The Equifax Data Breach and the Apache Struts Vulnerability

Last week (9/7/2017), Equifax announced that on July 29 they discovered that a web application vulnerability had been exploited to access a trove of consumer information, and that the unauthorized access had been going on for roughly the previous 2 ½ months before it was discovered.  Various news outlets, such as the New York Post, are starting to report that the…

Has SHA-1 been hacked?

No, not exactly.  The SHA-1 hashing algorithm still does what it is supposed to do.  SHA-1 produces a 20-byte (160-bit) “fingerprint” of the data fed into the function, in this case a web server certificate.  What makes cryptographic hash functions so useful is that the output is deterministic yet unpredictable: the same input always gives the same fingerprint, but nobody can work backwards from a fingerprint to an input, and, for a hash that is still considered secure, nobody can find two different inputs that share a fingerprint faster than by brute force. …

HTTPS: Is it Possible to Forge a Web Server Certificate?

Yes, it is possible in theory to forge the web server certificate that is used in SSL/TLS communication. This is because the certificate authority that your browser trusts does not sign the certificate bytes directly; it signs a fixed-length digest of them produced by a cryptographic hash function. If an attacker can find a second certificate that hashes to the same digest (a collision), the authority's signature is valid for that certificate too. The hashing algorithms that have been used to…
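The two posts above both come down to the same mechanics: a certificate fingerprint is a hash over the certificate's DER bytes, and the CA's signature covers a hash named by the certificate's signatureAlgorithm field. The following script is an added example, not code from the original posts or from any library they mention. It contains a tiny DER encoder and decoder written for this example, builds two stand-in certificates inline (constructed data with placeholder signature bytes, not real certificates), reports which hash each one was signed with, flags the SHA-1/MD5 ones, and computes the SHA-1 and SHA-256 fingerprints the same way a browser would. The OID table and the `inspect()` function are this example's own; a real certificate's DER bytes can be passed to `inspect()` unchanged.

```python
"""Read the signature algorithm and fingerprints of an X.509 certificate.

Added example, not from the original posts.  The certificates built below
are constructed stand-ins (placeholder signature bits, trivial tbsCertificate)
so the script runs offline; real DER certificates are handled the same way.
"""
import hashlib

# --- minimal DER encoder, only what this example needs ---------------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID (e.g. 1.2.840.113549.1.1.5) as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

# --- minimal DER decoder ---------------------------------------------------

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# OID -> (name, signed with a hash that should no longer be trusted)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def inspect(cert_der: bytes) -> dict:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)            # tbsCertificate: skipped, not needed here
    sig_tag, sig_alg, _ = _read_tlv(cert, pos)   # signatureAlgorithm: AlgorithmIdentifier
    oid_tag, oid_content, _ = _read_tlv(sig_alg, 0)
    if sig_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    oid = decode_oid(oid_content)
    name, weak = SIG_ALGS.get(oid, (oid, None))   # None = unknown algorithm, review manually
    return {
        "signature_algorithm": name,
        "weak": weak,
        # Browser "fingerprints" are exactly these: the hash of the DER bytes.
        "sha1_fingerprint": hashlib.sha1(cert_der).hexdigest(),
        "sha256_fingerprint": hashlib.sha256(cert_der).hexdigest(),
    }

def fake_certificate(sig_oid: str, serial: int) -> bytes:
    """Constructed stand-in certificate: trivial tbsCertificate and placeholder signature."""
    tbs = der(0x30, der(0x02, bytes([serial])) + der(0x30, der_oid(sig_oid)))
    sig_alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))   # OID + NULL parameters
    signature = der(0x03, b"\x00" + b"\x00" * 32)             # BIT STRING, placeholder bits
    return der(0x30, tbs + sig_alg + signature)

SHA1_CERT = fake_certificate("1.2.840.113549.1.1.5", 1)
SHA256_CERT = fake_certificate("1.2.840.113549.1.1.11", 2)

if __name__ == "__main__":
    for label, cert in (("sha1-signed", SHA1_CERT), ("sha256-signed", SHA256_CERT)):
        print(label, inspect(cert))
```

A real audit would walk every certificate in the chain, not just the leaf: a SHA-1 intermediate is just as much of a problem as a SHA-1 leaf. Note also that the fingerprint a browser shows is a hash of the whole DER, which is why changing even the serial number changes every hex digit of it.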

Unsolicited Commercial Email

From time to time, you may receive email in your inbox that invites you to try an Internet service of some sort.  An example is included below. Is this spam or a phishing attack?  Maybe, or maybe not.  With all the recent reminders about phishing, it is easy to see…

Ironic OpSec

UPDATE: After writing this post, I was put in contact with Jack Emanuelson, a board member of the national OPSEC Professionals Society (OPS).  He was gracious enough to contribute some fantastic information on this topic.  Read his posting here: OPSEC is really not OPSEC. _______________ I went to Google to…

How Hackers Get Passwords

Have you considered how some of the systems that you access every day are more critical than others?  Systems that contain more sensitive data need to have stronger passwords.  Strong passwords do not use words from the dictionary, even with letters swapped for look-alike symbols and numbers, and they do use symbols and numbers.  When it comes to passwords, longer is…
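Why a dictionary word dressed up with a capital letter, a few symbols and a trailing digit is still a weak password: cracking tools do not guess randomly, they take a wordlist and apply mangling rules (capitalize, leet-substitute, append digits or symbols) to every entry. The script below is an added example, not code from the original post. It implements a handful of such rules over a constructed six-word stand-in for a real wordlist, reports whether a password falls inside the space those rules generate and how many guesses that took, and contrasts that with the size of the blind brute-force search space for a longer password. The rule set and wordlist are this example's own and are deliberately tiny.

```python
"""Wordlist + mangling rules versus a long password.

Added example, not from the original post.  WORDLIST is a constructed
stand-in for a cracking dictionary (real ones hold millions of entries);
the rules mimic the common hashcat/John style transformations.
"""
import string

# Constructed stand-in for a cracking wordlist.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein", "monkey"]

# Look-alike substitutions users reach for, and crackers therefore try first.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "1", "123", "!", "1!", "2017", "!1"]

def mangle(word: str):
    """Yield, in a fixed order, the variants a rule-based cracker tries for one base word."""
    bases = []
    for base in (word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET)):
        if base not in bases:            # keep order, drop duplicates
            bases.append(base)
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix

def crack(password: str, wordlist=WORDLIST):
    """Return (base_word, guesses) if wordlist+rules reach the password, else (None, total_guesses)."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if candidate == password:
                return word, tried
    return None, tried

def brute_force_keyspace(password: str) -> int:
    """Search space a blind brute-force attacker faces for a password of this length and character mix."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)

def report(password: str) -> dict:
    base, guesses = crack(password)
    return {
        "password": password,
        "cracked_from": base,
        "guesses": guesses,
        "brute_force_keyspace": brute_force_keyspace(password),
    }

if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Dragon2017!", "correcthorsebatterystaple"):
        print(report(pw))
```

The point the numbers make: "P@ssw0rd1" has a 94-symbol alphabet and nine characters, so its brute-force keyspace is about 5.7 x 10^17, yet the rules reach it in a few dozen guesses because it is still "password" underneath. The 25-letter all-lowercase passphrase has a keyspace of 26^25 (about 2.4 x 10^35) and is not reachable from the wordlist at all, which is the sense in which length beats decoration.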

My Security Philosophy

A brand is a promise that is made to the company’s customers.  Over time, customers trust the brand based on the trustworthiness of the company.  Security plays an important role in protecting that trust by managing risks to confidentiality, availability, and integrity.  Customers expect that the information systems that they…

Is Server Downtime an Information Security Incident?

The following excerpt is a thread from a discussion on LinkedIn in the Information Security Community group. Question: Hi everyone, Information Security is about protecting the confidentiality, integrity, and availability (CIA) of Information Assets. So can someone tell me, at what point does availability become an issue? For instance, is…