Joe Basirico

When we started this newsletter and blog our goal was to give you the best security insights out there without a hint of sales or marketing spin. No BS, just good information to help you be successful. We want to deliver this newsletter to people who really want to read it, I couldn’t be happier that you’ve joined us and continue to participate.

ReThink Mini-Articles

Reducing vulnerability classes to near zero through secure defaults and good choices.

“If you could wave a magic wand and do anything to reduce vulnerabilities, what would you do?”

The second side of the successful phishing attack is the software and technology side. There are many techniques that companies can employ to make it easier for their users to identify fraudulent emails and there are some great security features that can be developed in your application and website to help protect users from the damaging effects if they do mistake a phishing email for a real one.

Some common answers are things like training and education, forcing penetration testing, better tools, and smarter users, but none of these things really strike at the core of the issue. Where is the vulnerability garden? Where are those vulnerabilities planted? Can we make that soil hostile to vulnerabilities and rich for good coding practices?

In this article I want to walk you through some of the issues that were recently publicized. I’ll break them into categories to understand the mistakes made and the subsequent decisions that were necessary. There has been a bit of a pile-on with security professionals each taking their turn to tell Zoom how they could have done better. Some of the issues that were uncovered are truly concerning, while others are natural tradeoffs between security and usability. In some cases, Zoom was actually following best practices (like reusing components), but got bitten anyway.

Building Inspectors are bureaucrats. They tell us how to safely build and remodel while mitigating unforeseen threats that may never come.

But who has saved more lives and property?

It’s difficult to determine how many disasters have been averted by building codes or by the recommendations and requirements from building inspectors, but I suspect a lot more disasters are averted through their careful building plans, processes, and procedures than by firefighters responding to a fire.

Warning: the following action should be performed by trained professionals only. Do not attempt this at home.

One of the great benefits of large scale network connected computers is that it allows likeminded people to build communities in order to share ideas, techniques, tools, and software. These capabilities have been a powerful instrument in effecting political and social change. In the same way, though, it can be used to help illegal or problematic groups to organize. Once connected, members can undertake some of society’s worst activities, including buying and selling stolen data, illicit goods, and coordinating illegal real-world activities such as human trafficking.

Me being me, this got me thinking about some of the things that I could’ve done to mitigate the injury before it happened. It struck me that the threat modeling I was doing for my own physical safety, is analogous to a lot of the recommendations and guidance that I give companies for software security. In my case, my recommendations to myself boil down to the importance of focus while performing monotonous tasks, and the necessity for defense in depth.

Something is going to go wrong. It’s not a matter of if, it’s when. When that bad thing goes wrong everything hinges on how you detect and respond to it.

As consultants so much of our job is focused on reducing risk for our clients, but that’s all we can do. We reduce the risk, we can’t take it all away. That means that no matter what we do, or what our clients do, there will always be some risk. On a long enough timescale there is guaranteed to be a breach, data loss, a denial of service, or some other security incident.

Imagine receiving an email with your username and password as the subject line. Inside the email there is a PDF that has been encrypted with a password provided in the body of the email. What do you do? Whoever sent the email has already proven they know who you are, and you probably want to know what else they have and what they’re asking for, right?

Security takes commitment, but it’s not as simple as all or nothing. Knowing how much to commit for your level of risk tolerance is critical. The first thing you need to do when improving your security program is set honest goals about what you want to achieve.

Ideal security investment means, do what is necessary and nothing more. Every dollar you spend to secure something that isn’t going to be attacked is a dollar that isn’t used to lead the market, build new features, or sell and market your solutions.

Because it was there.

If news headlines, global trends, and tech reports tell us anything about cyber security in Industrial Control and SCADA systems in the past few years, it’s that we are currently in cyber cold war, and a full on cyber war could follow in short order. Read on to see how I’ve come to this conclusion and how the controls currently protecting us are not durable beyond the short term.

I love the perfectly white surface, as well as the beveled etching of the Apple and MasterCard logos. Even the chip connector is remade to be symmetric and balanced. 

It is gorgeous. It is a failure of engineering.

Apple struggles with form over function with almost every product it releases. The company’s obsession with shiny, reflective, and thin objects leads to scratches, glare, and bendy iPhones. Granted, the products are also marvels of engineering. The camera in my iPhone has all but replaced my DSLR, my Apple Watch hasn’t left my wrist in years, and I have yet to find a pair of wireless headphones that compare to the AirPods. 

Ransomware (like Cryptowall, Wannacry or Petya) is a type of malware that works by encrypting each personal document it finds and then deleting the original. It sends the key to its home servers and destroys the original local copy of the key. This leaves the victim with a bootable computer and a hard drive full of inaccessible files. A “ransom note” is left on the computer requesting bitcoin to be sent to an anonymous address. As nefarious as this seems, the customer service department of ransomware operations is quite good - I’ve talked to many people who paid the ransom and then were able to restore their file. The ransomware business model, ironically, supports better customer service than your local cable or internet provider.

Each year I speak at, or attend, a handful of security conferences. These range from the massive RSA Conference, where you can find hundreds of security vendors spending hundreds of thousand of dollars to hawk their latest security appliances, to small locally run, open source conferences that are run by engineers for engineers.

Against all these odds we put the responsibility of account security squarely on the shoulders of our users. We give them tools that will make them more secure, but are difficult to use like Multi-Factor Authentication and Password Managers. But then we layer on the complexity with each new technology. For example, is is SIM card cloning as easy, or as bad as some security professionals may have you believe?

The problematic component of this means that we could end up with a two tier privacy model whereby an individual can maintain the privacy of their data and self only if they are able to pay for it. This means privacy is only accessible to well-off or well-educated individuals who have the means to control their data. This is problematic, to be sure, but it’s a step in the right direction and better than a world in which no-one has a choice about being tracked at all.

As we kickoff this new newsletter and website I find myself asking the same question. Where to begin.

When I work with our clients my first questions we gravitate toward is to understand their goals. Goals for their Application Security Program, goals for this specific project, goals to understand what “secure” looks like for them, or goals for what software development looks like in the longer term.