Adam Shostack

JANUARY 2, 2025

NCC has released a threat model for Google Cloud Platform. What can it teach us? In Threat Modelling Cloud Platform Services by Example: Google Cloud Storage Ken Wolstencroft of NCC presents a threat model for Google Cloud Storage, and Id like to take a look at it to see what we can learn. As always, and especially in these Threat Model Thursday posts, my goal is to point out interesting work in a constructive way.

Engineering 246

Engineering Authentication 246

Schneier on Security

JANUARY 2, 2025

Lukasz Olejnik writes about device fingerprinting, and why Google’s policy change to allow it in 2025 is a major privacy setback.

Data collection 280

Data collection 280

Tech Republic Security

JANUARY 1, 2025

Patch Tuesday is Microsofts monthly update day for fixing vulnerabilities. Learn its purpose, benefits, and how it enhances system security.

Software 152

Software Cybersecurity 152

Adam Shostack

JANUARY 2, 2025

A new paper on 'Pandemic Scale Cyber Events Josiah Dykstra and I have a new pre-print at Arxiv, Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19. The abstract is: The devastating health, societal, and economic impacts of the COVID-19 pandemic illuminate potential dangers of unpreparedness for catastrophic pandemic-scale cyber events.

Cyber threats 130

Cyber threats Government Cybersecurity 130

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

Adam Shostack

JANUARY 2, 2025

How can we measure the ROI on an awareness month? As we wrap up another cybersecurity awareness month, Id like to ask: Is it worth the money and effort? If it is, we should be able to see evidence of that in reductions of successful attacks in October/November, slowly rising over time as the effect of the awareness campaign drips evaporates, and then renewing the next year.

Cybersecurity 130

Cybersecurity Marketing Information Security 130

Schneier on Security

DECEMBER 30, 2024

The US government has identified a ninth telecom that was successfully hacked by Salt Typhoon.

Government 251

Government Hacking 251

Security Affairs

JANUARY 3, 2025

Experts warn of a new PoC exploit, LDAPNightmare, that targets a Windows LDAP flaw (CVE-2024-49113), causing crashes & reboots. The vulnerability CVE-2024-49113 (CVSS score of 7.5), namedLDAPNightmare, is a Windows Lightweight Directory Access Protocol (LDAP) Denial of Service flaw that was discovered by the researcher Yuki Chen. An attacker can exploit the now-patched vulnerability to trigger a denial of service condition.

DNS 132

DNS Internet Internet Hacking 132

Adam Shostack

JANUARY 2, 2025

My latest at Dark Reading draws attention to how Microsoft can fix ransomware tomorrow. My latest article at Dark Reading is Microsoft Can Fix Ransomware Tomorrow. It starts: Recently, I was at a private event on security by design. I explained that Microsoft could fix ransomware tomorrow, and was surprised that the otherwise well-informed people I was speaking to hadn't heard about this approach.

Ransomware 225

Ransomware Encryption Software 225

Schneier on Security

JANUARY 3, 2025

ShredOS is a stripped-down operating system designed to destroy data. GitHub page here.

230

230

Tech Republic Security

DECEMBER 30, 2024

Microsoft advises users not to install recent security updates using physical media. The company is working on a fix.

Media 178

Media Cybersecurity 178

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Security Affairs

DECEMBER 28, 2024

Pro-Russia group NoName057 targets Italian sites, including Malpensa and Linate airports, in a new DDoS campaign amid rising geopolitical tensions. The pro-Russia group NoName57 continues its campaign of DDoS attacks against Italian infrastructure. This time, the group of alleged hacktivists targeted multiple websites, include the sites of Malpensa and Linate airports, as well as the site of the Ministry of Foreign Affairs (Farnesina) and the Turin Transport Group (GTT).

DDOS 136

DDOS Artificial Intelligence Government Cybercrime 136

Adam Shostack

JANUARY 2, 2025

2024 is bringing lots of AI, and Liability, too At the start of 2024, appsec is moving through two major inflection points: liability and AI. The first has two facets: how do we secure AI systems, and how do we use AI in appsec? The second major inflection is driven by governments re-arranging liability from software operators to software makers. And as I think about where we are in 2024, Im optimistic and hopeful because of a third change, much more nascent, that lays groundwork for assessing a

Software 227

Software Government Security Awareness Passwords 227

Penetration Testing

JANUARY 3, 2025

EditThisCookie, a browser extension with over 3 million downloads, primarily used for editing local cookie files, has been The post Beware! Fake EditThisCookie Extension Steals User Data appeared first on Cybersecurity News.

Cybersecurity 145

Cybersecurity Malware 145

Tech Republic Security

JANUARY 3, 2025

Here's how to use the secure copy command, in conjunction with ssh key authentication, for an even more secure means of copying files to your remote Linux servers.

Authentication 157

Authentication 157

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Security Affairs

DECEMBER 30, 2024

Cisco confirmed the authenticity of the 4GB of leaked data, the data was compromised in a recent security breach, marking the second leak in the incident. Cisco confirmed the authenticity of the 4GB of leaked data, which was compromised in a recent security breach, marking it as the second leak in the incident. “We are aware of some recent social media posts made by the actor.

Data breaches 135

Data breaches Cybercrime Authentication Technology 135

Adam Shostack

JANUARY 2, 2025

Why its ok to use the Defcon wifi Many security professionals, especially on social media, have an unfortunate tendency towards what we might call performative security. Its where people broadcast their security measures to show how aware they are, and they suggest others follow their lead. Its the inverse of security theater where ineffective security is imposed on us by organizations.

Media 246

Media Authentication Malware 246

Penetration Testing

JANUARY 2, 2025

A revelation emerged from the Chaos Communication Congress (CCC) last week, shaking the foundations of Windows’ trusted BitLocker The post Patched But Still Vulnerable: Windows BitLocker Encryption Bypassed Again appeared first on Cybersecurity News.

Encryption 145

Encryption Cybersecurity 145

WIRED Threat Level

JANUARY 3, 2025

A network of Facebook pages has been advertising fuel filters that are actually meant to be used as silencers, which are heavily regulated by US law. Even US military officials are concerned.

Advertising 136

Advertising Media 136

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Zero Day

JANUARY 3, 2025

Cache and cookies can clog your browser and slow down your iPhone, but there's a simple way to bring your device back up to speed and give it a performance boost for the new year. Here's how.

130

130

Adam Shostack

JANUARY 2, 2025

Lets explore the risks associated with Automated Driving. " Safety First For Automated Driving " is a big, over-arching whitepaper from a dozen automotive manufacturers and suppliers. One way to read it is that those disciplines have strongly developed safety cultures, which generally do not consider cybersecurity problems. This paper is the cybersecurity specialists making the argument that cyber will fit into safety, and how to do so.

Risk 180

Risk Architecture Manufacturing Cybersecurity 180

Penetration Testing

JANUARY 1, 2025

SafeBreach Labs revealed a zero-click vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service, dubbed LDAP Nightmare. The post PoC Exploit Released for Zero-Click Vulnerability CVE-2024-49112 in Windows appeared first on Cybersecurity News.

Cybersecurity 145

Cybersecurity 145

Tech Republic Security

DECEMBER 30, 2024

VyprVPN is known for strong performance with top-notch security and speed. Discover if it remains a reliable choice for privacy and streaming this year and beyond.

VPN 140

VPN 140

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Adam Shostack

JANUARY 2, 2025

The CSRB has released its report into an intrusion at Microsoft, and.its a doozy. The Cyber Safety Review Board has released its report into an intrusion at Microsoft, and. its a doozy. It opens: The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft. With some time to reflect on the findings, I think the report is best characterized as a well-earned rebuke to Microsoft.

Government 130

Government Risk Authentication Technology 130

Adam Shostack

JANUARY 2, 2025

Phishing behaviors, as observed in the wild. Theres a good article on the UKs National Cyber Security Centre blog, Telling users to avoid clicking bad links still isnt working. It starts: Let's start with a basic premise: several of the established tenets in security simply dont work. One example is advising users not to click on bad links. Users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job.

Phishing 130

Phishing Accountability 130

Adam Shostack

JANUARY 2, 2025

Threat model Thursday, let's dive deep into a detailed approach to using ATT&CK For Threat Model Thursday, lets look at Threat Modeling with ATT&CK from the Center for Threat Informed Defense at MITRE. As always with Threat Model Thursday, my goal is to respectfully engage with interesting work and ask what we can learn from it. This one is particularly interesting because Ive been teaching threat modeling with kill chains, including ATT&CK, for many years.

Risk 130

Risk Government 130

Adam Shostack

JANUARY 2, 2025

A less busy month in appsec, AI, and regulation, but still interesting stories Im going to kick off with two interesting engineering stories. First, the Washington Post reports on how Officials studied Baltimore bridge risks but didnt prepare for ship strike that discusses the challenges of securing bridges against modern cargo ships. It turns out that additional barriers were a known tradeoff.

Engineering 130

Engineering Software Cybersecurity Risk 130

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Adam Shostack

JANUARY 2, 2025

Join us for a provocative exploration on Thursday! What can Cybersecurity learn from the covid pandemic? Josiah Dykstra and I will be speaking at the Ostrom Workshop Cyber Public Health Working Group, tomorrow, Thursday the 28th at 3 Eastern. The COVID-19 pandemic forced us all to confront a widespread, deadly, and rapidly spreading biological threat.

Cybersecurity 130

Cybersecurity Cyber threats Technology 130

Adam Shostack

JANUARY 2, 2025

What should hackathon judges value? The Threat Modeling Connect team has built a hackathon thats gotten a lot of enthusiastic participation over the last few years. Today I want to discuss the design of that hackathon, talk about an effect of the design and ask if we can do something different. None of this is intended to critique the organizers, participants or judges.

Architecture 130

Architecture Technology Authentication Software 130

Adam Shostack

JANUARY 2, 2025

Authentication is more frustrating to your customers when you dont threat model. Recently, I was opening a new bank account. The bank unexpectedly sent me a temporary password to sign up, and when I did, the temporary password had expired. So it sent me another, this time warning me it was only going to last ten minutes. But then, after I went to reset the password, the bank emailed me a one time code.

Banking 130

Banking Passwords Password Management Authentication 130

Adam Shostack

JANUARY 2, 2025

A busy month in appsec, AI, and regulation. Breaking: Alec Muffett reports that Ross Anderson has passed away. Ross was a giant of the field and Im shocked. Regulation The White House released a report on memory safe languages. Stop, read those words again. That the White House is involved should not be a shocker to readers of this blog, and it represents a fascinating state of the evolution of the conversation around memory safety that it would reach that level. ( Press release , technical repo

Software 130

Software Advertising Hacking 130

Advertisement

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Software