Frederic D Rohrer commented on the post, Week 1 Update, on the site 5 years, 11 months ago
Satwika, I agree with your additions. I love that you mention patching. I never considered that myself, but keeping the firmware and software up to date is essential. I think that most end users never consider applying patches to their devices, because the devices are so out of sight (and out of mind). I believe the expectation that “It just…
-
Frederic D Rohrer commented on the post, Week 2 Update, on the site 5 years, 11 months ago
Vince,
this is an interesting issue and it outlines the dangers of cyber warfare. The publicized data literally painted US bases in active deployment areas and made them vulnerable to mortar attacks etc. You are right in saying that the problem stems from lack of security awareness. I think that ultimately US soldiers on active deployment should…
-
Frederic D Rohrer commented on the post, Week 3 Update, on the site 5 years, 11 months ago
Fraser,
I did not see anything about off-site log storage, but that definitely makes sense to implement. You could log on an IaaS server and then pull the logs to your backup using a secure service broker. If the attacker somehow manages to intercept the logs then you probably have bigger problems.
-
Frederic D Rohrer commented on the post, Week 4 Update, on the site 5 years, 11 months ago
Scott,
you point out a great advantage for credit cards (besides the points you can earn). I feel that credit cards/ATM cards present a system that has to be secured like any other. Like you said, using a credit line for physical payments is a great way to limit risk. Separating your payment methods for physical transactions is also similar to…
-
Frederic D Rohrer commented on the post, Week 4 Update, on the site 5 years, 11 months ago
Brock,
this is an interesting topic. Some websites use a JavaScript-based miner instead of running advertisements. I recently saw a WebAssembly miner, classified by Symantec as PUA.WASMcoinminer. Check out Remedy ticket 1198502 for that.
-
Frederic D Rohrer commented on the post, Week 5 Update, on the site 5 years, 11 months ago
I found out that a Cloud hosted Domain Controller is not possible unless a VPN is used.
-
Frederic D Rohrer commented on the post, Week 12 Update, on the site 6 years, 7 months ago
Here are my personal pros and cons of Google Cloud:
Pros:
– the price is comparable to other Cloud providers and there is no minimum contract length.
– you can actually figure out how much your instance will cost (looking at you AWS…)
– lots of options (hardware, networking, security etc)
– quick provisioning
– Load-balanced instance…
-
Frederic D Rohrer commented on the post, Week 11 Update, on the site 6 years, 7 months ago
We talked about the security problem with misspelling domains in class last week and I thought I’d share this similar issue. While you can fat-finger a URL, your computer can do the same. Bits can randomly flip and this can be taken advantage of by registering a domain that is one bit different than a popular domain.
For example, aeazon.com is one…
-
Frederic D Rohrer commented on the post, Week 7 Update, on the site 6 years, 7 months ago
Breaking the Ledger Security Model by Saleem Rashid | Mar 20, 2018
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Saleem was able to break the Ledger Hardware Wallet by using a supply chain attack to modify the recovery seed. The recovery seed can be used to change or just extract the PIN. If the Ledger is used after the…
-
Frederic D Rohrer commented on the post, Week 09 – Update, on the site 6 years, 7 months ago
Breaking the Ledger Security Model by Saleem Rashid | Mar 20, 2018
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Saleem was able to break the Ledger Hardware Wallet by using a supply chain attack to modify the recovery seed. The recovery seed can be used to change or just extract the PIN. If the Ledger is used after the…
-
Frederic D Rohrer created the site Frederic Rohrer Portfolio 6 years, 8 months ago
-
Frederic D Rohrer commented on the post, Week 5 Update, on the site 6 years, 8 months ago
I found out that a Cloud hosted Domain Controller is not possible unless a VPN is used.
-
Frederic D Rohrer commented on the post, Week 5 Update, on the site 6 years, 8 months ago
I decided to try to host a Domain Controller in the cloud, using a public domain, so that the team can work on it anytime. This is a bad idea for many reasons, but I did not want to implement a VPN/routing service because that would have complicated things. Instead I looked at restricting all incoming connections using the built-in firewall.…
-
Frederic D Rohrer commented on the post, Week 4 Update, on the site 6 years, 8 months ago
Brock,
this is an interesting topic. Some websites use a JavaScript-based miner instead of running advertisements. I recently saw a WebAssembly miner, classified by Symantec as PUA.WASMcoinminer. Check out Remedy ticket 1198502 for that.
-
Frederic D Rohrer commented on the post, Week 4 Update, on the site 6 years, 8 months ago
Scott,
you point out a great advantage for credit cards (besides the points you can earn). I feel that credit cards/ATM cards present a system that has to be secured like any other. Like you said, using a credit line for physical payments is a great way to limit risk. Separating your payment methods for physical transactions is also similar to…
-
Frederic D Rohrer commented on the post, Week 3 Update, on the site 6 years, 9 months ago
Fraser,
I did not see anything about off-site log storage, but that definitely makes sense to implement. You could log on an IaaS server and then pull the logs to your backup using a secure service broker. If the attacker somehow manages to intercept the logs then you probably have bigger problems.