InfoSec

Witness Signatures Add Authenticity

Part of the Apple/FBI court case involves how software updates are protected with digital signatures. The key ensures that the update comes from Apple and therefore has a level of trust associated with the history of the company. The government is not asking Apple to turn over the signing key and Apple is not likely […]

Encryption Ensures Privacy

Encryption techniques are mathematically designed to be uncrackable, at least in an amount of time that relates to the value of the secret. This means the time and computing resources needed to successfully attack the encryption will cost more than the attacker is willing to spend. More computing power means less time. If it takes […]

Hacking an Encrypted Phone

Recent news has the media atwitter with misinformation about hacking phones and encrypted data. Here are some of the basic issues:

ENCRYPTION
Encryption is the process of using a coding technique to obscure information. Simple substitution techniques like using a number for each letter of the alphabet have been in use for many years. These […]

Password Strength Requirements

While the main premise of the article linked below is correct, it understates a key part of password cracking methodology. There are two primary means of cracking passwords: using word lists, and brute force. There are also many hybrid combinations, which is an important focus of the article. In brute force cracking, every element of […]

New Release of Kali Linux

Kali Linux is a penetration testing framework that contains over 600 penetration testing tools. It is a Debian based toolkit built on the foundation created by BackTrack. Some of the better known tools include:

Wireshark – packet sniffer and protocol analysis
nmap – port scanner
john the ripper – password hash cracker
metasploit framework – […]

NIST Adds New SP-1800 series

NIST (National Institute of Standards and Technology) has announced a new Special Publications (SP) series of documents called SP-1800, intended to augment the SP-800 series. SPECIAL PUBLICATIONS – [nist.gov] SP 1800, NIST Cybersecurity Practice Guides (2015-present): A new subseries created to complement the SP 800s; targets specific cybersecurity challenges in the public and private sectors; […]

Super Criminal from Silk Road

Ross Ulbricht is a super criminal like Lex Luthor in the Superman comics. Ross is the creator of the darknet trading post and web site known as “the Silk Road”. Named after the trade route of history that connected China and Europe, the Silk Road became an online black market where illicit goods could be […]

APT versus OODA Security Controls

Advanced Persistent Threat (APT) is a kind of attack that comes from a team with advanced skills, deep resources, and specific targets. They use advanced tools and techniques that are capable of circumventing defenses. They use stealth and demonstrate good situational awareness in evaluating the state of the defenders they face. They respond quickly and with […]

Overlays of Tailored Security Controls

Tailoring security controls involves adapting the generic baseline sets of security controls to better fit a specific operating environment. Here is a list of tailoring activities:

Defining “Common Controls” that are centrally managed and can be used by several information systems.
Applying “Scoping Considerations”
Using “Compensating Controls”
Defining “Organizational Parameters”
Adding “Supplementary Controls”
Using “Overlays” […]

FISMA Law vs Home Email Server

Working for a federal agency that has IT functions regulated by public law and running an email server from home to use for agency business seems problematic, but it may be possible. Here are some of the laws and regulations that come into play: FISMA – PUBLIC LAW 107–347, DEC. 17 2002 is known as […]