That Printer is gonna GIT ya! standard

Of all of the devices we have out there on our networks, is it going to be printers, cameras, and thermostats that cause our undoing? “Wait… did you say, PRINTERS!?! Are you off your rocker, Brando?” That was one of the key warnings that came from HP, Inc. in January of this year. I was one of a dozen individuals invited to a day long summit at HP, Inc., where their product leaders and various security experts talked to us about hidden security problems in the enterprise, provided live demonstrations, a tour of the facility, and the highlight, an evening at the HP Garage in Palo Alto. Let’s take a moment and think back to the advancement of Voice over ...

Continue Reading

More EMV Bypass Fun standard

So I’m sitting here in San Diego, which we all know is German for… never mind. As I pay for my lunch, I present my chip card and there is some kind of error. I know I entered my PIN correctly, but it immediately came back as failed. The bartender taught me a neat trick that I am sure we all need to be aware of as people capture magstripes and write them to new cards. “Oh, no problem on bypassing that. Just turn the card around and insert it, it will fail, and you can swipe!” The Verifone VX-675 terminal this place used detected that a card was inserted without a valid chip read, and immediately told me to ...

Continue Reading

PCI Compliance, Version 3.2 Now Available! standard

Well folks, it’s finally here. What started as an experiment back in April has finally come to fruition. I’m happy to announce that PCI Compliance, Version 3.2 is NOW AVAILABLE! If you order via the CreateSpace bookstore, please use coupon code 4JRH748R for $2 off through the RSA Conference. You can also order it via Amazon here. For those who want to get the e-Book, it will be available in Kindle format by February 15 (same link as above). As always, huge thank you to all of you out there who keep the conversation going!

Continue Reading

Conference Wrap-Up, 2016 standard

As we get ready to close out 2016, there have been quite a few events I have neglected to post here. I know I owe a larger update and more tools soon, but here’s one in the meantime to recap October and November. For this post, I’m taking a cue from Bill Brenner and supplying some mood music. My mood music is a little more fun than his is, though. October and November was a busy month for speaking and writing. Here’s a quick recap. Ever wonder why it might be a good idea to segment your home network? All those smart devices have to connect somewhere. I wrote an article for Tactics and Preparedness that discusses some of these issues ...

Continue Reading

Is Retail Ready for the 2016 Holiday Season? When Toasters Attack! standard

The holiday season is upon us, and the biggest days for retailers to make their 2016 plan commitments is coming. The popularity of online shopping always seems to claim a few retailers every year who did not plan capacity accordingly. We’ve seen both Black Friday and Cyber Monday shut down websites in the past, and even though elastic computing has grown in popularity, we can expect one or two that under planned their capacity for this year. But this post is not about poor IT capacity planning—it’s about the latest string of Distributed Denial of Service (DDoS) attacks that has claimed a number of prominent web properties over the last month. Internet of Things (IoT) devices, when improperly designed, can ...

Continue Reading

Netgear (In)Security and their Failed Remote Management standard

I’ve been having issues with some home networking equipment and decided that after a couple of years, I needed to make some updates. I did my research and ultimately settled on the Netgear R8000. Not just because it looks dead sexy or because it’s called the Nighthawk, but because it had really great reviews and I’ve generally been on board with Netgear’s product quality and technology. That is, until today. One of my biggest complaints about today’s networking equipment is that it really wants to be the only router in your house. It wants to be the command center. So if you have a couple of pieces of networking equipment, they both want to be in charge. I get it, ...

Continue Reading

Why I am Skipping the PCI Community Meeting standard

I know, you guys have given me crap for so long. “Suuuure you are going to skip this year. Whatever, Brando, see you in X city at  happy hour.” This has been the discussion over the last few years, and every year I have made my way to the city in question going back to the initial meeting in Toronto, 2007. This will be the first year I will miss. For me, it comes down to two things: content and how the hard questions go unanswered. Content: I looked at the agenda this year. For new people to PCI DSS, there are quite a few great sessions to attend. If you have more than one year experience and perhaps have ...

Continue Reading

My Tea Journey, so far! standard

Many years ago, I started a long journey into the world of tea. I still consider myself a n00b, but a no0b who knows what he likes and is not afraid to try something new. A friend of mine was asking about my tea obsession so I ended up putting together this long email that represents my current thinking around the leaf. After spending all that time, I figured I’d post it here, and possibly update it over time. BTW, I recently found a guy who has an AMAZING YouTube channel if you want to learn about tea. I visited his shop in Camden Town (London) in October of 2017 and loved it! Check out his channel, or just start ...

Continue Reading

Just wait, Millennials… Gen-Z is coming. standard

I was at a panel discussion with a large group of Dallas-based executives last Friday when a panelist mentioned a term that many of us cringe at: Millennials. I’m one of those kiddos that is nearly straddling two generations (Gen-X and Gen-Y/Millennials), and identify with both generations as a technologist. Many of my peers that are in Gen-X are not nearly as technically savvy as those of us on the younger side of the generation, but the technology uptake of generation X is not the discussion. Millennials show up all over the place. If you ignore history, you would assume that Millennials present the GREATEST RISK to America’s survival in a competitive world. Don’t believe me? Take a look at ...

Continue Reading

Affective Forecasting Strikes Again! standard

Oh yes, that’s a real thing even if YOUR browser thinks “affective” is not a word and shames it with a red squiggly. Affective forecasting is the act of predicting an emotional reaction to some hypothetical future event. We use it frequently. Have you ever filled out a survey that asked you how likely you would be to refer a friend to some company? That’s affective forecasting. Affective forecasting has great uses, but it has serious drawbacks. In my research on the Consumer’s Attitudes Toward Breaches, we learned that nearly every survey related to the study of breached merchants was flawed. In fact, when you ask someone how they will react to a hypothetical event, societal norms will kick in ...

Continue Reading