A story recently began circulating about a situation in which it appears that NCIX’s customer and credit card data is being made available for sale. It reminded me of my experience when a friend and I visited NCIX’s warehouse during their bankruptcy auction preview on February 21, 2018.
I am the author of the advisory below. As of publication, no CVE number has been issued. This post will be updated when a CVE number is issued.
This advisory describes a class of security vulnerabilities which can manifest due to choices made during HTTP API design and implementation. These vulnerabilities may be used to bypass network security policies and enable data exfiltration or unauthorized API use.
As a developer writing a modern networked application, ignoring IPv6 is a mistake. It restores the internet’s capability of providing connections directly between all users and devices, which vastly simplifies building reliable and easy-to-use applications. Infuriating issues with port forwarding, NAT, and VPN address conflicts can be relegated to obscurity. Real-world performance tests at Facebook show a 15% performance improvement.
In the upcoming February 2015 edition of Notices, Michael Wertheimer, director of research at the NSA, consumed approximately 2000 words expressing that it was “regrettable” that they did not choose to withdraw their support for Dual_EC_DRBG. Dual_EC_DRBG is one of the computer security standards where a paper trail demonstrates that the NSA influenced the standard under suspicious circumstances.
It’s 2015 and your firm has decided that it’s finally time that you stop using your primary production systems as the first place you routinely run brand new versions of your software. And, after realizing that configuration files are often just software written in a domain-specific programming language, someone on the team dove deep down the dark devops rabbit hole, and, congratulations, your infrastructure is code now!
A growing awareness of risks to privacy and the generally miserable state of computer security is changing how people use the internet. A recent study found that people in seemingly free western countries feel uncomfortable searching for politically sensitive topics online. A lot of common privacy advice is dangerously misleading; overestimating the level of security provided by a technology can lead people to use it in ways they later regret. Many celebrities recently discovered that they were storing photos worth hundreds of thousands of dollars using security that was penetrated for far less.