According to lore, apples both "keep the doctor away" and also precipitate the fall of humankind from Eden. Which is it? The security press is no less dichotomized:
Apple slapped for inferior security
Apple praised for superior security
and with it, possibly 200,000 users' account information. According to this NetworkWorld Fusion report, "Ameritrade warns clients about potential breach," some backup tapes were damaged in transit and one of the tapes is currently unaccounted for.
This incident is a good reminder that data security concerns extend beyond the physical boundaries of the enterprise. Or, in other words, one of the easiest ways to get to an enterprise's critical data could be to socially engineer the driver of the Iron Mountain truck.
Cameras at traffic lights came up for a vote in NH this week. And I quote:
"So when a bill came up in early April to consider allowing robotic traffic cameras at the busiest crossroads, mocking laughter from the gallery preceded the measure's demise."
Mocking laughter... Have I said how much I love it here recently?
Article about the "state of affairs" in quantum cryptography. While almost completely content-free, the conclusion of this article, where Martin Illsley says, "[Quantum cryptography] still needs biometric proof," raised my hackles enough to prompt a comment.
Will someone please explain to me how quantum cryptography and biometrics are related? I'm just not seeing it... Unless the photons in question are bouncing off my fingerprint, iris, or retina, I would contend that the two technologies are completely unrelated...
In addition to being unrelated, I keep going on record, having worked for a biometrics company at one point, that biometrics are in some cases worse than a password or token. Just ask the poor guy who lost his finger for his beamer a few weeks back.
ChoicePoint CEO prepares acceptance speech for this year's "Big Brother" Awards. "I would like to thank the academy..."
Wow... Business Week recommends litigation against companies exposing personal data? Go, Business Week; I didn't see that coming...
Typically, I come down on the side of "sufficient protection" when debating what type of authentication mechanism to employ in a given security scenario. Up until now, that meant that I felt that passwords were a fairly robust vehicle for protecting data. However, a recent ruling determined that passwords alone were insufficient protection to preserve trade secret information. In other words, data placed in a directory secured by passwords was found to not be sufficient protection to preserve trade-secret status. In this instance, the judge questioned why other measures weren't taken - e.g. data labeling, confidentiality notices, etc.
In context, I agree with the ruling. While what the judge said is true (e.g. that the employees of the firm needed to be advised of data confidentiality), I'm concerned about the precedent and how the industry will react. The judge said in his ruling, "[r]estricting access to sensitive information by assigning employees passwords on a need-to-know basis is a step in the right direction". "A step in the right direction" but not "sufficient." What is sufficient? A confidentiality label at the bottom of the screen? I don't think that will cut the mustard if passwords don't...
This is just the kind of thing that an unscrupulous company could spin into a FUD-fest to try to sell two-factor products.
The bogus paper entitled, "Rooter: A Methodology for the Typical Unification of Access Points and Redundancy" was accepted to the WMSCI 2005 conference! I love this story... Thanks to John for passing it my way!
Simmonds, head of security for "pharmaceutical giant ICI," called for more email encryption because "it's built into every email product." There are no silver bullets. For example, Mr. Simmonds may be well versed in the pharmaceutical space, but apparently isn't versed in current SEC regulations which require email archives for 7 years. The ability to archive isn't built into every browser, bringing a world of compliance pain and suffering for folks in FS listening to this advice. Bottom line: be careful who you listen to, know what's right for your company, and understand that there's rarely a panacea or a free lunch...
Of course, the recent data theft incidents are only the tip of the iceberg at LexisNexis and ChoicePoint. I think we pretty much all saw that one coming. What scares me, however, is the fact that a) they didn't know about it themselves or b) if they did, they weren't going to tell anybody.
Their plan to "improve the security of their passwords and ID administration" is too little too late in my opinion. Why can't I, as an innocent spy-ee of their system, opt out of their "protection" measures and just not be included in the database?
Interesting article about forensics, but reading between the lines, I'm curious about the "encrypted filesystem" comments made. Could it be that EFS is throwing these investigators off the scent? If so, maybe it's time for a white-paper about how to get around EFS in a forensics context?
Given the fact that outsourcing overseas is a politically charged topic, I expect that this will see quite a bit of attention in the media. People are looking for an excuse to throw stones at the practice of FS outsourcing operations overseas; I am of the opinion that fraud can happen anywhere at any time: across the street or across the ocean. My question is how the details of this got leaked to the press; usually there would be a concerted effort to keep the details hush-hush.
Apparently, a gentleman was getting into his Mercedes and was assaulted by thieves. In order to bypass his biometric theft deterrent system, they took his finger with them. I think I'd rather not have the biometric system than lose a finger because of it...