Archive for the ‘Security’ Category

PKI Revisited

A little more than two years ago, I set up a PKI and did a post on it. The main goal was to get a certificate on my EdgeOS router to get proper HTTPS support without the annoying red X. When I did it, however, I didn’t do it quite right, and so I decided to redo it all. Some of the major problems:

  • The cert for my router expired after two years. Hence, as of today I need a new cert anyway.
  • The intermediate cert also expired after two years. Lame!
  • To trust the chain, I had to import the intermediate cert into Windows, not the root cert. I should just need the root cert.

So I decided to do it right, and do it all over again for posterity, again largely following this post from Didier Stevens and again having the same old issues. Details below.

Encrypt All The Things

I am a security guy, and my profession is to protect the good guys – all of you – from the bad guys. Although the world is not full of bad guys, there are a lot of them, and the funny thing about information security is that the most poorly-skilled bad guy out there only has to wait for one smart person to “hack” something, and then everybody can do it regardless of skill level. That’s why, as Bruce Schneier says, “Attacks always get better, they never get worse”. It is for this reason that I am firmly on the side of Apple, because no matter who comes up with the attack, be it the FBI for ostensibly good reasons, or a hacker for all the wrong reasons, those attacks quickly spread to everybody, and put everybody at risk.

Splunk Reporting: Port Scans

It’s been a while since I’ve done some Splunk work on my home network, but lately I’ve been thinking about port scans, specifically about reporting on port scans against my environment. I’m not terribly worried about people scanning my network since it is quite locked down, but why not check on it to see if anything interesting is going on? Before too long I had a new dashboard; details below the jump.

The cost of NSA exploitation

There are plenty of good technical overviews of the Heartbleed vulnerability (including a great overview by XKCD). The security impacts of this issue have been covered well by people far smarter than me. But I feel the need to pile on to reports that the NSA has known about this vulnerability and exploited it for years, if this is indeed true.

Dealing With Stolen Credit Cards

How funny: the day after I write about password breaches, I learn that one of my credit card numbers has been stolen. Thankfully, though, I was well prepared for this event, and should be back to normal operations very quickly.

Password Breaches: Don’t Panic, Be Prepared

Hey, look, there’s been another password breach! Is it time to panic? I decided not to. In fact, I decided to pretty much ignore the whole story. As a result of this breach, I only rotated one password, and frankly, it wasn’t because I was worried that this password had been compromised.

Wait, shouldn’t you panic? Based on a lot of the news stories I’ve read, that’s a popular option. However, there’s no need to freak out if you are doing things right to begin with, and that’s where you really should start.

Breaking Encryption

The big news today is that the NSA has “broken” much internet encryption. Details are scarce, and comments are plentiful, but it’s important to understand at a high level what it means to “break” encryption. There are essentially three ways to “break” encryption, and they all mean different things.

Spying and corporate fallout

For good reason, a lot of discussion about recent NSA revelations has focused on the government, what they are actually doing, and what controls are in place. It’s important to keep in mind, however, that most of the data collection utilized the services of private companies in one of the best examples of outsourcing available: why have the government spend billions of dollars on data collection infrastructure when they can just ask the private data collectors to share? What remains to be seen, though, is the long-term consequences for those private companies, and whether they will remain so quiet and accommodating in the future.

Continuing to cooperate may have real costs. Bruce Schneier advocates that private companies resist because eventually, the government will hang them out to dry. ITIF suggests a more concrete reason for resisting: it could cost money for cloud providers. I find the monetary justification very interesting, although one without a good solution. There’s a great deal of (justified) fear in outsourcing IT to Chinese infrastructure for fear of data loss. Is it now time to extend that fear to U.S.-based cloud providers? If so, what are the alternatives? Europe has regulatory issues. What does that leave? South America? Australia? Bring back HavenCo?

It’s very early in this saga, and it’s going to be a while before companies understand this landscape. When it comes to managing enterprise risk, companies have long had to worry about hackers, natural disasters, and corporate espionage. It’s clear, though, that it’s likely necessary to add cooperation with government data collection practices to the list of risks to manage.

Chrome security and best practices

Many in the security community are all atwitter about the Chrome browser not encrypting passwords. They call this bad security; a lot of people disagree. I tend to agree with the latter group: putting a master password or otherwise putting some kind of encryption in Chrome’s password store wouldn’t materially increase security, and would give users false comfort. Many other software manufacturers feel the same way (see, for example, Pidgin).

The CISSP Exam

Last Sunday, I took and passed the CISSP exam. I had made it a personal goal to pass the exam before the end of the year, and I’m happy to say that I have achieved my goal. What was my study plan? Read on…
