It’s just another day. So what that, many years ago, you happened to be born on that day. Yes, I am talking about birthdays. Evidently when it’s your birthday it means people should treat you nicely, let you do what you want, write you cards, and shower you with gifts. We’d probably all like that treatment the other 364 days too, right? But on your birthday I guess everyone deserves a little special treatment.

Well, my birthday was this past weekend, and it was pretty much perfect. The day started like any other Sunday, but things were a bit easier. I got the kids up and they didn’t give me a hard time. No whining about Sunday school. No negotiating outfits. I didn’t once have to say “that’s not appropriate to wear to Temple!” They made their own breakfast, not requiring much help. The kids had made me nice cards that said nice things about me. I guess one day a year they can get temporary amnesia.

I dropped them off for Sunday school and headed over to my usual Sunday spot to catch up on some work. Yes, I work on my birthday. To put myself in a good mood, I started with my CFO tasks. Think Scrooge McDuck counting his stacks of money. That’s me. Scrooge McIncite making sure everything adds up and every cent is accounted for. I did some writing – Scrooge McIncite gets things done. I got ahead of my mountain of work before I head out on my golf weekend.

Then I got to watch football. All day. The Falcons won. The Giants won. The Panthers, Eagles, and Redskins lost. It was a pretty good day for my teams. The Giants game was televised on local TV, and through the magic of DVR I could record both the Falcons and the Giants and not miss anything. How lucky is that?

Then my family took me out to a great dinner. I splurged quite a bit. Huge breakfast burrito for dinner. That’s right, I can eat a breakfast burrito for dinner. It’s my birthday, and that’s how I roll. Then I had some cheesecake to top off the cholesterol speedball. When was the last time I did that?
Evidently rules don’t apply on your birthday. The servers had no candles, and they sang Happy Birthday to me, which I didn’t let ruin my day. In fact, nothing was going to ruin my day. Even when the Saints came back and won the Sunday night game.

As I snuggled into my bed at the end of a perfect day, I did take a minute to reflect on how lucky I am. I don’t allow myself to do that too often or for too long, because once he’s done counting today’s receipts Scrooge McIncite starts thinking about where tomorrow’s money is going to come from. But the next day will be here soon enough, so one day a year I can doze off thinking happy thoughts.

–Mike

Photo credits: Scrooge McDuck: Investment Counselor window in Mickey’s Toontown originally uploaded by Loren Javier

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Defending Against Denial of Service (DoS) Attacks
Defense, Part 1: The Network Attacks

Understanding and Selecting Identity Management for Cloud Services
Introduction

Securing Big Data
Recommendations and Open Issues
Operational Security Issues

Incite 4 U

The DDoS future is here today: I mentioned it in last week’s Incite, but we have more detail about the DDoS attack on financial firms that happened last week thanks to this great article by Dan Goodin at Ars Technica. As I continue to push the DoS blog series forward, one of our findings was the need to combine defenses, because eventually the attackers will combine their DoS tactics… like any other multi-faceted attack. Last week’s attacks showed better leverage by using compromised servers instead of compromised consumer devices, providing a 50-100x increase in attack bandwidth. The attacks also showed an ability to hit multiple layers from many places, or one target at a time. This is clear attack evolution, but that doesn’t mean it was state sponsored. It could as easily be more disinformation, attempting to obscure the real attackers. So the DoS arms race resumes. – MR

OAuthorized depression: For many years I deliberately avoided getting too deep into identity and access (and now, entitlement) management. Why? Because IAM is harder than math. That has started to change as I dig into cloud computing security, because it is very clear that IAM is not only one of the main complexities in cloud deployments, but also a key solution to many problems. So I have been digging into SAML, OAuth, and friends for the past 18 months. One thing that has really depressed me is the state of OAuth 2.0. As Gunnar covers at Dark Reading, we might be losing our dependence on passwords, but OAuth 2.0 stripped out nearly all the mandatory security included in OAuth 1. This is a very big deal because, as we all know, most developers don’t want (and shouldn’t need) to become IAM experts. OAuth 1 effectively made security the default. OAuth 2 is full of a ton of crap, and developers will need to figure out most of it for themselves. This is a major step backwards, and one of the many things fueling the security industry’s alcohol abuse problem. – RM

Human intel: The headline U.S. banks could be bracing for wave of account takeovers hits the FUD button in yet another attention whoring effort to get more page views with less content. But there is an interesting nugget in the story – not the predicted (possible) bank attacks, but how opinions have formed. In the last year many CISOs