Security via obfuscation: MAC Address

| 0 comments

Every network interface card has a unique 48 bit identifier known as a MAC address. This address is burned into the EEPROM on the card, and often is used by networking equipment to track users as they come and go, frequently associating MAC address to a hotel, credit card, credentials, and so on. In fact, even most consumer gear will record the MAC addresses of all computers that have ever issued DHCP requests to them, and these logs usually cannot be purged. When you combine this with the fact that most Cable/DSL service providers will also record your MAC address and bind it to your account, and the fact that some of them don’t even seem to wait for a court order to turn your info over, it becomes apparent that your MAC address essentially is your identify, but I of course disagree with this! One particularly useful hack is to change your MAC address. This can be useful if you want to make it a bit more difficult to track your device down. Thus, changing your MAC address is highly desirable for a number of reasons. If you curious about finding the manufacturer and location of a given MAC …

Continue reading

Using the web application attack and audit framework known as w3af to test your security

| 0 comments

w3af is a Web Application Attack and Audit Framework is an amazing tool that is written in Python and has the capability to find more than 200 defined vulnerabilities. Not only does it look for the usual suspects such as SQL injection, it also handles crawling, bruteforce, authentication, and so much more. There are a number of vulnerability scanners both commercial and open source, but it all comes down to what you prefer. I tend to lean toward the open source community because of transparency, community involvement, and the fact there is zero cost. Unfortunately web applications pose one of the greatest risks to organizations because often these applications are either public facing, open to business partners and of course employees (the insider threat). The fact is web applications are a rich target because there are so many different attack vectors. For example, the following five examples a very often used and very easy to exploit once vulnerabilities have been identified. Cross-site scripting (XSS): Is the act of injecting lines of code into web pages in some shape or fashion. If not defended against, malicious code will eventually lead to a breach. Session Hijacking: Each unique user is assigned a …

Continue reading

The Dollars and Sense of Enterprise Access

| 0 comments

This week I attended the 2014 US Business Leadership Network (USBLN) conference in Orlando, Florida where I was honored to speak on the subject of accessibility. I took part in a panel discuss where I spoke with a number of very knowledgeable people from a number of organizations that included Sprint, Verizon, and IBM. I of course represented Northrop Grumman and I focused on policies and procedures around accessibility. If you are interested in this subject, you will find the PowerPoint deck at the end of this post. Today more than ever, we conduct our lives in a digital medium. In many cases, a task may only be able to be completed digitally. Awareness of the nature and implication of legislation and policy regarding accessibility is significant in shaping organizational policy. In the era of the Internet, accessibility, or the lack there of, often erects obstacles to employees, business partners, and the general public. An article titled Accessibility in Practice: A process-driven approach to accessibility by Sarah Horton and David Sloan make a number of very interesting points: Involve people with disabilities effectively. Remediating accessibility barriers early. Introducing accessibility into the development process may be experienced as a disruptive. Electronic, …

Continue reading

Intelligence and Security Professional Certification

| 0 comments

Next month I embark upon my journey with the Center for Governmental Services at Auburn University to obtain intelligence analytic trade-craft skills essential for analysts in today’s operational environments. My goal is to develop skills in the handling and analysis of locally generated information, intelligence as related to homeland security, and classified and unclassified intelligence generated from the various intelligence communities. This study should prove to be very informative and educational to say the least. The fact that the faculty are former senior intelligence officers and managers from the CIA, DIA, NRO, NSA, State/INR, NGA, ODNI, Military Service intelligence components, and Capitol Hill says it all. If I am going to learn anything, then it makes sense to learn from those who have walked the path. The coursework includes the following subject matter: Introduction to U.S. Intelligence Intelligence For Policy Makers Risk Awareness Intelligence Operational Intelligence Intelligence Budget Process Cyber: Corporate Risk & Responsibility Intelligence Collection Analyst Training: Writing, Analysis, and Preparing Briefings National Security Policy Process History of U.S. Intelligence Homeland Security Intelligence Counter Terrorism: Actionable Intelligence Intelligence and the Law

Tools provide a false sense of accessibility compliance

| 0 comments

When you set out on the journey to achieve accessibility you will naturally turn your attention to tools to help facilitate they journey. If you paid attention, you had noticed that I stated journey and this is for a very good reason. The fact is, today’s websites are not your father’s website, which is to say they is little to no content that is static. The dynamic state of a website means that the content changes at any given interval and for this reason, accessibility is a continuous process. Although the tools are worthwhile and enterprises should procure and use them, it is important to realize that the tools are mechanical in their approach and of narrow scope. By itself, a tool does not guarantee a usable site; any more than spell check guarantees that the author’s document will be well written and comprehensible. The tools focus on the “letter of the law” rather than the spirit of the law. They ensure compliance with guidelines, but the guidelines have limitations. Most accessibility efforts center on the needs of the visually impaired users rather than People with Disabilities (PWD) in general. Accessibility in Business Develop a vision and statement that commits …

Continue reading