Cyber Mixology

I have had an account with the same bank for a really long time. Perhaps the time has come to switch to a new bank. After all in 2016 my bank still doesn’t offer two factor authentication, EMV cards, and several other modern features that I see…

Recently, Mark Stanislav gave a talk on holistic authentication security for companies who have implemented two-factor authentication. He developed a scoring system, MASSACRE, which quantifies the presence of several different security features on a web site; cookie flags, response headers, etc.. This inspired me to see if I could…

HTTP offers several headers that can help protect website visitors. OWASP has a great description of them here. Based on that I’d like to quickly share a few configuration changes I make to Apache web servers. In the httpd.conf I add the following directives to the document…

We recently had trouble replacing an older CAS server with a new system. The new server would not forward to the requested service after authenticating and the service could not verify the service ticket. We decided to use HAProxy with CAS for the front-end so we could…

With POODLE being in the news recently, I decided it would be a good idea to look at my overall SSL configuration while closing the door to this issue. What better way to do that than by arbitrarily assigning a letter grade to my servers with the…

Digital storage of electronic protected health information is a treacherous path for a small company to walk. The health insurance portability and accountability act enforces a number of requirements on the security controls required for the storage of such sensitive data. Unfortunately, the language used in not…