“… a secret NSA program code named DROPOUTJEEP has nearly total access to the Apple’s iPhones ….” This includes access to cameras and microphones. http://thehackernews.com/2014/01/DROPOUTJEEP-NSA-Apple-iPhone-hacking-tool.html
Fun with flash memory
Multiple posts covered a presentation at the CCC that outlined how the researchers could write programs onto flash memory such as SD cards. A quote from the ThreatPost article referenced below: “In other words, the maker of these particular chips, and likely a whole slew of others, is not adequately securing the firmware update process. From this point, the… Continue reading Fun with flash memory
Security isn’t just about keeping bad people out
Responsible risk management should assume breaches are inevitable, and while effort must be put towards securing boundaries, effort should also be directed to ensuring proper authentication (AuthN) and appropriate authorization (AuthZ) within the system(s). Trust must be extended to employees and authorized parties, but stakeholders in a system should regularly review access to ensure that… Continue reading Security isn’t just about keeping bad people out
Kevin Bacon & the NSA
Members of Stanford Law School’s Center for Internet and Society have published some blogs recently (Nov 13 & Dec 12, 2013) regarding phone metadata and the connectedness of individuals via phone calls, based upon NSA standards for searching/parsing data about phone calls (from declassified NSA documents). The blogs do not assert that the NSA bypassed legal requirements… Continue reading Kevin Bacon & the NSA
Password Managers
Password Managers and Post-It Notes
Annoying or funny vignette?
As a security professional at a Fortune 500, I can tell you that few security professionals in a mature enterprise want to spend the resource hours to police where you keep your passwords. It’s a wasted investment. I’d rather give you better options and make doing “the right thing” (more appropriately, “the more secure & effective process”) easier for all users.
Moral: incentivize the behaviors you want.
In the corporate world, single sign-on (#SSO) or federated identities are enabling capabilities we target, but given the lack of commoditization in this industry, pricing for these abilities can be prohibitive (see #Okta or #OneLogin). This functionality will reduce in price with age and competition. Capabilities delivered securely will always cost something, though, as any worthwhile business enabler does.
For personal use I’m a fan of LastPass. You can set it up with a YubiKey from Yubico as well.