Archive for the 'tech' Category
CloudAV prototypes anti-virus scanning via cloud computing
This is interesting research, but is it something you would use?
The researchers’ new approach, called CloudAV, moves antivirus functionality into the “network cloud” and off personal computers. CloudAV analyzes suspicious files using multiple antivirus and behavioral detection programs simultaneously.
In general, that’s not a bad idea. It might save a few CPU cycles on your local workstation by not having to directly virus scan files. Then again, you have to use network resources uploading each file to the cloud, where it is scanned for you.
Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis.
The privacy concerns here are obvious. Would you trust CloudAV to receive a copy of every file you want to virus scan? How sure can you be that they don’t use the contents for something else, or accidentally leak private information?
I think this idea has more merit as an internal virus scanning system for a large organization. That way sensitive data doesn’t have to leave the corporate boundary, or be sent to a third party. The benefit is that you have a more thorough and updated virus scanning engine, possibly using several different products at once.
Researchers develop next-generation antivirus system.
Big Brother
There is an insightful article in the Economist titled “Learning to live with Big Brother”. It makes some interesting points about the state of government (and commercial) surveillance as it stands today, and how it might evolve over the next several years. Here are some choice quotes that I liked:
Britain used to pride itself on respecting privacy more than most other democracies do. But there is not much objection among Britons as “talking” surveillance cameras, fitted with loudspeakers, are installed, enabling human monitors to shout rebukes at anyone spotted dropping litter, relieving themselves against a wall or engaging in other “anti-social” behaviour.
Ross Anderson, a professor at Cambridge University in Britain, has compared the present situation to a “boiled frog”—which fails to jump out of the saucepan as the water gradually heats. If liberty is eroded slowly, people will get used to it. He added a caveat: it was possible the invasion of privacy would reach a critical mass and prompt a revolt.
Skype blames Microsoft for outage
This is both scary and hilarious at the same time. I’m not a Skype user, so this hasn’t affected me at all. But apparently the huge number of Skype users rebooting last week, due to the patches released by Microsoft on Tuesday, set off a nasty chain of events. First of all, when all these systems came back up, each one attempted to log back in to Skype, causing a huge load on their servers. Coupled with the fact that Skype relies on a peer-to-peer architecture, and since the majority of their users were temporarily down for reboots, they simply could not handle the number of requests. This prevented users from getting back on Skype, and therefore prevented the recovery of the peer-to-peer network.
Skype may want to change their architecture slightly, so that users can initially join the network without logging in, and possibly allow not-yet-authenticated users to accept incoming data connections.
There is a good post about this topic on Security Fix.
TEDTalks: Janine Benyus
Watch this video from TED 2005:
In this inspiring talk, Janine Benyus provides fascinating examples of biomimicry — humans mimicking nature in the products we build and the systems we implement. With 3.8 billion years of research and development on its side, evolution has already solved problems that human designers and engineers struggle with.
RFID proof of concept pulled from Black Hat
Do you trust standard RFID cards to perform a security function? Probably; most companies use electronic access cards based on RFID, such as those made by HID, to open doors. Unfortunately, they’re not much more secure than a secret handshake - someone could easily watch you do it, and then repeat it himself as needed. Granted, this isn’t news, since we all know that RFID is capable of being cloned. It’s even been done with the new US passport.
Why, then, is this fiasco at Black Hat in DC taking place? Chris Paget, of IOActive, created a simple proof of concept RFID cloner in his spare time over the course of a month. He then put together a 75-minute briefing on how it works, and how to build your own. There was no reverse engineering or hacking necessary, since RFID technology has been patented and is therefore public knowledge.
Unfortunately for Mr. Paget, he demonstrated his device at the recent RSA Security Conference, using a typical HID access card and reader. HID happens to be one of the best selling implementations of RFID cards, and is a big company with too many lawyers. So when they came across the video of his demo, they decided it infringed on their intellectual property and therefore was not appropriate for presentation at Black Hat. Of course, the fact that Paget was going to show that unencrypted RFID should not be used in presumably secure access cards (the products that HID sell) had nothing to do with it.
Reminiscent of the Cisco escapade at Black Hat in 2005, HID contacted IOActive and the conference organizers, demanding that they cancel the talk and remove the slides from everyone’s printed materials. Once again, there was a lot of ripping paper out of conference proceedings to do.
I can’t blame them for giving in to the legal pressure, since defending themselves in a legal battle would be much too costly. The real losers in this situation are you and me. First of all, they are restricting what appears to be free speech, in the name of protecting corporate interests. Second, as RFID technology becomes ever more pervasive, I believe it should come under increased scrutiny. Not only are RFID chips appearing in all kinds of products, but they are also embedded in our passports and the new “Real ID” identification cards. Full disclosure is the right answer here, not security through obscurity.
Luckily the truth will get out, someone else will release the schematics for this or another simple cloner, and HID and its competitors will be forced to reexamine their implementations. At the very least, having this fiasco in the headlines will alert more corporate security folks to the vulnerability of their favorite access solution.
