Sunday, 18 May 2008

Taking laptops abroad

Some interesting advice from Bruce Schneier on protecting private or company confidential information held on a laptop PC when travelling abroad.

Thursday, 15 May 2008

Is the NSA (still) ahead of the crypto community?

This blog post speculates on how much the NSA knew about cryptography that the public crypto community did not, and whether it still holds some kind of advantage. It draws on a recently declassified Top Secret document from 1989, "Third Party Nations: Partners and Targets", although many words and whole paragraphs of it remain redacted.

Thursday, 8 May 2008

VoIP - the next malware battleground

This article analyses the relative immaturity of today's VoIP products and technologies, and illustrates the types of vulnerability that malware will undoubtedly seek to exploit. The lesson: the unquestioning trust we place in PSTN telephony, built up over decades of use, leaves us ill-prepared for the brave new world of IP telephony. Two sound-bites from the article make the point:

"Researchers found more than 100 design or implementation flaws in products from Avaya, Nortel Networks and Cisco Systems that could allow outsiders to execute code on handsets, PCs or servers; compromise systems; block service; or steal accounts."

"It's only a matter of time until IP telephony is hit by spam and malware, experts say."

Wednesday, 7 May 2008

The double-edged sword of dual-use technology

This is an article by security guru Bruce Schneier in Wired magazine. It explores the implications of global commercial technology (e.g. operating systems, browsers, firewalls, routers) increasingly being used by governments around the world to protect systems holding classified information. The dilemma: if a national security agency discovers a vulnerability, should it keep it secret and exploit it against its adversaries (at the risk that they are doing the same to it), or should it tell the product vendor so that everyone benefits from the fix (commercial organisations included)?

Declassified NSA documents online

The US NSA (National Security Agency) and CSS (Central Security Service) have a programme of declassifying old documents and putting them online. Topics range from cryptanalysis techniques to the Cuban missile crisis, the assassination of JFK and even UFOs. Lots of interesting material for academics and historians, or anyone with a curious nature and some spare time...!

Tuesday, 6 May 2008

YubiKey - tiny OTP authentication token

This is a great new OTP authentication token: a tiny USB device that presents itself to the host as a USB keyboard and types out a long, complex OTP each time one is needed.

It seems to have multiple benefits over traditional OTP tokens that use an LCD screen:
  • very small
  • no battery
  • generates much longer OTPs
Because it emulates a USB keyboard it works on most computers regardless of operating system (no special driver needs to be loaded). Being so simple, it should also be incredibly cheap. Read more about the technology here.
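The other half of the story, which the post above does not cover, is what the server has to do with the string the key types. As an added example (not code from the original post, and not Yubico's own implementation) here is a minimal validator for the published YubiKey OTP format: 44 modhex characters, a 12-character public ID followed by 32 characters encoding a 16-byte block that the device encrypts under its per-device AES-128 key, with a CRC-16 trailer and two counters inside. Two things are assumptions: AES is not in the Python standard library, so a clearly labelled XOR stand-in (`toy_cipher`) takes its place and must be swapped for AES-128-ECB in real use; and the device ID, key, uid and `make_otp` helper are constructed test data that stand in for a real key.

```python
# Added example, not from the original post or from Yubico.  Validates a
# YubiKey-format OTP: modhex decode, decrypt, CRC-16 check, uid check, and
# replay protection on the (use counter, session counter) pair.

MODHEX = "cbdefghijklnrtuv"   # 16 letters at the same positions on every
                              # Latin keyboard layout, so the typed OTP
                              # survives whatever layout the host uses
RESIDUE_OK = 0xF0B8           # CRC-16 residue of a block with a valid trailer


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string into bytes; raises ValueError on bad input."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX.index(c) for c in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def crc16(data: bytes) -> int:
    """CRC-16 (poly 0x8408, init 0xFFFF) as used in the YubiKey token."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def toy_cipher(key: bytes, block: bytes) -> bytes:
    """STAND-IN for AES-128-ECB (assumption, not the real algorithm): a
    symmetric XOR with the 16-byte key so the example runs offline."""
    return bytes(a ^ b for a, b in zip(block, key))


def parse_token(plain: bytes) -> dict:
    """Split the 16-byte decrypted block into its fields (little-endian)."""
    if crc16(plain) != RESIDUE_OK:
        raise ValueError("bad CRC: wrong key or corrupted OTP")
    return {
        "uid": plain[0:6],                                     # private identity
        "use_counter": int.from_bytes(plain[6:8], "little"),   # ++ per power-up
        "timestamp": int.from_bytes(plain[8:11], "little"),
        "session_counter": plain[11],                          # ++ per OTP
    }


class Validator:
    """Per-device state: key, private uid, and the last counters accepted."""

    def __init__(self):
        self.devices = {}   # public_id -> {"key", "uid", "use", "session"}

    def register(self, public_id: bytes, key: bytes, uid: bytes):
        self.devices[public_id] = {"key": key, "uid": uid, "use": 0, "session": 0}

    def validate(self, otp: str, decrypt=toy_cipher) -> str:
        """Return 'OK' or a rejection reason; advances replay state on OK."""
        if len(otp) != 44:               # 12 chars public id + 32 chars block
            return "BAD_OTP"
        try:
            public_id = modhex_decode(otp[:12])
            block = modhex_decode(otp[12:])
        except ValueError:
            return "BAD_OTP"
        dev = self.devices.get(public_id)
        if dev is None:
            return "UNKNOWN_DEVICE"
        try:
            tok = parse_token(decrypt(dev["key"], block))
        except ValueError:
            return "BAD_OTP"
        if tok["uid"] != dev["uid"]:
            return "BAD_OTP"             # right public id, wrong key/uid pairing
        # Replay protection: the counter pair must advance strictly, so a
        # captured OTP (or one from an earlier power-up) is refused.
        if (tok["use_counter"], tok["session_counter"]) <= (dev["use"], dev["session"]):
            return "REPLAYED_OTP"
        dev["use"], dev["session"] = tok["use_counter"], tok["session_counter"]
        return "OK"


def make_otp(public_id: bytes, key: bytes, uid: bytes, use: int, session: int,
             timestamp: int = 0x123456, rnd: int = 0xBEEF, encrypt=toy_cipher) -> str:
    """Build an OTP the way the device does (constructed test data; a real
    key uses a random `rnd` and a running timestamp)."""
    body = (uid + use.to_bytes(2, "little") + timestamp.to_bytes(3, "little")
            + bytes([session]) + rnd.to_bytes(2, "little"))
    crc = (~crc16(body)) & 0xFFFF        # complemented CRC gives residue 0xF0B8
    return modhex_encode(public_id) + modhex_encode(encrypt(key, body + crc.to_bytes(2, "little")))


if __name__ == "__main__":
    v = Validator()
    PUBLIC_ID, KEY, UID = bytes.fromhex("0102030405ff"), bytes(range(16)), b"\xaa" * 6
    v.register(PUBLIC_ID, KEY, UID)      # constructed sample device
    otp = make_otp(PUBLIC_ID, KEY, UID, use=1, session=0)
    print(otp, v.validate(otp))          # first use is accepted
    print(otp, v.validate(otp))          # the same string again is a replay
```

Note that the keyboard emulation that makes the token driver-free also means the OTP is typed into whatever field has focus, so the validator above, not the token, is what stops a captured OTP being reused: the counter comparison is the control to get right.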

Hear (or read) Steve Gibson's views on YubiKey in his Security Now podcast.