Welcome!


Latest Blogs from Web Security Journal
On 11 June 2012 the Cyber Physical Systems Virtual Organization will be holding a symposium on Moving Target Research. In this context, think of Moving Target as meaning the creation of a dynamic attack surface to adversaries done in a way that dramatically increases the work factor re...
This week Ustream gets an injection of political reality, Apple fixes a critical encryption blunder affecting some of its users, FBI documents are leaked detailing their worries over Bitcoin digital currency, and Anonymous takes down more Governmental websites as part of its ongoing op...
Here are today’s federal cybersecurity and information technology news: The Missile Defense Agency has issued a request for proposals for new methods to identify counterfeit electronics. More here. The Federal Bureau of Investigation warns travelers not to update software on hotel wireless netw...
When developing your security architecture, look to the 500 year old medieval castle model to create layers of protection. And this best practice extends itself to the cloud as security-as-a-service. One of the true benefits of the cloud is the ability to reconfigure and create a stro...
Over the past decade, we’ve become much more robust in our approach to information security. We recognize that our company’s largest vulnerabilities have to do with its computer systems, and that data security is at the core of loss prevention, disaster recovery, and even normal operat...
RPost’s latest integration with Esquire is called iScrub. This new product removes metadata from important “reusable” documents such as loan application forms. One of the questions raised by using a product like this is what effect metadata cleaning would have on evidence used in the...
Today’s federal cybersecurity and information technology news: The White House has threatened to veto the Cyber Intelligence Sharing and Protection Act (CISPA) if it reaches the President in its current form. More here. The Office of Management and Budget agrees, asking President...
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access co...
Symantec reported this past Wednesday that the number of total Flashback infections was down to approximately 140,000 from around half a million. However, the company has since revised its estimate to note that its method for detecting infected systems is reporting “limited infec...
I took great pleasure in reading the release below regarding the reconstitution of the Terrorism Research Center. The founders of the Terrorism Research Center (Matthew Devost, Brian Houghton, and Neal Pollard) are all highly regarded national security professionals and thought leaders...
This blog post is part of the series on Windows Azure. There are very few organizations that apply as many security measures as Microsoft does for its Windows Azure service. Listed below are some of the precautions Microsoft has implemented for Windows Azure to secure your applications...
The IT Dog is waggin’ his tail today with this one. I love progress and the SSD revolution is certainly pushing the storage industry forward on many fronts. New products with SSD in every segment of the IT data chain from the server side SSD to SSD raid storage. SSD capabilities has...
The idea that you might pay someone else to keep quiet a vulnerability while you fix it may seem a bit backward to some in computer security. It would also seem to invite attacks on infrastructure. It’s no surprise, then, that many companies with technological products don’...
Anonymous claimed credit for taking down the Department of Justice and Central Intelligence Agency websites, as well as the website of MI6 in the UK. More here. The Defense Advanced Research Projects Agency has issued a request for proposals for more power-efficient processes in embedd...
A recent article “Put Your Test Lab In The Cloud” outlined the pros, cons and considerations you must take into account when talking about hosting test labs in the cloud. Using the cloud for this purpose is not necessarily a new idea, and it’s one that certainly makes a lot of sense; R...
600,000+ Mac Computers Infected While this kind of activity wouldn’t rouse much attention from those ensconced in WinTel (Windows and Intel) architectures, it is much less common for Mac users to be impacted by infections on this scale so quickly. The infection, called Flashback, is in...
PerspecSys is a privately held company based in Toronto, Canada that specializes in eliminating the security barriers that inhibit enterprise companies from embracing cloud computing. Many companies want to move to the cloud for operational business purposes but are concerned about how...
I had the opportunity to write a post for SecureWorld Post’s site. You can view it at: http://secureworldpost.secureworldexpo.com/crawford-cloud-computing-turns-infosec-upside-down/
Botnet takedowns make front page in this week’s security news in review. This week saw a lot of activity on botnet control and disruption as several corporations struggled to disrupt or destroy major botnets and their command-and-control facilities.
While I’m not the biggest fan of taking surveys, I sure love the data/reports that are generated by such creatures. And boy has there been a bunch of recent statistical information released on cloud computing, information security, breaches and general IT. Since this prologue is kin...
I keep reading these stories about how various cloud service providers are building up their consulting practices around cloud computing mostly to address the enterprise market (see my previous post for some thoughts on that subject). These articles mostly read like it's a surprising r...
As the bad guys get more sophisticated with launching online attacks on your business PCs, you have to get smarter about how you are protecting them. And in the past year, many of the traditional anti-virus vendors have improved their …
Cloud computing brings many advantages including elasticity, flexibility, and pay-per-use. But when looking at cloud security, and specifically encrypted cloud storage the picture is much more complex. Cloud security (in IaaS and PaaS scenarios) is a shared responsibility. The cloud pr...
We have previously written about Kyrus Tech Inc and have highlighted their unique capability called Carbon Black. We have worked with the team of experts there in the past and I am very proud to have been professionally associated with Michael Tanji since we were both in government in ...
Transparent Data Encryption (TDE), sometimes also called Transparent Database Encryption, is one way to encrypt database content. TDE offers encryption at a column, table, and tablespace level. This makes TDE one of the more highly configurable ways to encrypt database content, though ...
Security is a pretty big word. It’s used to represent everything from attack prevention to authentication and authorization to securing transport protocols. It’s used as an umbrella term for such a wide variety of concerns that it has become virtually meaningless when applied to techno...
We’ve always had a close relationship with cloud providers, such as Amazon Web Services and Red Hat OpenShift. Lately we have been hearing from an ever wider spectrum of the cloud provider industry, and their cloud data security requirements show a pattern. Providers need to different...
Stewardship is a term implying the responsible use of important resources. The concept of stewardship can be applied to a variety of domains and has long been part of human dialog on what is right and wrong. A great dialog on stewardship in cyberspace is now underway, and it just took ...
Cyber security is a top priority for US government agencies seeking to protect critical information assets. As the number of attacks increases, so does the amount of data government needs to process. Federal agencies have therefore mandated support for stronger cryptographic keys and m...
Exposing a virtualization weakness for data theft, Snapshotting your data, and the internal threat, are new cloud risks that didn’t exist when the data was stored between the four walls of your datacenter. Data encryption is a critical first step for any organization considering the ...
Last week, I had the pleasure of discussing REST access control patterns with Enterprise Architects and partnering technology folks. I also had the opportunity to present on this topic and one of the questions that came up afterwards was from a security architect who was unsure whether...
Is the US Patriot Act a red herring? Some European countries, as well as Brazil and China, have been using the U.S. Patriot Act as an excuse to set up barriers for the transfer of data into the U.S., but according to Business Software Alliance CEO Robert Holleyman, those countries have...
NASA was hacked 13 times last year, resulting in major breaches of sensitive government data. Hackers working from Chinese IP addresses gained full access to NASA’s files, employee credentials and system logs. Unencrypted laptops were also stolen containing codes for controlling the In...
Linode Hacked, Bitcoins Stolen: Linode.com, popular provider of virtual private server (VPS) systems, responded to a morning breach of its control panel software, which apparently enabled a malicious attacker to gain control over several virtual servers of a bitcoin service named Bitc...
This is the second post of a two-part blog post that discusses HTML5 WebSocket and security. The first post, HTML5 WebSocket Security is Strong, talked about the security benefits that derive from being HTTP-compatible and the WebSocket standard itself. In this, the second post, I will...
Startup Porticor (privately held) has released its “Virtual Private Data” solution for enterprises wishing to make more secure use of public cloud resources. Secure use of public resources requires encryption of data at rest and in motion, to minimize the possibility of eve...