Archive for October, 2008

What we’re reading, week of 10/27

Posted: October 29, 2008 in Highlights

From Schneier on Security…
Barack Obama Discusses Security Trade-Offs
Bruce Schneier uses a remark from Obama to illustrate his philosophy on security systems and how to manage them: “the person in charge of the security system can’t be the person who decides what resources to devote to that security system.”

From Zero Day…
“Joe the Plumber”’s data compromised by government insider
Adam O’Donnell writes about the latest political data-leakage incident: test accounts were used to access motor vehicle and other records on Joe Wurzelbacher.

From Security Fix…
Microsoft to Issue Emergency Security Update Today
Brian Krebs comments on Microsoft’s out-of-cycle patch release, giving updates on the particular vulnerabilities (and rumors of vulnerabilities) that have motivated this immediate action.

Biometrics for VPNs

Posted: October 29, 2008 in Posts

Last week, NCP announced biometric security support for VPNs. We’re interested in hearing stories of how organizations have integrated biometric security technology with their VPNs, and how it has gone. Were there any major obstacles to implementation? Measurable improvements? New challenges this technology has created? Best practices you’d like to share?

Security versus compliance

Posted: October 22, 2008 in Posts

In Massachusetts, an “Order Regarding the Security and Confidentiality of Personal Information” has just been issued. The measures contained within are intended to hold the state’s government bodies accountable for adhering to practices that protect against consumer identity theft.

Especially of interest is Section 4, which calls for the Commonwealth’s CIO to oversee the guidelines, plans, reporting and auditing of each agency. The order calls, in particular, for a lot of auditing. This brings to mind Martin McKeay’s excellent discussion of compliance through security.

Are these compliance regulations the right approach to preventing ID theft? Is there any realistic alternative?

What we’re reading, week of 10/20

Posted: October 20, 2008 in Highlights

Security in the Mobile Device Era
Deb Shinder discusses the security considerations and solutions for Windows Mobile devices, as well as the challenges that arise when using non-Windows devices in a corporate mobile network.

From IT Security…
Vulnerability Blog Roll
IT Security compiles a list of today’s most newsworthy security vulnerabilities.

From Emergent Chaos…
Discipline and Art
Adam Shostack writes about the particular paradoxes that plague the mindset of a security professional.

What we’re reading, week of 10/13

Posted: October 14, 2008 in Highlights

From Network Security Blog…
Looking forward to RSA Conference 2009
Martin McKeay points us to the RSA Conference 365 site, where bloggers and industry brains are gearing up for the 2009 RSA Conference in April.

From TaoSecurity…
Insider Threat Prediction Materializing
Richard Bejtlich discusses the realization of one of his security predictions for 2008: emphasis on internal security threats is shrinking. “[T]he insider threat is the one threat you can really control. Unless you’re a police or military organization, you can’t do anything about external threats. Anyone with firing power can do something about internal threats.”

From the Mac Security Blog…
Two iPhone Security Flaws Made Public
Intego alerts us to two subtle security flaws in the iPhone, including the truncation of URLs within emails, which makes it harder for users to recognize phishing links before tapping them. Alongside this post is a helpful guide, Six iPhone Security Tips.