Adam Shostack

JANUARY 2, 2025

NCC has released a threat model for Google Cloud Platform. What can it teach us? In Threat Modelling Cloud Platform Services by Example: Google Cloud Storage Ken Wolstencroft of NCC presents a threat model for Google Cloud Storage, and Id like to take a look at it to see what we can learn. As always, and especially in these Threat Model Thursday posts, my goal is to point out interesting work in a constructive way.

Engineering 246

Engineering Authentication 246

Schneier on Security

JANUARY 2, 2025

Lukasz Olejnik writes about device fingerprinting, and why Google’s policy change to allow it in 2025 is a major privacy setback.

Data collection 280

Data collection 280

Adam Shostack

JANUARY 2, 2025

My latest at Dark Reading draws attention to how Microsoft can fix ransomware tomorrow. My latest article at Dark Reading is Microsoft Can Fix Ransomware Tomorrow. It starts: Recently, I was at a private event on security by design. I explained that Microsoft could fix ransomware tomorrow, and was surprised that the otherwise well-informed people I was speaking to hadn't heard about this approach.

Ransomware 225

Ransomware Encryption Software 225

Tech Republic Security

JANUARY 2, 2025

Threat actors entered Treasury Department systems through BeyondTrust. The breach may be related to the Salt Typhoon attacks reported throughout the year.

Cyber threats 185

Cyber threats Hacking Telecommunications Software 185

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

Adam Shostack

JANUARY 2, 2025

Why its ok to use the Defcon wifi Many security professionals, especially on social media, have an unfortunate tendency towards what we might call performative security. Its where people broadcast their security measures to show how aware they are, and they suggest others follow their lead. Its the inverse of security theater where ineffective security is imposed on us by organizations.

Media 246

Media Authentication Malware 246

Penetration Testing

JANUARY 2, 2025

A revelation emerged from the Chaos Communication Congress (CCC) last week, shaking the foundations of Windows’ trusted BitLocker The post Patched But Still Vulnerable: Windows BitLocker Encryption Bypassed Again appeared first on Cybersecurity News.

Encryption 145

Encryption Cybersecurity 145

Adam Shostack

JANUARY 2, 2025

Lets explore the risks associated with Automated Driving. " Safety First For Automated Driving " is a big, over-arching whitepaper from a dozen automotive manufacturers and suppliers. One way to read it is that those disciplines have strongly developed safety cultures, which generally do not consider cybersecurity problems. This paper is the cybersecurity specialists making the argument that cyber will fit into safety, and how to do so.

Risk 180

Risk Architecture Manufacturing Cybersecurity 180

Adam Shostack

JANUARY 2, 2025

A new paper on 'Pandemic Scale Cyber Events Josiah Dykstra and I have a new pre-print at Arxiv, Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19. The abstract is: The devastating health, societal, and economic impacts of the COVID-19 pandemic illuminate potential dangers of unpreparedness for catastrophic pandemic-scale cyber events.

Cyber threats 130

Cyber threats Government Cybersecurity 130

Adam Shostack

JANUARY 2, 2025

The CSRB has released its report into an intrusion at Microsoft, and.its a doozy. The Cyber Safety Review Board has released its report into an intrusion at Microsoft, and. its a doozy. It opens: The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft. With some time to reflect on the findings, I think the report is best characterized as a well-earned rebuke to Microsoft.

Government 130

Government Risk Authentication Technology 130

Adam Shostack

JANUARY 2, 2025

Phishing behaviors, as observed in the wild. Theres a good article on the UKs National Cyber Security Centre blog, Telling users to avoid clicking bad links still isnt working. It starts: Let's start with a basic premise: several of the established tenets in security simply dont work. One example is advising users not to click on bad links. Users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job.

Phishing 130

Phishing Accountability 130

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Adam Shostack

JANUARY 2, 2025

Threat model Thursday, let's dive deep into a detailed approach to using ATT&CK For Threat Model Thursday, lets look at Threat Modeling with ATT&CK from the Center for Threat Informed Defense at MITRE. As always with Threat Model Thursday, my goal is to respectfully engage with interesting work and ask what we can learn from it. This one is particularly interesting because Ive been teaching threat modeling with kill chains, including ATT&CK, for many years.

Risk 130

Risk Government 130

Adam Shostack

JANUARY 2, 2025

How can we measure the ROI on an awareness month? As we wrap up another cybersecurity awareness month, Id like to ask: Is it worth the money and effort? If it is, we should be able to see evidence of that in reductions of successful attacks in October/November, slowly rising over time as the effect of the awareness campaign drips evaporates, and then renewing the next year.

Cybersecurity 130

Cybersecurity Marketing Information Security 130

Adam Shostack

JANUARY 2, 2025

A less busy month in appsec, AI, and regulation, but still interesting stories Im going to kick off with two interesting engineering stories. First, the Washington Post reports on how Officials studied Baltimore bridge risks but didnt prepare for ship strike that discusses the challenges of securing bridges against modern cargo ships. It turns out that additional barriers were a known tradeoff.

Engineering 130

Engineering Software Cybersecurity Risk 130

Adam Shostack

JANUARY 2, 2025

Join us for a provocative exploration on Thursday! What can Cybersecurity learn from the covid pandemic? Josiah Dykstra and I will be speaking at the Ostrom Workshop Cyber Public Health Working Group, tomorrow, Thursday the 28th at 3 Eastern. The COVID-19 pandemic forced us all to confront a widespread, deadly, and rapidly spreading biological threat.

Cybersecurity 130

Cybersecurity Cyber threats Technology 130

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Adam Shostack

JANUARY 2, 2025

What should hackathon judges value? The Threat Modeling Connect team has built a hackathon thats gotten a lot of enthusiastic participation over the last few years. Today I want to discuss the design of that hackathon, talk about an effect of the design and ask if we can do something different. None of this is intended to critique the organizers, participants or judges.

Architecture 130

Architecture Technology Authentication Software 130

Adam Shostack

JANUARY 2, 2025

Authentication is more frustrating to your customers when you dont threat model. Recently, I was opening a new bank account. The bank unexpectedly sent me a temporary password to sign up, and when I did, the temporary password had expired. So it sent me another, this time warning me it was only going to last ten minutes. But then, after I went to reset the password, the bank emailed me a one time code.

Banking 130

Banking Passwords Password Management Authentication 130

Adam Shostack

JANUARY 2, 2025

A busy month in appsec, AI, and regulation. Breaking: Alec Muffett reports that Ross Anderson has passed away. Ross was a giant of the field and Im shocked. Regulation The White House released a report on memory safe languages. Stop, read those words again. That the White House is involved should not be a shocker to readers of this blog, and it represents a fascinating state of the evolution of the conversation around memory safety that it would reach that level. ( Press release , technical repo

Software 130

Software Advertising Hacking 130

Adam Shostack

JANUARY 2, 2025

The SEC has important new cybersecurity rules Last week, the SEC issued new cybersecurity guidance. It includes a requirement to disclose material breaches within four days, and does not, contrary to drafts, require boards to disclose their cyber expertise. Fifteen years ago, Andrew Stewart and I published The New School of Information Security , in which we called for greater disclosure of cyber incidents and learning more from them.

Cybersecurity 130

Cybersecurity Marketing Information Security 130

Advertisement

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Software

Adam Shostack

JANUARY 2, 2025

A virtual feast of appsec! The PDF version of Ross Andersons Security Engineering is now freely available. Secure by Design and threat modeling Android Find My Device Has Gotten a Major Upgrade. Wired reports that Android devices that are powered off or that have dead batteries can be located for several hours after they go dark. the phone needs specialized hardware that enables a low-power Bluetooth signal to be broadcast, even if the handset itself isn't turned on.

Engineering 130

Engineering Threat Reports Software 130

Adam Shostack

JANUARY 2, 2025

Why do we call them trust boundaries, anyway? This blog post is more questions and musings than answers. Back in September, there was a fascinating Propublica article, Microsoft Chose Profit Over Security. It includes a link to Microsoft Security Servicing Criteria for Windows , which uses the term security boundary where Id normally say trust boundary.

130

130

Adam Shostack

JANUARY 2, 2025

If you say liability three times, it appears! Secure by Design, threat modeling and appsec Loren Kohnfelder wrote a longish, excellent post Flaunt your threat models. Weve been talking about this, and I think flaunting models at the level of the one released by Curl make so much sense its hard to see why its not standard. Google has released information on their Secure by Design commitment, including a blog and white paper.

Manufacturing 130

Manufacturing Data breaches Software Cybersecurity 130

Adam Shostack

JANUARY 2, 2025

Some thoughts on 25 years of the CVE program I saw the headline CVE Program Celebrates 25 Years of Impact! and want to congratulate everyone involved. The 25th anniversary report was a nostalgic walk down memory lane for me. I remember sitting a row or two behind Dave Mann and Steve Christey Coley at the workshop on vulnerability databases, and wondering who the heck MITRE was and why they cared?

130

130

Advertisement

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

Cybersecurity

Adam Shostack

JANUARY 2, 2025

The failure to secure boot keys should be a bigger deal. In case you missed it, Ars Technica has a story, Secure Boot is completely broken on 200+ models from 5 big device makers. The key* point is that Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway. At some level, I get it. Theres a lot of work to do in shipping a big complex system, even if that big complex system is in a small form factor.

Manufacturing 130

Manufacturing Software Marketing Encryption 130

Adam Shostack

JANUARY 2, 2025

Cyber Public Health is prompting fascinating conversations Recently I sat down with someone who had read the Cyber Public Health Workshop report. Ill call him Dan. Dan was enthusiastic about the ideas and goals, and pushed me to clarify the goals, and why people should get on board. He wasnt really satisfied with my answers, and he has a history of changing the way people think about the problems they face.

Government 130

Government CISO Advertising Engineering 130

Adam Shostack

JANUARY 2, 2025

The most important stories around threat modeling, appsec and secure by design for May, 2024. A memorial service for Ross Anderson will be held June 22 in Cambridge. Bruce Schneier wrote an obituary for Ross at CACM. Im told there will be a way to view the service remotely, and: [link] Passcode: L3954FrrEF. Threat Modeling Ron Thompson and co-authors have released "There are rabbit holes I want to go down that I'm not allowed to go down": An Investigation of Security Expert Threat Modeling Pract

Engineering 130

Engineering Software Government 130

Adam Shostack

JANUARY 2, 2025

The most important stories around threat modeling, appsec and secure by design for June, 2024. Threat Modeling The City of London police report that a homemade mobile antenna was used to send thousands of smishing messages Ive been skeptical of phone system security, but this is both important if youre trusting the phone system, as an example of an evolving threat, and really funny.

Scams 130

Scams Mobile Engineering Software 130

Advertisement

Explore how enterprises can enhance developer productivity and onboarding by adopting self-hosted Cloud Development Environments (CDEs). This whitepaper highlights the simplicity and flexibility of cloud-based development over traditional setups, demonstrating how large teams can leverage economies of scale to boost efficiency and developer satisfaction.

Adam Shostack

JANUARY 2, 2025

Why is it hard to count lockbit infections? I was surprised to see the headline FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out. I didn't think there were that many victims. Some somewhat lazy searching reveals: CISA (with other agencies) said 1,700 in Understanding Lockbit (June, 2023) Department of Justice said more than 2,500 victims in U.S.

Ransomware 130

Ransomware Cybersecurity 130

Adam Shostack

JANUARY 2, 2025

How to effectively threat model authentication. Recently, I wrote about threat modeling and logins , and I want to expand on that post to talk about methodologies. Before I do, I want to say the crucial step is consider What can go wrong? before implementing a defense, so that each defense is defending against a specific threat. (That implies that you need to go from consideration to keeping a list, and making sure that the list is specific and clear.

Authentication 130

Authentication Mobile 130

Adam Shostack

JANUARY 2, 2025

Threat modeling really CAN save you money, just ask Chuck! Back in April, Forrester published The Total Economic Impact Of The IriusRisk Automated Threat Modeling Platform. They looked at a composite of three organizations that moved from ad-hoc, manual threat modeling to automated threat modeling. One of the reports key findings was that cost savings from remediation avoidance was the biggest cost saving category with $4.9 million over a three-year period.

Technology 130

Technology Penetration Testing Software Mobile 130

Adam Shostack

JANUARY 2, 2025

Some inferences from layoffs in responsible AI teams Wendy Grossman asks what about all those AI ethics teams that Silicon Valley companies are disbanding? Just in the last few weeks, these teams have been axed or cut at Microsoft and Twitch. and I have a theory. My theory is informed by a conversation that I had with Michael Howard, maybe 20 years ago.

Architecture 130

Architecture Accountability Software Risk 130

Advertisement

IT leaders are experiencing rapid evolution in AI amid sustained investment uncertainty. As AI evolves, enhanced cybersecurity and hiring challenges grow. This whitepaper offers real strategies to manage risks and position your organization for success.

Cybersecurity