It is a fact, as Bruce Schneier often says: security is about trust. We have to trust our hardware, software and cloud service vendors, we have to trust their security and privacy policies and, if we don't trust them, the only alternative is to leave the service or give up the hardware or software altogether: quite drastic!
In this scenario, free software is a winning approach that can help us build trusted environments, starting from fine-grained control over the system by a worldwide community of professionals, and amateurs too.
With free software, anyone with programming skills can read the source code, look for vulnerabilities, fix them and release the improved program, with the obligation (under copyleft licenses such as the GPL) to release the new source code too, so that other developers can cross-check every patch.
iSEC Partners, Inc. conducted an assessment of the source code of the TrueCrypt 7.1a disk encryption suite.
After testing the open source code, searching for bugs, vulnerabilities and backdoors and judging whether the code is well written, iSEC published a detailed report on the security of TrueCrypt, available for download as a PDF at this address: LINK.
The results show that the TrueCrypt suite does not contain a backdoor or other maliciously implemented code that could weaken the security of the cryptographic environment. The absence of a backdoor does not mean the absence of bugs, though: like any code review, the report also lists ordinary implementation issues found along the way.
Remote Control System (RCS) is a suite from the Italian company Hacking Team that provides the functionality needed for governmental interception. RCS, like FinFisher and similar products, is designed as a scalable, multi-platform spyware infrastructure.
The commercial for RCS Galileo also claims that it can do truly amazing things. Take a look at the commercial that follows.
When we approach a system, we define an appropriate level of security based on how much risk we accept that data, or access to the service, may be stolen. The more important the service, the stronger the authentication and data protection must be.
So it is natural, for example, that a PayPal password will be stronger than a Minecraft password, because cracking the first causes far more damage than gaining unauthorized access to the second. This only holds if the two passwords are different: reusing the same password makes the weaker account the entry point to the stronger one.
In the previous article we saw in depth how the Heartbleed vulnerability works. In practice, we looked at the variant of the bug exploitable in a client-attacks-server scenario (see that article to learn more). What we will see now is the reverse exploitation, where a malicious server attacks a vulnerable client.
Reverse Heartbleed is in fact dangerous too, for two reasons. The heartbeat extension is symmetric, so either peer may send a heartbeat request and the same unchecked length field can be abused in both directions; and many clients cannot be upgraded and will never receive a fix for the vulnerable OpenSSL version they embed.
It has been about two months now since my old phone died. It was a dual-SIM QWERTY brick phone, so my next choice was to get out of the cave and finally get a smartphone, but only as a second phone.
Think about it. A smartphone is a mobile multiprotocol terminal; in practice, it is a portable ARM computer with the ability to make phone calls.
Privacy and smartphones are two words that don't go together. Smartphones and reliability don't go together either.
Stop the world: we are going to talk about the security news of the week (maybe of the month, or even of the year): the Heartbleed bug (MITRE CVE).
For those who have not yet read anything about it, Heartbleed is a bug in the OpenSSL library, which is used to encrypt internet traffic between client and server and also for the server authentication step.
Heartbleed allows an attacker, with a well-crafted heartbeat request, to get back up to 64 KB of server memory per request. The heartbeat message carries its own payload length field, and the vulnerable code echoes back as many bytes as that field claims without checking that they were actually received, so a tiny request asking for the maximum payload reads the difference straight out of the server's memory. What can be stored in those 64 KB? Anything, encryption keys included, and the attack leaves no trace in ordinary server logs.
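To make the mechanism behind both the server-side and the reverse (client-side) attack concrete, here is an added example, written for this page and not taken from OpenSSL or from the original articles. It models a heartbeat handler in two versions: one that trusts the payload length inside the message, and one with the bounds check the fix introduced. The "process memory", the fake key material next to the record, and the message layout constants are constructed for the demonstration; since the handler is the same on both peers, the same code shows why a malicious server can attack a client just as a malicious client attacks a server.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of a TLS heartbeat record (RFC 6520): one type byte, a two-byte
 * big-endian payload_length, the payload, then at least 16 bytes of padding.
 * Constructed illustration code, not OpenSSL's implementation. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };

/* Echoes the request payload back as a response.  VULNERABLE: it trusts the
 * payload_length field inside the message and never compares it with the
 * number of bytes actually received (rec_len), so a 3-byte request claiming
 * a large payload makes memcpy read beyond the record into whatever sits
 * next to it in memory.  Returns bytes written, or -1 if out is too small. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);             /* over-read happens here */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);  /* real code uses random padding */
    return (int)(1 + 2 + payload + HB_MIN_PADDING);
}

/* Same handler with the checks the fix added: the record must be at least
 * type + length + minimum padding, and the claimed payload must fit inside
 * the received record; otherwise the message is silently discarded (0). */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return 0;  /* the Heartbleed check */
    if (1 + 2 + payload + HB_MIN_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_MIN_PADDING);
    return (int)(1 + 2 + payload + HB_MIN_PADDING);
}

typedef int (*heartbeat_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Constructed scenario: the peer's receive buffer holds a 3-byte malicious
 * request (type 1, payload_length 0x0040 = 64) and, right after it, data
 * that happens to live nearby, standing in for key material.  Returns 1 if
 * the handler's response contains that neighbouring data, 0 otherwise.
 * The over-read stays inside `memory`, so the demo itself is well defined. */
int attack_leaks_neighbour(heartbeat_fn handler)
{
    static const char secret[] = "PRIVATE-KEY-MATERIAL";   /* constructed */
    uint8_t memory[128] = { HB_REQUEST, 0x00, 0x40 };
    memcpy(memory + 3, secret, sizeof secret);
    uint8_t out[256];
    int n = handler(memory, 3, out, sizeof out);   /* only 3 bytes were received */
    if (n <= 0) return 0;
    return memcmp(out + 3, secret, sizeof secret - 1) == 0;
}

/* A well-formed request: 4-byte payload "ping" plus 16 bytes of padding.
 * Returns the payload length echoed back, or -1 if the handler rejected it,
 * to show that the fixed handler still serves legitimate heartbeats. */
int legit_request_echo_len(heartbeat_fn handler)
{
    uint8_t rec[1 + 2 + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    int n = handler(rec, sizeof rec, out, sizeof out);
    if (n != (int)sizeof rec || out[0] != HB_RESPONSE) return -1;
    if (memcmp(out + 3, "ping", 4) != 0) return -1;
    return (out[1] << 8) | out[2];
}

int main(void)
{
    printf("vulnerable handler leaks neighbouring memory: %s\n",
           attack_leaks_neighbour(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks neighbouring memory:      %s\n",
           attack_leaks_neighbour(heartbeat_fixed) ? "yes" : "no");
    printf("fixed handler echoes a valid 4-byte payload:  %d\n",
           legit_request_echo_len(heartbeat_fixed));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against `rec_len`, the number of bytes actually received; the real bug and its fix were that small. A peer that embeds the vulnerable handler and cannot be updated, as many clients described above, stays exploitable no matter how the other side is patched.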