Securosis Blog

Rich here,

I need to apologize a bit for sending the Summary out a day late. As most of you know, this week is the big annual RSA Conference and we, Securosis, were busy as heck with conference activities. Between e10+, the Security Blogger’s Meetup, the Securosis Disaster Recovery Breakfast, and tons of conference meetings, it is the busiest week of our year.

In 2011, our friend Josh Corman codified “HD Moore’s Law”:

Casual Attacker power grows at the rate of Metasploit

For those who don’t know, Metasploit, created by HD Moore, is a free penetration testing framework (it is now owned by Rapid7, who also sells a commercial version). Metasploit allows an attacker to rapidly combine an exploit with a payload and initiate attacks, dramatically reducing the complexity compared to hand-coding an attack yourself. Unlike other commercial tools such as…

About the Security Blogger’s Meetup

Rich · February 27, 2013

Seven years ago I had recently started blogging and emailed a few other bloggers to see if we should get together at the RSA Conference. Some of these people I knew, many I didn’t, and I thought it would be fun to have face-to-face arguments with a beer in hand, instead of behind a keyboard (with a beer in hand). Very, very quickly we received offers to sponsor, and we turned it into an actual invite-only event organized by myself, Martin McKeay, and Alan Shimel, with Jennifer Leggio doing,…

Bit9 Details Breach

Rich · February 27, 2013

Bit9 released more details of how they were hacked.

The level of detail is excellent, and there seems to be minimal or no spin. There are a couple of additional details it would be valuable to see (specifics of the SQL injection and how user accounts were compromised), but overall the post is clear, with a ton of specifics on some of what they are finding.

Go buy Take Control of Your Passwords

Rich · February 27, 2013

Joe Kissell, with whom I ‘work’ over at TidBITS, just published Take Control of Your Passwords.

Joe asked me to review the book ahead of time, and it should be mandatory reading (no, I don’t get a cut – that’s my honest opinion). Joe covers the range of password issues I have ranted on before, then includes specific strategies for managing them. Many of you who read this site might not need the book, but I guarantee nearly everyone you know will get something out of it, even if they only read…

Looky here. Adaptive Authentication works…

Mike Rothman · February 27, 2013

It’s funny how some technologies fall out of the hype cycle and folks kind of forget about them. But that doesn’t mean these technologies don’t work any more. Au contraire, it usually means a technology works too well, and just isn’t exciting to talk about any more. Let’s take the case of adaptive authentication: using analytics to determine when to implement stronger authentication. It appears Google has started taking an adaptive approach to authentication for Gmail over the past 18 months:
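The definition above (analytics deciding when to demand stronger authentication) in working form, as an added example. This is not Google’s logic and not code from the post; the signals, weights, thresholds and sample logins are all assumptions constructed for illustration. Each login attempt is scored against the user’s last known login (unrecognised device, impossible travel between the two locations, a distant but plausible move, repeated recent failures, a flagged source IP), and the score maps to allow, step up, or deny:

```python
"""Risk-based (adaptive) authentication decision.

Added example: signals, weights and thresholds are assumptions, not any
vendor's policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed policy weights and thresholds.
NEW_DEVICE = 30
IMPOSSIBLE_TRAVEL = 50
DISTANT_LOGIN = 15
REPEATED_FAILURES = 25
BAD_IP = 40
MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two logins is not travel
DISTANT_KM = 500.0          # a plausible move this far still earns some risk
STEP_UP_AT = 20             # score at which a second factor is demanded
DENY_AT = 60                # score at which the attempt is refused outright


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    device_id: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def risk_score(attempt, last_login, known_devices, recent_failures, bad_ips):
    """Sum the weights of every risk signal present; return (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in known_devices:
        score += NEW_DEVICE
        reasons.append("unrecognised device")
    if last_login is not None:
        km = haversine_km(last_login.lat, last_login.lon, attempt.lat, attempt.lon)
        # Floor at one minute so two near-simultaneous logins cannot divide by zero.
        hours = max((attempt.ts - last_login.ts).total_seconds() / 3600.0, 1 / 60)
        if km / hours > MAX_PLAUSIBLE_KMH:
            score += IMPOSSIBLE_TRAVEL
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        elif km > DISTANT_KM:
            score += DISTANT_LOGIN
            reasons.append(f"distant login: {km:.0f} km from last login")
    if recent_failures >= 3:
        score += REPEATED_FAILURES
        reasons.append(f"{recent_failures} recent failed attempts")
    if attempt.ip in bad_ips:
        score += BAD_IP
        reasons.append(f"source IP {attempt.ip} is flagged")
    return score, reasons


def decide(score):
    """Map a risk score to an authentication decision."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def evaluate(attempt, last_login, known_devices, recent_failures=0, bad_ips=frozenset()):
    score, reasons = risk_score(attempt, last_login, known_devices, recent_failures, bad_ips)
    return decide(score), score, reasons


# Constructed sample data: one prior login from New York, then three attempts an hour later.
T0 = datetime(2013, 2, 27, 10, 0)
PRIOR = Login("alice", T0, "198.51.100.7", "laptop-1", 40.7128, -74.0060)
KNOWN_DEVICES = {"laptop-1"}
BAD_IPS = {"203.0.113.9"}
SAMPLES = {
    "same_device_same_city": Login("alice", T0 + timedelta(hours=1), "198.51.100.7", "laptop-1", 40.7128, -74.0060),
    "new_device_same_city": Login("alice", T0 + timedelta(hours=1), "198.51.100.8", "phone-9", 40.7128, -74.0060),
    "new_device_london_1h": Login("alice", T0 + timedelta(hours=1), "203.0.113.9", "phone-9", 51.5074, -0.1278),
}


def run_samples():
    """Decision for each constructed attempt, keyed by sample name."""
    return {name: evaluate(a, PRIOR, KNOWN_DEVICES, bad_ips=BAD_IPS)[0] for name, a in SAMPLES.items()}


if __name__ == "__main__":
    for name, attempt in SAMPLES.items():
        print(name, evaluate(attempt, PRIOR, KNOWN_DEVICES, bad_ips=BAD_IPS))
```

The first attempt carries no signal and is allowed without friction; the second differs only by device and lands in the step-up band, where a second factor is demanded; the third combines a new device, New York to London in an hour, and a flagged IP and is refused. The point of the design is that the ordinary case costs the user nothing, which is exactly why the technique stops being talked about.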

Let’s just say I almost failed sharing back in kindergarten. Almost 40 years later I’m not a hell of a lot better at sharing (just ask my kids), but if you want to be good at security, you had better do better at sharing than me. Good points here by Don Srebnick (CISO of the City of NY) on using an ISAC to your advantage:

After two years of development, yesterday we flipped the switch and our Nexus product is officially live with our first partner, the Cloud Security Alliance. After all the stress of a nearly-failed launch (one of our security controls decided to filter the payment system) it is incredibly exciting to have this out there for paying customers. Here are some details:

When is a Hack a Breach?

Rich · February 26, 2013

As the hubbub over Apple, Twitter, and Facebook being hacked with the Java flaw slowly ebbs, word hit late last week that Microsoft was also hit in the attack. Considering the nature of the watering hole attack, odds are that many, many other companies have been affected.

The end of MDM (as we know it). Or not.

Mike Rothman · February 25, 2013

You know a technology is close to the top of the hype cycle when talking heads start calling for its demise. Zeus Kerravala goes medieval on MDM in this NetworkWorld column: