Showing posts with label security_fail.

QOTD on Mobile Phones & Security

The forthcoming ubiquity of near-field communication payment technology in smartphones is especially worrisome.

Two-factor authentication originally emerged because people couldn't trust computers. Using mobile phones as an identity factor defeats two-factor authentication.
-- Marc Maiffret, CTO of eEye Digital Security

Note: emphasis is mine

Src: Analysis: the future of malware | Computerworld New Zealand

QOTD on SSL & Trust

If anyone is trying to convince you to use a trust system, you have to ask, who do I have to trust and for how long?
-- Moxie Marlinspike, co-founder and CTO of Whisper Systems

Src: Black Hat Researcher Releases Tool to Bypass SSL Certificate Authorities (see page 2) | eWeek.com

QOTD on PSN Breach

Adding a CISO after the fact is like hiring a bodyguard after you've been fatally wounded. It creates an impression that there's a lack of accountability.
-- Kevin Kosh, partner at Chen PR

Src: Sony Chief Stringer Blindsided by Hackers Seeking Revenge | Page 2 of 2

QOTD - Pescatore on Backward Thinking

Security strategies that are based on hoping the mainframe will come back will be bypassed like those little towns that were built 20 miles apart (because that is how far a horse could go in a day) got bypassed when the Interstates were built.
-- John Pescatore, vice president and research fellow at Gartner, Inc

QOTD on Security Myths

"Sandboxing provides a malware-free device", "mobile apps are controlled", and "there's no money to steal in mobile apps" are all myths that will be proven wrong.
-- Amit Klein, CTO of Trusteer

Note: emphasis is mine.

Src: AusCERT 2011: Mobile banking malware on the rise - Trusteer, mobile malware, banking mobile, AusCERT 2011, Amit Klein - CIO

QOTD - Some users learn quickly, others...

There is a class of user who cannot be protected from themselves. Many users can learn from the mistakes of others, especially when the material is presented well. For the avid, rabid fan, sometimes the only way they will learn is to get bit a few times.
-- Randy Abrams, Director of Technical Education at ESET

QOTD on Reverse Engineering

People believe that once you compile human-readable 'source' code, humans can no longer read the resulting binary 'object' code. That is incorrect. Code can easily be decompiled back to (nearly) the original source. In our (Errata Security) pentests, we regularly find embedded usernames and passwords that nobody believes hackers can read. It usually takes us less than 5 minutes.
Note: emphasis is mine.

QOTD on the State of Security

We've approached security layer by layer. I have one tool for Web access, another tool for network access, another tool for e-mail. And yet I can't answer the basic question: Am I secure?
-- Bill Veghte, EVP of HP's software division

Src: RSA: HP Proposes Holistic Security -- InformationWeek

QOTD - Amoroso on Security via Diversity

Serious attacks are not stopped by running an anti-virus program, they are not stopped by having people change passwords, they are not stopped by firewalls, they are stopped by other means... The first and foremost thing is that diversity is good... From a network and systems perspective, I get a lot of sleep at night when there is an attack on an IP-based system knowing that it is not going anywhere near our TDM circuit-switched infrastructure; they are just separate. The technologies are different, the systems are different, and they are non-interoperable.
-- Edward Amoroso, Chief Security Officer at AT&T, author of Cyber Attacks: Protecting National Infrastructure

Src: Infosecurity (USA) - Information security practices need to be rethought, says AT&T security chief

QOTD - Ranum on Terminals

It's 2010, and we still have operating systems that get infected with malware and keystroke loggers and stuff like that. As long as you have got endpoints that are so easily compromised, then you are going to have this problem. It doesn't really matter whose fault it is, you are going to have this problem because the endpoint has to be a reliable terminal, and it's not.

-- Marcus Ranum, CSO of Tenable Network Security

Src: Ranum: Be Serious about Cybersecurity

QOTD on SSNs

When a laptop is stolen, 99 percent of the time the [perpetrator] doesn't know he's got SSNs on it.

-- Thom VanHorn, VP of marketing for AppSec

Note the obvious bias due to the position of the person making the statement. Still, if the number is sound, it illustrates the current state of (in)security due to the lack of oversight of sensitive data.

Src: Six Florida Colleges Victims Of Widespread Data Breach - DarkReading

QOTD on Governance

In the past, companies made it clear that you are on their network and, if you do anything bad, you will be kicked off. Today there are companies out there that say, 'Here's $2,000 -- go buy whatever you want, and the IT department will secure it.'
-- Alex Eckelberry, General Manager of GFI

Src: Avoiding Accidental Data Leaks In Small Businesses - breaches/Security - DarkReading

QOTD on Passwords

Fidelity doesn't pay when it comes to passwords: the most important passwords should be changed every three months.
-- Dieter Kempf, a member of the presiding committee of Germany's Bitkom industry association

Src: Passwords: The only constant in life - The H Security: News and Features

QOTD - Liberman on those dangerous electronic pipelines

The Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets.
-- Joseph Lieberman, independent Senator for Connecticut

Src: Senators tackle Internet security - The Boston Globe

QOTD - Adobe & Security

We're in the security spotlight right now. There's no denying that the security community is really focused on ubiquitous third-party products like ours. We're cross-platform, on all these different kinds of devices, so yes, we're in the spotlight.
-- Brad Arkin, Director for Product Security & Privacy at Adobe

Security vendors and researchers agree on one thing: Adobe PDF and Adobe Flash are hacker favorites, with F-Secure reporting that it's used in 61% of attacks (for Jan/Feb 2010) while Kaspersky's recent report gives it 47% (covering Q1 2010).

Src: Adobe: We know we're hackers' favorite target

QOTD on Aurora Attacks

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.
Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.
When an attacker knows the details of a company's technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system.
-- David Marcus, Security Research and Communications Manager for McAfee

Note: last emphasis added by me, earlier emphases from original document

Src: Computer Security Research - McAfee Labs Blog

QOTD - Microsoft tooting its own security horn

When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else. And it's not just the hackers; third party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others.
-- The Windows Blog

Microsoft apparently wrote the post in response to media reports that Google was planning to drop the Microsoft operating systems from its internal systems. While Microsoft has made progress in securing software, there is no reason to get complacent. There are still too many bugs being found; they are usually fixed in a timely manner, except for those that Microsoft takes seven or more years to fix.

After all, when compared to other major software vendors with less-than-stellar track-records, Microsoft does indeed do a better job at making its products more secure. But more secure than the competition doesn't mean secure.

Src: The Windows Blog

QOTD on Threats & Snipers

Security threats today are less like a disease or a cancer -- it's more like a sniper shooting you in the head as you come out the door. Malware is slipping through our most protected systems and we can't even see the threat coming.
-- Ken Silva, CTO of VeriSign

Src: Security Panel to IT: 'Expect a Breach' - Datamation.com

QOTD on us vs them

The organizational mantra should never be an 'us' (business users) vs. 'them' (IT) attitude. Today, it has to be an 'us' (our company, united) vs. 'them' (our competitors). In this New Normal climate, IT needs to get on board and participate in business conversations about technology. Or else they will get thrown off the bus.
-- Thomas Wailgum, Senior Editor at CIO.com

Src: Stupid Users Are So Stupid | CIO - Blogs and Discussion

QOTD on Complacent Security

We need to combat the complacency that sometimes prevails in our industry; the way that things have always been done may no longer be the *right* way to do things. Just because your incumbent security system tells you everything is rosy, it doesn't mean you're clean, as many corporations are discovering to their cost.
-- Rik Ferguson, spokesman for Trend Micro

Src: Malice in Wonderland | CIO.co.uk