A Failed Hacker Unmasking Exercise

"A ridiculous article which purports to show us the face of a hacker..." -- Chris Wysopal, CTO of Veracode, in a tweet

The ability of media outlets to create sophisticated images and graphics is light years beyond what it was when I was a young journalist in the 1990s. The technology has spawned a lot of cool projects, like this visual of a botnet from my former employer, CSOonline.com. ...


Bad Anti-Hacking Laws: We Can Educate the Public

There's much alarm in the security community over new anti-hacking laws President Obama plans to float in his State of the Union address next week. The alarm is justified. What he proposes, as my friend Rob Graham (@ErrataRob) wrote in this important post, "are blunt political solutions which reflect no technical understanding of the problem." Obama's proposed anti-hacking laws are designed to arm companies with legal protections for sharing information ...


Microsoft Wrong to Cancel Patch Alerts

For the last few years I've been praising Microsoft for taking great strides to improve security. This morning, I'm tempted to take it all back. For the last decade, Microsoft has issued advance notifications the Thursday before each security patch release. It's been a valuable service, helping IT security practitioners to be better prepared. Yesterday, the software giant announced it was ending the service, claiming that not enough people are ...


UPnP Devices Used in DDoS Attacks

Attackers are using Universal Plug and Play (UPnP) devices to launch massive DDoS assaults, Akamai's Prolexic Security Engineering & Research Team (PLXsert) warned this morning in an advisory. PLXsert estimates that 4.1 million UPnP devices are potentially vulnerable to exploits used for reflection DDoS attacks. That's about 38 percent of the 11 million devices in use around the world. PLXsert plans to share the list of potentially exploitable devices to members of the ...


Data Breach Victims or Enablers?

Back in May, my good friend Eric Cowperthwaite caused a stir with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends passionately disagreed. My thinking on the matter continues to evolve. But as is usually the case, my thinking takes me to the middle. Companies that suffer a breach -- Home Depot and Target have been among this year's biggest poster children ...


After 9-11, Fear Made Us Stupid

Included in all the tweets and Facebook postings about the 13th anniversary of 9-11 yesterday was this from friend and co-worker Martin McKeay: Never forget 9/11 and terrorism. But don't forget how many rights have been taken from us in the name of fighting terrorism. He's got that right. There's been plenty of outrage in recent years over the U.S. government running wild, violating our privacy in the name of ...


Exposing Gregory Evans: It Can Be Done

Thanks to the efforts of Attrition.org, we've known for years that LIGATT Security and Gregory Evans can't be trusted. That article includes a long list of examples where Evans has committed plagiarism and threatened those who question his credentials as a hacker. There are court documents on the Internet that add to the evidence. I won't go into the full summary of misdeeds here, because veteran security professionals have ...


The Stupid, It Burns

There are times where I just marvel at the abject stupidity of some folks. Case in point was the posting on Pastebin over the weekend where a group of "hackers" (wow, I use that term lightly) calling themselves "Wycked" posted a database dump from McDonald's Malaysia. The premise being that they compromised the site. Small problem with that however. You see, the "Havij Injection Project" already posted that same database ...


Privacy under fire: Aaron Sorkin saw it coming in 1999

I've long been a fan of "The West Wing," which follows the drama of fictional president Josiah Bartlet and his senior staff. The series launched well before the privacy debates that are now the norm. But series creator Aaron Sorkin was way ahead of his time all those years ago when he focused on Internet privacy in the season one episode "The Short List." In the episode, Bartlet has nominated ...


No Cyber Experience? Strategy! Um…

Michael Daniel is the person who is on point for shaping cyber security in the US government. I find it rather disquieting that the White House cyber security coordinator espouses his lack of technical knowledge as a plus. From Gov Security: "Being too down in the weeds at the technical level could actually be a little bit of a distraction," Daniel, a special assistant to the president, says in an ...
