Should users be forced to change passwords?

The 6 million passwords stolen from LinkedIn have once again put password security in the news. Among the recommended practices, forcing users to change their passwords every 60 or 90 days tops the list. This measure crystallizes users’ anger because it imposes a strong and unavoidable restriction. But is it the only effective measure? The subject is a hot topic for debate within the information security community, and the answer isn’t so clear-cut, even for Bruce Schneier.

Beyond just simple web security

This week, a piece of security news was in the spotlight: the publication of a report commissioned by the French governmental organization Hadopi. What security and information systems managers expect from their firewalls was clear: to block the threats mentioned in this report. But let’s take a look at what more can be done.

Megaupload Shutdown: Is the world now a safer place?

Now the dust has settled, what will happen next?
Last weekend, there was a lot of media noise about the shutdown of Megaupload. Even the US and French presidents have chipped in, although they perhaps weren’t expecting such strong reactions from Anonymous and their operation #OPMegaUpload.
While it’s not for NETASQ to take sides in the debate over digital rights, we nevertheless have a role to play, since we design, manufacture and sell solutions which our customers expect to help them stay on the right side of the law. We therefore have to provide the tools to block unwanted sites, including those potentially hosting illegal downloads.

How to configure a firewall - 5 easy-to-avoid errors

IPv6 security: shall we wait or not?

Could “wait and see” be the best IPv6 strategy?

2011 was supposed to be THE year for IPv6. The depletion of version 4 addresses from the top level provider (IANA) and the announcement of “IPv6 world day” on June 8th set the tone. The message was that we need IPv6 and we need it now! While tech-Nostradamuses have never been in short supply in the IT sector, this particular message gained traction in the media. Put simply, it was a nice story: the exponential growth of the Internet has continued to the point where we now need more IP addresses than there are people on earth.

The door is closed, but what about the windows?

2am, Sunday morning. Bob receives a text message: “New vulnerability discovered on the system. Level: critical”. He has to go. The CSO (Chief Security Officer) of MyCompany has committed his team to a 4-hour SLA for new critical vulnerabilities. A few hours later, the system has been upgraded and Bob is back home enjoying the satisfaction of a job well done.

Is BYOD a legitimate strategy or a network security nightmare?

Why a "Bring Your Own Device" approach to mobile access security may not be such a bad idea.

When you ask Chief Security Officers for their nightmare scenario, they invariably mention either a network outage or an intrusion. For years, the enemies were known and relatively limited in number, but today we live in one open network, threats are more diverse, and the old “Maginot line” strategy is outdated. Times have changed, haven’t they? Well, if you put yourself in the shoes of an enterprise network security professional, limiting access to internal resources might still be your holy grail. Unfortunately, though, you now have more than just the one perimeter to deal with; you are now in charge of dozens, hundreds, maybe thousands of small and mobile networks: your users.
