3 Days Left to Save $400 on SANS Cyber Defense Initiative 2014, Wash DC

Blog: SANS Security Trend Line:

Author - John Pescatore

Twelve Word Tuesday: Crypto Export Controls Helped Bad Guys More Than Law Enforcement - No Redux!

Encryption : data as vaults : cash - necessary protection, laws can allow legitimate access.

Twelve Word Tuesday: Internet Attack Cycles And Solar Cycles Have 11 Years in Common

2001 - 2003: - Windows vulnerabilities Windows enable worms

2012 - 2014: - Open Source vulnerabilities enable cybertheft

Simple Math: It Always Costs Less to Avoid a Breach Than to Suffer One

The Home Depot breach is the latest "largest ever," but it is really just another example of "you can pay me now, or you can pay me a lot more later" proving out once again as the details come out.

The root cause of the breach can be traced to Home Depot's failure to implement the first subcontrol under Critical Security Control 2:

Deploy application whitelisting technology that allows
systems to run software only if it is included on the whitelistand prevents execution of all other software on the system.

The whitelist may be very extensive (as is available from
commercial whitelist vendors), so that users are not
inconvenienced when using common software. Or, for some special-purpose systems (which require only


Twelve Word Tuesday: Browsers Should Be Like Car Windshields, Not Car Rental Agreements

More browser security popups are as useful as more drug side-effect warnings.

Google plans Chrome pop-ups for sites using SHA-1

Why Does Apple.com/security Try to Sell Me OS/X vs. Tell Me How to Stay Secure Using Apple Stuff?

There's nothing like nude pictures of celebrities to raise the visibility of a security breach — the iCloud exposure is the latest to zoom up the Google Trend charts. The underlying problem appears to be that while Apple does offer two-factor authentication for logging into iClouds and for making iTunes purchases, that strong authentication did not extend to all areas of iCloud — not to backups, for example. So, attackers were able to exploit the usual weak password and weak password reset processes — using "What you know" questions in password-reset safeguards is pretty silly for people whose dog's mother's maiden name is actually known by millions of