Security, I believe, is not to be fixed with tools only. There's no silver bullet, so arguing that password vaults will fit all is unfortunate. For personal use I love both Google's Smart Lock and other password vaults. However, if you aim to control access to large sets of corporate services and apps, aim for SSO and complete IAM to prevent, detect and respond. This article addresses this challenge well.
Had to share this as I'm getting tired of companies selling out my email to advertisers, leaking it to spammers, or starting to spam my inbox just because I once registered on their service. By adding a company-specific string to your email address you can filter all spam and identify the origin of whoever sold out your address. E.g., I tested this when buying a travel ticket. Upon registration I did not provide them with my original email address (firstname.lastname@example.org), but rather an address specifically crafted for this travel service agency (email@example.com). I will still receive the emails from the company, but can also identify its origin, even if they shared it with cooperating companies or advertisers.
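The filtering and origin-tracking described above, as an added example that is not part of the original post. It assumes plus-addressing (local+tag@domain, the subaddress convention many providers support; the post does not say which format it used, and a catch-all domain with one local part per service works the same way). The tag registry, expected sender domains and message headers below are constructed sample data.

```python
import re
from email.utils import parseaddr

# Constructed sample registry: the tag handed out at signup and the sender
# domain(s) that service is expected to mail from. Names and domains are made up.
REGISTRY = {
    "travel": {"service": "Travel ticket agency", "domains": {"travel.example"}},
    "shop":   {"service": "Online shop", "domains": {"shop.example", "mail.shop.example"}},
}

# Assumed address format: local+tag@domain (RFC 5233 style subaddressing).
TAG_RE = re.compile(r"^(?P<local>[^+@]+)\+(?P<tag>[^@]+)@(?P<domain>[^@]+)$")


def split_tagged_address(addr):
    """Return (local, tag, domain) for local+tag@domain, else None."""
    _, address = parseaddr(addr)
    m = TAG_RE.match(address.strip().lower())
    return (m.group("local"), m.group("tag"), m.group("domain")) if m else None


def sender_domain(addr):
    """Domain part of a From header, lower-cased; empty string if absent."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(to_header, from_header):
    """Classify one message by the tag in its recipient address.

    'verdict' is one of: untagged (no tag), unknown-tag (tag never handed out),
    expected (mail from the service the tag was given to), shared (mail from
    anyone else, i.e. that service passed the address on).
    """
    parts = split_tagged_address(to_header)
    if parts is None:
        return {"verdict": "untagged", "tag": None, "service": None}
    _, tag, _ = parts
    entry = REGISTRY.get(tag)
    if entry is None:
        return {"verdict": "unknown-tag", "tag": tag, "service": None}
    origin = sender_domain(from_header)
    verdict = "expected" if origin in entry["domains"] else "shared"
    return {"verdict": verdict, "tag": tag, "service": entry["service"],
            "sender_domain": origin}


def triage(messages):
    """Run classify over (To, From) pairs and count results per service.

    Returns {service: {"expected": n, "shared": n}} so the service whose
    address has started receiving third-party mail stands out.
    """
    report = {}
    for to_hdr, from_hdr in messages:
        r = classify(to_hdr, from_hdr)
        if r["service"] is None:
            continue
        bucket = report.setdefault(r["service"], {"expected": 0, "shared": 0})
        bucket[r["verdict"]] += 1
    return report


# Constructed sample (To, From) header pairs, not real mail.
SAMPLE = [
    ("Jane Doe <jane+travel@example.org>", "Bookings <noreply@travel.example>"),
    ("jane+travel@example.org", "Great Deals <promo@adverts.example>"),
    ("jane+shop@example.org", "orders@mail.shop.example"),
    ("jane@example.org", "friend@example.net"),
    ("jane+conference@example.org", "cfp@conf.example"),
]

if __name__ == "__main__":
    for to_hdr, from_hdr in SAMPLE:
        print(classify(to_hdr, from_hdr))
    print(triage(SAMPLE))
```

In practice the same logic sits in a mail filter rule: the tag alone is enough to route or discard mail, and comparing the sender domain against what the service itself uses tells you whether the address was passed on.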
Yesterday Microsoft blogged about their privacy journey, finally. It appears they have made improvements (?) to privacy in Windows telemetry and “functional” reporting, and provided some custom privacy settings. Finally, what I think is most interesting in this context is how to manage and utilize all this data for corporate security management, prevention and detection purposes. They claim to be “developing a set of analytics customized for your internal use”, which sounds very interesting. However, it remains to be seen how and what they can offer. Upgrade Readiness is their first step.
So, there is a “basic level” and a full level?
Excited to hear more about how (if) this fits the GDPR.
…Google says. Or they don’t actually say so, but their BeyondCorp approach to enterprise security certainly addresses it. Instead of building a perimeter-secured enterprise network, they push security to who shall access what, without building a wall around it. I have tried to split this graphically in four as follows: Continue reading “Move away from the Perimeter”
Looked into the Android SpySMS trojan, as they say it has infected 40k users’ phones. This mobile trojan uses SMS as its C&C protocol, the way IRC C&C was used by PC trojans back in the day. Got me thinking that the reliable SMS protocol is a nice protocol for controlling Android bots. The way this app tries to block anti-virus from running, and the long list of banking apps it targets, is rather interesting, as this has historically been more typical of PC trojans and malware.
Nice blog post from Lenny Zeltser about mistakes to avoid when working with information security. Most are probably obvious to many of you, but still… How many just “Ban the use of external USB drives while not restricting outbound access to the Internet”? 🙂
In need of privacy (with bad or good intentions), people search for tools that can provide anonymous communication online. Tor is well known for that and has existed for a long time as a respected network of multiple layers of hops and encryption (“onion rings”). Just found this interesting article from Aaron M. Johnson et al. where they have exploited vulnerabilities in the Tor network by using traffic correlation attacks. Continue reading “Tor’s problem; Traffic Correlation Attacks”