Just own it…

“Even robust defenses and prosecutors aren’t sufficient to protect against the state-sponsored attack, especially when they’re extremely sophisticated and persistent,” Marissa Mayer testified.

Just own it. This “the Russians did it” is becoming a tired trope. There is now way to even conclusively know if a state sponsored entity did do it. From what I . . . → Read More: Just own it…


Being in the industry, I understand how difficult it is to secure an organization, so I have some sympathy for Equifax. As an ex-NSA colleague noted (paraphrasing), “A defender has to protect everything, an attacker only has to find one hole.” That said, their business is PII, so there is a higher standard there.

In . . . → Read More: Equifax

Installing Plixer’s “Scrutinizer” NPMD

Plixer makes a good “Network Performance Monitoring and Diagnostics” (NPMD) application called “Scrutinizer“. NPMD, as Gartner calls it, mostly omeans, collecting, aggregating, and reporting on Netflow data.

Plixer provides a VMware OVF for installation of a virtual appliance. I, however, ran into a few issues with the installation:

I couldn’t get the install to work . . . → Read More: Installing Plixer’s “Scrutinizer” NPMD

Good basic email advice

Professor Alan Woodward from the Department of Computer Science at the University of Surrey via The Register:

“Educate users not to open files that they are not expecting. Practice your ABCs – Assume nothing. Believe no one, and Check everything should be drummed into users – personally I preach ABCD – if in any doubt . . . → Read More: Good basic email advice

ASA Firewall Rules of Thumb

Some important Cisco ASA firewall details I and others have learned and shared over the years:

Don’t use “security-level” as your method of security. In the long term at best “security-level” will cause you to block traffic you didn’t expect, at worst, it will allow traffic you didn’t want. Why? Well… If you add an . . . → Read More: ASA Firewall Rules of Thumb

IC3 Alert on Microchip-Enabled (EMV) Credit Cards

Unfortunately quite accurate and what a number of us have been saying all along:


The gist can be found in a single paragraph:

Although EMV cards will provide greater security than traditional magnetic strip cards, they are still vulnerable to fraud. EMV cards can be counterfeited using stolen card data obtained from . . . → Read More: IC3 Alert on Microchip-Enabled (EMV) Credit Cards

More on “tiny” URLs…

I keep getting them from very smart, very security conscious people. However, to make my point:


I love what they offer but…

Some do offer a preview, but users aren’t used to seeing that and unfortunately won’t care (ie: they are so used to getting them without preview, they won’t expect it . . . → Read More: More on “tiny” URLs…

Nothing new here…

But everyone should read it:

Dear Secure Companies…

Dear Secure Companies,

Please stop sending me emails to pick up critical documents or surveys where the URLs I need to follow point into random unverifiable domains. A link that leads to a URL like:


is not going to inspire confidence and, assuming it isn’t spear-fishing or malware, is teaching end users . . . → Read More: Dear Secure Companies…

Dumping SSL certificate information

It seems lately I’m regularly having to dump the information from SSL certificates (for instance to get the “Subject” or CA signer). Since I keep having to look up the exact syntax, I thought it easier to save here and figured it might help others.

So, if in PEM format, use the following:

. . . → Read More: Dumping SSL certificate information