Somehow, this story sounds familiar: a total of 243,000 credit card numbers stolen, and that many more potential victims. Yet they are far from alone; just a few weeks ago, data (including Social Security numbers) on 26 million veterans was stolen. This is becoming an ugly trend.
No matter how many reminders are given, it seems the message never makes it through. There is no shortage of products that would have made both of these stories far less serious, but in both cases there was no real attempt to protect the data. Had the data been encrypted, there would likely have been no real risk to the public. But that wasn’t the case.
Due to bad and poorly enforced policies, laziness, and a lack of understanding, millions are at risk. Small mistakes can have a massive impact; when dealing with private data, take every possible measure to ensure it stays private.
Yesterday the news hit of a new vulnerability that threatens the security of all code, dubbed Trojan Source by researchers from the University of Cambridge. From an initial analysis, it does seem to impact just about everything, and the status of fixes is very hit-or-miss at this point. But the real question is: does this even matter? Is this issue worth spending your time on? Let’s look closer.
My employer recently completed the final audit to confirm ISO 17799 compliance, and the process was a real eye-opener. In a process that should have been fairly short and painless, the ordeal lasted close to a year, with me joining the company just before the second, and largest, audit. That made my first few weeks rather interesting, to say the least.
While 17799 does have some complex requirements, most of the issues found had more to do with the overall mentality than with the true technical issues involved.
When you are looking for TLS (SSL) certificates, there are three different types available, and they vary widely in price and in the level of effort required to acquire them. Which one you choose affects how your certificate is treated by browsers; the question for today is: are EV certificates worth the money? To answer this, we need to understand what the differences are and just what you are getting for your money.
The Three Options
For many, the choice of certificate type has more to do with price than with type; for that matter, not many people even understand that there are real differences between the types of certificate that a certificate authority (CA) can issue.
@KimZetter We need to distinguish between "proof against NSA dragnet", "proof against NSA PRISM", and "proof against NSA TAO". @runasand — zooko (@zooko) September 17, 2014
For a long time, “military grade encryption” has been a red flag for snake oil: over-hyped, under-performing garbage, so much so that it’s become a punchline. Any time that phrase is seen, it’s assumed that the product is a joke, quite possibly doing more harm than good.
There are two ways to implement security:
1. Real security, based on empirical evidence and analysis.
2. Checklist security, based on the latest checklist somebody says is important.
When security is based on real evidence and analysis, policies are enacted based on real gain and measured against the business impact. Risks are considered, and the costs versus benefits are well understood, so that policy choices are based on real, useful information.
On the other hand, there’s security by checklist.