secure

ECS, Educational, General July 8, 2023

Secure Booting for Embedded Devices: Safeguarding Systems from Intrusions

This is the second article in the series about embedded devices security, started with Strengthening the Security of Embedded Devices Embedded devices are specialized computing systems designed to perform specific tasks or functions within a larger system. Unlike general-purpose computers, embedded devices are typically integrated into other devices or systems and are dedicated to carrying out a specific set of functions. They are often characterized by their compact size, low power consumption, and optimized performance for their intended application. No wonder that embedded devices are becoming increasingly prevalent, powering a wide range of applications such as IoT devices, industrial control systems, and automotive systems. With their growing ubiquity, ensuring the security of these embedded devices has become a critical concern. Secure booting is a fundamental security mechanism designed to protect embedded devices from unauthorized access and tampering, playing a vital role in maintaining the integrity of the system. This article explores the concept of secure booting for embedded devices and highlights its significance in enhancing overall security. Understanding Secure Booting Secure booting is a security feature that establishes a chain of trust during the booting process of a computer and embedded devices. It ensures that only trusted and verified software…

Educational, security March 18, 2016

What is Pentesting, Vulnerability Scanning, which one do you need?

I get very often asked about these two concepts and I noticed that there is a lot of unclarity around these topics. At the end, I will tell you my own opinion and give you some advices. Vulnerability scan Also known as Vulnerability Assessment, looks for known vulnerabilities in your systems and reports potential exposures. Vulnerability assessments are performed by using an off-the-shelf software package, such as Nessus or OpenVas to scan an IP address or range of IP addresses for known vulnerabilities. For example, the software has signatures for the Heartbleed bug or missing Apache web server patches and will alert if found. The software then produces a report that lists out found vulnerabilities and (depending on the software and options selected) will give an indication of the severity of the vulnerability and basic remediation steps. It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them. Penetration test (aka “pentest”) Designed to actually exploit weaknesses in the architecture of your…

Educational, News June 16, 2015

How much is a blog instance worth?

I wrote in the post Do you really know who’s visiting your website? about how often hackers probe my websites. IT Security News has of today this: 5,914 blocked malicious login attempts / was 2092 on May 8th 2,182 spam comments blocked by Akismet. / was 2115 on May 8th The login attempts more than doubled in just 5 weeks. Of course, they are all automated attacks, so we can’t really speak of an effort from anyone’s site. Why ? If a hacker “owns” a website he is able to do a few things: Change content and possible deliver malware to your readers Host individual “sub-pages” or “sub-websites” in your blog and reference them from email campaigns or post spams. Send mail from your blog to just anyone, but the worst is when it sends to your subscribers. All are very bad things as they ruin your website’s reputation and drives your visitors away. And they can happen all together or just any combination of them. What can you do? It turns out that you can do quite a lot of things: don’t user the default admin account (WordPress: admin) set a hard to guess password keep your blog and its extensions/plugins up to date don’t install…