标签: Security

System-on-Chip (SoC) devices are increasing in size and becoming more complex day-by-day, with ever-increasing numbers of intellectual property (IP) blocks combined with humongous quantities of custom ("secret sauce") functionality. Not surprisingly, designing and verifying these devices is becoming ever-more problematic.   Traditional solutions include JTAG, IP vendor offerings, and in-house tools and technologies. JTAG has the advantage of being universal, but it is a decades old technology that runs at an extremely low-level. Furthermore, on-chip JTAG is pretty dumb -- all of the intelligence resides in external tools running on workstations, which means it's of use in the lab, but less so after the SoC has been deployed to the field.   IP Vendors (e.g., ARM and Imagination) have some very powerful solutions that are great in their own domain, but typically cannot span the functionality of the entire SoC. Meanwhile, mega-companies (e.g., Apple and Qualcomm) have typically made use of internally-developed tools, but the complexity of the devices they are designing is increasing at such a rate that these companies are increasingly licensing more-sophisticated offerings from external vendors while freeing up their own engineers to focus on differentiating and adding value to their products.   All of which brings us to the folks at UltraSoC , whose vendor-neutral modules operate non-intrusively across the whole SoC, reporting rich information in real-time from both hardware and software. As a rough ballpark, the folks at UltraSoc tell me that -- based on their existing customer experiences -- on an 18-month development project, using UltraSoC's solutions for debug and verification can accelerate time-to-revenue by two months (this also means saving two months of development costs).   Following deployment to the field, an UltraSoC-equipped SoC can unobtrusively monitor its own operation, thereby allowing you to refine your products on the basis of data acquired in actual, real-life usage. You can gather trend data to pre-empt in-field malfunctions; and you can access key status information in the event of a failure incident to facilitate the forensics required for root cause analysis (RCA).   Now, UltraSoC has extended its monitoring and analytics capabilities with Bare Metal Security that provides the security functionality demanded by products ranging from Internet of Things (IoT) devices to embedded systems to enterprise systems.   Conventional security tends to live at the operating system (OS) level. By comparison, Bare Metal Security features are implemented as hardware running below the OS; these features are nonintrusive and remain robust and vigilant, even if the system’s conventional security measures are compromised.   (Source: UltraSoC) As the folks at UltraSoC say: Bare Metal Security functionality uses the UltraSoC monitors to watch for unexpected behaviors such as suspicious memory accesses or processor activity, at hardware speed and non-intrusively, with minimal silicon overhead. Because it is an orthogonal on-chip hardware infrastructure independent of the main system functionality and software, there is no negative impact on system performance and it is very difficult for an attacker to subvert or tamper with. By offering resource-efficient and highly effective protection against malicious attack and malfunction, the UltraSoC on-chip analytics and monitoring system provides both development support and functionality enhancement from the same on-chip blocks. Teams which are already using UltraSoC to accelerate the debug, silicon validation and bring-up process can therefore utilize the same infrastructure for security processing; while designers who need Bare Metal Security features get the development benefits of a vendor independent on-chip debug infrastructure at zero additional cost. I, for one, am becoming increasingly concerned about security (or the lack thereof) in our electronic systems. Having the ability to embed powerful, intelligent, orthogonal security directly into the hardware seems to me to be a very good way to go, and I will be watching the progress of UltraSoC's Bare Metal Security products with great interest.

We are definitely living in interesting times. Over the years I've read a lot of science fiction stories that depicted various flavors of the future, many of which involved the concept of cyber security and nefarious strangers trying to access one's data.     Generally speaking, this sort of thing really didn’t affect most of us until relatively recently in the scheme of things. How things have changed. Now it seems that we hear about data breaches on an almost daily basis, many of which can put their victims at risk of identity theft.   In 2013, for example, we discovered that hackers had managed to steal the credit and debit card information (including names, addresses, and phone numbers) associated with more than 70 million customers. My wife (Gina the Gorgeous) was hit by this one. She received a call from a company in North Carolina asking if we had really ordered a super-large screen TV on her credit card. Of course we hadn’t. The main thing that had alerted them was the fact that the delivery address was to another state. Based on this, Gina ended up swapping out all of her credit and debit cards, which is a frustrating and time-consuming exercise.   Meanwhile, in 2014, I was informed that hackers had managed to access tens of millions of records from my health insurance company. I'm still waiting for the axe to fall from that one (we can only hope that I'm insured against axe-related incidents).   The reason for my rambling on about this here is that, whilst driving to work this morning, I heard a report on the National Public Radio (NPR) that hackers have just posted the data they stole from a company called Ashley Madison.   The report said that the ~10 gigabyte data dump was posted to the Dark Web using an Onion Address which is accessible only via a Tor Browser . Fortunately, I recently read Surviving The Zombie Apocalypse: Safer Computing Tips for Small Business Managers and Everyday People by Max Nomad (no relation), so I can now parse statements containing terms like "Dark Web," "Onion Address," and "Tor Browser" without thinking (which is, of course, my usual modus operandi ).   Thus, I was feeling pretty pleased with myself for my technical acumen, but I soon started to feel like I'd been living under a rock, because my knee-jerk first impression was that Ashley Madison was some sort of home furnishing store. You can only imagine my surprise when I bounced over to the AshleyMadison.com website to discover that their reason for being is to promote infidelity by facilitating husbands and wives having affairs. (According to their website, they've been featured on Hannity, Howard Stern, TIME, BusinessWeek, Sports Illustrated, Maxim, and USA Today, which just goes to show how little I know about what's going on in the world.)   Apparently, the data released by the hackers includes the names, addresses, and phone numbers associated with the users of the site. Also, I hear that ~15,000 of these records have .mil or .gov email addresses (just how stupid do you have to be to use this site?). I think it's fair to assume that a lot of people are not enjoying a "stress-free day" at this moment in time.   The real problem is that we still don’t seem to take security seriously. In the case of my health insurance company, for example, we came to discover that they had taken such minimalist precautions as to make one shake one's head in disbelief.   And things are only going to get worse, which means that the designers of today's electronic, computer, and embedded systems have to consider security at every point in the system -- from the leaf nodes at the edge of the Internet of Things (IoT) to the mega servers in the cloud -- because each system is only as secure as its weakest link.     "But where can we learn about this stuff?" you cry. Well, there are the Black Hat Conventions that put you face to face with people on the cutting edge of network security, and there are the Embedded Systems Conference (ESC) events that boast sessions covering the latest in embedded system security.

In 2012, three young software engineers in Switzerland developed their own secure mobile messaging app called Threema, with the clear goal to give users a tool to prevent their personal data to be stored, mined and possibly abused by big corporations and government agencies.   With the mounting interest in privacy rights and tales of data misuse in the news, the app attracted 3 million users to date, most of them over the last few months. Available for less than two euros, Threema became the most popular secure instant messenger in Germany and topped the download charts in German speaking countries for months according to Roman Flepp, Threema's Head of Marketing.   There are already many encryption services around, some more expensive, others open source and free to distribute, such as Tox - https://tox.im/ , OpenPeer - http://openpeer.org or Pretty Easy Privacy - http://pep-project.org now running a crowdfunding campaign on Indiegogo just to name a few.   So what could explain the popularity of this particular application today, ease of use for one?   “Ease of use is probably just one factor. Another important one is the possibility to use Threema anonymously” wrote us Flepp in an email exchange.   “Unlike other secure messengers, we do not use a mobile phone number (which can be easily traced to a real person) as a "primary key" to identify users but a randomly assigned 8 digit ID. This makes the «centralized hackable platform» much less of a problem than with traditional concepts”, he continued.   “Even if the server platform was hacked there's not much there to see since we do not store any meta data. Our architecture shifts most of the tasks normally done on a server, such as maintaining lists of group members, to the clients (i.e. the app itself). The role of the server is basically reduced to that of a buffer to temporarily hold the encrypted messages until the chat partners is back online.”   “The fact that we are an independent company without external funding and that our servers are located in Switzerland, where data protection laws are still pretty strict, might have added further to our popularity”, concluded Flepp. What sort of impact do you think the mass adoption of secure communication could have on society? We asked.    “More and more people now think twice before giving away private data. This growing awareness is a good thing. Using secure communication channels such as Threema is the best we can do at the moment. In the end it's going to be an arms race between surveillance authorities and citizens”. “People have a right to privacy. We give the society a tool to protect itself. At the end of the day each of us decides for its own. – It’s hard to say which impact the mass adoption of secure communication could have on society. We think it is definitely the better way to use secure communication than to contribute to data mining and to be exposed to the risk of arbitrary or possibly even abusive surveillance. A society built on mass surveillance and general distrust is probably not a place anyone would like to live in, anyway.” See Threema’s promotional video clip   So does Flepp see a shift among Internet companies making business on end-user data mining? “We don’t know how other companies make money in order to pay their bills. But you will probably agree, that there is a reason why many services in the internet and app industry are free. There's no such thing as free lunch. The question everyone should ask is: How do these companies make money?   In the long run, we think that there will be a comeback of the conservative approach such as Threema's: You pay a few bucks for a service so we can pay our bills with your money and not your private data.   The Threema app is available worldwide, an English language version has just been launched.   - Julien Happich

The industry is quite obsessed with security these days, particularly as it transitions from traditional, standalone devices to the design of connected, networked systems that are “always on.”   But sometimes it's the people on the inside, not the outside, who unwittingly present the biggest security threat.   I am a Certified Ethical Hacker, which basically means I get paid by companies to hack into their networks. My company, Digital Locksmiths, was hired by a manufacturing firm in 2011 to attempt to expose any security weaknesses that might be lurking in the ether.   A company’s external infrastructure -- including web servers, domain name servers, email servers, VPN access points, perimeter firewalls, and any other applications publicly accessible from the Internet -- is typically considered the primary target of security attacks. So that’s where we start.   Our methods include cracking passwords and eavesdropping as well as using keystroke loggers, sniffers, denial-of-service, and remote controls. In this case, I tried attacking the firewall systems with every trick in our digital lock picker’s toolkit, but to no avail: The network was locked tight, so to speak.   So I told myself, “Screw it. I’m going in.”   You see, companies with an impenetrable wall against external attacks are often surprisingly open to insider threats. Hackers are able to expose these vulnerabilities by exploiting one simple fact: Most people will respond in a highly predictable way to a particular situation.   First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.   I hopped into my truck and drove over to the facility. Doing my best to look sheepish, I walked into the front lobby and approached the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”   She smiled -- always a good sign -- and buzzed me in. Once I was inside the men’s room and confirmed it was unoccupied, I quickly yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall. I gave myself a thumbs-up in the mirror, strolled back to the lobby, and flashed the receptionist a big smile as I walked out the door.   I drove back to my office and sat down in front of my computer to wait. I knew that as soon as someone plugged one of my USBs into a computer, a program on the flash drive would auto-run and execute a remote connection to my computer.   This would give me instant access and the ability to "pass the hash." Note that I’m not talking about the good ol’ college days here; what I'm doing is taking the encrypted credentials for the computer’s owner and passing them to the company’s own server, mimicking a real and normal login.   In a short time, my computer sprang to life: With the ability now to log into the company’s network, I was poised to unleash all kinds of mayhem -- from extracting user names and passwords to opening and interacting with files on the compromised system, to taking screenshots of current activity on a user’s desktop.   Needless to say, company management was horrified to learn how easily I had hacked into their system, simply by exploiting the fact that people tend to react the same way in certain situations.   My "Big Gulp" ruse was a success because, by and large, people are inclined to be helpful. And it’s true -- curiosity does kill the cat. Nine times out of ten a person who finds a random USB stick will wonder what’s on the thing and plug it in to find out.   In fact, my backup plan should my men’s-room story have failed was to toss it in the parking lot in a prominent locale.   This episode underscores the fact that security involves more than just protection of a company's network firewall. Internal threats are real -- and they aren’t all necessarily the work of a disgruntled employee.   Employees need to understand that security threats can be triggered in numerous ways and trained on how to protect against possible security threats that may be masquerading as something perfectly innocuous -- like the guy next door. A simple policy like mandating only one type of USB device for internal use might have prevented me from gaining accessing to the network in this case.   Companies also need to recognize when they have a problem -- and the sooner they know, the better their chances of minimizing the harm done. The good news is that most enterprises have an enormous amount of data scattered throughout firewall, application, router, and log sources that is useful for determining what sorts of things are going on within their networks. The bad news is that all too few know how to aggregate and put that data to use.   Security professionals need to put in place the technologies and processes that afford them access to security logs along with some type of log management to extract the information required to keep the infrastructure secure.   Better yet, they can employ a Security Information Event Manager (SIEM) for grabbing and correlating data, as well as a process to integrate security data with identity and access information. That way, in our hacking incident, a number of alerts would have been fired off to security managers long before any proprietary data was accessed.   While it’s true that security threats have become more menacing, remember that security defenses also have become more powerful.   Terry Cutler is a Certified Ethical Hacker and co-founder of Digital Locksmiths Inc., an IT security and data defense firm based in Montreal. He serves as the company's Chief Technology Officer. He specializes in the anticipation, recognition, and prevention of security breaches.   This article originally appeared on IFSEC Global .

Read on to know the various threat levels used by different countries. A friend in England just sent me this funny email... This purports to have been created by John Cleese of Monty Python fame. It certainly sounds like something he might have written, but with the way things zip around the Internet it's hard to be sure sometimes. But be that as it may, this certainly made me smile, which has to be a good way to start a Monday morning: ALERTS TO TERROR THREATS IN 2011 EUROPE By John Cleese The English are feeling the pinch in relation to recent terrorist threats and have therefore raised their security level from "Miffed" to "Peeved." Soon, though, security levels may be raised yet again to "Irritated" or even "A Bit Cross." The English have not been "A Bit Cross" since the blitz in 1940 when tea supplies nearly ran out. Terrorists have been re-categorized from "Tiresome" to "A Bloody Nuisance." The last time the British issued a "Bloody Nuisance" warning level was in 1588, when threatened by the Spanish Armada. The Scots have raised their threat level from "Pissed Off" to "Let's Get the Bastards." They don't have any other levels. This is the reason they have been used on the front line of the British army for the last 300 years. The French government announced yesterday that it has raised its terror alert level from "Run" to "Hide." The only two higher levels in France are "Collaborate" and "Surrender." The rise was precipitated by a recent fire that destroyed France's white flag factory, effectively paralyzing the country's military capability. Italy has increased the alert level from "Shout Loudly and Excitedly" to "Elaborate Military Posturing." Two more levels remain: "Ineffective Combat Operations" and "Change Sides." The Germans have increased their alert state from "Disdainful Arrogance" to "Dress in Uniform and Sing Marching Songs." They also have two higher levels: "Invade a Neighbor" and "Lose." Belgians, on the other hand, are all on holiday as usual; the only threat they are worried about is NATO pulling out of Brussels. The Spanish are all excited to see their new submarines ready to deploy. These beautifully designed subs have glass bottoms so the new Spanish navy can get a really good look at the old Spanish navy. Australia, meanwhile, has raised its security level from "No worries" to "She'll be alright, Mate." Two more escalation levels remain: "Crikey! I think we'll need to cancel the barbie this weekend!" and "The barbie is canceled." So far, no situation has ever warranted use of the final escalation level. John Cleese – British writer, actor and tall person