10 Security Blogs You Need to Know

Want to appear prescient to your customers?

Give them a heads up on a new ransomware variant days or weeks before it’s all over the mainstream press. The best way to accomplish that feat is to pay attention to a select group of security experts who have deep expertise, high-powered contacts and the ability to explain concepts clearly — because we’re not Mr. Robot.

Some of these blogs are from independent experts, some are large security vendors, a few are more properly classified as news sites. All are worth clicking through now and again, if only to not sound like a n00b at dinner parties and customer meetings.

Follow editor-in-chief @LornaGarey on Twitter.

Schneier on Security is the granddaddy of security blogs. Bruce Schneier has been documenting security issues since 1998 and is currently the chief technology officer of IBM’s Resilient Systems, a fellow at Harvard’s Berkman Center and a board member of EFF. His coverage is often high-level and focused on IoT and government hijinks, such as questionable election security.

Channel will be interested in: A transcript of Schneier’s testimony to Congress on the role of connected devices in recent attacks. It’s straightforward, descriptive and terrifying. “Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you’ve never heard of to consumers who don’t care about your security.”

Timely quote: In his November newsletter, Schneier digs into the possibility that election results were tampered with.

“We have a patchwork of voting systems: different rules, different machines, different standards. I’ve seen arguments that there is security in this setup – an attacker can’t broadly attack the entire country ­– but the downsides of this system are much more critical. National standards would significantly improve our voting process.”

PLUS: If you like to listen to your security news, preferably with a side of snark, and don’t mind some commercials and NSFW bits, check out Paul’s Security Weekly. Paul Asadoorian and his guests on the Hack Naked podcast strike a good balance between technical and newsy.

Brian Krebs’ Krebs on Security blog is a frequent target of malicious hackers, including some disgruntled botnet operators that recently knocked the blog offline in the largest DDoS attack recorded to date. Krebs is a solid source for cybercrime coverage and news of breaches.

Channel will be interested in: Visa Delays Chip Deadline for Pumps To 2020, in which Krebs discusses a decision by Visa to give fuel station owners an additional three years to install at pumps payment terminals that are capable of handling more secure chip-based cards. You may recall that new PCI regulations called for enhanced PoS terminals by October.

Timely quote: From Akamai on the Record KrebsOnSecurity Attack

“Internet infrastructure giant Akamai last week released a special State of the Internet report. Normally, the quarterly accounting of noteworthy changes in distributed denial-of-service (DDoS) attacks doesn’t delve into attacks on specific customers. But this latest Akamai report makes an exception in describing in great detail the record-sized attack against KrebsOnSecurity.com in September, the largest such assault it has ever mitigated.”

Microsoft resellers should follow Troy Hunt, an Australian Microsoft Regional Director and also a Microsoft Most Valuable Professional for developer security. Hunt doesn’t just cover Microsoft, and he takes a global view of security, valuable if you have customers outside the United States.

Channel will be interested in: Hunt’s site recently saw a huge spike in traffic, much as a retail customer might if a product were mentioned by an influencer on social media. Here’s how he managed it with Azure and some help from CloudFlare.

Timely quote: From “Ad blockers are part of the problem,” discussing ways to monetize a content site without driving away users.

“Earlier this year, I wrote about bad user experiences on websites and foremost among these were the shitty things some sites do with ads. Forbes’ insistence that you watch one before manually clicking through to the story, full screen and popover ads and ads that would take over your screen after you started reading the article were all highlighted. Unanimously, we hate this experience.”

PLUS: Microsoft’s official TechNet Blog is the source for malware protection and threat research information.

Another blogger with global flair, Graham Cluley is also a podcaster and has a programming background. Cluley has done stints with Sophos (he founded the Naked Security blog) and McAfee.

Channel will be interested in: Sell DRaaS? Check out his YouTube video on the San Francisco Muni ransomware attack and how backups saved big bitcoin.

Timely quote: From Gooligan hooligans have compromised at least 1 million Google accounts:

“Attackers are using an Android malware campaign known as Gooligan to target Android users and breach the security of their Google accounts. So far, the malicious hackers have compromised one million Google accounts, but each day, they hack an additional 13,000 devices.”

Here are some top blogs from the big security dogs. All draw content from high-powered research labs and are great sources for up-to-date information on new malware variants and vectors.

• Cisco has two main security blogs: one more general, one for the Talos threat research team. Both are frequently updated.
• The Kaspersky Labs official blog is organized into interviews, new, tips, malware and product updates. Kaspersky also runs the popular ThreatPost blog, a good source of rising malware and risks.
• McAfee’s blog is themed “Securing Tomorrow. Today” and features consumer updates as well as content from the company’s labs.
• Sophos Naked Security mixes news, tips and updates from SophosLabs.
• Symantec Connect isn’t fancy, but it often highlights health care, banking and other verticals.

Channel will be interested in: Whichever security vendors are on your line card.

Timely quote: ThreatPost reported on an under-the-radar Chrome fix from Redmond.

“Microsoft appears to have silently fixed a two-year-old bug in in Windows Kernel Object Manager that could have allowed for the bypass of privileges in Google’s Chrome browser.”

The Securosis blog is run by an information security research and advisory firm. It veers between very technical posts and more accessible information on securing data in the cloud.

Channel will be interested in: Adrian Lane’s post on Cloud Database Security: 2011 vs. Today highlights the need to take different steps to secure customer databases in the cloud versus on-premises.

Timely quote: In the Dynamic Security Assessment: The Limitations of Security Testing series, partners can learn about the ins and outs of hiring penetration testers versus using automated tools.

“The increasing sophistication of adversaries is not your only challenge assessing your environment and understanding risk. Technology infrastructure seems to be undergoing the most significant set of changes we have ever seen, and this is dramatically complicating your ability to assess your environment.”

Bleeping Computer is a technical support and self-education site. You can often find great deals, like 95 percent off Essential Microsoft MCSE Certification Exams Training, and tips such as the fact that holding shift + F10 during Windows 10 updates opens the root CLI and bypasses BitLocker.

Channel will be interested in: Upcoming WordPress Features Will Require Hosts to Support HTTPS

Timely quote: From As of Today, U.S. Law Enforcement Has New Hacking Powers:

“Also included in Rule 41 is a clause that allows judges to issue warrants that allow law enforcement to hack or seize devices part of a botnet. Nowadays we have botnets of IoT smart devices, botnets of infected home Wi-Fi routers, botnets of infected PCs, botnets of infected mobile devices, and so on. Any malware that infects any device and uses an online command and control server is a botnet, even annoying adware families. Almost all malware families today use C&C servers, and indirectly form a botnet. Technically, the FBI and U.S. law enforcement can hack anything they want on the suspicion a device has been infected with malware.”

The Sucuri Blog, maintained by the website security provider of the same name, features a number of customer case studies showing how sites were hacked. It’s fairly specialized, but if you depend on an e-commerce site or have many retail clients, this is useful info.

Channel will be interested in: New XM1RPC SEO Spam and Backdoor Campaign

Timely quote: From Malicious Redirect Injected in Magento One Page Checkout

“With the holiday season around the corner, e-commerce sites are very valuable to website owners and equally attractive to attackers. Hackers have been targeting Magento installations in order to steal sensitive information like credit -9card data or PayPal logins, but in this case, promote websites for their monetary gain. Being PCI compliant is becoming increasingly critical as attacks on e-commerce sites continue to evolve.”

The Security Ledger isn’t a blog, precisely. It’s an independent security news site that “explores the intersection of cybersecurity with business, commerce, politics and everyday life.” But the site boasts a strong slate of contributors and a section on IoT security.

Channel will be interested in: IBM Launches Watson Internet of Things Consulting Practice

Timely quote: From It’s Time To Stop Ransomware Shaming

“Hospitals have not been “as diligent in combating cyber threats such as ransomware as other sectors,” experts were quoted saying in this Associated Press article, with one expert saying that hospitals are “about 10 to 15 years behind the banking industry” in combatting cyber threats.”

Also typical were articles like this one, at the Bitcoin news site newsbtc.com, that made the case that paying the ransom should never be necessary. Rather: “Falling to ransomware was evidence of a kind of technological turpitude.”

Like Security Ledger, Security Current collects news, analysis, advice and more from journalists, researchers and senior contributors, including Verizon chief security evangelist Mark Rasch. It’s run by veteran journalist and IT network security marketing executive Aimee Rhodes. There’s a lot of content here by and for CISOs that can help you relate to customer security execs.

Channel will be interested in: A comprehensive listing of security suppliers, broken down by specialty. Need to partner with a penetration testing firm? There are 11 to explore.

Timely quote: From Verizon’s Rasch in Failure to Secure – No Harm, No Foul?

“If a tree falls in the forest and there is nobody there to hear it, does it make a sound?? If a company has a data security event exposing sensitive data, but nobody is harmed by the exposure, is it a violation of the law?  A recent case from a federal appeals court in Atlanta LabMD v. FTC. suggests not.” 

PLUS: Dan Goodin from Ars Technica keeps a close eye on mobile security.