Blog

Blog

Vulnerability Management: Just Turn It Off! Part II

Our last post in the “Turn It Off!” blog series discussed some of the most common and yet unnecessary features that can make your environment more vulnerable, including JBoss JMX consoles, server banners and the Apache HTExploit. These risks are often encountered by our Vulnerability and Exposure Research Team (VERT), even on well-defended networks and many of which have been around for quite...
Blog

The 36th Article About VPN Split Tunneling

I have done is the most comprehensive meta-analysis on the security world’s view of VPN split tunneling. Will it change my IT team’s mind? Let’s find out…
Blog

NETGEAR Wireless Router Configuration Guide

This guide assumes that the reader has a NETGEAR branded wireless router and knows it’s address on the network. If you have forgotten the administrative password for your device, it may be necessary to perform a factory reset as outlined in this NETGEAR knowledge base article and then to login with the default password. Please note that while...
Blog

Friends Don’t Let Friends Mix XSS and CSRF

In preparation for my upcoming talk at BSides SF about finding vulnerabilities, I would like to share today some insights regarding two common types of vulnerabilities which leverage web browser in two unique ways. The goal of these vulnerabilities is quite different however. One is used to run untrusted code while the other is used to hijack authentication. The combined effect of these issues...
Blog

Why the Security Stack Has Ten Layers, Not Seven

The next item to tackle is the overall security architecture – and this includes several things. But let me first state the disclaimer that of course it is imperative that the correct governance and policies are in place and that technology can’t replace those things. But, it is also clear that however sophisticated, no paper document or process design will block an attack in the meantime until...
Blog

Bruce Schneier on Breaking Free from “Feudal Security”

“We live in a world where we’re ceding a lot of our power to other companies,” said Bruce Schneier (@schneierblog), security blogger and author of “Liars and Outliers” in our conversation at the 2013 RSA Conference in San Francisco. Schneier was referring to companies such as Google and Facebook that control our data as well as companies that control our devices, such as Apple. “These companies...
Blog

Penetration Testing with Smartphones Part 1

When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network remotely. Companies focus most of the security spending and policies on keeping hackers out remotely, from firewalls and other security hardening appliances, software and tools. However, given the proliferation of mobile devices in the workplace and use of Wi-Fi...
Blog

Intrusion detection and the “kill chain”

Last week, I sat in on a briefing by a guy who calls himself “Four” who happens to be involved in intrusion detection for Facebook. He shared some interesting perspective at the Black Hat conference through a discussion of ”Intrusion Detection Along the Kill Chain.” The information Four presented is based on the work done by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D of Lockheed...