Tuesday, August 28, 2012

And the Password is... Monkey!

   If you've been following the news about hackers and cracked passwords, then you know that one of the most often used passwords for online sites and services is: Monkey.  Who would have guessed?!

   All the buzz is about an article appearing in Ars Technica, "Why passwords have never been weaker - and crackers have never been stronger," by Dan Goodin.  It's an eye-opening piece about how the state of the art in password cracking has been greatly advanced by the intelligence crackers have gained from recent hacks and password file disclosures at LinkedIn, eHarmony, Battle.net and others: every leaked list shows them exactly how real people choose and vary their passwords.

   Everyone "knows" they should be using strong passwords - yet passwords like 123456, password and Monkey are routinely on the top of the list of the most used passwords on hacked sites.  Similarly, everyone "knows" they should not reuse passwords between sites (is your Facebook password the same as your online banking password???).  But the article refers to a 2007 Microsoft study which reports that the average web user has accounts on 25 different sites, but protected by only 6.5 unique passwords!
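To make the point concrete, here is an added example (my own illustrative code, not anything from the post, the Ars Technica article, or any real cracking tool) showing why "creative" variants of the usual suspects fall in seconds once an attacker has a breach-derived wordlist and a handful of mangling rules. The six-word wordlist, the five "users" and their passwords, and the use of unsalted SHA-1 hashes are all constructed assumptions for the demo; a real run would use millions of leaked passwords and far richer rules.

```python
"""Added example: breach-derived wordlist + mangling rules vs. 'clever' passwords.

Illustrative code written for this page; not from the post or any cracking tool.
Assumptions (constructed for the demo): a tiny wordlist standing in for a leaked
corpus, five made-up users, and unsalted SHA-1 as the site's hash.
"""
import hashlib

# Constructed mini wordlist standing in for a leaked-password corpus.
LEAKED_WORDLIST = ["123456", "password", "monkey", "qwerty", "letmein", "dragon"]

# Constructed users. Four chose a 'variation' of a top password; one chose a passphrase.
USER_PASSWORDS = {
    "alice": "Monkey",
    "bob": "monkey12",
    "carol": "P@ssw0rd",
    "dave": "Dragon2008",
    "erin": "correct horse battery staple",
}


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1, hex encoded (assumed hash format for the demo)."""
    return hashlib.sha1(s.encode()).hexdigest()


def mangle(word: str):
    """Yield common user variants of a base word: case changes, a leet
    substitution, appended digits 0-99, appended years, and a trailing '!'.
    This is a deliberately small subset of the rules real crackers apply."""
    bases = {word, word.capitalize(), word.upper()}
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0")
    bases.update({leet, leet.capitalize()})
    for b in bases:
        yield b
        for n in range(100):
            yield f"{b}{n}"
        for year in range(1990, 2013):
            yield f"{b}{year}"
        yield b + "!"


def crack(target_hashes, wordlist=LEAKED_WORDLIST):
    """Return {hash: plaintext} for every target recovered.
    Because the hashes are unsalted, each candidate hash is compared against
    every target at once, so cost does not grow with the number of users."""
    targets = set(target_hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = sha1_hex(candidate)
            if h in targets:
                found[h] = candidate
                targets.discard(h)
                if not targets:
                    return found
    return found


def run_demo(user_passwords=USER_PASSWORDS):
    """Hash the constructed users' passwords, run the cracker, and report
    per-user results (None means not recovered)."""
    hashes = {user: sha1_hex(pw) for user, pw in user_passwords.items()}
    cracked = crack(hashes.values())
    return {user: cracked.get(h) for user, h in hashes.items()}


if __name__ == "__main__":
    for user, result in run_demo().items():
        print(f"{user:6s} -> {result if result else 'NOT cracked'}")
```

Capitalizing "monkey", tacking on a year, or swapping in an "@" buys nothing against an attacker who has watched millions of people do exactly that in previous dumps; only the password that never appears in any wordlist survives. Salting the hashes would stop the one-hash-fits-all comparison in `crack`, but it would not save a password that is itself on the list.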

   Here's my take...

Tuesday, August 21, 2012

Inspiration, Aspiration and Perspiration

   I recently read the book, "Start With Why" by Simon Sinek.  Actually, as I usually do with books, I listened to the audiobook.

   One of the key points in the book, and one that I am using, is what Sinek calls the Golden Circle.

Tuesday, August 14, 2012

Is the Help Desk the New Perimeter?

    Unless you've been under a rock, you've read about the unfortunate hack of tech journalist Mat Honan's iPhone, iPad, Mac, Gmail, iCloud, Amazon and Twitter accounts (not necessarily in that order).  You can read the details in Mat's Wired article here.  There is also some great twit.tv podcast coverage on TWIT, TWIG and Security Now!.

   I won't rehash what others have said on this matter.  But I do have a couple of different thoughts.  A number of people have written takes on what you should do to protect yourself.  I have some thoughts on this that I'll share in a future post.

Tuesday, August 7, 2012

The Case for Security Awareness

   There have been a number of articles lately talking about the value of Security Awareness. In particular, this post by CSO Online blogger Dave Aitel makes the case that Security Awareness training is not useful or effective. A number of examples are listed to show that even in supposedly "enlightened" companies, like RSA, simple mistakes such as opening a malicious email attachment still happen.

   I think this is too simplified a view.

   It's hard to quantify how many things don't happen, prevented by basic awareness training. But, a big problem could be the training itself.  From this Dark Reading post: