Blogs - stuck-In-traffic


Surviving Denial of Service Attacks [MP4] [0:04:01] [2017/06/07]
How I spent my Valentines Day: Alcatraz Island. How one criminal gang spent their Valentines Day: 275 Gbps DDoS attack over 21 hours. Ouch! Here's what to do if it happens to you.


Reduce Data, Reduce Criminal Return [MP4] [0:03:38] [2017/06/07]
What's in it for the financially motivated criminal hackers? Money. Can we reduce the money, their reward, their return? Some thoughts on making our organizations less of a target.


How to tie Strategy to Tactics [MP4] [0:04:52] [2017/06/07]
So we did an analysis. Now it is time to report. Here's how to roll up findings into themes. And here's how to drill down from themes to specifics.


Role-based Authentication in Windows [MP4] [0:04:07] [2017/06/07]
Starting with AGUDLP (account, global, universal, domain local, permission) and then moving up to change management and change detection, let's look at Windows file share permissions.


Samba CVE-2017-7494 [MP4] [0:03:14] [2017/06/07]
The recent vulnerability in Samba (CIFS/SMB for Linux) and what it means for HD Moore's law and the Open Source "Many Eyeballs" rule.


Tips for Incrementing Programs [MP4] [0:03:49] [2017/06/07]
Never underestimate the power of incremental improvements over iterative practices. Do the thing. Do it repeatedly. Make small improvements. And use these tips to mold the security program around the…


Incident Response on a Budget [MP4] [0:04:47] [2017/06/07]
Spinning up a full IR program is time consuming and expensive. Here's how to build a minimum viable program, dedicating 10-15 days a year.


HIPAA and CIS Critical Security [MP4] [0:03:48] [2017/06/07]
The first and second CIS Critical Security Controls are knowing what hardware and software we're running. Here's a story about a firm that didn't and now isn't.


Detect, Prevent, Respond, Deceive [MP4] [0:04:26] [2017/06/07]
Hacker controls? Prevention and deception get all the buzz. Here's how and why to start with detection and work our way up.


Handbrake Malware [MP4] [0:03:03] [2017/06/07]
One of the mirrored download sites for Handbrake was compromised, and the update ended up distributing Proton malware. Here are a couple of tips on how to avoid falling for this kind of attack.


Creating Threat Flows [MP4] [0:04:02] [2017/05/21]
Communication must be clear. For example, don't say a couple minutes when it's four. Or don't say stuck in traffic when in a hotel room. Things like that. And use techniques to simplify…


Training for Culture Change [MP4] [0:04:01] [2017/05/19]
Let's re-envision the standard 40-hour classroom training. If we were to take the same material, leveraging what we know about human attention and memory, how could we deliver it to maximize the…


The Hacker Hero and The Killswitch [MP4] [0:04:58] [2017/05/19]
The flash ransom WannaCry crippled a quarter million computers. It could have been much worse. Some 20 million Windows XP computers are still in use. So why wasn't WannaCry worse? Here's the story, a…


Why we can't patch WannaCry [MP4] [0:04:34] [2017/05/16]
When the flash ransom hit on May 12, 2017, many said "just patch." But we have old equipment. "Just upgrade," they said. Sure. Maybe. But have you seen the IT that powers our…


WannaCry Ransomware Attacks [MP4] [0:05:22] [2017/05/16]
A quarter of a million computers were flash ransomed last Friday, May 12, 2017. It's the WannaCry malware (or WannaCrypt, or WanaCrypt0r, or Wanna Decryptor) and it's now so infamous it already has…


EvilGrade [MP4] [0:03:27] [2017/05/16]
Hijack the software update process to install malware? Well. That's plain evil.


Penetration Testing Attack Scenarios [MP4] [0:03:34] [2017/05/16]
Thoughts on FedRAMP and the requirements around testing specific attack scenarios.


Google Docs Phishing [MP4] [0:03:41] [2017/05/16]
Phishing for app tokens? Sure, why not. The recent Google Docs phishing campaign may be the harbinger of things to come.


Drone Hacking with DBPOWER U818A [MP4] [0:03:46] [2017/05/08]
Few things feel quite as cyberpunk as hacking drones and flying robots. So I was excited when a security warning was posted about the DBPOWER U818A WIFI drone. Turns out, this offers us a good lesson…


CyberSecurity Insurance Coverage [MP4] [0:03:24] [2017/05/07]
A few things to consider when selecting a CyberSecurity insurance policy.


Kali Linux 2017.1 Released [MP4] [0:04:32] [2017/05/04]
The new version of Kali is out, with a few new enhancements including AWS and Azure instances. This begs the question: are we securing our red team tools? Couple stories today about the red team being…


Hacking and Protecting DMZs [MP4] [0:05:07] [2017/05/04]
DMZs, demilitarized zones, screened subnets, bastion networks, whatever you call them. We have two firewalls, one Internet facing and the other internal facing. How do hackers bypass this secure setup?


Compromised Outsourced IT Providers [MP4] [0:03:58] [2017/05/04]
US-CERT released an alert on an ongoing attack with roots as far back as May 2016. With a command-and-control shared with Stone Panda and a backdoor malware called RedLeaves, the attack was on a…


SOC L1, L2 Engagement [MP4] [0:03:11] [2017/05/04]
Designing level 1 and level 2 positions for employee engagement in the security operations center.


Cloud Asset Inventory [MP4] [0:04:17] [2017/05/04]
Security begins with an inventory. Our organization uses a thousand cloud apps. Our CIO thinks we use fifty. So that's a thing.


Adding a Tool Always Finds Risk [MP4] [0:03:25] [2017/05/04]
Suppose we engage a vendor in a proof of concept. It's for anti-spam, perhaps, or for intrusion detection. We put it in-line with our existing solution. And, shock! It finds something risky. Always.…


Expense in Depth [MP4] [0:03:15] [2017/05/04]
Take two of everything. But still. The criminals break in. Why? Because defense in depth isn't geared towards the criminal's objectives and tactics.


Phishing with Delta Receipts [MP4] [0:03:43] [2017/05/04]
A case study in phishing, using fake emails from Delta, fake receipts in Word documents with Macros, PowerShell exploits, and keylogging money-stealing malware.


Using What's Available [MP4] [0:02:58] [2017/05/04]
Paintball without bullets is a lot like securing IT without products. There are things we can do to succeed.


Securing the Sphere of Influence [MP4] [0:04:49] [2017/04/20]
Securing the Sphere of Influence


Defining Logging Requirements [MP4] [0:03:44] [2017/04/20]
When and how to define security requirements for logging.


Use Case for Monitoring Email Access [MP4] [0:05:11] [2017/04/20]
The Columbia Sportswear security incident surprises hackers and hikers alike. Today, we'll talk through the attack path. Monitoring and alerting on non-owner mailbox access, the way to detect this…


Auditing Ephemeral Cloud Services [MP4] [0:03:42] [2017/04/12]
If a cloud service is spun up and pulled down before an annual audit, does it make a sound? Today, time of check and time of use in the age of ephemeral services.


Defining Web App Security [MP4] [0:03:23] [2017/04/12]
There are three ways to slice and dice and define security for web apps. Wait. I mean four. There are four ways. Maybe more. But let's start here.


602 Steps [MP4] [0:03:41] [2017/04/12]
The Appalachian Trail begins with an approach that includes six flights of stairs up the largest US waterfall east of the Mississippi. 602 steps. If you can't climb it, you're not ready for the Trail.…


Growth Hacking Hackers [MP4] [0:04:02] [2017/04/07]
The things we can learn from martial arts and dance lessons, for growing the next generation of hackers.


Digital Rights Management [MP4] [0:03:12] [2017/04/07]
The overlap of Digital Rights Management (DRM) and file-level encryption, explored.


Removing Security Controls [MP4] [0:03:53] [2017/04/07]
Are our security controls still valid? Do they still work for the current threats? And if not, why are we still maintaining them!?


Runbooks [MP4] [0:03:41] [2017/04/07]
Three reasons runbooks help senior people, junior people, and our overall security program.


Actionable Threat Intelligence [MP4] [0:02:51] [2017/04/07]
Intelligent threat intelligence for actionable actions. Or something.


Docs.com and Encryption [MP4] [0:03:53] [2017/04/07]
Microsoft Docs.com ends up leaking sensitive information: social security numbers, court documents, passwords in spreadsheets. One suggestion? File-level encryption.


Phishing and Outlook Rules [MP4] [0:04:17] [2017/04/07]
Criminals are using Outlook rules to create email box proxies, effectively gaining persistence and stealth. Here's how.


Unpatchables [MP4] [0:03:28] [2017/04/07]
Hard to patch software, hard to use patch management, and the use of Freecell as a detective control.


Security Tools Exploited [MP4] [0:04:29] [2017/04/07]
In the same time frame, password managers and anti-malware tools get exploited. New vulnerabilities lead to the old question: is it worth running security tools?


Fuzzing REST Web Services [MP4] [0:04:15] [2017/04/07]
Performing Web application security scans on REST APIs? It takes Swagger.


Proxied Access [MP4] [0:04:48] [2017/03/24]
Suppose I have a multi-tenant cloud application. Suppose you are one of my users. Suppose I need to log in as you for support. What are some ways I can set up security so you know I'm me?


Securing SOAP and REST [MP4] [0:05:58] [2017/03/24]
A quick run down of security options for SOAP and REST Web services and APIs.


Commodity versus Core [MP4] [0:04:06] [2017/03/22]
When it comes to IT security, what tasks are core versus what are commodity? It depends.


Phishing with Beef [MP4] [0:04:29] [2017/03/22]
How we steal credentials to Windows, Facebook, and LinkedIn using Beef, rules, and Pretty Theft.


Disaster Recovery, Disaster Security [MP4] [0:03:23] [2017/03/22]
What happens when BCP/DRP budgets mean limited security controls? Well. Nothing good.


White Rhino [MP4] [0:03:54] [2017/03/22]
A white rhino was poached from a Paris wildlife reserve. The reason shines a light on an oft overlooked aspect of risk management: criminal motivation.


Baking and Bolting [MP4] [0:03:53] [2017/03/22]
Pros and cons of baking in security and bolting on security.


Deep and Shallow [MP4] [0:04:12] [2017/03/22]
You're relying on "deep knowledge of all of your systems and their exposure"? You've already lost. Don't be Sisyphus.


Confide and Encrypt [MP4] [0:04:04] [2017/03/10]
IOActive found vulnerabilities in Confide's secure messaging. Here's what we can learn about how encryption gets broken, by looking at Confide.


Logging Considerations [MP4] [0:04:04] [2017/03/10]
Flow like the water. Log like the breeze.


Limiting SQL Injection [MP4] [0:04:15] [2017/03/09]
Limiting SQL Injection attacks using stored procedures and application database IDs.


Phishing Effectiveness [MP4] [0:04:30] [2017/03/09]
Measuring the effectiveness of phishing exercises. If people are our human intrusion detection system, where do we measure the effectiveness?


Secure Coding Guidelines [MP4] [0:04:18] [2017/03/04]
The how and the why of creating documented guidelines for secure code.


Forging Cookies [MP4] [0:04:06] [2017/03/04]
When leaked source code plus authentication flaws combine with cookie and user-agent forging, bad things happen. Like, billions of user accounts stolen.


Clouds Break [MP4] [0:03:58] [2017/03/04]
The outage at Amazon S3 illustrates the need for utility computing recovery and continuity strategies.


Software Ecosystem [MP4] [0:04:53] [2017/03/04]
The effects of vendor risk management and security by spreadsheet on the software development ecosystem.


SHA-1 Shattering Code Repos [MP4] [0:04:19] [2017/03/04]
Git and SVN both use SHA-1 for identifying submissions to source code repositories. But SHA-1 was shattered. So now what?


Put in a Ticket [MP4] [0:04:02] [2017/03/04]
Did I do the thing? "Sure." Did I put in a ticket demonstrating we did the thing? "Well..." Today, ways to automate and streamline ticket tracking for compliance.


Sha1 Breaks [MP4] [0:04:18] [2017/02/24]
MD5 was broken with a stack of PlayStations. SHA1 was broken with a cluster of Amazon EC2 instances. Doesn't seem as much fun, right? But either way, it's time to update our encryption settings.


Spreadsheet Airtraffic Control [MP4] [0:03:46] [2017/02/24]
A breach at Boeing was caused by a single emailed spreadsheet, exposing some 36 thousand employees to identity theft. Here are a few controls that could have prevented this scenario.


Bugging Word Documents [MP4] [0:03:19] [2017/02/22]
Assuming some employee does copy thousands of documents, how would you know? One way is to plant a document with a Web bug that alerts you when it's opened. Hello, roll-your-own honey token.


Lady Gaga, Ticketmaster, and CrowdSurge [MP4] [0:03:13] [2017/02/22]
A Ticketmaster executive reportedly left CrowdSurge with his network credentials and 85,000 documents. Reportedly. The executive then accessed CrowdSurge's computers for trade secrets. Reportedly. A…


Protecting Mobile Apps (Cars) [MP4] [0:05:10] [2017/02/22]
Whenever new news comes out, it's imperative to analyze the actual attack vector and, if it's applicable to our environment, threat model. This analysis is the first step in avoiding hype and FUD. For…


Threat is the new Risk [MP4] [0:03:57] [2017/02/22]
"Threat is the new Risk." Or, not. Back to basics in this morning's video.


File Server Resource Manager [MP4] [0:03:28] [2017/02/22]
The use of FSRM on Windows for File Screening Management, and what that means for attacks like ransomware.


Attacker Slowdowns [MP4] [0:03:04] [2017/02/14]
What the Jolly Roger Telephone Company and the LaBrea honeypot can teach us about designing security controls.


Protecting Public Access Computers [MP4] [0:03:24] [2017/02/10]
"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." It's an immutable law of security. The defensive trick is in the word is…


Cheating, aka, Testing Beyond Controls [MP4] [0:03:51] [2017/02/08]
Weakening one control in a penetration test so that we can evaluate the redundancy of controls along the attack path.


Baselining Configurations [MP4] [0:04:06] [2017/02/08]
Firewalls, routers, and switches. Oh my! Adding some automation to baselining.


Physical Security is a Thing [MP4] [0:02:06] [2017/02/05]
So, my computer was locked and my office was locked. Was.


Frequently asked Questions [MP4] [0:04:02] [2017/02/05]
A couple of questions and answers on how to build a security program and on what products to use. Spoiler alert: I don't recommend what products you should buy.


Out-of-Band Web Attacks [MP4] [0:04:21] [2017/02/05]
A brief overview of out-of-band attacks that target and compromise Web systems administrators.


Automating PCI DSS Checks [MP4] [0:03:54] [2017/02/05]
A good security program blends people and machines. And machines are faster than people, at least at auditing settings.


Certificate Management at Scale [MP4] [0:04:51] [2017/01/26]
"Why don't these companies update their certificates?" The young tech wizard asked. "It's just click, click, next." Well, there is just a bit more to it.


Hack Back Fail [MP4] [0:04:48] [2017/01/25]
Hacking back rarely goes well. Here's a historical anecdote from back in the day, when Recourse Mantrap and Manhunt were a thing.


The Human Animal [MP4] [0:03:44] [2017/01/25]
A good cyber security leader builds intuition within his team and organization by taming, rather than fighting, the human animal.


Procurement and SaaS on SaaS [MP4] [0:03:54] [2017/01/23]
Vendor risk management goes up in importance as more business units use Software-as-a-Service. But there's a problem. We're really slow at vendor risk management.


Social engineering family trees [MP4] [0:03:50] [2017/01/23]
Family ancestry websites, like www.FamilyTreenow.com, provide a wealth of social engineering information. Pair that with password reset questions and, as today's story will tell, things get a little…


YARA Rules [MP4] [0:02:57] [2017/01/23]
A quick introduction to malware hunting with YARA rules.


Security Flaws Reported to Customer Service [MP4] [0:04:14] [2017/01/23]
Two stories of researchers reporting security vulnerabilities and getting stuck in help desk hell. It begs the question: are we monitoring our customer service queue for vulns?


Hashing Fast and Fuzzy [MP4] [0:02:53] [2017/01/23]
MD5 hashing, due to the avalanche effect, is a really easy detective control to bypass. (Other algorithms exist, like ssdeep, that are a bit harder but not widely used.) So, then, why don't many…


Grizzly Steppe [MP4] [0:05:08] [2017/01/23]
An overview of the malicious activity taken against critical infrastructure in the US.


Business Continuity and Disaster Recovery [MP4] [0:03:48] [2017/01/23]
Business continuity is strategy. Disaster recovery is tactics. And it is snowing in Detroit.


Mentoring up the Team [MP4] [0:03:25] [2017/01/09]
Structuring work for junior and mid-level folks so that they can grow and develop as professionals.


Not-so-Cloudy Controls [MP4] [0:03:31] [2017/01/05]
A summary of AWS controls around security groups and the thinking behind redundant controls for state and activity.


Hyped Attacks [MP4] [0:04:45] [2017/01/05]
Sussing out the recent attack widely trumpeted by the media as Russians hacking the US power grid. Spoiler alert: it wasn't.


Security Questions [MP4] [0:02:57] [2016/12/25]
Building a password reset function? Skip the security questions. Implement 2FA with phones. Here's why.


Challenging Assumptions [MP4] [0:04:28] [2016/12/25]
The assumption that we're vulnerable is just as dangerous as the assumption that no one wants to hack us.


Rogue One and InfoSec, Part 2 [MP4] [0:05:18] [2016/12/25]
Episode 2: Defending the Empire. If Star Wars: A New Hope is a parable of incident management, as Kellman Meghu demonstrated, then Star Wars: Rogue One is a lesson in a security breach. But, hey, it…


Rogue One and InfoSec, Part 1 [MP4] [0:05:29] [2016/12/25]
If Star Wars: A New Hope is a parable of incident management, as Kellman Meghu demonstrated, then Star Wars: Rogue One is a lesson in a security breach. Here's what the Empire missed.


What could possibly go wrong? [MP4] [0:03:30] [2016/12/25]
A finding is just a finding. But a finding that enables a realistic threat? Now there's something to care about.


SQL Injection and WaitFor [MP4] [0:03:26] [2016/12/15]
An example in threat modeling and creating controls for a specific tactic attackers use to break into Websites.


Pyramid Schemes [MP4] [0:03:58] [2016/12/14]
New ransomware learns old tricks, exploiting trust.


Snow Day [MP4] [0:03:44] [2016/12/13]
Whether you're pushing a car out of a snow bank or stopping a security breach, there are two things to always keep in mind.


Steganography and Malware [MP4] [0:03:04] [2016/12/13]
Dissecting the Stegano malware that used ad networks and steganographic images to infect unpatched Internet Explorer browsers.


Distributed Brute Forcing [MP4] [0:03:04] [2016/12/13]
Guessing passwords and credit card numbers without being detected by spreading out the attempts.


User Agent Strings [MP4] [0:03:15] [2016/12/13]
Web attack tools have well-known user agent strings. And attackers don't always change them. Might be a good idea to monitor the logs for these strings.


Like Pulling Teeth [MP4] [0:03:05] [2016/12/13]
Preparing for a security audit by preparing for what comes after.


The Little Train that Couldn't [MP4] [0:04:03] [2016/12/13]
How did the San Francisco Metropolitan Transit Agency get held up for ransom? Same old story, just in time for 2017 predictions.


Composable Infrastructure [MP4] [0:05:05] [2016/12/13]
When we build something new, we should utilize new ways of protecting the new thing. Sadly, this isn't the case with "Composable Infrastructure."


Dependencies [MP4] [0:02:39] [2016/12/13]
If your control for ransomware is backups, what dependencies do your backups have?


Controls for Rogue SVGs [MP4] [0:04:25] [2016/12/13]
Creating an attack path for criminals distributing malware over Facebook with SVGs, and assigning controls along the path.


Roadmaps and Backlogs [MP4] [0:04:01] [2016/12/13]
After the security gap assessment, there's a backlog of items to fix and improve. These all go on the roadmap. However, we need to think of the roadmap as a flexible document that's updated as our…


Delivering Malware via SVG [MP4] [0:04:44] [2016/12/13]
Website whitelisting is a great control. But it means the attacker will move to Websites on the list, like Facebook. Add to that, using SVG images to deliver malware. Suddenly, we have a failure in…


Email Attachments [MP4] [0:04:22] [2016/11/23]
We've come a long way since the days of dial-up email, like Juno. Email is now equally a vector for communications and accidental disclosures. Here are some ways to add protections.


Resetting Passwords and Bypassing Encryption in Linux [MP4] [0:04:51] [2016/11/23]
Linux is broken. Everyone panic! Or, not. Two stories, two security principles, and a gentle reminder for risk management, in today's video.


Breaches that Aren't [MP4] [0:03:11] [2016/11/22]
Today, we look at the impact of things that didn't actually happen. Just because it was not a breach, doesn't mean there was not an impact.


Threshold Model of Collective Behavior [MP4] [0:04:05] [2016/11/22]
Applying the threshold model of collective behavior to security culture. It can be hard to get a large group of people to change. An easier starting point is to change the first couple people.


Product Graveyard [MP4] [0:04:02] [2016/11/22]
There are four phases in a project destined for the product graveyard. If we recognize this, the life we save just might be our own security product.


Enumerating Bad Guys [MP4] [0:04:20] [2016/11/22]
Know the bad guys: Dracula, the Mummy, the Invisible Man. Wait. Back up and start over. Script kiddies, insider threats, hacktivists, organized crime, and nation states.


Mirai Honeybot or MTPot [MP4] [0:04:28] [2016/11/22]
Sometimes honeypots are corporate ready. Other times, honeypots are just for fun. We'll talk through what's what and introduce MTPot, the honeypot for the Mirai botnet.


Ransomware, Past and Future [MP4] [0:04:44] [2016/11/22]
Predicting the future of ransomware by looking at its past. History and sociology are one way to evaluate our security controls.


Informed Decisions [MP4] [0:03:47] [2016/11/22]
Stephen Covey has the circles of concern and circles of influence. Daniel Kahneman has fast and slow thinking. And I have a headache from staying up too late watching the election results. Today,…


Assessing Cloud Apps [MP4] [0:04:51] [2016/11/22]
When most of our apps are in the cloud, we can't do penetration testing. I mean, we could. But it would violate the Software-as-a-Service terms of service at a minimum. We need to turn to vendor risk…


Detecting the Undetectable [MP4] [0:04:15] [2016/11/22]
At Black Hat Europe, researchers announced an undetectable rootkit for PLCs (Programmable Logic Controllers). You should read up on it. But this morning's thoughts aren't on that. They're on how to detect…


Open Redirects and DDoS [MP4] [0:04:17] [2016/11/22]
Today's denial of service attacks are multi-vector. And so while Mirai is getting all the attention, it's important to consider the plan Bs and plan Cs for DDoS. Take, for example, open redirects in…


Bypassing Outlook's Two-Factor Authentication [MP4] [0:04:13] [2016/11/04]
Microsoft Exchange and Outlook Web Access feature two-factor authentication. A password. A token. But turns out, the Web Services interface doesn't. And this means we can bypass 2FA. Here's the attack and…


Percentage of Revenue [MP4] [0:04:21] [2016/11/04]
Rand releases a study: Examining the costs and causes of cyber incidents. It estimates the impact of security incidents as a percentage of an organization's revenue. Some thoughts.


Tactics, Strategy, Culture [MP4] [0:04:24] [2016/11/04]
"Culture eats strategy for breakfast," Peter Drucker once opined. In this video, I said "lunch". We all know yogurt is what you eat for breakfast. Anyways, let's cover the line…


Insider Threat [MP4] [0:04:11] [2016/11/04]
The insider threat: employees who maliciously or accidentally open the organization up to security breaches. Here's how to communicate, detect, and prevent insider threat. It's all about being aware…


Bleeding Data [MP4] [0:01:56] [2016/11/04]
What happens when data bleeds out from databases? Sensitive data gets stored in clear text. Now toss in insecure backups. The result? Well, as the Red Cross can tell you, significant data breaches.


Step Up [MP4] [0:03:08] [2016/10/28]
No, not dancing. Today, we look at step up authentication design patterns.


Amnesty International Ranks Messaging Encryption [MP4] [0:02:23] [2016/10/28]
Amnesty International evaluated messaging from eleven companies. It's a good time to consider what products we use in our personal and professional lives. Also, the criteria used remind us that…


Evidence-based Decisions [MP4] [0:02:52] [2016/10/28]
Recapping lessons from Tactical Edge on prioritizing security efforts and spends.


DDoS, DNS, SaaS, BCP [MP4] [0:03:42] [2016/10/28]
Where were you during The Great Twitter Outage of 2016? A botnet of Internet-of-Things, likely based on Mirai, took down DNS services provided by Dyn. No Twitter. No Spotify. No GitHub. And where was…


Word Document Evasion Technique [MP4] [0:02:08] [2016/10/28]
Word Macros are a common way to embed malicious code into documents. The Nitol botnet uses these. Nitol also has new evasion techniques to avoid detection. The one thing Nitol doesn't have? Cool…


Open Source [MP4] [0:04:29] [2016/10/22]
The risks and benefits of using open source software in our enterprise environments.


Persistence in Group Policy [MP4] [0:04:23] [2016/10/19]
Persistence is a stage in an attack lifecycle. Once in, stay in. One way we're seeing persistence done is with Active Directory Group Policy. Here's how to do it, and how to detect it.


How Many Threat Models [MP4] [0:04:04] [2016/10/19]
How many threat models can our hunt team reasonably support? How many use cases can our operations team reasonably check for?


Preventing Breaches with Search Engines [MP4] [0:03:43] [2016/10/19]
A case study on Modern Business Solutions, today's multi-million-record breach. Personally identifiable information for subscribers was stolen from their MongoDB.


SAST and the Malicious Insider [MP4] [0:03:10] [2016/10/19]
Static application security testing (SAST) can ensure clean code. But that is not the same as ensuring secure applications. Here's a cautionary tale.


Virtual Currencies [MP4] [0:03:41] [2016/10/19]
Announcing Converge Detroit next April 13-14, 2017. BSides Detroit will be Saturday, April 15. So log off the video games, sign off of the virtual worlds, and come hang out. Oh, also, between now and…


IR Recovery Mistakes [MP4] [0:04:05] [2016/10/19]
An incident response lifecycle contains stages like preparation, identification, containment, eradication, and recovery. Don't make these common mistakes when recovering after a security incident.


Defending Manufacturing [MP4] [0:05:31] [2016/10/19]
Today, we cover an example attack on a manufacturing company and describe how to design security countermeasures.


Why They Roll Their Own Crypto [MP4] [0:03:14] [2016/10/19]
A quick summary of the talk, "How to Implement Crypto Poorly," by Sean Cassidy. What does it mean when developers roll their own solution, instead of following secure practices? And what…


What Makes a Mentor [MP4] [0:04:17] [2016/10/19]
What traits do we look for in mentors?


Behavior Change [MP4] [0:04:11] [2016/10/06]
Security awareness and culture shifts start by changing behaviors. Here's a simple model for doing just that.


Mirai Botnet Source Code [MP4] [0:03:35] [2016/10/06]
Source code for the Mirai botnet has been released. Mirai was behind the denial of service attack against KrebsOnSecurity, which blasted Krebs with 665 Gigabits per second from the Internet of Things.…


New Acquisitions [MP4] [0:03:42] [2016/10/04]
This weekend I noticed that we get more information from a pet shelter when adopting kittens than we get from an IT team when acquiring companies.


Standards and Policies [MP4] [0:03:53] [2016/10/01]
No one ever reads the documents. And reality never matches the standards. So how do you handle the delta? Here are four ways.


Whitebox Fuzzing and Project Springfield [MP4] [0:02:23] [2016/10/01]
Whitebox fuzzing combines the code review of whitebox static analysis with the brute forcing inputs of fuzzing. Microsoft just announced Project Springfield, which is a service providing whitebox…


Application Whitelisting [MP4] [0:04:02] [2016/10/01]
Two approaches to whitelisting, on two sides of the spectrum.


What i-Dressup Tells us about Response [MP4] [0:03:35] [2016/10/01]
When i-Dressup is breached and passwords, clear text passwords, get siphoned off through SQL injection, people notice. Ars Technica notices. Troy Hunt notices. And Ars and Troy try to contact…


Escorting Vendors during Remote Support [MP4] [0:03:42] [2016/10/01]
We have some equipment that needs vendor support. We're definitely not going to fly someone out for support every time. So, that means remote. But how do we handle concerns over giving a third party…


Making Mistakes [MP4] [0:04:03] [2016/09/23]
A correction video, with a shout out to Stephen Harris for catching two of my mistakes, and a broader thought on the importance of quickly identifying and correcting mistakes. DomainKeys Identified…


When Documentation Attacks [MP4] [0:04:00] [2016/09/23]
Leaking sensitive information in documentation happens to just about everyone. For today's video, let's use Microsoft's MSDN and the GPO AES private key leak (MS14-025). One slip in documentation and…


Educating the Educators [MP4] [0:03:15] [2016/09/22]
When my daughter's teachers ask her to tweet that she goes to their high school, it occurs to me, we need to educate the educators on privacy and security matters.


Sender Policy Framework (SPF) [MP4] [0:03:09] [2016/09/21]
Where to deploy SPF with email, how to bypass SPF when phishing, and why we still need security culture.


Patch! But don't rely on patches. [MP4] [0:03:01] [2016/09/18]
Microsoft releases a patch that stops AdGholas's primary vulnerability. It only took two years. It only affected 5 million people. A day, 5 million a day. And this tells us a lot about the need for…


DevOps Velocity, take-aways from #HPEProtect [MP4] [0:03:56] [2016/09/16]
Velocity isn't about how hard you hold down the throttle, but how fast you run the laps. It's about results, quality results. In DevOps, this takes three things. In racing, it takes someone other than…


Organized Crime, Take-aways from #HPEProtect [MP4] [0:03:59] [2016/09/16]
Some say typical attacks are 20% low level hacktivists and such, 70% mid-level crimes, and 10% advanced nation state. Is that number right for our organization? And what do trends in crime mean for…


AWS is a go for PCI DSS [MP4] [0:02:28] [2016/09/16]
Amazon Web Services announced its adoption of and compliance with the PCI Data Security Standard, PCI DSS 3.2. A cardholder environment in the cloud? Sure. Now you can have one.


Call Trees [MP4] [0:03:30] [2016/09/16]
Troubleshooting and improving call trees for IT operations, incident response, and disaster recovery.


Prioritizing Security Vulnerabilities [MP4] [0:04:08] [2016/09/16]
Do decision makers have an apathy problem? Or do we have a context and communication problem? Here's my thought, using a vulnerable Web server as an example.


Shared Private Keys Aren't Private [MP4] [0:03:21] [2016/09/09]
The idea behind public/private key encryption is the private key is kept private and belongs to only one device. It's meant to be a unique identifier. But what happens when people image multiple…


Competitive Slacking [MP4] [0:03:59] [2016/09/09]
Many troubles teams face, from firefighting to technical debt, are symptoms of the lack of slack time. It's all about making time to think long term. In this video, fresh from vacation, I cover why…


Honeypots [MP4] [0:04:17] [2016/09/02]
What separates a good honey pot from a bad honey pot?


Encrypted Content, Unencrypted Logs [MP4] [0:04:06] [2016/09/02]
OneLogin's security breach revealed their Secure Notes were unencrypted in OneLogin's logs. Here are some things to think about when using similar products, and when building encryption and logging…


Mr Robot FSociety Ransomware [MP4] [0:03:34] [2016/09/02]
Media like television and movies inspire a certain set of criminals. Take, for example, the ransomware variant based on EDA2 and sporting the FSociety logo.


Buying Time with RASP [MP4] [0:03:57] [2016/09/02]
Using Realtime Application Security Protection, or RASP, in conjunction with Web Application Firewalls for virtual patching until developers can fix the problem.


Stop Young Domains [MP4] [0:04:01] [2016/09/02]
They say never trust anyone over thirty. I said never trust any domain name younger than thirty. Well, thirty days, anyways. Here's why.


Opsec, Bro [MP4] [0:03:17] [2016/09/02]
Being careful with what we post online, and what our employees post online. Also, guidance on security awareness training.


BCP Exercises [MP4] [0:04:12] [2016/08/24]
What are the attributes of great business continuity exercises?


Security Automation with IFTTT [MP4] [0:03:56] [2016/08/24]
Automating security tasks using If This Then That (IFTTT) along with Python or Bash scripts.


Load Balancing for Denial of Service [MP4] [0:03:40] [2016/08/24]
Stopping distributed denial of service attacks with load balancers; it's more than simply stacking on more Web servers.


Communities [MP4] [0:02:24] [2016/08/24]
IT security communities: join one, or build one. Don't go it alone.


Cyphertext Attacks, Key Rotation, and Apple iMessage [MP4] [0:02:36] [2016/08/24]
Research out of Johns Hopkins University on Apple iMessage gives us some lessons on implementing encryption systems.


Using a Capabilities Matrix [MP4] [0:04:33] [2016/08/24]
We all get those emails. "Have you looked at product x?" And we all have had to explain why the Gizmo 9000 isn't what our team needs right now. We already have the capabilities. Or perhaps,…


Security Reasonableness Test [MP4] [0:03:31] [2016/08/24]
Researchers are exfiltrating data by hard drive music (like, https://m.youtube.com/channel/UCHsrkH...). We must stop this James Bond level threat! Or, well, must we?


Vendor Risk Management [MP4] [0:03:59] [2016/08/24]
So cloud IT is a bit like a rental car, at least, that's to say we're reliant upon others for safety and security.


Edge's PDF Vulnerability [MP4] [0:03:11] [2016/08/24]
Microsoft Edge is falling for the old malformed PDF trick. And that has me wondering, why do we keep making the same security mistakes in product after product?


Centrally Managing Obligations [MP4] [0:04:03] [2016/08/24]
Legal requirements. Industry standards. Contractual obligations. Best practices. Tracked separately, it's a mess. Tracked centrally, it's manageable. Here's how.


Business continuity planning [MP4] [0:02:45] [2016/08/24]
Fresh off a Delta flight, while the airline scrambles to recover from a power outage, a reminder to test your controls.


Three Common PCI Misunderstandings [MP4] [0:04:19] [2016/08/06]
Here are three common misunderstandings teams make when self-assessing their payment systems for PCI DSS.


Criminals Picking on the Little Guy [MP4] [0:04:02] [2016/08/06]
The National Restaurant Association put out guidance on PCI and the Council's Small Merchant Task Force. Turns out, small businesses are prime targets for thieves targeting payment data.


Router and Firewall Controls [MP4] [0:03:24] [2016/08/06]
If a disgruntled network administrator can take down Citibank, imagine what one could do in our networks.


Handling Security Concerns Right [MP4] [0:03:55] [2016/08/06]
Glow, a women's health app, has personal and sensitive information at a different level of personal and sensitive. When Glow discovered a security vulnerability that could expose women's information,…


Ghostbusters and Toolmaking [MP4] [0:03:21] [2016/07/29]
I caught the new Ghostbusters movie. It made me realize I need a Jillian Holtzmann on my team. And perhaps we all do. When it's us and our tools against the world, toolmakers are invaluable.


Considerations for Securing Application [MP4] [0:03:14] [2016/07/29]
Three considerations for introducing and integrating security with application development: audience (internal or customers); platforms and tooling; development lifecycle and workflows.


Check your Privilege [MP4] [0:03:21] [2016/07/29]
Least privilege is still a privilege. Here are two ways criminals can escalate permissions in Windows 10. The bottom line: monitor domain admins closely, but don't ignore domain users.


TSA Master Keys and Key Escrow [MP4] [0:01:53] [2016/07/29]
The eighth and final TSA master key has been copied and released as a 3D printable. It's what is on my mind as I sit on this airplane. And it is a good time to remind folks to check their key escrow…


Intellectual Property and Bread [MP4] [0:03:03] [2016/07/24]
Panera is suing Papa John's and Panera's former vice president of IT architecture. The charge is the VP made off with IP on a USB. Good time to ask, would we catch an employee stealing our…


Identifying Malicious Activities during Mergers [MP4] [0:03:11] [2016/07/24]
So your firm is going through a merger. Are you prepared to connect their potentially compromised network to yours? And what if your network is the one that's infected?


Mobile Threats, Controls, and Management [MP4] [0:06:39] [2016/07/24]
Dave Schwartzberg gives an update on mobile security. How real are threats from phones and tablets? What works for BYOD management?


Enforced Encryption in AWS S3 [MP4] [0:03:12] [2016/07/24]
AWS (Amazon Web Services) S3 (Simple Storage Service) supports AES (Advanced Encryption Standard) and other TLAs. This gives us a great example of setting up controls to ensure controls are set.…


Honey Credentials [MP4] [0:04:01] [2016/07/24]
An overview of Responder and HoneyCreds, as demonstrated by Ben0xA in his Converge Detroit keynote.


Hak4Kidz parked at BSidesDetroit[MP4] [0:05:28] [2016/07/17]
Dave Schwartzberg hops in the car with me to describe getting kids involved with hacking, robotics, and coding. He's running Hak4Kidz at conferences across the globe, including BSidesDetroit.


DevOps Change Rates and Risk [MP4] [0:03:36] [2016/07/17]
Yesterday at Converge, Joel Cardella presented "Welcome to The World of Yesterday, Tomorrow!" The topic was what we can learn from the Challenger disaster. Here's my take on flight rate and…


Decrypting for Data Loss Prevention [MP4] [0:04:00] [2016/07/17]
Edgy. Our security environments are edgy. And at that edge, we need to see what's coming and going. And that's where encryption is both good and bad for security.


Medium's Vulnerability and Collaboration [MP4] [0:03:58] [2016/07/13]
If you're developing collaboration software, watch your approval workflow. And if you're running Medium, patch your software.


The Shard Utility [MP4] [0:03:36] [2016/07/13]
Using shard to detect shared passwords, and how it might be used in an employee security awareness program. More here: https://github.com/philwantsfish/shard


Beating Ransomware in 8 steps [MP4] [0:05:18] [2016/07/08]
Today, balloon tower defense-in-depth style, we cover the attack path for ransomware. Eight controls are detailed, each one with a varying degree of effectiveness, that can keep your organization from…


Stolen Phone, Broken Crypto [MP4] [0:03:49] [2016/07/07]
Tennessee says we no longer get a pass on stolen encrypted devices. And Android phones with Qualcomm ARM processors have a new attack vector for stealing encryption keys and brute forcing…


Leveraging in-flight Projects [MP4] [0:04:21] [2016/07/05]
98 tasks for security on the wall. 98 security tasks. Instead of taking one down and passing it around, how about finding a better way? Say, by bundling it with active and planned projects?


Why Model and Detect Late Stage Attacks [MP4] [0:04:21] [2016/06/30]
Think of an attack path (or kill chain) as one of those kids' toys where you rotate animals. Heads, bodies, tails. Intrusions, compromises, exfiltrations. Which part is easiest to detect and why?


Drive Encryption, Secure Wipes, and Awareness [MP4] [0:03:39] [2016/06/30]
A new study finds 78% of used computers have personal and corporate data from their previous owners. Time to check your endpoint data controls. Time, too, to share the story with your employees so…


Cowboys and Quick Draw Changes [MP4] [0:03:15] [2016/06/30]
Nobody likes an IT cowboy. Nobody. Then again, everybody needs a hero sometime. Somebody quick on the trigger. Somebody who knows what's what. So I ask, who's your cowboy?


Remote Access [MP4] [0:03:49] [2016/06/30]
Recent attacks on GoToMyPC and TeamViewer shine a spotlight on remote access risks. If someone were compromised by these, would we know? And what subsequent controls would protect our sensitive data?


Social Engineering with HTML Apps [MP4] [0:03:58] [2016/06/28]
The new version of the Social Engineering Toolkit (SET) can deliver malicious payloads with Windows HTML Application (HTA) files. Let's talk defense.


Vulnerable Configurations [MP4] [0:03:27] [2016/06/26]
154 million voter records were recently exposed. The records included names, addresses, Facebook profiles, gun ownership, and so on. And this highlights the need to check configurations as part of…


The IKEA Effect [MP4] [0:03:09] [2016/06/26]
Involve people in the creation of security procedures and controls to trigger the IKEA Effect and get buy-in.


FICO Security Score [MP4] [0:03:33] [2016/06/26]
You know your FICO credit score? Yeah. Now apply that to cyber security. That's what QuadMetrics has developed for FICO. It's coming to a cyber insurance policy near you. Is your organization ready?


Dedicated Security Teams [MP4] [0:03:06] [2016/06/18]
Rebecca Marquis tweeted out that she was doing housework while listening to these videos. And that made me think. IT security is a lot like cleaning. For example, it works better with a dedicated team…


Getting Ahead of Password Reuse [MP4] [0:03:42] [2016/06/16]
Everybody's passwords have been stolen. Now criminals are reusing passwords on other sites. Github responds. LinkedIn responds. Could we?


BadBlock Ransomware [MP4] [0:04:02] [2016/06/16]
I miss the good old days, when ransomware was left to the professionals and only encrypted data files. Not like BadBlock and this newer round of malware. Those were simpler times.


Blame the Victim [MP4] [0:04:17] [2016/06/15]
Someone called the help desk with a phish? Laugh at them for falling for it. Some firm got breached? Post it to Facebook and enjoy the schadenfreude. That's often how the IT security community and…


Stopping Work that looks like Work [MP4] [0:04:30] [2016/06/14]
When work looks like work, work gets done. Good news for the IT security team. But what if the work is criminal? Today, a story from 0ddJ0bb on how fraudsters used the principle to steal bitcoin.


The Unencrypted Millions [MP4] [0:02:26] [2016/06/11]
Rapid7 scans the Internet and finds millions of unencrypted services. Telnet, databases, printers, and file shares. Welcome to the 1990s Internet, today.


Redundancy Encryption [MP4] [0:03:05] [2016/06/11]
We encrypted the Web traffic. And then decrypted it across the firewalls. We encrypted the files. And then decrypted them to load databases. We encrypted the disks. Wait. But we decrypted on boot. And…


Ransomware Bypassing EMET [MP4] [0:03:58] [2016/06/08]
A new version of Angler, used for ransomware, is taking advantage of Flash and Silverlight to bypass EMET's memory protection. So should we abandon EMET altogether or what?


DRM, IRM, DLP, ETC [MP4] [0:04:02] [2016/06/08]
Setting up rights management and loss prevention for secure file exchange. Hardening the circadian rhythms of our organizations.


Prioritizing Controls [MP4] [0:03:56] [2016/06/03]
Thoughts on the "Penetration Tests and Red Team Exercises", the "Application Software Security", and the "Email and Web Browser Protections" controls in the CIS Critical…


Policies [MP4] [0:03:57] [2016/06/03]
The human readable / machine enforceable theory for IT security policies.


Seasonal Security Reviews [MP4] [0:03:48] [2016/06/03]
To everything, a season. To every security control, an amount of time. To every security architecture, a set lifespan. Assessing and planning for these cycles, today while stuck in traffic.


Brute Forcing Gestures [MP4] [0:04:09] [2016/05/30]
Gesture authentication, the "Robotic Robbery in the Touch Screen" paper, and the cool hand gesture lady. Nothing is safe.


Security as a Product [MP4] [0:04:02] [2016/05/30]
Lessons from the TSA we can avoid. Lessons from the cloud aaS we can adopt. And an idea for how to make security a product consumers want.


Local File Inclusion [MP4] [0:04:21] [2016/05/25]
Quick primer on Local File Inclusion (LFI) vulnerabilities in Web apps.


Career Jumps and the Red Baron [MP4] [0:04:39] [2016/05/25]
A hundred years ago, the Red Baron ruled the skies. A few years before that, however, he was a simple cavalryman. So what lessons can we learn about going from the help desk to the SOC from a guy who…


Image Tragic [MP4] [0:04:39] [2016/05/20]
ImageMagick is vulnerable. Don't just patch. This is an opportunity to evaluate all the controls on the attack path. Done right, we will have 0-day protection.


Safe Cracking and Time Based Security [MP4] [0:04:14] [2016/05/20]
At a keynote, I pulled out a safe cracker and demonstrated brute forcing. Safes are excellent metaphors for security controls. Take, for example, the TL rating for a given intensity of an attack and a…


OK Cupid and the Broken Heart [MP4] [0:02:56] [2016/05/17]
What can we learn from OK Cupid being scraped and its users' information being released? Well, for one, we can make sure our Web sites do not get scraped.


Assessing Processes with Third Parties [MP4] [0:03:37] [2016/05/14]
There are our business processes. There are our workflows. And then there are third party apps, facilities, and cloud hosting. So how do you do a risk and controls assessment?


Save a Life or Stop a Virus [MP4] [0:03:20] [2016/05/12]
One time, during heart surgery, the Merge Hemo app locked up. Why? Because of an anti-virus scan. It's an example of what happens when we focus solely on securing technology.


Swiss Cheese Model [MP4] [0:03:54] [2016/05/11]
Applying the "Swiss Cheese Model" to after action reports to beat the odds with incident response.


Defensible Architectures [MP4] [0:04:29] [2016/05/11]
A four step process for creating a defensible security architecture.


Responding to PowerShell [MP4] [0:04:23] [2016/05/11]
Red Team tools exist for PowerShell. Older ones, like PoshSec and PowerSploit, and newer ones like PowerShell Empire. Meantime, criminals weaponized PowerShell scripts with malware like PowerSniff and…


Locky and Having a fighting chance [MP4] [0:04:13] [2016/05/06]
Someone infiltrated the Locky network and disabled the ransomware. We've seen this happen before. Turns out, the criminals make as many mistakes as we do. And this means we have a fighting chance.


Encrypting Data Interchanges [MP4] [0:04:02] [2016/05/06]
If data is the life blood of the organization, then data exchange is the steady heartbeat. Data in, data out (beat). Data in, data out (beat). And encryption protects that flow.


Tightening the Feedback Loop [MP4] [0:04:46] [2016/05/04]
PDCA, Plan-Do-Check-Act, is all fine and good. The trouble is delayed feedback. So here are some ways to get implementation and assessment teams closer to tighten the feedback loop.


Don't Play with CMS [MP4] [0:03:43] [2016/05/04]
Content management systems are an oft-used system for criminals. A toy manufacturer provides a recent example, as their unpatched Joomla system was hijacked to distribute ransomware with Angler.


Clearing Phishes [MP4] [0:04:01] [2016/05/03]
After last week's video on phishing response metrics, a question came in. How does IT respond and clean up phishing emails?


Metrics on Results [MP4] [0:03:52] [2016/05/01]
If the end result is the response to an attack, why don't more metrics measure the response? Take phishing. We need to track the time it takes for IT to investigate and blackhole a phish. That's what…


Repurposing Equipment for Disaster Recovery [MP4] [0:03:25] [2016/05/01]
Flexibility gives the defense an advantage. Reusable and repurposable systems, particularly for disaster recovery, are a good place to begin building that flexibility. Also, seriously, twelve people…


Minimum Viable Frameworks [MP4] [0:03:55] [2016/05/01]
Start small. Start somewhere. Start iterating and improving. From frameworks like ISO 27001 to maturity models like BSIMM, we can make a minimum version which reduces risk with a reasonable amount of…


Presidential Candidate Apps [MP4] [0:03:37] [2016/05/01]
A million downloads can't be wrong. Except, of course, when the mobile apps access excessive amounts of personal data. Oh, and, except when the data is transmitted in clear text. Leave it to the…


Stopping Rogue WiFi [MP4] [0:04:03] [2016/04/25]
Rogue wireless access points, those WiFi networks that our organization didn't authorize, are another path for criminals and malicious insiders. We can block rogue WiFi two ways: at the signal and on…


Bypassing AppLocker [MP4] [0:04:29] [2016/04/24]
Each IT security control is a balancing act between several factors. Ease of use, difficulty of abuse, performance, and others all play a part. To demonstrate this, let's look at Windows built-in…


New Firewalls [MP4] [0:05:54] [2016/04/22]
Shiny new red blinking boxes. It's just what we always wanted. Excellent. Next question: how do we phase in these new firewalls?


Hijacking DNS [MP4] [0:03:44] [2016/04/20]
Phishing and other social engineering tactics used to hijack DNS.


Criminal Practices [MP4] [0:03:28] [2016/04/20]
The criminals adopt PTES, holiday pay, org charts, call escalations, and other corporate best practices. It's us against them, practices against practices, in an arms race to protect our…


Unintended Consequences of Defaults [MP4] [0:04:10] [2016/04/18]
Years ago, an IP address company made a decision on the default. This has led to years of attribution to Kansas. A small farmhouse in Kansas, to be exact. This is their story.


URL Shorteners [MP4] [0:03:17] [2016/04/16]
Researchers from Cornell found Google's Map URLs contain all sorts of personal data. Microsoft's shortened URLs do, too. The short answer: take care to secure simple services.


Preserving Formats, Preserving Performance [MP4] [0:05:55] [2016/04/15]
Application and database decisions that impact performance when using data and database encryption. It's easy. (It's not easy.)


Disk Encryption [MP4] [0:04:00] [2016/04/14]
So, what's the best way to do enterprise disk encryption? Software like BitLocker or PKware? Hardware from Dell, EMC, or whomever? A combination using HP Atalla? Well. It depends.


Managing the News Cycle [MP4] [0:03:35] [2016/04/13]
Responding to the news cycle by tying hype back to our IT security program. Take, for example, BadLock. Are we prepared?


Package Managers [MP4] [0:05:09] [2016/04/12]
Inserting wormable malware in packages in general and, specifically, Sam Saccone's warnings about the Node.js Package Manager (npm).


Assessments to Remediation [MP4] [0:03:48] [2016/04/09]
The CISO's journey for assessments: no testing; testing but no remediation; testing with remediation projects; lots of testing and lots of projects; centralized remediation program for all findings.…


Pesky People and their USB Drives [MP4] [0:03:32] [2016/04/07]
University of Illinois researchers drop some 297 USB drives on campus. 48% of the drives get opened and browsed. The scare is that these could have been malicious drives with malware. So, what should…


Minimalism in Incident Response [MP4] [0:04:49] [2016/04/07]
We can do months long cyber war games. We can do weeks of incident response exercises. Or, hey, we can do a couple days. Today, we talk about how to choose which is right, and how to know it's time to…


Something Borrowed [MP4] [0:05:22] [2016/04/05]
BYOD? Meh. Shadow IT? Pfft. Family and friends borrowing tech that accesses our corporate systems? Wait. Now that is scary.


KeRanger Ransomware [MP4] [0:05:25] [2016/04/05]
Four things that make KeRanger unique: targeted a Mac, embedded in a signed app, delayed attack execution, and code for disrupting Time Capsule backups.


Apps and Secrets [MP4] [0:04:55] [2016/04/05]
Encrypting the password for decrypting the secret key that's unencrypting the API. Keeping secrets in applications is hard, especially in Android apps.


The Easy, The Hard [MP4] [0:04:31] [2016/04/05]
The tug-of-war between point solutions and holistic approaches, between quick wins and sustainable programs, between tactical and strategic. In other words, a brief recap of the easy and of the hard.


Blocking IP Scans [MP4] [0:05:20] [2016/04/05]
There is the area we are concerned about protecting. There is the area criminals profit from compromising. The action lies at the center of the Venn. A good defense raises the criminal's costs and/or…


FIRST Principles [MP4] [0:04:40] [2016/04/05]
Take-aways from a weekend watching the FIRST Robotics Competition, and what security teams can learn from the 4-H MooBotics (@FRC5926) rookies. Coordination and collaboration trump technology.