john_kindervag

Author Insights

Blog

If Dr. Seuss Could Comment Upon IoT, This Is What He Might Say…

john_kindervag April 8, 2014
Things Run Amok by John Kindervag (To be read in the style of Dr. Seuss) We live in a world all interconnected But how in the world will it get all protected? Some bad boys and girls will try to infect it Making the internet all broken-neck-ed   When Timmy B-Lee created the net He […]
Blog

InfoSec, Structural Engineering, And The Security Architecture Playbook

john_kindervag November 21, 2012
Last year the country of Japan suffered a devastating disaster of unspeakable proportions. A massive earthquake on the eastern coast of the country triggered a deadly tsunami that caused the flooding of the Fukushima nuclear power plant. Three dominos fell at once, resulting in a significant and tragic loss of life and property. I visited […]
Blog

How To Survive And Thrive At #SXSW If You’re Not From Texas

john_kindervag March 9, 2012
I’ll be in Austin, TX this weekend to participate in South-by-Southwest Interactive. My panel “Big Data Smackdown on Cybersecurity” will be held Sunday, March 11 from 12:30PM – 1:30PM at the Austin Hilton Downtown. Hope to see you there. Now, I wasn’t born in Texas, but I got here as soon as I could. I’ve […]
Blog

Lies, Damn Lies, Security Metrics, And Baseball

john_kindervag March 6, 2012
The legendary British Prime Minister Benjamin Disraeli is said to have noted that “There are lies, damn lies, and statistics.” Much of the technology world is focused on statistics and metrics. You’ve often heard it said, “If I can’t measure it, it doesn’t exist.” Known as the McNamara fallacy — named after the business tycoon […]
Blog

WikiLeaks And Stratfor Make The Case For More Data Encryption

john_kindervag February 28, 2012
Yesterday, WikiLeaks released emails taken in the highly-publicized Stratfor data breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator; others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies […]
Blog

Your Vertical Is . . .

john_kindervag May 9, 2011
Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed […]
Blog

RSA’s Acquisition Of NetWitness Validates Forrester’s NAV Concept

john_kindervag April 4, 2011
Today EMC’s security division RSA announced the acquisition of NAV (Network Analysis and Visibility) vendor NetWitness. Some pundits have suggested that this is a direct result of the recent breach of RSA, but Forrester has been aware that this acquisition was in the works long before the breach was known. In fact, the public announcement of the acquisition was […]
Blog

Go Long On Glue Manufacturers

john_kindervag August 25, 2010
FLASH TRAFFIC: This just in! The Washington Post is reporting a new wrinkle in cyberwarfare. In the article Defense official discloses cyberattack, the Post reports that “malicious code placed on the [flash] drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command.” Perhaps SkyNet has become self-aware, as […]
Blog

Preview Of PCI DSS 1.3 – Oops 2.0 – Released

john_kindervag August 13, 2010
The PCI Security Standards Council released the summary of changes for the new version of PCI — 2.0.  Merchants, you can quit holding your breath as this document is a yawner — as we’ve long suspected it would be.  In fact, to call it 2.0 is a real stretch as it seems to be filled — as promised […]
Blog

Dialoging About Tokenization And Transaction Encryption

john_kindervag April 22, 2010
Last week I published two research reports on the hottest topic in PCI: Tokenization and Transaction Encryption. Part 1 was an introduction into the topic and Part 2 provided some action items for companies to consider during their evolution of these technologies. Respected security blogger, Martin McKeay, commented on Part 1. Serendipitously, Martin was also in Dallas (where […]
Blog

Stop the Madness! Payment Apps are on the iPad too soon.

john_kindervag April 7, 2010
Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built-in? Has the Pin Entry Device been rigorously tested and meet all the PIN […]
Blog

Don’t Sign Here Please

john_kindervag February 10, 2010
Visa just announced the expansion of their No Signature program. Citing its "popularity", Visa notes that: "According to a Visa Inc. survey, 69 percent of participants surveyed cited either convenience or speed as the primary reason for using their credit or debit card."  Wow. What this seems to signal is that Visa, and perhaps the […]
Blog

Trends in Mobile Payments Are Frightening

john_kindervag February 8, 2010
Question: Do I really want someone with an iPhone taking my credit card info? Enormous buzz lately about all of the new players trying to turn iPhones and other mobile devices into credit card swipe terminals. Very scary. Just because someone can create a website does not mean they understand payments. So many questions: Does the solution […]
Blog

Online Shopping Sites May Be Sharing Your Credit Card Data

john_kindervag February 5, 2010
The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving someone other than the […]
Blog

MiFi Pwned!

john_kindervag February 3, 2010
Wireless hacking Guru, Josh Wright,has just announced that he has created havoc with a MiFi personal access point.MiFi is a little device that turns 3G wireless signals into WiFi.  The cool thing is that the wireless signal can be shared with other nearby computers.  According to Josh, he has found a way that, "An attacker […]
Blog

Is 3-D Secure Insecure?

john_kindervag February 1, 2010
Security Researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, known as "Verified by Visa" and "MasterCard SecureCode." This could be a […]
Blog

Virtual Network Segmentation for PCI?

john_kindervag January 29, 2010
Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce PCI compliance. They may use ARP or VLANs to control access to various network segments.  These type of controls work at Layer 2 and the hacker community is well versed at using tools such as Ettercap or […]
Blog

More Prognostications for 2010

john_kindervag December 24, 2009
Several of my Forrester colleagues have already weighed in with their insightful 2010 predictions. I recently chatted with Shamus McGillicuddy at TechTarget where I shared my thoughts on the upcoming year. You can read the article here.   2010 is going to be an interesting year with economic concerns impacting the security business. I suspect that businesses […]
Blog

Hacking the In-Human Drone

john_kindervag December 17, 2009
A while back, I blogged on how researchers have developed tools to intercept streaming video from video conferencing systems and IP surveillance cameras. Today I feel so prescient with the Wall Street Journal's article on how Iraqi insurgents are using similar software to intercept the video feed of Predator Drones. The article has the catchy […]
Blog

Hacking the Human Network

john_kindervag December 7, 2009
A couple of network televisions shows have lately caught my eye.  Now I’m not a television critic but there were things in these shows that have security implications that warrant some attention.  These episodes came just as I had finished some hacking training and provide an opportunity to share some interesting new tools and attack […]
More posts