Archive for the ‘Security’ Category

Splunk Reporting: Port Scans

It’s been a while since I’ve done some Splunk work on my home network, but lately I’ve been thinking about port scans, specifically about reporting on port scans against my environment. I’m not terribly worried about people scanning my network since it is quite locked down, but why not check on it to see if anything interesting is going on? Before too long I had a new dashboard; details below the jump.

Read the rest of this entry »

The cost of NSA exploitation

There are plenty of good technical overviews of the Heartbleed vulnerability (including a great overview by XKCD). The security impacts of this issue have been covered well by people far smarter than me. But I feel the need to pile on to reports that the NSA has known about this vulnerability and exploited it for years, if this is indeed true.

Read the rest of this entry »

Dealing With Stolen Credit Cards

How funny: the day after I write about password breaches, I learn that one of my credit care numbers has been stolen. Thankfully, though, I was well prepared for this event, and should be back to normal operations very quickly.

Read the rest of this entry »

Password Breaches: Don’t Panic, Be Prepared

Hey, look, there’s been another password breach! Is it time to panic? I decided not to. In fact, I decided to pretty much ignore the whole story. As a result of this breach, I only rotated one password, and frankly, it wasn’t because I was worried that this password had been compromised.

Wait, shouldn’t you panic? Based on a lot of the news stories I”ve read, that’s a popular option. However, there’s no need to freak out if you are doing things right to begin with, and that’s where you really should start.

Read the rest of this entry »

Breaking Encryption

The big news today is that the NSA has “broken” much internet encryption. Details are scarce, and comments are plentiful, but it’s important to understand at a high level what it means to “break” encryption. There are essentially three ways to “break” encryption, and they all mean different things.

Read the rest of this entry »

Spying and corporate fallout

For good reason, a lot of discussion about recent NSA revelations has focused on the government, what they are actually doing, and what controls are in place. However, it’s important to keep in mind, however, that most of the data collection utilized the services of private companies in one of the best examples of outsourcing available: why have the government spend billions of dollars on data collection infrastructure when they can just ask the private data collectors to share? What remains to be seen, though, is the long-term consequences for those private companies, and whether they will remain so quiet and accommodating in the future.

Continuing to cooperate may have real costs. Bruch Schneier advocates that private companies resist because eventually, the government will hang them out to dry. ITIF suggests a more concrete reason for resisting: it could cost money for cloud providers. I find the monetary justification very interesting, although one without a good solution. There’s a great deal of (justified) fear in outsourcing IT to Chinese infrastructure for fear of data loss. Is it now time to extend that fear to U.S.-based cloud providers? If so, what are the alternatives? Europe has regulatory issues. What does that leave? South America? Australia? Bring back HavenCo?

It’s very early in this saga, and it’s going to be a while before companies understand this landscape. When it comes to managing enterprise risk, companies have long had to worry about hackers, natural disasters, and corporate espionage. It’s clear, though, that it’s likely necessary to add cooperation with government data collection practices to the list of risks to manage.

Chrome security and best practices

Many in the security community are all atwitter about the Chrome browser not encrypting passwords. They call this bad security; a lot of people disagree. I tend to agree with the latter group: putting a master password or otherwise putting some kind of encryption in Chrome’s password store wouldn’t materially increase security, and would give users false comfort. Many other software manufacturers feel the same way (see, for example, Pidgin).

Read the rest of this entry »

The CISSP Exam

Last Sunday, I took and passed the CISSP exam. I had made it a personal goal to pass the exam before the end of the year, and I’m happy to say that I have achieved my goal. What was my study plan? Read on…

Read the rest of this entry »

DropBox Two-Factor Authentication

DropBox is cool. I use it to keep my many computers in sync. This includes keeping my password manager master safe file in sync (you all use password managers, right?) Even though that file is encrypted with a good encryption algorithm, it’s still a file I would like to protect. I used a pretty strong password on my DropBox account, but it’s still just a password.

Fortunately, though, DropBox now supports two-factor authentication. If you have a Google account, and you use Google’s two-factor authentication (like you should!), it’s incredibly easy to add, because it works with Google Authenticator. Just enable two-factor in DropBox, go to Google Authenticator on your phone, add new account, scan the barcode, and done.

Hopefully, this means that two-factor authentication is becoming more mainstream. I’ll be a lot happier when Facebook supports it, but for now, DropBox support is fantastic.

Privacy Around Me

There has been a lot of ink spilled about the Girls Around Me app that was introduced, and then pulled from the iPhone App Store. For those who are unaware, the app used the geolocation aspects of existing websites, such as Foursquare and Facebook, to show the user where women were located close to them. This was widely decried as creepy and stalker-y, and after Foursquare cut off access to their data, the app was essentially useless. The developer does, however, hope to bring it back sometime soon.

Was the app gross and juvenile? Perhaps. But it’s important to remember that this app was using data that was publicly available. The users who showed up were sharing, knowingly or unknowingly, their location data with everybody in the world. The whole point of Foursquare, and Facebook location tagging, is to tell people where you are: this issue here was that this data was being used in a way that people may not have agreed to, but they were making it public all the same. Plus, let’s imagine that the app wasn’t looking simply for women located close by: let’s imagine that it was looking for mothers with at least two children that have a household income of $70,000 per year. Now we’ve described a micro-targeting app that your favorite retailer of choice is most likely feverishly working on, again using public data to find what is of interest to them. Is that also creepy? Maybe, but it is the future of marketing.

Read the rest of this entry »

« Older Entries