Risk assessment: a glimpse of the future

I believe a great risk assessment gives you a glimpse of the future. It gives you more control and more certainty; trust is good, control is better. If you are like me and on occasion have a niggle in the back of your mind about the security of your company or of a new project going live, a risk assessment is the way to get that peace of mind. If you like to be confident that you have thought through all the issues and angles, this is an exercise you should do regularly. When you need to decide on anything security related and need to know whether it is the right decision, you first have to answer the question: what is the risk? When you need to know whether you are getting value from a security investment, the same question applies. This is why you need to do a risk assessment.

RSA and SCADA: two ends of the disclosure spectrum

In the last week we have seen what I feel are the two ends of the disclosure spectrum for security. On one end is the RSA SecurID incident, with a statement so high-level that Schneier called it "corporate spin"; on the other are 34 vulnerabilities, with proof-of-concept code, in SCADA systems, disclosed by a researcher without following responsible disclosure principles. Both are far from ideal and badly in need of improvement.

Feeding an offline reading habit

Ever since I got an iPhone 4 with the retina display I have been hooked on keeping up with my favourite tech and security blogs on the move. Yes, I'm one of those annoying zombies you see reading on their phone while walking, standing in line, on the train and so on. It has enabled me to make better use of this time and keep entertained. However, one of the major problems is that I live in London and most of my reading is done on the one-hour commute to and from work on the tube (the underground). The tube has no Internet access, so I have had to find some offline ways to feed my habit. These are some of the best ways I have found to read and share what I like:

Mitigating OWASP top 10 without any code

We have been taught in the last 10 years that application security is what matters, that software must be coded securely and that infrastructure is becoming less and less relevant. So why is it that, when I write the security view for a recent project, the majority of my web application security threats are mitigated by the infrastructure?

Google+ - many ways to do identity?

Update 2011/06/28:

Looks like Google+ finally launched, if only to a select group of invitees: http://techcrunch.com/2011/06/28/google-plus/

Analysis of the security and identity implications of Circles will follow as more information comes out. Having it baked in from the start should make a lot of difference. Lessons look to have been learned, with Instagram-style filters for photo sharing and a mobile application built from the start.

Let's just hope it doesn't take a Wave-length timeframe to launch to everyone.

Exciting news today with Google Circles to be announced at SXSW, and then, disappointingly, not. Let's hope that Google can learn the lessons of Wave: don't stretch the hype for too long before the launch, and don't screw up privacy. Let's also hope they can deliver something that is truly engaging and delivers the vision of law 5 of the Laws of Identity, where others have failed:
5. Pluralism of Operators and Technologies
A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers
Facebook Groups has yet to solve this problem, and Zuckerberg's quote "Having two identities for yourself is an example of a lack of integrity" may suggest they will never get it and do not see it as a problem.

More analysis to come as details on Google Circles are released. Until then, this deck outlining what is possibly the vision behind Google Circles is well worth reading:

The videos are well done:

DDOS protection strategies

Distributed Denial of Service (DDOS) has drawn attention lately, with incidents ranging from Anonymous taking down the Visa and MasterCard sites as retribution for cutting off donations to Wikileaks, to WordPress being attacked from China. A talk at the DC4420 meetup in London described DDOS as the modern political protest, comparable to a crowd protesting on Oxford Street. The protest means that some people cannot go shopping and media attention is drawn to the cause; when PayPal goes down for a few hours, the tech blogs, Twitter and eventually the old media play a similar role. In addition, the few million the site loses to downtime may make it think twice about bowing so quickly to pressure from a US senator. Regardless of motives, if you operate a major website today, especially one where every minute of downtime has an impact on the bottom line, DDOS protection is something you have to think about.

Password stolen: an ounce of prevention

My response to a HARO question: recent hacks potentially compromised the passwords of hundreds of thousands of users on popular websites, a real problem since people seldom maintain unique passwords. This piece looks at what you should do when your password is potentially compromised and outlines good password hygiene.

Why advertise your Facebook site?

If you do not learn from history:

Data classification: start with the end in mind

My response to a HARO question: to be read by IT managers at SMBs, tips for setting up a data classification system that assigns levels of sensitivity to data. What do they need to know to get started, and what tools will they need to invest in? What are the costs involved, and what are the benefits and pitfalls?

Apple succeeds where security failed with web developers

Interesting article today on some malware with the linkbait title "The mother of all Android malware has arrived". The malware writer downloaded over 50 free applications from the Android app store, added a trojan to them, repackaged them and released them for download. Aided by the fact that they were existing, known applications, it is reported that there were between 50,000 and 200,000 downloads over 4 days (it took Google that long to shut down the malware-spreading applications). The trojan used a root exploit and allowed data to be stolen, as well as opening a back door for the download of further malware.

There is some really good discussion on Hacker News comparing Apple's and Google's approaches to their respective app stores. What struck me most, though, was how Apple's review process appears to have succeeded where security professionals have failed for years with developers.
