Data Cleanliness and Patch Verification

Over the past several months I've been working with a few folks including Kurt Seifried from Red Hat and Dan Adinolfi from Mitre on improving the CVE numbering process. Through Daniel, I've met some of his team at Mitre on their campus in Bedford, MA. Also during this time Kurt began numbering and tracking open source vulnerabilities creating the Distributed Weakness Filing (DWF) project. I have been recently minted as a ...

Liquidmatrix Career Advice 2016 Edition

I'm guessing like most of you, the list of Slack accounts scrolls off the bottom of the screen. Yesterday I was scrolling through the list to see if I'd missed anything and there was a message on the Canadian Infosec Slack in which the following was posed: Hi James. $PERSON said to reach out to you = For advice and shiz - I'm a pentester. And at the crossroads of ...

It’s a tap!

ICS vulnerabilities are still being discovered, and I don't think that will stop any time soon. I started tracking known ICS vulnerabilities in 2014, and I recently updated my graph (special thanks to Risk Based Security for providing me with ICS data). The years between 2001 and 2010 are "the lost decade" for ICS security...and 2010 on is "the Age of Stuxnet." In today's world, security breaches are inevitable, even for control systems. ...

RMISC: Things To Do In Denver

The new year has started rolling and one of the things that people try to hammer out early in the calendar year is often the training budget. Picking a good security conference can be a problem. What I mean, is it can be difficult to pick the right conference for you. I've been fortunate to have been to many conferences over the years. I've learned a great many things, such ...

Remembering Hurricane Rita

Featured image by NASA/Goddard Space Flight Center Scientific Visualization Studio. This will be a long post. Hurricane Rita 10 years ago today, Shannon and I were staying with Mom and Dad. We had evacuated from our house in Beaumont, Texas a few days or so before. Hurricane Rita was so awesome/frightening on the satellite picture...just like Katrina was. I was assigned to the evacuation team at work. The ...

2015 Black Hat, DEF CON, BSidesLV Survival Guide

A couple weeks ago I wrote a post for veterans of so-called security summer camp, focusing on ways to get the most from it even if the mind has grown jaded. This week, I'm focusing on the newbies. Every year I try to offer some advice for people attending Black Hat, BSidesLV and DEF CON for the first time. As always, it's based on my personal experience. Everyone is different, ...

Data Breach Victims or Enablers?

Back in May, my good friend Eric Cowperthwaite caused a stir with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends passionately disagreed. My thinking on the matter continues to evolve. But as is usually the case, my thinking takes me to the middle. Companies that suffer a breach -- Home Depot and Target have been among this year's biggest poster children ...

5 Things a Revere, MA Upbringing Taught Me About Infosec

Growing up in Revere, Mass., taught me some very simple lessons about information security. Note: When people hear the name Revere, they think of these things: Paul Revere's ride, guns, the IROC-Z automobile, lots of gold chains and language that doesn't include the letter r at the end of a word. Information security? You probably think I've lost what little sanity I had. But I'm serious. Revere incident 1: Me and ...

Blackhat and Defcon Parties 2014

Back for the Blackhat and Defcon Parties 2014...FINALLY! Yet again, sorry I was late getting this published. Here is the list. It is a little short as I didn't take the time to include ones that have already filled up. You can try your hand with the remaining ones. Please note that this sched should work fine in most smart phone browsers. Also, feel free to leave a comment if ...

BH, DefCon, BSidesLV Primer

Many security professionals are making plans for a week in Las Vegas early next month for three big InfoSec conferences: Black Hat, Defcon and BSidesLV. I've been going for years and am familiar with what to expect and how to make the best use of my time there. If you're a first-time attendee, however, the experience can be overwhelming. For that reason, each year I put together a survival guide ...
