While I did my thesis on this topic back in 2001, I haven’t used the knowledge or skills I gained from it much – or really at all. But I think it’s an interesting topic, and one that security folks and system administrators should at least be passingly familiar with. The technology has certainly changed since I did my thesis. When you look at an IP address or even domain name in your logs – where is that person coming from? You might need to know for forensics purposes, or even “cyberwarfare” purposes. Keep in mind that spoofing an IP address isn’t rocket science, and just knowing if the IP address in your logs is the one doing the activity[…]

I’ve mentioned Whole Disk Encryption in the past. There are a number of products, both free and paid, which will allow you to encrypt your entire hard disk, or the hard disks on your servers. In a recent study, whole disk encryption (referred to as FDE in the study) has been shown to significantly hamper investigation. Basically, the encryption is too good. Even with techniques like cryogenic RAM freezing it’s often unlikely that the encryption can be bypassed. But there’s a huge, gaping hole in such protection: you can’t USE encrypted data. For it to be accessible and usable, it has to be decrypted. (In other news, it is not possible to open properly locked doors, nor to pass through[…]

I am currently experimenting with my smartphone, to see if its Mobile Access Point Functionality allows it to function as a wireless router independent of Internet connection. In theory, it should – it is capable of providing internet access to four attached devices, and that suggests that it should have router functionality, meaning that the attached devices should be able to talk with each other, rather than simply to the Internet. In practice, I know that sometimes seemingly important parts of networking implementations are, well, not implemented. The most egregious example, in my experience, was a commercial-grade firewall which was unable to pass UDP traffic under certain circumstances. The lesson I learned then was that just because the hardware and[…]

We’ve discussed the importance of properly implemented two-factor authentication before, but TFA is usually associated with computing fields or high-security facilities. Earlier this year an InfoSec blogger wrote about his experience driving a new Ducati Diavel, in which he dealt with a dealer who did not provide a key for the bike he was test driving. While the bike appeared to have been started before he left the dealership, apparently the dealer started it without a key, since new Ducatis can be started with an optional backup PIN in case you lose or forget your key fob. To his surprise, the bike’s PIN was the last four digits of the bike’s VIN, although that was most likely an oversight from[…]

Let me first start off with the disclaimer that I am a CISSP and (nominally) a member of (ISC)2. I’ve been part of very few professional organizations throughout my career and college days. I even shied away from the women in engineering groups on campus, although I knew a lot of women in them. I tended towards the ad hoc, social groups instead. Blame it on the Cotillion club I was (forced to be) a part of when I was in high school; I just don’t like paying to be part of a “club”. I pay (ISC)2 only because I have to, to keep my CISSP (and to other organizations for the same reason); I’m not a member because I[…]

In the past few years, we’ve seen point-of-service payment card hardware and software capabilities extend from an enterprise level (proprietary systems) to a small business level (financial institution-backed merchant accounts) and finally to an individual level (web and mobile payments). And it makes sense; despite the growing popularity of e-currency, most people with a bank account have access to a credit/debit card and aren’t afraid to use it. And with each step of maturity, the technology surrounding payment cards gets more and more diverse and open to innovation. Jumio’s Netswipe is a new twist on entering payment card data online. Instead of swiping or typing, you essentially stream an encrypted video capture of yourself holding up your card. I’m assuming some[…]