Roger Halbheer on Security
It is and was a big theme in politics: e-Voting. Even though I was confronted with the first projects early 2000 I do not like them more 14 years later… There are different reasons for that: At least in Switzerland, I do not see any value. We can vote personally as well as by postal…
DetailsRecently a (at least for me) new phenomenon appeared on the web: Faked data breaches. As the announcement of a data breach typically draws a lot of attention, it is just to be expected that faked announcements will hit the web. Additionally in a lot of media like Twitter and Facebook, speed is more important…
DetailsAges ago, a few companies founded SAFECode – an organization to help improve security in development. In a lot of cases, they really publish interesting work which can be leveraged by organizations. Steve Lipner (one of the developers of the Security Development Lifecycle at Microsoft) and Eric Baze, EMC just published an interesting post on…
DetailsAgain, it was to be expected that scammers would jump on the new domains ending in – like .support. The interesting thing now is, that as they own the domain they can fake two thing: If you mouse-over the link, what you see is what is under the link. So, we trained users for years…
DetailsThis is kind of interesting: IDC reports endpoint security market is booming, but isn’t antivirus dead? I am still deeply convinced that Anti-Virus by itself does not add a lot of value. You can use better technology to protect against malware (see Is Anti-Virus Technology Dead?). If I see that this market is still predicted…
DetailsThe longer the more the industry as well as the customers move towards outsourcing or the Cloud (which – to me – is a special case of outsourcing). If we look at the security impact of such moves, I guess that for most customers/enterprises it makes a lot of sense. IT and Security is often…
DetailsThe economy of cybercrime is one of the themes I often look at. Basically, when defending against criminals, it is all about raising the cost in a way that their balance sheet reaches a tipping point towards cost. In other words, it is too expensive to carry out an attack to be attractive. Raising the…
DetailsIn certain areas, getting security right can seem to be very easy. But, hmm, let’s look at this: Poorly anonymized logs reveal NYC cab drivers’ detailed whereabouts. They used MD5 to anonymize the license plate numbers of the taxi drivers – and they did not use any salt. So, it is fairly easy to run…
DetailsWhen I look at the way security is treated in a lot of companies, I see two fundamental challenges: Security is seen as a compliance function only. In other words, security people tend to hide behind policies. This is fairly simple for us, isn’t it? We can take the policy and tell somebody to follow…
DetailsLet’s assume for a second, that the content of this article is correct: Google’s backward step on Android app privacy. Then it shows – once more – that Google is a very innovative company with a very limited view on user’s privacy and security. When you look at the new security user experience in the…
DetailsI recently had an interesting discussion: If you want to get malware onto a smartphone, what do you need to do to make the user install? Well, it depends technically pretty much on the smartphone. But from a user perspective it is fairly simple: Write an app a lot of people want. How do you…
DetailsA lot has been written about the European court decision and the right to be forgotten. It seems that about 12’000 people now asked Google to get something deleted. There are different aspects now, when we look into this: I guess it would cause a wrong sense of security – well better privacy – if…
DetailsYou might have read the articles how you can download security updates for Windows Embedded onto Windows XP to address vulnerabilities in Windows XP. This is an interesting problem. So, it is easy to force XP to download updates for a different OS. Is this now good or bad? Well, it is kind of both.…
DetailsTo start with the way I look at the answer of the question above: Yes, I think so. Basically, when you talk with people knowing the industry, the classical signature-based approach never even worked. It was able to detect a certain number of viruses, which typically is a just small percentage of what the technology…
DetailsI think I really do not need to comment this as the title itself says it all: US arrogance puts further doubt on cloud data sovereignty If you add some content, I just think they do not get it: New York-based U.S. Magistrate Judge James Francis last week ruled that local search warrants must include…
DetailsMaybe Heartbleed has the positive side-effect that users think about using different passwords for different sites (and then a password manager?) or websites start to think about using two-factor authentication? The downside typically is, that these effects tend not to last all too long… or how far did Snowden really change people’s behavior? Heartbleed’s silver…
DetailsThat’s a big “outch”: Be Careful what you Scan for! Just to quote SANS: After some fun and games at one customer site in particular, I found that the SSL services on the earlier versions of the HP Proiliant Servers iLo ports (iL01 and iLO2) are not susceptible to heartbleed. However, their implementation of SSL…
DetailsI was doing quite some PKI projects in my former life. One of the key themes during the policy discussion and then afterwards in the implementation was always the way somebody can revoke a certificate and then how the revocation was communicated. Shall OCSP be used or shall we stay with the good old CRLs?…
DetailsThis is the first time, I had to go through an emergency update process of that scale – well better, my team went, I do not want to claim any success here for myself. I was basically just an observer. However, there were a few interesting things, which I learned during the last few days:…
DetailsI guess, you have have been through such meetings as well? At least I felt fairly often like that, when I was in consulting
Roger
