My latest at Dark Reading draws attention to how Microsoft can fix ransomware tomorrow. My latest article at Dark Reading is Microsoft Can Fix Ransomware Tomorrow. It starts: Recently, I was at a private event on security by design. I explained that Microsoft could fix ransomware tomorrow, and was surprised that the otherwise well-informed people I was speaking to hadn't heard about this approach.
The “DoubleClickjacking” exploit bypasses protections on major websites, using a double-click sequence for clickjacking and account takeover attacks. DoubleClickjacking is a technique that allows attackers to bypass clickjacking protections on major websites by leveraging a double-click sequence. Attackers can exploit the technique to facilitate clickjacking attacks and account takeovers on almost all major websites.
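The teaser above says only that the bypass rides on a double-click sequence. As an added example, not code from the DoubleClickjacking write-up, the following guard shows one defence-in-depth pattern an application owner can put in front of a sensitive control such as an OAuth "Authorize" or "Delete account" button: refuse an activation that arrives as the second click of a double-click, that lands before the control has been visible for a short arming delay, or that arrives without any prior pointer movement on the page. The arming delay, the pointer-gesture heuristic and the event sequences are assumptions made for the example; the guard is written against constructed event objects so it runs offline, and in a page you would feed it the real `pointermove`, `blur`, `click` and `keydown` events.

```javascript
'use strict';

// Added example: a gate in front of a sensitive button. The thresholds and the
// gesture heuristic are assumptions for illustration, not from the article.
class SensitiveClickGuard {
  constructor({ armDelayMs = 500, now = () => Date.now() } = {}) {
    this.armDelayMs = armDelayMs;   // how long the control must be visible before a click counts
    this.now = now;                 // injectable clock so the guard can be tested offline
    this.shownAt = null;            // null means "not armed": clicks are refused
    this.sawPointerMove = false;    // set once the pointer has moved over this page
  }

  // Call when the sensitive control is rendered or the page regains focus.
  arm() {
    this.shownAt = this.now();
    this.sawPointerMove = false;
  }

  // Call from a pointermove listener on the document.
  onPointerMove() {
    this.sawPointerMove = true;
  }

  // Call from a window 'blur' listener: the user switched windows, so the next
  // click could be the tail of a gesture that started on another window.
  onWindowBlur() {
    this.shownAt = null;
  }

  // Decide whether an activation event should be honoured. `ev` mirrors the
  // DOM MouseEvent/KeyboardEvent fields that matter here (type, isTrusted, detail).
  evaluate(ev) {
    if (ev.type === 'keydown') return 'accept';             // keyboard activation is not a click sequence
    if (ev.isTrusted === false) return 'reject:synthetic';  // script-generated click
    if (this.shownAt === null) return 'reject:not-armed';
    if (ev.detail >= 2) return 'reject:double-click';       // MouseEvent.detail is the click count
    if (this.now() - this.shownAt < this.armDelayMs) return 'reject:too-soon';
    if (!this.sawPointerMove) return 'reject:no-pointer-gesture';
    return 'accept';
  }
}

// Replay a constructed event sequence through a fresh guard; returns the verdict
// for every click/keydown in the sequence, in order.
function replay(events, armDelayMs = 500) {
  let clock = 0;
  const guard = new SensitiveClickGuard({ armDelayMs, now: () => clock });
  const verdicts = [];
  for (const ev of events) {
    clock = ev.t;
    switch (ev.type) {
      case 'arm': guard.arm(); break;
      case 'pointermove': guard.onPointerMove(); break;
      case 'blur': guard.onWindowBlur(); break;
      case 'click':
      case 'keydown': verdicts.push(guard.evaluate(ev)); break;
      default: throw new Error(`unknown event ${ev.type}`);
    }
  }
  return verdicts;
}

// Constructed scenarios (not captured from a real site).
// 1. The control has just been exposed under the pointer and the second click
//    of a double-click lands about 100 ms later with no pointer movement here.
const DOUBLECLICK_SEQUENCE = [
  { t: 0, type: 'arm' },
  { t: 100, type: 'click', isTrusted: true, detail: 1 },
];
// 2. Same attack, but the attacker waits out the arming delay; the pointer
//    still never moved on this page.
const DELAYED_NO_GESTURE_SEQUENCE = [
  { t: 0, type: 'arm' },
  { t: 1000, type: 'click', isTrusted: true, detail: 1 },
];
// 3. A real user moves the mouse to the button and clicks it after a moment.
const LEGITIMATE_SEQUENCE = [
  { t: 0, type: 'arm' },
  { t: 300, type: 'pointermove' },
  { t: 900, type: 'click', isTrusted: true, detail: 1 },
];
// 4. Keyboard activation is unaffected by the guard.
const KEYBOARD_SEQUENCE = [
  { t: 0, type: 'arm' },
  { t: 50, type: 'keydown', isTrusted: true, key: 'Enter' },
];
// 5. A window switch disarms the control until it is re-armed on focus.
const BLUR_SEQUENCE = [
  { t: 0, type: 'arm' },
  { t: 200, type: 'pointermove' },
  { t: 700, type: 'blur' },
  { t: 800, type: 'click', isTrusted: true, detail: 1 },
];

function demo() {
  return {
    doubleClick: replay(DOUBLECLICK_SEQUENCE),
    delayedNoGesture: replay(DELAYED_NO_GESTURE_SEQUENCE),
    legitimate: replay(LEGITIMATE_SEQUENCE),
    keyboard: replay(KEYBOARD_SEQUENCE),
    blurred: replay(BLUR_SEQUENCE),
  };
}
```

The guard is a mitigation layer on the target site only; it does not replace `X-Frame-Options` or `frame-ancestors`, which do not help here because the attack never frames the victim page. Re-arm the control on `focus` and treat any verdict other than `accept` as "do nothing", not as an error the attacker can probe.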
NCC has released a threat model for Google Cloud Platform. What can it teach us? In Threat Modelling Cloud Platform Services by Example: Google Cloud Storage, Ken Wolstencroft of NCC presents a threat model for Google Cloud Storage, and I'd like to take a look at it to see what we can learn. As always, and especially in these Threat Model Thursday posts, my goal is to point out interesting work in a constructive way.
Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.
Let's explore the risks associated with Automated Driving. "Safety First For Automated Driving" is a big, over-arching whitepaper from a dozen automotive manufacturers and suppliers. One way to read it is that those disciplines have strongly developed safety cultures, which generally do not consider cybersecurity problems. This paper is the cybersecurity specialists making the argument that cyber will fit into safety, and how to do so.
In a recent podcast interview with Cybercrime Magazine's host, Charlie Osborne, Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, discusses the recent cyberattack on Blue Yonder, including how the incident impacted supply chains, effective steps an organization can take after a ransomware attack, and more.
A new paper on 'Pandemic Scale Cyber Events'. Josiah Dykstra and I have a new pre-print at Arxiv, Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19. The abstract is: The devastating health, societal, and economic impacts of the COVID-19 pandemic illuminate potential dangers of unpreparedness for catastrophic pandemic-scale cyber events.
Threat actors entered Treasury Department systems through BeyondTrust. The breach may be related to the Salt Typhoon attacks reported throughout the year.
The CSRB has released its report into an intrusion at Microsoft, and... it's a doozy. The Cyber Safety Review Board has released its report into an intrusion at Microsoft, and... it's a doozy. It opens: The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft. With some time to reflect on the findings, I think the report is best characterized as a well-earned rebuke to Microsoft.
Following the publication of our in-depth analysis on the National Public Data (NPD) breach last week, Constella Intelligence received several inquiries about how to safeguard against identity attacks using the exposed SSNs. The recent National Public Data (NPD) breach stands as the largest social security number (SSN) exposure in history. With 292 million individuals exposed,
Phishing behaviors, as observed in the wild. There's a good article on the UK's National Cyber Security Centre blog, Telling users to avoid clicking bad links still isn't working. It starts: Let's start with a basic premise: several of the established tenets in security simply don't work. One example is advising users not to click on bad links. Users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job.
The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.
It's been more than a year since the U.S. Securities and Exchange Commission adopted new rules to enhance the annual reporting of cybersecurity measures practiced by SEC registrants. These requirements are in addition to those about the timely disclosure of material cybersecurity incidents that these companies experience. This tougher stance from the SEC has prompted executives and boards of directors to look at cybersecurity, not as an afterthought, but as a business-critical priority.
Threat Model Thursday: let's dive deep into a detailed approach to using ATT&CK. For Threat Model Thursday, let's look at Threat Modeling with ATT&CK from the Center for Threat Informed Defense at MITRE. As always with Threat Model Thursday, my goal is to respectfully engage with interesting work and ask what we can learn from it. This one is particularly interesting because I've been teaching threat modeling with kill chains, including ATT&CK, for many years.
Let me start by wishing everyone Happy Holidays and a great new 2025 ahead. As we exit 2024, I am equally hopeful and worried about the year ahead. While I am concerned that even increased spending on cybersecurity has not slowed down cyberattacks, with increased interest in breach readiness and cyber defense, I am hopeful [...]
How can we measure the ROI on an awareness month? As we wrap up another cybersecurity awareness month, I'd like to ask: Is it worth the money and effort? If it is, we should be able to see evidence of that in reductions of successful attacks in October/November, slowly rising over time as the effect of the awareness campaign evaporates, and then renewing the next year.
Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.
A revelation emerged from the Chaos Communication Congress (CCC) last week, shaking the foundations of Windows' trusted BitLocker encryption: Patched But Still Vulnerable: Windows BitLocker Encryption Bypassed Again.
A less busy month in appsec, AI, and regulation, but still interesting stories. I'm going to kick off with two interesting engineering stories. First, the Washington Post reports on how Officials studied Baltimore bridge risks but didn't prepare for ship strike, which discusses the challenges of securing bridges against modern cargo ships. It turns out that additional barriers were a known tradeoff.
If you've ever been on the receiving end of endless security questionnaires or found yourself explaining the same security measures over and over to different parties, you'll understand why trust centers have become such a popular tool. In a digital-first world where transparency and security go hand in hand, trust centers have emerged as a vital tool for building confidence with customers, partners, and stakeholders.
Join us for a provocative exploration on Thursday! What can Cybersecurity learn from the covid pandemic? Josiah Dykstra and I will be speaking at the Ostrom Workshop Cyber Public Health Working Group, tomorrow, Thursday the 28th at 3 Eastern. The COVID-19 pandemic forced us all to confront a widespread, deadly, and rapidly spreading biological threat.
Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.
Authentication is more frustrating to your customers when you don't threat model. Recently, I was opening a new bank account. The bank unexpectedly sent me a temporary password to sign up, and when I did, the temporary password had expired. So it sent me another, this time warning me it was only going to last ten minutes. But then, after I went to reset the password, the bank emailed me a one time code.
Apple has agreed to pay $95 million to settle a proposed class action lawsuit that accused the iPhone maker of invading users' privacy using its voice-activated Siri assistant. The development was first reported by Reuters. The settlement applies to U.S.
A busy month in appsec, AI, and regulation. Breaking: Alec Muffett reports that Ross Anderson has passed away. Ross was a giant of the field and I'm shocked. Regulation: The White House released a report on memory safe languages. Stop, read those words again. That the White House is involved should not be a shocker to readers of this blog, and it represents a fascinating state of the evolution of the conversation around memory safety that it would reach that level. (Press release, technical repo
After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!
A virtual feast of appsec! The PDF version of Ross Anderson's Security Engineering is now freely available. Secure by Design and threat modeling: Android Find My Device Has Gotten a Major Upgrade. Wired reports that Android devices that are powered off or that have dead batteries can be located for several hours after they go dark: "the phone needs specialized hardware that enables a low-power Bluetooth signal to be broadcast, even if the handset itself isn't turned on."
Some thoughts on 25 years of the CVE program I saw the headline CVE Program Celebrates 25 Years of Impact! and want to congratulate everyone involved. The 25th anniversary report was a nostalgic walk down memory lane for me. I remember sitting a row or two behind Dave Mann and Steve Christey Coley at the workshop on vulnerability databases, and wondering who the heck MITRE was and why they cared?
Cyber Public Health is prompting fascinating conversations. Recently I sat down with someone who had read the Cyber Public Health Workshop report. I'll call him Dan. Dan was enthusiastic about the ideas and goals, and pushed me to clarify the goals, and why people should get on board. He wasn't really satisfied with my answers, and he has a history of changing the way people think about the problems they face.
The most important stories around threat modeling, appsec and secure by design for June, 2024. Threat Modeling: The City of London police report that a homemade mobile antenna was used to send thousands of smishing messages. I've been skeptical of phone system security, but this is both important if you're trusting the phone system, as an example of an evolving threat, and really funny.
Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.
Why is it hard to count LockBit infections? I was surprised to see the headline FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out. I didn't think there were that many victims. Some somewhat lazy searching reveals: CISA (with other agencies) said 1,700 in Understanding LockBit (June, 2023); the Department of Justice said more than 2,500 victims in U.S.
How to effectively threat model authentication. Recently, I wrote about threat modeling and logins, and I want to expand on that post to talk about methodologies. Before I do, I want to say the crucial step is to consider "What can go wrong?" before implementing a defense, so that each defense is defending against a specific threat. (That implies that you need to go from consideration to keeping a list, and making sure that the list is specific and clear.
Threat modeling really CAN save you money, just ask Chuck! Back in April, Forrester published The Total Economic Impact Of The IriusRisk Automated Threat Modeling Platform. They looked at a composite of three organizations that moved from ad-hoc, manual threat modeling to automated threat modeling. One of the report's key findings was that cost savings from remediation avoidance was the biggest cost saving category, with $4.9 million over a three-year period.
Tarah Wheeler and Adam write in CFR The Council on Foreign Relations has published an essay by Tarah Wheeler and myself, The Cyber Safety Review Board Should Investigate Major Historical Incidents. It starts: The U.S. Cyber Safety Review Board (CSRB) was established on February 3, 2022 after the major cyber incident known as SolarWinds. This board was intended to investigate and report on significant cyber incidents, following the example of the U.S.
Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!