Skip to main content


Showing posts from May, 2012

Cryptography - As Strong As Your Weakest Link

Cryptography is as old as communication itself in many respects, with people (and even animals) developing mechanisms to shield messages from those who are not trusted.  One of the most common that has passed the test of time is that of the Caesar Cipher.  The Caesar Cipher is a basic substitution approach, changing each alphabet letter with a new letter, n positions away.  So if your movement was by 3, A would become D, B would become E and so on.  Pretty simple to use, but obviously simple to reverse too.

Modern day cryptography is generally broken into two areas - symmetric and asymmetric.  Symmetric uses the same key to both encrypt the plain text and decrypt.  Again, this is nice and simple to implement, but no matter complex the key could be, if the key is stolen, the message can be easily decrypted back in to the original plain text.

Over time, asymmetric encryption has become popular, mainly through the implementation of public key infrastructures.  PKI requires two keys, one …

Private Email - The Key To Your Personal Identity

Identity theft is big business, costing an estimated £2.7bn in 2010 [1], affecting millions of individuals.  Identity theft can occur from multiple attack vectors such as rubbish sifting for uncompleted credit card applications, right through to the more sinister underworld of fraudulent passport applications.

Whilst non-technical avenues such as dumpster surfing and social engineering are a major concern, technical methods of stealing the required information to assume a different identity are popular.  The most common is probably that of a fake URL to online banking and financial accounts.  URL Phishing is still common and still surprisingly effective.  A email correctly formatted with the appropriate wording, colouration and logo's, can often navigate through complex spam filters and land in the recipients inbox.
By arriving into the inbox, the email has instantly generated a level of trust from the potential opener, more so than if it had directly landed in to the 'junk&#…

3rd Party Software Library Security

I'm talking about software libraries of course, generally the 3rd party provided type.  That 3rd party could be from an open source community, a fully purchased library or a library even from previous employees or internal projects that are no longer active.

The likelihood is, that for nearly all of the internal and external software projects being run within an organisation, it's likely that libraries not created by the software project owner will be being used.  And why not?  Why bother creating yet another CSV parser, or email sender, or PNG generator, when 90% of  your use cases can be hit using a library already written?

Well, there are several areas of concern here.  Firstly, if you didn't write the code yourself, you can't testify that it meets the standards required either by the internal organisaion or your client, without going through the source line by line.  Secondly, a library built to do a specific task, will not necessarily be focused on security.  It&#…

Does Older Mean More Secure?

It's an interesting thought.  Most operational security plans will promote the constant need for operating system and application software to be running the most recent stable release.  Patching and roll out platforms are big business and take up a significant portion of a system administrators time.  Keeping mobiles flashed, operating systems patched, router firmware updated and the IPS/NGFW/AV/Blacklist (delete as applicable) at it's most recent signature release, is a constant cycle of automation and checks.  But is it worthwhile?

A new release of any piece of software would (should) have gone through rigorous QA and UAT before being released and made available for roll out.  The maker of the said software will nearly always promote that the customer roll out the most recent release, as it makes their support processes easier to manage and getting everyone onto the same (or similar) version as soon as possible, helps with bug management and security issues.  This is a prett…

The Internet Browser - A Gateway Out or a Vulnerability In?

Every month there is a report on the market share of internet browser tools.  The big 4 (Microsoft's Internet Explorer, Mozilla Firefox, Google's Chrome and Safari on the Mac) are generally seen as taking the majority share of the browser market with regional differences in countries and continents.

As more thin and mobile devices enter the mainstream, the main application being used by the end user will likely become an internet browser.  The subtle adoption of 'cloud' providers for goods and services (thinking music, books, news, basic storage, photo's) is now embedded in the standard home users approach to computing.  If required, there could be very little actually stored locally on a users machine with everything stored, subscribed to and accessed via an internet connection.

This concept has seen one of the first browser based operating systems in the form of Google's Chrome OS.  This is basically a single application operating system aimed solely at acces…