My hometown news website recently published an article with the above title authored by University of North Carolina Professor Nir Kshetri. I've never met Professor Kshetri, but after reading his essay I posted the following comment. Professor Kshetri is all wrong in his analysis and conclusions regarding monitoring minor students' use of district-supplied computing … Continue reading School Surveillance of Students Through Laptops May Be Doing More Harm Than Good
The Golden SAML threat vector enables an attacker to create a forged SAML "authentication object" and authenticate across every service that uses the SAML 2.0 protocol as an SSO mechanism. In a Golden SAML attack, the attacker can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with any privileges they … Continue reading What is Golden SAML?
I was recently asked this question...I'm working on a project right now where my team wants to substitute passwords and usernames for biometric authentication. I have expressed my multiple concerns for the security of such a system, but the idea has now come up that we could use a system with at least 2 factors … Continue reading Using Biometrics to Replace Passwords
The Traffic Light Protocol (TLP) takes something that most people know and applies it to a new problem. In this case, it is the simple concept of roadway traffic lights applied to information sharing. As defined by FIRST, an organization formed by cyber first responders, the Traffic Light Protocol is "a set of designations used to … Continue reading Understanding the Traffic Light Protocol (TLP)
The Internet is changing yet again. One of my predictions for 2018 is that everyone will witness a migration from corporate or private data centers to the 'Cloud', or Internet hosted data centers. There have been tremendous advances made in both securing the Cloud and sharing with the broader technical community how to secure the … Continue reading It all in the Cloud(s)
I recently came across two very good articles about USB forensics. The Hitchhiker's Guide to USB Forensics was published at the Cyberforensicator site by Oleg Skulkin and Igor Mikhaylov. It is a very well-thought-out and well-written description of how to find out, by operating system analysis, what files have been copied to a USB … Continue reading USB Forensics
In the past week I completed the work for the first MOOC (Massive Open Online Course) that I've ever taken. The course was Surveillance Law, which I completed via Coursera. Let me start by saying that this course was fantastic. The presenter, Jonathan Mayer from Stanford, did a great job delivering a series of short … Continue reading Surveillance Law from Stanford University via Coursera
BBC News is reporting today that Google has updated their search engine algorithm to provide a higher rank to websites that use HTTPS. The web news site Gigaom explains further that the algorithm identifies websites that use HTTPS / TLS and uses it as a 'light factor' that impacts less than 1% of global queries.
After reading Thomas' article on re-evaluating the safety of Mac OS/X last week, I finally managed to bring most of my Apple equipment up to date. I checked all the network devices and updated most of those. My Windows machines are all current. I do have that one Mac that won't run a current OS. … Continue reading Good References on Securing Mac OS/X
Five years ago I made a decision to move from PasswordSafe to AgileBits 1Password. As someone in the security field, I've always tried to practice what I preach, and using different passwords for different sites and cycling passwords (changing passwords every N months) is important. I looked at a number of different password management solutions. … Continue reading Password Managers & Escrow