Author Archives: Tom

Introducing the Shared Security Weekly Blaze Podcast

Filed under Podcast

As many of you may know, I’ve been co-hosting the Shared Security Podcast (formerly known as the Social Media Security Podcast) with my fabulous co-host Scott Wright from Security Perspectives Inc. We’ve been recording this podcast every month (mostly) since 2009, and over the years many of our listeners have told us they wanted a weekly podcast. So this year we’ve decided to step up our podcasting game and release a weekly episode with a brand new format.

This new weekly podcast is called the Shared Security Weekly Blaze. In this podcast we’ll be covering the top 3 privacy and security news topics from the previous week. This new format is designed to give you fast and consumable security and privacy “news that you can use”. In addition, we’ve added transcripts to the weekly podcast, available with each episode blog post, as this was also another listener request we’ve had in the past. The weekly podcasts are in addition to our traditional monthly podcast, which will continue to cover security and privacy topics in more detail. We’ll also be booking more frequent interviews and guests for the monthly podcasts in 2018.

You can listen to the first episode of the Weekly Blaze right now from our regular podcast feed or directly from our website. If you haven’t subscribed to the podcast yet, you can do so through your favorite podcast listening application: iTunes, Android/Google Play, Stitcher, or on your Amazon Echo device via TuneIn. You can also listen directly from our website, where we post all past episodes of the podcast.

Lastly, you can now follow our podcast on Instagram where we’ll be posting additional content including videos, stories and more to supplement the podcast. A huge thanks to all of you for listening and supporting the podcast over the years. 2018 looks to be our best year yet!

Using Technology to Defend Digital Privacy & Human Rights – Presentation Notes

Filed under Presentation Notes, Privacy, Privacy on the Internetz

If you attended my talk “Using Technology to Defend Digital Privacy & Human Rights”, thank you! Here’s a list of supplemental material discussed during the presentation as well as where you can find out additional information about the topics covered. I’m happy to answer any questions that you might have via Twitter, Facebook or LinkedIn.

Targeted attacks in Egypt
https://theintercept.com/2017/02/02/egyptian-rights-activists-are-targeted-by-sophisticated-hacking-attacks/

Mexico and targeted Spyware
https://www.npr.org/sections/parallels/2017/06/20/533682738/mexicos-government-is-accused-of-targeting-journalists-and-activists-with-spywar
https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/

UAE – Mansoor Discussion
http://www.abc.net.au/news/2017-11-12/the-forgotten-story-of-ahmed-mansoor/9142004
https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/UAE_Five

Information about Pegasus Spyware
https://www.kaspersky.com/blog/pegasus-spyware/14604/

Russia Banning the Use of VPNs
https://www.reuters.com/article/us-russia-internet/putin-bans-vpns-to-stop-russians-accessing-prohibited-websites-idUSKBN1AF0QI
https://themoscowtimes.com/news/russian-law-banning-anonymous-online-surfing-comes-into-effect-59434
http://www.bbc.com/news/technology-41829726

China’s Great Firewall blocking VPN apps and Skype
https://www.thestreet.com/story/14399729/1/skype-vanishes-from-app-stores-in-china.html

Mass Surveillance in the United States
https://www.hrw.org/news/2017/10/25/us-new-evidence-suggests-monitoring-americans

Educating yourself on Social Engineering and Phishing (social-engineer.org is a great resource)
https://www.social-engineer.org/resources/social-engineering-infographic/

Signal
How Signal’s Censorship Circumvention Works
https://signal.org/blog/doodles-stickers-censorship/

More information about Tor and to download Tor Browser
https://www.torproject.org/
https://www.torproject.org/projects/torbrowser.html.en

How to use Pluggable Transports to bypass censorship in Tor
https://www.torproject.org/docs/pluggable-transports.html.en

TAILS USB and Virtual Machine
https://tails.boum.org/

Whonix Virtual Machine
https://www.whonix.org/

My Recommended VPN Provider
https://www.privateinternetaccess.com

My Recommended Secure Email Provider
https://protonmail.com

Good list of “burner” mobile phones
https://www.wired.com/2017/02/7-great-burner-phones/

Mobile Security Guide for Activists and Journalists
https://freedom.press/training/mobile-security-for-activists-and-journalists/

Mobile Device Security
https://www.vice.com/da/article/dp9zvq/how-to-avoid-self-incrimination-via-smartphone
http://www.slate.com/blogs/future_tense/2017/08/18/the_new_iphone_update_will_help_prevent_cops_from_searching_your_locked.html

EFF’s (Electronic Frontier Foundation) Surveillance Self-Defense Portal
https://ssd.eff.org/

If you missed this Jolt I’ll be presenting this talk again at other venues in the near future. Be sure to follow me on social media for upcoming dates.

Top 5 Attack Vectors Report: Defend It Before You Hack It

Filed under Defense

Each year my team conducts hundreds of penetration tests in a wide variety of industries, ranging from healthcare to retail, finance to manufacturing, and many more. The team analyzed data collected from each of our penetration tests at SecureState since 2011 and found common themes in the methods of compromise used to break into organizations and compromise sensitive information. As a result, SecureState has issued a new report that expands on the attack vectors identified and suggests ways organizations can defend themselves against them. SecureState’s 2014 Attack Vectors Report revealed the following Top 5 methods of compromise:

  1. Weak Passwords
  2. Web Management Consoles
  3. Missing Patches and System Misconfigurations
  4. Application Vulnerabilities
  5. Social Engineering

The full report is available for download on the SecureState website. I also presented a webinar (watch the replay here) with Defense team lead Robert Miller, expanding on the report’s findings and offering additional advice to organizations on how to defend against these attack vectors. I highly recommend you download this report to see where your organization stands in regards to these attack vectors.

What’s the bottom line?
The current mindset of many organizations is to react only after an attack or breach has already occurred. However, based on our findings and on what the current onslaught of breaches has shown us, it’s clear that organizations face the same attacks month after month. Rather than being reactive, the defensive mindset needs to change to a proactive one. Consider focusing time, money and resources on your defensive controls before a penetration test occurs.

A penetration test should be your final step: it confirms that your defenses can withstand an attack and shows where to adjust them if necessary. We’ve seen it time and time again: organizations conduct only an annual penetration test and expect that remediating the tactical issues it finds will improve their security posture. This needs to stop! Build your defensive controls first, then test to see how those controls hold up. Most of these controls are a mix of tactical and strategic, but reactively focused. By taking a proactive stance on defense, your organization will become much more secure, and the time, money and resources spent will provide much more value to the business.

Defend it before you hack it.

Cross-posted from the SecureState Blog