Roger Halbheer on Security
This seems to be a discussion since I am in security – and this is quite a while. How and when shall vulnerabilities be disclosed? Shall be paid? Is it legal or illegal? Etc. I try to put a few experiences and thoughts “on paper” here. Before we go into details a disclosure: This is…
DetailsIs there still somebody saying that the police is not innovative? Clever idea (if you know the MAC address of your stolen phone): Police develop MAC-sniffing software to track stolen devices Roger Related articles US policeman goes war-driving to find stolen kit by MAC address (go.theregister.com) Cops Wardriving To Find MACs Of Stolen Gear (packetstormsecurity.com)…
DetailsAs criminals get access to better technology and as the underground markets get more active, it is not surprising that targeted attacks become more mainstream. This is something we have seen over the last 6-8 months as well as extortion threats grew in parallel. There is another trend I see talking to other organizations: Midsize…
DetailsJust read this post by Martijn Grooten ‘Why I fell victim to a LinkedIn scam – and why I would do so again tomorrow’. It is basically about when you accept connection requests on LinkedIn, Xing, Facebook etc. I agree with Martjin that I treat stuff I write on these platforms as public but still,…
DetailsIn my last blog post I claimed that I have not seen a good security metrics system working so far and asked whether it is a failure. On different channels I got some reactions, which I would like to share here. One claim is that – as risk management is at the heart of security…
DetailsMeasuring security is a problem – and not something new. When I look at what we did at Swisscom, we are severely challenged in this area. A lot of companies measure things like incidents etc., metrics which are a complete failure in my opinion. Let’s look at the incident metric for a second. You could…
DetailsThere is a jewel in a security professional’s toolbox, which – in my opinion – is highly underused. At least this is true in infrastructures I know. Since years, Microsoft offers a free tool called EMET (Enhanced Mitigation Experience Toolkit). EMET helps you to leverage the security technology built into Windows. To quote the above…
DetailsThe insider threat is a real threat – nothing new here, this is something we know since quite a long time. Protecting data against misuse by insider (accidentally or criminal) is a key challenge for security organizations as you have to protect data against abuse by people who need to have access to the same…
DetailsThis was interesting to me: I am used to receive these scam mails, promising me millions of dollars. Nothing new there and if I would have gotten rich if I just got 1% of the promised sums across all these years. Now, this week I actually got a letter, real paper with interesting content –…
DetailsI am guilty as charged: There was a time, where I was convinced that companies will never ever outsource their security functions. It seems that I was wrong. It even seems that for some companies the country, where the service is really delivered starts to get less relevant as long as quality fits. And the…
DetailsI am a fan of simple and easy to read policies. I do not think that policies consisting of several thousand documents to any good nor will they be followed.
In this context I found a noteworthy blog post: 5 Tips on Writing Security Policies
Roger
No, I am not offering you any consulting. In the US, a new platform just opened trying to close the gap between freelancers and businesses. It will be interesting to see, how they do:
Startup ‘Stealth Worker’ Matches Businesses With Security Talent
Stealthworker
Roger
I blogged about the work of Jonathan Lusthaus already in the past. To me, he does really interesting work in the area of the underground and how social links and norms impact the underground market. It seems that the Ukrainian war had significant impact on the Russian underground scene. Read yourself: All’s Fair in Love…
DetailsThe US government seemed to have initiated a 30-day security sprint to fix the most important vulnerabilities in their network (US Federal Agencies Launches “30-Day Cybersecurity Sprint” Program). I guess it is a good approach to generate attention and fix the immediate issues. What I do not get is how they are able to address…
DetailsThe typical discussion when it comes to the public cloud is the location of the data. To me, the underlying question is the question about jurisdiction. Who is responsible (legally) if you need support or want to go after the criminals? ZDNet seems to look at it as a question from the past: If you…
DetailsWhen I was working at Microsoft I was sometimes asked, what keeps me up at night. The answer was (and still is) fairly clear: If an attacker would be able to infect a security update, he/she would be able to infect millions of PCs at once. Blackhat is always the time, when such nightmare scenarios…
DetailsIn my opinion, this is an interesting problem: We are very used to today’s asymmetric crypto algorithms, which all base on the problem that it is unbelievably hard to factor a very large number into primes. A hard mathematical problem and security of the Internet is based on it. Now, with quantum computing, this mathematical…
DetailsIf I would have to speculate, I would guess that security in the internet of things will keep appearing in my blog continuously in the future… Looking at the last few weeks, there are different vulnerabilities and incidents which took place showing that the “things” connected to the Internet are more vulnerable than we would…
DetailsThe Dutch TV broadcaster VPRO made a great video (about 50 minutes) about zero-days and security leaks for sales.
It raises really good social questions about the role of governments and citizens. Really worth looking at.
Roger
It is really scary to me: We get discussions again about backdoors in crypto-algorithms, export control for encryption etc. etc. The list is endless. When I started in security just before the change of the millennium, we already had these discussions and I thought that it was agreed that this is a bad thing. Backdoors…
Details
