Free REST API Security guide

March 31, 2019

If you’ve worked with both major varieties of API (Web services & REST) for any length of time, you’ll know that the approach to security varies widely between them. In the Web services world, there are numerous standards bodies and security guidelines, such as:

These are just a few examples of what’s out there.

Thanks to all of this ancillary work, a common (mis)perception has sprung up that Web services are more secure than REST APIs. While there’s a kernel of truth to this assumption, REST APIs now benefit from their own set of security standards and best practices. To give you a better idea of what these are, check out this helpful eBook on Dzone, written by Guy Levin, CTO of RestCase.

Celebrate Data Privacy Day by protecting yourself from email tracking

January 28, 2019

This year, instead of firing up the barbecue, putting on elaborate costumes, or singing carols, why not commemorate Data Privacy Day (January 29) by making it harder for external parties to track your email? If you’re interested, check out a very informative article from the Electronic Frontier Foundation on how to do that.

Helpful article on journalist protection is relevant for us all

November 10, 2016

In the aftermath of this week’s US election, it’s worthwhile to – once again – revisit techniques to protect private information from those who have no business seeing it. Here’s a link to a very useful article from The Atlantic that might give you some ideas about how to safeguard your data. If you’re curious about other security and privacy topics that I’ve written about, here’s a shortcut to them.

Excellent article about FBI’s iPhone crack

March 30, 2016

Bruce Schneier has long been one of my favorite technology authors and bloggers. He manages to write about extremely complex topics in a very accessible way – a notably rare and highly admirable skill. His latest article explains why the secretive approach that the FBI is employing to unlock iPhones will eventually harm innocent users unless Apple is notified of the device’s vulnerability.

The problem with computer vulnerabilities is that they’re general. There’s no such thing as a vulnerability that affects only one device. If it affects one copy of an application, operating system or piece of hardware, then it affects all identical copies. A vulnerability in Windows 10, for example, affects all of us who use Windows 10. And it can be used by anyone who knows it, be they the FBI, a gang of cyber criminals, the intelligence agency of another country … anyone.

This is precisely why Apple needs to understand what’s happened. Otherwise, the next entity to break into iPhones may not be doing so in the legitimate and honorable interest of solving crime.

I read Bruce’s blog regularly, and recommend it to anyone interested in security and information protection.

Helpful, easy-to-follow instructions to assess and correct your browser’s SSL vulnerability

October 16, 2015

SSL has long been the primary method for encrypting the communications between your browser and the websites you visit. However, for years there have been reports about potential ways for unauthorized parties to exploit SSL weaknesses and thus gain access to your ostensibly secure interactions.

The latest news is that the Diffie-Hellman key exchange algorithm (using 1024-bit primes) has been compromised. This has serious implications for the privacy of your sensitive communications, including banking, shopping, and email, to name just a few.

Fortunately, there’s a very helpful online tool that will evaluate your risk. You can find it at https://www.howsmyssl.com/

You should run this tool for each browser that you use, and take action based on what it tells you. More about that later in this post.

Here’s what I learned when I ran it on my system:

Opera (I haven’t updated this for a while, so it’s no surprise that it’s vulnerable):

[Screenshot: How’s My SSL results for Opera]

Safari (Based on these results, Safari is now a no-go until I get it corrected):

[Screenshot: How’s My SSL results for Safari]

Firefox (I applied the fix from the article that I’ll describe below. The results are good):

[Screenshot: How’s My SSL results for Firefox]

Finally, here’s Chrome. Once again, I configured this browser using the information from the article below.

[Screenshot: How’s My SSL results for Chrome]

So what should you do if you get a ‘Bad’ message from the How’s My SSL tool? The Electronic Frontier Foundation (EFF) has published an excellent, easy-to-understand article with step-by-step instructions about how to tighten your browser security.

You’ll find it here.

Excellent article on laptop encryption

April 28, 2015

Did you know that you have very few privacy rights when you cross a border (into the US or anywhere else in the world, for that matter)? I blogged about the dangers of bringing a laptop through customs a while back. Naturally, it’s a good idea to remove any sensitive information from your laptop, especially when you’re traveling. For those situations that require you to keep important data on a computer that’s at risk of being inspected (or stolen), full-disk encryption can be a lifesaver.

Operating system vendors have been doing a great job at strengthening their products, so there’s really no excuse not to take advantage of encryption. Here’s a link to an excellent article from Micah Lee on The Intercept that explains how to do this on Windows, Mac, and Linux computers.

With step-by-step instructions, it’s one of the best-written tutorials I’ve seen about this topic. It’s well worth your time to make the effort, but remember: don’t lose your password!

Big Data security and privacy risk podcast

October 1, 2013

I recently participated in a podcast sponsored by Edward Haletky at The Virtualization Practice.

My co-panelists (Edward, Iben Rodriguez @iben, Mike Foley @mikefoley) and I discussed many aspects of the inherent security and privacy risks that enterprises and the general public alike are encountering with Big Data. You can find a recording of the podcast here.

Speaking about enhanced security capabilities for Hadoop

February 11, 2013

I’m looking forward to my speaking engagement at the Conference on Big Data Security this July in Boston. I’ll be talking about how to keep your Hadoop environment safe and secure. In particular, I’ll be discussing:

  • The key diverse technologies contained within a typical Hadoop environment
  • Current and trending security risks characteristic in Hadoop implementations
  • Setting and attaining realistic goals
  • Contrasting open-source vs. proprietary Hadoop security tools
  • Protecting your Hadoop landscape through controlled access
  • Inherent differences safeguarding data-at-rest vs. defending data while in motion

I hope you can join me there – it should be a very interesting conference.

Three free password strength web sites

September 14, 2012

As our data increasingly moves online, creating, managing, and using passwords is more important than ever before. Getting a password stolen – or decrypted by an unauthorized third party – can be very painful. Things are much worse if your broken password unlocks lots of doors. For this reason, it’s extremely unwise to use the same password for different websites, since a breach at one site exposes you everywhere. With this in mind, it’s smarter to create distinct passwords for each web site, application, email service, and so on. However, given the proliferation of online resources, many people must manage dozens of different logins, and some have many more. For example, I maintain nearly 200 different passwords.

When it comes to setting up passwords, there’s a perception that a strong password is hard to create – and even more difficult to remember. This is why I use a third-party password management tool. There are many on the market, but I like Callpod Keeper. It’s up to you to set a master password, but once you’ve done that, Keeper will generate passwords for each site you visit. Another choice is to simply create your own passwords on a site-by-site basis and store them in Keeper.

Regardless of where and how you create your password, it’s natural to wonder how secure it is. Believe it or not, it will often take a brute force decryption attack longer to break an easy-to-remember phrase than a short, unmemorable, cryptic password. To help you gauge the relative strengths of your passwords, take a look at each of these helpful sites:

1. How Big is Your Haystack? This site is from Gibson Research, provider of many excellent networking and security utilities.

2. Dropbox’s zxcvbn password strength estimator. This utility was created as a companion piece to a really well-written blog post. I like how this utility shows you a play-by-play of how a brute force attack might be launched against your password.

3. How Secure is My Password? Color-coding (red is bad, green is good) adds a nice visual effect that tells you how long it will take to break your password.

As you experiment with these sites, I recommend trying a variety of passwords and phrases. Don’t forget to throw in special characters, uppercase, numbers and so on.
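To make the phrase-versus-cryptic-password comparison concrete, here is an added example (not code from this post or from any of the three sites) that estimates the exhaustive-search space of a password. The character-class model, the sample passwords, and the guess rate of 10^11 per second are assumptions chosen for illustration.

```python
import string

# Printable-ASCII character classes (an assumed alphabet model).
CLASSES = (
    string.ascii_lowercase,      # 26 letters
    string.ascii_uppercase,      # 26 letters
    string.digits,               # 10 digits
    string.punctuation + " ",    # 32 symbols + space = 33
)
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password):
    """Size of the alphabet a brute-force search must cover for this password."""
    if not password:
        raise ValueError("empty password")
    known = "".join(CLASSES)
    if any(ch not in known for ch in password):
        raise ValueError("character outside printable ASCII; not modelled here")
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def search_space(password):
    """Candidates of every length from 1 up to len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password, guesses_per_second=10**11):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed samples: a short cryptic password and a longer plain phrase.
    for pw in ("Xq7$kP2!", "my cat naps at noon"):
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, "
              f"candidates={search_space(pw):.2e}, "
              f"years={years_to_exhaust(pw):.2e}")

# Caveat: this models exhaustive brute force only. A phrase built from common
# words falls to dictionary and pattern guessing far sooner than this bound.
```

Length dominates the result: each extra character multiplies the search space by the alphabet size, while adding a character class only enlarges the base.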
