Study Shows Mobile Apps Scoop Up PII and Other Data


While finishing up a project related to the EU’s new data security law, I’m reminded again how advanced even some of their existing laws are as they relate to consent. In EU land, you’re supposed to explicitly get a consumer’s approval before accessing and processing their personal data. But here in the US, it’s more […]

Here are a few reliable signs the end of the year is fast approaching: the leaves are falling, holiday decorations are emerging, and tech bloggers are gazing into their lattes trying to decide what data security news 2016 will bring. My inbox is already starting to fill up with all the usual players wanting to […]

Living Off the IT Land With Malware-Less Hacking


We’ve been lately hearing more about the trend in malware-free attacks. At RSA 2015, it was a topic of conversation by security pros. Ed Skoudis told us about it as well in our interview. And Dell SecureWorks has been on the case with what they refer to as hackers’ “living off the land”. Ultimate Stealth We […]

Penetration Testing Explained, Part IV: Making the Lateral Move


You can think about the post-exploitation part of penetration testing as an army or rebel force living off the land. You’re scrounging around the victim’s website using what’s available — shells, networking utilities, berries, poorly protected password files, etc. Kidding about the berries, but the idea is to import as little malware as possible and […]

Complying with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)


While in the US we’re still struggling with a national data security law, our northern neighbor has had uniform rules since 2000. It’s the law of the land in Canada for private companies to have security safeguards in place to protect personal information and to limit the retention of data. It’s a Privacy by Design […]

Meanwhile Back at the EU: Safe Harbor Framework Ends With a Whimper


Raise your hands if you knew anything about the US-EU Safe Harbor Framework. I mean, before you read all the scary headlines. I thought so! This is one of those rare times when researching obscure areas of international data protection law helped me in decoding a tech news story. I had looked into the US […]

Our Version 1.0 List of Penetration Testing Resources


I barely scratched the surface of penetration testing in my own blogging, and I’ve already amassed a long list of resources. So rather than withhold any longer, I’ll spill the beans in this initial roundup. As an IT person, you may already have some of these tools or software. In a sense, anything that helps […]

Interview with Pen Testing Expert Ed Skoudis


We’re very excited to present this Q&A with Ed Skoudis. Skoudis is a very large presence in the security world. Here’s just a snippet from his lengthy bio: founder of Counter Hack, sought-after instructor at the SANS Institute, creator of NetWars CyberCity, and winner of the US Army’s Order of Thor Medal. We focused our questions […]

Penetration Testing Explained, Part III: Playing with RATs and Reverse Shells

Last week I broke into a Windows 2008 server and inserted a remote access trojan or RAT. Don’t call security, I did this in a contained environment within virtual machines. To continue on with my pen testing experiment, in this post I’ll explore a few basic steps and techniques used by hackers after they’ve entered […]

Penetration Testing Explained, Part II: RATs!


Remote Access Trojans or RATs are vintage backdoor malware. Even though they’ve been superseded by more advanced command-and-control (C2) techniques, this old, reliable malware is still in use. If you want to get a handle on what hackers are doing after they’ve gained access, you’ll need to understand more about RATs. A RAT’s Tale RATs […]