Category Archives: Security Tools

Introducing Where To Now

When I want to learn a new programming language, my typical method of doing this is to either take an existing small project and port it over to the new language, or come up with a small, yet practical problem to solve. I’m kinda like Johnny Five, in that I need input! I’ve been playing with Go for a little bit, but nothing very serious. I’ve also been playing around with Docker and Kubernetes, so I decided to kill two birds with one stone by building an application in Go as well as learning how to package it up in a Docker container. Introducing Where To Now. It’s designed to vary the webpage that might show up when a user ...

Improve Outbound Email with SPF, DKIM, and DMARC

“Oh sorry, I missed your email. It got dropped into my SPAM folder for some reason.” Isn’t that frustrating? All you did was send over a proposal and it got dropped into the SPAM folder. Perhaps it was word choice, perhaps you ended up on a list somewhere, or perhaps you are not doing your part to elevate the confidence of your emails leveraging the tripod of email security frameworks known as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). I started experimenting with these years ago noting that there are several vendors who will happily do this for you—and by the way, their products are pretty awesome. Given that I’m running ...

The UCF Common Controls Hub, You Need This Thang!

Full disclosure, I was contacted by UCF’s marketing folks and given a demo of the Common Controls Hub, but I did not receive any compensation for this post. These are my thoughts. You get the call from the boss you have been dreading for weeks. “Jimmy, it’s time to add FISMA to our control set, and we need to be compliant in three weeks. GO!” Great, another compliance initiative to work into the alphabet soup of controls-pain that haunts security professionals. More standards means more work to make sure that the standard control set you use in your organization will cover any new requirements you face. Compliance and Security frameworks often overlap, and usually just have a small number of ...

Fun with Password Managers

I actually started following my own advice a couple of years ago and started creating random passwords for each site that I use that requires a login. Yep, no more “Password123!” for me, it’s all random. But that poses another problem. How do I store these things in a way that is secure and readily available since I don’t have an eidetic memory? Enter Apple’s Keychain! Hooray! I’m now able to store these things relatively securely and make them quickly available for me if I need to log in somewhere. In some cases, I memorize the passwords if I have to use them frequently, but in most cases, I just grab it from Keychain. Every time someone asks me to ...

Guest Post: Functionality and Benefits of WAF

The following guest post was provided by Ben Henderson, CISSP from Ensure Networks. Email him here. You can download the full paper here. The foremost functionality of a WAF is to secure web applications against application layer vulnerabilities. WAFs can be hardware devices or software that is deployed to monitor and protect web traffic. WAFs have the ability to enforce default and custom configured policies for browser to server transactions. They are similar to network firewalls in that WAF policies generally apply to IP addresses and ports. However, WAFs inspect HTTP traffic to normalize the data in the headers and URL parameters. They employ a variety of functions and work in parallel with IPS technology to enhance the ...
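The guest post above notes that a WAF normalizes the data in headers and URL parameters before it applies policy. The following is an added example, written for this page and not taken from the post or from Ensure Networks' paper, of why that step matters: a toy rule set is run over a handful of constructed request targets, once against the raw text and once after bounded percent-decoding. The rules, the sample requests and the "multi-encoding" flag are all illustrative choices here, not a description of any particular product.

```python
import re
from urllib.parse import unquote

# Constructed sample request targets (not taken from the original post).
SAMPLE_REQUESTS = [
    "/search?q=hello",
    "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",         # percent-encoded <script>
    "/files?name=%252e%252e%2F%252e%252e%2Fetc%2Fpasswd",  # double-encoded ../../
    "/login?user=admin%27%20OR%20%271%27%3D%271",           # encoded ' OR '1'='1
]

# A deliberately tiny, illustrative rule set; real WAF rule sets are far larger.
RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("sqli-tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE)),
]


def normalize(raw: str, max_rounds: int = 3) -> tuple:
    """Percent-decode until the text stops changing, at most max_rounds times.

    Returns (decoded_text, rounds_that_changed_it). The bound keeps an attacker
    from making the inspection loop spin on deeply nested encodings.
    """
    current, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def inspect_naive(raw: str) -> list:
    """Match rules against the raw request text: encoded payloads slip through."""
    return [name for name, pattern in RULES if pattern.search(raw)]


def inspect(raw: str) -> list:
    """Normalize first, then match; also flag multi-layer encoding on its own."""
    normalized, rounds = normalize(raw)
    hits = [name for name, pattern in RULES if pattern.search(normalized)]
    if rounds > 1:
        hits.append("multi-encoding")  # legitimate clients rarely double-encode
    return hits


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request)
        print("  raw match:       ", inspect_naive(request))
        print("  normalized match:", inspect(request))
```

Run as-is, the raw matcher reports nothing for the three hostile requests, while the normalized matcher catches each one and additionally flags the double-encoded traversal, which is itself a signal worth logging.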

Pwn3d by the Hoffacino

Yep, I did it. And WOW what a ride it was. Chris Hoff (@Beaker) started a movement in fueling today’s security professional, and I don’t even know if he realized the animal he’s unleashed on the world.  It’s called a Hoffacino (or Hoffachino), and boy are you in for some fun if you order one.  This ain’t your daddy’s coffee! Before being allowed to consume one of these things, you should have to present passing results from a full physical and psychological examination. The experience of the Hoffacino starts when you order.  I was slightly embarrassed to order such an intricate drink from my neighborhood Barista. I mean, I might see this fine young citizen at the market! I have ...

What’s a Token?

Along with the confusion on the term End-to-End Encryption, Tokenization (or just simply tokens) is a term used to describe many things. But what is a token really? The PCI Council does not provide any guidance other than the definition for an Index Token in the glossary: A cryptographic token that replaces the PAN, based on a given index for an unpredictable value. But even this does not really help us. To make matters worse, the term “token” itself is defined in the PCI DSS Glossary in the context of a 2-factor authentication device like SecurID. I’m going to take a crack at defining it and discussing what the variants might be and how they could be weaker ...
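The glossary definition quoted above (a token that replaces the PAN, based on an index for an unpredictable value) is easiest to see next to a variant that is predictable. The following added example, written for this page rather than taken from the post or from the PCI Council, contrasts a vault-backed random token with a keyless hash token and shows why the latter is weaker: with the BIN and last four digits known (both are commonly printed on receipts), the hash token can be brute-forced over the six unknown middle digits. The PAN 4111111111111111 is the well-known test number; the vault format, the rule of keeping the first six and last four digits, and the attack function are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; prunes impossible PANs during the brute force."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class VaultTokenizer:
    """Random, format-preserving tokens; a PAN is recoverable only via the vault."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # Six unpredictable middle digits from a CSPRNG; BIN and last 4 kept
            # so downstream systems can still display/route on them (assumption).
            middle = "".join(str(secrets.randbelow(10)) for _ in range(6))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def hash_token(pan: str) -> str:
    """Weak variant: a deterministic, keyless hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hmac_token(pan: str, key: bytes) -> str:
    """Keyed variant: still deterministic, but offline guessing needs the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan_from_hash_token(token: str, bin6: str, last4: str) -> Optional[str]:
    """Offline attack on hash_token: enumerate the 6 unknown middle digits.

    At most 10**6 candidates, and the Luhn check discards nine tenths of them
    before any hashing, so this finishes in seconds on a laptop.
    """
    for middle in range(1_000_000):
        candidate = f"{bin6}{middle:06d}{last4}"
        if luhn_valid(candidate) and hash_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # standard test PAN, constructed input
    vault = VaultTokenizer()
    tok = vault.tokenize(pan)
    print("vault token:", tok, "-> detokenize:", vault.detokenize(pan and tok))
    leaked = hash_token(pan)
    print("hash token recovered as:", recover_pan_from_hash_token(leaked, pan[:6], pan[-4:]))
    print("hmac token (safe without key):", hmac_token(pan, secrets.token_bytes(32))[:16], "...")
```

The random vault token carries no information about the PAN beyond the digits deliberately retained, so the only way back is the vault itself; the keyless hash token is "unpredictable" looking but is really just an index into a space an attacker can enumerate, which is the kind of weaker variant worth watching for.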

Wireless On a Plane?

Go-go-gadget WI-FI ON A PLANE! I imagine that the next two weeks will see a significant amount of Wi-Fi trials or sales as parents and children alike take to the skies to visit loved ones over the holidays. While I am sure it has happened already, you don’t find too many documented cases of wireless attacks happening on airplanes. There are a couple of ways that attacks can happen. The first attack does not even require an internet connection, just a lazy passenger who does not follow their airline’s electronic device policy. I’ve seen tons of weary road warriors working on their laptops without removing their 3G data card or with that little Wi-Fi light blinking furiously. While going after ...

Fun Times with Encryption

Time for a throwback!  This year, I posted my new article “The Art of the Compensating Control” over a three week period back in April.  A reader recently contacted me about a claim I make in Part 4 of the posting.  He says: In your April 2009 blog The Art of the Compensating Control (Part 4) Tax day special, you stated that using the random function in COBOL to generate your key was in a sense, “a really bad idea”.  I have no knowledge of encryption so I don’t see the fault with the process.  How would this be equivalent to only 53 bits of encryption? Excellent question!  The basis of this post relies on a tool by Mandylion Labs ...

I want your old data!

Kotaku recently reported that a cache of Xbox 360s and PlayStation 3s offloaded to Circuit City has tons of fun data on them. Smaller merchants are buying these things for pennies on the dollar in hopes of reselling them for a profit in their stores. I’ve heard that these things are everywhere! Folks, don’t forget that every one of these devices that you plug into the wall or that has a battery is basically a computer. Sure, it may not be the one that you are reading this post on, but it is a scaled down version of the same technology. You know that VOIP phone sitting on your desk? Yep, a computer. Aside from the data security issues associated with ...
