Tag Archives: Security

Azure Releases ExpressRoute

Microsoft has recently announced “ExpressRoute” for their Azure stack!  This is great news for security-centric partners that need to ensure private access to services hosted on Azure.

http://azure.microsoft.com/en-us/documentation/services/expressroute

If you utilize a network service provider that supports ExpressRoute connections, your connection can even bypass the public internet entirely!

I am personally excited to see where this technology goes, and how many providers start to pick it up.

Please note that even if your carrier does not support ExpressRoute directly, you can still utilize the ExpressRoute service!


A U.S. State paid over $1,000,000 USD for “fake” security in their web application!

I have the “pleasure” of interacting with software for a US state that was contracted out to a third party.  The third-party vendor is not known for high-caliber software, but what I found recently while digging around their web application really made me cringe.

When you first log in to the application, a little modal pops up and alerts you to the fact that it is connecting to secure servers.

I noticed that after the redirect I ended up in a non-SSL web application.  I mean, literally, no SSL ANYWHERE.  Every piece of information posted back and forth to the web application is sent in PLAIN TEXT across the magical internet pipes.

This piqued my interest, and led me to dig around the HTML/JS that was loading during that modal.

To my surprise, NOTHING was being done at all!  This piece of code literally LIES to its users, suggesting that it is going into secure channels.

Knowing the state paid over $1,000,000 for this web application makes me sick to my stomach.  The system has been plagued with issues since launch (as most web applications are), but this really goes above and beyond.  Seeing the commented-out “alert” lets me know someone was debugging this thing at some point.  What was the time spent to write this code (essentially misleading users about security) vs. the time it would have taken to install an actual SSL certificate?!

[Screenshot: BioCrap_SecureLogin]
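As an added example (this is not code from the post, from the state's application or from its vendor), here is the check a practitioner would run instead of trusting a "connecting to secure servers" modal: walk the redirect chain that follows the login and inspect where the forms on the landing page actually post to. The URLs, headers and HTML below are constructed for illustration; the `example.gov` hostnames are placeholders, not the real application.

```python
"""Audit a login flow for cosmetic security: a TLS page whose redirect lands
the user on plain HTTP, and forms that post credentials in the clear.
Sample data is constructed; it is not taken from any real application."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and whether it
    contains a password field."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL, so a form on an
            # http:// page with action="/account" is correctly seen as http.
            action = urljoin(self.base_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_chain(chain):
    """chain: list of (url, status, headers) hops, first hop is the page the
    user starts on. Returns a list of human-readable findings."""
    findings = []
    prev_scheme = None
    for i, (url, _status, _headers) in enumerate(chain):
        scheme = urlparse(url).scheme.lower()
        if scheme != "https":
            findings.append(f"hop {i}: {url} is not served over TLS")
        if prev_scheme == "https" and scheme == "http":
            findings.append(f"hop {i}: downgrade from https to http at {url}")
        prev_scheme = scheme
    final_url, _status, final_headers = chain[-1]
    if urlparse(final_url).scheme.lower() == "https":
        lowered = {k.lower(): v for k, v in final_headers.items()}
        if "strict-transport-security" not in lowered:
            findings.append(
                "final page lacks Strict-Transport-Security, so a later visit "
                "can still be downgraded to http")
    return findings


def audit_forms(html, page_url):
    """Report every form on page_url whose action is not https."""
    parser = FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if urlparse(form["action"]).scheme.lower() != "https":
            what = "credentials" if form["has_password"] else "form data"
            findings.append(f"form posts {what} to {form['action']} in clear text")
    return findings


# Constructed sample: the modal page is on https, but the redirect it performs
# drops the session onto plain http and never returns to TLS.
SAMPLE_CHAIN = [
    ("https://portal.example.gov/login", 200, {"Content-Type": "text/html"}),
    ("http://app.example.gov/session/start", 302,
     {"Location": "http://app.example.gov/dashboard"}),
    ("http://app.example.gov/dashboard", 200, {"Content-Type": "text/html"}),
]

# Constructed landing page: one form posts a password over http, one posts elsewhere over https.
SAMPLE_DASHBOARD_HTML = """
<html><body>
<form action="/account/update" method="post">
  <input type="text" name="ssn">
  <input type="password" name="current_password">
</form>
<form action="https://app.example.gov/feedback" method="post">
  <input type="text" name="comment">
</form>
</body></html>
"""

if __name__ == "__main__":
    for line in audit_chain(SAMPLE_CHAIN):
        print(line)
    for line in audit_forms(SAMPLE_DASHBOARD_HTML, SAMPLE_CHAIN[-1][0]):
        print(line)
```

On the constructed data this reports three hop findings (two http hops, one of them a downgrade from https) and one form that posts a password to `http://app.example.gov/account/update`. A chain that stays on https throughout but omits `Strict-Transport-Security` on the final page still gets one finding, because the fix the post is asking for is not just a certificate but server-side enforcement that keeps the browser on TLS.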


WordPress Security

A great collection of .htaccess and theme functions for securing WordPress


Phishing Scam: Walmart TVs

http://www.moneytalksnews.com/2013/05/17/scam-scares-people-with-fake-900-walmart-tv-purchase/

Ha!  That is pretty damn clever.  I think this is the first time I can remember a “receipt” being sent out.  I am still curious as to why they can’t proofread their emails for spelling/grammar.  Is it for spam detection, or are they really just that lazy with it?

Furthermore, why isn’t there more done to ensure email origination?  I can see when a Twitter account has been “verified”, or if a Facebook account is authentic.  Where is the system for emails?  Maybe it is out there, and I just don’t know about it?


Simulated Bank Heist:

http://money.cnn.com/2013/05/15/technology/security/bank-heist/index.html

Pretty impressive stuff.  Looks like Nish Bhalla from SecurityCompass was able to create $14 million from “thin air”.  Granted, he had access to an internal network ahead of time, but this is still impressive.  A little sniffing, a lack of encryption, and some wherewithal, and Nish was able to create a new account.

I would think banking of all places would be more serious about encrypting their data.  Shouldn’t there be some kind of compliance for passing banking data, even on internal networks? Or is this more about a lack of decent talent, capable of coming up with these security measures?


Microsoft Security Compliance Manager

I just discovered the Microsoft Security Compliance Manager through the Microsoft Security blog.  Looks like a great tool I will be able to use very soon with a new SBS setup I just did for a client.

http://blogs.technet.com/b/security/archive/2013/01/15/microsoft-s-free-security-tools-microsoft-security-compliance-manager-tool-scm.aspx
