Monthly Archives: December 2009

The Best of 2009

2009 was an interesting year for all of us in information security.  We lived through one of the largest breaches in our short history on this spinning blue ball eclipsed only by the inauguration of a unique president-elect.  Anton Chuvakin & I published a book.  I moved my blog here amidst a divestiture of my business at VeriSign.  Apple released a new version of their operating system and a new iPhone.  MasterCard went all crazy on us. I wanted to take the opportunity to thank all of you for an amazing 2009, and I’m looking forward to fantastic things in 2010! Here are the five most popular posts in 2009: Upgrading to Snow Leopard. Ironically enough, the most popular post ...

Wireless On a Plane?

Go-go-gadget WI-FI ON A PLANE! I imagine that the next two weeks will see a significant amount of Wi-Fi trials or sales as parents and children alike take to the skies to visit loved ones over the holidays.  While I am sure it has happened already, you don’t find too many documented cases of wireless attacks happening on airplanes.  There are a couple of ways that attacks can happen. The first attack does not even require an internet connection, just a lazy passenger that does not follow their airline’s electronic device policy.  I’ve seen tons of weary road warriors working on their laptops without removing their 3G data card or with that little Wi-Fi light blinking furiously.  While going after ...

MasterCard’s Got Its Flippy-Floppies

The PCI DSS world was shocked yet again this week when MasterCard backed off its position from earlier this year, requiring Level 2 merchants to obtain validation from a QSA, and is publicly aligning its levels directly with Visa—including setting reciprocity with their levels.  The reason I put “publicly” in there is because the merchant operating regulations are NOT public for MasterCard like they are with Visa, but I understand that level reciprocity remains in those regulations even though it was removed from the public-facing information. This is why merchants and service providers alike don’t take deadlines seriously.  Visa has (in the US anyway) at least tried (and mostly succeeded) to stick by their deadlines, though I’m not sure ...

Hackers Love Social Media

USA Today published a great article on Monday about search engines now beginning to index various types of social media.  Bad guys now have even more ways to correlate information and with less of our lives being private (albeit by choice), it makes those stupid security things we do even more relevant. Last month’s Herding Cats tackled Privacy, and specifically the expectation of privacy for future generations.  Social media addicts have the ability to tell the world exactly where they are, what they are doing, and show them visual or auditory evidence by posting geo-tagged videos or audio.   Now add in a near real-time index of this stuff, and you can see how much more powerful (and scary) social ...

The Book, It’s OUT baby!

That’s right!  If you pre-ordered our (Anton Chuvakin’s and my) book, you should be receiving it today!  It’s chock-full of all kinds of fun stuff.  For example, did you know that I worked in the word “brewdog?” In fact, let’s make a contest out of this.  The first five people to email me the page number in the book where that word appears will be entered to win a $30 Amazon.com gift card! Anton has a video in his blog where he talks about the book, and I have something special coming up soon.  I’ve got it half done, but have not recorded the actual video of me talking yet.  Look for that early next week or late on ...

Cracking as a Service (CaaS)?

This is not a new concept, and has even been discussed here before.  PC World is reporting that a new service is available for all of us.  Have a WPA PSK you want to crack?  It will cost you $34 and about 20 minutes. WPA Cracker is a new service launched by the same researcher who has spent time attacking SSL/TLS over the last few years.  While the price may be a little high, it certainly represents an interesting shift in activities typically reserved for botnets or universities with large computing resources.  Where else could we take this? Rainbow tables for most hash types are readily available through BitTorrent, or can be generated with simple scripts and a chunk ...

SIEM and VoIP

What in the world are those two topics doing in the same post?  Well, I’ve got a small roll-up for you.  Here are two blog posts you should read.  Both are short and relevant, exactly what most of us like! The first is a post from my co-author Anton Chuvakin entitled Log Management + SIEM = ?, a post that lays out four scenarios where SIEM and LM can be combined as part of the technology deployment of a security strategy.  This field is something that I’m enjoying watching grow, and in fact my new employer plays in the space.  Log management and SIEM are both critical functions to any security environment.  While mature installations may not be able to ...

“PCI Compliance” Book 30% Discount Code

It’s coming!  Don’t miss getting your copy on December 15th! During the entire “launch month”—December 2009—you can get our book at a 30% discount using the code “SYNGRESS30”. Here is some more info: Book website (check out a couple of free PCI DSS sample policies there!); Official page of “PCI Compliance” at Amazon; Book page at Syngress website (has the full book Table of Contents); for the above discount code, you have to buy it from there. My co-author, Anton Chuvakin, and his blog. Anton & I worked VERY hard on this book, and under a very tight deadline.  Of course, the final week of writing occurred during BlackHat, and I distinctly remember late night writing sessions at home while Anton ...

Herding Cats December: Disclose Me

Everyone is entitled to SOME right to privacy, right? Boy, thank goodness that isn’t the case, otherwise YouTube would be dead. In this month’s edition of Herding Cats, I explore the history of the right to privacy as well as the challenges with Social Media and the next generation of netizens. So go check out this month’s edition of Herding Cats here! Update 9:00pm: Fixed the link.  Sorry about that!  Thank you, Nick!

November 2009 Roundup

Taking a hint from Anton Chuvakin’s blog, I thought I’d start posting the five most popular posts from the previous month. If you have not had a chance to read everything here, give these five a try! Here are the five most popular posts from last month: To New Beginnings. It was an epic run.  Six years with the same company, seeing it through two acquisitions/divestitures, and working with some of the best in the industry to build a world class consulting organization makes you nostalgic.  It was time to move on, and lots of folks were interested! Will PCI Mandate the Use of Data Discovery Tools? Some views on the ups and downs that DLP and data discovery tools ...
