tilt-cards

State of PCI Compliance: Verizon Report Tracks Highs and Lows

In addition to publishing the Metadata Era’s favorite source for hacking stats, Verizon also has a separate survey on PCI Data Security Standard (DSS) compliance. Since 2009, Verizon and its associated QSA testers have done 4,000 assessments of mostly large multi-national companies. With the recent high-profile credit card number heists, it’s a particularly opportune time…

privacy ftc

FTC Says Do the Reasonable Security Thing

Metadata Era readers know the FTC has become the de facto enforcer of data privacy and security protection. When there aren’t specific laws to apply, it uses the broad powers given to it by Congress—back in the earlier part of the last century—to prohibit “unfair or deceptive acts or practices” in the digital realm.  A…

399px-Golden_North_Samon_Derby_Winner_1955_Meyer

Phishing Attacks Classified: Big Phish vs. Little Phishes

The CMU CERT team I referred to in my last post also has some interesting analysis on the actual mechanics of these phishing attacks. Based on reviewing their incident database, the CERT team was able to categorize phishing attacks into two broader types: single- versus multi-stage. What’s the difference? Think of single-stage as catching lots of…

personality-traits-more-prone-to-phishing

Do Certain Traits Make People Vulnerable to Phishing?

The Computer Emergency Response Team (CERT) at Carnegie-Mellon University is a research institute devoted to computer and network security. CERT is often referenced by other security researchers, and for good reason: they have deep knowledge of vulnerabilities and have developed cyber-engineering techniques both to analyze and prevent attacks. CERT also has an entire practice area…

pos attack

Point-of-Sale Cyber Attacks Are Back With Backoff

Point-of-Sale attacks are back in the news. But they never really left us. In the wake of the Target attack, the FBI issued a bulletin in January warning about future incidents. They identified the malware type (RAM scrapers) and the infection vector (phish mails, and compromised websites or “watering holes”). And they even pointed out…

Ticket_example

In Search of Kerberos’s Golden Ticket

In a Kerberos environment, all users get tickets, or more specifically TGTs (Ticketing Granting Tickets). It’s the starting point for gaining access to services—network files, email, apps, etc.  In Windows, there’s one user who stands out, the all-powerful domain administrator. They have access to the keys of the kingdom, literally—the Domain Controller on which the…

Cerberus_(PSF)

Kerberos Weaknesses: Pass the Ticket Is a Real Threat

August is always a good time to check up on the dark side.  Black Hat had its annual conference earlier this month, and there’s always presentations worth looking at.  I’ve been writing about Kerberos recently, and while it’s a big improvement over Microsoft’s NLTM, nothing is ever perfect.  I came across a presentation that looks…

800px-SF_Police_search_the_car

Cloud Storage and the 4th Amendment: It’s Complicated

With the recent spat between the US Justice Department and Microsoft over emails stored in the cloud, the 4th Amendment remains in the rear-view mirror for IT people. Cindy recently posted about some of the issues related to Big Data and the 4th, but there’s an even more fundamental question about data stored in the…

DisneyTicketBook_wbelf

Authentication Lessons From the Magic Kingdom: A Closer Look at Kerberos, Part II

Let’s continue our journey into the Magic Kingdom as a way to explore Kerberos. Sure the comparison doesn’t completely track, but it’s close and easy enough to grasp that I think you won’t mind missing—trust me on this—the standard Kerberos protocol diagrams. Back to Disney World: you’re now in the park with your passport booklet…

800px-Syringe_and_hypodermic

Top Five Most Dangerous Software Errors

Over the years, Mitre, the MIT research group, has been analyzing software bugs and missteps that hackers have been able to exploit. Their Common Vulnerabilities and Exposures (CVE) classifications are something of a de-facto standard used for describing the root software causes in an attack.  Working with SANS, the Mitre CVE team has come up…