CISO-in-a-Box

CISO-in-a-Box (38)

Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millennium. 

Zoom, Zoom

What's one company that prospered hugely, almost unmanageably, off of the sudden work-from-home blast of early 2020? Zoom. And what's one company telling its employees to come back to the office now? If you're guessing, Zoom, you are correct. The whole conversation around returning to…

Continue reading...

Use MFA, Dammit!

I could say, "That's it.  That's the post."  But I won't leave it at that.  I will elaborate, because I feel I owe everyone a logical explanation of what MFA is, why it's so important, and how to do it right.   MFA stands for Multi-Factor…

Continue reading...

Safer Computing Returns Soon

The information security blog you know and love is on the way back! The older posts may take a while - they have to be recovered from an imperfect backup one at a time, by hand :/ 

Continue reading...

IoT Attack, Incident Response

I missed an installment on Friday, and maybe I'm a little tired of blogging about What's Wrong With the World. So here's a taste of something else. About a month ago, I had what I believe was a ransomware attack on my home infrastructure. I…

Continue reading...

Honesty

Wouldn't it be good if all applications and websites let you know this? Because it's true for almost all. Password storage is where many companies do not do all the right things, and do not do all the things right. There are many ways to…

Continue reading...
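As an added illustration of the storage problem the post points at (not code from the post, and the record format and parameter values are this example's own): the wrong way, an unsalted fast hash, sits next to the right way, a per-user random salt and a deliberately slow key-derivation function, checked in constant time. PBKDF2-HMAC-SHA256 is used because it is in the standard library; scrypt or Argon2 are stronger choices where available.

```python
"""Added example: how a site should and should not store passwords.
Record format 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>' is this
example's own convention, not any particular product's."""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # deliberately slow; raise as hardware gets faster
SALT_BYTES = 16


def store_badly(password: str) -> str:
    """No salt, one fast hash: every user with this password gets the same
    stored value, and a precomputed table or a GPU recovers it in moments."""
    return hashlib.md5(password.encode()).hexdigest()


def store_properly(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Fresh random salt per password, then a slow derivation. The salt and
    iteration count are stored alongside the hash so verify() can redo it."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the comparison itself cannot leak the stored hash byte by byte."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(hash_b64))


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with weaker parameters than current policy;
    check this after a successful login and re-store the password then."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(store_badly(pw) == store_badly(pw))            # True: identical, unsalted
    a, b = store_properly(pw), store_properly(pw)
    print(a != b, verify(pw, a), verify(pw, b))          # True True True
    print(verify("wrong", a), needs_rehash(a))           # False False
```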

Risk Analysis at the AT&T Store

Smartphone shopping. More fun than a root canal, isn't it? I needed a new phone to bring to my employer's BYOD program. I decided not to use my personal phone number with that, so my existing device was not under consideration. Also our BYOD program…

Continue reading...

Over/Under

Click Through for The Register Story

Starting Friday, Salesforce.Com had a fifteen-hour outage due to their having to "pull the plug" after a script went rogue and gave all comers full access to the database. Anyone logged in could do anything to anyone's data. Not…

Continue reading...

Ransomware

You have probably seen news of businesses and institutions being attacked by ransomware, and having to pay tens of thousands of dollars to get rid of it. Names like CryptoLocker, Fusob and WannaCry have floated by. But, what is ransomware? How does it work? How…

Continue reading...

Ads Just Keep Getting Worse

"Relevant" is the ad industry's current excuse for all the spying, tracking and intruding on our lives that they are currently tormenting us with. https://www.nytimes.com/2018/12/24/business/media/data-sharing-deals-privacy.html They "need" to suck down every aspect of our personal lives and habits and idle thoughts... so they can show…

Continue reading...

Breaches

Not Beaches! BReaches! Ah yes, breaches. Not really a much better movie, I'm afraid, yet we keep seeing it over and over. Big splashy headlines touting eye-popping numbers, followed by unsolicited offers of credit monitoring from companies who are really, really hoping their arbitration clauses…

Continue reading...

IT v. Security

One of my best friends is an IT guy, with about the same amount of career experience as I have. (We're old, get it?) When we get together, I notice that we each show the distinctive mindset of our specialties: he's always thinking, How can…

Continue reading...

Uptime 3: Climate Change

Data centers with thousands of computers in concentrated amounts of floor space do have to expend enormous amounts of energy keeping things cool. Your home data center can almost entirely ignore this issue, except where your computers have to be enclosed. At some point, you…

Continue reading...

Uptime 2: The Power

Your home is your data center. Maybe this sounds like a stretch but, unless you live a very low-tech existence (like this guy, perhaps?), this is how we all live now in the 21st century. Oh sure, you are not going to have to have raised…

Continue reading...

Uptime

Every one of us has a data center to care for. Not everyone takes it as seriously as some do. The mouseover text for this one reads: The weird sense of duty really good sysadmins have can border on the sociopathic, but it's nice to…

Continue reading...

Digital Assistants

AKA permanent spyware You must assume: if they can hear you ever, they can hear you always. Amazon is offering bedside units with cameras. What could possibly go wrong? In 1984, Orwell speculated the state would force us all to have in-home surveillance. We did…

Continue reading...

April Fool?

It's an established fact that any headline in the form of a yes/no question can safely be answered, "no." And so it is with today's post, as you will see. One of the things we humans have to watch out for is, who can use…

Continue reading...

The Wirecutter on 3-2-1 Backups

3-2-1 is the watchword for how to do backups. I have written about this a lot, as I consider it the most basic of security basics. If your data is backed up offsite, ransomware can't get to it, fire and flood can't get to it.

Continue reading...

Whose Net? Our Net!

On Dec 14 the FCC carried out its corporate masters' plan to gut net neutrality, responding to millions of astroturfed "comments" from dead people, etc. This action made the work of the Electronic Frontier Foundation all the more critical. On Feb 7, one of the…

Continue reading...

Again, 10?

Back in 2016, I swore off Windows completely and especially Windows 10. One of the reasons was a "feature" called Telemetry, that basically amounts to "Windows 10 is 100% spyware." It was widely reported at the time, along with an elaborate hokey-pokey you could dance…

Continue reading...

Nukes Inbound to Hawaii! NOT!

The word on why we got treated to a false alarm about missiles heading for Hawaii is this: (over-simplification alert!) They clicked Yes. There's a security lesson here. Stop and take a breath and read all these prompts. Clicking OK automatically is the road to…

Continue reading...

Scam Busting

Email scams have been a problem almost as long as there has been email. Today's joint is not about the basics of that, I have dealt with those before. Scambusters is a great source of detailed information about these scams, and how to avoid being…

Continue reading...

OMC: Oh MyCloud!

In a revelation that should surprise exactly nobody, security researchers have revealed that Western Digital MyCloud drives have a built-in backdoor. A hard-coded username and password give privileged command line access to the device, which may then be compromised however the attacker sees fit. This…

Continue reading...

Have a Random New Year

Randomness is important. You use it in the physical world when you shuffle a deck for a game of cards or roll a D12 for a result in Dungeons & Dragons. But you need it even more in the digital world, and it's more difficult…

Continue reading...

Safer Social Media

We live in the age of social media, that’s for sure. Facebook claims over 2 billion people as its users. Twitter is how we first get breaking news, how we know it’s time to turn on CNN or MSNBC to see what happened when the…

Continue reading...

Told Ya

[ missing picture: Lisa lost her computer to theft, is now posting notices begging the thief to burn the files to a CD and send them to her] Maybe this is churlish, but I told ya. And told ya some more. I struggle to empathize…

Continue reading...

Safer Email

Today let's think about how to be safer using the oldest internet application still in common use: email. Email predates the Web by about twenty years. So when young people accuse it of being “for old folks” (meaning, people like me) I have to admit…

Continue reading...

Modeling Job for You

Motherboard, a part of Vice magazine, has published a very good Guide to Not Getting Hacked. It's also available as a PDF. One of my favorite sections draws from the EFF Surveillance Self-Defense page. "Threat modeling" may sound like something a management consultant would explain to you…

Continue reading...

What's Missing?

What's missing from this pretty-good article? Give it a read, but the TL;DR is that a NY Times cyber-security writer tells us what she does to make herself safer online. It includes everything I do, and a few things I don't. But there's one crucial…

Continue reading...

Internet of Crap

Welcome to the wonderful world of the Internet of Things. You’ve probably seen this term in the news a bit lately. Perhaps you read about it in connection with a massive botnet called Mirai, or its even more potent descendant, IoT_reaper. The term Internet of…

Continue reading...

Hacker ≠ Criminal!

Whenever a news story breaks about information security (usually a radically bad FAILURE thereof) then "security researchers" or "consultants" get trotted out by the media to give expert soundbites. David Kennedy was a keynote speaker at the recently-concluded Rochester Security Summit, so he'll do for…

Continue reading...

Why I Block Ads. Everywhere.

Advertising supports a lot of the content you enjoy on the Internet. The economics of it should be simple. An advertiser pays a certain amount to get a commercial message in front of many readers or viewers. Some percentage of those viewers make a purchase.

Continue reading...

3-2-1 Backup

Backup is the most basic information security measure. Whatever else happens, your worst-case, baseline fall back is: restore from a backup and get back to work. So you always want to make sure your backups are rock-solid. A rule of thumb for how to ensure…

Continue reading...

Cloudy With a Chance of Information Security

The Cloud! It sounds so… ethereal. We’re all going to have computers floating around in the air? What’s going on here, really? Today, let's look at data storage "in the cloud" and how we can use it more safely. A sticker on my laptop says,…

Continue reading...

Your Passwords Suck

So do mine. What can you say? Maybe I should write that, p@5SW0rdz? It doesn’t matter. We all use passwords. It’s the simplest and most popular method systems and sites have to authenticate us. But let’s face it, passwords suck. There are lots of problems…

Continue reading...

Death and Taxes

Death and Taxes. With enough lawyers you can avoid most of the taxes, but as sure as I am typing these words, and you are reading them, every one of us is going to die[*]. While we each have a will to cover our possessions…

Continue reading...

The Most Basic of Basics

There are three elements of safer computing: Everything I am going to suggest to you in these pages supports at least one of these elements. There are a lot of things to talk about, and some of them need a pretty detailed discussion. But to…

Continue reading...

Hello, World

I call this blog “Safer Computing” because I want to evoke some of the same ideas we think about when we talk about “safer sex.” We know sex with others can’t ever be 100% absolutely safe. So we are being clear-eyed about those risks when…

Continue reading...

Horse Battery Staple is Correct After All

The password advice we all hate - upper and lower case, numerals and punctuation, change it frequently - is wrong. We knew this in our guts, but now Bill Burr, the original author of the NIST report that started it all in 2003, has recanted. So…

Continue reading...
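An added example that ties this post to "Have a Random New Year" above (it is not code from either post): a passphrase built the "correct horse battery staple" way needs two things, a word list and a random source that an attacker cannot reproduce. The block shows the entropy arithmetic that makes four common words beat the old complexity rule, draws words with the `secrets` module, and shows why the ordinary `random` module is the wrong tool. The word list embedded here is a short constructed sample; the entropy figures use real list sizes (2048 and 7776 words) passed in as parameters.

```python
"""Added example: Diceware-style passphrases, their entropy, and the
difference between a CSPRNG (secrets) and a seeded PRNG (random)."""
import math
import random
import secrets

# Constructed sample list; a real Diceware list has 7776 words, the EFF short
# list 1296, the xkcd comic assumes a vocabulary of about 2048.
SAMPLE_WORDS = [
    "anvil", "barn", "candle", "delta", "ember", "falcon", "garnet", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "xenon",
    "yonder", "zipper", "acorn", "bishop", "cobalt", "dagger", "elbow", "fossil",
]


def words_entropy_bits(n_words: int, list_size: int) -> float:
    """Each word chosen uniformly from list_size candidates adds log2(list_size)
    bits, regardless of how long the words are."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Upper bound for a character password: only reached if every character
    is chosen uniformly, which humans picking 'Tr0ub4dor&3' do not do."""
    return length * math.log2(charset_size)


def make_passphrase(n_words: int = 4, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """secrets.choice draws from the OS CSPRNG; the result cannot be replayed."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def predictable_passphrase(seed: int, n_words: int = 4, wordlist=SAMPLE_WORDS) -> str:
    """The wrong way: random.Random is a Mersenne Twister. Anyone who knows or
    guesses the seed (a timestamp, a PID) reproduces the passphrase exactly,
    and even unseeded its state can be recovered from enough outputs."""
    rng = random.Random(seed)
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(make_passphrase(4))
    print("4 words from 2048:", words_entropy_bits(4, 2048), "bits")      # 44.0
    print("4 words from 7776: %.1f bits" % words_entropy_bits(4, 7776))   # 51.7
    print("8 random printable chars: %.1f bits" % charset_entropy_bits(8, 95))
    print(predictable_passphrase(2018) == predictable_passphrase(2018))  # True
```

The entropy comes from the size of the list and the number of words, not from punctuation or capitalisation, which is exactly why the rule this post recants did not buy much: a human-chosen eleven-character "complex" password sits far below the 52.6-bit upper bound the formula gives for eight truly random printable characters.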