Trending Articles

Threat Modeling Google Cloud (Threat Model Thursday)

Adam Shostack

NCC has released a threat model for Google Cloud Platform. What can it teach us? In Threat Modelling Cloud Platform Services by Example: Google Cloud Storage, Ken Wolstencroft of NCC presents a threat model for Google Cloud Storage, and I'd like to take a look at it to see what we can learn. As always, and especially in these Threat Model Thursday posts, my goal is to point out interesting work in a constructive way.

Google Is Allowing Device Fingerprinting

Schneier on Security

Lukasz Olejnik writes about device fingerprinting, and why Google’s policy change to allow it in 2025 is a major privacy setback.

Casino Players Using Hidden Cameras for Cheating

Schneier on Security

The basic strategy is to place a device with a hidden camera in a position to capture normally hidden card values, which are interpreted by an accomplice off-site and fed back to the player via a hidden microphone. Miniaturization is making these devices harder to detect. Presumably AI will soon obviate the need for an accomplice.

The Top 25 Security Predictions for 2025 (Part 2)

Lohrman on Security

Welcome to the second installment of this comprehensive annual look at global cybersecurity industry predictions, forecasts, trends and outlook reports from the top security industry vendors, technology magazines, expert thought leaders and more.

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Windows 11 Media Update Bug Stops Security Updates

Tech Republic Security

Microsoft advises users not to install recent security updates using physical media. The company is working on a fix.

PoC Exploit Released for Zero-Click Vulnerability CVE-2024-49112 in Windows

Penetration Testing

SafeBreach Labs revealed a zero-click vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service, dubbed LDAP Nightmare. The post PoC Exploit Released for Zero-Click Vulnerability CVE-2024-49112 in Windows appeared first on Cybersecurity News.

Salt Typhoon’s Reach Continues to Grow

Schneier on Security

The US government has identified a ninth telecom that was successfully hacked by Salt Typhoon.

Safety and Security in Automated Driving

Adam Shostack

Let's explore the risks associated with Automated Driving. "Safety First For Automated Driving" is a big, over-arching whitepaper from a dozen automotive manufacturers and suppliers. One way to read it is that those disciplines have strongly developed safety cultures, which generally do not consider cybersecurity problems. This paper is the cybersecurity specialists making the argument that cyber will fit into safety, and how to do so.

Handling Pandemic-Scale Cyber Threats (preprint)

Adam Shostack

A new paper on 'Pandemic Scale Cyber Events'. Josiah Dykstra and I have a new pre-print at arXiv, Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19. The abstract is: The devastating health, societal, and economic impacts of the COVID-19 pandemic illuminate potential dangers of unpreparedness for catastrophic pandemic-scale cyber events.

CSRB Report on Microsoft

Adam Shostack

The Cyber Safety Review Board (CSRB) has released its report into an intrusion at Microsoft, and it's a doozy. It opens: The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft. With some time to reflect on the findings, I think the report is best characterized as a well-earned rebuke to Microsoft.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Phishing Defenses

Adam Shostack

Phishing behaviors, as observed in the wild. There's a good article on the UK's National Cyber Security Centre blog, Telling users to avoid clicking bad links still isn't working. It starts: Let's start with a basic premise: several of the established tenets in security simply don't work. One example is advising users not to click on bad links. Users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job.

MITRE ATT&CK: Threat Model Thursday

Adam Shostack

Threat Model Thursday: let's dive deep into a detailed approach to using ATT&CK. For Threat Model Thursday, let's look at Threat Modeling with ATT&CK from the Center for Threat Informed Defense at MITRE. As always with Threat Model Thursday, my goal is to respectfully engage with interesting work and ask what we can learn from it. This one is particularly interesting because I've been teaching threat modeling with kill chains, including ATT&CK, for many years.

What Is Patch Tuesday? Microsoft’s Monthly Update Explained

Tech Republic Security

Patch Tuesday is Microsoft's monthly update day for fixing vulnerabilities. Learn its purpose, benefits, and how it enhances system security.

Is Cybersecurity Awareness Month Worth the Money?

Adam Shostack

How can we measure the ROI on an awareness month? As we wrap up another cybersecurity awareness month, I'd like to ask: Is it worth the money and effort? If it is, we should be able to see evidence of that in reductions of successful attacks in October/November, slowly rising over time as the effect of the awareness campaign evaporates, and then renewing the next year.

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Secure by Design roundup - April 2024

Adam Shostack

A less busy month in appsec, AI, and regulation, but still interesting stories. I'm going to kick off with two interesting engineering stories. First, the Washington Post reports on how Officials studied Baltimore bridge risks but didn't prepare for ship strike, which discusses the challenges of securing bridges against modern cargo ships. It turns out that additional barriers were a known tradeoff.

Cybersecurity Lessons from Covid19

Adam Shostack

Join us for a provocative exploration on Thursday! What can Cybersecurity learn from the covid pandemic? Josiah Dykstra and I will be speaking at the Ostrom Workshop Cyber Public Health Working Group, tomorrow, Thursday the 28th at 3 Eastern. The COVID-19 pandemic forced us all to confront a widespread, deadly, and rapidly spreading biological threat.

A Different Hackathon Design?

Adam Shostack

What should hackathon judges value? The Threat Modeling Connect team has built a hackathon that's gotten a lot of enthusiastic participation over the last few years. Today I want to discuss the design of that hackathon, talk about an effect of the design and ask if we can do something different. None of this is intended to critique the organizers, participants or judges.

Threat Modeling and Logins

Adam Shostack

Authentication is more frustrating to your customers when you don't threat model. Recently, I was opening a new bank account. The bank unexpectedly sent me a temporary password to sign up, and when I did, the temporary password had expired. So it sent me another, this time warning me it was only going to last ten minutes. But then, after I went to reset the password, the bank emailed me a one time code.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Secure by Design roundup - March 2024

Adam Shostack

A busy month in appsec, AI, and regulation. Breaking: Alec Muffett reports that Ross Anderson has passed away. Ross was a giant of the field and I'm shocked. Regulation: The White House released a report on memory safe languages. Stop, read those words again. That the White House is involved should not be a shocker to readers of this blog, and it represents a fascinating state of the evolution of the conversation around memory safety that it would reach that level. (Press release, technical repo

SEC Cybersecurity Rules

Adam Shostack

The SEC has important new cybersecurity rules Last week, the SEC issued new cybersecurity guidance. It includes a requirement to disclose material breaches within four days, and does not, contrary to drafts, require boards to disclose their cyber expertise. Fifteen years ago, Andrew Stewart and I published The New School of Information Security , in which we called for greater disclosure of cyber incidents and learning more from them.

Appsec Roundup - Nov 2024

Adam Shostack

A virtual feast of appsec! The PDF version of Ross Anderson's Security Engineering is now freely available. Secure by Design and threat modeling: Android Find My Device Has Gotten a Major Upgrade. Wired reports that Android devices that are powered off or that have dead batteries can be located for several hours after they go dark: the phone needs specialized hardware that enables a low-power Bluetooth signal to be broadcast, even if the handset itself isn't turned on.

Why do we call them trust boundaries?

Adam Shostack

Why do we call them trust boundaries, anyway? This blog post is more questions and musings than answers. Back in September, there was a fascinating ProPublica article, Microsoft Chose Profit Over Security. It includes a link to Microsoft Security Servicing Criteria for Windows, which uses the term security boundary where I'd normally say trust boundary.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Appsec Roundup - Oct 2024

Adam Shostack

If you say liability three times, it appears! Secure by Design, threat modeling and appsec: Loren Kohnfelder wrote a longish, excellent post, Flaunt your threat models. We've been talking about this, and I think flaunting models at the level of the one released by curl makes so much sense it's hard to see why it's not standard. Google has released information on their Secure by Design commitment, including a blog and white paper.

25 Years of CVE

Adam Shostack

Some thoughts on 25 years of the CVE program I saw the headline CVE Program Celebrates 25 Years of Impact! and want to congratulate everyone involved. The 25th anniversary report was a nostalgic walk down memory lane for me. I remember sitting a row or two behind Dave Mann and Steve Christey Coley at the workshop on vulnerability databases, and wondering who the heck MITRE was and why they cared?

Secure Boot and Secure by Design

Adam Shostack

The failure to secure boot keys should be a bigger deal. In case you missed it, Ars Technica has a story, Secure Boot is completely broken on 200+ models from 5 big device makers. The key* point is that keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway. At some level, I get it. There's a lot of work to do in shipping a big complex system, even if that big complex system is in a small form factor.
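The check a practitioner will want after reading that story, as an added example that is not code from the post, from Ars Technica or from any firmware vendor: read the UEFI Platform Key (PK) variable, walk its EFI_SIGNATURE_LIST entries, and look for the literal "DO NOT TRUST" label inside the X.509 certificates. The efivars path and its 4-byte attribute header are the Linux layout and are assumptions here; the certificate bodies are constructed stand-ins containing only the subject text, not real certificates.

```python
"""Check a UEFI Platform Key (PK) variable for a "DO NOT TRUST" test key.

Added example, not code from the blog post, Ars Technica or any vendor.
Assumptions: the Linux efivars layout (/sys/firmware/efi/efivars/PK-<guid>),
where the file is a 4-byte attributes word followed by EFI_SIGNATURE_LIST
structures; inside an EFI_CERT_X509 entry the DER certificate carries the
subject name as plain ASCII, so a test key advertises itself by the literal
label "DO NOT TRUST". The certificate bodies below are constructed stand-ins.
"""
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: entries are DER certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed efivars path for PK (EFI_GLOBAL_VARIABLE GUID).
PK_VAR_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Label the story describes; matched case-insensitively inside certificate bytes.
UNTRUSTED_MARKER = b"DO NOT TRUST"
# SignatureListSize, SignatureHeaderSize, SignatureSize (follow the 16-byte type GUID).
SIGLIST_HEADER = struct.Struct("<III")


def parse_signature_lists(data):
    """Return (signature_type, owner, signature_data) for every entry in a chain of lists."""
    entries = []
    off = 0
    while off + 16 + SIGLIST_HEADER.size <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # UEFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:  # each entry: 16-byte SignatureOwner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def find_untrusted_labels(variable_bytes, has_attr_header=True):
    """Return the printable label around each "DO NOT TRUST" marker found in an X.509 entry."""
    body = variable_bytes[4:] if has_attr_header else variable_bytes
    labels = []
    for sig_type, _owner, cert in parse_signature_lists(body):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        idx = cert.upper().find(UNTRUSTED_MARKER)
        if idx == -1:
            continue
        stop = idx  # extend to the end of the printable run so the whole subject text is reported
        while stop < len(cert) and 0x20 <= cert[stop] < 0x7F:
            stop += 1
        labels.append(cert[idx:stop].decode("ascii"))
    return labels


def build_signature_list(sig_type, owner, blobs):
    """Serialize one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    sig_size = 16 + max(len(b) for b in blobs)  # all entries in one list share a size
    body = b"".join(owner.bytes_le + b.ljust(sig_size - 16, b"\0") for b in blobs)
    return sig_type.bytes_le + SIGLIST_HEADER.pack(28 + len(body), 0, sig_size) + body


# Constructed certificate stand-ins: a SEQUENCE-looking prefix, the subject text, padding.
FAKE_TEST_CERT = b"\x30\x82\x01\x00" + b"DO NOT TRUST - AMI Test PK" + b"\0" * 8
FAKE_OEM_CERT = b"\x30\x82\x01\x00" + b"Example OEM Platform Key" + b"\0" * 8
_ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
SAMPLE_TEST_PK = _ATTRS + build_signature_list(EFI_CERT_X509_GUID, uuid.UUID(int=1), [FAKE_TEST_CERT])
SAMPLE_OEM_PK = _ATTRS + build_signature_list(EFI_CERT_X509_GUID, uuid.UUID(int=2), [FAKE_OEM_CERT])


def check_platform_key(path=PK_VAR_PATH):
    """Read the live PK variable on a Linux host and return any untrusted labels."""
    with open(path, "rb") as f:
        return find_untrusted_labels(f.read())


if __name__ == "__main__":
    print("constructed test-key PK:", find_untrusted_labels(SAMPLE_TEST_PK))
    print("constructed OEM PK:", find_untrusted_labels(SAMPLE_OEM_PK))
    try:
        print("this machine:", check_platform_key() or "no untrusted label in PK")
    except OSError as exc:
        print("could not read PK variable:", exc)
```

The string match is a heuristic: a production check should decode the certificate subject with an X.509 library, and should walk KEK and db the same way, since a test key anywhere in the chain undermines the signatures below it. A hit is not something a user can fix; the remedy is a firmware update from the device maker that replaces the key.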

The Goals of Cyber Public Health

Adam Shostack

Cyber Public Health is prompting fascinating conversations. Recently I sat down with someone who had read the Cyber Public Health Workshop report. I'll call him Dan. Dan was enthusiastic about the ideas and goals, and pushed me to clarify the goals, and why people should get on board. He wasn't really satisfied with my answers, and he has a history of changing the way people think about the problems they face.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Security Engineering roundup - May 2024

Adam Shostack

The most important stories around threat modeling, appsec and secure by design for May, 2024. A memorial service for Ross Anderson will be held June 22 in Cambridge. Bruce Schneier wrote an obituary for Ross at CACM. I'm told there will be a way to view the service remotely, and: [link] Passcode: L3954FrrEF. Threat Modeling: Ron Thompson and co-authors have released "There are rabbit holes I want to go down that I'm not allowed to go down": An Investigation of Security Expert Threat Modeling Pract

The State of Appsec in 2024

Adam Shostack

2024 is bringing lots of AI, and Liability, too. At the start of 2024, appsec is moving through two major inflection points: liability and AI. The first has two facets: how do we secure AI systems, and how do we use AI in appsec? The second major inflection is driven by governments re-arranging liability from software operators to software makers. And as I think about where we are in 2024, I'm optimistic and hopeful because of a third change, much more nascent, that lays groundwork for assessing a

Appsec Roundup - June 2024

Adam Shostack

The most important stories around threat modeling, appsec and secure by design for June, 2024. Threat Modeling: The City of London police report that a homemade mobile antenna was used to send thousands of smishing messages. I've been skeptical of phone system security, but this is both important if you're trusting the phone system, as an example of an evolving threat, and really funny.

Lockbit, a study in public health

Adam Shostack

Why is it hard to count lockbit infections? I was surprised to see the headline FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out. I didn't think there were that many victims. Some somewhat lazy searching reveals: CISA (with other agencies) said 1,700 in Understanding Lockbit (June, 2023) Department of Justice said more than 2,500 victims in U.S.

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.