Lesley Carhart leads a virtual roundtable discussion: Is Digital Privacy a Privilege Of The Wealthy?
Fillippo Varsorda’s account of his discovery of Ticketbleed (CVE-2016-9244) is a great account of chasing a bug report down to the root cause, which turned out to be a fairly serious security vulnerability in some F5 products.
Ben Elijah writes about an approach to using threat modelling for personal security .
- Insider threats: lately I’ve been doing a bit of research into insider threats (e.g. “rogue IT person stealing documents”, “disgruntled accountant stealing money”, etc), and how organizations can defend against them. Some resources I found useful:
- Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector [PDF] - a study of 80 insider fraud cases between 2005-2012, funded by DHS. Good data on what motivates, prevents, and detects insider fraud.
- Best Practices for Managing Insider Security Threats, 2016 Update - a Gartner report with some good concrete recommendations.
- Monetizing the Insider [PDF] - a report on a growing trend: recruitment of insiders for financial gain. I’m skeptical that this is that big of a trend, but it’s a reasonable threat model to think about.
- Combating the Insider Threat [PDF] - advice from NCIC on insider threats. Be careful of this one; I find the behavior analysis parts of this rather dangerous (it’s never a good idea to empower armchair psycology in this way).
gophish is an open-source phishing simulator, like a free PhishMe.
Mozilla’s Minion is a security testing framework that makes running security scanners easy (supports ZAP, NMap, Skipfish, SSLyze, and more).
Netflix Stethoscope is a novel approach to endpoint security: instead of locking down and enforcing policy, give users visibility into their own compliance and ask them to take the proper steps themselves.
This is a weekly roundup of interesting infosec related links, inspired by Geek Feminism’s linkspam tradition.
If you’d like to suggest a link for a future roundup, post it to Pinboard tagged with securitylinkspam and I’ll find it there.