4nomore.net » security

Quiz: What Should You Really Fear?

xabbu — Thu, 23 Oct 2008 23:12:10 +0000

Quiz: What Should You Really Fear? – Interesting Quiz revealing how much our perception of risks and events differs from reality. E.g. related to things about terrorism.

Bruce Schneier: CYA Security

admin — Fri, 23 Feb 2007 00:10:00 +0000

Again a very good, though sad, blog entry by Bruce Schneier speaking about CYA security: the reason for security related actions are very often not for the sake of security, but just to CYA in front of the voters, the bosses etc.
Sounds very true and explains a lot of ’security actions’ going on.
Also reminds of the problem of politicians and their main goal getting reelected.

RFID Virus: “Is Your Cat Infected with a Computer Virus?”

admin — Fri, 17 Mar 2006 00:14:00 +0000

Just published was an interesting article describing for the first time the possibility and example implementation of a RFID based virus. Although it seems quite astonishing that a passive device with such limited resources (about 128 bytes of storage) can do harm, this nicely corresponds to a biological virus – limited in information (although the latter are of course much more complicated usually), passive until in the correct expressive environment and somehow ‘physical’ due to its incarnation in a physical tag.
The basic idea is that the tag id stored on the RFID tag can be used for various attacks in the RFID middleware, which typically contain DB and Web servers. This could be via buffer overflow attacks (possible since there are commands like ‘write multiple blocks’ available) or SQL injection attacks which can be very small.
The scenario starts with an infected RFID tag, i.e. a RFID tag with carefully crafted tag id. The RFID reader will activate the tag, read the data, the middleware will use it for SQL queries against a database – where the SQL injection happens, which will prepare data later to be written to subsequent RFID tags. This will spread the virus to other RFID tags (which then will travel around the world).
The authors are able to actually implement such a virus with 127 bytes in a demo scenario, including a small payload which in combination with Apache Server Side Includes will open a backdoor for a brief time …

Title: “Is Your Cat Infected with a Computer Virus?”
Authors: Melanie R Rieback, Bruno Crispo, Andrew S Tanenbaum
available at http://www.rfidvirus.org/papers/percom.06.pdf.
For more information, see also http://www.rfidvirus.org/

Do-It-Yourself Security Inspection

admin — Wed, 31 Aug 2005 22:12:00 +0000

Source: http://eurobsd.org/2005-WhatTheHack/reports/markhoekstra-030805/DSC04345.JPG

Bad Security Device

admin — Wed, 31 Aug 2005 22:10:00 +0000

Very nice example of a security device, which was not completely thought through …

Source http://www.syslog.com/~jwilson/pics-i-like/kurios119.jpg,
pointed out by Peter G. Neumann in comp.risks (see NewsSources).