Archive for the ‘Security’ Category

Dragged by the roots

This one had me scratching my head for a while today. A client and an ex-client both contacted me with strange HTTP connectivity issues, which manifest as errors occurring on one server while the exact same code is working elsewhere. The logs revealed that a HTTPS connection was being rejected because the connection to the external site could not be validated. The problem was that the root certificates were out of date, and the external site was using Let’s Encrypt SSL certificates, which as of this month (October 2021) has a new compatibility restriction meaning their certs can only be validated by a client if the client trusts the ISRG Root X1 certificate. That restriction prevents functionality on iPhones running [click title to read more…]

e-Criminals

I woke this morning to the news that Ireland’s health service was hit by ransomware, crippling a vital component of our society in the middle of a global pandemic. The first reported casualty of this evil deed was a maternity hospital. As the day goes on we will find the consequences of this attack will expand to include more hospitals, medical clinics, doctors’ surgeries and particularly worrying the Covid-19 processes (testing and vaccination). Some or all of these will have to go offline. Much will have to move to alternative mechanisms, such as pen and paper!

Undoubtedly any ransom demand will be rebuffed. To accede would simply raise a flag saying “we pay” and invite more attacks. No, this will [click title to read more…]

Sneak peek

In the past few days the tech community has gone into a panic over a discovery that computers have been vulnerable to a specific kind of attack for over 20 years. Despite being present for a very long time, it would seem that nobody has exploited the vulnerability. The details are complicated, but let’s consider a part of their discovery in more simple terms:

The problem is in the processor (CPU), the thing that does calculations using information in the computer’s main memory (RAM). Decades ago, CPU designers from companies like Intel, AMD and others, decided that they could speed up a computer if they could get it to do some calculations ahead of time, even if the results of [click title to read more…]

Front doors

We’ve all heard of “back door” access. This refers to a situation where some kind of access to the system is available that does not go through the normal procedures, and is sometimes present during the early stages of development to provide convenient and efficient ways to interact with a partially complete system.

Obviously, it is essential that the final version of the solution is built without these back doors present, otherwise you have a major hole in your security.

Then there is the front door, and that will be present in the final version you put into the hands of your customers.

During development it is tempting to make the front door as “convenient” as the back door, just [click title to read more…]

Bleeding hearts

It’s the first weekend after the announcement of CVE-2014-0160, aka “Heartbleed” and if you were to believe even a small fraction of what’s been written about it you’d think the world had come to an end. There’s a lot of nonsense. A lot of dumbed-down explanations seem to add more confusion (Randall Munroe’s angle is a notable exception). The detailed investigations will be read by many, but only understood properly by those who already understand.

As a consequence of this bug I’ve been particularly busy with many of the systems around the world in which I have a role (always behind the scenes). All is a bit quieter now, so I’ve had a chance to peruse what has been written, [click title to read more…]