And PHP Upgrade Breaks Things (2021-04-18)
I use PHP + WordPress for a security blog; yes, there is irony here. I mostly do this because I'm too lazy to use other mechanisms, and this maintenance also helps me to learn about technologies so that I can help others. And now it's time to update PHP because, you know, security issues. And of course…

Installing ExFAT on QNAP (2020-03-28)
I'm still going strong with my QNAP TS-653A NAS drive to hold my photos, Time Machines, iTunes, and more. But in the three years since I wrote my last set of directions for installing ExFAT on QNAP, things have changed. QNAP's firmware is at version 4.4.1, and older versions of the Ubuntu FUSE binaries no longer…

Version 1.1 of Image Location and Privacy Scanner (2020-02-25)
After a bit of insomnia, I released the Image Location and Privacy Scanner version 1.1, my passive HTTP scanning plug-in for PortSwigger Burp Pro and OWASP ZAP. It contains a few minor updates, speed-ups, and new hidden location tag detection compared to the previous version. More importantly, it has better documentation, which might lead…

Useful HTTP Security Headers (2020-02-18)
In a previous blog post, I wrote about a whole bunch of HTTP headers that compromise your security and how to disable them all on many different types of servers. This time, I discuss "good" headers and give instructions for enabling them. I also delve into "possibly good" headers, including when you might need them and…

HTTP Headers: Good, Bad, & Ugly (2020-02-18)
Welcome to the Veggiespam's Secure HTTP Headers page, where I provide my whitepapers showing how to secure the headers on your website. The content here is updated as technology, standards, and best practices change over time.

RSA and Re:Invent Conferences (2019-02-23)
I spoke at AWS Re:Invent in November for two sessions, and I'll also be presenting at RSA in 10 days.

Swinging the Compliance Hammer at Obsolete Crypto (2018-11-12)
Abstract: Many applications still utilize older cryptographic technologies, even though security professionals warned that these are obsolete and unsafe to use. Some implementations can easily be upgraded to current encryption and contain a graceful fall-back for situations where it's required, such as when a remote party only supports legacy technologies (e.g., TLS downgraded connections). Other…

Updated AWS S3 Bucket Auto-Encryptor Released (2018-11-04)
A vastly updated version of my AWS S3 Bucket Auto-Encryptor has been released! Zocdoc's ZocSec.SecurityAsCode initiative focuses on delivering security by automating detection and remediation of security issues across an AWS environment. With our Security as Code techniques, you can greatly reduce the time from detection to resolution and minimize impact to the business. ZocSec is…

Linked In Got Hacked! (2018-09-19)
Somewhere in my spam folder today, I noticed this pathetic email, containing my old and no longer valid Linked-In password: "I am aware {$Linked-In-Password$} one of your pass word. Lets get directly to the point. You do not know me and you are most likely wondering why you're getting this mail? No one has compensated…"

Image Location & Privacy Scanner, Official Release, v1.0 (2018-02-20)
It's Here, Version 1.0. The official v1.0 release of the Image Location & Privacy Scanner has arrived! This security tool plugin for the Burp or OWASP ZAP security proxy tools will scan images for privacy exposure, including GPS locations, camera serial numbers, even facial recognition tags. See my presentation about this software at this link. Version…