RSA announces a new offering to protect password credentials. But is protecting the password file really that difficult?
The 2012 Global Reputational Risk and IT Study calls into question the assumption that IT security incidents have only temporary impact on reputation.
It makes me sad to have to report that this morning I took down the Secure Password Reset campaign from this site. The idea behind the campaign is still as sound as ever. We need to convince companies that using personal information as an authenticator is never a good idea and the practice must be […]
The new developerWorks security site has launched! Stop by, join the community, and see how-to articles and videos for developing secure code and securing your IT operations.
“All or nothing” authentication for low end privilege escalation hampers end-user adoption due to the inconvenience associated with authentication.
The recent Amazon / Apple account hack shows three examples of the same type of fundamental security flaw: using personal information as a credential.
The European Commission’s Article 29 Data Protection Working Party has issued a lengthy paper codifying the principle of “buyer beware” in its approach to cloud service providers in member states.
The FDA’s Office of Science and Engineering Laboratories, in its FY 2011 report, referenced work to collect requirements for medical data flight recorders in medical devices. Isn’t there a large, mature event management industry whose practices could be applied to this?
In the aftermath of the LinkedIn password hack, much of the discussion has focused on secondary security issues like password hash algorithms and salting. But the root cause security issue and how to mitigate its risk are being overlooked.
The CloudFlare hack is interesting not because of the damage that was done, but because of the multiple authentication system failures that were exploited to make it happen. It also sheds some light on the Achilles’ Heel of web-based services, the password reset procedure.