Category Archives: SecurityBlog

I was having some security conversations last week and cybersecurity insurance came up as a topic. This isn’t overly unusual as it’s a pretty popular topic, but someone said something that really got me thinking. What if the insurance covered the customers instead of the companies? Now I understand that many cybersecurity insurance policies canContinue reading “Stealing from customers”

If you pay attention to Twitter at all, you’ve probably seen people arguing about patching your enterprise after the WannaCry malware. The short story is that Microsoft fixed a very serious security flaw a few months before the malware hit. That means there are quite a few machines on the Internet that haven’t applied aContinue reading “You know how to fix enterprise patching? Please tell me more!!!”

I was reading the newspaper the other day (the real dead tree newspaper) and I came across an op-ed from my congressperson. Gallagher: Cybersecurity for small business It’s about what you’d expect but comes with some actionable advice! Well, not really. Here it is so you don’t have to read the whole thing. Businesses canContinue reading “Security like it’s 2005!”

The other day I ran across someone trying to keep their locker secured by using a combination lock. As you can see in the picture, the lock is on the handle of the locker, not on the loop that actually locks the door. When I saw this I had a good chuckle, took a picture,Continue reading “Security fail is people”

Every now and then I see something on a blog or Twitter about how you can’t replace a pen test with a bug bounty. For a long time I agreed with this, but I’ve recently changed my mind. I know this isn’t a super popular opinion (yet), and I don’t think either side of thisContinue reading “I have seen the future, and it is bug bounties”

It’s that time of year again. I don’t mean when all the government secrets are leaked onto the Internet by some unknown organization. I mean the time of year when it’s unsafe to cross streets or ride your bike. At least in the United States. It’s possible more civilized countries don’t have this problem. IContinue reading “Crawl, Walk, Drive”

One of the few themes that comes up time and time again when we talk about security is how bad people tend to be at understanding what’s actually going on. This isn’t really anyone’s fault, we’re expecting people to go against what is essentially millions of years of evolution that created our behaviors. Most securityContinue reading “The obvious answer is never the secure answer”

If you pay any attention to the security universe, you’re aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well, I’m not seeingContinue reading “Remember kids, if you’re going to disclose, disclose responsibly!”

I’ve started a project to put the CVE data into Elasticsearch and see if there is anything clever we can learn about it. Ever if there isn’t anything overly clever, it’s fun to do. And I get to make pretty graphs, which everyone likes to look at. I stuck a few of my early resultsContinue reading “Inverse Law of CVEs”

Last week there was a story about Consumer Reports doing security testing of products. Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security As one can imagine there were a fair number of “they’ll get it wrong” sort of comments. They will get it wrong, at first, but that’s not a reasonContinue reading “Security, Consumer Reports, and Failure”