Category: Security

Password fails, continued.

I’ve noticed that one when registering for my ADT online account. That account allows you to manage your secret passwords, turn off your security system, etc.

These are so common these days that you could probably have a blog dedicated to them alone. It’s annoying when it happens in general, it’s bad when your favorite financial institution does it, but it’s particularly egregious when it’s done by a security company, even one whose business is physical security. Perhaps it’s even worse in that space, since it can put your personal security at risk.

[image: adt_password]

Skills gap in IT security

The article tries to explain why companies have trouble hiring security pros. There are some good items in there, but I think it misses the larger point. Too many companies simply don’t understand what they need and treat security as a check box that they mark off on some form. They believe that “security” consists of creating myriad policies, procedures and documents for every eventuality. Doubtless, that’s a part of it, but it has to start with evaluating risks and threats and having a proper mindset.

This reminds me of a security position that I once interviewed for. One interviewer really wanted to know the specific number of Active Directory Organizational Units (OUs) I have worked with. That is akin to asking a prospective sysadmin how many files he has worked with. The number is arbitrary and absolutely irrelevant to underlying complexity, nesting, policies, etc. At the time, they told me that they’d been trying to fill the position for more than 6 months… Somehow that wasn’t surprising to me…

CRIME Attack

SSL/TLS is now vulnerable to session hijacking in some circumstances: CRIME uses the compression ratio of TLS requests as a side channel. If your site runs SSL/TLS, TLS compression needs to be off.


http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312

http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor/19914#19914
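As an added example (not from this post or either linked article), here is a small Python check for the one thing the post asks you to verify: that a server no longer negotiates TLS compression. The first function parses the `Compression:` line from the session summary that `openssl s_client` prints, using a constructed sample of that output; the second connects with Python's own `ssl` module and reports what was negotiated. Both function names and the sample text are mine. One caveat for the live check: a modern OpenSSL client disables compression on its own side (Python sets `OP_NO_COMPRESSION` by default, and many OpenSSL builds omit zlib entirely), so a `None` result proves only that this client did not negotiate it; to confirm the server side, fix the server configuration too (on Apache httpd the mod_ssl directive is `SSLCompression off`).

```python
import re
import socket
import ssl
from typing import Optional

# Matches the "Compression: <method>" line in the SSL-Session block that
# `openssl s_client -connect host:443` prints after the handshake.
COMPRESSION_RE = re.compile(r"^\s*Compression:\s*(.+?)\s*$", re.MULTILINE)


def compression_from_s_client(output: str) -> Optional[str]:
    """Return the compression method reported by `openssl s_client`,
    or None when the session negotiated no compression (or the line
    is absent, e.g. the handshake failed)."""
    match = COMPRESSION_RE.search(output)
    if not match:
        return None
    method = match.group(1)
    return None if method.upper() == "NONE" else method


def check_live_server(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Connect with the local TLS stack, allowing compression on the client
    side, and return the negotiated compression method (None means off).
    See the caveat above: a None here is not proof the server refuses it."""
    ctx = ssl.create_default_context()
    ctx.options &= ~ssl.OP_NO_COMPRESSION  # let the client offer it, if built with zlib
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()


# Constructed sample output in the layout `openssl s_client` uses;
# not captured from any real host.
SAMPLE_VULNERABLE = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Compression: zlib compression
    Expansion: zlib compression
"""

SAMPLE_SAFE = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: NONE
    Expansion: NONE
"""

if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("safe", SAMPLE_SAFE)):
        method = compression_from_s_client(sample)
        print(f"{name}: compression={'off' if method is None else method}")
```

To use the parser against a real host, pipe `openssl s_client -connect host:443 </dev/null` into it; anything other than `NONE` on the `Compression:` line means the server still accepts compression and the CRIME side channel is still open.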


Browser Security

There was a recent poll where Opera came out on top as the most secure browser, and this article tries to figure out why. It is indeed the most “secure”, but for a whole different reason. It’s the same reason Apple used to claim that they didn’t have viruses. It’s just “security by obscurity”. Because the market share is so small, most malware authors won’t bother to target that particular browser. If Opera were #1 in market share, I would posit that it’d be marginally different from any other browser.


Incident Response

This is a problem with Incident Response “templates”. I would draw an analogy to a lot of DR plans. It’s only as good as your last test.

http://www.secure-value.com/douglasdavidson/2012/09/what-did-you-do-with-that-incident-response-template-your-cyber-liability-insurer-providedsion.html


© 2017 Mind End
