What's new around the internet


Date (GMT) | Title | Description | Tags / Notes
2019-02-01 22:19:00 | Incentives and Multifactor Authentication | It’s well known that adoption rates for multi-factor authentication are poor. For example, “Over 90 percent of Gmail users still don't use two-factor authentication.” Someone was mentioning to me that there are bonuses in games. You get access to special rooms in Star Wars Old Republic. There’s a special emote in Fortnite. (Above) How well… |
2019-01-31 21:25:04 | Threat Modeling: Attackers May Adapt, Respond | This is a really interesting post* about how many simple solutions to border security fail in the real world. Not everywhere has the infrastructure necessary to upload large datasets to the cloud. Most cloud providers are in not-great jurisdictions for some threat models. Lying to border authorities, even by omission, ends badly. Fact is, the… | Threat
2019-01-23 16:10:02 | Threat Modeling as Code | Omer Levi Hevroni has a very interesting post exploring ways to represent threat models as code. The closer threat modeling practices are to engineering practices already in place, the more it will be impactful, and the more it will be a standard part of delivery. There’s interesting work in both transforming threat modeling thinking into… | Threat
2019-01-10 17:28:02 | Linkedin Learning: Producing a Video | My Linkedin Learning course is getting really strong positive feedback. Today, I want to peel back the cover a bit, and talk about how it came to be. Before I struck a deal with Linkedin, I talked to some of the other popular training sites. Many of them will buy you a microphone and some… |
2019-01-10 16:39:01 | IriusRisk 2.0 | I’m excited to be able to share “Announcement: IriusRisk Threat Modeling Platform 2.0 Released.” If you’re looking to scale your enterprise threat modeling program, this is worth a look. | Threat
2019-01-06 23:35:04 | New year, new theme | I’ve updated the blog theme. Please let me know if I broke anything. |
2019-01-02 21:20:04 | Scaling Threat Modeling Training | For the last few years, I’ve been delivering in-person threat modeling training. I’ve trained groups ranging from 2 to 100 people at a time, and I’ve done classes as short as a few hours and as long as a week. That training is hands on and intense, and I’m very proud that my NPS customer… | Threat ★★
2018-12-24 19:59:03 | Beyond Elf on a Shelf | |
2018-12-21 17:04:01 | High ROI Security Advisory Boards | Lance Cottrell has a blog “The Why and How of High ROI Security Advisory Boards” over at the Ntrepid blog. I’m pleased to be a part of the board he’s discussing, and will quibble slightly — I don’t think it’s easy to maximize the value of the board. It’s taken effort on the part of… |
2018-12-17 15:07:03 | Pivots and Payloads | SANS has announced a new boardgame, “Pivots and Payloads,” that “takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker. The game helps you learn while you play. It’s also a great way to showcase to others what… |
2018-12-12 21:39:03 | Resources for Infosec Skillbuilding | Thanks to the kind folks at Digital Guardian for including my threat modeling book in their list of “The Best Resources for InfoSec Skillbuilding.” It’s particularly gratifying to see that the work is standing the test of time. | Threat
2018-12-11 16:00:05 | House Oversight Committee on Equifax | The House Oversight Committee has released a scathing report on Equifax. Through the investigation, the Committee reviewed over 122,000 pages of documents, conducted transcribed interviews with three former Equifax employees directly involved with IT, and met with numerous current and former Equifax employees, in addition to Mandiant, the forensic firm hired to conduct an investigation… | Equifax
2018-12-07 18:01:01 | Structures, Engineering and Security | J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers. Buildings don’t fall down because they’re engineered from a set of materials to meet the goals of carrying appropriate loads. Those materials… |
2018-11-29 16:57:03 | Gavelblocken, 2018 | The 2018 Gavle Goat is up and tweeting at @gavelebocken. Previously. |
2018-11-26 17:21:01 | Books which are worth your time: Q4 | Nonfiction: The Brothers: John Foster Dulles, Allen Dulles, and Their Secret World War is a fascinating biography of the Dulles brothers, and how the world changed through their lives and actions. One ran the State department, the other the CIA. Weapons of Math Destruction by Cathy O’Neil is an interesting overview of problems with machine… |
2018-11-15 19:11:00 | Threat Modeling in 2018 (video release) | Blackhat has released all the 2018 US conference videos. My threat modeling in 2018 video is, of course, amongst them. Slides are linked here. | Threat
2018-11-09 22:09:03 | Change in the Weather | A remote Hawaiian island, East Island, was destroyed by Hurricane Walaka. East Island was 11 acres. It was also a key refuge for turtles and seals. Read more in The Guardian. Maersk has sent a ship, the Venta Maersk, through the Northern Passage. The journey and its significance were outlined by the Washington Post, with… |
2018-11-01 17:48:00 | Airline Safety | There’s an interesting article in the CBC, where journalists took a set of flights, swabbed surfaces, and worked with a microbiologist to culture their samples. What they found will shock you! Well, airplanes are filthy. Not really shocking. What was surprising to me was that the dirtiest of the surfaces they tested was the headrest. … |
2018-10-29 15:43:00 | Podcast with Ron Woerner | Ron Woerner had me on as a guest in his business of security podcast series. It was fun to tease out some of the business justifications for threat modeling, and the podcast is now live at itunes. You can learn more about the series at Business of Security Podcast Series. | Threat
2018-10-17 16:54:03 | Privacy Extension to Elevation of Privilege game | The fine folks at Logmein have released a version of Elevation of Privilege that adds privacy! Check out the fine work by Mark Vinkovits at their blog. |
2018-10-16 21:19:00 | Measuring ROI for DMARC | I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis of It shows the 1,046 domains that have successfully activated strong protection with GCA's DMARC… | Threat
2018-10-12 20:43:01 | GAO Report on Equifax | I have regularly asked why we don’t know more about the Equifax breach, including in comments in “That Was Close! Reward Reporting of Cybersecurity ‘Near Misses’.” These questions are not intended to attack Equifax. Rather, we can use their breach as a mirror to reflect, and ask questions about how defenses work, and learn things… | Equifax
2018-10-09 22:12:04 | Does PCI Matter? | There’s an interesting article at the CBC, about how in Canada, “More than a dozen federal departments flunked a credit card security test:” Those 17 departments and agencies continue to process payments on Visa, MasterCard, Amex, the Tokyo-based JCB and China UnionPay cards, and federal officials say there have been no known breaches to date. … |
2018-10-04 17:49:00 | The Architectural Mirror (Threat Model Thursdays) | A few weeks ago, I talked about “reflective practice in threat modeling,” thinking about how we approach the problems we face, and asking if our approaches are the best we can do. Sometimes it’s hard to reflect. It’s hard to face the mirror and say ‘could I have done that better?’ That’s human nature. Sometimes,… | Threat
2018-10-02 16:18:05 | CVE Funding and Process | I had not seen this interesting letter (August 27, 2018) from the House Energy and Commerce Committee to DHS about the nature of funding and support for the CVE. This is the sort of thoughtful work that we hope and expect government departments do, and kudos to everyone involved in thinking about how CVE should… |
2018-09-25 20:30:05 | Space Elevator Test | So cool! STARS-Me (or Space Tethered Autonomous Robotic Satellite – Mini elevator), built by engineers at Shizuoka University in Japan, is comprised of two 10-centimeter cubic satellites connected by a 10-meter-long tether. A small robot representing an elevator car, about 3 centimeters across and 6 centimeters tall, will move up and down the cable using… |
2018-09-14 11:34:02 | Reflective Practice and Threat Modeling (Threat Model Thursday) | Lately, I’ve been asking what takes threat modeling from a practice to a mission. If you’re reading this blog, you may have seen that some people are nearly mad about threat modeling. The ones who say “you’re never done threat modeling.” The ones who’ve made it the center of their work practice. What distinguishes those… | Threat
2018-08-23 22:55:05 | Threat Model Thursday: Legible Architecture | The image above is the frequency with which streets travel a certain orientation, and it’s a nifty data visualization by Geoff Boeing. What caught my attention was not just the streets of Boston and Charlotte, but the lack of variability shown for Seattle, which is a city with two grids. But then there was this… | Threat
2018-08-21 15:06:00 | Toolbox: After a Conference | Wow. Blackhat, Defcon, I didn’t even make the other conferences going on in Vegas. And coming back it seems like there’s a sea of things to follow up on. I think a little bit of organization is helping me manage better this year, and so I thought I’d share what’s in my post-conference toolbox. I’m… |
2018-08-13 21:30:05 | Aretha Franklin | I remember an interview I read with Ahmet Ertegün, the founder of Atlantic Records. He was talking about Aretha, and he said that one of his producers came in, saying that she wasn’t measuring up. He asked the producer what was up, and was told that they were trying to get her to sing like… |
2018-08-13 17:11:04 | Threat Modeling in 2018: Attacks, Impacts and Other Updates | The slides from my Blackhat talk, “Threat Modeling in 2018: Attacks, Impacts and Other Updates,” are now available either as a PDF or online viewer. | Threat
2018-08-06 14:52:03 | CSO on AppSec at the Speed of Devops | “20 Ways to Make AppSec Move at the Speed of DevOps” is in CSO. It’s a good collection, and I’m quoted. |
2018-08-06 00:18:01 | CyberSecurity Hall of Fame | Congratulations to the 2016 winners! Dan Geer, Chief Information Security Officer at In-Q-Tel; Lance J. Hoffman, Distinguished Research Professor of Computer Science, The George Washington University; Horst Feistel, Cryptographer and Inventor of the United States Data Encryption Standard (DES); Paul Karger, High Assurance Architect, Prolific Writer and Creative Inventor; Butler Lampson, Adjunct Professor at MIT,… |
2018-07-31 15:56:03 | Summer Reading List | I’m honored to have my threat modeling book on this short list with Daniel Kahneman, Tony Hsieh, Nicole Forsgren, and Tom DeMarco: “Summer Reading List: Top Recommendations from our Engineers.” | Threat
2018-07-30 18:17:05 | CyberSecurity 2.0 Humble Bundle | Cybersecurity 2.0 is a new promo from Humble Bundle. Nearly $800 worth of books, including my Threat Modeling, Schneier’s Secrets and Lies, and a whole lot more! | Threat
2018-07-24 23:23:01 | Half the US population will live in 8 states | That’s the subject of a thought-provoking Washington Post article, “In about 20 years, half the population will live in eight states,” and 70% of Americans will live in 15 states. “Meaning 30 percent will choose 70 senators. And the 30% will be older, whiter, more rural, more male than the 70 percent.” Of course, as… |
2018-07-20 21:10:05 | Hey, this movie looks pretty interesting! | |
2018-07-17 16:21:00 | Keeping the Internet Secure | Today, a global coalition led by civil society and technology experts sent a letter asking the government of Australia to abandon plans to introduce legislation that would undermine strong encryption. The letter calls on government officials to become proponents of digital security and work collaboratively to help law enforcement adapt to the digital era. In… |
2018-07-16 21:22:01 | Games and Cards | Emergynt has created the Emergynt Risk Deck, a set of 51 cards, representing actors, vulnerabilities, targets, consequences and risks. It’s more a discussion tool than a game, but I have a weakness for the word “emergent,” and I’ve added it to my list of security games. Also, Lancaster University has created an Agile Security Game. | Tool
2018-07-13 16:36:02 | Friday Star Wars | Oddly, I am unable to find this on Etsy. Perhaps the Disney Corporation, new owners of Star Wars, doesn’t like mousetraps? |
2018-07-12 21:52:02 | Threat Modeling Thursday: 2018 | So this week’s threat model Thursday is simply two requests: What would you like to see in the series? What would you like me to cover in my Blackhat talk, “Threat Modeling in 2018?” “Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important… | Threat
2018-07-09 15:51:03 | Automotive Privacy | I had missed the story “Big Brother on wheels: Why your car company may know more about you than your spouse.” There are surprising details, including that you might be able to shut it off, and the phrase “If a customer declines, we do not collect any data from the vehicle.” I do wonder how… |
2018-07-05 17:10:01 | Threat Model Thursdays: Crispin Cowan | Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame. What are we working on? One of the places where Crispin goes deeper is definitional. He’s very precise about… | Threat Industrial APT 40
2018-06-28 19:52:04 | Continuum Interview | Continuum has released a video of me and Stuart Winter-Tear in conversation at the Open Security Summit: “At the recent Open Security Summit we had the great pleasure of interviewing Adam Shostack about his keynote presentation “A seat at the table” and the challenge of getting security involved in product and application design. We covered… |
2018-06-25 15:17:05 | Carpenter! | The decision in Carpenter v. United States is an unusually positive one for privacy. The Supreme Court ruled that the government generally can't access historical cell-site location records without a warrant. (SCOTUS Blog links to court documents.) The court put limits on the “third party” doctrine, and it will be fascinating to see how those… |
2018-06-21 16:21:02 | Threat Model Thursday: Architectural Review and Threat Modeling | For Threat Model Thursday, I want to use current events here in Seattle as a prism through which we can look at technology architecture review. If you want to take this as an excuse to civilly discuss the political side of this, please feel free. Seattle has a housing and homelessness crisis. The cost of… | Threat
2018-06-14 22:32:05 | Threat Model Thursday: Chromium Post-Spectre | Today’s Threat Model Thursday is a look at “Post-Spectre Threat Model Re-Think,” from a dozen or so folks at Google. As always, I’m looking at this from a perspective of what can we learn and to encourage dialogue around what makes for a good threat model. What are we working on? From the title, I’d… |
2018-06-11 15:25:02 | ‘EFAIL’ Is Why We Can’t Have Golden Keys | I have a new essay at Dark Reading, “‘EFAIL’ Is Why We Can't Have Golden Keys.” It starts: There’s a newly announced set of issues labeled the “EFAIL encryption flaw” that reduces the security of PGP and S/MIME emails. Some of the issues are about HTML email parsing, others are about the use of CBC… |
2018-06-10 16:29:03 | Eagle vs Fox | Kevin Ebi captured an amazing set of images of an eagle and a fox fighting over a rabbit. Check them out and read the story at his site. |
2018-06-06 06:54:03 | Conway’s Law and Software Security | In “Conway’s Law: does your organization's structure make software security even harder?,” Steve Lipner mixes history and wisdom: As a result, the developers understood pretty quickly that product security was their job rather than ours. And instead of having twenty or thirty security engineers trying to “inspect (or test) security in” to the code, we… |
Last update at: 2024-05-02 16:08:02