled" as opposed to linear (to slow down or impede a direct attack).
I have doubts about "defence in depth" analogies with the military that many people in InfoSec use.
Read what they are really talking about in those military examples: its "ablation": that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2). They try to slow down a direct and linear attack, hopefully to a standstill.
As the Blitzkrieg showed in dealing with the Maginot Line, if you "go around it" the defence isn't a lot of use.
Through the ages of war and politics and empire-hood and nation-hood and tribalism we've seen many threats and attacks and subversions used.
The reality is that many InfoSec defences are more like umbrellas, the assume that the attack in coming from a particular direction in a particular form. What's needed is more like an all-enclosing "bubble" rather than something linear with the 'defence in depth' model. But that gets back to the problem of the perimeter.
Many wifi enabled devices are really "spies inside the defensive perimeter".
There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them. No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public -- its form of showing that "its doing something".
But how can we tell? The reality is that "security specialists" are finding errors - never mind deliberately malicious code - in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find "errors" that allow subversion in mainstream IT deceives like home wifi routers (aka the next generation of spambots), home PC software (that's a no-brainer isn't it!) never mind commercial databases.
I dedicate this to the memory of Ken Thompson
Some people seem to be making life difficult for themselves with risk models such as "Impact * Probability" and as such have lead themselves into all manner of imponderable ... since this model hides essential details.
I discuss the CLASSICAL risk equation in my blog
There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using "impact".
Any asset is going to be affected by many
Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.
Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.
As such, the CLASSICAL risk equation can then be viewed as addressing residual risk - the probability AFTER applying the controls.