MSInfluentials
A new blog site for influential people

Browse Blog Posts by Tags

Showing related tags and posts for the Blogs application.
  • Security is About Passwords and Credit Cards, Part 3

    The final installment in my series called "Security is About Passwords and Credit Cards" is now up on TechNet Magazine. This part of the series discusses updating technologies, including how not to abuse them, messaging about security, and the checkbox syndrome. It ends with the final comments...
    Posted to Jesper's Blog by jesper on 08-10-2008
  • Security is About Passwords and Credit Cards Part 2

    The second part of my "Security is About Passwords and Credit Cards" article just hit the web. This installment looks at logon processes, misleading security eye candy, and insecure communications with customers. As always, I'd love your thoughts on it.
    Posted to Jesper's Blog by jesper on 07-03-2008
  • Security is About Passwords and Credit Cards

    Security is About Passwords and Credit Cards. That's what a very nice lady told me a few months ago. At first I shrugged it off. Of course security is so much more than that. As I started to process it though I realized that is exactly what it is about to end-users. They don't care about the...
    Posted to Jesper's Blog by jesper on 06-20-2008
  • Thoughts on Security by Obscurity

    This has not really been that normal a week for me, but at least another article made it into print. The June 2008 issue of TechNet Magazine is headlined by an article I wrote with my friend Roger Grimes, Security Adviser for Infoworld, on Security by Obscurity. It is another one of those point-counterpoint...
    Posted to Jesper's Blog by jesper on 05-13-2008
  • Warning! Don't run Anti-Malware Software on Your Research Machine

    I do not run any anti-malware software on my primary workstation. It's a habit I got into way back when I was doing penetration assessments. I showed up at the site, fired up ye olde laptop, and went to run some tool. ...went to run some tool. Hey, where did that tool go? It was there when I left...
    Posted to Jesper's Blog by jesper on 05-01-2008
  • Quantum Security

    The May 2008 issue of TechNet Magazine is out. It has an article in it that I have been wanting to write for a long time, called Quantum Security. In it I posit the argument that there are some fundamental laws of security, similar to the laws of physics, which we must not ignore in our risk management...
    Posted to Jesper's Blog by jesper on 04-22-2008
  • How to remove the security warning, or should you?

    This morning there was an interesting question in the Windows Vista Security Newsgroup. The poster had written an application that users were downloading. However, when they ran the application they received a warning dialog, like this one: The poster wanted to remove this warning dialog to avoid confusing...
    Posted to Jesper's Blog by jesper on 04-21-2008
  • Regulatory Silliness

    Susan just pointed me to a "Self-assessment questionnaire" for the Payment Card Industry Data Security Standard (PCI/DSS). While, on the whole, the intent of that standard is good, there are some areas of it that, as usual, stray into the realm of regulatory silliness. For example, on page...
    Posted to Jesper's Blog by jesper on 03-10-2008
  • Measuring Identity Theft

    Chris Hoofnagle, of the Berkeley Center for Law And Technology just published a fascinating report entitled "Measuring Identity Theft at Top Banks." If you have not already, and you are at all interested in security and privacy, you owe it to yourself to read the report. It analyzes identity...
    Posted to Jesper's Blog by jesper on 02-29-2008
  • Write down your passwords

    A few years back I caused quite a stir when I mentioned in passing during a presentation that writing down your password is a really good idea. A journalist in the room decided that saying so qualified me as insane, and my employer sending an insane person all the way to Australia to give a presentation...
    Posted to Jesper's Blog by jesper on 02-04-2008
  • Theft-proof biometrics

    At last, there is a biometric authentication technique that cannot be stolen. Or, well, it can, but at least it won't work any longer. Drs. Philip M. Rodwell and Steven M. Furnell recently published "A non-intrusive biometric authentication mechanism utilising physiological characteristics of...
    Posted to Jesper's Blog by jesper on 02-04-2008
  • UK Government Leaks Data on Half The Country

    Another day. Another data leak. Another round of buck passing. Another round of unsubstantiated claims that they really do care about people's personal information. This one is a doozy though. A junior IT admin at Her Majesty's Revenue & Customs (the UK tax office) apparently put personal...
    Posted to Jesper's Blog by jesper on 11-21-2007
  • All Software Has Vulnerabilities

    No matter how smug you are about it, and how much you claim that security is someone else's problem, software will have vulnerabilities. It is a fact of life because software is, by far, the most complex engineering task mankind has ever undertaken. In that light, I found a quote by Alan Paller,...
    Posted to Jesper's Blog by jesper on 11-20-2007
  • Dilbert Knows Why Security is Struggling

    If it weren't because too many security departments are like Mordac, today's Dilbert would be funny. Unfortunately, there are still far too many people working on security that fail to recognize that nobody actually wants security. Nobody bought their computer, or built a network, or hired an...
    Posted to Jesper's Blog by jesper on 11-16-2007
  • From the mouth of babes, part 12398

    A couple of weeks ago I got myself invited to my oldest son's fourth-grade class to talk to the kids about security. The teacher is really into technology and is doing some very cool stuff. Unfortunately, he is not very into security, yet, so that part was, shall we say, lacking. He created this...
    Posted to Jesper's Blog by jesper on 10-09-2007
All postings are copyright Jesper M. Johansson, in the year they were made. These postings are provided "AS IS" with no warranties, and confer no rights. All postings are the sole opinions of Jesper M. Johansson and do not reflect any official opinion of anyone else with whom the poster is affiliated or has been affiliated in the past. Use of included code samples is permitted for non-commercial use, with no warranties of fitness express or implied. All use of any information or code snippets posted in this blog is at the user's sole risk. The blog site would like to thank www.ownwebnow.com and www.exchangedefender.com for their support.