Other News

US Deputy Attorney General Rod Rosenstein speaks at The Cambridge Cyber Summit. He raised questions about the use of strong encryption.

In Boston, Deputy AG Rosenstein picks up call for Encryption Back Doors

US Deputy Attorney General Rod Rosenstein used a speech in Boston to criticize the technology industry’s use of strong encryption, which he called “warrant-proof,” even as he said law enforcement had no issue with its use.

Five years ago today we posted our first blog entry! A lot has changed...

Security Ledger Turns 5!

I’m not much of one for milestones and the record will show that I’ve rarely taken the occasion to note significant Security Ledger dates. Actually, it would be more accurate to say that I’ve never noted them. But October 2nd marks what I consider an important one: the fifth anniversary of our first blog post. On October 2, 2012, this blog went live with a post on the VOHO watering hole attacks. That makes today – October 2, 2017 – Security Ledger’s 5th birthday! So much has happened in the intervening years – and much remains the same. Sadly, we haven’t beat watering hole attacks, though maybe we talk about them less than we used to. The last five years have seen this blog focus more and more on the security of our physical world and the many, intelligent devices that inhabit it. That has proven to be a very rich seam […]

What can you tell about a company's security just by looking at it from the outside? A lot.

Hacker Eye on the Consultant Guy: Deloitte and the Art of spotting Vulnerable Firms from the Outside

In the latest Security Ledger podcast, we analyze the breach of Deloitte by talking to two people who spend a lot of time judging the security of firms by how they look to the outside world. Dan Tentler of the firm Phobos Group tells us what he found out about Deloitte doing some fast and dirty open source research. Also: we talk to Stephen Boyer of the firm BitSight about a new study that firm did of the gap between the security readiness of financial services firms and the third-party software supply chain they rely on. 

Trend Micro describes some of the most common supply chain attack techniques in a blog post.

Firm that discovered CCleaner Compromise: there may be Others

The firm that discovered the CCleaner attack thinks there may be other common applications that, like CCleaner, have been secretly compromised and used to gain access to corporate networks. Engineers at the firm Morphisec are reviewing historical reports that were considered “false positives” to determine if any of those reports may have been evidence of compromises of other common applications, Chief Technology Officer Michael Gorelik told The Security Ledger. “It’s something we’re doing right now. We’re revalidating stuff that we caught within the last several months,” he said. While Gorelik declined to say whether they had found evidence that other, similar attacks had taken place, he said the initial findings of the investigation were “very interesting.” “They’re very interesting events and when you go deeper they become more interesting,” he said.  He said he believed there were other so-called supply chain attacks like CCleaner, but declined to say whether his firm […]

Opinion: NIST Guidelines make Digital Identity all about Risk

Contributing writer Chip Block of the firm Evolver says the new NIST Digital Identity guidelines do much more than rethink passwords. They help solve an age-old problem: how to prioritize security spending.