There have been 2 big announcements this week that impact the TV industry - 1) Apple announcing their OTT proposition and 2) Google announcing Stadia and I’d like to argue that of the two the most significant for the TV industry is the Google announcement.
If we review what we know about each announcement
Apple TV+ A PayTV Service reaching Apple and some non-apple devices (FireTV) A large potential global audience Lots of content - both original and from existing networks Aimed primarily at Apple Ecosystem, with some support for 3rd party devices (Amazon Fire, Samsung, LG, Roku) Google Stadia A Gaming service based on cloud servers and low latency streaming A Game controller offer low latency response Tools to enable games to be ported to the service Targeted at any device - runs on Phones and Browsers These are both big announcements but I’d argue the Apple one is less significant.
Read more →
The recent ransomware attacks have focused lots of minds onto cyber security, however many of the solutions being proposed are little more than sticking plasters to the larger underlying issue - namely systems are not secure by default. The ‘trend’ in software has been to launch it, then fix it. This is a very attractive proposition for business, as it lets them discover the ideas that work and don’t work, and then iteratively improve them.
Read more →
This weekend we saw ‘the biggest cyber attack ever’ and a few people (who don’t work in IT) have asked me - will it be good for you (as I work for Irdeto - a Digital Platform Security company). It’s an interesting question to consider - these big attacks make a lot of noise, so you’d expect on Monday morning the business of cyber security will get easier! However I think the reality is a bit more nuanced.
Read more →
Yesterday the news rapidly filled up with reports on a ‘massive cyberattack’, as I’m in the UK the press coverage was focused on the NHS and initially was full of comments about ‘smart’ hackers. This reporting is, in my opinion, giving these organizations an excuse for their negligence. The reporting often implies the attack is some kind of ‘act of god’ that they could not avoid, in this case it was trivial to avoid it, simply don’t connect out of date systems to the internet.
Read more →
How lucky do you feel today? It’s an important question as your IT security is probably mostly down to luck.
If we examine most ‘hacks’ we usually see the organisation hit issuing statements about ‘sophisticated hackers’ and the public image of hackers, as lone genius’s wearing hoodies in darkend rooms is re-enforced. In fact most attacks are perpetrated by far less skilled people and succeed by luck. That’s not to say there aren’t some super skilled experts out there, but they are few and far between.
Read more →
Computer systems are complex, and the complexity has been at the point for quite a few years now it’s impossible for any one person to understand ‘everything’ about any given system. There will often be people with a good understanding the ‘building blocks’ but it’s pretty much impossible to understand all the detail of the code, libaries and platforms it depends on.
Complexity has massive implications for the security of computer systems.
Read more →
Once again a major CA (Symantec) has been ‘caught’ issuing certificates improperly. There is a great write up on Ars Technica. This is really significant as falsly issued CA certificates are one (of many) way to MITM SSL.
This underlies the extreme difficulty in securing anything in IT. There are simply too many ‘moving parts’ and people in involved in securing anything. Your computers security depends on thousands of people and companies all doing everything correctly all of the time, and simple law of averages suggests this is unlikely to ever happen!
Read more →
Ouch - Kaspersky have been enabling MITM attacks on their customer base. The Register citig a Chrome bug report explains how you can use this to trick consumers in thinking a site is valid/safe when it is not.
This underlines the ease of MITM SSL/TLS - see my previous article for all the different ways this can be done!
Read more →
I’ve been travelling quite a bit recently for work and have been reminded (again) how ‘human factors’ can defeat any attempt to improve security.
A good example of this is chip and pin/contactless. Chip and Pin is common and popular in Europe and as a result in Europe I never ‘give’ my card to members of staff for them to process it. This reduces the risk of fraud substantially as staff cannot easily clone/copy cards when they’ve never handled them.
Read more →
I’m often heard saying it’s quite easy to MITM HTTPS (also called SSL/TLS) and decided that maybe I should list all the methods I know of (there are quite a few).
The attacker has many options to try and get in the middle between the user and web server/API
Pure Technical Approaches Zero Day Vulnerabilities in browsers TLS/SSL Breaks Incorrectly Issued Trusted Certificate Aquire vendor issued ‘trusted’ certificate Social Engineering Approaches Convince user to install MITM certificate Convince user to install software Malicious Browser Extensions Conclusion Pure Technical Approaches The pure technical approaches rely on attacks that don’t require users to make any mistakes and anyone can be vulnerable.
Read more →