Security

There were widely circulated reports of voice cloning being used in phishing. I’ve been predicting these for a while (Threat modeling in 2018 at Blackhat, 28 minutes in), but Guillaume Ross asked some really good questions about it. A new John Locke manuscript, “The Toleration of Papists” has been discovered and published. (Short analysis in…

Read more: Interesting Reads

If you needed more reasons to move away from using SMS-based authentication, and from treating phone companies as trusted, “AT&T employees took over $1 million in bribes to plant malware and unlock millions of smartphones: DOJ”. Abuse reporting systems are being abused. You need to threat model and play the chess game. “How Flat Earthers Nearly…

Read more: Interesting Reads, August 19


There was a really interesting paper at the Workshop on the Economics of Information Security. The paper is “Valuing CyberSecurity Research Datasets.” The paper focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes the research that’s done. On its way to that valuation, a very…

Read more: Valuing CyberSecurity Research Datasets


“Safety First For Automated Driving” is a big, over-arching whitepaper from a dozen automotive manufacturers and suppliers. One way to read it is that those disciplines have strongly developed safety cultures, which generally do not consider cybersecurity problems. This paper is the cybersecurity specialists making the argument that cyber will fit into safety, and how…

Read more: Safety and Security in Automated Driving

Bruce Marshall has put together a comparison of OWASP ASVS v3 and v4 password requirements: OWASP ASVS 3.0 & 4.0 Comparison. This is useful in and of itself, and is also the sort of thing that more standards bodies should do, by default. It’s all too common to have a new standard come out without…

Read more: Passwords Advice


I’m happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance. They asked us to look at the value of DNS security, such as when your DNS provider uses threat intel to block malicious sites. It’s surprising how effective it is for…

Read more: DNS Security


There’s a fascinating paper, “Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments.” (It came out about a year ago.) The researchers examined what happens in people’s brains when they look at warnings, and they found that: Research in the fields of information systems and human-computer interaction has…

Read more: Polymorphic Warnings On My Mind