[Cryptography] Long-term security (was Re: ratcheting DH strengths over time)

Bill Frantz frantz at pwpconsult.com
Wed Nov 18 17:34:14 EST 2015


On 11/18/15 at 12:13 PM, bear at sonic.net (Ray Dillinger) wrote:

>IMO, the Internet-of-Targets is a bad idea in the first
>place.  There is NO way my thermostat or my refrigerator
>has any business talking to the Internet or listening to
>the Internet.

The thermostat use case for internet connection is coming home a 
bit early after a trip where you put your house in 
low-temperature vacation mode. You want it to be warm when you 
come through the door, so you send it a message from your phone 
while waiting for your luggage to arrive.

Probably the best way to attach things to the Internet with some 
degree of security is to have an interface box which will 
greatly limit the things you can do on the box, and be regularly 
updated with security fixes. Some cars have a version of this 
architecture with the entertainment system, the phone, the nav, 
etc. being on a separate network from the engine controls and 
the brakes. The connection between the networks limits the 
things that can pass between them.

This message, from the SANS Security Digest, is a harbinger of 
things to come in the Internet of Targets space:

====== Forwarded Message ======
Date: 10/27/15 5:16 PM
Received: 10/27/15 1:16 PM -0400
From: NewsBites at sans.org (SANS Institute)

  --Closed-Circuit Camera Botnet
(October 26, 2015)
A botnet made up of nearly 1,000 closed-circuit television (CCTV)
cameras has been detected. The devices were remotely accessible and had
easily guessed or default passwords. The botnet was identified by
Incapsula while investigating an attack on a client's system. The
compromised cameras were all running a Unix utility bundle known as
BusyBox.
http://www.zdnet.com/article/cctv-cameras-worldwide-used-in-ddos-attacks/
http://www.scmagazine.com/ddos-botnet-comprised-of-nearly-a-thousand-cctv-cameras/article/449499/
[Editor's Note (Murray):  Welcome to the Internet of Things.  Even if
most appliances are resistant to compromise or misuse, there will always
be enough that are insecure as to represent a risk to the Internet that
will be difficult to mitigate.]
====== End Forwarded Message ======

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"After all, if the conventional wisdom was working, the
408-356-8506       | rate of systems being compromised would be going down,
www.pwpconsult.com | wouldn't it?" -- Marcus Ranum
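
The interface-box idea from the message above, sketched as an added example that is not part of the original post: a gateway that accepts only two thermostat commands from the Internet side and rebuilds each one before it reaches the device network. The JSON message format, field names, modes and limits are all assumptions made for illustration.

```python
import json

# All names and limits below are hypothetical, chosen for this illustration.
MAX_MESSAGE_BYTES = 256              # drop anything larger before parsing
ALLOWED_MODES = {"vacation", "home"}
SETPOINT_RANGE_C = (5.0, 30.0)       # plausible household range

class Rejected(Exception):
    """Raised for any message that is not exactly an allowed command."""

def filter_message(raw: bytes) -> dict:
    """Validate an Internet-side message and return a freshly built
    internal command. The raw bytes are never forwarded to the device."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise Rejected("message too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except ValueError:               # covers bad UTF-8 and bad JSON
        raise Rejected("not valid UTF-8 JSON")
    if not isinstance(msg, dict):
        raise Rejected("not a JSON object")
    action = msg.get("action")
    if action == "set_mode":
        mode = msg.get("mode")
        if set(msg) != {"action", "mode"}:
            raise Rejected("unexpected fields")
        if not isinstance(mode, str) or mode not in ALLOWED_MODES:
            raise Rejected("mode not on allowlist")
        return {"cmd": "MODE", "value": mode}
    if action == "set_setpoint":
        temp = msg.get("celsius")
        if set(msg) != {"action", "celsius"}:
            raise Rejected("unexpected fields")
        if isinstance(temp, bool) or not isinstance(temp, (int, float)):
            raise Rejected("setpoint is not a number")
        low, high = SETPOINT_RANGE_C
        if not low <= temp <= high:  # also rejects NaN and Infinity
            raise Rejected("setpoint out of range")
        return {"cmd": "SETPOINT", "value": round(float(temp), 1)}
    raise Rejected("action not on allowlist")

def is_rejected(raw: bytes) -> bool:
    """Convenience wrapper: True when the gateway would drop the message."""
    try:
        filter_message(raw)
        return False
    except Rejected:
        return True
```

Everything not explicitly listed is dropped, so a request for a firmware update or a shell command never reaches the device side, and extra fields cannot ride along with an allowed command.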


