John Kindervag
Author Insights
Blog
If Dr. Seuss Could Comment Upon IoT, This Is What He Might Say…
Things Run Amok by John Kindervag (To be read in the style of Dr. Seuss) We live in a world all interconnected But how in the world will it get all protected? Some bad boys and girls will try to infect it Making the internet all broken-neck-ed When Timmy B-Lee created the net He […]
Blog
InfoSec, Structural Engineering, And The Security Architecture Playbook
Last year the country of Japan suffered a devastating disaster of unspeakable proportions. A massive earthquake on the eastern coast of the country triggered a deadly tsunami that caused the flooding of the Fukushima nuclear power plant. Three dominos fell at once, resulting in a significant and tragic loss of life and property. I visited […]
Blog
How To Survive And Thrive At #SXSW If You’re Not From Texas
I’ll be in Austin, TX this weekend to participate in South-by-Southwest Interactive. My panel “Big Data Smackdown on Cybersecurity” will be held Sunday, March 11 from 12:30PM – 1:30PM at the Austin Hilton Downtown. Hope to see you there. Now, I wasn’t born in Texas, but I got here as soon as I could. I’ve […]
Blog
Lies, Damn Lies, Security Metrics, And Baseball
The legendary British Prime Minister Benjamin Disraeli is said to have noted that “There are lies, damn lies, and statistics.” Much of the technology world is focused on statistics and metrics. You’ve often heard it said, “If I can’t measure it, it doesn’t exist.” Known as the McNamara fallacy — named after the business tycoon […]
Blog
WikiLeaks And Stratfor Make The Case For More Data Encryption
Yesterday, WikiLeaks released emails taken in the highly-publicized Stratfor data breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator; others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies […]
Blog
Your Vertical Is . . .
Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed […]
Blog
RSA’s Acquisition Of NetWitness Validates Forrester’s NAV Concept
Today EMC’s security division RSA announced the acquisition of NAV (Network Analysis and Visibility) vendor NetWitness. Some pundits have suggested that this is a direct result of the recent breach of RSA, but Forrester has been aware that this acquisition was in the works long before the breach was known. In fact, the public announcement of the acquisition was […]
Blog
Go Long On Glue Manufacturers
FLASH TRAFFIC: This just in! The Washington Post is reporting a new wrinkle in cyberwarfare. In the article Defense official discloses cyberattack, the Post reports that “malicious code placed on the [flash] drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command.” Perhaps SkyNet has become self-aware, as […]
Blog
Preview Of PCI DSS 1.3 – Oops 2.0 – Released
The PCI Security Standards Council released the summary of changes for the new version of PCI — 2.0. Merchants, you can quit holding your breath as this document is a yawner — as we’ve long suspected it would be. In fact, to call it 2.0 is a real stretch as it seems to be filled — as promised […]
Blog
Dialoging About Tokenization And Transaction Encryption
Last week I published two research reports on the hottest topic in PCI: Tokenization and Transaction Encryption. Part 1 was an introduction into the topic and Part 2 provided some action items for companies to consider during their evolution of these technologies. Respected security blogger, Martin McKeay, commented on Part 1. Serendipitously, Martin was also in Dallas (where […]
Blog
Stop the Madness! Payment Apps are on the iPad too soon.
Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built in? Has the PIN Entry Device been rigorously tested, and does it meet all the PIN […]
Blog
Don’t Sign Here Please
Visa just announced the expansion of their No Signature program. Citing its "popularity", Visa notes that: "According to a Visa Inc. survey, 69 percent of participants surveyed cited either convenience or speed as the primary reason for using their credit or debit card." Wow. What this seems to signal is that Visa, and perhaps the […]
Blog
Trends in Mobile Payments Are Frightening
Question: Do I really want someone with an iPhone taking my credit card info? Enormous buzz lately about all of the new players trying to turn iPhones and other mobile devices into credit card swipe terminals. Very scary. Just because someone can create a website does not mean they understand payments. So many questions: Does the solution […]
Blog
Online Shopping Sites May Be Sharing Your Credit Card Data
The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving someone other than the […]
Blog
MiFi Pwned!
Wireless hacking guru Josh Wright has just announced that he has created havoc with a MiFi personal access point. MiFi is a little device that turns 3G wireless signals into WiFi. The cool thing is that the wireless signal can be shared with other nearby computers. According to Josh, he has found a way that, "An attacker […]
Blog
Is 3-D Secure Insecure?
Security Researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, known as "Verified by Visa" and "MasterCard SecureCode." This could be a […]
Blog
Virtual Network Segmentation for PCI?
Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce PCI compliance scope. They may use ARP or VLANs to control access to various network segments. These types of controls work at Layer 2, and the hacker community is well versed in using tools such as Ettercap or […]
Blog
More Prognostications for 2010
Several of my Forrester colleagues have already weighed in with their insightful 2010 predictions. I recently chatted with Shamus McGillicuddy at TechTarget where I shared my thoughts on the upcoming year. You can read the article here. 2010 is going to be an interesting year with economic concerns impacting the security business. I suspect that businesses […]
Blog
Hacking the In-Human Drone
A while back, I blogged on how researchers have developed tools to intercept streaming video from video conferencing systems and IP surveillance cameras. Today I feel so prescient with the Wall Street Journal's article on how Iraqi insurgents are using similar software to intercept the video feed of Predator Drones. The article has the catchy […]
Blog
Hacking the Human Network
A couple of network television shows have lately caught my eye. Now I’m not a television critic, but there were things in these shows that have security implications that warrant some attention. These episodes came just as I had finished some hacking training and provide an opportunity to share some interesting new tools and attack […]