Blog

Musings of our thought leaders

Wisdom: Not AI’s Strongest Attribute

In my teaching as an Adjunct Professor, I have adapted my exams to require ChatGPT. I’ve always given essay-based exams, but I now have the students use ChatGPT as part of the exam. Typically, this takes the form of questions that the students...

Overview: Legal and ethical limitations of AI

Even though Artificial Intelligence (AI) is nothing new, it seems that its use is increasing by the day in various fields, such as healthcare, finance, law, and many more. The increasing role of AI across industries is making it more accessible and prevalent...

Cybersecurity: A Business Concern, Not Just IT's

As cybersecurity dynamics keep shifting, security concerns have been treated as mainly an IT department issue, simply because IT staff are the ones dealing with network responsibilities and contingencies, but the reality is that digital asset protection should be a business concern, one divided equally across departments...

From Morris Worm to Mirai: The Evolution of Cyberattacks

Morris Worm. November 2nd marked the 35th anniversary of the Morris Worm, developed by Cornell University graduate student Robert Tappan Morris. The Morris Worm launched on November 2, 1988, and caught the nascent internet (which had only existed in its current form since January 1, 1983) by surprise. It was...

An Intuitive Introduction to Classification and Adversarial Input

1. How to Trick a Human. Humans learn how to distinguish certain things about their environment through repeated analysis of information from their eyes, nose, ears, touch, and taste. From a young age, we learn what different inputs from these senses may indicate in terms of future events. The painful...

Ghidra Tutorial: CTF Challenge

This is the final article in the Ghidra Tutorial series. In this tutorial, we will make use of Ghidra to solve an actual CTF challenge. We will analyse the binary provided for the CTF challenge in Ghidra and then obtain the flag from it which we need to submit to...

Cybersecurity: Beyond Compliance and Checkboxes

Compliance is important for many reasons including legal, regulatory, and insurance-related requirements. Compliance can also be helpful in establishing certain baselines for securing an organization’s digital infrastructure. However, by its very standardized nature, compliance is almost always very general, very broad, and very static. True cybersecurity resilience requires specific, tailored,...

Ghidra Tutorial: Usage

This is a continuation of the Ghidra Tutorial series. In the previous article, we discussed what Ghidra is and what it is used for. We went over installing Ghidra, doing the initial setup and then using Ghidra to analyse a simple Hello World program that we wrote and compiled ourselves....

Understanding the basics: Artificial Intelligence in Plain English

Artificial Intelligence (AI), as defined by Stanford University, is a mechanism designed to emulate human intelligence through computer systems. It is not the humanoid robot one may initially consider, but rather a compilation of technologies that let the computer reason, sense, learn, and act. AI can be further subdivided into...

Ghidra Tutorial: Introduction

This is a tutorial to get you started with setting up Ghidra and then using it to analyze a simple binary. In later articles, we will go over analyzing programs with more complexity and even finding a vulnerability in a program using Ghidra. What is Ghidra? Ghidra is a reverse...

Cybersecurity: Is Security a Myth or a Reality?

What does it mean for something to be “secure” in cybersecurity? Presumably, it means that a system is protected from 100% of the bad things that can happen to it. Is 100% protection realistic? Is it even possible? Unfortunately, the only way to prevent 100% of the bad stuff is to...

NSA Codebreaker Challenge 2022 Task 9 Writeup

Task 9 - The End of the Road - (Cryptanalysis, Software Development) Points: 5000 Description: Unfortunately, looks like the ransomware site suffered some data loss, and doesn’t have the victim’s key to give back! I guess they weren’t planning on returning the victims’ files, even if they paid up. There’s...

NSA Codebreaker Challenge 2022 Task 8 Writeup

Task 8 - Raiding the Vault - (Reverse Engineering, [redacted]) Points: 2000 Description: You’re an administrator! Congratulations! It still doesn’t look like we’re able to find the key to recover the victim’s files, though. Time to look at how the site stores the keys used to encrypt victim’s files. You’ll...

NSA Codebreaker Challenge 2022 Task 7 Writeup

Task 7 - Privilege Escalation - (Web Hacking, [redacted]) Points: 300 Description: With access to the site, you can access most of the functionality. But there’s still that admin area that’s locked off. Generate a new token value which will allow you to access the ransomware site as an administrator....

NSA Codebreaker Challenge 2022 Task 6 Writeup

Task 6 - Gaining Access - (Web Hacking, [redacted]) Points: 150 Description: We’ve found the login page on the ransomware site, but we don’t know anyone’s username or password. Luckily, the file you recovered from the attacker’s computer looks like it could be helpful. Generate a new token value which...

NSA Codebreaker Challenge 2022 Task 5 Writeup

Task 5 - Core Dumped - (Reverse Engineering, Cryptography) Points: 500 Description: The FBI knew who that was, and got a warrant to seize their laptop. It looks like they had an encrypted file, which may be of use to your investigation. We believe that the attacker may have been...

NSA Codebreaker Challenge 2022 Task B2 Writeup

Task B2 - Getting Deeper - (Web Hacking, [redacted]) Points: 100 Description: It looks like the backend site you discovered has some security features to prevent you from snooping. They must have hidden the login page away somewhere hard to guess. Analyze the backend site, and find the URL to...

NSA Codebreaker Challenge 2022 Task B1 Writeup

Task B1 - Information Gathering - (Reverse Engineering, Web Analysis) Points: 10 Description: The attacker left a file with a ransom demand, which points to a site where they’re demanding payment to release the victim’s files. We suspect that the attacker may not have been acting entirely on their own....

NSA Codebreaker Challenge 2022 Task A2 Writeup

Task A2 - Identifying the attacker - (Computer Forensics, Packet Analysis) Points: 40 Description: Using the timestamp and IP address information from the VPN log, the FBI was able to identify a virtual server that the attacker used for staging their attack. They were able to obtain a warrant to...

NSA Codebreaker Challenge 2022 Task A1 Writeup

Task A1 - Initial access - (Log analysis) Points: 10 Description: We believe that the attacker may have gained access to the victim’s network by phishing a legitimate user’s credentials and connecting over the company’s VPN. The FBI has obtained a copy of the company’s VPN server log for the...

COVID-19, Contact Tracing, and Privacy

June 10, 2020 - The last few weeks have seen caution and uncertainty as areas around the globe move to lift coronavirus-related lockdown restrictions. Restrictions have varied between regions, and reopening measures are carefully crafted to include safety measures meant to reduce the risk of infection. For example, many grocery...

CISA Releases Top 10 Routinely Exploited Vulnerabilities

May 15, 2020 - CISA, the FBI, and the broader US Government released guidance along with their findings from a study into exploits seen in the wild. At Crimson Vista, we were interested to see that the most exploited technology is still vulnerable from an 8-year-old CVE. Although...

CoronaVirus: Cyber Hygiene when You're Working From Home

February 28, 2020 - We hope this post finds everyone safe and healthy. As is the case for many of you, our plans for the next few months have shifted. Although we are bummed to not be teaching workshops at upcoming conferences as planned, we are ready to focus extra...

Dr. Nielson to Speak at EDW

February 28, 2020 - From March 22-27, 2020, over 1,000 data professionals will gather in San Diego, CA for one of the most comprehensive conferences on Data Management in the world. Crimson Vista’s founder and Chief Scientist, Dr. Seth Nielson, will be leading a workshop entitled “Securing Your Data Assets”...

The State of Space 2020: a Recap

February 12, 2020 - This week, the Space Foundation hosted their annual State of Space event. I haven’t attended previously, but was able to register for a seat thanks to the recommendation of a business connection that loves Space. The event was hosted at The National Press Club in Washington,...

Privacy Law and Data Breach Litigation

February 6, 2020 - Last week, George Mason’s Antonin Scalia Law School’s Center for Law and Economics hosted a panel on Capitol Hill called The Future of Data Breach Litigation. During the event, the panelists spoke about emerging trends such as GDPR in Europe and state privacy laws in the...

Join Ellie for a panel on healthcare privacy for Data Privacy Day tomorrow!

January 27, 2020 - Tomorrow is Data Privacy Day! There are lots of events and learning opportunities going on, and one platform hosting many free learning opportunities is BrightTalk.com. BrightTalk hosts webinars on various topics and is a great place to go to keep up with technology trends. For Data...

A Key Takeaway from Real World Crypto: Retire SHA1

January 22, 2020 - Earlier this month, the Real World Crypto(graphy) conference took place at Columbia University in New York City. The RWC conference is a collection of presentations where cryptography meets industry, so much of the content is tangible and attracts engineers as much as it does researchers. This...

Password Meters and Quick Tips

December 9 2019 - Last month, we received an email at our info@crimsonvista.com address offering to help us with our password strength. We get lots of emails, some spam, some not, but most require a little investigation before we decide to engage or not. Any guesses as to whether this...

Crimson Vista Company Move

UPDATED August 19, 2019. Please note this post has been updated to change the phone number. July 1 2019 - Crimson Vista, Inc., is pleased to announce that it has relocated from Baltimore, Maryland to Austin, Texas. Austin is already an energetic hub of technology and is still rapidly growing....

Crimson Vista's Seth Nielson to Speak at the Workshop on Defensive Deception and Trust in Autonomy

July 27 2018 - Crimson Vista, a Baltimore-based computer security consulting firm, announced today that the company’s founder and chief scientist, Seth James Nielson, will be speaking at the Workshop on Defensive Deception and Trust in Autonomy being held on August 13-14 in San Diego, CA. Dr. Nielson will be...

Crimson Vista's Caroline Dikibo to Speak at 2018 React Rally

July 25, 2018 - Crimson Vista, a security consulting company, announced today that Caroline Dikibo, associate scientist (in training), will be speaking at the 2018 React Rally. Caroline will present “React(ing) in a Crisis” at the conference, which takes place on August 16-17, 2018 at the Sheraton Salt Lake City Hotel...

Crimson Vista's Seth Nielson to Speak at 2018 Data Architecture Summit

July 20, 2018 - Crimson Vista, a high-tech consulting company, announced today that the company’s founder and chief scientist, Seth James Nielson, will be speaking at the 2018 Data Architecture Summit (DAS). Dr. Nielson will present “A Gentle Introduction to Blockchain” at the conference, which takes place on October 8-11,...

Bad Password? What's the Worst that Could Happen?

In two previous posts, I have been discussing the possibility that although true computer security may not be possible in the most general and widest cases, it could be significantly better with relatively simple solutions. In particular, I propose that we could see a massive reduction in computer vulnerabilities by correcting “The...

Securing the Future: More Simple Fixes

In a previous post, I discussed the possibility that, even though there are some seemingly insurmountable problems with computer security in contemporary systems, perhaps the overall state of computer security could be vastly improved by fixing certain simple problems. Maybe there’s no way to efficiently create software that has no...

Securing the Future: Does it start with passwords?

I worry about the future of Computer Security. One of the reasons I worry so much is that the deck always seems to be stacked. The bad guys have a much easier job: they have to find one bug and we have to find them all. They have to figure out...

Security Lessons from an Apartment Building

I really enjoy teaching the Network Security course at Johns Hopkins University. It’s a privilege to work with the students and to spend time thinking about the fundamental principles behind my profession. The best reward of all, though, is when former students send me an email about applying lessons from...

The Increasing Complexity of Computer Security Itself

It is well understood that there is generally an inverse relationship between system complexity and system security. That is, as system complexity increases, system security generally decreases. Complexity manifests itself in a variety of ways, and each introduces its own set of challenges and risks. Consider these three examples. First,...

The Social Security Administration and Security Theater

On August 1st, 2016, Brian Krebs posted an article on his blog about The Social Security Administration (SSA) and their new “two factor” authentication system. It’s definitely worth reading, but I’m going to summarize a few points: The SSA is requiring cell-phone based two-factor authentication on all existing accounts on...

Certificate Pinning: The Unseen Risks

Frédéric Bastiat is famous for his assertion about the difference between good and bad economists. One translation reads: Between a good and a bad economist this constitutes the whole difference - the one takes account of the visible effect; the other takes account both of the effects which are seen,...

BWAIN Damage: Complexity and Functionality Again

Apparently security researchers at Sophos have started using the term BWAIN, or “Bug With An Impressive Name,” to describe bugs that show up in the media with clever handles. For some reason, they believe that the security bugs named “Heartbleed”, “POODLE”, and “LOGJAM” represent a new publicity trend. Maybe they do,...

The Social Media Soup

Have you ever wondered how many social media accounts the average person has? As of early 2015, the answer was 5.5. It may be slightly more now, but 5.5 is probably close. Think about the inefficiency of this for a minute. The average person believes they need more than five...

Password Security for Average Users

Did you know that the average user has 19 passwords? The number is probably higher. The cited source is two years old, and the number of online services continues to grow. Moreover, most users have at least one or two devices with default passwords including their routers, entertainment devices, and so...

Security, Utility, and The Future of Computing

What will computing look like in 100 years? Of all the questions that perplex me, the one that concerns me the most is how much of our future computing resources must be wasted on matters of security. And yes, I mean wasted. Consider how much energy goes into not producing or...

Pay No Attention to the Security Behind the Curtain

Security Theater is almost universally connoted as a negative term. As used by Bruce Schneier, a premier security expert, Security Theater refers to measures taken that make people feel more secure without actually improving security. He describes, for example, many post-9/11 security measures enforced by the TSA and others in...

The Halting Problem and Formal Verification

Trying to create a secure computer system is a terrible headache. For both theoretical and practical reasons, the odds are rarely in favor of the good guys. As an example of an unhappy theoretical dilemma, it has been known since the 80’s, based on the well-known Halting Problem, that it is...

Computer Security and Zombies III

“The real problem is not whether machines think but whether men do.” The quotation above, from B. F. Skinner, is one of my favorites. Within this pithy line lies a universe of questions, debates, and perhaps even unexplored philosophies. For my part, I believe that it also gets to the core...

Computer Security and Zombies, Part II

In my previous blog post, I mused about the concept of a Philosophical Zombie (P-Zombie) in the world of Computer Security. A P-Zombie looks and acts human, but is behaving without intention or sentience. The behavior may be complex, but it lacks free-will. In the security space, where errors are...

Computer Security and Zombies

Sometimes I wish I would have studied Philosophy in college. Philosophers get to study, discuss, and debate cool things like free will, intention, and Zombies. Wait… What? The so-called Philosophical Zombie (P-Zombie) is a hypothetical construct used in certain thought experiments. The basic concept is that the P-Zombie can look and behave...

Could Compromised Become the New Normal

Predicting the future of technology is notoriously difficult. But that doesn’t stop us. No matter how many times our soothsayers are wrong, I predict that we will be reading a good number of “Top 10 [fill in the blank] to expect in 2017.” Predicting prediction is a pretty safe bet....

Over-specialization and Security

Author’s Note: This post goes into more technical “guts” than I usually prefer. For those readers less familiar with computer programming, please skim the first half. Hopefully the punchline at the end will still make sense. I love programming languages. I’ve been studying them for over a decade, and...

Introducing Crimson Vista

It is with no small sense of pleasure that I introduce Crimson Vista Inc., a consulting firm with specialties in computer security, computer networking, and programming languages. Although Crimson has been operational for over a month, we’ve been too busy with clients and projects to get the website up and running....
