If you haven’t heard already about the PlayStation Network compromise, you should pay attention if you have a PS3 and use PSN. Your PSN online ID, name, address and birthdate have all been compromised, and (potentially) your secret questions and credit card numbers. What I don’t understand is why Sony can’t definitively tell us whether the secret questions and answers or the credit card numbers have been stolen. PCI rules require strict controls over the CC information, and the PAN (CC number) must be stored *unreadable*: “Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches: • One-way hashes based on strong cryptography • Truncation[…]

Many papers and online explanations of security protocols are dense and quite complicated. And sometimes even security professionals don’t understand the explanations. When I first started at CMU, there was a class called “Internet Security”. I went to the first lecture and promptly dropped the class. I understood practical security – but this class focused on theoretical security. In the first class, we were given the “security language” of Kerberos. At the time, I had barely used Kerberos as part of the CMU computer systems, and certainly didn’t understand it – and didn’t realize that that’s what the class was about, until several years later. Now, I finally understand more, and really wish I hadn’t dropped that class. However, there[…]

In a week or two (or 3 or 4), I’ll be leaving on at least two months of maternity leave. Short/long term leave is a pretty common scenario, whether for maternity leave, disability, or a sabbatical. People who have accounts and company knowledge are just “gone” for extended periods of time. Sometimes there’s advance notice, sometimes there’s not. What can you (or your company) do to make the transition easier from a security perspective? Availability is one area of security – aka business continuity. If you know you’re leaving for an extended period of time, let your employer know as soon as reasonable. I know for maternity leave, many women and their partners wait until after the first trimester –[…]

How do you use a different strong password on every site without writing all of those passwords down or going mad – a password manager with randomly generated passwords. I have several machines I use on a very regular basis – both for work and personal use: at least one desktop and one laptop in each case, and then occasional use on my iPhone. So any password manager for me would have to work among all of these machines. In my case, they’re all OS X, but these tools work on Windows as well if you’re stuck using it 🙂 I use 1Password syncing with Dropbox. Dropbox synchronizes files between computer systems – Windows and OS X, and even iPhone,[…]

Enter Armitage. If you’re normally a Windows/GUI person and aren’t comfortable with the command line (much less Metasploit’s command line), you might want to look into Armitage. It uses XML-RPC to talk to Metasploit and presents you with a nice pretty picture of your network and what you’ve compromised, and allows you to launch Metasploit plugins and attacks against the networks, as well as interface with Meterpreter to pivot through compromised hosts. I have only scratched the surface of what Armitage can do in my own testing, but what I’ve seen so far has been excellent – especially for an initial release. Some folks will complain that this makes it too easy to “hack” into things, but I really think[…]

Cloud services are becoming ubiquitous, common, and more useful every day. What do I mean by cloud services? Google Apps, Dropbox, or basecamp are all cloud services. Many people (including me) use them to manage their productivity work flow. I’m a big fan of Dropbox to sync my to-do list (Things) and 1Password file between my office machine, my desktop at home, and my laptop. It just works. I also use MobileMe to take care of my calendar syncing. But, I’m careful about what I put in my calendar, or my to-do list. Those things can tell a great deal about information that should be kept confidential – who I’m having meetings with about what can give away who our[…]