A cautionary tale about the dangers of keeping everything in the Cloud


“Once the hacker gained access to Honan’s iCloud account, he or she
able to reset his password, before sending the confirmation email
to the
trash. Since Honan’s Gmail is linked to his .mac email address,
hacker was also able to reset his Gmail password by sending a
recovery email to his .mac address.

Minutes later, the hacker used iCloud to wipe Honan’s iPhone, iPad
Macbook Air remotely. Since the hacker had access to his email
it was effortless to access Honan’s other online accounts
such as Twitter.”

Every new technology has people, the pioneers, who buy into the vendors hype … and pay a price for that.

We should learn from them.

Computer Security

Enhanced by Zemanta

Naval War College uses Russian software for iPad course material



The Navy’s premier institution for developing senior strategic and
operational leaders started issuing students Apple iPad tablet
computers equipped with GoodReader software in August 2010,
unaware that the mobile app was developed and maintained by
a Russian company, Good.iWare, until Nextgov reported it in February.

OK so its not news and OK I’ve posted about this before, but …

Last week I was reading another report about malware and it stated that most malware yamma yamma yamma had it origins in the USA. No doubt you’ve seen reports to that effect with different slants.

So the question here is: Why should software produced in the country where there are more evil-minded programmers be superior to software produced in Russia? Continue reading Naval War College uses Russian software for iPad course material

Mistaken Thinking – Risk not threats

Various mobile devices creating interoperability.
Image via Wikipedia

Via a LinkedIn posting in the Infosecurity magazine forum titled
“Internet Threats Posed By Mobile Devices: How Can We Prevent Them?”
I came to


The mobile devices don’t pose threats.
The mobile devices represent risks.

Threats are external. They are not under your control.

The article title is clearly confusing THREATS with RISKS.

There are aspects of risks which ARE under your control.
You can control how EXPOSED you are to threats and how they will IMPACT you – or more specifically your assets. In this case the mobile devices.

You can’t prevent threats, you can only mitigate their IMPACT.
You can instigate preventive measures.

Mobile devices and the data on them are ASSETS, not threats.

Correct terminology leads to correct thinking.
Eliminating misunderstanding and confusion leads to effective results.

Enhanced by Zemanta

Passwords Suck!


Indeed they do.
Its beginning to look like the point I’ve been trying to make for years, here and with clients, is finally getting some notice. That the sad real truth is that passwords are security theatre. They provide the
illusion that you’re securing something.

For those new here, I’ve long recommended Rick Smith‘s excellent book on this matter:
“Authentication: From Passwords to Public Keys” ISBN 0201615991
See his home page at http://www.smat.us/crypto/index.html

Grandpa Rob Slade reviewed this, rather more kindly than some books he’s reviewed.
The author of the article recommends passphrases – a passphrase is easy too remember.
In “Password Expiration Considered Harmful” Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.

See also ‘The Strong password dilemma‘ and not least of all this cartoon.

I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, “But that was in another country and besides, the wench is dead”). I fat finger one time in four.

Some of it is practice. If you make people change their passphrases or passwords they won’t flow from their fingers so readily.

My home machine, where no-one can get in from the net and where no-one looks over my shoulder except my cats, I’ve used the same passphrase for over a decade. I can type it a LOT faster than a a shoulder-surfer could see and my fat-finger rate is down around 1 in 300+. I don’t even have to ‘say’ the passphrase in my mind so even a telepath couldn’t “sniff” it.

Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).

My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I’m getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.

If you ask me, its crazy, unproductive and expensive.

To debunk the myth that frequent password rotation is a good idea, see Gene Spafford’s blog entry on this.  But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.

Tell me, now often do you change the lock on your front door?

Reblog this post [with Zemanta]