Tuesday, June 16, 2015

Protonmail Open For All

I've been a huge fan of Protonmail since first reading about what they were trying to accomplish last year. In short, they're looking to create free, encrypted email that keeps the encryption keys in your control. So many encrypted email providers have been bullied by governments into giving up their keys or shutting down, but it's impossible for this to occur with Protonmail, because they don't keep both keys. Brilliant!!

The biggest problem with Protonmail was the enrollment process, which took me multiple months to be assigned an account on their system. This was most likely due to limited resources and funds, so you can imagine my excitement when I received the below email from Protonmail. If you haven't already signed up for an account, what are you waiting for!! GO FOR IT!!

To celebrate our 1 year anniversary, we are upgrading all accounts created by June 17th, 2015 to 1GB of free storage! Many of you have also asked for a way to share ProtonMail with friends and family. To do that, we have created a special link that allows instant account creation: 
https://protonmail.ch/privacyforall 

You can send this link to friends and family and they will be able to get a ProtonMail account instantly. As our server capacity is still limited, we will only keep this link active until June 17th, 2015 (or until we hit capacity limit). Also after June 17th, all new accounts will default to 500MB of free storage. 

Over the past year, ProtonMail has proven to be reliable with less than 12 hours of total downtime (mostly scheduled maintenance), no incidents of permanent data loss, and no reports of user data compromise. Over that same period, the ProtonMail user community has grown from 10,000 to 500,000 people. 

As you know, we respect your privacy and do not track detailed user activity. Therefore, to continue to improve ProtonMail, we need to rely on direct feedback from you and would love to hear your suggestions or criticisms in the following survey: 
https://blog.protonmail.ch/feedback 

Many of the improvements mentioned in the survey will be coming soon. In the past few months alone, we have added new features like folders/labels, encrypted attachments, the protonmail.com domain, and more: https://blog.protonmail.ch/protonmails-new-features-guide 

We look forward to continuing this exciting journey with you! 

Best regards, 
The ProtonMail Team 

We believe privacy is a fundamental human right which is why we are supported by donations instead of advertisements. If you would like to support us, please visit: https://protonmail.ch/donate


Tuesday, June 2, 2015

Ten Guaranteed Ways NOT to Think Securely


We've gone over this subject a few times, but not in great detail. It's for this reason I'm going to dedicate an entire article to the subject. If you're following compliance only, you're not doing your job. There you have it, I said it. This is a blunt way of saying: be security minded before following compliance and just hoping for the best. Now I know there are many people out there who want to follow security first, but aren't allowed to. This article isn't for you. This is for the people that look at compliance as their only means of protection. There are plenty of businesses doing this now, with security minded people grudgingly attempting to push them through the muck and mire of the compliance-only ideology. The next ten tongue-in-cheek warnings are for those who are stuck in a compliance-only frame of mind. So for those that don't want to move forward and understand that compliance will not protect you when the attackers come calling, here are ten ways to cement your position as a compliance-only, non-security minded practitioner.

  1. Don't ever look past the compliance standard – When you ask an auditor why something needs to be done a certain way, take their word for it. Never ask why, or whether you can be creative about your architecture. Follow their every word and wait on them with bated breath. They're professionals after all, and you're paying them good money. How could they be wrong?
  2. Believe you are secure with only compliance – Only malicious and nefarious attacks happen to large companies. You're not on their radar right now, so you'll most likely skate free without being noticed. What are the odds? These things only happen to ultra-large organizations anyway; you're safe to sleep well at night.
  3. Never use compliance as a way to increase security awareness – Just because you have the ability to use compliance to put your security program on the map doesn't mean you should take advantage of this. Make sure no one outside your team is aware of what you are doing and keep these things to yourself.
  4. Make sure you select easy assessors – We know that not all assessors are created equal. Make sure you do your due diligence and select the vendor that's going to give you your corporate compliance the quickest. Don't have assessors come in that will challenge the status quo, which could push you into a security mindset. You wouldn't like that. And above all things, make sure the assessor brings their rubber stamp.
  5. Always use the same assessors every year – The best way to quickly pass compliance is to have the same set of eyes on your environment every year. This will increase the speed at which you receive your precious compliance, since your habitual assessor has already beaten this path, and it will make the process ever so much easier.
  6. Be content with checking the boxes – Once you have every check box securely filled in, you can be almost absolutely sure that you're safe from attack. The assessors' job is to make sure you're hacker proof, and they're normally never wrong. Make sure you put full faith in the compliance standard, as well as the assessor in place to bring you into their compliant beliefs.
  7. Don't worry about security unless an audit is underway – Security all year is hard. Make sure you only become interested in it while an assessment is underway. Since you're using the same assessor that was chosen for looseness, it shouldn't be hard to pass an assessment even while only being concerned for a few weeks out of the year. No one has time to be secure all year round, so don't be too hard on yourself.
  8. Never include out-of-scope systems in your thinking – Make sure you're only concerned with systems that are being audited, because that's really all that matters. The systems that are out of scope are just that, out of scope. They're not important, and even if an attacker somehow got through your assessor-approved bulletproof architecture, they wouldn't care anyway. All the juicy systems are in scope and those are the only ones that should be protected. The rest are just hangers-on and should be dealt with when you have time, but it's not urgent.
  9. By all means, don't be proactive – Being proactive with your thinking will eventually bleed over into being secure, which after all is what we're trying to avoid. Pushing for new technology and procedure could quickly get out of control. If you start being proactive it's going to affect all your systems; and we only want in-scope systems, remember? Do only as you're told and don't look for ways to improve.
  10. Make sure management knows compliance is most important – Your management is ultimately in control of what happens to your program, so don't bring up risks outside of those that might affect your ability to comply with the standard. They shouldn't be consulted or told about other risks to the environment. They're so very busy anyway, so why even bother them. Make sure that they are effectively lulled into a compliant mindset so that they're not awakened into worrying about security. This could ruin the compliance-only program you've worked so hard to achieve.

By following these ten sure-fire steps you'll become the best compliance-minded practitioner on the face of the planet. Follow them well and treat them like the compliance standard itself, but be very careful. If you feel yourself asking questions, or even having doubts about these ten steps, you're on your way towards being security minded. And for someone that's stuck in a compliance-only mindset this can be very dangerous. It will have you thinking outside the box and worrying about the security of your entire infrastructure. Be careful, stay the course.

Friday, May 29, 2015

Third Party Vendors Are Your Weakest Links

We've all seen the issues, many of them disastrous, that companies have with third party vendors, and it's something that the security community still needs to take seriously. If the Target breach wasn't enough to wake you up regarding the control of your third party accounts, I don't know what is. You need to have policy in place that limits these accounts and the ability to monitor them as well as possible. In these two articles I speak about ways to ensure network security when working with third party vendors.

Here are the two links:

Article 1 of 2
Article 2 of 2

Thursday, May 28, 2015

Infosec Pulp Fiction

Whoever made this meme deserves a slow golf clap. Well done, sir.


Wired Magazine on the Silk Road saga

Just finished reading the two part series from Wired Magazine on the Silk Road saga. Gotta say that this was a fine piece of work by Wired. It was an interesting read, knowing a few people that were involved on both sides of this case. If you haven't already picked up the past two months of Wired Magazine (April and May) that review the case, I'd highly recommend it. Good read.

Here's the link to the first part (April).

Wednesday, May 27, 2015

Why Two Factor Authentication Is Important

We've seen so many hacks today that focus on stealing user credentials and using them to pivot or escalate within a network. In this article I explain where two factor authentication should be used and the alternative technologies that are available to implement this protection. Two factor isn't just for big business, either. It's for personal use too.

http://blog.algosec.com/2015/05/two-factor-authentication-why-when-and-how.html

Monday, May 11, 2015

Thinking about purchasing an MDM solution?

In this article I write about six questions you need to ask yourself before purchasing an MDM solution. If you're considering MDM, already in a PoC, or have a system already installed, it might be helpful to determine whether your MDM meets these six criteria. Let me know what you think and whether there are other areas you think should be added to the list of recommendations.

http://searchsecurity.techtarget.com/feature/Six-questions-to-ask-before-buying-enterprise-MDM-products