10.12.2021 | 5'' read
Beware of shady VPN corporate ownership
For years, security pros (myself included) have urged the use of VPNs as a data and privacy protection utility. Today, this is slowly becoming bad advice and there are new signs that the entire cottage industry of consumer VPN software needs to be killed off as a matter of urgency.
09.21.2021 | 6'' read
Stop legitimizing parasite 0day companies
It's not too late to stop legitimizing these private sector offensive actors supplying zero-days to apex predators. These aren't cybersecurity companies helping to solve security problems. These are parasites cashing in on an unregulated space, making things worse for the rest of us.
09.14.2021 | 5'' read
Legal trouble for ex-NSA mercenary hackers
According to publicly available data, there have been 66 documented zero-day attacks so far in 2021. The bulk of those target code from Microsoft, Google and Apple. Plus, ex-NSA mercenary hackers in legal crosshairs for security work in Dubai.
07.20.2021 | 8'' read
Exposing the zero-day exploit suppliers
Israeli vendors Candiru and NSO Group are caught in the crosshairs of global investigations into the secretive world of zero-days and point-and-click mobile hacking tools supplied to .gov customers. Plus, the fallout from China's clampdown on vulnerability data sharing.
07.06.2021 | 4'' read
Microsoft Print Spooler, Kaseya ransomware mega-hack
While Microsoft Windows fleet admins scramble to apply the 'PrintNightmare' patch, the evidence is clear that Microsoft has a severe patch-quality problem that's now being compounded by poor communications, lack of transparency, and festering feuds with prominent white-hat hackers.
06.30.2021 | 7'' read
PrintNightmare exposes Microsoft patch problems
Microsoft misdiagnoses the severity of a Print Spooler security update, calling into question the quality of the company's patches. Plus, some movement on defining "critical software" and advances in SBOM requirements.
06.16.2021 | 5'' read
WebKit and the soft underbelly of iOS security
A little-known fact: When you use Chrome on iOS, you aren't really using Google Chrome. You're using a Chrome UI/shell around WebKit/Safari because Apple forbids any third-party rendering engine. This is a major soft spot in the iOS security model and the surge in zero-day attacks is reason for major concern.
04.26.2021 | 5'' read
Remembering Dan Kaminsky (1979-2021)
I share some memories of the late Dan Kaminsky, including his generosity to the hacker community and an insistence on empathy for the end user. Plus, some supply chain pain points.
04.07.2021 | 4'' read
The return of in-person security events
This week, we respond to news that the SolarWinds CEO will do a keynote (fireside chat) at next month's RSA Conference and how Black Hat is shaping up as the official return to in-person security events. Plus, three new podcast episodes on a variety of topics.
03.15.2021 | 5'' read
Chrome, monoculture and the boll weevil
Chromium is a monoculture in browsers and the risks are being amplified via a surge in zero-day Chrome attacks. Have we learned enough from the lessons of the boll weevil? Plus, Microsoft's business ambitions are starting to clash with assurance realities.