Category Archives: Consumer Security

Fun with Password Managers

I actually started following my own advice a couple of years ago and started creating random passwords for each site that I use that requires a login. Yep, no more “Password123!” for me, it’s all random. But that poses another problem. How do I store these things in a way that is secure and readily available since I don’t have an eidetic memory? Enter Apple’s Keychain! Hooray! I’m now able to store these things relatively securely and make them quickly available for me if I need to log in somewhere. In some cases, I memorize the passwords if I have to use them frequently, but in most cases, I just grab it from Keychain. Every time someone asks me to ...


Mystery Shopper Scams Getting Aggressive

Mystery shopper scams are nothing new, but I now have the experience of being personally targeted by one. From my research, most of these scams are carried out in a “pull method,” whereby ads are placed in classified sections asking for applicants for a part time job. I was targeted by someone using the “push method,” whereby a live (fraudulent) check was mailed to me in a haphazardly stuffed envelope with an official looking letter and survey form. Redacted versions of those documents are linked above. One of the first lessons I learned in high school economics was TINSTAAFL. And while I’m pretty far removed from high school at this point, that one came roaring back when I was mailed ...


Facebook isn’t Professional Networking

I was checking into the happenings on Facebook last night and had a very strange request come up. Someone that I know and respect sent me a request through a product called BranchOut. While their about page does more to confuse than to clarify, what I understand it to be is a way to create a professional network of contacts with Facebook—or in easier terms, think about LinkedIn-type functionality sitting on top of your Facebook network of contacts. Frankly, this is a terrible idea. For those of us that use social media in our jobs, we tend to have things we keep professional (LinkedIn or Facebook Page), things we have that are personal (Facebook personal profile), and things we make ...


Implementation is Everything

Last week gave way to a flurry of activity around RSA and an alleged cryptographic flaw in the algorithm based on this report by Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung, and Christophe Wachter. RSA’s Sam Curry writes a post here, as well as posts by Dan Kaminsky, Nadia Heninger, and this New York Times article. As I was reading through this whole mess and understanding the technical issues at hand, I started thinking that the description of the problem, ultimately a lack of entropy in a particular implementation, is something that the security industry has dealt with before. You don’t have to look very far to see implementation problems that cause both minor ...


Cracking iOS Privacy

I had an article pop up on my radar yesterday on iOS Privacy, specifically where a researcher found that a particular app (Path) was uploading data without explicit permission. iOS, in some respects, feels like it has been given a pass with the type of traffic it passes (and how it does so) because a significant number of iOS users are in fact iPhone users, where traffic often moves over cellular networks. Those networks are coming under increasing scrutiny as the equipment required to disrupt or spoof cellular communications is quite affordable whereas in years past that was a massive barrier to entry. With Facebook getting in all kinds of hot water over privacy concerns, how did iOS get a ...


Hardware Security, the New Frontier?

RSA Conference is right around the corner, and I’m excited to actually be able to see some talks this year. I’m on a panel with Dave Navetta and Serge Jorgensen on Tuesday covering the Dark Side of a Payment Card Breach (LAW-107, Room 131, 2:40pm). I am sure if you are there, we will bump into each other somewhere along the way! One of the topics that I want to explore with other security folks while I am there is a shift to hardware-focused exploits whereby you bypass software and focus on firmware to control machines. It’s not a new concept and has been seen in both theoretical and actual attacks on systems. But as software vulnerabilities are closed, the ...


DNS Query Logging—Looking for Fires

Yesterday morning I was catching up on some RSS feeds1 and came across this interesting post from Trevor at ThreatSim entitled Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now. After reading it, I had one of those “Ah-ha” moments where I looked at one of the recommendations and asked myself, “Why am I not doing that?” For those of you who know me (or have ever had to get on my home WiFi), you know that I have made my home network entirely too complex for what I need it to be. Three different DMZs is a little insane, don’t you think? But I did it for a reason—so that I can talk ...


Don’t Forget, it’s Christmas for Scammers Too!

We’re well into the holiday season in the States, and that means that scammers are everywhere. With all of the holidays coming to a head this month, it’s Christmas for those scammers too. Here are several sites that can help you navigate scam from deal! As always, remember to be vigilant. Caveat emptor! If a deal looks too good to be true, it often is. That’s not to say there are not good deals to be had. If you are shopping for last minute holiday deals, be sure to deal with reputable establishments. If you smell something fishy going down with a deal, don’t be afraid to terminate the transaction and find somewhere else to buy. Be especially vigilant if ...


Collateral Damage is One Click Away

Social engineering is now recognized as one of the top threats to enterprise security. I think we all have had side conversations with security leaders inside companies validating this concept for years, but not until recently have we seen it pass other threats in such a public forum. Those same security leaders have struggled with mitigating the threat because they instinctively jump to a Draconian view of information security policy enforcement as the only solution. It certainly would be effective in some ways, but morale would plummet and the creative technophiles would find ways to free themselves from such Athenian legislation. The irony is that many of these controls are not only designed to protect our information assets, but also ...


Man Up MDs!

Doctors have been the butt of jokes for years. But this post is no joke. Over the last five years I’ve been exposed to the back-of-house operations in healthcare in ways that helps put the front-of-house issues I observed into perspective. But one thing has always driven me batty, and I’ve never been able to figure out why. I’ve met some extremely talented doctors in my time that absolutely shocked me with their sheer intellect and problem solving abilities. But when it comes to protecting the information of the patients they serve, they just cannot be bothered. Even when they attempt to be bothered, many of them miss the point. MDs must understand that malpractice lawsuits aren’t the only thing ...

