Dataguise Presents 10 Best Practices for Securing Sensitive Data in Hadoop. Yeah, you gotta hop over to read it at myNoSQL…

Two-Step Verification Will End Consensual Impersonation:

IT security pros are typically delighted to do away with employees’ option for consensual impersonation, and indeed, privileged identity management systems work really hard to make it impossible for those with superuser powers to do. But I suspect the consumer world isn’t quite ready for widespread two-step verification that cuts off this option.

I don’t know if that’s really so much a use case? Then again, I’m just one of these corporate IT security obsessed guys…

Via Two-factor authentication in two years.

New Amazon CloudHSM service vows enterprise-grade security:

Amazon Web Services runs on tons and tons of shared hardware. That’s a huge benefit in terms of cost but also spooks customers with strict regulatory requirements that prevent them from running their applications on shared infrastructure. [...] CloudHSM could make regulation-constrained companies and agencies more comfortable entrusting workloads to the Amazon Web Services public cloud.

At $1,373 per month… how much is an HSM if you buy your own (let’s ignore management etc. for a moment)?

Going Bright: Wiretapping without Weakening Communications Infrastructure:

Mobile IP-based communications and changes in technologies have been a subject of concern for law enforcement, which seeks to extend current wiretap design requirements for digital voice networks. Such an extension would create considerable security risks as well as seriously harm innovation. Exploitation of naturally occurring bugs in the platforms being used by targets may be a better alternative.

Apparently VoIP implementations are so buggy that there’s no need for vendors to include backdoors!

Google Wants Your Next Password To Be A Physical One:

New research from Google suggests what we all likely know to be true – your pet’s name followed by a few numbers just isn’t cutting it as a password these days.

Google Declares War on the Password:

Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time.

Here’s the article (PDF); it has been published since TechCrunch and Wired wrote about this.

Google’s Vint Cerf talks identifiers vs. pseudonyms online:

Cerf suggested to imagine a device running on hardware that can generate public and private key pairs in which the private key can’t be extracted without destroying the pair. Furthermore, imagine that the private key can’t be computed from the public key — at least not in any amount of time that would be useful. Finally, this device needs to encrypt or decrypt digital objects on demand.

[...]

He continued to say that there might be hundreds of devices associated with us (and therefore, our personal data) at home, in cars, at work, and elsewhere. Thus, he said we don’t want them to be interfered with or release information to parties other than the ones we want to authorize.

Too bad the article doesn’t really mention what he said about pseudonyms, but here’s a bit more.

Big Data brings intelligence-based security, RSA chief says:

Big data will transform the way enterprises architect and manage security and will finally help get the good guys out in front of the bad guys, said Art Coviello, executive vice president of EMC and executive chairman of RSA.

He said an “intelligence-driven model can be made future proof. It evolves and learns from change”. He added that such a system can detect anomalies and respond to them.

Another industry where the mere availability of Big Data changes everything… not. But used well, Big Data can certainly help find additional threats that otherwise would have gone unnoticed for longer.

Cloudera who? Intel announces its own Hadoop distribution:

Hadoop is a juggernaut when it comes to big data. Intel is a juggernaut when it comes to data center infrastructure. Its decision to enter into the open source software market is a big one for the chip company, for the Hadoop ecosystem and for the myriad startups playing in this space.

Plus Project Rhino: Enhanced Data Protection for the Apache Hadoop Ecosystem:

As the Apache Hadoop ecosystem extends into new markets and sees new use cases with security and compliance challenges, the benefits of processing sensitive and legally protected data with Hadoop must be coupled with protection for private information that limits performance impact. Project Rhino is our open source effort to enhance the existing data protection capabilities of the Hadoop ecosystem to address these challenges, and contribute the code back to Apache.

Via myNoSQL.

Two-factor authentication won’t protect Twitter, Google: OneID:

We basically said, let’s take a clean sheet approach to the problem and design a solution that eliminated the use of shared secrets, used modern-day cryptography, and that made it user friendly. The result is a system that has the security that is far better than even using those hardware tokens and so forth, but yet has the ease of use of Facebook Connect.

He’s suggesting using public key cryptography to address the problem of hackers gaining access to accounts by breaking into the service provider’s servers rather than by guessing passwords.

Just replacing the authentication mechanism won’t fully solve the problem; you will also have to secure the end-to-end chain of events in the service to ensure that a hacker who has privileged access isn’t able to see all and do all with god-like powers. But a public-key-based approach can also help with that.
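To make the two ideas above concrete, the hardware-held key pair Cerf describes and the no-shared-secrets login OneID argues for, here is a small challenge-response login in Go. This is an added example, not code from OneID, Google, or any article linked here. The `Device` type is a hypothetical stand-in for hardware whose private key never leaves it (only `Sign` is exposed); the `Server` stores nothing but public keys, so a copy of its user table gives an attacker no credential to reuse. It goes slightly beyond the text by also consuming each nonce after one use, so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for tamper-resistant hardware (hypothetical): the key pair
// is generated inside and the private half is never exported; callers only
// get the public key and a Sign operation.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

func (d *Device) Sign(msg []byte) []byte { return ed25519.Sign(d.priv, msg) }

// Server keeps only public keys, so its user table holds no shared secret
// (no password hash, no token seed) that a breach could turn into a login.
type Server struct {
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding nonce per user
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random 32-byte nonce the client must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce and consumes it,
// so the same signature cannot be presented twice.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	nonce, has := s.pending[user]
	if !ok || !has {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, nonce, sig)
}

// Login runs one full exchange: challenge, sign on the device, verify.
func Login(s *Server, user string, dev *Device) (bool, error) {
	nonce, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	return s.Verify(user, dev.Sign(nonce)), nil
}

// Demo returns the three outcomes a defender cares about: the registered
// device logs in, a different key does not, and a reused signature does not.
func Demo() (legit, wrongKey, replay bool, err error) {
	alice, err := NewDevice()
	if err != nil {
		return
	}
	other, err := NewDevice() // a second device: holds the public key only by reputation, not the private half
	if err != nil {
		return
	}
	srv := NewServer()
	srv.Register("alice", alice.PublicKey())

	if legit, err = Login(srv, "alice", alice); err != nil {
		return
	}
	if wrongKey, err = Login(srv, "alice", other); err != nil {
		return
	}
	nonce, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	sig := alice.Sign(nonce)
	srv.Verify("alice", sig) // first use consumes the nonce
	replay = srv.Verify("alice", sig)
	return
}

func main() {
	legit, wrongKey, replay, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit=%v wrongKey=%v replay=%v\n", legit, wrongKey, replay)
}
```

The point of the design is what the server does not hold: a dump of `users` yields only public keys, which verify signatures but cannot produce them, so the attack path the OneID quote targets (steal the credential store, then log in) has nothing to steal. Binding the private key to a device, as Cerf describes, closes the matching gap on the client side.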

Mobile App Security – Application Security’s “Where’s Waldo”:

Over the last several years, there has been a major evolution in how applications are being built with new underlying technologies, application architectures and data formats, but have application scanners evolved with them? These new technologies have grown at such a fast rate, we haven’t been able to keep up at either end. On one end, developers aren’t able to build these new applications securely because they are up against deadlines from the business and delivering on new technologies. And on the other end, web application scanners were architected in the golden days of web application security when almost all web applications were static and relatively simple HTML pages.

The widening coverage gap of application security scanners.