Security Renaissance

Promoting the art and mindset of information security

Ren - ais - sance:

(lowercase) a renewal of life, vigor, interest, etc.; rebirth; revival: a moral renaissance

New resource added

February 24th, 2007

I’ve just added a new paper to the resources section of my site.  The paper is titled Cryptography in a very small nutshell; it is a very brief introduction to the concepts and types of crypto.

As of today, the resources section now has the following papers.


– Perry

The psychology of risk perception

February 24th, 2007

I guess that I’m on a Bruce Schneier kick this week.  My last post was related to an article that he wrote about New York City’s upcoming ability to accept camera phone images and videos in their 911 centers.

Today I’ve been reading and pondering another article by Bruce about how psychology plays into people’s perception of risk.  The following chart, from his article, speaks volumes:

[Chart: Conventional Wisdom About People and Risk Perception (from Schneier’s “Psychology of Risk” article)]


This chart just scratches the surface of the overall content in his article.  I encourage you to check it out.

We see examples of this in our lives and in the media every day.  One of the things that we, as security professionals, have to guard against is exploiting this to our advantage.  By playing off of people’s irrational fears, we will only lose credibility. 

If, in our companies and our communities, we are able to show people how to examine risk logically, we will ultimately gain trust. 

We don’t have to be fear-mongers to be successful.

Multimedia 911 security concerns

February 20th, 2007

I just posted at my Computerworld blog about how New York City is in the process of enabling their 911 systems to receive images and video from cell phone callers.  I think that this is a huge leap forward – but I am circumspect regarding the security of any proprietary systems involved in enabling this functionality.

With systems such as this, several questions and concerns come to mind. As such, I posed the following “top-of-mind” questions in my Computerworld post:

[C]an someone doctor image files to falsely implicate someone?  Is the software that is receiving and processing the images/videos vulnerable to embedded code within the media files?

Again – a huge leap forward.  I just hope that the folks in charge of the systems looked before leaping.

For years, security professionals have known and been saying that passwords by themselves are inadequate — thus the need for two-factor (or stronger) authentication. However, multifactor authentication implementations are typically costly (e.g. issuing tokens or biometric readers). Further, many companies report user push-back: some end-users reject or express disdain for biometric authentication.

So, this raises the question: “Is there a multifactor authentication method that is transparent to end-users?” And the answer is, “yes.” The technology is referred to as “keystroke dynamics,” and it extends the authentication paradigm a bit. That is, you usually hear about authentication factors such as:

  • Something you know (e.g. Password)
  • Something you have (e.g. token)
  • Something you are (e.g. biometric)

Keystroke dynamics, as well as signature and speech dynamics, add to that list “Something you do.”

Keystroke dynamics systems check the specific characteristics of how someone enters his/her password (i.e. speed, pauses). So, in effect, keystroke dynamics systems are keyloggers that have turned from the Dark Side. :)

In theory, such systems let users keep entering a single password – the way they do now. Yet, because individual characteristics of the typing itself are measured, some of the traditional weaknesses of passwords can be reduced. For example, normal “problem areas” such as password sharing and shoulder surfing may be mitigated because another party cannot easily mimic the real user’s “dwell time” (how long each key is held down) and “flight time” (the interval between one keystroke and the next). The protection is against observers rather than against a compromised client, though: a keylogger on the endpoint that records timestamps captures the timing right along with the password, and, like any behavioral biometric, the matcher has false-accept and false-reject rates that must be tuned (a tired or injured user types differently).
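As an added illustration (not from the post and not any vendor’s product), the following Python builds a keystroke-dynamics template from several enrollment typings of a password and then scores later attempts by the mean absolute z-score of their dwell and flight times. The password, all timestamps, the acceptance threshold and the 5 ms floor on per-feature spread are constructed assumptions; flight time is taken here as key-up to next key-down, which is one of several conventions in use.

```python
"""Keystroke-dynamics template and verification (added illustration, not vendor code).

Every timestamp below is constructed for the example; the threshold and the
spread floor are tuning assumptions, not measured values."""
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_STD_MS = 5.0   # floor on per-feature spread: a very consistent typist must not yield a zero divisor
THRESHOLD = 2.0    # mean absolute z-score accepted as "same typist" (assumption; tune from FAR/FRR data)


@dataclass(frozen=True)
class KeyEvent:
    key: str
    down_ms: float   # key pressed
    up_ms: float     # key released


def features(events):
    """Dwell times (hold duration per key) followed by flight times (release-to-next-press)."""
    dwell = [e.up_ms - e.down_ms for e in events]
    flight = [nxt.down_ms - cur.up_ms for cur, nxt in zip(events, events[1:])]
    return dwell + flight


def enroll(samples):
    """Template = per-feature mean and (floored) standard deviation over enrollment typings."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    if any(len(v) != n for v in vectors):
        raise ValueError("enrollment samples must be typings of the same password")
    means = [mean(v[i] for v in vectors) for i in range(n)]
    stds = [max(pstdev([v[i] for v in vectors]), MIN_STD_MS) for i in range(n)]
    return means, stds


def score(template, attempt):
    """Mean absolute z-score of the attempt against the template; lower is closer.
    A different feature count means a different password length (typo), so it cannot match."""
    means, stds = template
    vec = features(attempt)
    if len(vec) != len(means):
        return float("inf")
    return mean(abs(x - m) / s for x, m, s in zip(vec, means, stds))


def verify(template, attempt, threshold=THRESHOLD):
    return score(template, attempt) <= threshold


def make_sample(password, dwells, flights):
    """Construct KeyEvents from per-key dwell times and per-gap flight times (test data helper)."""
    events, t = [], 0.0
    for i, ch in enumerate(password):
        up = t + dwells[i]
        events.append(KeyEvent(ch, t, up))
        if i < len(flights):
            t = up + flights[i]
    return events


# Constructed data: a 6-character password gives 6 dwell + 5 flight = 11 features.
PASSWORD = "s3cret"
BASE_DWELL = [90, 85, 95, 80, 88, 92]
BASE_FLIGHT = [120, 110, 130, 115, 125]

# Five enrollment typings with a small, deterministic jitter around the base rhythm.
ENROLLMENT = [
    make_sample(PASSWORD,
                [d + (k - 2) * 3 for d in BASE_DWELL],
                [f + (k - 2) * 5 for f in BASE_FLIGHT])
    for k in range(5)
]
TEMPLATE = enroll(ENROLLMENT)

GENUINE_ATTEMPT = make_sample(PASSWORD, [d + 4 for d in BASE_DWELL], [f - 6 for f in BASE_FLIGHT])
# Shoulder-surfer: knows the password, but hunts and pecks with long holds and long gaps.
IMPOSTOR_ATTEMPT = make_sample(PASSWORD, [150] * 6, [350] * 5)
# Mistyped password: one character short, so the feature vector has the wrong length.
TYPO_ATTEMPT = make_sample("s3cre", BASE_DWELL[:5], BASE_FLIGHT[:4])

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT), ("typo", TYPO_ATTEMPT)]:
        print(f"{name:8s} score={score(TEMPLATE, attempt):.2f} accepted={verify(TEMPLATE, attempt)}")
```

The impostor who knows the password but types it in a different rhythm is rejected on timing alone, which is the shoulder-surfing case from the paragraph above; a mistyped password fails before scoring because its feature count differs. In a real deployment the threshold comes from measured false-accept and false-reject rates on actual users, and the template should be refreshed as a user’s typing drifts.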

Though I’ve not yet done any tests with this technology, I do see it touted as an affordable, reliable alternative to biometrics.

Links for further reading/research:

General info:

Vendor products:

Another VA hard drive lost

February 6th, 2007

Ugh….  Less than a year after the reported loss of a laptop containing the data of 26.5 million veterans, the VA loses another device – this time a portable hard drive.  Oh yeah – and in the intervening months they developed processes and procedures to ensure that such data is encrypted; yet this report mentions upwards of 20,000 unencrypted records.

Here are a couple links.  No further commentary needed.

Portable Hard Drive Missing From Department of Veterans Affairs

VA Loses Another Hard Drive, Vet Data At Risk