Android malware hype

There is no better publicity for a security company than a good scare. Apparently, some guys at Smobile are taking publicity seriously. They have published a report entitled Threat Analysis of the Android Market, which got them some news coverage. The report includes some pretty scary statements, like: 3% of all of the Market submissions […]


Smart Card Web Server security

UPDATED ON 04/06/10: Additional comments about security requirements Securing Web servers is hard work, as OWASP periodically reminds us. Of course, this applies to smart card web servers, regardless of the underlying technology. I received a comment from someone who noticed that some of the Java Card 3.0 Connected sample applications have really bad security. […]


Mobile applications may be dangerous

That’s a question that I have been asking myself for quite a while. How dangerous can a mobile application be? How can it be made more dangerous? Or less dangerous? Here’s a grab bag from the Internet today. First, the good side, with two Microsoft articles pointed out by Bruce Schneier: The first one is about the authorization […]


Smart card security on the radio

Smart card security doesn’t often get on traditional media, so we can all (at least, the French-speaking ones) be happy that France Culture will spend an hour discussing the security of payment cards, trying to provide an answer to the question “Comment améliorer la sécurité des cartes bancaires?”. Among the speakers, we will have Jean-Louis […]


Live from Cardis 2010: Reactions to my presentation

My first Cardis presentation led to a few discussions about possible paths for the exploitation of smart cards, or for challenges to be considered. Here is a selection of the most interesting discussions. TPM. Somebody asked the question about the relationship of TPM and smart card. The latest TPM specifications give the impression that they […]


Live from Cardis2010: Combined attacks on Java Card

I just made my second presentation at Cardis2010, about combined attacks on Java Card (joint work with Anthony Ferrari, now in charge of these things at Trusted Labs). Sorry, no “public” slides this time, this is related to security evaluation. Interestingly, the current presenter is Guillaume Barbu, from Oberthur, who is presenting an interesting attack […]


Live from Cardis2010: User-Centric Smart Card Ownership Model

That speech is by Raja Naeem Akram, from Royal Holloway. He proposes a system in which the end user buys the smart card from the manufacturer, and then customizes it by going to a service point that will interact with smart card service providers. The services would be leased with specific conditions depending on the […]


Live from Cardis2010: Protecting RNG from side-channel attacks

The next talk is given by Suresh Chari, from IBM’s Watson research center, who are still working on their Caernarvon secure operating system, this time protecting random number generation from side-channel attacks. The talk starts on an interesting property of security certification. The FIPS140-2 certification scheme mandates the testing of random-number generation (RNG) features before they […]


Live from Cardis 2010: Where is our smart card AppStore?

UPDATED: Added slideshare link. Here is a transcript of my invited presentation at Cardis2010, or at least the things that I thought about before getting there. The slides are available on SlideShare.


Live from Cardis 2010: Bertrand is back

I am just sitting in the room where Bertrand Ducastel is starting his speech about The Emotion of Identity, of course starting with a 2500-year old Texan religious painting. Now, let’s go for the (live) meat. With cloud computing, it is hard to figure out where my computer is in the world, mostly for fiscal/manpower […]