Security

A Practitioner’s Guide to Non-Human Identity Security

At some point in the last few years, most of us made a series of very smart decisions. We automated everything we could. Onboarding, offboarding, role changes, cross-system integrations, data pipelines — if it was repetitive, we scripted it, connected it, or orchestrated it. And honestly? It was glorious. Our teams got faster, our error rates dropped, and we stopped doing the digital equivalent of manually carrying buckets between buildings.

What we didn’t fully reckon with is that every automation we built came with an identity attached.

Service accounts. API keys. OAuth tokens. Machine-to-machine credentials. Workflow runner credentials. Integration platform secrets. Every one of these is a non-human identity (NHI) — an entity that authenticates to your systems and performs actions, just like a user does, except it never gets locked out after too many failed attempts, never sits through security awareness training, and never gets offboarded when the project that created it ends.

And here’s the uncomfortable math: in most organizations today, machine identities outnumber human identities by roughly 100 to 1. The even more uncomfortable part? Most security programs were designed for the 1%, not the 99.

The Long Recovery

In 2014, Seth Rogen and James Franco made a comedy about two journalists recruited by the CIA to assassinate Kim Jong-un. It was called “The Interview.” It had a 51% on Rotten Tomatoes and involved a considerable amount of juvenile humor about the supreme leader of North Korea.

At some point, someone showed the trailer to the North Korean government.

They did not find it funny.

He Just Kept Asking Until Someone Said Yes

In September 2022, an eighteen-year-old sent an Uber employee a series of WhatsApp messages.

He claimed to be from Uber’s internal IT security team. He told the employee their account had been compromised. He explained that to fix the situation, the employee would need to approve an MFA notification that was about to arrive on their phone.

The notification arrived. The employee didn’t approve it.

Three Teenagers Called. Twitter Answered.

In July 2020, someone compromised the Twitter accounts of Barack Obama, Joe Biden, Bill Gates, Elon Musk, Apple, Uber, Kanye West, and dozens of others. All at once. On a Wednesday afternoon.

Each hijacked account posted a variation of the same message: send Bitcoin to this address and we’ll send you double back. A classic scam — the kind that would make most people roll their eyes. Except that when it appears to come from the former President of the United States and the founder of Tesla simultaneously, enough people apparently suspend their disbelief to make it worthwhile.

The attackers made about $120,000 in a few hours.

They Didn’t Hack Target. They Hacked Target’s Air Conditioning Company.

It was November 2013. Thanksgiving week. Target’s busiest stretch of the year, when 40 million Americans would swipe their cards in the checkout line and think absolutely nothing of it.

By Black Friday, attackers had already been inside Target’s network for six days.

By the time the breach was discovered — not by Target’s own monitoring, but because outsiders noticed Target’s stolen card data showing up for sale online — the damage was done. 40 million credit and debit card numbers. 70 million records containing names, addresses, phone numbers, and email addresses. The kind of breach that doesn’t just make the news; it gets its own congressional hearing.

One Password. No MFA. Five Thousand Miles of Pipeline.

In May 2021, a ransomware attack by a group called DarkSide forced Colonial Pipeline to shut down 5,500 miles of fuel infrastructure supplying roughly 45% of the East Coast’s fuel. Gas stations ran dry. Prices spiked. People panic-bought fuel in plastic bags, which is both a fire hazard and a sign that things have gotten genuinely bad.

The FBI got involved. The White House held press conferences. Everyone wanted to know how a piece of critical infrastructure this important could be taken offline.

The answer, when it came out, was embarrassing in the way that only the simplest answers can be.

The Guy in the Hoodie Was Never the Problem

Say the word “cybersecurity” in a room full of non-technical people and watch what happens. Eyes glaze. Attention drifts. Heads begin a slow journey toward chests before you’ve finished the final syllable.

I understand why. The word sounds like homework. The topic sounds like something that happens to other organizations. The training videos sound like they were written by a compliance committee and narrated by someone who has never had a conversation with an actual human being.

And yet the stakes couldn’t be higher.

The Conference Room With a Window

When people say a platform is “encrypted,” they almost always mean transport encryption — data is scrambled while it travels between your device and the platform’s servers. Think of it like a sealed envelope moving through the postal system. The contents are protected in transit. But the post office can still open it.

End-to-end encryption (E2EE) is different. With true E2EE, only the participants hold the keys. The platform itself cannot decrypt the content of your call. Think of it as a conversation in a language only you and the other person speak.

The major platforms — Zoom, Microsoft Teams, Google Meet — all offer some form of E2EE now. But “offer” is doing a lot of work in that sentence. It is almost universally not the default. Teams started with one-on-one calls only; E2EE for meetings came later, is capped in participant count, and has to be switched on by an admin policy. On Zoom, enabling E2EE turns off cloud recording and phone dial-in, because both features only work if the platform holds the keys. Most organizations haven’t enabled it at all.
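The difference between the two paragraphs above is simply who holds the keys, and it is easiest to see with a relay in the middle. The script below is an added example, not code from the original post: a toy "platform" sits between Alice and Bob, every hop is wrapped in transport encryption (the analogue of TLS), and the only thing that changes between the two runs is whether Alice and Bob also share a key the relay never sees. The cipher is a deliberately simple HMAC-SHA256 construction (assumed here so the script runs with the standard library alone); the names, keys and sample message are all constructed for the demonstration.

```python
"""Who can read the message: transport encryption vs end-to-end encryption.

Added example, not code from the original post. A relay (the "platform")
sits between Alice and Bob. Every hop is wrapped in transport encryption,
like TLS. The only difference between the two runs is whether Alice and Bob
also share a key the relay never learns.

The cipher is a toy (HMAC-SHA256 keystream + HMAC tag, encrypt-then-MAC)
chosen so the script needs only the standard library. Use a real AEAD such
as AES-GCM or ChaCha20-Poly1305 in anything that matters.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong key or tampered data: emit nothing rather than garbage.
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Relay:
    """The platform's server. Holds one transport key per client (like a TLS
    session key) and records whatever it sees after unwrapping that layer."""

    def __init__(self, transport_keys: dict):
        self.transport_keys = transport_keys
        self.seen = []

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        inner = decrypt(self.transport_keys[sender], blob)    # terminate sender's session
        self.seen.append(inner)                                # the post office opens the envelope
        return encrypt(self.transport_keys[recipient], inner)  # new envelope for the recipient

    def try_to_read(self, data: bytes) -> Optional[bytes]:
        # The server can only try the keys it actually holds.
        for key in self.transport_keys.values():
            try:
                return decrypt(key, data)
            except ValueError:
                pass
        return None


MESSAGE = b"Board call: acquisition closes Friday, do not forward"  # constructed sample


def run_transport_only() -> dict:
    relay = Relay({"alice": os.urandom(32), "bob": os.urandom(32)})
    on_wire = encrypt(relay.transport_keys["alice"], MESSAGE)
    to_bob = relay.forward("alice", "bob", on_wire)
    return {
        "bob_read": decrypt(relay.transport_keys["bob"], to_bob),
        "server_read": relay.seen[0],  # plaintext: the platform could record or hand it over
    }


def run_e2ee() -> dict:
    relay = Relay({"alice": os.urandom(32), "bob": os.urandom(32)})
    k_ab = os.urandom(32)  # agreed between Alice and Bob only; the relay never learns it
    on_wire = encrypt(relay.transport_keys["alice"], encrypt(k_ab, MESSAGE))
    to_bob = relay.forward("alice", "bob", on_wire)
    return {
        "bob_read": decrypt(k_ab, decrypt(relay.transport_keys["bob"], to_bob)),
        "server_read": relay.try_to_read(relay.seen[0]),  # None: it only ever saw ciphertext
    }


if __name__ == "__main__":
    print("transport only, server saw:", run_transport_only()["server_read"])
    print("end-to-end,     server saw:", run_e2ee()["server_read"])
```

Note that in the E2EE run the transport layer is still present and still useful (it hides metadata-free ciphertext from anyone on the network), but what the relay unwraps is itself ciphertext it has no key for. That is also why the cloud-recording and dial-in features cannot coexist with E2EE: both require the server to be in the position of the first run, not the second.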
