Condoms and castles

We are spending billions on protecting the enterprise from hackers and malware, but we're letting the rest of the world burn around us. Most of what matters on the Internet isn't giant corporations or social networks, it's the average user, the person who doesn't know the difference between a trojan and a sniffer. Whether you call them average joes, consumers, citizens or the unwashed masses, these are people who cannot defend themselves. ...


The Liquidmatrix 2012 Security Budget Survey

Welcome to our first ever survey on security budgets. It takes two minutes to answer and will provide our community with valuable data. The survey is anonymous and the results will be published next month. Fill out the

Canada needs a CERT

Over the weekend a Twitter discussion led to an (oft-discussed) idea that we, the Canadian infosec community, need to start a CERT-like entity here in Canada (if you're not Canadian and live in a country without a CERT, then keep reading but do a mental "s/Canada/$yourCountry/g"). Below are my initial thoughts (and some from the weekly podcast by Mr Arlen and Mr Lewis) on a few ...


We are losing

You are at best fighting a delaying action. You cannot even hold back the tide. We are losing. Losing means that our current approach to defense is insufficient to stop the existing threats and adversaries we are facing. I believe that our defenses will be and have been overrun, that we are in constant catch-up mode. A starting point: before we start, I see immense value in the infosec ...


The uncertain purpose of warrantless access

It was not a great week for Western civilization as politicians worked to increase police powers without judicial oversight. Under the banner of stopping pornographers or terrorism, Canadian, American and British politicians are working hard to increase police access to information without judicial oversight. The Canadian Conservatives, under Minister Victor Toews, are pushing bill C-30 (omnibus legislation echoing the previously failed bills C-50, C-51 and C-52), the "Protecting Children from ...


Israeli hackers respond

An Israeli hacker group, IDF-Team (not to be confused with the actual Israeli Defense Force), responded to recent hacks of El Al and the Tel Aviv Stock Exchange by returning the favour to the Saudi Stock Exchange (Tadawul) and the Abu Dhabi Securities Exchange (ADX): Israeli hackers brought down the websites of both the Saudi Stock Exchange (Tadawul) and the Abu Dhabi Securities Exchange (ADX) Monday, in the latest episode of a ...


10 years of breach

I know a lot of companies are struggling with watching their internal network (it's way easier to watch the perimeter, right?), but this is mind-blowing: a San Francisco college is reporting they've been breached by malware for 10 years. How did they not notice this going on for 10 whole years? From SF Gate (via Slashdot): At work for more than a decade, the viruses were detected a few days after ...


Revisiting the insider myth

I love it when someone tells me most of my risk comes from insiders. In the past week I've had the insider breach conversation twice. Fortunately, in both cases the person I was speaking with was quick to listen to my rebuttal (hint: it's based on actual data). First though, a tip of the hat to the folks at the New School of Information Security, who have and continue to ...


28C3

Check out the videos from the recent 28C3 conference here; some great ones include: The Science of Insecurity, a great primer on why network/communication protocols are such frequent sources of vulnerabilities; The Coming War on General Purpose Computing, the must-see keynote by Cory Doctorow (if you watch only one, make it this one); Kaminsky's TCP Black Ops, a long and rather windy talk but the best ...


Installing hope in security conversations

I recently had the pleasure of being interviewed by a local news channel, an interesting experience and one that made me reflect on a bad practice of mine, a practice I hope to undo. As with all interviews, the producer or anchor will ask "will we ever be secure against X?" and my instinctive reaction is to say no (or probably not). That's the wrong answer, but not because it's ...
