I was talking breaches last week when a very high-up joined the conversation in mid-stream. “Start over, Dave.” “OK. I’m talking about breaches.” “I know what you’re talking about,” he said, knowingly and very clearly interested.
This week, numerous celebrities, mostly female, had their Apple accounts hacked and intimate photos stolen and leaked. There are several things we all need to learn from this. We don’t know yet exactly what happened, though I’ve heard several theories. One possibility is that the celebrities’ accounts were hacked recently. Another is that someone who’s […]
I’ve seen a lot of bad password advice lately. Guessing passwords is just too easy for a computer to do, especially as they get more and more powerful. Formulas are bad, but unavoidable, so here’s what I recommend if you’re not going to use a password manager creating completely random passwords: Unverifiable (or difficult to […]
Heartbleed, a serious vulnerability in a piece of Internet backend software called OpenSSL, is the security story of the week. Vulnerable OpenSSL versions let an attacker read chunks of the server’s memory they were never supposed to see, which can include passwords and session cookies in transit and even the server’s private key. Timing is critical. If a site upgrades to a new version after you […]
If you have a Windows domain, there’s a fairly good chance you have Backup Exec servers, because you probably want to take backups. Because you need them. (As a security guy, I no longer care how you get backups; just that you’re getting them somehow.) Backup Exec is a popular solution for that. But there’s […]
As you probably know, last year some still-unknown criminals stole a whole bunch of credit and debit card data from Target. And the story keeps changing. First there weren’t any PINs. Then they got the PINs, but no personally identifiable data. Well, the latest news indicates they got credit card numbers, names, addresses, phone numbers, […]
A lot of organizations equate security with regulatory compliance–they figure out what the law requires them to do, then do precisely that. Forward-thinking organizations don’t. They see security as a way to get and maintain a competitive advantage, and rather than measure themselves against regulations that are often nearly out of date by the time […]
I mentioned the Yubikey as the ultimate solution to stolen passwords on the excellent Yahoo Marx Train forum, and another member asked me to elaborate on it. Rather than take up a lot of space with some off-topic discussion, I decided it would be better to write about it here. The Yubikey is the best solution […]
I picked up a Celeron G1610 CPU last week and I’m using it to build a Linux box. Yeah, it’s a Celeron. But it performs like a 2011-vintage Core i3 or a 2010-vintage Core i5, consumes less power than either, and costs less than $50. It’s hard to go wrong with that.
Ars Technica talked three password crackers into doing their worst to a leaked database of 16,000 passwords, to see what they could learn. They learned a lot, and we can learn a lot from their experience as well. “qeadzcwrsfxv1331” isn’t a good password. Neither is “Philippians4:13.” Neither is “correcthorsebatterystaple.” Neither is “Qbesancon321” or “Qbe$@ncon321.” Password […]
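The two password posts above (the one on formula passwords and the one on the Ars Technica crackers) turn on the same point: a password built from a recognizable pattern is a short walk through a search space that a cracker enumerates with a rule, however random it looks to a human. Here is an added Python example, not the blog's own code and not the crackers' tooling, that implements three such rules over constructed mini wordlists (the real dictionaries run to millions of entries; the leet table, the chapter and verse bounds, and the list of "already cracked" base passwords are assumptions for the demo) and reports how many guesses each of the sample passwords takes, next to the size of the space a truly random 12-character password leaves.

```python
"""Added example: a toy rule-based password guesser.

Shows why pattern ("formula") passwords fall quickly. Every rule below is a
structured search space; the target password is found at a predictable, small
position inside it. Wordlists, the leet table and the chapter/verse bounds are
constructed for the demo, not taken from any real cracker.
"""
import itertools
import math

# Constructed mini dictionaries (real wordlists are orders of magnitude larger).
COMMON_WORDS = ["correct", "horse", "battery", "staple", "dragon", "monkey", "letmein", "shadow"]
BIBLE_BOOKS = ["Genesis", "Psalms", "Proverbs", "John", "Romans", "Philippians", "Revelation"]
MAX_CHAPTER, MAX_VERSE = 150, 176  # assumed upper bounds: Psalms has 150 chapters, Psalm 119 has 176 verses

# Crackers feed previously cracked passwords back through mangling rules.
# Assumed for the demo: the plain spelling was already recovered.
ALREADY_CRACKED = ["Qbesancon321"]

# Leet substitutions applied to every character of a base word (plain spelling first).
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5"}


def leet_variants(base):
    """Enumerate every spelling of `base` under the LEET table."""
    choices = [LEET.get(ch, ch) for ch in base]
    return ("".join(combo) for combo in itertools.product(*choices))


def leet_space(base):
    """Size of the leet search space for one base word."""
    return math.prod(len(LEET.get(ch, ch)) for ch in base)


def passphrase_candidates(words, n):
    """All n-word concatenations of a dictionary: the 'correct horse battery staple' pattern."""
    return ("".join(combo) for combo in itertools.product(words, repeat=n))


def verse_candidates(books):
    """Book + chapter:verse strings: the 'Philippians4:13' pattern."""
    return (f"{book}{ch}:{v}" for book, ch, v in
            itertools.product(books, range(1, MAX_CHAPTER + 1), range(1, MAX_VERSE + 1)))


def guesses_to_find(candidates, target):
    """Number of guesses until `target` is produced, or None if the rule never produces it."""
    for n, candidate in enumerate(candidates, 1):
        if candidate == target:
            return n
    return None


def crack(target):
    """Try each rule in order. Returns (rule name, guesses used, rule's search space) or None."""
    rules = []
    for base in ALREADY_CRACKED:
        rules.append(("leet mangling of an already-cracked password",
                      lambda b=base: leet_variants(b), leet_space(base)))
    rules.append(("4 dictionary words joined",
                  lambda: passphrase_candidates(COMMON_WORDS, 4), len(COMMON_WORDS) ** 4))
    rules.append(("bible book + chapter:verse",
                  lambda: verse_candidates(BIBLE_BOOKS), len(BIBLE_BOOKS) * MAX_CHAPTER * MAX_VERSE))
    for name, make_candidates, space in rules:
        n = guesses_to_find(make_candidates(), target)
        if n is not None:
            return name, n, space
    return None


def random_password_space(length, alphabet_size=94):
    """Guesses needed to exhaust a truly random password over printable ASCII (94 symbols)."""
    return alphabet_size ** length


if __name__ == "__main__":
    for pw in ["Qbe$@ncon321", "correcthorsebatterystaple", "Philippians4:13", "x7#Qm2!pLw9z"]:
        print(f"{pw:28} -> {crack(pw)}")
    print(f"random 12-char password      -> {random_password_space(12):.2e} candidates")
```

Run it and the three "strong-looking" passwords fall within a few hundred thousand guesses at most, which a GPU cracker gets through in a fraction of a second against a fast hash like MD5, while the random 12-character password leaves about 4.8 × 10²³ candidates and is never produced by any of the rules. The leet rule makes the point of the Qbesancon321 / Qbe$@ncon321 pair: once the plain spelling is known, the "hardened" variant costs at most 36 extra guesses.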