Mobile App Security – Application Security’s “Where’s Waldo”
February 16th, 2013
Mobile App Security – Application Security’s “Where’s Waldo”:

Over the last several years, there has been a major evolution in how applications are being built with new underlying technologies, application architectures and data formats, but have application scanners evolved with them? These new technologies have grown at such a fast rate, we haven’t been able to keep up at either end. On one end, developers aren’t able to build these new applications securely because they are up against deadlines from the business and delivering on new technologies. And on the other end, web application scanners were architected in the golden days of web application security when almost all web applications were static and relatively simple HTML pages.
The widening coverage gap of application security scanners.
Passwords: young people are lax, rich people are careful
December 30th, 2012
Younger people less secure online than their elders, new study suggests:
Are younger people less aware of online security risks, or do they simply prefer to take more risks with their personal information? That’s one of the questions raised by the findings of our recent poll of 2,129 U.S. adults (aged 18 and over) by Harris Interactive.
Passwords: young people are lax, rich people are careful:
The new study, undertaken by Harris Interactive for ESET, questioned more than 2000 people online from August 27–29, 2012 on their use of passwords. Passwords remain by far the primary method of authentication on the internet, and remain fundamental to our security and privacy.
And one more – Password Practice: With Age Comes Wisdom?:
My friend and colleague Stephen Cobb has shared some interesting survey data in a blog article indicating that the age group between 18 and 34 is less likely than older groups to use complex passwords or even to use different passwords according to the sensitivity of the context.
Don’t say I didn’t warn you…
Kill the Password: Why a String of Characters Can’t Protect Us Anymore
December 29th, 2012
Kill the Password: Why a String of Characters Can’t Protect Us Anymore:
You have a secret that can ruin your life. It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.
Soon on this blog: why rich people use better passwords than the young folks.
Comparing the CISSP and GISP Exams
December 19th, 2012
Comparing the CISSP and GISP Exams:
Lately, I have been spending my time preparing and finally taking the GIAC Information Security Professional (GISP) and the Certified Information Systems Security Professional (CISSP) certification exams. I passed both. The exams are very different, though they cover the same material.
Still considering what’s right for me… suggestions, anyone?
CPU, PSU, SPU – Oracle Critical Patch Update Terminology Update
October 31st, 2012
It’s never too late to change important terminology and confuse customers; that’s what Oracle must’ve been thinking…
Security Patch Update (SPU) terminology is introduced in the October 2012 Critical Patch Update as the term for the quarterly security patch. SPU patches are the same as previous CPU patches, just a new name. For the database, SPUs cannot be applied once PSUs have been applied until the database is upgraded to a new base version.
via CPU, PSU, SPU – Oracle Critical Patch Update Terminology Update.
Homomorphic Encryption
October 24th, 2012
Homomorphic encryption: computation on encrypted databases without ever decrypting them. An important step that should eventually allow even the most privacy-focused institutions to off-load some of their data processing into public clouds.
Alice hands Bob a locked suitcase and asks him to count the money inside. “Sure,” Bob says. “Give me the key.” Alice shakes her head; she has known Bob for many years, but she’s just not a trusting person. Bob lifts the suitcase to judge its weight, rocks it back and forth and listens as the contents shift inside; but all this reveals very little. “It can’t be done,” he says. “I can’t count what I can’t see.”
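The suitcase story, worked through as an added example that is not from the quoted article: the Paillier cryptosystem (an additively homomorphic scheme, chosen here as an illustration since the page names none) lets Bob add up Alice’s encrypted amounts without ever holding the key. The primes are constructed toy values; real deployments use primes of roughly 1024 bits or more.

```python
# Added illustration of additive homomorphic encryption (Paillier); the
# scheme choice and the toy primes are assumptions, not from the linked post.
from math import gcd
import secrets


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p=104729, q=104723):
    """Toy key pair; p and q are constructed small primes for demonstration."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)          # valid because we fix g = n + 1
    return (n, n + 1), (lam, mu, n)


def encrypt(pub, m):
    """Randomised encryption: the same amount encrypts differently every time."""
    n, g = pub
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts adds the plaintexts; no key involved."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def decrypt(priv, c):
    lam, mu, n = priv
    x = pow(c, lam, n * n)
    return (((x - 1) // n) * mu) % n


def count_locked_suitcase(amounts):
    """Alice locks each bill bundle; Bob sums the locked values; Alice unlocks."""
    pub, priv = keygen()
    locked = [encrypt(pub, a) for a in amounts]   # Alice's side
    total = locked[0]
    for c in locked[1:]:                          # Bob's side: key never seen
        total = add_encrypted(pub, total, c)
    return decrypt(priv, total)                   # Alice's side again
```

The sum must stay below n (about 1.1e10 with these toy primes), since Paillier plaintexts live modulo n.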
Cosmo, the Hacker ‘God’ Who Fell to Earth
September 13th, 2012
Following up from the Epic Hack, here’s an interesting piece about the guy who supposedly pioneered some of the new social engineering hacks.
I wonder how much of everything else Cosmo has told me is true. The only thing I am certain of is that online security is an illusion. But I think he is being honest now. I think he’s genuinely remorseful and just wants all these gaping account holes, many of which he found or helped publicize, closed at last before anyone else has their identity stolen, or the SWAT team sent to their door. That’s what I believe, at least.
Epic Hacking
August 10th, 2012
Why can’t I get rid of the nagging feeling that this guy asked the hacker himself to do it, to get a great story into Wired and everywhere? Staged like this, the story is much better than if he simply reported that it was theoretically possible to remote wipe somebody’s iDevices just by abusing Amazon’s and Apple’s flawed password reset routines.
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
via How Apple and Amazon Security Flaws Led to My Epic Hacking.
Maybe it’s because of a flood of recent stories where journalists’ ethics were questionable, to say the least?
- Jonah Lehrer and the facts
- The summer novel «Kalte Bässe», where a journalist hires a girl to plant bombs so that he’s the guy with the exclusive story about the girl…
April 2011 Critical Patch Update Released
April 20th, 2011
Already 3 months gone by? April 2011 Critical Patch Update Released (direct link to Database vulnerabilities). Mostly obscure components that aren’t in widespread use in the DB world, but who knows…
Intel’s McAfee Acquires Sentrigo To Boost Database Security Offerings. That’s not surprising, given that Sentrigo has the best product in that space. Oracle already acquired Secerno last year, so other vendors now have to build their portfolio.
Dave DeWalt, president of McAfee, said of the acquisition: McAfee is continuing to broaden its security portfolio to now secure databases, as well as endpoints, networks, email and web. He added that the company is also announcing a “complete database security platform” which includes products across the McAfee portfolio.
McAfee’s Vulnerability Manager for Databases will automatically discover all databases on the network, collect a full inventory of configuration details, determine if the latest patches have been applied and scan for vulnerabilities. McAfee’s Database Activity Monitoring (DAM) not only tracks database changes, but also protects data from external threats and malicious insiders with real-time alerts and session termination.
Let’s see what the combined companies are going to bring.