Roger Halbheer on Security
In certain areas, getting security right can seem to be very easy. But, hmm, let’s look at this: Poorly anonymized logs reveal NYC cab drivers’ detailed whereabouts. They used MD5 to anonymize the license plate numbers of the taxi drivers – and they did not use any salt. So, it is fairly easy to run…
DetailsWhen I look at the way security is treated in a lot of companies, I see two fundamental challenges: Security is seen as a compliance function only. In other words, security people tend to hide behind policies. This is fairly simple for us, isn’t it? We can take the policy and tell somebody to follow…
DetailsLet’s assume for a second, that the content of this article is correct: Google’s backward step on Android app privacy. Then it shows – once more – that Google is a very innovative company with a very limited view on user’s privacy and security. When you look at the new security user experience in the…
DetailsI recently had an interesting discussion: If you want to get malware onto a smartphone, what do you need to do to make the user install? Well, it depends technically pretty much on the smartphone. But from a user perspective it is fairly simple: Write an app a lot of people want. How do you…
DetailsA lot has been written about the European court decision and the right to be forgotten. It seems that about 12’000 people now asked Google to get something deleted. There are different aspects now, when we look into this: I guess it would cause a wrong sense of security – well better privacy – if…
DetailsYou might have read the articles how you can download security updates for Windows Embedded onto Windows XP to address vulnerabilities in Windows XP. This is an interesting problem. So, it is easy to force XP to download updates for a different OS. Is this now good or bad? Well, it is kind of both.…
DetailsTo start with the way I look at the answer of the question above: Yes, I think so. Basically, when you talk with people knowing the industry, the classical signature-based approach never even worked. It was able to detect a certain number of viruses, which typically is a just small percentage of what the technology…
DetailsI think I really do not need to comment this as the title itself says it all: US arrogance puts further doubt on cloud data sovereignty If you add some content, I just think they do not get it: New York-based U.S. Magistrate Judge James Francis last week ruled that local search warrants must include…
DetailsMaybe Heartbleed has the positive side-effect that users think about using different passwords for different sites (and then a password manager?) or websites start to think about using two-factor authentication? The downside typically is, that these effects tend not to last all too long… or how far did Snowden really change people’s behavior? Heartbleed’s silver…
DetailsThat’s a big “outch”: Be Careful what you Scan for! Just to quote SANS: After some fun and games at one customer site in particular, I found that the SSL services on the earlier versions of the HP Proiliant Servers iLo ports (iL01 and iLO2) are not susceptible to heartbleed. However, their implementation of SSL…
DetailsI was doing quite some PKI projects in my former life. One of the key themes during the policy discussion and then afterwards in the implementation was always the way somebody can revoke a certificate and then how the revocation was communicated. Shall OCSP be used or shall we stay with the good old CRLs?…
DetailsThis is the first time, I had to go through an emergency update process of that scale – well better, my team went, I do not want to claim any success here for myself. I was basically just an observer. However, there were a few interesting things, which I learned during the last few days:…
DetailsI guess, you have have been through such meetings as well? At least I felt fairly often like that, when I was in consulting
Roger
The next development in the whole NSA discussion. The EU and Brazil decided to build a transatlantic cable between Europe and Latin America – as a reaction to protect privacy, they say. Well, the quotes are fairly harsh and direct… We have to respect privacy, human rights and the sovereignty of nations. We don’t want…
DetailsRemember my post back in November? If something is free – you are the product! – Now I read an article today, which completely proves this point. It is about Google being sued for scanning student emails. The really interesting thing is this quote: Of course it’s not news that Google reads the emails in…
DetailsIt is fairly well-known that “the Internet” knows a lot about us. However, there is a really good story on ZDNet, which shows how far you can go even with people who try their best to protect their identity. Before you read the article, there is one thing to mention: To my knowledge there are…
DetailsA teacher in the US reached a settlement with his former employer regarding an age discrimination suit. It was agreed that the $80k settlement should remain confidential. However, the teacher informed the court that they had to tell their daughter “something”. Which led the girl to post on Facebook (“only” to her 1200 “friends”): Mama…
DetailsIt is obvious: Less admin privileges reduces the risk of successful attacks. This is not really news, isn’t it? That this reduces the attack surface dramatically, well, not new either: Time to drop unnecessary admin privileges What I am really wondering: We are all talking about Bring Your Own Device scenarios, where it is to…
DetailsWeak and lost passwords are always a challenge in an online world. Different countries work now on a protocol to support different authentication methods in an online world to make passwords redundant. I think that this is a really good an interesting approach to keep an eye on: Password-free online authentication a step closer Roger…
DetailsThe White House released a framework for the critical infrastructure regarding Cybersecurity. The interesting part is, that it is not based on a certification approach but on risk management. Definitely the right mindset as it allows companies to move away from compliance management to risk management. I am absolutely convinced that managing compliance has its…
Details