As enterprises shift toward smartphone-based access to company-wide resources, the emphasis on establishing a secure connection between the nomadic device (read: cell phone or tablet) and the enterprise is increasing. A tablet is mostly seen as an evolution of the laptop and hence is expected to run applications like VPN …
Category Archive: Security
Jul 22 2011
This time, Google gives back to Internet Users
Bruce Schneier wrote an article on Google’s finding of unusual search patterns and eventual discovery of malware. Quoting directly from Google’s article: Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined …
Mar 18 2011
RSA’s security breach warning
RSA’s announcement of a potential security breach got a lot of press. Read a related article here, the company’s official letter here and the 8-K filing with the US SEC here. Securosis wrote this summary article that is worth reading.
Mar 16 2011
Discussion on National/International cybersecurity frameworks
It is always enlightening to read contradicting viewpoints that are substantiated with good reasoning and ample evidence. Read this article by Prescott Winter and this related article by Alec Muffett. Can we ever have cybersecurity frameworks and/or laws that cut across national boundaries? Or, should we, in the first place? I am personally more inclined …
Jan 27 2011
Facebook and security
This particular blog entry by Alex Rice of Facebook unveils a couple of new features on the horizon. I tried out https://-based access and found that applications like chat won’t work during https://-based access. I am also curious about the 2nd feature: identification of a friend for authentication: What if you use proxies that …
Jan 18 2011
Good article on password security
Read this article by Alec on Password Security. A nice discussion on that age-old feature and problem. The following code snippet takes me back a few years, when Alec demonstrated to me how ill-managed typical large user/pass data could be.
perl -nle 'setpwent;crypt($_,$c)eq$c&&print"$u=$_"while($u,$c)=getpwent' < /usr/dict/words
Thanks Alec!
Oct 25 2010
Alec at Computerworld UK
Earlier this month, Alec started writing for Computerworld UK. Details here. Congratulations Alec!
Sep 23 2010
Twitter x-site scripting
It is really amazing how simple, innocent-looking and destructive a cross-site scripting vulnerability could be. Read here and here…
Jul 31 2009
Nulls and Certs
The SSL cert issuing and validation processes look clean individually, but this null character thingy spoils the party. Read more here. Good that Mozilla 3.5 is not vulnerable. Also, certain browsers restrict the validity of wildcard certs to a single level of indirection. Those browsers handle this case better.
May 26 2009
Susceptibility to password-cracking attacks.
This article by Roger Grimes presents a useful tool to evaluate the susceptibility of a network to password-cracking attacks. The article also covers a wide range of items related to the topic. A good read.