Twitter is worried about all the media company accounts being hacked, and has released some guidance. These aren’t exploits of Twitter itself, but of media companies, typically through phishing.
On March 13th I received a birthday card. It was from my Dad. It was a nice card, it was clear he had put some thought into the card selection, and I was genuinely swayed by his thoughtful memento. On the Ides of March I received a birthday card from my grandmother. Another nice card and it was thoughtful that she remembered my birthday. Two weeks later a birthday gift arrived from my mother. Not for me, mind you, but for my wife. It was a beautiful gift, obviously expensive, and again a…
It probably went unnoticed by most of the security community, but yet another Twitter hack this week exposed more flaws with high frequency trading systems. When someone took control of the Associated Press Twitter account and injected a fake news announcement that bombs had exploded in the White House, many people (unsurprisingly) believed the tweet without attempting to verify. That 140-character message sent the stock market down in a “flash crash” – 140 points in a matter of minutes.
Perfect is my least favorite word in the English language. Nothing is perfect. There are always things that can be improved upon, no matter how good they are. And striving for perfection is an express train to disappointment and unhappiness. I’m a card-carrying disciple of “good enough”. It doesn’t need to be perfect to add value. So I don’t obsess about typos, misplaced pixels, or any other such nonsense. Which can irritate certain business partners [and editors] at times. But I’m not going to…
The good news about being in security is that you don’t have to look too far for criticism of your work. Most of the time it’s constructive criticism, so overall interaction with the security community makes your work markedly better. Which is why we live by the Totally Transparent Research process. It makes our work better.
This summer James Arlen and I are teaching the recently updated cloud security class we developed for the Cloud Security Alliance (CCSK Plus). We are pretty excited to teach this at Black Hat, and will be bringing a few extra tricks to handle the more advanced audience we expect.
I tend to avoid “security jazz” blog posts – esoteric arguments contrasting what we should be doing in security against what we do today. These rants don’t really help IT professionals get their jobs done, so I skip them. But this is going to be such a post because I need to talk about big data security approaches. Many of you will stop reading at this point. But for you data architects, CISOs, and security product development teams learning about how to plan for big data security…
There are two ways to respond to criticism of your security product, especially when encryption is involved.
Respond cautiously, openly, and positively as demonstrated last week by AgileBits, the folks behind 1Password.
A few hours after this post goes live, the Verizon Enterprise risk team will release their 2013 Data Breach Investigations Report. This is a watershed year for the report, as they are now up to 19 contributing organizations including law enforcement agencies, multiple emergency response teams (CERTs), and even potential competitors. The report covers 47,000 incidents, among which there were 621 confirmed data disclosures. This is the best data set since the start of the report, so it provides…
All the discussion so far in our CISO’s Guide to Advanced Attackers has been of preparation for the main event. The bell rings when an alert fires and it’s time for your incident response process to kick in. But as we have seen through our adversary analysis and intelligence gathering, “advanced attackers” present some unique challenges. In particular, they have significant resources and time, which makes them difficult to deter – even if you successfully block one attack or stop a specific…