Tuesday started my week out poorly, with my elbow making a loud cracking noise as I rolled my hand off my mouse from left to right as normal. The crack was immediately followed by a sharp, severe pain in the joint and a loss of 10° of extension; any attempt to extend the elbow was met with painful resistance. I did what most people would do: I called my doctor’s office, set up an appointment, and got in to see her on Wednesday. For the rest of the day Tuesday the pain level slowly rose until it was a steady 6 (on a scale of 1-10, 10 being the worst), and I went home and took some pain relief. Wednesday morning I saw my doctor, got some X-rays taken, and scheduled the referral with the surgeon who did my last elbow surgery in November of 2013 for Thursday, the 23rd of January.
I went to see the orthopedic surgeon on Thursday, who told me the following: “Well, the sharp cracking sound was you breaking off a bone spur, and now it’s floating around in your elbow… I need to schedule an MRI so we can determine how best to remove the pieces, and possibly we’ll discuss removing the entire radial head of the radius.”
We spent a few minutes discussing next steps and parted with the understanding that someone would call me to set up the MRI once insurance approves.
In the meantime, I’m taking an extra-heavy dose of naproxen sodium and being very careful with my elbow. Thankfully, typing doesn’t hurt the elbow…
So now I’m in a holding pattern… waiting for the call to set up the MRI… or to hear what excuse United Healthcare will provide for denying it.
So I get to spend the weekend resting and not using my right arm until I hear back from the ortho… Yippee!
Today has been an eventful day.
It ranged from dealing with my elbow popping and causing me incredible pain, and organizing a return visit to my surgeon to see what is wrong, to dealing with people at the office who don’t understand why they have to encrypt PII being sent to a third party.
As I drove home to get some pain meds for my elbow, less than a mile from home, I was struck by another driver who moved into my lane on North El Camino Real and made contact with the right rear of my vehicle. I called 911, who told me that since there were no injuries, I should exchange information with the other driver and let the insurance companies deal with the issue.
The woman who was driving refused to provide her insurance information, and when I told her that I wasn’t going to give her any information if she wasn’t going to provide hers, she called the police.
So, when I finally got home, I wrote this up to memorialize the information from the accident.
I was driving a blue Honda Accord (Vehicle A) in the leftmost lane on El Camino Real in Oceanside, approaching a slight left turn onto Douglas Drive. As I passed the white Lexus (Vehicle B) in the middle lane, the driver of Vehicle B moved into the lane I was occupying and struck my vehicle (Vehicle A) on the right rear quarter panel with their left front quarter panel. As seen in the images below, the damage to the Honda (Vehicle A) is on the left rear quarter panel, and the white Lexus (Vehicle B) shows damage on the front left quarter panel.
How this woman believes this was not her fault is beyond me.
Now to submit to insurance… groan…
Dear News Agencies – Please wake up.
Marc Rogers prepared a fantastic writeup on his blog entitled “Why the Sony hack is unlikely to be the work of North Korea.” I suggest that EVERY media outlet take a moment and review it. It is clear that there is far more research and digging to be done with regard to this security breach, and to ANY future stories pertaining to information security breaches.
For the most part (Brian Krebs being the primary exception), mainstream news has a significant knowledge gap when it comes to technology. They haven’t figured out how to report security breaches without flogging the word “hack” or immediately blaming someone to gain headlines.
The most alarming part, IMHO, is that there is a chance we will NEVER know the real root cause; however, Marc’s blog post does find some very insightful indicators that the North Korea angle is simply wrong.
Lastly, thank you Marc, for a well-reasoned and thought-out contribution on the current Sony issues.
Welcome to the December holiday season! With our busy December schedules, we need to be aware that data breaches also occur during the holidays. Criminals understand that the holiday season is a very busy time, not just for individuals but also for employers, companies, and all sectors of industry.
For those who may have missed it, 60 Minutes did a short 13-minute piece on credit card fraud. For those who remember, there were several breaches this past year, and many of them were in place well before the 2013 holiday season. The main point of all of this is to create an environment where we can all be on the lookout for the risks, have open discussions, and ensure that we are all doing our part to secure our personal information. Please take a moment to view the video.
Some Data Breach Presents for under your tree!
We have found a few infographics that show the number and sources of some of the largest breaches of 2013/2014. You can find them below.
As always, have a productive, safe and happy holiday season, from all of us here.
- 60 Minutes Video – As hacking of top retailers make headlines, Bill Whitaker discovers how insecure your credit card information is this holiday season(opensourcesinfo.org)
- More data breaches expected this holiday season(bizjournals.com)
- Avoiding credit card fraud in the holiday season(lexingtonlaw.com)
For those who have been following, there are some nuances of the latest crypto security flaws that may have been missed by most…
Adding to my previous post: you should not only completely disable SSL v3 and v2, but consider disabling TLS v1.0 as well.
Another good site to test your browser/client for its security configuration is https://www.howsmyssl.com/
- New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue (threatpost.com)
- Not So Fast on BEAST Attack Mitigations (threatpost.com)
Wow, that happened FAST!!! (time flies…)
Well, it’s now the middle of October. We’re back, and had a wonderful time in Hawaii getting married and spending our honeymoon in Wailea and Kihei on the wonderful island of Maui. For those who care, we held a very private ceremony on Po’olenalena Beach (aka Chang’s Beach) with only our officiant and ourselves. There will be photos soon… we’re waiting on them from the photographer.
Now on to what I missed and fell into upon returning:
- The POODLE vulnerability
- The Great Californian Shakeout
- National Cyber Security Month
You may, (or may not) have noticed that there is a gap in my posting recently.
I’m getting married on October 4th of this year, and now I’m running at 110 mph finalizing and preparing to go out of town for that event! [I know, I can’t believe it either!]
I plan on returning to this space sometime after the middle of October with some new articles, opinions and thoughts around all things information security related.
Hope you all have a great week, and if you wish to contact us, please do so at dc0de at foundpackets dot org.
Ok folks… I know… you don’t want the drivel to end… but I have to take a break. DEFCON 22 is around the corner, and I’m going into full-on preparation mode.
However, this post isn’t without some warnings you should heed if you’re going to be in Las Vegas next week for BlackHat, DEFCON, and/or BSidesLV (what I like to call InfoSecMecca).
Your Smart phone is vulnerable. Period.
Do:
- Lock your smart phone (with battery removed if possible) in a Faraday cage in your hotel room, and don’t turn it on for any reason, except in a life-threatening emergency. (No, I’m not kidding.)
- Disable ANY/ALL automatic update services, whether from Google Play, the Apple Store, and/or any other source of software updates. This also includes the Amazon store and your carrier’s automatic updates.
- Purchase an OLDER pay-as-you-go phone and forward your mobile number to that one, or simply get with the 20th century and use Google Voice. This will set you back $30-50, depending on what phone and what services you buy and how much you plan on using it, but it’s far cheaper than having your smartphone “pown3d” and your office getting emails from you saying “I went to and all I got was digitally raped”.
Don’t:
- Believe that your [insert security vendor app] is going to protect you. It won’t.
- Bother discussing or commenting if you are one of those who takes their smart phone to “see what’s going to happen”. For you, I have no words.
- Enable purchasing from any mobile device while in Las Vegas during InfoSecMecca.
- Worry, be happy.
That’s all I’ve got, and I hope to see you in Vegas during InfoSecMecca; I’ll be running around between BSidesLV and working @ DEFCON.
For those travelling this week and next, please be safe.
In the past weeks, as I’ve restarted blogging about Information Security, I’ve become much more curious about how non-technical people view Information Security. In my non-scientific assessment of casually watching people use their computers and mobile devices all around me, I’ve determined, again very unscientifically, that the majority of people simply don’t care. I’m over being shocked, stunned, or befuddled; now I simply accept it. So, I’ve been asking myself the following questions.
- Does Information Security for Consumers need to be fixed?
- Who is responsible for fixing Information Security for Consumers?
- Where should Information Security for Consumers be fixed?
- How should Information Security for Consumers be fixed?
So, in this entry I’m going to try to tackle the first bullet and leave the other three (or more, if I get some good suggestions) for follow-up blogs. So, here goes.
Does Information Security need to be “fixed” for consumers?
Wow, what a loaded question. The short answer? There isn’t one. On this question I see a variety of issues, opportunities, and simply a bunch of FUD. There will be companies claiming that they do this for you, for your mobile devices, and IMHO there are some that do this job adequately; however, they don’t have a desktop equivalent, which prevents the consumer from having ONE tool to use. Remember, consumers want the “Easy” Button. (Thanks Staples, you ruined it for the next guy.)
Most of the tools are cumbersome, written with technical experts as the audience, and filled with bloat. What happened to the software community? There once was a time when a tool simply did its job and functioned without damaging or [severely] impacting performance. Can we get back to that please? (Looking at you Symantec, and a few others.) I truly want to be able to recommend some tools to the consumers in my life who aren’t tech savvy, and when I do, I end up supporting said tools. So, [insert big software companies’ names here], I’m done recommending your tools and utilities. I’m simply going to tell those people that they’re on their own and that Your Mileage May Vary (YMMV).
But I’m straying from the question… back to the point: should Information Security be fixed for Consumers? In order for Information Security to be functional for the Consumer, it needs to be simple. It needs to continually and repeatedly remind Consumers what data they are l̶e̶a̶k̶i̶n̶g sharing, and give them the options to return to a more secure posture. The updates should be automatic and secure. Sign everything that you do with your code/software/updates. If it takes a little longer, background the process so that it notifies the Consumer that it’s going to take a few minutes/hours, and that the tool/software will let them know when it is completed. These are SIMPLE things. And yet, it seems that it has to be called out.
So, the simple answer to this question?
It needs to be fixed.
Do you have any thoughts on this? Any suggestions for any more bullet points? Comments? Let me know…
We have worked long and hard in the Information Security world to keep ourselves anonymous on the internet for many reasons, and yet here we are, with some new revelations that we’re being tracked yet again.
We have seen many articles on the use of Tor, its beginnings, how the CIA, DARPA and others have actually funded it to enable their resources to use the internet with anonymity, and that they have methods available to find the actual end user communicating over the service (see “Almost everyone involved in developing Tor was (or is) funded by the US government” for more info).
However, what I’m talking about here is something I heard this morning on the SANS Daily InfoSec Podcast for July 22, 2014, on a topic of great interest to me. Recently, I disabled Flash in my browser (Firefox on Linux) and moved to HTML5. I did this to make my browsing more secure; however, the report from the podcast showed me that this comes with a new privacy leak. “Meet the Online Tracking Device That is Virtually Impossible to Block” is the title of the writeup, and it shows that in HTML5 there is:
“A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.”
Basically, as I understand it, the canvas is an HTML5 feature that allows a website to draw pixels in your browser, meant for drawing objects; because of differences in fonts, operating systems, and many other variables, there are now methods to fingerprint the system, and potentially the end user. One of the primary offenders is the popular blog plugin called “AddThis”.
“First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.”
The article is very disturbing, and it includes a proof-of-concept URL to test your own browser. If you want to see an example of fingerprinting, also take a look at http://www.browserleaks.com/canvas.
The only method I can use to prevent this is NoScript in Firefox; however, it makes any HTML5 page useless.
Stay tuned; I’m hopeful someone will create a browser plugin to selectively stop HTML5 from rendering pixels on a hidden canvas. I’m proposing the name NO-CANVAS: something that works like NoScript and allows you to whitelist sites and/or objects that request access to the HTML5 canvas.
Until then, I’m going to be taking a much closer look at what sites are doing with HTML5, and I’ve already added “AddThis” to my Adblock and NoScript plugins.
What are your thoughts, is this paranoia, or a significant risk?
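A sketch of the NO-CANVAS idea proposed above, as an added example (not code from this post or from any real extension): it wraps the canvas read-back method so that a read from a hidden canvas on a non-whitelisted host is logged and answered with a constant image, which denies the tracker a unique value. The whitelisted host `example.com`, the `FakeCanvas` stand-in and the `demo` driver are all constructed here; in a browser you would wrap `HTMLCanvasElement.prototype` and pass `location.hostname` instead.

```javascript
// Added example, not from the post or any real extension: a NO-CANVAS-style
// guard around canvas read-back. Fingerprinting scripts draw into a canvas
// that is never shown, then read it back with toDataURL(); a hidden-canvas
// read on a non-whitelisted host is therefore answered with a constant image.
const ALLOWLIST = new Set(["example.com"]);       // assumed user whitelist
const BLANK_DATA_URL = "data:image/png;base64,";  // constant answer for blocked reads
const log = [];                                    // events a plugin would show the user

// Heuristic for "hidden": canvas not attached to the document, or with no area.
function isHiddenCanvas(canvas) {
  return !canvas.isConnected || canvas.width === 0 || canvas.height === 0;
}

// Wrap proto.toDataURL; returns a function that restores the original.
function installCanvasGuard(proto, hostname) {
  const original = proto.toDataURL;
  proto.toDataURL = function (...args) {
    const blocked = isHiddenCanvas(this) && !ALLOWLIST.has(hostname);
    log.push({ host: hostname, method: "toDataURL", blocked });
    return blocked ? BLANK_DATA_URL : original.apply(this, args);
  };
  return () => { proto.toDataURL = original; };
}

// Constructed stand-in for HTMLCanvasElement so the guard runs outside a browser.
// A real canvas renders differently per machine; this one just encodes its size.
class FakeCanvas {
  constructor(width, height, isConnected) {
    this.width = width;
    this.height = height;
    this.isConnected = isConnected;
  }
  toDataURL() { return `data:image/png;base64,${this.width}x${this.height}`; }
}

// Exercise the guard for one host: a detached canvas (fingerprinter pattern)
// and an on-page canvas (legitimate chart or game).
function demo(hostname) {
  const uninstall = installCanvasGuard(FakeCanvas.prototype, hostname);
  const hidden = new FakeCanvas(300, 150, false);
  const visible = new FakeCanvas(300, 150, true);
  const result = { hidden: hidden.toDataURL(), visible: visible.toDataURL() };
  uninstall();
  return result;
}

// In a browser: installCanvasGuard(HTMLCanvasElement.prototype, location.hostname)
console.log(demo("tracker.example"), demo("example.com"));
```

The visible canvas is left alone on every host, so pages that legitimately draw to the screen keep working while only the hidden read-back pattern is neutralised.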
- How companies use Canvas Fingerprinting to track you online(ghacks.net)
- The hidden threat in your browser: Share buttons reveal personal information each time you visit certain popular sites (and even the White House is affected)(dailymail.co.uk)
- What You Need to Know About the Sneakiest New Online Tracking Tool(gizmodo.co.uk)
- Canvas fingerprinting is like a cookie you can’t block, and thousands of sites are using it(geek.com)
- 404 – New online consumer tracking tool is virtually impossible to block(welsh.typepad.com)