Categories ArchivesConsumer Security

Implementation is Everything standard

Last week gave way to a flurry of activity around RSA and an alleged cryptographic flaw in the algorithm based on this report by Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, THorsten Kleinjung, and Christophe Wachter. RSA’s Sam Curry writes a post here, as well as posts by Dan Kaminski, Nadia Heninger, and this New York Times article. As I was reading through this whole mess and understanding the technical issues at hand, I started thinking that the description of the problem, ultimately a lack of entropy in a particular implementation, is something that the security industry has dealt with before. You don’t have to look very far to see implementation problems that cause both minor ...

Continue Reading

Cracking iOS Privacy standard

I had an article pop up on my radar yesterday on iOS Privacy, specifically where a researcher found that a particular app (Path) was uploading data without explicit permission. iOS, in some respects, feels like it has been given a pass with the type of traffic it passes (and how it does so) because a significant number of iOS users are in fact iPhone users, where traffic often moves over cellular networks. Those networks are coming under increasing scrutiny as the equipment required to disrupt or spoof cellular communications is quite affordable whereas in years past that was a massive barrier to entry. With Facebook getting in all kinds of hot water over privacy concerns, how did iOS get a ...

Continue Reading

Hardware Security, the New Frontier? standard

RSA Conference is right around the corner, and I’m excited to actually be able to see some talks this year. I’m on a panel with Dave Navetta and Serge Jorgensen on Tuesday covering the Dark Side of a Payment Card Breach (LAW-107, Room 131, 2:40pm). I am sure if you are there, we will bump into each other somewhere along the way! One of the topics that I want to explore with other security folks while I am there is a shift to hardware-focused exploits whereby you bypass software and focus on firmware to control machines. It’s not a new concept and has been seen in both theoretical and actual attacks on systems. But as software vulnerabilities are closed, the ...

Continue Reading

DNS Query Logging—Looking for Fires standard

Yesterday morning I was catching up on some RSS feeds1 and came across this interesting post from Trevor at ThreatSim entitled Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now. After reading it, I had one of those “Ah-ha” moments where I looked at one of the recommendations and asked myself, “Why am I not doing that?” For those of you who know me (or have ever had to get on my home WiFi), you know that I have made my home network entirely too complex for what I need it to be. Three different DMZs is a little insane, don’t you think? But I did it for a reason—so that I can talk ...

Continue Reading

Don’t Forget, it’s Christmas for Scammers Too! standard

We’re well into the holiday season in the States, and that means that scammers are everywhere. With all of the holidays coming to a head this month, it’s Christmas for those scammers too. Here are several sites that can help you navigate scam from deal! As always, remember to be vigilant. Caveat emptor! If a deal looks too good to be true, it often is. That’s not to say there are not good deals to be had. If you are shopping for last minute holiday deals, be sure to deal with reputable establishments. If you smell something fishy going down with a deal, don’t be afraid to terminate the transaction and find somewhere else to buy. Be especially vigilant if ...

Continue Reading

Collateral Damage is One Click Away standard

Social engineering is now recognized as one of the top threats to enterprise security. I think we all have had side conversations with security leaders inside companies validating this concept for years, but not until recently have we seen it pass other threats in such a public forum. Those same security leaders have struggled with mitigating the threat because they instinctively jump to a Draconian view of information security policy enforcement as the only solution. It certainly would be effective in some ways, but morale would plummet and the creative technophiles would find ways to free themselves from such Athenian legislation. The irony is that many of these controls are not only designed to protect our information assets, but also ...

Continue Reading

Man Up MDs! standard

Doctors have been the butt of jokes for years. But this post is no joke. Over the last five years I’ve been exposed to the back-of-house operations in healthcare in ways that helps put the front-of-house issues I observed into perspective. But one thing has always driven me batty, and I’ve never been able to figure out why. I’ve met some extremely talented doctors in my time that absolutely shocked me with their sheer intellect and problem solving abilities. But when it comes to protecting the information of the patients they serve, they just cannot be bothered. Even when they attempt to be bothered, many of them miss the point. MDs must understand that malpractice lawsuits aren’t the only thing ...

Continue Reading

Exploiting Human Trust and Complacency standard

I was speaking with an industry insider a few weeks ago and he started asking questions about supply-chain security. We kicked off a rather awkward discussion whereby I dipped into my SCM educational background and he tried to convey his actual meaning which was much closer to informational supply chains, or better yet, the flow of trusted information. This lead to a great hour of discussion about an attack vector that I call, Exploiting Human Trust and Complacency. I’ve blogged about social engineering and the new perimeter (Sally in Accounting) in the past, and this expands upon that very notion. How do attackers take advantage of this attack surface, and how are they so successful? Before we delve into that, ...

Continue Reading

Chip and PIN on the Way standard

Here comes EMV Cotton tail, hoppin’ down the PCI trail, Hippety hoppety, EMV’s on its way! While crammed in the back of a cab last night I flipped through some stuff on Twitter and found this post by Adrian Lane on Securosis describing Visa’s chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants. If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points. Chip and PIN doesn’t work if the card in your wallet doesn’t use ...

Continue Reading

The End of Subscriber Privacy standard

I’m not sure if anyone actually believes in internet privacy anymore, but what little we may have had may now be completely eroded thanks to a new bill in the US House of Representatives, Protecting Children From Internet Pornographers Act of 2011 (H.R.1981). If the bill in its current state becomes law, internet service providers must maintain the following subscriber data for a period of 18 months: Names Address(es) Temporarily-assigned IP addresses While this measure does not aim to maintain detailed activity logs of subscribers, it is designed to be a point of reference for companies to trace actions to individuals. For example, if a temporary IP address of a home internet subscriber is found to be used in an ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!