Schneier on Security

Hacking attacks are more or less inevitable, so organisations need to move on from the protection and detection of attacks towards managing their response to breaches so as to minimise harm, according to security guru Bruce Schneier.

Prevention and detection are necessary, but not sufficient, he said. Improving response means that organisations stay on their feet even after they are hit by a serious security breach or hacking attack.

“A sufficiently motivated, funded and skilled hacker will always get in,” Schneier told delegates during a keynote at the IP Expo conference in London. The security guru added that criminals and hackers are now using the sort of tools and techniques that were once the sole purview of intel agencies…

RSA 2014 If you thought NSA snooping was bad, you ain’t seen nothing yet: online criminals have also been watching and should soon be able to copy the agency’s invasive surveillance tactics, according to security guru Bruce Schneier.

“The NSA techniques give about a three to five year lead on what cyber-criminals will do,” he told an audience at the RSA 2014 conference in San Francisco.

“These techniques for exfiltrating data aren’t magical, they are just expensive. Everything we know about technology is that it gets cheaper. So the notion of putting up a fake cell tower or wireless access point, of jumping air gaps, you’re going to see this stuff—it’s really just a matter of time.”…

Cryptography guru Bruce Schneier called for more creative thinking and a broader perspective as a means to tackle security problems.

For example, the music industry, faced with an explosion in online file-sharing, hired security pros to develop anti-piracy measures, such as digital rights management technology. But these inconvenienced punters while doing little or nothing to stem copyright infringement. A better approach was making songs affordable and easy to buy, a model that has since lined Apple’s deep pockets.

“This [the latter approach] is not something a security person would think up,” Schneier said at the RSA Europe conference. “Security professionals would be too focused on building a better door lock.”…

RSA 2012 Usually the bête noire of the annual RSA conference is the criminal hacking community, but security guru Bruce Schneier asserts that government, business, and the military may well pose a bigger threat to security professionals.

“The current risks to internet freedom, openness, and innovation don’t come from the bad guys—they are political and technical. I suppose I should call this talk ‘Layer eight and nine threats’,” he told his audience on Tuesday at RSA 2012.

Attempts at ill-conceived legislation are a major concern, he said. Outsiders trying to legislate something they have no understanding of (a “…

Last month we reported the triumph of two Belgian academics in the US encryption standard contest. But how was the contest organised? If you’re not interested, stop reading now.

In the early seventies the US government put out a call for an encryption algorithm. It had no response. A year later in 1973 they tried again and got one response, from IBM. Then followed a bit of politicking, but by 1975 DES was born.

DES was initially a FIPS (Federal Information Procurement Standard), but was quickly adopted around the world as the de facto standard for encryption…