Articles on Web Security
Below are my perspectives on Web Security, drawn from my work as a security leader and practitioner.
- Social Engineering: Conversation With a Tech Support Scammer. This tech support scam used no malware, just a calm sales pitch built on legitimate tools and fake diagnostics. Each step sounded like helpful advice, which is what made the pitch work.
- Social Engineering: The Manipulative Nature and Mechanics of Visitor Survey Scams. A 'free reward' survey scam doesn't care how you answer its questions. Filling them out makes you invested enough to pay a small 'shipping fee' you would otherwise refuse.
- Web Security: Free Online Tools for Looking up Potentially Malicious Websites. A curated list of free online tools for investigating potentially malicious websites, ranging from services that provide historical reputation data to those that examine URLs in real time. Options...
- Tools: Common Failures of Information Security Tools (Part 1). Security tools have side effects like medicine. Network firewalls cause connectivity issues; WAFs block legitimate traffic after site updates and are difficult to troubleshoot; antivirus tools may...
- Social Networking: How Clickjacking Attacks Work. Clickjacking tricks users into clicking invisible elements from other sites—commonly used to propagate Facebook links. Advanced variations can de-anonymize visitors by capturing their identity when...
- Authentication: We Still Suck at Protecting Logon Credentials. Recent breaches at Lockheed Martin, Mt. Gox, PBS, and Sony PlayStation show we still fail at protecting credentials. Attackers compromise them via remote password guessing, SQL injection to retrieve...