encryption

The Importance of Secure Flashing for Embedded Devices and Secure Implementation Practices

This is the third article in the series about embedded devices security, which started with Strengthening the Security of Embedded Devices. The second article was Secure Booting for Embedded Devices: Safeguarding Systems from Intrusions. In this article, we will explore the importance of secure flashing for embedded devices and discuss best practices for implementing secure firmware updates. Secure flashing refers to the process of updating or replacing firmware on an embedded device in a secure and reliable manner. Firmware is the software code that runs directly on the hardware of the embedded device, controlling its functionality and behavior. Secure flashing ensures that firmware updates are performed in a way that minimizes the risk of unauthorized access, tampering, or corruption. It involves implementing a set of security measures and practices to ensure the integrity, authenticity, and confidentiality of the firmware during the update process. Embedded devices often rely on firmware updates to enhance functionality, address vulnerabilities, and ensure optimal performance. However, the process of flashing firmware onto embedded devices can introduce security risks if not handled properly.

Significance of Secure Flashing

Vulnerability Mitigation: Firmware updates often address security vulnerabilities discovered in embedded devices. Secure flashing ensures that these updates are…


Lack of security made simple: Casual Insecurity

I am travelling quite a lot because of my job, working with Avira’s customers to integrate their OEM technologies. For this reason, I am very often in hotels and airports. Almost everywhere these days I can find free WiFis: wireless networks with free-of-charge access. We all know that accessing resources through free WiFis is not the best idea, especially if these networks do not have any kind of password set.

This is how I think the lack of security is made so simple: offer something everybody needs for free and make it as insecure as possible. Maybe at the beginning there will be only a few who don’t access the free unprotected WiFi. But in time, everybody will think it is absolutely normal that a WiFi is supposed to be free and unprotected. And this is how you convert masses of people to lower their security expectations. I call this concept “Casual insecurity”.

Read here in my free eBook how to “Improve your security”.


About ransomware, Google malvertising and Fraud

I am sick and tired of seeing so many people affected by this wave of ransomware attacks. I don’t want to go into details about ransomware like Locky because quite a lot has been written about it. The most common way that Locky arrives is as follows: you receive an email containing an attached document. The document advises you to enable macros “if the data encoding is incorrect.” If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it. The saved file serves as a downloader, which fetches the final malware payload from the crooks. The final payload could be anything, but in this case it is usually the Locky ransomware. Read more details here (Naked Security of Sophos).

Now, desperate people who just got all their documents encrypted by Locky search the web for possible solutions. Remember: Locky scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X…


Quoted in Tech News World: Paris Attacks Deepen Encryption Debate

Paris Attacks Deepen Encryption Debate, by Richard Adhikari, Nov 18, 2015 5:00 AM PT

ISIS has threatened to attack the United States and continue its reign of terror elsewhere in the world, so an argument could be made that the high-tech industry would serve the greater good by agreeing to weaken encryption. “No, it should not,” maintained security expert Sorin Mustaca. “There has to always be somebody who controls those that control everyone else. The day when security companies give in to those demands is the day there’s no privacy for everyone,” he told TechNewsWorld.

Additional comments not in the article:

Weakening encryption does not help fight terrorism. There is too much data out there, and even if everything were plain text they would still not be able to detect discussions about a planned attack. It is like searching for an exotic fish in an ocean. The usual fish is plain text; the data you are looking for is the exotic colored fish. The fact that the exotic fish is hiding (the data is encrypted) doesn’t make much of a difference, does it?


Quoted in the (ISC)2 Europe newsletter: ENCRYPTION IS NOT SOLVING ALL CYBERSECURITY PROBLEMS

ENCRYPTION IS NOT SOLVING ALL CYBERSECURITY PROBLEMS

Sorin Mustaca, CSSLP, shares his thoughts from a recent Frankfurt-based automotive show on the overreliance of the car industry on encryption, noting: “…all those lights are sensors and processors which communicate with each other via the CAN bus (Controller Area Network). If one of them is compromised, it will send invalid data to the others and the consequences are unpredictable. The data will leave the car encrypted and will be decrypted on destination, but the information is compromised.”



Security checklist for “Back to school”

The summer is coming to an end soon, and we know that the next thing to happen is: children go back to school. Parents are always concerned (for good reasons) about what and how their children will do, and for a couple of years now they have had other concerns. Their children have smartphones and multiple online identities, and parents are worrying about the security of these physical and digital assets. Thinking of this, I created this checklist which parents and children (and not only they) can easily go through to improve their security.

Mobile devices

– Password/PIN protect your laptop, smartphone, tablet. For laptops, use a good strong password. Learn here how to make one. For smartphones and tablets, even if it is recommended to enter a password as well, sometimes it is not very easy to enter a complex password. This is why you should enter a PIN. Don’t even think of 1234 or such. Think of a number that makes sense for you so that you can remember it. Please don’t write it on the back of the device.

– Encrypt your device. Most devices support encrypting the internal and external storage either natively or with an external app. Doing so has the…



Truecrypt shutdown – 5 questions that must be asked

If you visit www.truecrypt.org you see the text below. If you install the software, you see it quite a few times. The domain www.truecrypt.org now only redirects to www.truecrypt.sourceforge.net. There are many articles written on this topic, especially on “WHY?”.

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

And when you try to download it:

Download:
WARNING: Using TrueCrypt is not secure
You should download TrueCrypt only if you are migrating data encrypted by TrueCrypt.
TrueCrypt 7.2 sig key
If you use TrueCrypt on a platform other than Windows, click here.

So, you can still use it. And it works as expected, except that you will get some warnings from time to time. So far, so good…

But the biggest question is WHY did they…



Duplicati: How to create your own secure online backup for free

One thing that almost all online backup solutions (e.g. Dropbox, CX, Memopal, etc.) have in common is that they don’t allow the user to store encrypted files on their storage. They encrypt the connection from the user’s computer to the cloud service, but once the files are there, they will be stored either unencrypted or encrypted with a key that the service provider has. This practice allows the provider to index the files and check their checksum. Once a file has a known checksum (usually SHA1) it will no longer be uploaded to the storage; it will only be referenced, in order to spare some space. Although this allows the provider to massively optimize the storage, it has a major drawback: zero privacy for the user. If somebody hacks the storage (see Dropbox’s privacy problems in the past), then your files will be available unencrypted to the attacker. In light of the NSA surveillance, this means that they can get their hands on your files without any problem at all. In the last two years it seems that the problem started to be solved by some providers (e.g. Wuala) which saw the opportunity and offered upload of the files which…

