Category Archives: endpoint

Consumer Infosec Tech is Hard – No Wonder So Many are Pwned

I’ve been a MacBook Pro user for close to fourteen years now, both at home and at work. At home, I write my many books and conduct supporting research on my personal MacBook Pro.

Since I’m an infosec professional, I’m aware of threats to MacOS and associated components, so I run several security tools, among them Cylance, Malwarebytes, and Sophos. I use privacy-centric browsers and search tools.

Starting yesterday morning, my browser (Brave) started acting up quite badly: new pages simply would not load, and the browser would throw nonresponsive page errors left and right. I also use Firefox, which continued to function normally, as did Safari, so I was pretty sure the problem was with Brave itself.

I cleared all cache and cookies, tried building a different profile in Brave, and even removed and reinstalled Brave. No go. I posted an entry in the Brave Community in the hopes that someone else would recognize my problem in case I could not fix it. I am somewhat tied to Chromium-based browsers, but prefer not to use Google Chrome. SRWare Iron is an alternative, but they don’t update it frequently enough for my needs.

Since other browsers were working normally, I could dismiss my Internet connection, my local network, and DNS as possible culprits.

Next, I turned to my security tools. I had noticed that Cylance had been using about 90% of a CPU core for a few days, so that was my first object of study. I shut down Cylance, and immediately my Brave browser problem was solved. I turned Cylance back on, and the problem returned. Gotcha!

I removed and reinstalled Cylance, hoping that this would solve the problem. That was a few hours ago, and Brave is happy as a pig.

Retrospective: I cannot imagine ordinary consumers going through troubleshooting like this. My decades of daily hands-on software / network / systems / OS / security engineering on Unix and other OSes helped me zero in on this fairly quickly. I shudder to think that most consumers just turn security tools off when things stop working, and go unprotected thereafter.

Browser Switch: SRWare Iron to Brave

I’ve recently switched from one Chromium-based browser to another

I’ve been a fan of Chromium-based browsers for years. Eschewing Google Chrome’s propensity to snitch on every little thing I do in a browser, I switched from Google Chrome many years ago to SRWare Iron, which, like Google Chrome, is a Chromium-based browser that looks and feels like Chrome and runs Chrome extensions, but doesn’t tell Google what I’m doing.

On another computer (both Macs), I’ve been using Brave, yet another Chromium-based browser that, similar to SRWare Iron, runs Chrome browser extensions and also doesn’t tell Google what I’m doing.

With these computers side by side, I’ve noticed something peculiar: Brave updates came in regularly, while SRWare Iron updates were infrequent. I also keep my eye on the frequency with which Google Chrome is updated – it feels quite regular to me, often associated with new malware exploits that Google squashes. With the number of advisories and browser updates occurring, I’ve begun to feel that SRWare Iron is behind the curve.

A quick check on Wikipedia shows that the latest version of Brave on Mac was released five days ago, while the latest update of Iron on Mac is five months old. My perception, then, is that SRWare Iron has several months’ worth of unmitigated vulnerabilities. Being an infosec professional, I can’t live with that.

I’m not keeping detailed records on this – my perception is based mainly on gut feel.

If someone who represents SRWare Iron can rebut this, be my guest. I’m interested in learning whether SRWare has mitigated recent Chromium browser vulnerabilities in some other way.

Challenges to endpoint security

Managing security on endpoint systems, even in mature organizations, is especially difficult, in part because the shape of the attack surface is different on every individual endpoint. Users often have the ability to change at least some of their endpoints’ security settings, as well as install software programs and browser plug-ins. The only safe conclusion that a security manager can arrive at is that many endpoints in their organizations are easily exploitable.

— excerpt from an upcoming book on stopping zero-day exploits

A perspective on endpoint security

I’m preparing a webinar on endpoint security and was thinking about the problem while on a flight to Chicago. Consider it this way: in an organization with 10,000 employees, you’ve got your servers in the data center managed by IT. But you’ve got 10,000 more machines with the same complexity as those servers – or more. These machines also have access to sensitive data and often store it themselves.

But there’s more. Those 10,000 machines are managed by non-technical people who have the same system-level privileges as trained and certified system engineers. And not only that, but those 10,000 machines are not in your data center but out of your physical control, often operating in external environments away from really important network security controls such as firewalls, data leakage prevention, command & control detection, and intrusion prevention systems. These are our endpoint systems. Is it any wonder we are living in the era of colossal security breaches?

This is insanity, but there is a way out.