[http://feeds.engadget.com/~r/weblogsinc/engadget/~3/387757277/ Cheap SSD Drives] - [Larry] great, they are getting cheap - 32 Gig for $99, although slower and more power hungry than spinning disk. I bring this up, because the SSD drives provide a significant barrier to recovering deleted and or modified. This makes it very difficult to perform any type of forensics on these drives. How, as an industry do we deal with this situation? Not allow for system disks to utilize SSD?
[http://feeds.engadget.com/~r/weblogsinc/engadget/~3/387677950/ Secure RFID Technology?] - [
PaulDotCom] - Continuing our discussion from last week, here is a story about a new technology from Verayo which aims to use PUF (Physical Unclonable Functions) to generate a random identifier. Truth? Fiction? Who knows, this is why testing the security of devices is so important. [http://www.verayo.com/technology.html Read more here]
[http://feeds.feedburner.com/~r/AnInformationSecurityPlace/~3/387631828/ "21" Meets RFID and the 21st century] - [
PaulDotCom] - Chalk this up to "stupid ideas" here is an RFID poker table, nice!
[http://www.heise-online.co.uk/security/USB-stick-with-hardware-AES-encryption-has-been-cracked--/features/111194 Encryption is great!] - [Larry] - but bad implementations, and those that retrieve encrypted passwords are bad. We say all the time to use tried and try encryption algorithms, an this USB key manufacturer did just that. However, they added the ability for the password that is also used to access the device to be checked against a history of passwords. This function resides in memory, and brute force of the passwords can be conducted.
[http://www.f-secure.com/weblog/archives/00001487.html A Note About Mobile (in)security] - [
PaulDotCom] - So, make a long story short, while an F-Secure researcher was giving a presentation about mobile security, a bluetooth worm outbreak happened and people's phones in the room were infected. There is also this [http://www.f-secure.com/weblog/archives/00001483.html scary Java vulnerability] that could effect mobile phones, over 100 million of them in fact. So, how do you control this in your environment? Do you just give people phones, or do you have a managed system like Blackberry? But what happens if a bluetooth phone worms creeps into your building? "Hi, this is security, before you can enter the building you must disable bluetooth on your phone". Is there even such a thing as a bluetooth IDS/IPS?
[http://www.heise-online.co.uk/security/USB-stick-with-hardware-AES-encryption-has-been-cracked--/features/111194 SCADA Attack released] - [Larry] - No offense to Kevin, but this is a re-implementation of the attack released by CORE a month or so back. So why does this one seem to get more press? This implementation is a Metasploit module. Yep, you can attack the latest in SCADA vulnerabilities for free.
[http://hardware.slashdot.org/article.pl?sid=08/09/08/2246203&from=rss You own the hardware] - [Larry] - You own the hardware, so tinker with it. There is already some folks poking at the Esquire magazine E-ink cover. Sure, not a device that has huge security implications, but take ownership of all of the other small (or large) devices that you network in your home or office.
[http://securityvulns.com/Udocument473.html Wireless Driver Vulns, and no patches, oh my!] - [
PaulDotCom] - Laurent Butti and Julien Tinnes
from France Telecom have found vulnerabilities (DoS, possible remote code) in several wireless chipsets. For example, the Netgear WN802T (firmware 1.3.16) with MARVELL 88W8361P-BEM1 chipset is vulnerable to a bug that "...can be triggered by a malicious association request to the wireless access point with a Null SSID." Wow, thats pretty easy, and guess what, NO PATCH. [http://securityvulns.com/Udocument474.html This one, for Atheros, is patched]