Newsletter Archives

  • Check your defenses


    Susan Bradley

    By Susan Bradley

    On March 21, the US president issued a warning about the possibility of Russian cyberattacks against American businesses, an outgrowth of the conflict with Ukraine.

    As part of the administration’s briefing on the topic, the White House issued a fact sheet, “Act Now to Protect Against Potential Cyberattacks.” The short document contains a list of recommendations, along with the exhortation: “We urge companies to execute the following steps with urgency.”

    Here are some of those recommendations.

    Read the full story in our Plus Newsletter (19.13.0, 2022-03-28).

  • The web has a padlock problem

    Danny Palmer (ZDNet) has just written about recent changes to websites showing “security padlocks” in browser bars, in a very easy-to-digest article.

    Internet users are being taught to think about online security the wrong way, which experts warn might actually make them more vulnerable to hacking and cyberattacks.

    HTTPS encrypts that information, allowing the transmission of sensitive data such as logging into bank accounts, emails, or anything else involving personal information to be transferred securely. If this information is entered onto a website that is just using standard HTTP, there’s the risk that the information can become visible to outsiders, especially as the information is transferred in plain text.

    Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure. The aim of this is to reassure the user that the website is safe and they can enter personal information or bank details when required. Users have often been told that if they see this in the address bar, then the website is legitimate and they can trust it.

    “This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

    …the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

    I’m sure many of us will have seen information by Troy Hunt and Scott Helme in recent months, on browser security. Changes are afoot in how browsers indicate websites’ security; e.g. Firefox’s recent changes on how padlocks work is related.

    WSJ indicate the depth of the problem here:

    The use of security certificates, once a badge of authenticity for the internet, among phishing websites has almost doubled, rising to 15% in 2019 from 8.5% in 2018

    Even CASC (Certificate Authorities Security Council) recently published, in a very interesting article:

    The padlock is putting users in danger

    We all need to get used to these changes, for our own safety.

  • Bank-Grade Security

    Before you do your online banking next, you might like to check out a website that rates the security of bank websites. It might have you rethinking just how secure they are.

    Bank Grade Security
    When companies say they have “Bank Grade Security” they imply that it is a good thing.
    In reality banks have poor security

    Check it out at

    And while you are looking at online security issues, today marks the release of Chrome 68, which marks sites not using HTTPS as insecure. Security Researchers Troy Hunt and Scott Helme have just launched a new website, listing websites not using https. It’s not reassuring to see universities, government departments and many popular sites not using https yet, but there are early reports of sites changing to https as a result.

    You’ll find it at

  • Microsoft security’s unseemly jab at Google

    In yesterday’s Windows Security blog post Browser security beyond sandboxing, Microsoft’s Jordan Rabet (part of the “Microsoft Offensive Security Research team” – no, I didn’t make that up) took aim at Google. There’s a whole lot of technical discussion about the superiority of Edge in that article. There’s also a deep dig at Google.

    Catalin Cimpanu at Bleepingcomputer boils it down:

    The problem that Rabet pointed out was that the fix for the bug they reported was pushed to the V8 GitHub repository, allowing attackers to potentially reverse engineer the patch and discover the source of the vulnerability.

    It didn’t help that it took Google three more days to push the fix to the Chromium project and the Chrome browser, time in which an attacker could have exploited the flaw.

    Taking into account that this happened in mid-September, Microsoft had no reason to detail a bug in a Chrome version that’s not even current. Chrome 62 is the latest Chrome version.

    Paul Thurrott has a great article, turning Microsoft’s old words against itself.

    What Microsoft should have done is take the high ground. Do the right thing for your shared customers and just shut up about it. But it didn’t.

    It’s time for both sides to grow up and work together. Take potshots at each other, sure. But not over security.

    If you’re interested in browser security, I suggest you read it.

  • How secure is your browser?

    Catalin Cimpanu (who’s rapidly become one of my favorite security writers), in BleepingComputer’s Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs

    Google’s automatic fuzzer, named Comato, finds more bugs in Edge than in Internet Explorer. Chrome’s best, of course, followed by Firefox.