By mian, on April 18th, 2011

I am a security architect. My job is not to provide the best in class security. Just in case you didn't get it: MY JOB IS NOT TO PROVIDE BEST IN CLASS SECURITY. I strive to provide the RIGHT LEVEL of security based on the risk, always taking into account the usability and cost of the solution I am recommending. There is a reason why enterprise architects and the people who run the business and pay the bills sometimes hate the security types. More often than not, we recommend super duper secure solutions which cost a fortune and are mostly unusable. We love 8... oops, is it 12 or 16 characters now?... passwords with alphanumeric, upper case and lower case characters. It doesn't matter if nobody, including us, could remember them; and we want them changed every other week. We love to spread fear and create confusion. My brother called me last night asking what he can do to protect his social security number; some security type had told him that last year 5 million identities were stolen in the USA alone. Who comes up with these absurd numbers? On a serious note, when . . .

→ Read More: Security: Sometimes less is more

By mian, on April 3rd, 2011

The blogosphere is abuzz with the fake certificates issued by the Comodo certificate authority (CA), as if this were the end of the world and those fake certificates could do a lot of harm. The architects of the CA system always took that possibility into account. A certificate can be issued by mistake or fraudulently, and the system has the capability to revoke any issued certificate. Every certificate should contain a URL for the Certificate Revocation List (CRL), and all Comodo had to do was revoke those certificates and update the CRL, which has already been done. Let's stop the nonsense. The Comodo announcement clearly states that those certs were immediately revoked:

"All of these certificates were revoked immediately on discovery. Monitoring of OCSP responder traffic has not detected any attempted use of these certificates after their revocation."

Please calm down: the CA world is not about to collapse, and your gmail and live.com accounts cannot be compromised as long as you are using a modern browser, which will actually check the CRL before trusting the certificate. And those of you who are suggesting deleting the Comodo CA from the list of trusted CAs should probably find . . .

→ Read More: Let's stop fear mongering and non-sense about Comodo Compromise and import the CRL

By mian, on April 2nd, 2011

Every security professional knows that two-factor authentication is better than a single-factor system. A commonly misunderstood fact is that not all two-factor authentication systems provide equivalent security protection. A prevalent confusion among enterprise architects, and even some security professionals, is that One Time Password (OTP) tokens and smart cards provide an equivalent level of security protection. After all, both of these are "something you have," and thus equivalent. This is a gross oversimplification when comparing two entirely different technologies. In fact, even "something you have" is not always a true statement when it comes to OTP. Let's look at this in a bit more detail.

OTP is not ALWAYS something you have when it comes to authentication

OTP tokens rely on the fact that it is almost impossible to predict the next value of the number provided by the token. Thus the commonly made incorrect assumption that someone who is able to provide the correct token value ALWAYS possesses the token. This ignores the fact that one can simply choose to convey the value of the token over phone or SMS. We are of course assuming intentional communication here, but . . .

→ Read More: Why Smart Cards are better than OTP tokens in two factor authentication systems
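The CRL check the Comodo post above relies on ("a modern browser will actually check the CRL before trusting the certificate"), as an added Go example that is not from this blog: a throwaway CA signs a CRL listing a few serial numbers, and the relying party accepts that CRL only if the issuer really signed it and it is not past NextUpdate before looking a serial up. The CA, its key, the serial numbers and the must helper are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture helper: panic rather than return the error
	if err != nil {
		panic(err)
	}
	return v
}

// MakeTestCRL builds a throwaway CA and signs a CRL revoking the given serials (constructed data, not a real CA).
func MakeTestCRL(revoked ...int64) (crlDER []byte, ca *x509.Certificate) {
	now, key := time.Now(), must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // a CRL issuer must carry crlSign
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		crl.RevokedCertificateEntries = append(crl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, crl, ca, key)), ca
}

// CheckRevocation is the relying-party side: trust the CRL only if the issuer signed it and it is still fresh, then look the serial up.
func CheckRevocation(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer) // a CRL that anyone could have produced proves nothing
	}
	if err != nil || time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL rejected (unparseable, not signed by the issuer, or past NextUpdate): %v", err)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

A real client obtains the CRL bytes from the URL in the certificate's CRL distribution point extension and re-fetches once NextUpdate has passed; only the checking logic is shown here.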