Blaming users for security incidents is counterproductive

The Associated Press has done some important research into the cause of cybersecurity incidents in the federal government. Unfortunately, they come to the wrong conclusion. They document the huge rise in security incidents, and then add: And [federal] employees are to blame for at least half of the problems. Specifically, not …

Tozny demo video: Login and out of band transaction verification

Take a look at the primary features of the Tozny login and out of band transaction verification system. Key points: Tozny is both easier to use and more secure than passwords. Tozny defeats advanced malware like man in the browser attacks. Tozny adds an extra layer of defense against CSRF.

Shellshock: Making sense of the question, “Am I vulnerable?”

It seems like such a simple question, “Am I vulnerable to Shellshock,” but it’s surprisingly complicated. Lots of Internet forums suggest pasting some magic code into your command line. If the code outputs “Vulnerable” then you need to upgrade. Unfortunately, it’s not that easy.
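As an added illustration (not code from the Tozny post), the script below runs the classic CVE-2014-6271 probe against specific bash binaries rather than whichever "bash" your interactive shell finds first in PATH, since the process that actually matters, a CGI handler, a DHCP client hook or a `system()` call, may run a different one, including whatever `/bin/sh` resolves to. The function names, the candidate paths and the marker string are this example's own choices. It covers only the original bug, not the further CVEs that followed the incomplete first fix, so a "patched" result on one binary is necessary but not sufficient.

```shell
#!/bin/sh
# Added example (not from the Tozny post): probe specific bash binaries for the
# original Shellshock bug, CVE-2014-6271, instead of trusting whichever "bash"
# is first in your interactive PATH. Function names, the candidate paths and the
# marker string are this example's own choices.

# probe_bash PATH -> prints "vulnerable", "patched" or "missing" for that binary.
probe_bash() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # The classic test: an exported variable holding a function definition with
    # trailing code. An unpatched bash executes the trailing code while importing
    # the function, so the marker appears before the command's own output.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# candidate_shells -> bash binaries that services on this host may actually run,
# one per line. The interactive shell you pasted the forum test into may be none of them.
candidate_shells() {
    for p in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        [ -x "$p" ] && echo "$p"
    done
    # /bin/sh is what #!/bin/sh scripts, system() and popen() invoke; on many
    # systems it is a symlink to bash, on Debian-derived ones it is dash.
    if [ -L /bin/sh ]; then
        target=$(readlink -f /bin/sh 2>/dev/null)
    else
        target=/bin/sh
    fi
    case "$(basename "$target" 2>/dev/null)" in
        bash*) echo "$target" ;;
    esac
    return 0
}

# report -> probes every candidate, prints one line each, returns 1 if any is vulnerable.
report() {
    status=0
    for b in $(candidate_shells | sort -u); do
        r=$(probe_bash "$b")
        echo "$b: $r"
        [ "$r" = vulnerable ] && status=1
    done
    return $status
}

report || echo "At least one bash binary is unpatched: upgrade it, then re-run."
```

Run it as root on the host in question; if `report` lists nothing, the host has no bash on the probed paths and `/bin/sh` is not bash, which still leaves bash binaries bundled inside containers, chroots or appliance images unexamined.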

Man in the Browser: Attack and Defense

A successful man in the browser attack is devastating: The attacker gets full control over your account and you have no idea it is happening. In this post, we discuss the attack, its impact, and why typical mitigations fall short. Finally, we toot our own horn a bit and show …

A Guide To Insider Threats

Insider attacks are particularly difficult to defend against. Insiders have internal knowledge of the network, and often know a system’s vulnerabilities. Even if they don’t violate security policies, they can perform authorized actions in a malicious way. I like Common Sense Guide to Mitigating Insider Threats. It’s light reading, if …