BERKELEY, Calif.--A Princeton University student has shed light on security flaws in Java and .Net virtual machines using a lamp, some known properties of computer memory and a little luck. An attack requires physical access to the computer, so the technique poses little threat to virtual machines running on PCs and servers. But it could be used to steal data from smart cards, said Sudhakar Govindavajhala, a computer-science graduate student at Princeton who demonstrated the procedure Tuesday. "There are smart cards that use Java that you could shine a light on, flip a bit and get access to the card's data," he said. Govindavajhala presented the paper at the Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy here. The technique relies on the ability of energy to "flip bits" in memory. While cosmic rays can very occasionally cause a random bit in memory to change value, from 0 to 1 or from 1 to 0, Govindavajhala decided not to wait. He used … [Read more...] about Attack sheds light on security flaws
IEEE Symposium on Security and Privacy
How secret are the 'secret questions' used for resetting forgotten passwords? Not so secret after all, according to a just-published study entitled "It's no secret: Measuring the security and reliability of authentication via 'secret' questions", in which 17% of the study's participants were not only able to answer the 'secret questions' of strangers, but the most popular questions also turned out to be the easiest ones to answer. Here's an abstract from the study, presented at this year's IEEE Symposium on Security and Privacy by Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman: "We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% … [Read more...] about Study: password resetting 'security questions' easily guessed
Researchers from the University of Washington and UC San Diego bought two identical 2009 passenger cars and managed to hack them, seizing control of the engines, brakes, heating and cooling systems, lights, instrument panels, radios, locks and other auto systems. Although they would not reveal the make and model of the cars -- the cars were chosen because they represent the direction of the entire auto industry, according to researcher Karl Koscher -- a picture of one of the cars, included in a paper the group is presenting today at the IEEE Symposium on Security and Privacy in Oakland, is above. The cars sold for around $25,000 each, Koscher said. Cars are becoming more and more like computers -- they have software, wireless telematics and internal networks that connect a growing number of electronic devices and sensors, some of which were introduced 30 years ago to improve fuel efficiency after California passed its Clean Air Act. Just this week, for instance, General Motors announced … [Read more...] about Security researchers hack a car
I don't know what the designers of Tor, a network and software used to facilitate anonymous Internet use, really intended when they built it. The PR answer is that they were promoting free speech, but if they were really creating a platform for concealing criminal activity they would have gone about it the same way. Tor is one of those Internet services, like BitTorrent, which is designed to live on without any central administration at all. This enhances — so the theory goes anyway — the anonymity, security and resilience of the network. There's no site for the government or anyone else to shut down that will bring down Tor, nor would it be easy — again, so the theory goes — for the government or any other party to determine who is doing what on Tor. Of course, the government found a way to hack around these restrictions, using vulnerabilities to collect hostnames and MAC addresses of systems providing Tor "hidden services." It's not clear to me if the same … [Read more...] about Who's on Tor? Dissent, bots or porn?
This is a sequel to this morning's post about all operating systems, browsers etc. being vulnerable. A reader correctly noted that I forgot to mention that many of the security tools out there are flawed, too. The exchange on Twitter went down like this: @diretraversal: Kinda funny that @BillBrenner70 says it's all vulnerable, and then says security tools are going to help you and weighing risk. How do you compare risk if it's all just a big vat of vulnerable code, equally bad, yadda yadda. @BillBrenner70: Well... I never said it was an exact science. :-) There's probably a sequel post worth doing about the issues you raise. @diretraversal: I do agree it's all vulnerable, tho! (the "security tools" too) That last point was timely. Two stories out this morning illustrate how true it is. The first, by Dan Goodin, IT security editor at Ars Technica, is about a smartphone hijacking vulnerability affecting AT&T and 47 other carriers. In what may be the mother of all ironies, the flaw was … [Read more...] about Busted: When security tools fail
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach. Web advertisers and many others have long appreciated the volumes of information they can collect on us based only on our web browsing patterns. The data can be quite telling, revealing our locations, incomes, family status, interests and many other facts that advertisers can use to target you. Understandably, most of us would prefer that "big brother like" advertising networks aren't always watching over our shoulder while going about regular activities, including product research and purchase option exploration, and especially not while investigating medical or other highly sensitive topics. With this in mind, it only makes sense to spend a little extra time to remain anonymous while browsing. In addition to tracking, identification can result in sites blocking access to pertinent … [Read more...] about Browser fingerprints, and why they are so hard to erase
There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don't have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts. Fortunately, plenty of great conferences are coming up in the months ahead. If keeping abreast of security trends and evolving threats is critical to your job — and we know it is — then attending some top-notch security conferences is on your must-do list for 2018. From major events to those that are more narrowly focused, this list from the editors of CSO will help you find the security conferences that matter the most to you. We'll keep it updated with registration deadlines and new conferences, so check back often. While we don't expect this calendar to be comprehensive, we do aim to have it be highly relevant. If there's something we've missed, let us know. You can email your additions, corrections and updates to … [Read more...] about The CSO guide to top security conferences
We are bombarded daily with new password requirements. We have userids and passwords for everything, and trying to remember them is difficult. We create little schemes to remember the passwords, incrementing or decrementing a number somewhere within the password. We download userid and password safes to store them, yet we need another userid and password to access the password safe. In order to make it easy for us to remember the myriad of credentials we need to access this application and that tool, companies have provided series of questions; 'secret' questions that we need to choose from – at least two from the list provided. This serves to reduce help desk calls for the company while making it easy for us to remember and retrieve our userid and password. In a recent study, which I find to be quite ludicrous (we always seem to spend money in the U.S. on proving the obvious), researchers discovered the following: "In research to be … [Read more...] about Spending Money on Useless Research
Last month, Knight Capital Group lost $440 million in half an hour due to a bad automated financial trade. The loss disrupted the market, hurt consumer confidence and, according to Business Insider, led the Securities and Exchange Commission (SEC) to consider new regulations for software that controls financial transactions. Meanwhile, most of the folks in the know aren't talking. Enter Richard Gardner, CEO of Modulus Financial Engineering. Based in Scottsdale, Ariz., Modulus has offered financial products and consulting to the industry since 1997. Today the company has 55 employees and a customer list that includes Barclays, Bank of America, Chase and E*Trade. Company founder Gardner began trading in financial systems at 15, using his family's account. At 23 he wrote his first software system to assist with trade; it analyzed commodities prices based on crop and weather data. In 13 years inside the financial services industry, Gardner has seen ups, downs, evolution and a crash or two. Let's … [Read more...] about How to Secure Your Future With Robust Risk Assessment
Despite the grumpy headlines coming out of the Consumer Electronics Show this year, it's easy to get excited about the prospect of hitting Vegas and checking out all the hip, new gadgets, along with the occasional useful new piece of business technology. For those of us who do tech for a living, there are, of course, a world of more focused and vertical-specific trade shows and conferences that are a little easier to rationalize in the expense budget. If you are considering attending a conference or two in 2012, here are some candidates where you can share ideas with peers and get courted by tech vendors. Oh yeah, there probably will be some neat tchotchkes, too. We've broken the shows out by category, for review by your team. We've included only shows occurring in the United States, and some obvious candidates (such as Gartner's Symposium/ITXPO) have yet to set their 2012 dates and locations. And, of course, this is only a small sampling of what continues to be a lucrative trade show … [Read more...] about Schedule of 2012 trade shows and conferences in the U.S.