IoT Security: Old Problems + New Situations = New Problems


A few days ago, news broke concerning the unintended exposure of the US military around the world, due to a fitness tracker that allows its users to share their exercises and exercise locations. Perhaps even more disconcerting is that in this case, the fitness tracker or wearable (which is paired with the user’s smartphone) seems to have default settings that enable such sharing. Privacy problems introduced by location-aware technology are not new. Research into mobile applications has revealed privacy concerns

Quick Overview of Spectre and Meltdown Attacks – Vulnerabilities in CPUs


On Wednesday, January 3, 2018, security researchers announced a series of security vulnerabilities that affect most of the world’s microprocessors (CPUs), going back about 20 years. Unsurprisingly, it’s caused a major firestorm in the media, and although I’m a little tongue-tied on this one – as some might have guessed – it’s well worth it to provide a high level overview and link repository. Summarily, the vulnerability means that due to the way modern microprocessors schedule and execute instructions, it

Most Critical Web Application Security Risks in 2017


As 2017 draws to a close, I find myself reflecting on the major application security risks of today. Unsurprisingly, I recall the OWASP Top 10, which has become a de facto standard for web application security. In the Information Security industry, it is well known that once a web application or service is hosted, it is likely to be automatically probed for security flaws – and perhaps compromised – within hours. This year, the OWASP Top Ten was revamped to cater to

Using Deep Learning to Build Secure Software


Neural networks are a set of algorithms, modeled loosely after the human brain, that are designed to recognize patterns. They interpret sensory data through a kind of machine perception, labeling or clustering raw input. The patterns they recognize are numerical, contained in vectors, into which all real-world data, be it images, sound, text or time series, must be translated.… a great resource for concepts, architectures, and tools. Neural networks (also referred to as deep neural networks or deep learning)

How to Create Good Architecture Diagrams for Securing Systems


Most software projects, especially those that are considered to be particularly valuable to attackers, should go through the Threat Modeling and Security Architecture Review activities of the Secure Development Life Cycle. Threat Modeling is a process by which potential threats can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. Security architecture review involves the analysis of the architectural and design solutions that mitigate threats identified in the Threat Model. Good architecture diagrams are vital to effective

Complex Passwords Are Probably Useless


For a time, the security industry and many technology users have wondered about the usefulness of complex passwords. To protect access to systems, passwords provide the most basic security. It’s often recommended that passwords be combined with other authentication mechanisms, but that’s a different blog post. Since simplistic passwords like names, birth dates, places, etc. are easily guessed by automated software, the recommendation for years has been complex passwords. I’m sure you have come across instructions like this when creating passwords for

9 Basic Rules for Using Crypto in Application Development


At its simplest, cryptography (or crypto in nerd parlance) is the study and practice of secure transmission of secrets between two parties, given the presence of a third party. In the wide expanse of information technology systems and applications, crypto forms the foundation of trust for many interactions that require confidentiality. One example is an online banking web application that requires a secure means of transporting the user’s authentication credentials from their web browser to the back-end server that houses the bank’s

After NSA leak aids Cybercriminals, should Governments keep hoarding Security Backdoors?


Earlier this month, May 2017, hospitals, corporations, and government offices in 74 countries around the world were hit by ransomware attacks. Ransomware is malicious software that locks a computer and its data with strong cryptographic algorithms until the owners of the computer pay a ransom. Interestingly, the computer code used in crafting the malicious software that compromised those systems with ransomware was derived from code developed by the United States’ National Security Agency (NSA). The NSA had identified security flaws in

8 Basic Rules for Handling Passwords Securely


Authentication, Authorization, Authentication… some say passwords have failed. They may be right, but passwords are still here. Software developers should expect users to select strong passwords and, likewise, software users expect their data (including passwords) to be stored securely by software vendors. There never seems to be a wrong time to talk about this, considering the almost constant trend of data breaches. Here are 8 basic rules for handling passwords securely: Provide Brute Force Protection at Authentication Points: This defeats
