At the HackMiami Conference on May 16, 2015, I did a presentation on an Introduction to Internet of Things Security. The presentation is now up on YouTube. I have the link below.
As a tie-in to the presentation, I am providing here links to the various resources that I covered in the presentation, along with others I didn't have the time to. If you come across other items of interest, please add them to the comments.
Saturday, May 16, 2015
Wednesday, April 23, 2014
Currently Reading: Schneier on Security
A book that I am currently reading is Schneier on Security (2008) by Bruce Schneier.
I would hope that most security professionals out there are familiar with Bruce. He has written several books and numerous articles. His blog, Schneier on Security, is well known, as is his monthly e-newsletter Crypto-Gram (go to his blog to read and subscribe).
For myself, I've read many of his materials and seldom disagree with his views. I think it is mainly where I think he may not have all the info that I disagree with his conclusions. Frankly, I find that too many other security experts of his caliber are sadly a bit stuck in their ways and the views are too off.
Schneier is known for actually criticizing many of the so-called "security" measures put into place for really failing to make us more secure. He called this "security theater". So while some so-called experts push for new IDs or more surveillance, Schneier points out that all this stuff doesn't do what it claims, and may, in fact, make us less secure. You have to wonder what the real reason is that some people push these methods.
Schneier on Security is a collection of essays written between 2002 and 2008 that have appeared in various magazines, newspapers, websites and Crypto-Gram. A few he updated at the time of the publication of the book (2008), and all cite the original publication. Sadly, being over 5 years old, some of the statements are now a little dated, but if you overlook that, there are many interesting items here.
The book is organized into a dozen chapters:
- Terrorism and Security
- National Security Policy
- Airline Travel
- Privacy and Surveillance
- ID Cards and Security
- Election Security
- Security and Disasters
- Economics of Security
- Psychology of Security
- Business of Security
- Cybercrime and Cyberwar
- Computer and Information Security
Because each essay is fairly short (2-3 pages max), and most are just gathered into each chapter by common topic, one can jump around and read what sparks your interest. In fact, that's what I have been doing.
As some of the topics go beyond just the technical information security that many of us in the infosec world focus on, I think it's good that we have a better understanding of security outside of IT, as well as of how what we do affects other areas.
So check it out. And if you like what you see, check out his other works as well. His latest book, Carry On, is actually a "sequel" to this work, collecting articles from 2008-2013. I don't have it yet, but plan on getting it soon.
<updated 5/1/2014>
Tuesday, December 10, 2013
Apple's TouchID on the iPhone 5S
Since the Apple iPhone 5S came out, I've read a few articles on one new feature of the phone, the TouchID fingerprint recognition system. This is not the first time that fingerprint systems have been used in either smartphones or other technology devices, but I think this is the first time one has been put in a device with more mass consumer use.
I recall that several laptops over the years have included a fingerprint system. My current laptop has one, though I don't use it. With smartphones, the Motorola Atrix 4G has it. I used the phone for a while, and it seemed to work OK, though when a new version of Android was rolled out, it no longer worked. That was part of the problem. With the iPhone 5S, fingerprint recognition is actually built into iOS 7, and is not an add-on service as with the Atrix 4G or with various laptops.
But people will keep trying to add fingerprint systems to devices. I even have a USB thumbdrive that has a fingerprint system in it.
Thing is, fingerprint recognition is tricky. There are a lot of potential issues, especially as the finger can get dirty, which can affect the effectiveness of the scanner.
Why people want to use them is pretty clear. When it comes to authentication, there are 3 factors that can be used:
- "what you know" (passwords, other information)
- "what you have" (hardware tokens)
- "what you are" (biometrics: fingerprint, handprint, iris scan)
A system that uses more than one factor is considered more secure. Thus, your basic login system which uses username & password is actually using "what you know" twice. Whereas adding a "what you have" factor, such as a hardware token or a one-time code sent to your phone, is considered more secure.
Biometrics is more tricky. But it's getting better. I recall that a college I was at tried a handscan system for the cafeteria, but due to issues dropped it for an ID card. I think the face scanner ideas are interesting.
Another factor that people are really concerned about is privacy. People are concerned that Apple will be able to pull their fingerprints from their phones. Something to look into further.
This is a work in progress, and I plan to return to this topic.
Friday, May 3, 2013
Security of the Internet of Things
Have you heard about the "Internet of Things"?
I have, thanks to trying to keep up with the whole Maker/DIY area, especially with things like Arduino, Raspberry Pi, BeagleBoards, and the like.
The whole idea, from a techie standpoint is pretty cool. All these little devices able to communicate with each other and to other devices like computers and the like, usually wirelessly (WiFi or IR or Bluetooth). Neat.
But what about security? Has anyone thought about that?
Everyone gets excited by the possibilities, but sometimes forgets about that. Even me. The whole thing seems cool and exciting, and security was furthest from my mind.
But it looks like others aren't ignoring that. In my research into MDM vendors, I came across one vendor that has a broader focus than just mobile devices, one that includes the "Internet of Things": Mocana. This is not an endorsement of them, but I find it interesting that they do have stuff covering the Internet of Things as well as mobile devices. I am still looking over what they have, but others may also benefit by taking a look at their blog, their webinars, and reports in this area.
There are several books at Amazon on the Internet of Things. The only one I have is the one from O'Reilly/Make:
Check it out.