Friday, August 31, 2007

SONY's Latest Screwup

Which one, you ask.
This one has to do with another (yes, another!) rootkit problem. And it has to do with, ironically enough, their secure USB stick. How in the world, after learning a very bitter lesson with their idiotic DRM rootkit 'protection', SONY can create another fine mess is beyond me.

I really think they need a rethink on how they approach security, be it authentication via fingerprint analysis or simply protection of IP. Security by obfuscation is not security - it's a pathetic camouflage that will come unraveled before you know it. Companies such as F-Secure and McAfee are not twiddling their thumbs waiting for the next threat - they can already foresee what hackers are going to be up to.

And in such cases, rootkit exploits are passé and so can be easily detected, as F-Secure did with SONY's misguided implementation of fingerprint data protection using that horrid method.

The problem here is not that SONY chose to protect the data, but the way they set about doing it. I think I can smell another class action suit rising up from within the dark war-rooms of plaintiff firms.

So, another lesson learned - a final one, we hope.

Be safe!

Monday, August 20, 2007

The State of Security

http://www.infoworld.com/article/07/08/20/34FEnextbigthing_grimes_1.html

In an interesting article, Roger Grimes talks about how the state of Security is pathetic and appalling (I agree), and how, in the future, authentication on chips and similar advances would make hacking unprofitable and eventually make our online experience safe (I disagree).

It's like this:
It doesn't matter what algorithm you create - and what keyspace you may have - but the weakest link is the human being and human error. Once the key is exposed nothing can save it - not even the strongest encryption.

Only one thing can save us from being such idiots when it comes to Security, and that is multifactor authentication. "What you have, what you know, and who you are" -- any two would help, yes, but all three would be NEARLY bulletproof. Notice I use "nearly" - and that's because NOTHING is unbreakable.

Everything has a weak point, a vulnerability (Patch Tuesday, anyone?) that people are more than happy to discover, exploit, and profit from. And in this respect, the abysmal state of Security literacy and lack of focus on such issues in our education system will together drag down any advances that Security scientists and researchers may make (may have made).

You have SSL for browsers? Hmm, just phish with real-sounding fake names. You have sitekey? Create an alternative site with a map of any and all authenticating images and ask the user to enter the password. Unless it's an educated user, you'll find that nearly 99.99% will enter the password DESPITE seeing an incorrect sitekey.
Why is that? Simple - psychology. People have this air of infallibility around them, and hackers use that to full potential, to their own benefit.

How does one really avoid such issues?
a. Multifactor authentication (iris scan/fingerprint; password; smartcard)
b. Intensive and regular education
c. Strict policies and granular access control
d. End-to-end monitoring of all packets - bidirectional
...

Simple monitoring and alarms will not work; what's needed is a total change in/of philosophy when it comes to revealing one's identity on the Web to complete and possibly criminal strangers. You would not give out your house key to just anyone - so why would you give your password/id out to shady sites without verifying they are who they say they are?

Ultimately, it does not matter how much progress we make in terms of Security (new algorithms, large keyspaces, complex passwords, password protection and PBE implementation, etc.) - but what matters is what end-users are willing to do to protect themselves. Having electrified fences, a guard dog, 12-foot-high gates, an advanced alarm system: these are all fantastic when it comes to protecting your home, but none of these can help if you left your front door ajar.

Be safe!

Friday, August 10, 2007

EMC's Purchase of Tablus

http://www.thestreet.com/s/emc-expands-data-security-reach/newsanalysis/techsoftware/10373440.html?puc=googlefi

This is a really good buy - EMC is fast expanding its Security offerings. Coupled with its content management system, it's not that hard to see where EMC is headed. And you already know that EMC bought RSA - and the wealth of knowledge that comes from RSA is unparalleled. The main competitor to EMC, NetApp, has Decru, but I have not read up much about it, although it seems like a very capable product.

Tablus makes content PROTECTION systems; you can call them 'leak management' systems. The idea is that an administrator will prepare a policy of what's sensitive and assign a grade of some kind. The system then parses through the various files and figures out if they match the criteria set in the policy. Based on settings it can block/inform/audit the actions that took place on the protected object.
You know the rest.
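The policy-then-match-then-act flow described above, as an added example (not Tablus's code or any product's API). The rule names, the 1-3 grade scale, the grade-to-action mapping and the sample documents are all assumptions constructed for illustration; the Luhn check shows how a content rule can reject look-alike digit runs before acting.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    grade: int                                   # hypothetical scale: 1 low .. 3 high
    validate: Optional[Callable[[str], bool]] = None

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: filters out 16-digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# The administrator's policy: what counts as sensitive, and how sensitive.
POLICY = [
    Rule("payment-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), 3, luhn_ok),
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3),
    Rule("internal-marking", re.compile(r"\bCONFIDENTIAL\b", re.I), 2),
    Rule("email-address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), 1),
]
# The "settings": which action each grade triggers.
ACTIONS = {3: "block", 2: "inform", 1: "audit"}

def classify(text: str):
    """Return (action, matched rule names) for one document's text."""
    matched = []
    for rule in POLICY:
        for m in rule.pattern.finditer(text):
            if rule.validate is None or rule.validate(m.group()):
                matched.append(rule)
                break                            # one confirmed hit per rule is enough
    grade = max((r.grade for r in matched), default=0)
    return ACTIONS.get(grade, "allow"), [r.name for r in matched]

# Constructed sample documents (file name -> contents).
SAMPLES = {
    "order.txt": "Order ref 1234 5678 9012 3456, contact ops@example.com",
    "billing.txt": "Card on file: 4111 1111 1111 1111",
    "roadmap.txt": "Confidential: Q3 roadmap draft",
    "menu.txt": "Lunch menu for Friday",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, *classify(body))
```

The order reference in `order.txt` has the shape of a card number but fails the checksum, so only the lower-grade e-mail rule fires and the file is audited rather than blocked.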

Be safe!