February 16th, 2013
Over the last several years, there has been a major evolution in how applications are being built with new underlying technologies, application architectures and data formats, but have application scanners evolved with them? These new technologies have grown at such a fast rate that we haven’t been able to keep up at either end. On one end, developers aren’t able to build these new applications securely because they are up against deadlines from the business and delivering on new technologies. And on the other end, web application scanners were architected in the golden days of web application security, when almost all web applications were static and relatively simple HTML pages.
The widening coverage gap of application security scanners.
December 30th, 2012
Are younger people less aware of online security risks, or do they simply prefer to take more risks with their personal information? That’s one of the questions raised by the findings of our recent poll of 2,129 U.S. adults (aged 18 and over) by Harris Interactive.
The new study, undertaken by Harris Interactive for ESET, questioned more than 2000 people online from August 27–29, 2012 on their use of passwords. Passwords remain by far the primary method of authentication on the internet, and remain fundamental to our security and privacy.
And one more – Password Practice: With Age Comes Wisdom?:
My friend and colleague Stephen Cobb has shared some interesting survey data in a blog article indicating that the age group between 18 and 34 is less likely than older groups to use complex passwords or even to use different passwords according to the sensitivity of the context.
Don’t say I didn’t warn you…
December 29th, 2012
You have a secret that can ruin your life. It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.
Soon on this blog: why rich people use better passwords than the young folks.
December 19th, 2012
Lately, I have been spending my time preparing and finally taking the GIAC Information Security Professional (GISP) and the Certified Information Systems Security Professional (CISSP) certification exams. I passed both. The exams are very different, though they cover the same material.
Still considering what’s right for me… suggestions, anyone?
October 31st, 2012
It’s never too late to change important terminology and confuse customers; that’s what Oracle must’ve been thinking…
Security Patch Update (SPU) terminology is introduced in the October 2012 Critical Patch Update as the term for the quarterly security patch. SPU patches are the same as previous CPU patches, just a new name. For the database, SPUs cannot be applied once PSUs have been applied until the database is upgraded to a new base version.
October 24th, 2012
Homomorphic encryption: computation on encrypted databases without ever decrypting them. An important step that should eventually allow even the most privacy-focused institutions to off-load some of their data processing into public clouds.
Alice hands Bob a locked suitcase and asks him to count the money inside. “Sure,” Bob says. “Give me the key.” Alice shakes her head; she has known Bob for many years, but she’s just not a trusting person. Bob lifts the suitcase to judge its weight, rocks it back and forth and listens as the contents shift inside; but all this reveals very little. “It can’t be done,” he says. “I can’t count what I can’t see.”
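The suitcase story maps directly onto an additively homomorphic scheme. Below is an added toy Paillier implementation (my own illustration, not code from the linked article) in which Bob sums Alice’s encrypted amounts using only her public key; the primes are constructed and far too small for real use.

```python
import math
import random

# Constructed toy primes: fine for illustration, hopelessly insecure for real use.
P, Q = 1000003, 1000033
RNG = random.SystemRandom()


def keygen(p=P, q=Q):
    """Paillier key generation. Returns (public, private) = ((n, g), (lam, mu))."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)   # Carmichael's function of n = p*q
    g = n + 1                      # the standard simple generator choice
    mu = pow(lam, -1, n)           # lam^-1 mod n, used in decryption
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    while True:
        r = RNG.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (((u - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def count_locked_suitcase(pub, encrypted_notes):
    """Bob's side: he holds only the public key and never sees a single amount."""
    total = encrypt(pub, 0)  # fresh encryption of zero as the running sum
    for c in encrypted_notes:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    pub, priv = keygen()
    notes = [20, 50, 100, 5]  # constructed amounts Alice locks in the suitcase
    encrypted_notes = [encrypt(pub, m) for m in notes]
    total_ct = count_locked_suitcase(pub, encrypted_notes)
    return decrypt(pub, priv, total_ct)  # Alice unlocks the answer: 175
```

Running `demo()` returns 175 while Bob only ever handled values modulo n²; the same trick does not give multiplication of two ciphertexts, which is what separates these partially homomorphic schemes from the fully homomorphic ones the article describes.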
September 13th, 2012
Following up from the Epic Hack, here’s an interesting piece about the guy who supposedly pioneered some of the new social engineering hacks.
I wonder how much of everything else Cosmo has told me is true. The only thing I am certain of is that online security is an illusion. But I think he is being honest now. I think he’s genuinely remorseful and just wants all these gaping account holes, many of which he found or helped publicize, closed at last before anyone else has their identity stolen, or the SWAT team sent to their door. That’s what I believe, at least.
August 10th, 2012
Why can’t I get rid of the nagging feeling that this guy asked the hacker himself to do it, to get a great story into Wired and everywhere? Staged like this, the story is much better than if he simply reported that it was theoretically possible to remote wipe somebody’s iDevices just by abusing Amazon’s and Apple’s flawed password reset routines.
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
Maybe it’s because of a flood of recent stories where journalists’ ethics were less than questionable?
April 20th, 2011
Intel’s McAfee Acquires Sentrigo To Boost Database Security Offerings. That’s not surprising, given that Sentrigo has the best product in that space. Oracle already acquired Secerno last year, so other vendors now have to build their portfolio.
Dave DeWalt, president of McAfee, said of the acquisition: “McAfee is continuing to broaden its security portfolio to now secure databases, as well as endpoints, networks, email and web.” He added that the company is also announcing a “complete database security platform” which includes products across the McAfee portfolio.
McAfee’s Vulnerability Manager for Databases will automatically discover all databases on the network, collect a full inventory of configuration details, determine if the latest patches have been applied and scan for vulnerabilities. McAfee’s Database Activity Monitoring (DAM) not only tracks database changes, but also protects data from external threats and malicious insiders with real-time alerts and session termination.
Let’s see what the combined companies are going to bring.