After a week in Vegas for Blackhat, and then a week’s vacation, I’m back with your favourite dose of security roundup. Giving you the security news and views you deserve, not need.
So, let’s just jump into it and make up for lost time.
Adventures in Vulnerability Reporting
Discovering vulnerabilities and getting rewarded for bugs is the new hotness. Being new, there are many teething problems as organisations and researchers struggle to find common ground on how best to disclose them.
Natalie Silvanovich of Google’s Project Zero has documented her adventures and an example of a particularly poorly conceived vulnerability disclosure process in this blog:
- Adventures in vulnerability reporting | Project Zero
Natalie raises some very valid points in her post about how researchers will sometimes abandon the disclosure process altogether if it becomes frustrating, as we saw when a Microsoft Windows 0day was disclosed unceremoniously through Twitter.
And while we’re on the topic of vulnerabilities, Adrian Sanabria drops the truth (with stats) on patching. You should always patch when you can, but when you can’t, you need a plan B.
- Another Year, Another Critical Struts Flaw | Nopsec
Twitter bots are spoken about frequently, usually in the same breath as fake news or disinformation. But how big a problem are bots, and do they actually influence public opinion or are they merely trolls?
The good folk over at SafeGuard Cyber may be able to shed some light on it with a detailed report that looked at over 300k bots and tracked their behaviour and tactics - providing an analysis of how bots are deployed to reshape public perception.
- How Russian Twitter Bots Weaponize Social Media | SafeGuard Cyber
A True Password Manager Story
I can neither confirm nor deny that I’ve ever blamed Graham Cluley for anything… but this is a good post by Stuart on the trials and tribulations of adopting a password manager.
- I’m OK, but Graham Cluley made me do it | Hidden Text
While we’re discussing passwords, a different Stuart has written a very open and honest discussion on the use of two-factor authentication. It’s well worth a read.
- Before You Turn On Two-Factor Authentication… | Stuart Schechter, Medium
Probably The Best Tech Keynote in the World
I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens who is a professor at Harvard University.
I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never.
It’s well worth carving 50 minutes out of your day to watch his keynote, entitled:
Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?
A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models
The Importance of Wellbeing
Working in any career can take its toll. Technology jobs in particular have a habit of following you around wherever you may go via your connected device. Mo Amin shares a personal account, with some good tips on how one can bring balance to their life in the busy times we live in.
Oh, No, Not Another Security Product
“The industry doesn't need more products, companies, or marketing hype. We need an overhaul of the whole approach to security solutions, not an improvement of components. Security should be built on platforms with a plug-and-play infrastructure that better supports buyers, connecting products in a way that isn't currently possible.”
- Oh, No, Not Another Security Product | Dark Reading