February 28th, 2013
Big data will transform the way enterprises architect and manage security and will finally help get the good guys out in front of the bad guys, said Art Coviello, executive vice president of EMC and executive chairman of RSA.
He said an “intelligence-driven model can be made future proof. It evolves and learns from change”. He added that such a system can detect anomalies and respond to them.
Another industry where the mere availability of Big Data changes everything… not. But used well, Big Data can certainly help find additional threats that otherwise would have gone unnoticed for longer.
February 27th, 2013
Hadoop is a juggernaut when it comes to big data. Intel is a juggernaut when it comes to data center infrastructure. Its decision to enter into the open source software market is a big one for the chip company, for the Hadoop ecosystem and for the myriad startups playing in this space.
As the Apache Hadoop ecosystem extends into new markets and sees new use cases with security and compliance challenges, the benefits of processing sensitive and legally protected data with Hadoop must be coupled with protection for private information that limits performance impact. Project Rhino is our open source effort to enhance the existing data protection capabilities of the Hadoop ecosystem to address these challenges, and contribute the code back to Apache.
February 22nd, 2013
We basically said, let’s take a clean sheet approach to the problem and design a solution that eliminated the use of shared secrets, used modern-day cryptography, and that made it user friendly. The result is a system that has the security that is far better than even using those hardware tokens and so forth, but yet has the ease of use of Facebook Connect.
He’s suggesting to use public key cryptography to solve the problem that hackers gain access to accounts through breaking into the service provider’s servers, instead of guessing the passwords.
Just replacing the authentication mechanism won’t fully solve the problem, you will also have to secure the end to end chain of events of the service to ensure that a hacker who’s got privileged access isn’t able to see-all and do-all in the service with god-like powers. But a public key based approach can also help with that.
February 16th, 2013
Over the last several years, there has been a major evolution in how applications are being built with new underlying technologies, application architectures and data formats, but have application scanners evolved with them? These new technologies have grown at such a fast rate, we haven’t been able to keep up at either end. On one end, developers aren’t able to build these new applications securely because they are up against deadlines from the business and delivering on new technologies. And on the other end, web application scanners were architected in the golden days of web application security when almost all web applications were static and relatively simple HTML pages.
The widening coverage gap of application security scanners.
December 30th, 2012
Are younger people less aware of online security risks, or do they simply prefer to take more risks with their personal information? That’s one of the questions raised by the findings of our recent poll of 2,129 U.S. adults (aged 18 and over) by Harris Interactive.
The new study, undertaken by Harris Interactive for ESET, questioned more than 2000 people online from August 27–29, 2012 on their use of passwords. Passwords remain by far the primary method of authentication on the internet, and remain fundamental to our security and privacy.
And one more – Password Practice: With Age Comes Wisdom?:
My friend and colleague Stephen Cobb has shared some interesting survey data in a blog article indicating that the age group between 18 and 34 is less likely than older groups to use complex passwords or even to use different passwords according to the sensitivity of the context.
Don’t say I didn’t warn you…
December 29th, 2012
You have a secret that can ruin your life. It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.
Soon on this blog: why rich people use better passwords than the young folks.
December 19th, 2012
Lately, I have been spending my time preparing and finally taking the GIAC Information Security Professional (GISP) and the Certified Information Systems Security Professional (CISSP) certification exams. I passed both. The exams are very different, though they cover the same material.
Still considering what’s right for me… suggestions, anyone?
October 31st, 2012
It’s never too late to change important terminology and confuse customers, that’s what Oracle must’ve been thinking…
Security Patch Update (SPU) terminology is introduced in the October 2012 Critical Patch Update as the term for the quarterly security patch. SPU patches are the same as previous CPU patches, just a new name. For the database, SPUs can not be applied once PSUs have been applied until the database is upgraded to a new base version.
October 24th, 2012
Homomorphic encryption: computation on encrypted databases without ever decrypting them. An important step that should eventually allow even the most privacy focused institutions off-loading some of their data processing into public clouds.
Alice hands bob a locked suitcase and asks him to count the money inside. “Sure,” Bob says. “Give me the key.” Alice shakes her head; she has known Bob for many years, but she’s just not a trusting person. Bob lifts the suitcase to judge its weight, rocks it back and forth and listens as the contents shift inside; but all this reveals very little. “It can’t be done,” he says. “I can’t count what I can’t see.”
September 13th, 2012
Following up from the Epic Hack, here’s an interesting piece about the guy who supposedly pioneered some of the new social engineering hacks.
I wonder how much of everything else Cosmo has told me is true. The only thing I am certain of is that online security is an illusion. But I think he is being honest now. I think he’s genuinely remorseful and just wants all these gaping account holes, many of which he found or helped publicize, closed at last before anyone else has their identity stolen, or the SWAT team sent to their door. That’s what I believe, at least.