SiliconANGLE: ‘Zero trust’ was supposed to revolutionize cybersecurity. Here’s why that hasn’t happened yet.

Despite more than a decade of talk, the seminal concept in cybersecurity of zero trust — the assumption that no user or device on a computer network can be trusted — hasn’t been implemented nearly as widely as one might expect from all of the attention.

The problems include numerous practical and perceptual obstacles, coupled with a complex collection of products that need careful coordination to deliver on its promises. The upshot: Zero trust won’t be a silver bullet for ever-growing cybersecurity woes anytime soon. Read my report for SiliconANGLE here to learn more.

Scott Helme and Probely join forces on SecurityHeaders.com

SecurityHeaders.com, a well-known free security tool, has joined the portfolio of services that Probely offers. The company sells a full range of web application and API vulnerability scanning products. That news story hides the history and importance of the union and of its principal, Scott Helme. I had an opportunity to talk to him directly and find out what led to the change.

For those of you who aren’t familiar with Security Headers, it is a free website that tests any site you name for weaknesses in how it implements various HTTP response headers and web security policies. Helme launched the site in 2015 after an experience testing his own home broadband router, where he found a flaw that could result in a compromised network. “I was just a guy with a hobby doing security research,” he told me recently. That led to a series of other well-publicized hacks, such as the one on the onboard computers of Nissan Leaf cars that he investigated with Troy Hunt. He also did some live hacks of audience members’ equipment on TV.

Since its launch, the site has performed 250M website scans.

Helme has worked with Probely since the company became a sponsor two years ago. “By joining forces with Probely, I’m incredibly happy that Security Headers will remain stable and viable for years to come!” said Helme. The union was designed to make the site more sustainable and to give it more resources, since until now it has relied solely on his own labor.

Helme’s goal with Security Headers was to make information security more comprehensible and actionable for the average person. That is why the site, and other tools that he offers, are all free and open. That will continue under the new regime at Probely. “I’ve put so much thought into it, working with these people, what they do, how they do it, and how they align with what I do,” he said. “We have a lot in common.”

So I decided to try it out for myself, and I was quite surprised. I have had a website for almost 30 years, and while I knew about the Security Headers site, I had never actually run a scan. Here are my results:

Pretty miserable, right? I basically failed every one of Helme’s six tests. But I was in good (or bad) company: about half of those 250M scans also resulted in an “F” grade.

So I have a lot of work to do. The results page doesn’t just show the failures; it also links to content from Helme explaining what these headers and policies do and what I need to change to get a better grade and improve my site’s security. For example, the page links to guidance on hardening my response headers, defining a proper content security policy, and enabling HTTP strict transport security. The content is based on the numerous talks that Helme has given (and will continue to give) over the years, and it is written clearly, with copious code examples.
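To see what a scan like that actually checks, here is an added example, written for this post and not code from securityheaders.com, Probely or Helme: a short Python script that parses a raw HTTP response and audits it for the six headers the scanner reports on (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy). The pass/fail rules, the six-month HSTS threshold and the letter-grade scale are this script's own simplifications rather than the site's scoring, and the three sample responses are constructed, not captured from any real server.

```python
"""Audit an HTTP response for the six headers Security Headers reports on.

Added example for this post, not code from securityheaders.com or Probely.
The six header names are the ones the scanner grades; the pass/fail rules,
the HSTS threshold and the letter-grade mapping below are this script's own
simplifications, not the site's scoring. The sample responses are constructed.
"""
import re

MIN_HSTS_MAX_AGE = 15552000  # six months in seconds; an assumed threshold


def parse_response(raw: str) -> dict[str, str]:
    """Return a lowercase-keyed header map from a raw HTTP/1.1 response.

    Duplicate headers are joined with ", " as RFC 9110 allows.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _hsts_ok(value: str) -> bool:
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) >= MIN_HSTS_MAX_AGE


def _csp_ok(value: str) -> bool:
    """Reject policies whose effective script-src allows inline code, eval or any host."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives and "script-src" not in directives:
        return False
    # script-src falls back to default-src when absent, as the CSP spec says.
    script = directives.get("script-src", directives.get("default-src", []))
    unsafe = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
    return not (unsafe & set(script))


# Header name -> (predicate on the value, explanation used when it fails).
CHECKS = {
    "Strict-Transport-Security": (_hsts_ok, f"max-age missing or below {MIN_HSTS_MAX_AGE}"),
    "Content-Security-Policy": (_csp_ok, "no default-src/script-src, or script-src is too permissive"),
    "X-Frame-Options": (lambda v: v.upper() in {"DENY", "SAMEORIGIN"}, "must be DENY or SAMEORIGIN"),
    "X-Content-Type-Options": (lambda v: v.lower() == "nosniff", "must be nosniff"),
    "Referrer-Policy": (lambda v: v.lower() not in {"", "unsafe-url"}, "unsafe-url leaks full URLs cross-origin"),
    "Permissions-Policy": (lambda v: bool(v), "empty policy"),
}


def audit(headers: dict[str, str]) -> list[tuple[str, str]]:
    """Return (header, problem) pairs; an empty list means all six checks passed."""
    problems = []
    for name, (ok, why) in CHECKS.items():
        value = headers.get(name.lower())
        if value is None:
            problems.append((name, "missing"))
        elif not ok(value):
            problems.append((name, f"weak value {value!r}: {why}"))
    return problems


def grade(problems: list[tuple[str, str]]) -> str:
    """Map the number of failed checks to a letter; this scale is an assumption."""
    return "ABCDF"[min(len(problems), 4)]


# Constructed sample responses (not captured from any real site).
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=60\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=()\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "object-src 'none'; frame-ancestors 'none'; base-uri 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in [("bare", BARE_RESPONSE), ("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)]:
        problems = audit(parse_response(raw))
        print(f"{label}: grade {grade(problems)}")
        for header, problem in problems:
            print(f"  {header}: {problem}")
```

The bare response is what a stock web server sends when nobody has touched its header configuration, which is exactly the situation the scan exposes. The hardened sample doubles as a starting point for fixing it: each of its six lines is one header to add to the server configuration, and the CSP in it restricts scripts to the site's own origin, which is where a site that scored an F will usually need to start before loosening the policy for any third-party assets it genuinely needs.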

But here is my dirty not-so-secret: I have zero experience with setting up website header parameters. This is probably the reason why my site received a failing grade. After years — decades — of experience setting up various web servers, I have never touched the header configuration of any of them. Back in the early days of the web, these parameters didn’t exist, so I can cut myself a little slack. But really, I should have known better, after all the stuff I have written about infosec over the years. That is one of the reasons why I try to be as hands-on as I can, and now I have some work to do and things to learn.

That is the essence of what Helme and Probely are trying to do: teach us all how to run more secure sites.

(Note: this post is sponsored by Probely but is independent editorial content.)

SiliconANGLE: DNS is once again front and center for exploits and security policy

Two recent events are once again bringing the internet’s foundational Domain Name System into the news, and not in a good way.

The first event was a warning from the Cybersecurity and Infrastructure Security Agency, issued on Friday, about version 9 of the Berkeley Internet Name Domain, or BIND.

The second item was an open letter, also issued Friday, by Vint Cerf, Stephen Crocker, Carl Landwehr and several others, entitled “Concerns over DNS Blocking.”

More specifics can be found in my story for SiliconANGLE here.

SiliconANGLE: The top five cloud cybersecurity threats – and what to do about them

Cybersecurity threats continue to plague cloud infrastructures, and sadly these threats are still mostly the same ones as in years past.

But the persistence of these threats doesn’t mean that cloud security, taken as a whole, is any weaker than that of on-premises equipment. That debate, which seems to have spanned a decade or more, should be put to rest for good. Two things many information technology managers have learned are that data center technology doesn’t age well, and that it accumulates tremendous technical debt, the implied cost of the future rework required when problems need to be fixed or approaches become less useful over time.

In this special report for SiliconANGLE, I review the top five threats and what you can do to fix them.

The nasty world of malware keeps getting worse

A couple of posts that crossed my virtual desk this week show that the state of internet hacking continues to reach new depths. The first is from Microsoft Research; the second is from a little-known security outfit called VulnCheck.

The Microsoft report describes what it calls a multi-stage adversary-in-the-middle (AiTM) attack. Back in the day, we had man-in-the-middle and browser-in-the-middle exploits, which involved phishing a target and then tricking the person into giving up their account credentials. As credentials got stronger, for example with multi-factor authentication (MFA), the crooks got more sophisticated at prying the additional factors out of us by putting up fake websites.

The new attacks take things to a more complicated level; you need a diagram to follow the logic as a compromised email account is used to launch a new email campaign, which in turn launches several more campaigns against new organizations. All of them use what Microsoft calls indirect proxies, so that the attackers control the phishing pages you see, steal web session cookies, change MFA methods, and pull other tricks. One thing that makes this attack harder to spot is that, unlike a typical AiTM phishing attack, no web traffic actually flows between the target and the real website being impersonated. The complete details are at the above link.

The other post, from VulnCheck, describes research it published recently. The attackers impersonated security researchers by copying photos of real analysts and attaching them to fake names, social media accounts and GitHub projects, with each project claiming to hold a zero-day exploit as a lure. Try as they might, the VulnCheck folks would find and neutralize one fake GitHub account only to have it pop up again a few hours later. All of the claims were phony; the repositories instead contained malware that the attackers hoped their targets would download, compromising them further. All of the phonies had one thing in common: they all worked for the High Sierra Cyber Security company, which, as you might guess, doesn’t exist. But give them props for the effort involved in setting this up. If this sounds familiar, the same scenario was used during the Russian attempts on our 2016 election.

SiliconANGLE: News from Google and Amazon cloud announcements this week

I posted two stories on SiliconANGLE about the flood of news on new security services for Google Cloud and, likewise, for AWS. Both show that we are at a watershed: AWS is making architectural changes and adding new depth with its Cedar policy language, and Google is finally building some solid tools into its Chronicle platform, which has been available for four or so years now. Both are also turning to LLMs and generative AI to deliver threat intelligence.

Both vendors are also trying to consolidate their services with their channel partners, large and small.

SiliconANGLE: There’s a lot of enterprise-grade secure browsers out there, but are they ready for prime time?

The quick answer, in my piece for SiliconANGLE, is no, not quite yet. Certainly IT managers want to secure the entire collection of web browsers across an enterprise. This has been a sleeper product category for many years, but it is now heating up thanks to better management tools and an increasing awareness of threats such as phishing and email compromise.