Five things security experts do vs. five things non-experts do

There was a fair bit of talk last week about a study that compared security advice from security experts versus security advice from people who are at least somewhat interested but don’t live and breathe this stuff.

There were significant differences in the answers, and a lot of security professionals panned the non-expert advice. I don’t think the non-expert advice was necessarily bad. Mostly it was out of date.

Read more

What I would have done to secure the Astros’ database

The now-infamous breached Houston Astros database sounds like a classic case of what security professionals call Shadow IT: a project that the business needs, done without adequate involvement from security and, most likely, from the IT department as well.

These kinds of things happen a lot. A go-getter implements it, cutting through red tape to get a useful project done in record time, and it’s great until something goes wrong.

In this case, “wrong” meant a competitor got into the database and stole trade secrets.

Read more

Beyond compliance: Maturity models

A lot of organizations equate security with regulatory compliance–they figure out what the law requires them to do, then do precisely that.

Forward-thinking organizations don’t. They see security as a way to get and maintain a competitive advantage, and rather than measure themselves against regulations that are often nearly out of date by the time they’re approved, they measure themselves against a maturity model, which compares their practices with similar companies in similar lines of work so they can see how they measure up. Read more

You need a Yubikey.

I mentioned the Yubikey as the ultimate solution stolen passwords on the excellent Yahoo Marx Train forum, and another member asked me to elaborate on it. Rather than take up a lot of space with some off-topic discussion, I decided it would be better to write about it here.

The Yubikey is the best solution I’ve seen yet for the problem of remembering passwords. I am a computer security professional by trade, but I will try to avoid as much techno-jargon as I can, and explain what I do use.

Read more

New security features for Evernote

This comes courtesy of Dan Bowman: If you’re an Evernote user (I’m not, at least not yet), it now has three new security features, including the all-important two-factor authentication. Those of you who rely on Evernote would do well to look into enabling two-factor authentication, at the very least.

Beware of unexpected links in e-mail messages

Hackers are stealing Yahoo accounts by sending messages containing malicious web page links.

The message looks like a link to a web page on MSNBC. But if an unsuspecting user clicks on it, it redirects to another page that steals the e-mail account, allowing the hacker to use the account to send spam, or grab the account’s contact list.

The gory details are here.
Read more

Workable two-factor authentication

I’m several months late to this party, but I just saw Marcel’s post on Google’s two-factor authentication with a smartphone.

He’s right. It works until someone steals your phone. Once someone steals your phone, you’re in a world of hurt. It’s just a compromise, until we find a way to do two-factor authentication the right way.

The right way is with a smartcard, issued by some sort of central authority. Read more

Ways to keep your password from being guessed–today

Articles like Ars Technica’s Why passwords have never been weaker — and crackers have never been stronger are getting more and more common these days.

In a positive development, I don’t think the story had been live more than an hour or two before people started asking me questions. That’s good, because that tells me that people care.
Read more

Don’t let what happened to Mat Honan happen to you

Technology journalist Mat Honan infamously had his entire digital life hacked and erased this week. Slate published some advice to keep the same from happening to you, and my former classmate and newspaper staff mate Theo Hahn asked me to comment.

Read more

Don’t use Password1 as your password

CNN reported yesterday that Password1 is the most common password in business environments. It’s the simplest password that meets common “complexity” requirements. It illustrates the problem with complexity requirements–a password can meet those requirements while still being extremely predictable.

As such, those passwords can be easy to guess, and they cast doubt on the entire idea of complexity.

Read more