Categories ArchivesConsumer Security

Fixing the CAs, A New Approach standard

The last few years has been a bit rough for Certificate Authorities (CAs) as hackers have figured out how to obtain certificates in a manner that erodes trust in the system. Not only have they gone after the middle-men in the chain of certificates, but they have gone directly after major CAs effectively compromising the entire system. There have been a few alternatives proposed such as Notary and now the Certificate Authority Security Council (CASC) proposed a new model that leverages OCSP stapling, a technology designed to fix one major issue with the revocation process. Before OCSP and OCSP stapling, we had Certificate Revocation Lists (CRLs). This fail safe is designed to allow for an issued certificate to be revoked, ...

Continue Reading

IDC Releases Alarming Trends for the Digital Universe standard

Nobody disputes the growth of digital information over the last decade enabled by technology developments in storage further put to use in the hands of consumers. We all create content every day; and as the phones get bigger and better processors, cameras, and radios, we can expect this to continue. To put the growth of digital information into perspective, think about how painful it was to download a thirty second HD movie clip five years ago or an entire music album ten years ago. Now we do it on our phones or tablets without thinking about it (until that data-bill comes in!). IDC released a study today (in conjunction with EMC) projecting that the digital universe will be so large ...

Continue Reading

Preying on National Disasters: Today’s Get Rich Quick Scheme standard

Earlier this week we started to see warnings from news outlets, bloggers, and other media warning people about scams to collect money in the aftermath of Hurricane Sandy. Unsolicited calls asking for donations, websites that seem to appear official, and random numbers you can text to donate money automatically start to pop up and disappear quickly. So if you are in a giving mood, how do you find the good ones from the bad ones? The first thing to be wary of is someone calling your phone and asking for money. It can be a great reminder, but if you want to guarantee your money gets to people in need and not into someone’s pocket, go find your charity of ...

Continue Reading

If I Derive PII/PHI, Does It Make A Sound? standard

The Big Data problem and solution is fascinating. In some respects it is incredibly powerful and has tremendous applications for humanity at large, but other implementations are frighteningly big brother-esque. If you hadn’t heard, Target knows you are pregnant before your family does. They do it by watching your behavior on their website. So the new question that we face is what do we do if we derive or create accurate PII/PHI in the normal course of learning about our customers? I’m worried that companies will recklessly create data about their customers in new ways never before possible, exposing we citizens to many privacy breaches. I’m doing research in this area now, and am very interested to see where this ...

Continue Reading

The Apple Incident standard

This weekend had some interesting security implications for a significant portion of you out there. Mat Honan had his digital life pwned. Erased. Disrupted. Even if only for a few days, I am certain it was incredibly stressful. The kicker here is that it wasn’t some sophisticated hacking scheme that got it done, it was simple social engineering and some crafty computing. Go read about Mat’s story and imagine what it would be like if it happened to you (regardless of your device). Lifehacker also answered a question about this, so check it out if you want to take steps to protect yourself against attacks like this. What I want to talk about today is how that incident forced Apple ...

Continue Reading

Payments and NFC Still Under Fire standard

After spending a few days around Security Week (BlackHat, Defcon, BSidesLV) last week, I was constantly amazed at the excitement and innovation around security. Unfortunately, most of this focused on the attack side, but nevertheless, it will drive security thinking forward (which is what we want!). Several researchers focused on Near Field Communication (NFC) implementations as this technology is quickly becoming embedded in many mobile devices. While you may not be an NFC expert, you certainly have used NFC before. Think about any time you have used your credit card in a contactless way, paid for transport in London with an Oyster card, or even started your new automobile, you are using a form of NFC. Businesses want NFC because ...

Continue Reading

Can You Trust Email Anymore? standard

I’ve been running my own email server for almost as long as I’ve had an email address. And when you roll your own, you have to figure out your own answer to the onslaught of SPAM that hits you every single day. A quick poll says that my SPAM server (Postini) blocked over 200 emails addressed to me today, and over the last sixty minutes there have been more SPAM than legitimate emails for all of my users. This isn’t surprising. We’ve all been victim to the, “Didn’t you get my email?” question countered by, “Just found it in my SPAM folder.” Postini is fantastic. It’s interface isn’t great (Google has done NOTHING with it), support is spotty, and frankly ...

Continue Reading

Fun with Password Managers standard

I actually started following my own advice a couple of years ago and started creating random passwords for each site that I use that requires a login. Yep, no more “Password123!” for me, it’s all random. But that poses another problem. How do I store these things in a way that is secure and readily available since I don’t have an eidedic memory? Enter Apple’s Keychain! Hooray! I’m now able to store these things relatively securely and make them quickly available for me if I need to log in somewhere. In some cases, I memorize the passwords if I have to use them frequently, but in most cases, I just grab it from Keychain. Every time someone asks me to ...

Continue Reading

Mystery Shopper Scams Getting Aggressive standard

Mystery shopper scams are nothing new, but I now have the experience of being personally targeted by one. From my research, most of these scams are carried out in a “pull method,” whereby ads are placed in classified sections asking for applicants for a part time job. I was targeted by someone using the “push method,” whereby a live (fraudulent) check was mailed to me in a haphazardly stuffed envelope with an official looking letter and survey form. Redacted versions of those documents are linked above. One of the first lessons I learned in high school economics was TINSTAAFL. And while I’m pretty far removed from high school at this point, that one came roaring back when I was mailed ...

Continue Reading

Facebook isn’t Professional Networking standard

I was checking into the happenings on Facebook last night and had a very strange request come up. Someone that I know and respect sent me a request through a product called BranchOut. While their about page does more to confuse than to clarify, what I understand it to be is a way to create a professional network of contacts with Facebook—or in easier terms, think about LinkedIn-type functionality sitting on top of your Facebook network of contacts. Frankly, this is a terrible idea. For those of us that use social media in our jobs, we tend to have things we keep professional (LinkedIn or Facebook Page), things we have that are personal (Facebook personal profile), and things we make ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!