Instead of a full fledged long-form article or two I decided to write a couple of mini-articles, these are small ideas that I’ve been kicking around for a while, but haven’t made into full fledged articles yet. I’ve included these here and will publish them on the blog as well. Of course, I’ve also included lots of security articles from around the web as usual.
Reducing vulnerability classes to near zero through secure defaults and good choices.
“If you could wave a magic wand and do anything to reduce vulnerabilities, what would you do?”
Some common answers are things like training and education, forcing penetration testing, better tools, and smarter users, but none of these things really strike at the core of the issue. Where is the vulnerability garden? Where are those vulnerabilities planted? Can we make that soil hostile to vulnerabilities and rich for good coding practices?
We can. The answer is to make it as hard as possible to introduce vulnerabilities in the first place. The best way to accomplish that is to provide developers libraries, frameworks, defaults, and wrappers so that every developer finds it easy to Fall Into The Pit of Success .
Choosing better frameworks that have good ORMs (fewer SQLi), templating engines (fewer XSS), authentication systems, and other security controls can massively reduce the likelihood of a vulnerability. You can mitigate entire classes of vulnerabilities through these good choices.
A security team can take this to the next level by selecting great libraries that are secure by default, by setting secure defaults through settings or policy, and by creating wrappers for existing libraries to instill security best practices into existing libraries.
The critical point to this, though, is that you must make it easier to do the secure thing than the insecure thing. If you ask developers to meet you half way or to adopt a new way that takes more time, you will fail. Developers want to build secure software, but they have massive pressure to deliver on features and hit deadlines. The pressure to ship and generate revenue will almost always win out over spending the time and money necessary to create more secure software. This is the real world after all.
Make it easy, let them fall into the pit of success.
This mini-post was partially inspired by this article from Clint Gibler, who has an excellent blog and newsletter at tldrsec.com What I Learned Watching All 44 AppSec Cali 2019 Talks - tl;dr sec
Stop acting like Phishers
There are two sides to preventing a successful phishing attack. The first side is focusing on the user; trying to train users to identify phishing attacks and to protect themselves from these types of attacks. Training is important, but there’s a responsibility on the company to act in a way that does not emulate common phishing techniques and set your users up for failure.
The second side of the successful phishing attack is the software and technology side. There are many techniques that companies can employ to make it easier for their users to identify fraudulent emails and there are some great security features that can be developed in your application and website to help protect users from the damaging effects if they do mistake a phishing email for a real one.
The optimal solution uses clear messaging and training for the user and a clear policy from the company.
This means as a company you must define how you will communicate with your customers, what you will ask for over each medium, explain the reasons to your customers, and adhere to those policies 100% of the time. You should support these choices by also providing your users a link to a clear policy about these choices and ways to verify the messages you send. Finally, train your employees to understand and identify concerned users and to help them in a safe way.
Also, if you’re using SiteKeys, stop. They’re an ineffective mutual authentication measure and a usability nightmare.
Here are a few examples of companies getting this wrong or when scammers have gone above and beyond to attack users.
- Valid email sent in a very phishy way
- An exceptional multi-phase phishing scam
- Would You Have Fallen for This Phone Scam? — Krebs on Security
More Security Headlines
Security activism exists on a spectrum. Perfectly moral security researchers who only responsibly disclose vulnerabilities help minimize the impact of the vulnerabilities they find, but massive bad actor breaches and data loss like the Meow attack make headlines and get organizations to act. It’s scary to think that it might take some real data loss or a massive breach to get a company to take action, but that’s the environment we’re in. If you head up a security team, please take action now! New ‘Meow’ attack has deleted almost 4,000 unsecured databases
If you haven’t seen LeakIX, it’s time to check it out. It’s like a focused, lightweight Shodan.io . LeakIX focuses on vulnerable and compromised services and does some great, real-time, analysis on the services. Take a quick search here for your servers. LeakIX
The use of nearly every new device and service, whether Facebook or the DMV or now even Headphones, seem to come with an opportunity to collect, sell or lose PII. In my earlier article, We all have an obligation to fight for privacy , I give some guidelines on how to best start this process. Headphones are collecting too much personal data - SoundGuys
A lot of runners panicked when they realized their exercise wouldn’t be counted when Garmin fell victim to a Ransomware Attack. Remember if it’s not tracked and shared with your friends on the internet your exercise doesn’t count. Smartwatch Maker Garmin Shuts Down Services After Ransomware Attack
Troy Hunt has decided to Open Source the Have I Been Pwned codebase. He was trying to get HIBP acquired and taken over by a larger organization that could handle the influx of data breaches but that failed earlier this year. I think this will ultimately be a benefit to the community. HIBP is a great service that can help a lot of organizations improve their authentication components and to detect data breaches. Troy Hunt: I’m Open Sourcing the Have I Been Pwned Code Base
Ever want to hack a satellite? Here’s your chance! This guide gives you all the info you need to communicate and hack an orbiting satellite. Hack a Sat
If lost in a massive breach your PII is worth 80 cents, at least that’s what a court decided in a 2019 Capital One data breach. That information is worth 5-20 times that much on the darkweb. The US Treasury said that Capital One’s security practices were woefully insufficient and that they failed to take effective actions to hold management accountable. As long as your data is worth more on the darkweb than it is to the companies storing your data, it will not be safe. Capital One ordered to pay $80 million penalty for its role in a 2019 data breach - The Verge
Knowing when to fix a vulnerability can be a difficult game to play. There were many divisive comments in threads around the internet when Microsoft decided to patch this 2 year old vulnerability; was it poorly triaged, was MS simply lazy in not patching it, or was it a collaboration with the government allowing them to spy on key targets. My gut tells me it simply never met the bug bar for a fix. One of the hardest calls for a security leader to make is when to pass on fixing a vulnerability. Microsoft Put Off Fixing Zero Day for 2 Years — Krebs on Security
This in-depth report analyzes Drovorub, a piece of malware previously attributed to Fancy Bear and APT28, which is now known to be deployed by the Russian Intelligence community. Malware attribution is very difficult, often times having been funded by a government entity to be developed and operated offsite. The analysis in this paper is great and although detection is difficult there is guidance on detection in the paper. Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
John Masserini has a great blog called Chronicles of a CISO where he gives pragmatic advice for the CISO as well as good advice for those who wish to talk to one. He just released a new resource that I find very useful, it’sa collection of industry statistical metrics and reports. In this collection you can browse a list of 100 different reports. Great for that next board funding meeting to help you hammer home the need for a higher security spend. Industry Statistical & Metrics Reports