Entries Tagged as 'Uncategorized'
Unsafe Networks and Security Conferences
October 20th, 2009 · No Comments
Some unhappy bloggers ended up on the Wall of Shame at a recent security/hackers conference and (I summarize…) cried foul because it wasn’t pre-advertised that the network would be hostile. There is a good post on the hubbub here.
The yin of rubbing elbows with vulnerability researchers and semi-bad guys who reveal the most recent [...]
Tags: Uncategorized
Defining The Next Generation Firewall Research Note: The Liner Notes
October 15th, 2009 · No Comments
John Pescatore and I published today “Defining The Next Generation Firewall” (NGFW). These ‘liner notes’ may help provide some context. Gartner has been talking about Next Generation Firewalls (NGFW) for a while – in 2004 we had a note titled “Next generation Firewalls Include Intrusion Prevention”.
We have been increasing the weighting for NGFW [...]
Tags: Uncategorized
Private Clouds and Phishy Clouds
October 6th, 2009 · 2 Comments
Two items this week bring into focus the security issues around cloud computing.
In an article on DISA’s RACE (Rapid Access Computing Environment), the comment is made that RACE is more secure and stable than the Google cloud. Arguments aside about the definition of clouds and whether private clouds are really clouds, I find this [...]
Tags: Uncategorized
Unicorns, Pixies, and Enterprise UTM
September 29th, 2009 · 13 Comments
The child actor who died from drinking Pop Rocks candy and Coke, and the Nigerian minister who just needs a little help with some money transfer… I need to call someone at Snopes.com and pull in some favors to get “Enterprise UTM” added to the myths list.
The Loch Ness Enterprise UTM message has again [...]
Tags: Uncategorized
The Importance of Uncertainty
August 31st, 2009 · 4 Comments
People, it turns out, are really bad at dealing with uncertainty and randomness. We are pre-programmed to see direct causes between independent factors and to treat direct links as unrelated or random. Likelihood, causation, and randomness are fundamental to IT security, and humans’ blind spots in these areas are but one reason why we [...]
Tags: Uncategorized
Hype Cycle for Infrastructure Protection
August 10th, 2009 · 4 Comments
I was honored to be the lead author for the 2009 Hype Cycle for Infrastructure Protection (limited to Gartner customers).
First in thanks, and second to demonstrate the depth of work and research we do at Gartner, I’d like to thank my 15 co-authors:
Vic Wheatman, Joseph Feiman, Neil MacDonald, Adam Hils, Jeffrey Wheatman, Peter [...]
Tags: Uncategorized
DNS BIND Vulnerability
July 29th, 2009 · 2 Comments
My colleague and guest blogger Lawrence Orans joins me today in giving his take on the DNS BIND vulnerability:
Another July, another DNS vulnerability. Last year, it was the Kaminsky vulnerability. Yesterday, the ISC announced another vulnerability in BIND. It’s serious — a specially-crafted dynamic update message can crash your BIND 9 name servers. According [...]
Tags: Uncategorized
Social Media Data Leaks: TMI
July 28th, 2009 · 2 Comments
TMI: Too Much Info. Sure, the example below isn’t as egregious (i.e., bad) as the others I’ve posted recently, but it falls into that soft gray category of TMI.
See the other posts on this thread:
Social Media Data Leaks: Password Reset Helpers
Social Media Data Leaks: The Polarity of Security Models
and Social Media Data Leaks.
Tags: Uncategorized
Social Media Data Leaks: Password Reset Helpers
July 27th, 2009 · 1 Comment
There are some slightly sensitive things which, if leveraged, can be turned into more sensitive things. Ye olde Mother’s Maiden Name is one of those often used in attacks on password reset challenges, the likes of which have been reported here.
Here is an example via Twitter of making an account reset [...]
Tags: Uncategorized
Social Media Data Leaks: The Polarity of Security Models
July 24th, 2009 · 2 Comments
There were some thought-provoking comments on yesterday’s post: is this kind of information a data leak, a breach, or just being too informative?
In the example below I had to blank out the username because it was the same as the Twitter name.
We’ve become accustomed to the positive security model for email, which is to [...]
Tags: Uncategorized