On a trip to the Bay Area recently, I drove past the first electronic billboard I ever saw. It’s right on the 101 around Palo Alto, and has been there at least 7 or 8 years. This specific billboard brings up a specific and painful memory – it was also the first billboard I saw advertising Barracuda’s spam firewall many moons ago. But clearly it wasn’t the last. Working for CipherTrust (a competitor) at the time, I got calls and then started getting pictures of all the billboards from our field reps, who were sporting new phones with cameras. They wanted to know why we couldn’t have billboards. I told them we could have billboards or sales people, but not both. Amazingly enough they chose to stop calling me after that. That’s how I knew camera phones were going to be a big deal. At that point a camera built into your phone was novel. There was a time when having music and video on the phone was novel too. Not any more. Now almost every phone has these core features, and lots of other stuff we couldn’t imagine living without today. For example, when was the last time you asked a rental car company for a paper map? Or didn’t price check something you were buying in a store to see whether you could get it cheaper online? And fancy new capabilities are showing up every day. Yesterday the Apple fanboys were all excited about thumbprint authentication and a fancy flash. Unless you are a pretty good photographer, there really isn’t any reason to carry a separate camera around any more. I’m sure Samsung will come out with something else before long, and the feature war will continue. But keep in mind that just 7 years ago all these capabilities were just dreams of visionaries designing the next generation of mobile devices. And then the hard work of the engineers and designers to make those dreams a reality. And we are only getting started. It’s a brave new mobile-enabled world. And it’s really exciting to see where we will end up next.
–Mike

Photo credit: “Brave New World #1” originally uploaded by Rodrigo Kore

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Firewall Management Essentials
- Introduction

Ecosystem Threat Intelligence
- Use Cases and Selection Criteria
- Assessing Ecosystem Risk
- The Risk of the Extended Enterprise

Continuous Security Monitoring
- Migrating to CSM
- The Compliance Use Case
- The Change Control Use Case
- The Attack Use Case
- Classification
- Defining CSM
- Why. Continuous. Security. Monitoring?

Database Denial of Service
- Countermeasures
- Attacks
- Introduction

API Gateways
- Implementation
- Key Management
- Developer Tools

Newly Published Papers
- Identity and Access Management for Cloud Services
- The 2014 Endpoint Security Buyer’s Guide
- The CISO’s Guide to Advanced Attackers
- Defending Cloud Data with Infrastructure Encryption
- Network-based Malware Detection 2.0: Assessing Scale, Accuracy, and Deployment
- Quick Wins with Website Protection Services

Incite 4 U

Touch me baby: I have long been skeptical of the possibility of widespread use of biometrics among consumers. What are the odds that someone could get a large percentage of consumers to carry around a fingerprint reader all the time? Phones were always the potential sweet spot, but most of the smaller optical readers we have seen integrated into smaller devices had serious usability issues. That’s why Apple’s Touch ID is so interesting (I wrote it up at TidBITS and Macworld). It uses a snappy capacitive sensor in a device with a crypto chip, ubiquitous network access, and even short-range wireless (Bluetooth LE). Plus, it is a single phone model which will see widespread adoption.
Expect others to copy the idea (potentially a good thing, but good luck finding decent sensors) and to see some very interesting applications over the next few years. 2FA for the mass market, here we go! – RM

Pull my finger: Schneier has it right that biometric systems can ‘almost certainly’ be hacked, but shoving a fake finger in front of a fingerprint scanner isn’t it. Biometric analysis is more than just the scanner. Once you have scanned a retina or fingerprint, you send the scanned data to some other location, compare it with a known representation of the print (probably a hash) in a database, and then send back a yea/nay to the service the user is trying to access – mobile phone, building, or whatever. That service may also perform some risk assessment before granting access. That entire ecosystem has to be secure as well. And the kicker is that the better the biometric detection piece, the more complex the system needs to be, leading to more potential methods to subvert the overall system! Biometrics should be a second factor of authentication, making fakery much more difficult. And the idea is popular because of the convenience factor for the user – biometrics can be more convenient than a password. But no one should consider them intrinsically more secure than passwords. Some people think this is a bad idea. – AL

Walenda CISO: Simon Wardley posted an interesting article about when it’s time to fire the CISO. You’d figure after a breach, right? Or maybe if a big compliance fine is heading your way. Those are both decent times to think about making a change. But Simon’s point is that when the CISO (or CIO, for that matter) can no longer balance the needs of business with the needs of security and make appropriate adjustments, then it is time for a change. Basically you need a tightrope walker, a Flying Walenda, to balance all the competing interests in today’s IT environments. If the business is constantly going around IT (to become Shadow IT), then there is clearly a failure to communicate or a resourcing problem. Either way, IT and/or security isn’t getting it done and some changes are probably in order. – MR

Protection racket: I chuckled when completing the application for a corporate
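The “Pull my finger” item above describes the whole biometric ecosystem: the scan is compared against a stored representation with a yea/nay result, the relying service may run a risk assessment, and the biometric should be only a second factor. The Python below is an added example written for this post, not code from Securosis, Apple or any vendor. It models that flow end to end: a constructed 64-bit feature string stands in for a real fingerprint template (real sensors and matchers are far more involved), the match is a similarity threshold rather than an equality check, the second factor is an RFC 6238-style TOTP code, and a toy risk score gates the final decision. The user record, secret, device IDs and thresholds are all constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

TEMPLATE_BITS = 64
MATCH_THRESHOLD = 0.85   # fraction of agreeing bits; tuning it trades false accepts against false rejects
RISK_DENY_AT = 3         # risk score at or above which access is refused even when both factors pass


@dataclass
class EnrolledUser:
    user_id: str
    template: int                    # constructed 64-bit feature string standing in for a stored template
    totp_secret: bytes               # shared secret for the second factor (something you have)
    trusted_devices: set = field(default_factory=set)


def flip_bits(value: int, positions) -> int:
    """Constructed helper: perturb a template to simulate sensor noise or an imperfect scan."""
    for p in positions:
        value ^= 1 << p
    return value


def match_score(scan: int, template: int) -> float:
    """Similarity as 1 - normalised Hamming distance. A biometric match is a threshold, never equality."""
    differing = bin((scan ^ template) & ((1 << TEMPLATE_BITS) - 1)).count("1")
    return 1.0 - differing / TEMPLATE_BITS


def biometric_verify(scan: int, user: EnrolledUser) -> bool:
    """The matcher's yea/nay: does the fresh scan agree with the stored template closely enough?"""
    return match_score(scan, user.template) >= MATCH_THRESHOLD


def totp_code(secret: bytes, timestep: int) -> str:
    """RFC 6238 / RFC 4226 style code: HMAC-SHA1 over the time counter, dynamically truncated to 6 digits."""
    digest = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


def risk_score(user: EnrolledUser, device_id: str, hour_utc: int) -> int:
    """Toy risk assessment the relying service runs before it honours the matcher's yea/nay."""
    score = 0
    if device_id not in user.trusted_devices:
        score += 2                   # unknown device
    if hour_utc < 6 or hour_utc > 22:
        score += 1                   # unusual hour
    return score


def authorize(user: EnrolledUser, scan: int, submitted_code: str,
              device_id: str, hour_utc: int, timestep: int) -> dict:
    """Combine biometric match, second factor and risk into one access decision."""
    bio_ok = biometric_verify(scan, user)
    # Constant-time comparison so the code check does not leak via timing.
    code_ok = hmac.compare_digest(submitted_code, totp_code(user.totp_secret, timestep))
    risk = risk_score(user, device_id, hour_utc)
    return {
        "biometric": bio_ok,
        "second_factor": code_ok,
        "risk": risk,
        "granted": bio_ok and code_ok and risk < RISK_DENY_AT,
    }


# Constructed enrolment record for the example.
ALICE = EnrolledUser(
    user_id="alice",
    template=0x0123456789ABCDEF,
    totp_secret=b"constructed-demo-secret",
    trusted_devices={"phone-1"},
)

if __name__ == "__main__":
    step = 1000  # a fixed time counter so the run is reproducible
    noisy_scan = flip_bits(ALICE.template, [2, 9])          # a real finger, slightly noisy
    print(authorize(ALICE, noisy_scan, totp_code(ALICE.totp_secret, step), "phone-1", 14, step))
    # A perfect copy of the stored template still fails without the second factor.
    print(authorize(ALICE, ALICE.template, "000000", "phone-1", 14, step))
```

The three pieces the item lists are separate functions on purpose: the matcher's threshold decision, the second-factor check and the risk gate each have their own failure modes, and each is a distinct place the surrounding system must protect. Note that a bit-exact replica of the stored template scores 1.0 but is still refused without the TOTP code, which is the "second factor" point the item makes.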