Welcome to Collaborative Strategy Guild

Where insights are transformed into actions at the intersection of collaboration, information management, security, and business strategy.

Chrome “most secure”? Depends on your frame of reference…

In interesting research news, there’s a paper out from Accuvant that attempts to compare the relative security merits of the “big three” browsers: Chrome, FireFox and Internet Exploder Explorer.  It’s an interesting read, so I suggest checking it out.

Now, I admit that I was skeptical when I first started reading it.  Not only can the “which product is more secure” evaluations be a little spurious, but this particular report is also actually sponsored by Google, so… well… you can see how one might wonder about that…  At least without a deeper dive.

However, after reading… Continue reading: Chrome “most secure”? Depends on your frame of reference…

CA Baseline Guidance… skeptical.

In light of continued shenanigans in the CA community, apparently the CA/Browser forum has put out some guidelines for certificates that are going to be trusted by default in various browsers.

The document is here if you want to check it out.

I get why the CAs want this.  It’s important that people believe they’re taking action.  It’s an entry-heavy, low-maintenance business.  Meaning, you invest a lot in the beginning and milk it over a long period of time.  But there’s no reason why CAs have to exist.  They exist right now because of… Continue reading: CA Baseline Guidance… skeptical.

Chatting with an auditor about credit unions

So if you recall, I received an inquiry the other day asking me to take my post where I was quacking about credit unions a bit further.

As a refresher, the gist of that discussion was that I found it to be somewhat lame that credit unions were complaining about how they have stringent technical controls whereas merchants don’t. My meta-point was that merchants (at least for card-based payments) have some very stringent (i.e. technically prescriptive) security controls by virtue of PCI compliance.  Credit unions, on the other hand, by virtue of their regulatory context, have more “interpretive latitude” in how… Continue reading: Chatting with an auditor about credit unions

Google Wallet, cardholder data, and the edge of PCI?

So today we have some excellent coverage via the always-interesting Mocana DeviceLine blog (have I blog-rolled them enough do you think?) covering a technical deep-dive on Google Wallet from ViaForensics.  An interesting read.

According to their investigation of how Google Wallet works, they’ve determined that there’s some scary data stored in cleartext on the phone, including:

  • Card type and last 4 digits
  • Card holder name
  • Current balance
  • Available to spend
  • Statement balance
  • Payment due date
  • Citi contact number

Well, that’s interesting. Folks might object to this kind of data being stored in cleartext within Google Wallet (I sure do), but I’d like to point out that the… Continue reading: Google Wallet, cardholder data, and the edge of PCI?

Was two-factor broken? I beg to differ

So the other day I came across this article that proudly pronounced “fraudsters defeat two-factor” as well as an extremely lucid response via the WikID blog.  It’s worth reading the original article for folks implementing phone-based OOB two-factor authentication (since it highlights an interesting misuse-case) and it’s also worth reading the excellent follow-on piece that puts it in perspective.

Anyway, I won’t belabor this point other than to point out that the WikID folks are right on the money, but for those folks who follow the two-factor market space and who missed this discussion, I thought it… Continue reading: Was two-factor broken? I beg to differ