Physical security is still key. Custom USB sticks bypassing Windows 7/8′s AutoRun protection measure going mainstream

Oracle’s July 2013 CPU Oracle Database Server Risk Matrix is one of the worst in recent history. Go patching!

Address all senses: Hearing, Seeing, Feeling. Honing your presentation skills for security awareness

Bruce Schneier: Why the FBI’s plan to require weak security in all American technology is a terrible, terrible idea

Dataguise Presents 10 Best Practices for Securing Sensitive Data in Hadoop. Yeah, you gotta hop over to read it at myNoSQL…

Two-Step Verification Will End Consensual Impersonation:

IT security pros are typically delighted to do away with employees’ option for consensual impersonation, and indeed, privileged identity management systems work really hard to make it impossible for those with superuser powers to do. But I suspect the consumer world isn’t quite ready for widespread two-step verification that cuts off this option.

I don’t know if that’s really so much a use case? Then again, I’m just one of these corporate IT security obsessed guys…

Via Two-factor authentication in two years.

New Amazon CloudHSM service vows enterprise-grade security:

Amazon Web Services runs on tons and tons of shared hardware. That’s a huge benefit in terms of cost but also spooks customers with strict regulatory requirements that prevent them from running their applications on shared infrastructure. […] CloudHSM could make regulation-constrained companies and agencies more comfortable entrusting workloads to the Amazon Web Services public cloud.

At $1,373 per month… how much is a HSM if you buy your own (let’s ignore management etc. for a moment).

Going Bright: Wiretapping without Weakening Communications Infrastructure:

Mobile IP-based communications and changes in technologies have been a subject of concern for law enforcement, which seeks to extend current wiretap design requirements for digital voice networks. Such an extension would create considerable security risks as well as seriously harm innovation. Exploitation of naturally occurring bugs in the platforms being used by targets may be a better alternative.

Apparently VoIP implementations are so buggy that there’s no need for vendors to include backdoors!

Google Wants Your Next Password To Be A Physical One:

New research from Google suggests what we all likely know to be true – your pet’s name followed by a few numbers just isn’t cutting it as a password these days.

Google Declares War on the Password:

Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time.

Here’s the article (PDF), it’s been published since TechCrunch and Wired wrote about this.

Google’s Vint Cerf talks identifiers vs. pseudonyms online:

Cerf suggested to imagine a device running on hardware that can generate public and private key pairs in which the private key can’t be extracted without destroying the pair. Furthermore, imagine that the private key can’t be computed from the public key — at least not in any amount of time that would be useful. Finally, this device needs to encrypt or decrypt digital objects on demand.


He continued to say that there might be hundreds of devices associated with us (and therefore, our personal data) at home, in cars, at work, and elsewhere. Thus, he said we don’t want them to be interfered with or release information to parties other than the ones we want to authorize.

Too bad the article doesn’t really mention what he said abot pseudonyms, but here’s a bit more.