For a time the security industry and many technology users have wondered about the usefulness of complex passwords. To protect access to systems, passwords provide the most basic security. It’s often recommended that passwords are combined with other authentication mechanisms, but that’s a different blog post. Since simplistic passwords like names, birth dates, places etc. are easily guessed by automated software, a recommendation for years has been complex passwords. I’m sure you have come across instructions like this when creating passwords for …
Category: Information Security
At its simplest, cryptography (or crypto in nerd parlance) is the study and practice of secure transmission of secrets between two parties, given the presence of a third party. In the wide expanse of information technology systems and applications, crypto forms the foundation of trust for many interactions that require confidentiality. One example is an online banking web application that requires a secure means of transporting the user’s authentication credentials from their web browsers to the back end server that houses the bank’s …
Earlier this month, May 2017, hospitals, corporations, and government offices in 74 countries around the world were hit by ransomware attacks. Ransomware is malicious software that locks a computer and its data with strong cryptographic algorithms until the owners of the computer pay a ransom. Interestingly, the computer code used in crafting the malicious software that compromised those systems with ransomware was derived from code developed by the United States’ National Security Agency (NSA). The NSA had identified security flaws in …
BlackDuck, the open source security company, has made its security assessments available online. Open Hub is a free version (with certain limitations I’m sure) of their BlackDuck Hub tool. Not every package has been assessed. Project searches will be in the form of https://www.openhub.net/p/boost, as an example. …
Authentication, Authorization, Authentication… some say passwords have failed. They may be right, but passwords are still here. Software developers should expect users to select strong passwords and likewise, software users expect their data (including passwords) to be stored securely by software vendors. There never seems to be a wrong time to talk about this considering the almost constant trend of data breaches. Here are 8 basic rules for handling passwords securely: Provide Brute Force Protection at Authentication Points: This defeats …
An IOCTL (an abbreviation of input/output control) is a system call for device-specific input/output operations and other operations which cannot be expressed by regular system calls. It’s an interface, exposed through a system call, through which user space can communicate with device drivers. Ioctl interfaces are a primary attack surface for drivers (especially in less audited 3rd party or non-OS code) since they parse input from user space – hence that input should be validated properly. Vulnerabilities in …
I often get asked, “How can I become a security expert?” or “What certifications can I take to improve my information security skills?”. Daniel Miessler’s insightful Guide to Information Security Certifications describes the content, cost, and purpose of numerous internationally acclaimed information security certifications. …
Cyber attackers come in different shapes and sizes; different goals, capabilities, risk tolerance etc. As defenders protecting the enterprise, the network or data in our software systems, it’s well worth the effort to understand the different characteristics of those who may attack us. Armed with that knowledge, we can identify which malefactors may be interested in our systems, and equip ourselves for defense. The matrix below (an excerpt from Securing Systems by Brook Schoenfield) provides a good summary of the …
Corporations have always worried about certain nefarious entities compromising or stealing their trade secrets – even before the advent of the Internet. The global accessibility that the Internet provides has driven those fears outer space high, and nation states have hopped aboard the fear wagon – as well they should! Hardly a week goes by without a mention of a data hack, breach, or leakage. The current debate – if we could call it that – concerning cyber attacks during …
Programming in C or C++ often results in better application performance as both languages do not have the – sometimes clunky – abstractions that are present in higher level languages like Java, Python, and C#. C/C++ allows for more flexibility in accessing OS resources, including memory. The caveat is that C/C++ does not have the inbuilt protection, provided by higher level languages, that reduces or eliminates the possibility of security vulnerabilities like stack overflows, heap overflows, integer overflows, integer underflows, format string attacks …