Articles tagged with "Hackers"
Credit: Joe Basirico (cc attribution)
Every Application Fails in Unique but Predictable Ways: A Study in Zoom
Zoom is an interesting case study in the various ways that software can fail. The Zoom team has had to learn a lot of lessons quickly, including the pitfalls of reusing components, figuring out how to make security engineering improvements to their SDLC and DevOps processes, and the need for a CISO leadership team. In this article I want to walk you through some of the issues that were recently publicized. I’ll break them into categories to understand the mistakes made and the subsequent decisions that were necessary. There has been a bit of a pile-on with security professionals each taking their turn to tell Zoom how they could have done better. Some of the issues that were uncovered are truly concerning, while others are natural tradeoffs between security and usability. In some cases, Zoom was actually following best practices (like reusing components), but got bitten anyway.
Read more >>
Credit: Smithsonian American Art Museum and its Renwick Gallery
Exploring the Darkweb
The best way to understand attacker tools, data breaches, and the underground marketplaces is to go to the source and learn what we can. Join me on a tour of the Darkweb. Warning: the following action should be performed by trained professionals only. Do not attempt this at home. One of the great benefits of large scale network connected computers is that it allows likeminded people to build communities in order to share ideas, techniques, tools, and software. These capabilities have been a powerful instrument in effecting political and social change. In the same way, though, it can be used to help illegal or problematic groups to organize. Once connected, members can undertake some of society’s worst activities, including buying and selling stolen data, illicit goods, and coordinating illegal real-world activities such as human trafficking.
Read more >>
Defending Against a Potential for Iranian Cyber Response
I recently had the opportunity to sit in on a conference call with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and got a chance to hear how they’re thinking about protecting against cyber threats after escalating tensions between the US and Iran. I’d like to summarize what I heard and reference a few useful supporting cybersecurity guidelines. On the call CISA made it clear that although they’ve prepared a National Cyber Awareness System Alert and a CISA Insights document specific to the increased geopolitical tensions and threats, they have yet not seen an increase in attacks from Iran.
Read more >>
A Hacker’s Manifesto and 2TB Data Breach From Cayman National Bank and Trust
On Saturday a transparency collective named “Distributed Denial of Secrets” tweeted that they have released a massive data set from a recent breach. Over 2 terabytes of data has been released and is hosted by DDoS and on Torrents. In addition to the data that was released the hacker published a manifesto and hacking guide called “HackBack - A DIY Guide to rob banks" alongside the data dump. The hacker, who goes by Phineas Fisher, originally wrote the HackBack guide in Spanish, however, this morning I found a translated copy. Unfortunately it’s been removed from PasteBin as of this writing, but the Spanish version is still available on DDoS’s site.
Read more >>
Deconstructing a Sexploitation Attack
Imagine receiving an email with your username and password as the subject line. Inside the email there is a PDF that has been encrypted with a password provided in the body of the email. What do you do? Whoever sent the email has already proven they know who you are, and you probably want to know what else they have and what they’re asking for, right?The Next Wave of Cyber Attack
Read more >>
You Are Spending Too Much on Security
… or not enough, but you certainly don’t have it right. Security takes commitment, but it’s not as simple as all or nothing. Knowing how much to commit for your level of risk tolerance is critical. The first thing you need to do when improving your security program is set honest goals about what you want to achieve. Ideal security investment means, do what is necessary and nothing more. Every dollar you spend to secure something that isn’t going to be attacked is a dollar that isn’t used to lead the market, build new features, or sell and market your solutions.
Read more >>
Security Takes Commitment
In my last post , I talked about the fact that none of us knows how to solve the problem of cybersecurity. It’s a tautology, so it shouldn’t be surprising. If we knew how to solve the problem, the problem would be solved. Therefore we don’t know how to solve the problem. But it is surprising, and so it feels like a ‘hard truth’ rather than ‘the truth’. When confronted with a long-standing problem (like cybersecurity), it is typical to assume that if we had more will, more resources, more intelligence, or perhaps more of all of the above, we could solve the problem. We don’t stop to think about the fact that if what we are doing isn’t working, doing more of that same thing probably isn’t going to change the situation. It can be tough to admit when we don’t know what we are doing.
Read more >>
None of Us Knows What We Are Doing
I want to let you in on a little secret. Nobody in the security profession, especially those of us in the software security profession, truly knows what we are doing. You’d never know it talking to security vendors. If you attend a security conference you can walk the booths and talk to hundreds of security professionals selling solutions that cost tens or hundreds of thousands of dollars, each promising that they will solve your security problems with their technology platform, their professional services, and most importantly with their new deep learning, AI algorithms.
Read more >>