Get Your Shit Off The Internet

Amusing Twitter thread by Joe Slowik and accompanying website.

Seriously – do you really need endpoints directly exposed to the outside world for the sake of efficiency or convenience?

Do you really require your data immediately accessible to external users?


Defense in depth, mother ducker! Segmentation and security controls – love them and implement them!

NoSnoop–A Windows Tool for Detecting HTTPS Interception Attacks

NoSnoop is a Windows-based tool that will let users know if their SSL/TLS connections are being subjected to a man-in-the-middle attack.

NoSnoop is a standalone, browser-independent application that will perform SSL/TLS handshakes with a list of 250 popular websites and examine the certificate chains received from each server. It will alert on any unexpected certificates.

NoSnoop will check for obvious cases (such as interception by a local proxy, your employer’s SSL inspection gateways, or a malware infection), as well as more advanced attacks (for instance, if the root cert is valid but issued by an unexpected organization or country).

An entire scan typically takes less than 30 seconds.

This is currently in beta, so “bugs and/or false positives detections should be expected.”
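The check described above can be illustrated by comparing the issuer organization and country of the certificate a server presents against an expected baseline. This is an added example, not NoSnoop's own code: the host `shop.example`, the CA names, the baseline and the sample certificates are all constructed, and it inspects only the leaf certificate's issuer rather than the full chain.

```python
import socket
import ssl

# Constructed baseline (hypothetical host and CA names, not NoSnoop's list).
BASELINE = {
    "shop.example": {"organizationName": "Example Trust Services",
                     "countryName": "US"},
}

def _cert(org, country):
    """Build a constructed cert dict in the shape ssl's getpeercert() returns."""
    return {"issuer": ((("countryName", country),),
                       (("organizationName", org),))}

CLEAN = _cert("Example Trust Services", "US")
PROXIED = _cert("Corp Inspection Gateway", "US")  # local proxy / SSL inspection
FOREIGN = _cert("Example Trust Services", "ZZ")   # expected name, unexpected country

def issuer_fields(cert):
    """Flatten the issuer's RDN tuples into a plain dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}

def fetch_cert(host, port=443, timeout=5):
    """Live TLS handshake: returns (cert_dict, None) or (None, error_text)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        # An interception CA that is not in the trust store fails here.
        return None, exc.verify_message

def assess(host, cert, error=None, baseline=BASELINE):
    """Return findings for one host; an empty list means nothing unexpected."""
    if error:
        return [f"{host}: chain failed validation ({error})"]
    expected = baseline.get(host)
    if expected is None:
        return [f"{host}: no baseline entry"]
    seen = issuer_fields(cert)
    return [f"{host}: {field} is {seen.get(field)!r}, expected {want!r}"
            for field, want in expected.items() if seen.get(field) != want]

if __name__ == "__main__":
    for label, cert in (("clean", CLEAN), ("proxied", PROXIED), ("foreign", FOREIGN)):
        print(label, assess("shop.example", cert) or "OK")
```

For a live check, pass the two values returned by `fetch_cert(host)` to `assess` as `cert` and `error`.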

ID Ransomware

ID Ransomware is a service where you upload a ransom note and/or sample file encrypted by ransomware, and the ID Ransomware service tries to pinpoint exactly which ransomware you’ve been hit with.

This service is strictly for identifying what ransomware may have encrypted your files. It will attempt to point you in the right direction, and let you know if there is a known way of decrypting your files. 

Currently ID Ransomware can identify 750 known strains of ransomware.

“Scaring and Bullying People into Security Won’t Work”

If I were king (or IT superadmin) for a day, I’d force everyone I know who is responsible for information security to read Angela Sasse’s excellent 2015 column, Scaring and Bullying People into Security Won’t Work.

Factors such as fatigue as well as habituation affect performance. In real-world environments, authentication fatigue isn’t hard to detect: users reorganize their primary tasks to minimize exposure to secondary security tasks, stop using devices and services with onerous security, and don’t pursue innovative ideas because they can’t face any more “battles with security” that they anticipate on the path to realizing those ideas. It’s been disheartening to see that, in many organizations, users who circumvent security measures to remain productive are still seen as the root of the problem–“the enemy”–and that the answer is to educate or threaten them into behavior security experts demand–rather than considering the possibility that security needs to be re-designed.

A good example is the currently popular notion that sending phishing messages to a company’s employees, and directing them to pages about the dangers of clicking links, is a good way to get their attention and make them less likely to click in the future. Telling employees not to click on links can work in businesses in which there’s no need to click embedded links. But if legitimate business tasks contain embedded links, employees can’t examine and ponder every time they encounter a link without compromising productivity.

In addition, being tricked by a company’s own security staff is a negative, adversarial experience that undermines the trust relationship between the organization and employees. Security experts who aim to make security work by “fixing” human shortcomings are ignoring key lessons from human factors and economics.

In modern, busy work environments, users will continue to circumvent security tasks that have a high workload and disrupt primary activities because they substantially decrease productivity. No amount of security education–a further distraction from primary tasks–will change that. Rather, any security measure should pass a cost–benefit test: Is it easy and quick to do, and does it offer a good level of protection?