February 28, 2016

…But our iOS passwords go to 'Eleven'

If you haven't been following the controversy around Apple and the FBI, maybe all you need to know is that you should probably have an 11-character, random alphanumeric passcode on your iPhone. This will probably be good enough to protect your iPhone from being cracked open by a brute-force attack, no matter what Apple is forced to do for law enforcement.
February 29, 2016

Remind yourself how smart thieves are

These stories about how thieves have used GPS, texting and our lax security habits have been circulating in insurance newsletters and blogs for a while. But […]
February 29, 2016

Try using due diligence risk to justify security

For the past several years, I've talked about how "fear or compliance" are often the best ways to help justify the need for security. It's not that I'm trying to convince my readers that security investment is needed in their organization by scaring them or threatening them... They know it is needed. The problem is that they have a hard time articulating the need to executives who have limited time to listen, a whole different mentality around risk and a need to watch the bottom line in the short term. Sometimes pointing out the worst-case impacts (e.g. fear) or pointing to regulations (e.g. threats of penalties from non-compliance) is needed, but sometimes it isn't effective or appropriate. I recently had a conversation with an executive that gave me this idea, to focus on what I call Due Diligence Risk.
April 1, 2016

Hospital ransomware attacks are just a stepping stone to your industry

This week, hospital chain Medstar Health in Washington, D.C. was hit with a crippling ransomware attack that encrypted file systems on computers throughout the organization’s network. […]
April 1, 2016

Data Breach Stats: 70-90 percent of malware attacks on businesses are unique to the organization

If you're wondering why malware is still such a problem for security software companies to detect, it seems to be because attackers literally change the signature for almost every organization they target with malicious code. It doesn't mean they have to build it from scratch, though. They only have to change it enough to make it look different to the scanning software. Here are a couple of other interesting things about the state of enterprise data breaches that I learned from the 2015 Verizon Data Breach Investigations Report.
April 1, 2016

The security fairy isn't going to close your open vulnerabilities

If you have a feeling you should one day do some kind of check to see if you have anything from your network exposed on the Internet, you’re probably right. In fact, nobody else – including the security fairy – is going to do it for you. This goes for both home networks and businesses, although employees of businesses are probably a little more likely than people at home to have installed things with severe vulnerabilities that management or the IT group doesn’t know about. But it does happen everywhere. In a recently documented case, the simple exposure of printer ports to the Internet led to a white supremacist being able to send racist messages to be printed on thousands of exposed printers over the Internet.
April 1, 2016

Three dumb routers are coming to a home network near you

If you're keen to use all the cool new gadgets that are coming on the market, but are wondering how you can protect your network from their inevitable vulnerabilities, I have a suggestion for you: Three Dumb Routers. First, I'll explain, in simple terms, what it takes to set this configuration up, and then I'll try to briefly explain why it is a good approach to protecting your network from the Internet of Things, assuming you really have your heart set on playing with these things, or at least showing them off.
April 29, 2016

Don't be too quick to pay extortion fees based on the threat of an attack

If you or your employer receives a threatening email saying that your website will be targeted with a denial-of-service attack, don't be too quick to pay them to preempt the attack. A recent report by security firm CloudFlare disclosed that targeted victims appear to have paid as much as $100,000 USD based only on an email threat that, upon close analysis, was not credible. It can be scary to receive such an email, but there are some clues that could help you determine whether the threat is real or not.
April 30, 2016

WhatsApp helps you prove you may not have done it

While many people just think of WhatsApp as a convenient way to send messages from mobile devices, the company has taken serious steps to respond to recent concerns over global tracking and surveillance of mobile messages. In fact, WhatsApp now supports something called repudiation, which means that you could deny being the person who sent a particular message. Why would you want to deny sending a message, and why would WhatsApp want to let you do that?
April 30, 2016

Sorry, we're turning your connected device into a brick now

It seems unbelievable, but we are starting to see real incidents of connected products that are being abandoned by their manufacturers well before their end of life, leaving buyers with unusable hardware. The case of the Revolv hub sets an ominous precedent that should give us all pause for thought when buying any new hardware devices in the future. Essentially, they've decided to turn the products that people bought from them into bricks. Anything we might buy in the future, from light bulbs to cars, can (and probably will) be connected to the Internet. This fact, in itself, presents some risks that many security experts are trying to understand and communicate to people. But a more fundamental risk we all need to start considering is what happens if the manufacturer or vendor goes out of business, gets purchased by another company, or just decides to stop supporting the devices. You could be stuck with a brick, or at least a less useful version of what you thought you were buying. It might even cause more serious impacts.