Security

Some Thoughts on Securing IoT Devices

Tags: Cryptography, Embedded, Programming, Security

Security in the Internet of Things (IoT) leaves much to be desired. Some of the recent DDoS attacks, such as those launched through the Mirai botnet against DNS provider Dyn and against the popular security site KrebsOnSecurity, were possible because of weak security measures in things like network-connected cameras. There are many reasons why the situation is what it is today, but that will not be the topic of this entry. We have seen some initiatives, notably the security guidelines (PDF) by NIST and some comments made by Bruce Schneier, but I feel that this still leaves a lot of people wondering what practical measures to take to secure their devices. Many companies in the IoT are start-ups lacking a proper understanding of what security in the embedded field entails, and they might lack (or didn't plan for) the budget to hire dedicated security people. The goal of this blog entry is to (hopefully) lift the veil on some of the methodologies that should be employed to create more secure IoT systems, from a very practical point of view.


This Is How We Build It

Tags: Cloud, Electronics, Embedded, GPS, Network, Security, Wireless

The problem with the Internet of Things is that few people truly understand what it is really about. A large percentage of the people who do understand it tend to dismiss it as yet another marketing hype, like "the cloud", with very little real substance. Due to all kinds of news reports on security issues, vendor lock-in, lack of open standards, cost overruns, etc., these people tend to see their opinions confirmed. We at WRD Systems also tend to agree with this group – to a point. The reason we do is that we see the same mistakes being made as countless times before, including the critical security issues that WRD Systems has highlighted for years. However, we also see the great potential of internet-connected devices. Probably not the refrigerators and such, but closer to the origins of the Internet of Things: Machine to Machine, also known as M2M.


SuperFish - The Saga Continues

Tags: Security

By now, some (most?) of you will have heard of Lenovo's blunder of shipping its PCs and laptops with a particularly nasty bit of malware dubbed SuperFish. A quick recap. Lenovo thought it was a good idea to pre-install some malware on unsuspecting people's new computers which would inject advertisements into the browser. As if this isn't bad enough, researchers found that SuperFish installed its own root certificate in the system's trust store and issued its own SSL certificates for any site on the fly - effectively setting up a man-in-the-middle attack so that encrypted traffic could be analyzed. Because the same root certificate and private key shipped on every affected machine, anyone who extracted that key could intercept the encrypted traffic of those users too. You can read a more in-depth article on the BBC website.

The story doesn't end here though...


Web Proxy

Tags: Network, Security

We just launched a free web proxy service: https://www.unblock-everything.com/. Not only will it help you get around firewalls and sites blocked by your ISP, it does so without logging user data. Oh, and we're 'Not Subject to American Law' - in reference to the recent NSA surveillance debacle ;-)


Smart Grid Security

Tags: Cryptography, Security

Just recently I had an article of mine published on embedded.com. In the text, I outline some of the security issues currently present in the Smart Grid, from the meter to the SCADA system. It is a brief overview only, and not too technical or in-depth. It serves as a basis for a series of future research articles detailing the security aspects of each component of the Smart Grid. Hopefully the article can be a gentle introduction to the topic, and I hope you enjoy reading it!

Tips for the security minded traveler - and others

Tags: Cryptography, Security

A lot of business travelers have at one point or another sensitive information on their laptops. This information could come in the form of a corporate document, an email, or that PowerPoint you decided to finish on that transatlantic flight. It could also be credit card and bank information, social security numbers, or even just a list of customers or contact persons. Loss of this kind of sensitive information seems to happen all the time...


The Cloud Again...

Tags: Cloud, Cryptography, Security

Have you read the recent news reports about Microsoft Azure going down across the planet because someone at Microsoft forgot to renew an expired SSL certificate? It was widely reported. It's not that I'm picking on Microsoft. After all, remember the Dropbox outage, the Amazon cloud outage, and several more. And then there is the recent security problem at Evernote...

The main reason for writing this entry however is not to point a finger at any of these providers. It's to show you that The Cloud sometimes stops being there - and the potential for problems can be much worse than the outages mentioned above. I'm talking about a certain thing called "The Smart Grid"...


Dealing with Passwords

Tags: Cryptography, Programming, Security

After the recent leaks of password hashes from LinkedIn and others, I thought it would be a good idea to write down some 'best practices' for properly dealing with user passwords and sensitive data. This entry is by no means complete, nor is it the be-all and end-all of what there is to say about the topic. What it does try to do is give a decent starting point for eliminating basic mistakes which could lead to embarrassment later on. If you're developing a new website, bringing another one up to date, or are otherwise working with users and passwords, these tips might be of help. Let's start...


LinkedIn leak

Tags: Cryptography, Security

So LinkedIn had some security issues a couple of days ago: 6 million or so password hashes belonging to its users were leaked on a Russian hacker site. There seems to be considerable confusion as to what the impact of this really is, with several websites claiming that the actual passwords were leaked, that the passwords can be 'decrypted', etc. Let's put some of these things straight, starting with some of the terminology.
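The two entries above (the password best-practices post and the LinkedIn leak post) both turn on the same point: a hash is one-way, so leaked hashes are never 'decrypted', but a fast, unsalted hash such as SHA-1 lets an attacker recover every user who chose a common password with a single lookup table. The example below is added here to illustrate that; it is not code from either post. The wordlist and the "leaked" hashes are constructed for the example, and the PBKDF2 iteration count and storage format are choices made for this demonstration, not anything the posts prescribe.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist for this example (a real attacker uses millions of entries).
WORDLIST = ["password", "linkedin", "123456", "letmein", "correcthorse"]


def sha1_hex(password: str) -> str:
    """Fast, unsalted SHA-1 of a password: the weak way of storing it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Recover passwords from unsalted hashes with one lookup table.

    Nothing is 'decrypted': each candidate word is hashed once, and every
    leaked hash that matches is resolved. Because there is no salt, all users
    who chose the same password share one hash and fall together.
    """
    table = {sha1_hex(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


# Iteration count chosen for this example; tune it to your hardware budget.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash suitable for storage.

    A random 16-byte salt makes every stored value unique even for equal
    passwords, so one lookup table no longer covers the whole user base, and
    PBKDF2's iteration count makes each guess expensive for the attacker.
    Stored as 'algorithm$iterations$salt_hex$digest_hex' (a format chosen
    for this example) so the parameters can be raised later per user.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the comparison diverged.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed 'leak': two users with weak passwords, one with a strong one.
    leaked = [sha1_hex("password"), sha1_hex("linkedin"), sha1_hex("Tr0ub4dor&3")]
    print("cracked from unsalted SHA-1:", crack_unsalted(leaked, WORDLIST))
    stored = hash_password("password")
    print("stored form:", stored)
    print("login ok:", verify_password("password", stored))
    print("wrong password:", verify_password("Password", stored))
```

Run it and note that the two weak passwords fall immediately while the third does not appear in the wordlist, and that hashing "password" twice with `hash_password` yields two different stored values, both of which still verify.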
