Branden R. Williams, Business Security Specialist

2nd of November, 2020
In: Consumer Security, Enterprise Security
0
0

Proofpoint Patches URL Sandbox Bypass Bug standard

Or, how a travel website’s newsletter clued me in to a huge security gap in a popular email protection service. tl;dr: I discovered URLs of sufficient length (over 770 characters) would bypass Proofpoint’s URLDefense service leaving the original link untouched, allowing malicious links directly into users’ email inboxes. Proofpoint let me know this week that they finally have patched all the instances of their service that had this particular bug, so it’s time to disclose how I discovered it. Many of you know I switched my personal email protection away from Postini/Google Apps for Business to modusCloud by Vircom. My users and I are 100% satisfied with the service! One of the technologies powering Vircom is Proofpoint Essentials, and one ...

Introducing Where To Now standard

When I want to learn a new programming language, my typical method of doing this is to either take an existing small project and port it over to the new language, or come up with a small, yet practical problem to solve. I’m kinda like Johnny Five, in that I need input! I’ve been playing with Go for a little bit, but nothing very serious. I’ve also been playing around with Docker and Kubernetes, so I decided to kill two birds with one stone by building an application in Go as well as learning how to package it up in a Docker container. Introducing Where To Now. It’s designed to vary the webpage that might show up when a user ...

Improve Outbound Email with SPF, DKIM, and DMARC standard

“Oh sorry, I missed your email. It got dropped into my SPAM folder for some reason.” Isn’t that frustrating? All you did was send over a proposal and it got dropped into the SPAM folder. Perhaps it was word choice, perhaps you ended up on a list somewhere, or perhaps you are not doing your part to elevate the confidence of your emails leveraging the tripod of email security frameworks known as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). I started experimenting with these years ago noting that there are several vendors who will happily do this for you—and by the way, their products are pretty awesome. Given that I’m running ...

Life after G-Suite/Postini standard

Postini was a technology darling in the mid-2000s that sold email filtering technology as a service to companies struggling to combat the onslaught of SPAM and malicious emails that were sprayed at corporate inboxes. For small companies or small footprints, the price was right as well. $1/user/month translated to super cheap filtering with a nice web interface to boot. Google thought so highly of the technology that they paid $625M in cash in 2007 for the company, which was absorbed into Google Apps over time. Those of us legacy Postini users were drug along for a time as the service continued to dwindle in quality and usability, culminating in a complete shutdown and forced migration in December. Google handled the ...

The Breach Research We Need standard

I’m not afraid to point out misleading or questionable research findings funded by marketing groups strictly to gain headlines. Studies like the cost per record or cost per breach white papers come to mind here that give us excellent, attention grabbing headlines supported by a house of cards (specifically the cost per record studies). The information presented is unusable for risk management purposes, and is a quick way to get laughed out of a room if you quote these studies. What risk managers need is something that is comparable to their companies when trying to think about costs. Simply taking an average cost per record or an average cost per breach is not concrete enough to make risk management decisions. ...

Pushing Vendors to Abandon SMS standard

SMS-based authentication continues to be a great way to placate a user into thinking they are safe while creating an avenue for attackers to gain access to their accounts. Fabio Assolini and Andre Tenreiro from Kaspersky published some research that puts numbers in fraud losses to these threats. SIM Swaps cost criminals $10-15/SIM with gains from fraud being over $1,000. That’s a good return on investment. It’s why I’ve become a huge fan of U2F and other non-SMS authenticators (see my guide here). Companies like Yubico have made real multi-factor authentication doable for the masses with zero client-side infrastructure. Major companies like Google and Facebook are leading the charge to remove SMS-based authentication and account recovery options by allowing users ...

Ditch SMS for True Second Factor Authentication standard

At one point, getting a text message with a code seemed like a great way to provide more identity and authentication assurance. Phone networks are out of band from email, the cost of sending the message is relatively inexpensive, and few people are without a cell phone these days. As it gained popularity, SMS-based authentication got the attention of cyber criminals and they soon exposed a number of high- and low-tech attacks that make SMS authentication unreliable. I’ve been on a kick to turn on any 2nd-factor authentication option possible in every site/service that I use. Lately, however, I’m switching to real 2nd-factor options that include apps, U2F, or other methods. To that end, I recently published an article that ...

Brando’s Rules for Success standard

I’ve had a few folks ask me if I could attribute any big life lessons that have helped me get to where I am. Things like the Golden Rule or an extremely healthy amount of respect for karma (both of which would be true for me) came to mind, but I was able to distill my guiding principles into this: Show up. Don’t be a dick. End of list. Let’s dive deeper. Show up. This rule can mean a lot of things, which is why I love it. It’s extremely versatile. Be physically present and on time to appointments when required. Don’t be a flake. Fulfill your commitments (and communicate EARLY if you need to adjust them, bad news does ...

PCI Council Loses $600K in Revenue, PO Population on the Decline standard

Last year I released a blog post and a GitHub repository with some code to calculate how much money the PCI Council brings in annually, with an estimation of lifetime revenue. There are some MAJOR assumptions in there that can swing the revenue in either direction. And, of course, there are already new programs that the Council will happily charge for that have been released since my initial commit (3DS Assessors, 25 of those with each individual consultant paying $1,400 per exam). I’ll work on that soon. I was meeting with some industry people this week and thought I’d check up on the old numbers to give the package a refresh. As it turns out, the number of Participating Organizations ...

No Need to Sign standard

If you went shopping on Sunday and happened to notice that a signature was not required for your credit card purchase, that wasn’t an April Fools joke. Back in December & January, the major payment networks all announced they were dropping the signature requirement. Even MORE time saved when paying for things! I’m sure many of you are like me in that you didn’t even put your actual signature on those papers or electronic signature capture devices. The only time I have been serious about it is when I travel abroad. Those cashiers are very good at matching your signature to what is signed on the back of the card. Possibly Related Posts: Proofpoint Patches URL Sandbox Bypass Bug Ditch ...