Informationweek Influencer
Chris Wysopal (@WeldPond)
- Twitter Bio: Application security, former L0pht researcher, L0phtCrack and Netcat for Windows developer, Veracode CTO & co-founder
- Location: Boston, MA
- Website: http://www.veracode.com/blog/
Chris Wysopal's Selections From the Web
Disclosing a flaw in a widely used system without making someone at least a little angry requires a delicate touch. But Andrew Auernheimer, a.k.a. “Weev,” a 26-year-old finder of security vulnerabilities, is anything but delicate. Two years ago, Auernheimer and a friend made a surprising discovery about the way AT&T was protecting its web database of iPad cellular data accounts: That is, AT&T wasn’t protecting it at all. Any customer could access his or her account data by going to an AT&T URL containing their iPad’s unique numerical identifier. No password, cookie, or login procedure was required to bring up a user’s private information. Auernheimer
Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target’s Twitter account. Messages can then be sent to Twitter with the source number spoofed. Like email, the originating address of an SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number. Facebook and Venmo were also vulnerable to the same spoofing attack, but the issues were resolved after disclosing to their
Joseph I. Lieberman, Democrat of Connecticut, is chairman of the Senate Homeland Security and Governmental Affairs Committee. He co-sponsored cybersecurity legislation that was blocked in the Senate this summer. The threat of a cyber attack on our electric grid, water supply system, financial networks, or oil and gas lines is anything but hype. I have been concerned about this threat for years, and the evidence has grown exponentially that sophisticated adversaries could paralyze the nation with targeted cyber attacks on critical networks. Some have even penetrated networks in the oil and natural gas sector. That's only a few keystrokes away
Symantec's chart shows a distribution of zero-day exploits based on how long they persist before being discovered. The average is close to 10 months. Software vendors are constantly on the watch for so-called “zero day” vulnerabilities–flaws in their code that hackers find and exploit before the first day companies become aware of them. But the term “zero-day” doesn’t capture just how early hackers’ head-starts often are: Day zero, it seems, often lasts more than 300 days. That’s one of the findings of a broad study of hackers’ zero-day exploits by two researchers at the antivirus firm Symantec that they plan to present at the
Smartphones and tablets are powerful and popular, with more than a thousand new mobile apps hitting the market each day. In this fast-moving era of entrepreneurship and creativity, is security keeping up? Apps and mobile devices often rely on consumer data — including contact information, photos, and location to name a few — and can be vulnerable to digital snoops, data breaches, and real-world thieves. The Federal Trade Commission (FTC), the nation’s consumer protection agency, offers these tips to help developers approach mobile app security. There is no checklist for securing all apps. Different apps have different security needs. For
Securities and Exchange Commission guidelines on when companies should disclose cyber-attacks have become de facto rules for at least six companies, including Google Inc. and Amazon.com Inc. (AMZN), agency letters show.
The six companies were asked to break silence and tell investors in future filings that intruders had breached their computer systems, according to the SEC letters. Companies such as Amazon argued that the attacks weren't important enough to reveal.
The general in charge of the National Security Agency on Monday said the lack of national cybersecurity legislation is costing us big and amounting to what he believes is "the greatest transfer of wealth in history."
U.S. Army Gen. Keith B. Alexander urged politicians to stop stalling on approving a much-needed cybersecurity law - of which various versions currently are circulating in Congress. At the same time, he implored private companies to better cooperate with government agencies; many of the companies remain mum because of privacy concerns.
"We can do the protection of civil liberties and privacy and cybersecurity as a nation.
ExploitShield has been marketed as offering protection “against all known and unknown 0-day vulnerability exploits, protecting users where traditional anti-virus and security products fail.” I found this assertion quite extraordinary and exciting! Vulnerabilities in software applications are real problems for computer users worldwide. So far, we have been pretty bad at providing actual technology to help individual users defend against vulnerabilities in software. In my opinion, Microsoft has made the best advances with their Enhanced Mitigation Experience Toolkit. EMET changes the behavior of the operating system to increase the effort attackers
Digital video recorders have revolutionized home and business security, making it possible to easily store and play back hundreds of hours of surveillance camera footage. But a few design flaws in their software, it seems, can quickly turn the watchers into the watched. Eighteen brands of security camera digital video recorders (DVRs) are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company’s firewall, according to tests by two security researchers. And one of
FBI agents may not have been the first to rumble the affair between CIA director David Petraeus and his biographer that led to the four-star general's resignation on Friday. Anyone with a copy of the leaked Stratfor databases, a half-decent PC, some political nous and a barrel of luck could have uncovered the fling months ago, it has emerged. Paula Broadwell, the former spy chief's mistress and biographer, was a customer of Stratfor, the private intelligence outfit that was attacked by Anonymous hackers last year. Buried in the megabytes of subsequently leaked information was Broadwell's Yahoo! email address and her hashed Stratfor login password.