I did some work related to certificates exactly one year ago. Today I had to repeat some of what I did in order to generate a new cert, and I’d forgotten some of the details in the process. I wrote a little about it here last year, but clearly I’d left out one step: How to generate a signing request which you can then submit to a third party for signing. Luckily I was able to recall the details after messing around with the files from last year. The following is a simple guide to save more time next time.
Continue readingInformation Security
Security Champion
I’ve been interested in all things related to cyber security for many years. In private I’ve played around with things like Wireshark and Burp Suite, explored a few CTF’s, and taken various courses from among other sources, Pluralsight and Cybrary (I’ve even contributed some written material as a paid training assistant for the latter). I’ve also been listening to security-related podcasts on and off for years (“Risky Business” anyone?), and tried to keep up with at least the biggest headlines in the field. For whatever reason though, I’ve never really worked with security in my professional career – at least not beyond dealing with a few things like security certificates and basic authentication and authorization solutions while coding.
A few weeks ago I was given the role of “Security Champion” for the team I’m currently working on, which means I’ll have an excuse for a little extra responsibility for making sure the teams maintains a good security posture.
So what does that mean? Well, it means I get to spend some time thinking not only about how we can make our products more secure, but also about how we can be prepared in case something does go wrong. Hopefully I will get to work on everything from threat modelling and pen-testing up to planning for disaster recovery, and fiddle around with a couple of interesting tools and frameworks along the way. I’ve consumed a substantial amount of theory about security of the last few years, so it will be nice if I can actually apply some of it in my daily work.
I’m really looking forward to this, and I hope I can find the time and inspiration to write a little more about it here as I go along.
We’ll see how it goes…
Cheers!
HSTS preload list: Pending Submission
So I finally got around to setting up headers for a 301 redirect HSTS for my site. What does that mean? It means that hopefully some time soon, chronology.no will be added to Chrome’s HTTP Strict Transport Security (HSTS) preload list, i.e. it will be hardcoded into Chrome as being an HTTPS only site.
In simpler terms: From now on, you’ll only be able to access any resources under the domain chronology.no using https, i.e. with encryption and authentication.
Great! Now all I need is a little more content on my site!
PS: You can check if the submission has been accepted here.
MasterCard’s new biometric security
I came across this announcement today. Apparently Master Card is applying biometrics in an attempt to make online shopping faster and safer. My impression of the current state of biometrics is that it is not great. Some technology may be considered reliable (a relative term in any case), but it is generally expensive, and typically consists of invasive things like retina scanning, which requires a person to physically lean close or right up to a specialized piece of equipment. General consumer technology like the fingerprint scanners on phones and the like are easily fooled, and may give a false sense of security.
So what is Master Card using? Well according to articles from biometricupdate.com and mobileworldlive, they’re experimenting with fingerprint scans and short video shots of faces (facial recognition) as replacements for passwords when authenticating payments. CNN Money has this video demonstrating the facial recognition solution.
The motivation behind this is to make security less of a hassle for customers, to keep them from abandoning purchases at the final step. I think this is an interesting and admirable effort, and the solutions seem pretty cool. A number of questions come to mind though:
Getting into InfoSec
Over the last year or so, I’ve grown more interested in information security, both technical aspects like cryptography and pen testing, and more organizational issues, like governance, risk management and compliance.
This is obviously a huge field with lots of challenges, and one in which come constantly and quickly. I’m adding this category to my site as a place to muse over and share some of the things I read and learn along the way.