Blog | InfoSec

Pins and Staples: Enhanced SSL Security

Posted on November 16, 2017Link 

With Chrome backing away from HTTP Public Key Pinning and other industry thought-leaders calling for its death, I figured I'd take some time to review some existing and upcoming (and tedious) controls that aim to fix some of the many shortcomings within the SSL/HTTPS ecosystem. In so doing I figured I’d summarize some of these concepts into a...Continue reading 

New Details on CitiGroup Compromise

Posted on June 14, 2011Link 

The Daily Mail has a short article about how the recent compromise of 200,000+ Citigroup accounts occurred. Of course there is not much technical detail but the vulnerability and exploit are pretty obvious if what the article says is correct: "They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account...Continue reading 

How to Get Properly Owned

Posted on May 20, 2011Link 

Expose unnecessary ports via NAT and firewall rules to your DMZ. I'm talking SSH, telnet, HTTP/S, SNMP, MS-SQL, MySQL, YourSQL, NetBIOS.... everything. If you're really serious about getting compromised, NAT public addresses to your internal Active Directory servers and database.If you don't have a firewall or a DMZ, all the better.Make sure no effective firewall policies exist...Continue reading 

Have Questions?
Get Answers