Network World
Tuesday, November 18, 2008
Security Phreak

Quantum Computing: cryptographic challenges, but no end for security

Examination of the technical evolution within several industries reveals an approaching precipice of scientific change.  The glacially paced, but inevitable convergence of quantum mechanics, nanotechnology, computer science, and applied mathematics, will revolutionize modern technology.  The implications of such change will be far reaching, with one of its greatest impacts affecting information security.  More specifically, that of modern cryptography.

Security patches: A losing battle

Since my participation in Friday's roundtable discussion (see previous blog entry) has probably made some wonder about my level of security comprehension, and question whether English is my first language, I thought I would try to clear up some confusion here, by paraphrasing the thoughts of others. 

One of the questions posed was: What do you think is the ultimate solution to end the patch/hack/patch cycle, which is the cornerstone of today's enterprise security?

Hacker 'schooled' in chat room

Last Friday, I participated in a roundtable discussion on the topic of "Best innovations in Security."  Joined by notable security minds Jamey Heary, Dave Kearns, and Andreas Antonopoulos, an hour long chat room session ensued.

The Olympic Games were Hacked

Another 0100 years have passed and the Olympic games have come to a close.  While most of the world fixated on the athletes and their events, a few of us focused our attention on the competitive hacking in cyberspace.  This year's largest event appeared to be that of "web defacement", with several countries demonstrating impressive efforts.

Anti-Social Engineering

As a geek growing up, I had always admired and respected such magazines as Byte and Scientific American.  While perhaps not understanding every article as a 12-year-old, I still appreciated the technological significance of their content.  In fact, I still possess my original edition of Volume 237, Number 3 of Scientific American, from September 1977.   Containing the articles "Microelectronics", by Robert Noyce, and "Microelectronics and the Personal Computer", by Alan Kay, this is obviously one of my treasured documents.

Greetings from...(not Black Hat)...NI Week 2008!

While heading to Vegas for the mother of all hackercons, the back-to-back Black Hat USA 2008/Defcon 16 conferences, I had some technical difficulties with my travel arrangements. I managed to take a wrong turn somewhere and I now find myself in Austin, TX. However, all is not lost.

1 website and 1 statistic hacked every 5 seconds

As a security researcher, analyzing malware trends is a common task.  This includes tracking data on the numerous types, variants, vectors and growth rates.  Occasionally, the byproduct of research yields information more interesting than the data itself.  One frequently occurring type of information is the reporting of statistics.

There's still HOPE for hackers

The seventh and last HOPE (Hackers on Planet Earth) conference took place last weekend, bringing the 14-year-old biennial hacker con to an end.  Emmanuel Goldstein (Eric Corley), publisher of 2600 magazine, has been the brains behind this production, providing a forum for presenting the true philosophical concepts of hacking culture.  In contrast to the acquired reputation of hacking, that of malicious digital thievery, this conference hosts hacking in the traditional sense: those who possess a strong technological curiosity to understand how things work, with an equally strong desire to know why

Web 2.0, Security 2.0 and Hacking 2.0

Having to incorporate the term "Web 2.0" into my technocabulary was hard enough, but "Security 2.0" is just too ridiculous for me to absorb.  Assigning words with numerical increments by buzzword hungry media vultures is a disgrace to the development community.

Take Two Hackers and VoIP me in the Morning

With over 10,000 magazines published in the US, I rarely have time to read all of them.  But I do make an effort to set aside a few hundred hours each week to read as many of them as I can.

The Reversible Denial-of-Resource CryptoViral Extortion Attack

Ransomware, although somewhat appropriately nicknamed, as it takes your data hostage demanding money for its release, has always implied an unnecessary emotional component.  It is unforgivably insensitive to compare this to any type of real world ransom regarding human life.  Furthermore, there are no "proof of life" concepts, such as sending back a "pinky" of data or letting you briefly see that your data is being safely kept in a Linux environment.

Intel’s War Gaming: A Blueprint for Security Success

Assessment of corporate security is a difficult but essential task.  Regardless of industry, most companies allocate their IT resources to maintenance, upgrades, support and alignment with corporate strategy.  While the necessity for improved security continues to be recognized as an important goal, its implementation by in-house IT staff is often inadequate.  Therefore, outsourcing in the forms of Security as a Service, auditing, and third-party penetration testing and vulnerability assessments is commonly utilized as a solution.

However, microprocessor giant, Intel implements its own threat assessment in its companywide exercise of "war gaming".  Featured in the fourth (and most recent)  issue of Intel's own

DARPA attempting the impossible: Self-simulation for defense training

Although this news item first broke several weeks ago, I have been awaiting public analysis regarding its impracticability.  Bereft of criticism, I will provide my own.

The Internet began as a "store-and-forward" packet switching network, connecting computers via Interface Message Processors.  In 1969, the first interconnected network, ARPANET, allowed communication between the first four nodes located at UCLA, Stanford, UCSB and University of Utah.  When the project was acquired by the Department of Defense in 1975, it became known as DARPANET (Defense Advanced Research Projects Network). 

Wireline TeleCom tops FCC Complaint List

Catching up on my reading of unscrupulous behavior, I came across some interesting information from the Federal Communications Commission (FCC).  Their Consumer Inquiries and Complaints Division is in charge of reviewing, mediating, responding and resolving the public inquiries, concerns, and complaints filed towards the FCC.   The results are published in quarterly reports and, believe it or not, are occasionally interesting.   One can track the historical spikes of complaints following incidents such as certain broadcasted radio comments by Howard Stern or the televised Jackson-Timberlake debacle of Super Bowl XXXVIII.

Hackers will know what you’re wearing

You purchased your clothes, you're wearing your clothes, but now someone else 0wns them.

Microsoft Security Intelligence Report scores low IQ

Redmond has recently published its semi-annual recap on the (in)security of its leading products.  The Microsoft Security Intelligence Report (MSIR), released approximately two weeks ago, provides an "in-depth perspective" for the second half (Jul-Dec) of 2007.  As usual, a professional-appearing report with statistics and graphs is presented to the reader.   Although, after successfully downloading and reading their Key Findings Summary, it appears to have been co-authored by

AV vendors Race-to-Zero Clue

Hackers of the world will once again unite at DEFCON 16, one of the industry's top conferences, this August 8th.  The world's best and brightest security minds will deliver presentations and papers, sharing their latest research during the three-day event.  As usual, DEFCON is home to a number of classic hacker contests, including the Phreaking Challenge, Capture the Flag, Mystery Challenge, Hacker Jeopardy and the once great Spot the Fed contest.  A few new events debuting this year include BuzzWord Survivor, the Hardware Hacking Village and the unnecessarily controversial Race-to-Zero contest.

Infosec Europe 2008 funded by Ministry of Silly Walks

For those of you illiterate in British comedy, the Ministry of Silly Walks is a fictitious British organization, which only existed in the world of Monty Python in the 1970s.   The classic comedy sketch presents a man in need of funding to further develop his "silly walk", yet due to the government's economic constraints of financing Defense, Social Security, Health, Housing, Education and Silly Walks, he is told the Ministry of Silly Walks cannot help, due to their budgetary limitations... and also because his walk was simply not silly enough.  (At the end he is offered a research fellowship.)

What is the relevance of this s

Internet hit by Tornado

Evidence of a new "attack pack" has surfaced, reports Shaun Nichols, providing further proof of the organized complexity of exploit code.  The web-based toolkit, called Tornado, is speculated to have been in operation for at least six months.  This attack tool supposedly exploits up to 14 browser vulnerabilities, although I am not certain which ones, nor can I verify the true number at this time.   While its PHP code was only recently released, it is believed to be responsible for numerous iframe injection attacks during the end of last year, according to Symantec.

NSA holds 8th annual Cyber Defense Exercise

The National Security Agency/Central Security Service (NSA/CSS) Information Assurance Directorate is currently holding its 8th Annual Cyber Defense Exercise.  It started on April 21st and will be coming to a close this Thursday (04/24/08), the day officially open for journalists' media coverage.

This annual competition, between numerous service academies, challenges student teams with the task of defending their computer networks from constant attack.  However, they're not just protecting their infrastructure from automated penetration platforms.  They'll be subjected to a barrage of attacks from a network offensive operations team (Red Team), composed of NSA and Department of Defense experts, during the four-day hack-a-thon.

About Security Phreak

With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding at an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980 when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "Phone Phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.

His clients have consisted of Fortune 500 companies and various government agencies.

He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.
