Threats

IT Risk And The Zombie Apocalypse: Surviving The Onslaught

One of the most vexing problems that faces IT organizations these days is how to measure their relative risk of being hacked or otherwise attacked. This sounds like pretty dry stuff, but it’s not. Failing to adequately account for your risks and exposure can mean the difference between swatting away an annoying intrusion attempt, and watching as foreign competitors or nation-states siphon off your critical intellectual property, bleeding your company of its competitiveness. But raising the alarm about this is always a tricky matter. Soft pedal it, and nobody takes you seriously. Scream from the rafters and …well…you’re screaming from the rafters. My friend and former colleague Josh Corman, however, found a good metaphor for the whole affair: the ZOMBIE APOCALYPSE. It’s all a bit of fun – though Mr. Corman is dead serious about the zombie stuff. Still, the idea is simple: attacks on your network and those of […]

Continue Reading

Google Will Use Cash To Clean Up Open Source

The widespread use of vulnerable or buggy third party code is serious problem facing public and private sector organizations, alike. Just this week, for example, The Wall Street Journal reported that an independent audit of Healthcare.gov, the star-crossed Federal Government website that is the primary health exchange in more than 30 states, is choking on poorly integrated or extraneous code that “served no purpose they could identify.” But what happens when the third-party code in question is open source code? Things get more complex. For one thing: open source is the salt and pepper of the software world: a common ingredient in applications of all sorts. And, as security researchers have noted: many of the so-called “smart devices” that are populating the physical world run variants of Linux, the open source operating system. But because those source code repositories are managed cooperatively and collectively by volunteers, security often takes a […]

Continue Reading

Video: Weaponizing Your Coffee Pot

The third annual DerbyCon wrapped up last week. Alas, I wasn’t able to make it down to Louisville, Kentucky and don a pork-pie hat with the smart people there. Still, there were some great presentations, and most of them are available online. One worth checking out if you’re into the Internet of Things hacking -thing is Daniel Buentello’s (@danielbuentell0) presentation of “Weaponizing Your Coffee Pot.” This is a repeat performance for Daniel, who also presented it at the ToorCon Conference in Seattle back in July. The first half of this talk is a high level overview of IoT and the security implications thereof. Mostly this is stuff you’ve read on this blog before. In the second half, Daniel goes down into the weeds on hacking a couple of classic IoT devices: Belkin’s WeMo IP enabled power outlet and Nest’s iconic thermostat. Without getting into all the details (its worth watching […]

Continue Reading

Bombshell: Adobe Says Massive Hack Netted Source Code, Customer Info

In what sounds like a worst-case scenario, Adobe Corp. admitted on Thursday that a massive breach of its corporate network resulted in the theft of information on close to three million customers and source code for two widely-used products: Adobe Acrobat, Acrobat Publisher, Cold Fusion and “other” as-yet undisclosed products. The news came in a string of announcements late Thursday on Adobe’s corporate blog as well as the news site Krebsonsecurity.com. The revelation came after Brian Krebs, the reporter behind that site, and Alex Holden, the Chief Security Officer of Hold Security, discovered what is described as “a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.” After being informed of the find, Adobe investigated and acknowledged the theft. In a blog post by Chief […]

Continue Reading

Health Exchanges Need A Fail Whale

In a blog post on Veracode’s blog today, I write about the problems encountered at government-run online health exchanges that were intended to connect millions to private insurance plans under the Affordable Care Act. The exchanges opened to the public on Tuesday, and they got off to a rocky start, with reports of web sites paralyzed as millions of uninsured Americans logged on to sign up for subsidized health insurance. In some cases, the problems appear to have been caused by “external factors.” New York State’s online health exchange was felled by the weight of more than 10 million requests of dubious origin, The New York Post reported. But other exchanges, including Healthcare.gov the federal government’s main health insurance storefront, which is used by residents or more than half of the states, were victims of their own success: overwhelmed when the doors swung open and millions of eager customers poured […]

Continue Reading
1 183 184 185 186 187 216