Below you will find pages that utilize the taxonomy term “security”
Post
SSL Is Broken, Time to Fix It
For a long time, I have felt that SSL/TLS - the protocol that secures your communications with Web sites, mail servers and most everything across the Internet - is broken. It is broken to the point that it is fundamentally insecure, except for the most technically-aware and security-alert individuals, who also have the time to check the certificate for each and every Web site.
SSL is supposed to provide three guarantees:
Post
Why the Internet of Things Is So Vulnerable
It seems every day there is another article about how "vulnerable" the Internet of Things (IoT) is. Here are two choice excerpts from the last year:
"Hackers Remotely Kill a Jeep on the Highway," Wired, 21st July 2015
"Security Researcher Claims to have Hacked into Flight via Entertainment System," CNN, 19th May 2015
While these are major life-threatening issues - one cannot compare a malicious actor disabling your iPhone while you are on it with someone taking control of your car going 110 km/h down the highway, let alone a plane flying at 35,000 feet and 600 mph!
Post
Keep Corporate Away From Production
For a very long time, corporations treated their corporate networks as safe protected environments. The data and applications inside that network are:
confidential and must be kept safe from unauthorized access (protect from loss), and
crucial to business processes and must be kept accessible to employees (protect from denial of service).
Over time, however, two trends have challenged these assumptions.
First, more and more business-critical data has migrated to the Internet.
Post
TrueCrypt: True Security, True Licensing
TrueCrypt was a great open-source encryption program. It created files that, when opened by the program, looked to your computer like an additional drive. Any files placed in that drive would be encrypted and protected from prying eyes.
Why would you do it?
To keep files protected on your computer.
To send files securely from one person to another.
To protect files that you might store in the cloud, for example, on Dropbox.
Post
Experience Matters... Especially In a Startup
There is a belief in startup-land that you have to be younger than ___ to successfully innovate. To some extent, that is driven by the youth of the founders of a few highly successful companies like Facebook and Twitter, magnified by the adoring media coverage they get.
And yet, even when I was back in my 20s and 30s, there was a nagging presence in my head that said, "
Post
Hiding Fingerprints in Your Browser for Privacy
The browser is the single most ubiquitous piece of software on the planet. Nearly every computing device has at least one. Because of its ubiquity, and its use across multiple applications from open (Google "how much does a banana weigh") to private (browser-based email) to secure (office applications or banking), it is also a source of many risks.
This article will dig a little deeper into issues of browser security and privacy.
Post
Samsung's "Too Smart for Their Own Good" TVs
The Internet has been abuzz for the last week about a hitherto little-known clause in Samsung's "Smart TV" privacy policy. The news was most prominently covered in the Daily Beast, here.
The Daily Beast includes a link to the entire privacy policy, but the important element is:
Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.
Post
Deleting Email Is a Chimera
In response to the Sony hack, in which not only valuable intellectual property, such as movies, was stolen, but also (previously) confidential emails, a number of experts have recommended increasing the usage of email retention policies. They go something like this:
Email is confidential
People put things in corporate email that they do not want seen outside the company
Companies get hacked
Therefore, we should limit the damage by forcibly deleting all emails older than some time period, say, 30 days
The Wall Street Journal also had an article discussing the debate about email retention policies.
Post
Ask Why You Care About Security
Recently, I had a conversation with a senior executive at a company about the firm's information security. The conversation, like others I have had, revolved around a sudden increase in interest in that security.
To be clear, we are not talking privacy settings on Facebook (use them) or whether or not Snapchat pictures and messages really disappear (they don't). These people are seriously concerned about loss of data due either to security breach by bad actors targeting the company, or simple loss of data due to employee errors.
Post
Security Spending: Part II, the Good Tower
Today, we present the second guest post in the series by Ted Lloyd, editor of OnlineCISO.
Yesterday, we explored why security spending need not be a bottomless pit, and how yesterday's tools, such as antivirus, can be evaluated using familiar risk management methodologies.
Where then, should a business reinvest the funds previously allocated to antivirus solutions? Another analogy to the physical world can help to answer this question.
Malware and variants are similar to microbiology in our physical world.
Post
Security Spending: Part I, the Bottomless Pit
Today, we are honoured with the first of two guest posts in a series by Ted Lloyd, editor of OnlineCISO.
Cybercrime has emerged as a multi-billion dollar business and spawned another multi-billion dollar business to combat it. As 2014 closed, Gartner estimated that global spending on information security would top $71 billion, representing a nearly 8% increase in spending over 2013. The trend and trajectory are expected to remain steady for 2015 as well.
Post
ReCAPTCHA 2.0
In the first half of this year, I noted that ReCAPTCHA was a lot like the "TSA of the Web" - an annoyance that is sometimes necessary to keep bad actors out and good (or, in the case of ReCAPTCHA, "real") actors in. I also noted that Google, itself, had publicized that it had broken ReCAPTCHA, rather than wait for someone else to do so. In that respect, ReCAPTCHA was a lot more like the TSA - weak, broken, but good "