Tag Archives: Security

Live from JavaOne: Making the Business Case for Security

This session is about selling security internally. This was my first session from Oracle OpenWorld, by Oracle people, and I expected it to be from the database’s point of view. It was true, but the part I liked most was in fact from a business guy, with no relationship to databases. The database view was […]

Smart Card Web Server security

UPDATED ON 04/06/10: Additional comments about security requirements. Securing Web servers is hard work, as OWASP periodically reminds us. Of course, this applies to smart card web servers, regardless of the underlying technology. I received a comment from someone who noticed that some of the Java Card 3.0 Connected sample applications have really bad security. […]

Smart card security on the radio

Smart card security doesn’t often get on traditional media, so we can all (at least, the French-speaking ones) be happy that France Culture will spend an hour discussing the security of payment cards, trying to provide an answer to the question “Comment améliorer la sécurité des cartes bancaires?”. Among the speakers, we will have Jean-Louis […]

Live from Cardis2010: Combined attacks on Java Card

I just made my second presentation at Cardis2010, about combined attacks on Java Card (joint work with Anthony Ferrari, now in charge of these things at Trusted Labs). Sorry, no “public” slides this time, this is related to security evaluation. Interestingly, the current presenter is Guillaume Barbu, from Oberthur, who is presenting an interesting attack […]

Chip And PIN Is Broken (A Little)

By now, there has been sufficient hype around Ross Anderson’s latest attack on EMV banking cards. Once again, the Cambridge guys have scored a good one here, as the simplicity of the attack is outright incredible: Intercept the PIN Presentation command, make the terminal believe that the PIN is correct (i.e., return Status Word 9000), […]

One less flaw in secure USB keys

We all know by now that some German testers have broken certified USB keys. Breaking a secure product is not big news. Breaking a certified product is less common, so it makes the news. Now, the reactions are worth analyzing, because it is very hard to figure out what certification is about, in particular when […]

e-Smart is back …

It’s that time of the year when summer turns into fall (rather violently around here), and when smart card R&D people gather in Sophia Antipolis for the Smart Event. I will be present throughout the week, with quite a busy schedule, between my own participations and the interesting sessions that I want to hear. […]

DPA is annoying (again?)

I am currently in Limoges, visiting the University to work on a collaborative research project. The buzz in the computer science department is that Christophe Clavier, one of their researchers, has just won the DPA contest, organized at CHES. And of course, I took the opportunity to discuss that with him. I won’t even start […]

Thank you for the wonderful threat, M. Hadopi!

I work for a company that sells security technology and consulting for smart cards and mobile devices. Although we would most likely deny it, we take new threats as opportunities. We don’t go as far as writing viruses ourselves (because we don’t do such things, and also because we don’t sell antivirus), but a good […]

Buying on the Internet with fake card numbers

One would think that buying real goods on the Internet with fake card numbers is not possible today. After all, there are many countermeasures that are quite hard to defeat, among which: You need to provide a 3/4 digit security code that is written on your card, and that is some kind of digital signature of […]