There has been some growing speculation as to whether the NSA was aware of the Heartbleed vulnerability in advance. The story was raised and reported by Bloomberg, denied in the New York Times, and then sort of questioned again by the New York Times.
But the thing that strikes me the most is a quote from former NSA Head Michael Hayden who is on record as saying:
Some vulnerabilities are such that they marginally (but importantly) weaken a system but exploitation still depended on skills, systems and technologies that few, if any, can match. If the judgment is what is called NOBUS (nobody but us could do this), the risk management decision is pretty easy. Of course, that judgment could change over time and still requires continuous due diligence. (Security Current)
Given the ramifications that Heartbleed could potentially have on the fundamental infrastructure of the Internet, if the NSA was involved I think there needs to be some holding of account.
Reported fairly widely in the press is the story about a 5 year old managing to gain access to his father’s X Box Live account and access otherwise restricted video games.
The reports seem very consistent detailing the steps he went through to gain access to the account. Essentially finding a vulnerability in the password reset feature of the X Box One log on screen.
Microsoft have apparently rewarded the youngster with money, games and recognition; and for a 5 year old it must be a nice little 15 minutes of fame, not to mention free games.
What I am a little concerned about is that with all this coverage, no one seems to be asking how a vulnerability that is simple enough for a 5 year old to discover and exploit managed to get into a production system. Also, where else is the code for authentication used?
Don’t get me wrong, I am all for supporting innovation in security research at any age. But let’s get some perspective and start asking the questions that should really be asked.
For details either Google it, or try this link:
http://www.tomshardware.com/news/microsoft-xbox-one-security-5-year-old,26471.html
Granted part #1 of this article turned out to be a little more complex to execute that first reported (don’t believe EVERYTHING you read in a blog!), but this one turns out to be a little more serious.
Reported fairly widely in the mainstream tech-press, this vulnerability permits the retrieval of private data from the iPhone and bypasses any user passcode available. Looking at the process involved, this puts the technique into the hand of someone with mid-level technical expertise (thankfully we aren’t quite at the Hollywood-security model of hitting a few keystrokes to bypass a password prompt).
The following video gives you a good demonstration of the process and for those wanting a little more detail, the technical paper supporting this process can be found here.
At first glance this could be some talented computer animators take on Google. However, when you add the fact that it was a paid commercial shown in Times Sqaure on the Jumbotron it takes on a bit of a new meaning.
Essentially this is a fight between a privacy advocate group and Google (who appear to have snubbed them at their own peril) over liberties taken with the use of user (i.e. most of the Internet) personal information.
While I think their intentions may be noble, I think they are fighting a battle that has been fought, lost and celebrated by the victor over a few generations! If you wanted privacy on the Internet, around 1995 was the time to put these mechanisms in place.
Two refuges exist for the true privacy seeker:
(Oh, and slight irony alert. I wonder how much YouTube found out about you and your viewing preferences while watching this video?)
First up let me say; I own an iPhone, I like the iPhone and will probably use one until a smart phone alternative appears that has the application eco-system developed to a level I am comfortable. I generally fall into the category of smart phone users who use their device as a phone and portable ultra-mini computer.
Now that said, I do have concerns about the security of the device and the way it is slowly creeping into the corporate arena. The the following link from www.h-online as an example; Vulnerability in iPhone data encryption.
I will let you read the page for yourself, but in brief bypassing iPhone encryption can be as easy as turning it on! Add this to the amount of personal information that can be stored in 8 GB or more, and I would really recommend changing every password you have if your phone gets stolen, lost or even out of your possession for a matter of minutes.
Coming soon: iPhone in-Security Part #2: adventures with iPhone data theft
The recent release of Opera Mini for the iPhone has seen it shot straight to the top of the Free Apps charts. This in general is good. The Safari iPhone browser is a little lacking in feature and competition is always generally good in such a regimented environment.
Now here comes the but. One thing that isn’t widely known by the majority of the consumer market (I am excluding those with some technical knowledge here) is how Opera Mini works and the ramifications on visit any secure site such as online banking (which should be noted a few banks are now offering mobile device friendly websites and I am sure more to follow).
One of the big selling points is the speed that Opera Mini achieves. Unfortunately it achieves this via proxying all content, compressing it for mobile platform delivery and then passing it on. On the average website this isn’t such a huge problem, however on a secure site such as a banking website, this will expose your details to the servers that are acting as the proxy.
On the whole this itself may not even be a problem, I am certain that Opera have security around this infrastructure to prevent disclosure of information. However I think this does raise a few general questions:
Am I saying not to use Opera? No, it is a viable option as a web browser. All I want to point out here is that you need to be aware exactly what is happening to your information and the fact that Opera should be making this fact a little more accessible to the average user