Big Brother Watch report on breaches

by adam on November 30, 2011

Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly (…)

“It’s Time to Learn Like Experts” by Jay Jacobs

by adam on November 28, 2011

I want to call attention to a new, important and short article by Jay Jacobs. This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development (…)

The One Where David Lacey’s Article On Risk Makes Us All Stupider

by alex on November 25, 2011

In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.” This article is so patently bad, so heinously wrong, that it stuck in my craw (…)

Risk Hose Podcast #14 with Adam and Alex

by adam on November 23, 2011

I’m on episode 14 of the Risk Hose podcast, with co-blogger Alex. Chris, Jay and Alex are joined by Adam Shostack and we dig into the topic of feedback loops within Information Security. You should check it out! Episode 14: (…)

AT&T Hack Attempt

by adam on November 22, 2011

First, good on AT&T for telling people that there’s been an attempt to hack their account. (My copy of the letter that was sent is after the break.) I’m curious what we can learn by discussing the attack. An AT&T (…)

Privacy is Security, Part LXII: The Steakhouse

by adam on November 19, 2011

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information (…)

More on Authorization Persistence Threats

by adam on November 18, 2011

Wade Baker has a quick response to my “Thoughts on the 2011 DBIR and APT,” including the data that I was unable to extract. Thanks!

Block Social Media, Get Pwned

by adam on November 17, 2011

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that (…)

Breach disclosure and Moxie’s Convergence

by adam on November 15, 2011

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, (…)

Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)

by adam on November 7, 2011

So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have (…)