Please Jump Off the APT Bandwagon

One of the comments I heard repeatedly at the RSA Conference was that many vendors on the expo floor were jumping on the Advanced Persistent Threat (APT) bandwagon, handwaving wildly and claiming disingenuously that their product — or “solution” to be even more self-aggrandizing — would protect against APTs. That, combined with the RSA SecurID breach last week and a recent article by Bill Brenner at CSO Magazine, made me want to weigh in on this topic.

On one hand, it’s obvious why vendors do it: IT security people are …

Identifying the Mobile Security Stack

Increasing smartphone adoption rates coupled with the rapid growth in smartphone application counts have created a scenario where private and sensitive information is being pushed to the new device perimeter at an alarming rate. The smartphone mobile device is quickly becoming ubiquitous. It is not inconceivable to predict, in the near future, a world where smartphone and mobile device Internet usage becomes the de facto standard for average business and personal consumer use, surpassing desktop and laptop computing solutions. While there is much overlap with common operating system models, the mobile device security model has some distinct points of differentiation.

Many …

A Financial Model for Application Security Debt

Last week I described the concept of application security debt and application interest rates. I promised that I would follow up with a financial model that could translate these concepts into real money.

Recap
Here’s a quick recap of the initial concept. Security debt is similar to technical debt. Both debts are design and implementation constructions that have negative aspects that aggregate over time, and the code must be reworked to get out of debt. Security debt is based on the latent vulnerabilities within an application. Application interest rates are the real-world factors outside of the control …

Twitter Hacks Infographic

When good Twitter accounts go bad. Whether it’s malicious intent or simple human error, Twitter users are increasingly at risk when it comes to protecting their privacy and reputation online. This infographic details several of the most recent and now infamous Twitter hacks, and examines common entry points for hackers, including weak passwords and malicious email attachments.

Veracode Twitter Infographic

2011 Becomes the Year of Mobile Malware

Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened. 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place:

Little to no vetting of apps for malicious behavior before being made available from app stores
Android kernel code with known privilege escalation vulnerabilities and no way for many mobile users to patch their devices
Attacker motivation in the form of big numbers of vulnerable devices and several proven ways to monetize their attacks: premium SMS/dialing, in app purchases, …
