Categories ArchivesSecurity Tools

The UCF Common Controls Hub, You Need This Thang! standard

Full disclosure, I was contacted by UCF’s marketing folks and given a demo of the Common Controls Hub, but I did not receive any compensation for this post. These are my thoughts. You get the call from the boss you have been dreading for weeks. “Jimmy, it’s time to add FISMA to our control set, and we need to be compliant in three weeks. GO!” Great, another compliance initiative to work into the alphabet soup of controls-pain that haunts security professionals. More standards means more work to make sure that the standard control set you use in your organization will cover any new requirements you face. Compliance and Security frameworks often overlap, and usually just have a small number of ...

Continue Reading

Fun with Password Managers standard

I actually started following my own advice a couple of years ago and started creating random passwords for each site that I use that requires a login. Yep, no more “Password123!” for me, it’s all random. But that poses another problem. How do I store these things in a way that is secure and readily available since I don’t have an eidedic memory? Enter Apple’s Keychain! Hooray! I’m now able to store these things relatively securely and make them quickly available for me if I need to log in somewhere. In some cases, I memorize the passwords if I have to use them frequently, but in most cases, I just grab it from Keychain. Every time someone asks me to ...

Continue Reading

Guest Post: Functionality and Benefits of WAF standard

The following guest post was provided by Ben Henderson, CISSP from Ensure Networks. Email him here. You can download the full paper here. The foremost functionality of a WAF is to secure web applications against application layer vulnerabilities. WAFs can be hardware devices or software that is deployed to monitor and protect web traffic. WAFs have the ability to enforce default and custom configured policies for browser to server transactions. They are similar to network firewalls on in the that WAF policies generally apply to IP addresses and ports. However, WAFs inspect HTTP traffic to normalize the data in the headers and URL parameters. They employ a variety of functions and work in parallel with IPS technology to enhance the ...

Continue Reading

Pwn3d by the Hoffacino standard

Yep, I did it. And WOW what a ride it was. Chris Hoff (@Beaker) started a movement in fueling today’s security professional, and I don’t even know if he realized the animal he’s unleashed on the world.  It’s called a Hoffacino (or Hoffachino), and boy are you in for some fun if you order one.  This ain’t your daddy’s coffee! Before being allowed to consume one of these things, you should have to present passing results from a full physical and psychological examination. The experience of the Hoffacino starts when you order.  I was slightly embarrassed to order such an intricate drink from my neighborhood Barista. I mean, I might see this fine young citizen at the market! I have ...

Continue Reading

What’s a Token? standard

Along with the confusion on the term End to End Encryption, Tokenization (or just simply tokens) is a term used to describe many things.  But what is a token really?  The PCI Council does not provide any guidance other than the definition for an Index Token in the glossary: A cryptographic token that replaces the PAN, based on a given index for an unpredictable value. But even this does not really help us.  To make matters worse, the term “token” itself is defined in the PCI DSS Glossary in the context of a 2-factor authentication device like SecurID.  I’m going to take a crack at defining it and discussing what the variants might be and how they could be weaker ...

Continue Reading

Wireless On a Plane? standard

Go-go-gadget WI-FI ON A PLANE! I imagine that the next two weeks will see a significant amount of Wi-Fi trials or sales as parents and children alike take to the skies to visit loved ones over the holidays.  While I am sure it has happened already, you don’t find too many documented cases of wireless attacks happening on airplanes.  There are a couple of ways that attacks can happen. The first attack does not even require an internet connection, just a lazy passenger that does not follow their airline’s electronic device policy.  I’ve seen tons of weary road warriors working on their laptops without removing their 3G data card or with that little Wi-Fi light blinking furiously.  While going after ...

Continue Reading

The Power of Pipes standard

Boy, after today, I feel like a guy that just discovered how to send a text message. Yahoo Pipes has been around for over two years and I remember lots of buzz about it in 2007.  For whatever reason, I never could find a good application for Pipes, and when I played around with the interface, I never got things to work right. Until NOW. I’m a football guy.  Yeah, some of you out there have your baseball, hockey, basketball, and NASCAR, but I’m a football guy.  Maybe it’s growing up in Texas, or maybe it was all the Sundays watching the legendary Dallas Cowboys of the early 90s, or the Dallas Cowboys patterned shirts that my mom made for ...

Continue Reading

Fun Times with Encryption standard

Time for a throwback!  This year, I posted my new article “The Art of the Compensating Control” over a three week period back in April.  A reader recently contacted me about a claim I make in Part 4 of the posting.  He says: In your April 2009 blog The Art of the Compensating Control (Part 4) Tax day special, you stated that using the random function in COBOL to generate your key was in a sense, “a really bad idea”.  I have no knowledge of encryption so I don’t see the fault with the process.  How would this be equivalent to only 53 bits of encryption? Excellent question!  The basis of this post relies on a tool by Mandylion Labs ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!