Holly Towle, an attorney specializing in electronic commerce, offers 10 principles for handling toxic waste, or personally identifying information (PII). Each of these is addressed in depth in her article (Towle, 2009): 1. Do not touch it unless you have to; 2. If you have to touch it, learn how or whether to do so …
Schneier on Heartbleed
“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11. https://www.schneier.com/blog/archives/2014/04/heartbleed.html
Vint Cerf on Internet of Things (IoT) security
The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google’s Internet Evangelist. Vint Cerf: CS Changes Needed To Address IoT Security, Privacy
Internet of Things security: secure protocols
On the limits of the Internet of Things (IoT) security protocols (IKEv2, TLS/DTLS, HIP/Diet-HIP, PANA/EAP) with respect to the heterogeneity of communication between the IoT and the Internet. Currently: Constrained resources. The IoT is built on constrained resources (CPU, bandwidth, memory, …) that strongly influence the design of security protocols. For example, the need to exchange small packets leads …
Academics (John Viega)
When I first got into security, I was an academic, writing conference papers, grant proposals, and crap like that. Even in my time consulting and in product development, I have tried to do some things that were both academically interesting and practical. Having been on both sides of the divide, I’d say that for the …
Obfuscated TCP
Obfuscated TCP is an interesting project by Adam Langley that proposes changes to the TCP protocol so that communications are encrypted and signed. Currently the implementation consists of a set of patches for the Linux kernel and a library. The draft with the specification is worth reading (here is the abstract): This document describes an extension …
Cost analysis of Vista Content Protection
An interesting read on the costs of Microsoft Vista’s Content Protection: Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called “premium content”, typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and …
SQL Injection: news from HP and Microsoft
HP and Microsoft have released two tools for analyzing code in search of SQL injection. HP Scrawlr: Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for …
New standard for mobile (3G) security
The TIA has published a standard, IMS Security Framework (TIA-1091), on the security of 3G technologies. This is the abstract: TIA-1091 addresses the access and network security for IP-based services. The scope for this document is to specify the security features and mechanisms for secure access to the IM subsystem (IMS) for the 3G mobile telecommunication system. …
No one buys security
Bruce Schneier on the security market: No one wants to buy security. They want to buy something truly useful — database management systems, Web 2.0 collaboration tools, a company-wide network — and they want it to be secure. They don’t want to have to become IT security experts. They don’t want to have to go …