Either someone is doing some serious academic work in researching password strengths, or someone is building a really great hashed password dictionary. The Steam community forum compromise, in which attackers gained access to a database containing usernames, encrypted passwords, and e-mail addresses, is just the latest in a series of compromises targeting a subset of the online community: gamers.
It’s difficult to say whether these attacks are increasing in frequency or whether media reporting and voluntary disclosure has created the illusion of a growing trend. In either case, our activities are continually moving online, often protected only by a username and password, instead of staying safe and warm in hard disks on our home desktop computers. The attack surface is increasing as more web services require more usernames and passwords and the opportunity for password reuse increases.
Read More »
Tags: authentication, security, strong passwords
Nearly all of us depend on public key infrastructure (PKI) when we engage in secure transactions on the Internet. Digital certificates, most commonly based on ITU standard X.509, are used to prove that one is communicating with an intended website or Internet host. They are also used to establish the ownership of specific email addresses when S/MIME signing and encryption are used. Having a secure way to determine who you’re communicating with is important because an impostor or “man in the middle” site could decrypt the data sent to it, effectively defeating the security of the transaction.
Certificates issued by Certificate Authorities (CAs) digitally sign a public key presented by the subject (website/host or user) after some diligence (usually for a fee) is done to determine that the entity requesting the signature is in fact the legitimate owner of that host or address. The public keys of the Certificate Authorities are, in turn, configured into Web browsers, email clients, and other software that makes sure connections. If the host being communicated with proves ownership of a certificate that is signed by a recognized CA, the certificate is recognized as valid.
Security and process problems at several X.509 CAs, most notably DigiNotar and Comodo, have received considerable coverage in the past year. This has led to doubts about the long-term viability of the X.509 ecosystem, and alternatives have been proposed. I’d like to step back from that a little bit and look at the properties we would like to have in an idealized replacement system and then how that might be accomplished.
Read More »
What a week! From October 31-November 3, Cisco hosted its annual internal security event—SecCon 2011. Co-hosted by Greg Akers, SVP of Cisco’s Global Government Solutions Group and Ed Paradise, Vice President of Engineering, this marked the fourth year in which we shared the latest in product security practices, policies, processes, and thought leadership with employees who participated in live and virtual sessions around the world.
Read More »
Tags: common crypto, CSDL, product certifications, product security, public policy, Secure Development Lifecycle, security, trustworthy systems
“Security must be built into every aspect of our systems architecture and be seamlessly compatible with our business architecture.”
– Rebecca Jacoby, Cisco Chief Information Officer
When Cisco’s CIO Rebecca Jacoby and I agreed that security would be built into every aspect of our IT systems architecture, we knew this was no small task. To some degree, security requirements were bolted on, not baked in, and what “security” meant was different from person to person in our organizations. We knew that we had to raise awareness and knowledge about security—not just among the security practitioners in our IT organization, but also with the IT generalists and those architecting applications and systems. That way, systems would be designed and embedded with security from day one. Read More »
Tags: Cisco, cyber security, cybersecurity, security
Okay, this may sound like gibberish. But I’m sure that many of you know what I mean. Just to be clear, let me put the title in plain English: Mobile Device Management (MDM) is not the only approach to help secure a Bring Your Own Device (BYOD) environment.
Read More »
Tags: bring your own device, byod, MDM, Mobile Device Management, mobile devices, SecureX, security