In this Security Report Analysis (SRA) series I look at various security reports and pull out the main points. This doesn’t replace a complete and detailed read of these reports, but it exposes you to some of the key takeaways that you might not otherwise have seen. REPORT: The 2018 DBIR Report Key points These points are a…

The more a company can tell me about their assets the better their security is, and the more comprehensive and realtime the inventory is, the more mature they are. This has been true for me over 15 years of consulting across hundreds of organizations. Click here to listen to the audio version of this essay. But just try—either…

For a number of years I’ve been waiting to launch a project of mine called HELIOS. HELIOS actively monitors a company’s external attack surface in near-realtime and notifies you when it finds anything dangerous. I’m super excited about it, and I think it’s going to help a lot of companies. Ping me with any questions! [ HELIOS: Know…

This week’s episode of Unsupervised Learning is now available. Subscribe below and get this episode’s podcast and newsletter. This week’s topics: It’s 2 billion users now, Liinux beep, Digital Shadows finds fail files, cloud misconfiguration, AlterEgo, AI applications, Alexa sending payments, Tech, Ideas, Recommendation, Aphorism, and more… Listen to this week’s Podcast Become a Member to Get This…

A lot of people in Information Security think security means “stopping bad things from happening”. It’s understandable, given that we’ve been practicing it that way for decades now. Basically, security has been synonymous with prevention for as long as most can remember, and that’s the way the entire industry is configured and oriented. But there’s another, far deeper…

This week’s episode of Unsupervised Learning is now available. Subscribe below and get this episode’s podcast and newsletter. This week’s topics: Atlanta disabled, MyFitnessPal hacked, Cambridge Analytica election tampering, Drupal, Saks, DARPA drones, Cloudflare 1.1.1.1, Slack bosses, Democratic Chinese AIs, Georgia facepalm, tech, humans, ideas, and more… Listen to this week’s Podcast Read this week’s Newsletter

F5 just released a threat intel report that covered 433 breach cases spanning 12 years, 37 industries, and 27 countries. When companies release reports like these I go through them and extract nuggets for those who don’t have time to look at the full report. You will find the extraction for this report below. Applications were the initial…

This week’s episode of Unsupervised Learning is now available. Subscribe below and get this episode’s podcast and newsletter. This week’s topics: Chinese at CanSecWest, Applebees POS, Palantir, Poisoning, TensorFlow DoD, Amazon laughing, Google 72-qbits, Amazon FinTech, Android P, and more… Listen to this week’s Podcast Become a Member to Get This Week’s Newsletter

People are becoming increasingly worried about the data that Facebook and other social media sites have on them. Luckily, the platforms make it fairly easy to download that data to see for yourself. For Facebook, here’s the process. 1. Go to any Facebook page and hit the down arrow in the corner. 3. Click “Download a Copy of…

There are myriad theories as to why software remains insecure after we’ve spend decades trying to solve the problem. Common reasons include: the lack of will to secure things the lack of vendor liability the use of insecure languages insufficient developer training not enough security products not enough security professionals etc… But there’s a far simpler and more…

This week’s episode of Unsupervised Learning is now available. Subscribe below and get this episode’s podcast and newsletter. This week’s topics: GitHub DDoS, Celebrite Attacks, AI warnings, Palantir in New Orleans, Grub Backspace, 4G attacks, Space Corps, Amazon wins Defense Department deal, tech news, human news, discovery, notes, recommendation, aphorism, and more… Listen to this week’s Podcast Read…

In 2013, I looked briefly at how being hacked affects a company’s stock price. More people are looking at this now, and the evidence seems to show that there is often a major dip, but after 6 to 12 months it’s hard to even notice it happened. I’ve been worried for a long time that we’re getting Breach…

This week’s episode of Unsupervised Learning is now available. Subscribe below and get this episode’s podcast and newsletter. This week’s topics: Parkland tampering, Avoid Huawei, Bongo S3, Facebook 2FA Spam, Android Cryptojacking, Spyware Hacking, Password Dating, Technology News, Human News, Trends, Ideas & Analysis, Data & Statistics, Discovery, Recommendations, Aphorism, and more… Listen to this week’s Podcast Read…

Get ready for Palantir-style, AI-based violence prediction on school campuses. There are far too many situations where it happens and basically everyone knew that person would be the perpetrator. This should be used for social work as well, but the more people who get to use it the more people get the data. If the perpetrator is often…

I'm starting to realize that many infosec people are luddites rather than technologists.Not a good look for us.We need to be the shepherds, not the crazy people belting out scripture at people on the street.— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) February 18, 2018 I just posted this on Twitter after being frustrated again by how a lot of my fellow…

This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for…

This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for…

Worse, even if you do create hundreds or thousands of such queries (which Amazon is trying to do with Alexa Skills), you haven’t solved the problem, since there is no way for the user to know what they can ask, nor remember what skills Alexa does and does not have. The ideal number of skills for such a…

I wrote recently about how AI’s biggest advantage in security—at least in the short term—will come from improving coverage rather than analysis quality. I was talking specifically about things like detection of threats within a SOC, or finding asteroids that might hit earth, or listening for dangerous conversations in millions of phone calls. Basically, any situation where there…

If you’ve been in InfoSec for a while you probably have significant experience with third-party security questionnaires. They’re basically the new firewall. Everyone is asking everyone else if they have one. I’ve been troubled for years by the whole charade, but I just recently put my finger on the reason. Third-party security questionnaires are the equivalent of asking…

Most people think the way AI is going to significantly impact society is by taking all our jobs or creating robots that try to kill everyone. But while we focus on all the distant or unlikely impacts of artificial intelligence we’re about to get completely blindsided by a very real and practical one. The ability to imitate anyone’s…

This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for…

This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for…

This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for…

Many people have pinged me asking for a dead-simple explanation of the differences (and similarities) between these two attacks. Here’s an extremely basic summary: Meltdown applies to Intel and Apple processors and takes advantage of a privilege escalation flaw allowing kernel memory access from user space, meaning any secret a computer is protecting (even in the kernel) is…

This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for…