New password advice from GCHQ

New password advice from GCHQ

The GCHQ is the British equivalent of the NSA. They recently published a new document containing the GCHQ’s new password advice in light of the things we’ve learned in the last few years. It’s worthwhile reading, whether you’re a sysadmin or a web developer or just an end user who wants to stay secure online.

Some of the advice may be surprising.

Read more

Security flaws in security tools are all too common

Fireeye runs a bunch of its processes as root, a practice that’s been a no-no since the late 1990s, and they’re more interested in litigation than they are in working with the guy who discovered it.

The attitude is all too common.

Read more

A guide for safe and private web browsing

Continuing in the theme I’ve been following for the last couple of days, here’s a guide to security and privacy with web browsers. Like the guide I linked to yesterday, I’m not sure I agree with it 100%–I think saying never use Internet Explorer is too absolute–but I do agree with the overwhelming majority of it, and if everyone did all of this instead of what they’re doing now, we’d be in a much better state.

And, on a somewhat related note, here’s a rundown of what Windows 10 changes in the way of privacy, and some recommendations, but here’s a hint: You’re going to want to type privacy into your Windows search bar, pull up everything related, and start shutting stuff off. Use your discretion, but chances are there will be several things. If nothing else, there are things that are appropriate for a Windows tablet that aren’t appropriate for a desktop PC.

Let’s get back to privacy and safety in general, whatever OS you’re running. Here are some highlights.

Read more

Five things security experts do vs. five things non-experts do

There was a fair bit of talk last week about a study that compared security advice from security experts versus security advice from people who are at least somewhat interested but don’t live and breathe this stuff.

There were significant differences in the answers, and a lot of security professionals panned the non-expert advice. I don’t think the non-expert advice was necessarily bad. Mostly it was out of date.

Read more

Final thoughts on the Houston Astros’ database

One of my college buddies (Hi Christian!) shared my previous post on Facebook, pointing out that I’m a long-suffering Royals fan in Cardinals country, and adding that what I said was balanced and dispassionate.

I’m normally anything but dispassionate. But in this case, it’s not a baseball matter–it’s a business matter, and neither my employer nor any past employer is involved, so it’s easy to be detached and dispassionate. I guess you can say my take on hacking has changed. I was going to say “evolved,” but “changed” is more dispassionate.

Read more

All-in-One WP Security and Firewall plugin can be spectacular, but be careful

Over the weekend I installed the All-in-One WP Security and Firewall plugin to fix another issue–more on that tomorrow–and I ended up breaking my site. Hopefully I fixed it to a better state than it started in.

The lesson, as with many security tools, is to proceed with caution.

Read more

Worried about the wrong things? It’s always the wrong thing.

Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.

I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.

Read more

Don’t e-mail yourself a list of all your passwords and bank account numbers to yourself from work

So my buddy, we’ll call him Bob, runs Data Loss Prevention (DLP) for a big company. DLP is software that limits what you can do with sensitive information, in order to block it from going out of the company. The NSA wasn’t using DLP back when Ed Snowden was working for them; they probably are now.

Sometimes DLP blocks people from sending their own personal information. Doing so is their right–it’s their information–but from a security point of view, I’m really glad DLP kept them from e-mailing their entire life around in plaintext.

Read more

You’re telling me someone gave a stranger his password?

I was talking breaches last week when a very high-up joined the conversation in mid-stream.

“Start over, Dave.”

“OK. I’m talking about breaches.”

“I know what you’re talking about,” he said, knowingly and very clearly interested.

Read more

This week’s photo leak is a reminder of the need for good passwords

This week, numerous celebrities, mostly female, had their Apple accounts hacked and intimate photos stolen and leaked. There are several things we all need to learn from this.

We don’t know yet exactly what happened, though I’ve heard several theories. One possibility is that the celebrities’ accounts were hacked recently. Another is that someone who’s been collecting these photos through various means was hacked.

The incident probably was inevitable, but it’s also entirely preventable. I can think of three things that led to it. While this discussion may seem purely academic, there are misconceptions many people, famous and not, have and need to get rid of.

Read more