Interview

This Week In Security: Poking Holes In Two Factor Authentication

It was another busy week in the security world. There was big news on the legal front, as The U.S. Supreme Court took steps to protect the data stored on mobile devices from warrantless searches by police. (That’s good news.) But the week also plenty of concerning stories about the security of data stored on mobile phones, tablets and the like. One of the stories that gained a lot of attention was DUO Security’s report on a flaw in PayPal’s two factor authentication feature that could expose the accounts of  security-conscious PayPal users. As The Security Ledger reported, DUO researcher Zach Lanier discovered a flaw in mobile APIs published by PayPal that would allow anyone with a valid PayPal user name and password to sidestep two-factor authentication when accessing PayPal accounts that had that option enabled. After DUO went public with information on the flaw, PayPal disabled two factor authentication […]

Continue Reading

Internet of Things to Increase Shortage of Security Professionals

The tech publication eWeek has an interesting interview with Sujata Ramamoorthy, the director for global information security for Cisco’s Threat Response, Intelligence, and Development (TRIAD) group about the impact of Internet of Things technology on the (already painful) shortage of IT security workers. According to Ramamoorthy, adoption of Internet of Things technologies and platforms will exacerbate the IT security worker shortage.  “These trends are what are fueling the need for additional security skills in the industry, and because the networks themselves are getting more complex, the applications communicating over them are getting more complex,” she told eWeek reporter Rob Lemos. The increasing complexity  of information infrastructure in IoT deployments, an explosion in the number of connected endpoints and a corresponding lack of visibility into cloud services all make the shortage of corporate security experts more critical, Ramamoorthy said. Already there is an estimated 1 million information-security staff and manager shortage globally, according […]

Continue Reading

IPMI’s Inconvenient Truth: A Conversation With Dan Farmer

The work of brilliant computer security researchers often borders on a kind of madness. After all, it takes dedication and a certain amount of monomania to dig through the mush of disassembled source code or the output of application fuzzers and find the one software vulnerabilities – or chain of vulnerabilities – that might lead to a successful attack. Often, this work puts you at odds with what most of us consider “the real world.” Notably: the well-respected researcher Dragos Ruiu had many in the security community wondering about his sanity after he sounded the alarm about a super stealthy piece of BIOS malware he dubbed “BadBIOS” that seemed to be everywhere and nowhere, all at once. Dan Farmer finds himself in a similar position as he continues to sound alarms about the security threat posed by insecure implementations of the Intelligent Platform Management Interface (IPMI)– a ubiquitous protocol used to do remote […]

Continue Reading

Big GOV Shift To Secure Cloud?

For those of us covering the cyber security beat, there haven’t been many feel-good stories coming out of the federal government in – well – forever. Even before the advent of nation state sponsored hacking, the news was mostly of the federal government’s bloated and unwieldy IT infrastructure, byzantine procurement systems and the difficulty of attracting top talent away from private sector employers who could offer more pay, more autonomy and a better working environment.   Then came the gut wrenching display of offensive prowess by the U.S.’s main enemies – nations like China, Russia and Iran. Those stories started, in earnest, with news about operations like Titan Rain (in 2003) and continue to the present day. The problem has gotten so bad that the military’s preferred euphemism for Chinese hackers – “advanced persistent threat,” or “APT” has become part of the nomenclature of the IT security world far beyond […]

Continue Reading

This Week In Security: Ebay’s School of Hard Knocks

It’s the end of another busy week in the security world. As we’re wont to do at The Security Ledger, we had DUO Security Evangelist Mark Stanislav in to the deluxe Security Ledger Studios to talk about the events of the week. On the agenda this week: the continued fallout from the hack of online auction giant eBay. The company ran into a thicket of criticism this week for the breach and its botched response. Despite knowing about the security breach for weeks, eBay seemed unprepared for the fallout once the news became public. Beyond its statements to the press, the company hadn’t taken steps to streamline the (inevitable) flood of customers who wanted to update their password. In fact, more than a day after the news broke, eBay still hadn’t made mention of it on their home page. What lessons can we learn from the breach at online auction […]

Continue Reading
1 13 14 15 16 17 19