SiliconANGLE: Will passkeys finally come to pass? A progress report

We’re finally inching closer to curing our addiction to passwords.

This week the FIDO Alliance put together an online event and posted a series of white papers to try to help businesses that want to move forward with passkeys — digital credentials that don’t require usernames and passwords — to host their first 12-step programs for ridding themselves of the scourge that results in huge holes in cloud cybersecurity protection.

“Passkeys are a superior password replacement,” said Tom Sheffield, senior director of cybersecurity for Target Corp. “And you shouldn’t wait to implement them in your business.” Read more of my analysis for SiliconANGLE here.

 

SiliconANGLE: Polymorphic malware and the rise of new ‘moving target’ defensive security

An old security technology that has gotten little attention is finally ready for a new closeup.

It goes by the name polymorphic code — or alternatively, automated moving target defense or AMTD — and it has been around for nearly a decade. It came into its own around 2017 when it was popularized by both malware writers and defenders.

And once again, security professionals are playing another cat-and-mouse game, but this time the stakes are a lot higher thanks to better tools on both sides.

On the malware side, the term describes code that can adapt to conditions and change its behavior to try to avoid detection. It cuts across a wide swath of computing circumstances, including the ability to attack runtime memory, file systems, credentials, virtual machines, workloads, containers and network connections.

You can learn more about this technology and both its uses for good and evil in this post for SiliconANGLE.

Red Cross profile: How Jason Ramlow links service members in times of emergency

When members of our armed services are on active duty, they are by definition almost always away from home. What happens when there is an emergency, either with them or their family members? That is where the American Red Cross comes into play with the Emergency communications program, under the umbrella of the Hero Care Network. The person responsible for providing management oversight of this service, in partnership with two casework volunteer leads, in the Missouri Arkansas region is Jason Ramlow, who is a Service to the Armed Forces and International Services Regional Program Manager. He has been working for ARC for close to 23 years. “The program is for family emergency communications, such as a serious illness or family death or birth.”

You can read more in my profile of Jason here.

SiliconANGLE: ‘Zero trust’ was supposed to revolutionize cybersecurity. Here’s why that hasn’t happened yet.

Despite more than a decade of talk, the seminal concept in cybersecurity of zero trust — the assumption that no user or device on a computer network can be trusted — hasn’t been implemented nearly as widely as one might expect from all of the attention.

The problems include numerous practical and perceptual obstacles, coupled with a complex collection of products that need careful coordination to deliver on its promises. The upshot: Zero trust won’t be a silver bullet for ever-growing cybersecurity woes anytime soon. Read my report for SiliconANGLE here to learn more.

Scott Helme and Probely join forces on SecurityHeaders.com

A well-known security tool, SecurityHeaders.com, is now part of many services that Probely offers. The company has a full range of web application and API vulnerability scanning solutions. That news story hides the history and importance of the union and its principal, Scott Helme. I had an opportunity to talk to him directly and find out what led to the change.

For those of you that aren’t familiar with Security Headers, it is a free website that can test your own site for weaknesses in various HTTP protocol and web policy implementations. Helme launched the site in 2015 after an experience testing his own home broadband router that could result in a compromised network. “I was just a guy with a hobby doing security research,” he told me recently. That led to a series of well-publicized other hacks, such as on the computers onboard the Nissan Leaf cars that he investigated with Troy Hunt. He also did some live hacks on TV of audience members’ equipment.

Since it was launched, the site has done 250M website scans.

Helme has worked with Probely since the company became a sponsor two years ago. “By joining forces with Probely, I’m incredibly happy that Security Headers will remain stable and viable for years to come!” said Helme. The union was designed for the site to be more sustainable and to leverage more resources, since until now it has been solely his own labors.

Helme’s goal with Security Headers was to make information security more comprehensible and actionable for the average person. That is why the site, and other tools that he offers, are all free and open. That will continue under the new regime at Probely. “I’ve put so much thought into it, working with these people, what they do, how they do it, and how they align with what I do,” he said. “We have a lot in common.”

So I decided to try it out for myself, and I was quite surprised. I have had a website for almost 30 years, and while I knew about the Security Headers site, I never actually did a scan. Here are my results:

Pretty miserable, right? I basically failed every one of Helme’s six tests. But I was in good (or bad) company: about half of those 250M scans also resulted in an “F” grade.

So — I have a lot of work to do. The results page doesn’t just show the failures, but also provides links to content from Helme on how to learn more about these protocols and policies and what I need to do to fix them to get a better grade — and improve my site’s security. For example, the page links to improvements in hardening my response headers, doing a better job of defining my content security policies and implementing strict transport security protocols. The content is based on numerous talks that Helme has given (and will continue to give) over the years and is written clearly with copious code examples too.

But here is my dirty not-so-secret: I have zero experience with setting up website header parameters. This is probably the reason why my site received a failing grade. After years — decades — of experience setting up various web servers, I have never touched the header configurations of any of my servers. Back in the early days of the web, these parameters didn’t exist. So I can cut myself a little slack. But really, I should have known better, after all the stuff that I write about infosec down through the years. But that is one of the reasons why I try to be as hands-on as I can, and now I have some work to do and things to learn.
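As an added illustration (not from the original post and not Security Headers' own code), here is a minimal Python sketch of the kind of response-header check described above. The six header names, the HSTS threshold and the sample responses are assumptions chosen for this example, and the findings are not the site's grading.

```python
import re

MIN_HSTS_MAX_AGE = 15552000  # 180 days; threshold assumed for this example

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def check_hsts(value):
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    if not m:
        return "weak: no max-age"
    return "ok" if int(m.group(1)) >= MIN_HSTS_MAX_AGE else "weak: short max-age"

def check_csp(value):
    policy = parse_csp(value)
    # script-src falls back to default-src when it is absent
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return "weak: scripts unrestricted"
    risky = [s for s in sources if s.lower() in ("'unsafe-inline'", "'unsafe-eval'", "*")]
    return "weak: " + " ".join(risky) if risky else "ok"

CHECKS = {  # header names assumed for this example
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-content-type-options": lambda v: "ok" if v.strip().lower() == "nosniff" else "weak: not nosniff",
    "x-frame-options": lambda v: "ok" if v.strip().upper() in ("DENY", "SAMEORIGIN") else "weak: unknown value",
    "referrer-policy": lambda v: "weak: unsafe-url" if "unsafe-url" in v.lower() else "ok",
    "permissions-policy": lambda v: "ok",  # presence only
}

def audit_headers(headers):
    """Return {header: finding} for a dict of response headers."""
    seen = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    return {name: check(seen[name]) if name in seen else "missing"
            for name, check in CHECKS.items()}

# Constructed sample responses, not real scan output
BARE = {"Content-Type": "text/html", "Server": "Apache"}
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for name, finding in audit_headers(WEAK).items():
        print(f"{name}: {finding}")
```

A server with untouched default header configuration looks like `BARE`: every check comes back "missing".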

That is the essence of what he and Probely are trying to do — to teach us all how to have more secure sites.

(Note: this post is sponsored by Probely but is independent editorial content.)

SiliconANGLE: DNS is once again front and center for exploits and security policy

Two recent events are once again bringing the internet’s foundational Domain Name System into the news, and not in a good way.

The first event involving the DNS last week was a warning from the Cybersecurity Infrastructure and Security Agency issued on Friday for version 9 of the Berkeley Internet Name Domain, or BIND.

The second news item relevant to DNS concerns an open letter issued Friday by Vint Cerf, Stephen Crocker, Carl Landwehr and several others, entitled “Concerns over DNS Blocking.”

More specifics can be found in my story for SiliconANGLE here.

Book review: The edge of sleep

The Edge of Sleep: A Novel, by Jake Emanuel and Willie Block. This book is based on the podcast/TV series of the same name which has been out for several years. The thesis is that a worldwide plague hits when people go to sleep, so the obvious conceit is to stay awake to try to fight it and figure out an antidote. So we have the real-life pandemic to compare with the fictionalized version, and that may or may not sit well with some readers. We touch on several different groups of people in everyday situations around the world as they try to cope with the calamity, which I think works better in a TV version than trying to keep track of them throughout the novel. Think of it as a zombie apocalypse without the zombies, which has never been a favorite genre for me. The novel has some terrific descriptions and the plot takes us to some interesting places. In place of the hyper-science and politics of Covid, we have just ordinary folks who are trying to live their lives and cope with staying awake. Read on Amazon here.

SiliconANGLE: That next computer in the cloud could be an IBM mainframe

A small Minneapolis mainframe computer software startup is poised to change the way enterprises use and share data across the cloud.

Virtual Z Computing Inc. claims to be the first and only women-founded and women-led mainframe systems integrator in history. That is a bold position, but perhaps more important is its pair of revolutionary software applications called Lozen and Zaac that connect native mainframe data with various third-party distributed, cloud-based applications.

I explain how the company’s products fit into the future of cloud computing in this story for SiliconANGLE here. 

SiliconANGLE: The top five cloud cybersecurity threats – and what to do about them

Cybersecurity threats continue to plague cloud infrastructures, and sadly these threats are still mostly the same from years past.

But just because these threats continue doesn’t mean that cloud security, taken as a whole tapestry, isn’t as secure as on-premises equipment. That debate — which seems to have spanned a decade or more — should be put to rest forever. Two things many information technology managers have learned are that data center technology doesn’t age well, and it also accumulates tremendous technical debt, the implied cost of future reworking required when problems need to be fixed or approaches become less useful over time.

In this special report for SiliconANGLE, I review the top five threats and what you can do to fix them.