Tag Archives: Security

Live from Cardis2010: Combined attacks on Java Card

I just made my second presentation at Cardis2010, about combined attacks on Java Card (joint work with Anthony Ferrari, now in charge of these things at Trusted Labs). Sorry, no “public” slides this time, this is related to security evaluation. Interestingly, the current presenter is Guillaume Barbu, from Oberthur, who is presenting an interesting attack

Chip And PIN Is Broken (A Little)

By now, there has been sufficient hype around Ross Anderson’s latest attack on EMV banking cards. Once again, the Cambridge guys have scored a good one here, as the simplicity of the attack is outright incredible: Intercept the PIN Presentation command, make the terminal believe that the PIN is correct (i.e., return Status Word 9000),

One less flaw in secure USB keys

We all know by now that some German testers have broken certified USB keys. Breaking a secure product is not big news. Breaking a certified product is less common, so it makes the news. Now, the reactions are worth analyzing, because it is very hard to figure out what certification is about, in particular when

e-Smart is back …

It’s that time of the year when summer turns into fall (rather violently around here), and when smart card R&D people gather in Sophia Antipolis for the Smart Event. I will be present throughout the week, with quite a busy schedule, between my own participations and the interesting sessions that I want to hear.

DPA is annoying (again?)

I am currently in Limoges, visiting the University to work on a collaborative research project. The buzz in the computer science department is that Christophe Clavier, one of their researchers, has just won the DPA contest, organized at CHES. And of course, I took the opportunity to discuss that with him. I won’t even start

Thank you for the wonderful threat, M. Hadopi!

I work for a company that sells security technology and consulting for smart cards and mobile devices. Although we would most likely deny it, we take new threats as opportunities. We don’t go as far as writing viruses ourselves (because we don’t do such things, and also because we don’t sell antivirus), but a good

Buying on the Internet with fake card numbers

One would think that buying real goods on the Internet with fake card numbers is not possible today. After all, there are many countermeasures that are quite hard to defeat, among which: You need to provide a 3/4 digit security code that is written on your card, and that is some kind of digital signature of

Show or hide passwords

Bruce Schneier has written a blog post about the fact that passwords should not be hidden, which has stirred quite an intense controversy (over 100 comments in a few hours). Some of the issues and solutions pointed out in the comments are in fact quite interesting. Let’s make a little synthesis here.

Android security from a user’s point of view

I have loaded a few applications on my Magic phone, and this has allowed me to test some of the security features from the end user’s point of view. When I install an application, the screen displays a few warnings, indicating the privileges/permissions requested by the application. Let’s consider a small example, based on Google’s

Re: Information request

I am getting more and more messages from e-mail marketers that start with “Re:” followed by a very generic sentence that I could have written, just like anybody else. This is of course based on the assumption that we are used to receiving answers to our own messages, and that we are more likely to