The news in security last month has been all over the board: there was a story of credit card skimming at Target stores and one of listening to PC speakers to detect encryption keys. Quite a range, to be sure.
The credit card skimming may involve actual compromise of the credit card terminals (readers). I don’t know how it was done, and at the time of this writing nobody has tried to explain it. It seems difficult to compromise a whole retail chain’s worth of readers, but if that’s indeed what happened, it is likely due to a hardware or software vulnerability. In other words, there’s nothing new under the sun.
The leakage of bits of an encryption key isn’t a new issue either, really. What’s new is how they discovered what was leaked. We’ve known for a long time that computers leak information via electromagnetic radiation (“radio waves”) and the US government has taken precautions to reduce the vulnerability with its TEMPEST program and by using SCIFs (secure compartmented information facilities) to block the radiation.
In Learning Tree Course 468, System and Network Security Introduction, we discuss the basic ideas behind these attacks, as well as the types of countermeasures people and enterprises deploy to thwart the attacks. (These attacks are brand new, so we don’t go into their details, but the point is that the principles and concepts are the same as those we do discuss.) Over the past year Bob and I have discussed a lot of security issues on this blog and we’ll continue to do so in 2014. We and the other 468 authors also discuss issues when we teach the class. (I’ll be teaching in January in New York, but you can take the class live or over the Internet from your home or office or an AnyWare facility.) We think it is important to understand not just the specifics of a particular issue, but also the underlying mechanisms. That’s where 468 comes in. In the course we talk about attacks, countermeasures and the underlying technologies.
Next week I’ll be posting some end-of-the-year suggestions for your personal information security. I won’t be posting on New Year’s Day, but I’ll be back in January with new posts and new information. If you have something particular you’d like me to post about here, let me know in the comments below.