Shaping the Security Minds of Tomorrow

So it seems I will be lecturing 'Mobile Computing and Security' for Northern Sydney Institute of TAFE's Bachelor of Network Security this semester.  It should be an interesting challenge and I'm quite looking forward to it.  It seems like a pretty good program they run, with a mix of industry certifications and a good broad range of more traditional university type subjects.

IE Cursor-tracking Data Leakage.

Now this is really interesting, especially if you're using onscreen virtual keyboards to prevent MITM capture of keystrokes.

And according to Spider.io: "The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month".

Mega Security?

Interesting look at some of the security architecture in the new Mega site

http://fail0verflow.com/blog/2013/megafail.html

I think the key message here is that if you are going to implement cryptographic systems, even standards-based ones, you need to understand the limitations of that particular implementation and its correct uses.

A New Take on Insider Threat?

This is just plain funny
http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/

Stand back...

Nice description of why regex-based blacklists are bad

http://deadliestwebattacks.com/2013/01/14/a-lesser-xss-attack-greater-than-your-regex-security/

Complexity the worst enemy of security

First post for 2013. The plan is to hopefully be a bit more active after a slow 2012!

I came across this interesting article that has the details of an interview with Bruce Schneier.

While I pretty much agree with Bruce and especially like Bruce's last comment: "Is my data more secure with you than it is with me?", I think the problems begin with the follow-up to that question - which is "prove it".

Now 'proving security' is fraught with danger (and is most likely an impossible task), but while you may have a good understanding of what you do - or don't do - from a security perspective, it's the lack of details that cloud providers will supply on their security practices (other than to say "we use military-grade encryption" or "we follow industry best practices") that always concerns me.

"Trust us" seems to be the mantra from a number of cloud or SaaS providers and trust them we have, sometimes with less than stellar results.

Before signing over the keys to the kingdom to cloud providers, I think it's important to get a good understanding of exactly how they protect your data, what will happen if they do suffer a breach (at what point do they notify you? When they suspect something happened or 2 weeks later when they've confirmed the breach?) and what you can do to protect your data (such as encrypt everything and keep the keys to yourself).
