Categories ArchivesEnterprise Security

The Internet is falling down (falling down, falling down)! standard

Last month, we saw Kaminsky release details around a particularly nasty flaw in the DNS infrastructure. The tubes exploded with traffic on this flaw and security pundits beat their chests, telling the masses that they have been reporting this for years. Well, it’s a new month, and we have a new flaw. Slashdot has posted a story about a BGP flaw that has been around for years that could easily bring down major portions of the internet. Wired has an article here, and the PDF of the presentation by Kapela and Pilosov is here. I was a system and network administrator in a previous life (and to date have only had one system of mine EVER hacked… that pesky IMAP ...

Continue Reading

Timing is everything standard

So you all know (well the three of you that read this… Hi Mom!) that I am headed to Australia this week. I was doing my traditional pre-flight checklists to make sure that I had everything I needed before I started packing. Power converter? Check. Power supplies for devices? Check. Remove things that just add weight that you won’t need? Check. Log into my credit card account to make sure we’re good? DOH! My card has been compromised AGAIN! The DAY BEFORE I am headed to Oz. The new one is on its way (overnight now) but good gracious, talk about skidding across the finish line. Upside down. On fire. In eighteenth place. This is the only piece that annoys ...

Continue Reading

Low Tech Security System Hacking standard

When I was flipping through some RSS feeds and saw this fantastic post from Gizmodo, I HAD to bring it here for discussion. Now keep in mind, this is a photographer’s artistic work, but it sure does open the door to other low tech ways to subvert security systems. One of my personal favorites is the McGuyver style (sans chewing gum and dental floss) method of defeating magnetic lock doors with a balloon, tape, and a straw. Convenience says that we should not badge in AND out. Just on the way in is fine. On the way out, we’ll put sensors there so that the door will magically unlock for you. It’s the high tech version of the black treadmill ...

Continue Reading

DNS, Schmee-enn-ess standard

OK, yeah, that was a reach. As long as it makes me giggle, things will be just fine. I assume most of you are away from your RSS readers this week because you are furiously patching your DNS servers. The attack is actually quite genius, and continues to demonstrate the inordinate amount of trust we place in servers and data that should not be trusted. The details of how the attack works can be read in the above linked article if you are interested. You probably don’t have the time right now because you are rushing to patch though. Bruce Schneier takes this opportunity to lash out at the patching process. While some security pundits don’t take Bruce seriously, he’s ...

Continue Reading

Breach got you down? standard

Well, it has happened again. I received a rather menacing looking note in the mail today. You know, one of those heavy stock sealed letters that has the perforated edges? Yeah. That kind. Inside it looks like my information is on a lost tape from a bank. The funny thing is, I don’t remember banking with this institution… ever. I have a feeling that one of the brokerage firms I use (or used) was backed by this institution, but nevertheless, I thought of an interesting type of phishing attack that I bet would work. When I looked through this notice, it did appear to have a corresponding breach on PrivacyRights.org. I have already placed my fraud alerts, so I should ...

Continue Reading

PIN Security finally catching up? standard

Wired reports that a Citibank hack may be responsible for a recent ATM crime spree. Edit: Looks like some arrests have been made! I’ve discussed issues around hacking ATMs and challenges with skimming in the past, but this one appeared to be pretty lucrative. While bank networks are not impenetrable, attacking endpoints is becoming much easier and more lucrative. Anyone remember the old days when you had to make sure the ATM you were going to use was real? Speaking of that… Ladies, you should beware of this. Something of interest to me… As a consumer, do you check your bank statement with all of your receipts? Would you know if money started disappearing from your account in $10-$30 increments? ...

Continue Reading

June Edition of Herding Cats standard

The ISSA has posted the electronic version of the journal, so if you are itching to read what is coming to you via the post, go check it out! My column this month is titled “Don’t Get Cyberjacked!” It may be the first time that the phrase “This ain’t your daddy’s security incident” and the word “stripper” appear on the same page (or ever) in that fantastic publication. Go check it out! Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service Preventing Account Takeover, Enable MFA! Proofpoint Patches URL Sandbox Bypass Bug

Continue Reading

Am I too trusting? standard

Monday was presentation day at CSI-SX. I had a decent crowd, for the breakout session! One day, I’ll do a talk that is not the last session of the day 🙂 While I was in between sessions sitting in the speakers lounge, one of the other speakers (I did not catch his name) dropped his computer bag and jacket on the chair across from me. I looked up, nodded, and went back to my work. He proceeded to pull out one of those laptop locking devices that you see at public terminals. You know, the ones you can beat with a toilet paper tube. He then secured the whole apparatus (bag included) to the chair! A conference chair. The ones ...

Continue Reading

Dave Taylor gets it right! standard

Please don’t take the title to mean that Dave doesn’t get it right often, I just wanted to laud this recent column at StoreFront BackTalk. The quote specifically that drives the nail home is: If you’re thinking that the Hannaford security breach is a very isolated “blip” and that PCI compliance is the same as securing the enterprise against security breaches, you’d better think again. Why? It’s not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward. Could not have said it better myself, Dave. The two points he brings out are, 1) Compliance is not the same as security, and 2) you have to MAINTAIN what is assessed. I had a ...

Continue Reading

Are you going to CSI-SX? standard

If so, LOOK ME UP! I’m speaking on Monday afternoon at 4pm at the conference. Hope to see you there! As always, I’ll be sending tweets! Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service Preventing Account Takeover, Enable MFA! Proofpoint Patches URL Sandbox Bypass Bug

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!