I speak and write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.
My six-month hiatus from SecurityWeek is over! Here's a fun little piece that mostly wrote itself, about all the ways I've seen SMS being bypassed as a second factor of authentication. Cute insider note: when I asked the designers for an image of an older guy looking at his phone, they sent this one, with the caption "there's a sale on adult undergarments!"
I've been talking about this problem for years (it seems), but there's been an update. Toward the end.
This is basically me channelling a series of emails with Marc LeBeau. He gave me permission to submit it as an article and I really like the way it came out. BTW can you guess the racy password that my editors didn't want me to write about?
Someone asked me what I thought about the recently passed Singapore Cybersecurity Statute. So I did some research and turned it into an article for SecurityWeek.
My recommendations on how to spot cryptocurrency mining malware on your network and what to do when you spot it.
My latest piece for SecurityWeek is an analysis of the ROBOT attack against TLS stacks. Check out how many of these I've done now, it's crazy.
All, all those branded SSL vulnerabilities. True to my word, I've continued writing articles comparing them to each other so you can have some idea about how much to freak out. This article adds two more: the DUHK and ROCA vulnerabilities.
SecurityWeek mentions an old column of mine about HTTP Strict Transport Security (HSTS).
Three researchers, two from Bastille Networks, gave a fantastic talk about reverse engineering the Comcast and Time Warner home networks. Really well done! I was surprised no one was writing about it, so here you go!
Part 3 of my "Threat Modeling IoT" series. This one looks at a real world example (smart parking meters) and shows how you might run a real threat model against it.
My series on Threat Modeling the Internet of Things continues. This piece explains the process of threat modeling and provides some tips on how to work with your team to get it right.
Here is Part 0 (or part 1) of a series on threat modeling the Internet of Things. Here I introduce these two topics, the Internet of Things and threat modeling, and suggest that maybe we need to spend more time putting them together. I like the intro and extro for this piece :)
My response, representing the vendor community, to US-CERT's warning about SSL interception products.
Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.
Here's a funny little piece I wrote about my drinking. No, I mean about making predictions. I mean resolutions. The backstory is that the PR firm always wants a prediction piece, but I think prediction pieces are terrible! Because if I could predict the future I would be way richer than I already am. So instead we disguise these pieces as "resolutions" LOL.
A young hacker came up to me after a talk in Belgium and told me this story. Made for a great article for SecurityWeek.
A fine article about evaluating the risks and creating sound strategy around moving to Office365. In the article I briefly mention 5 threats you should add to your threat modeling for cloud collaboration. Threat modeling for cloud could, and should, be its own article or even series of articles. Remind me to write that! :)
“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.
Here is an early reaction to the Dyn DNS DDoS attack of Friday, Oct 21. I spent about 8 hours working on an article about the Brian Krebs attack from an airplane over the Atlantic. About halfway through, the Dyn attack happened, and I had to rewrite the article! It was a long day, but at least when I got down, there was a decent article ready to go :)
User federation is absolutely the best way to provide user authentication in the cloud. But the recent Yahoo! breach may have dimmed enthusiasm for federated Yahoo! logins, which is a shame because reasons. The reasons in this piece :)
In this piece, yours truly evaluates the SWEET32 cryptographic attack relative to other SSL cryptographic attacks such as DROWN and BEAST.
We commissioned the analyst firm IDC to do an encryption survey. They asked questions that I always wanted to know the answer to. So what does that have to do with goat parkour? Read on and find out.
I've been coming to this hacker con since Defcon 7. So that's 17 years! DC24 was a good one, with some interesting talks. Here's a recap I did for SecurityWeek.
Here's a recap I did for SecurityWeek of some of the more interesting talks at the 2016 Black Hat security conference.
I heard about this problem with a customer in Oslo, Norway. It has to do with an advance in cryptography throwing surveillance devices into darkness.
I get lucky sometimes. This was one of those times. I ran into a member of CERT.be, and he told me of an interesting report about a cyberespionage case in Europe. Made for a great SecurityWeek article.
When asked for comment on the Panama Papers, I said heck yeah, there are so many questions. So I put them into a SecurityWeek byline, and then answered them. Most of them. Even the one about Simon Cowell.
A look at how a Dridex malware campaign is shifting around the globe.
During my last visit to Australia, I talked with some customers who were running into some fascinating problems trying to secure multiple components across different public clouds. Wrote it up for SecurityWeek.
Should you panic about the DROWN SSL vulnerability? Is it cute and kid-friendly, or is it a monster vulnerability coming to expose your most sensitive data? This piece I did for SecurityWeek builds upon the "Stack Ranking SSL Vulnerabilities" article I'd written the year before.
A great piece that came from looking at how the different top tier analysts look at the discipline of Application Security.
I know it sounds like I pick on Let's Encrypt, the free, open CA. And I guess I do kinda. Not in a mean way, because what they are doing is pretty freaking cool. But in a skeptical way, because so often the road to hell is paved with good intentions. On the other hand, there are altruistic endeavors that I would have said would never work, like Wikipedia, and um, well that's about it. Anyway, this piece is a more measured look at the early public stages of Let's Encrypt.
A look back at the mega breaches of 2015: Ashley Madison, the OPM hack, Kaspersky, and more.
A cute little piece celebrating the new year, infosec style.
This is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other. And that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind of encryption the PS4 uses. And how resistant it would be to surveillance.
My love letter to my favorite algorithm of all time, RC4.
Strict Transport Security is a simple but very powerful security fix. So why does no one use it? I explore the topic in this piece for SecurityWeek.
My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.
A BGP route monitoring firm, Qrator, released a paper at Black Hat 2015 titled “Breaking HTTPS with BGP Hijacking.” Here's my take on it.
Not all SSL vulnerabilities are the same. Some are way worse than others, but often the media doesn't know that. My attempt to provide a relative scale based on quantifiable cryptographic assets. Also uses a cute Japanese Monster Alert level.
I first ran into the hacker search engine Shodan at Defcon over a decade ago. It's still around; I saw its creator, John Matherly, giving a talk about it at the Hack-in-the-Box conference in Amsterdam. My summary for SecurityWeek.
A deeper dive into the theoretical topic of mobile malware.
I won a long-standing bet with my colleague, Pete Silva, about the Android Armageddon. Here's my write-up where I claim to win!
In 1897, physiologist René Quinton completely replaced the blood of a live, abandoned dog with seawater in an experiment to prove the theory that the chemistry of mammalian blood is formulated from ocean water, with which it shares many properties including salinity and acidity. Sound interesting? It is! A friend of mine called me recently: "Hey man, I was looking up the security of docker containers and read this article and lo and behold it was my old buddy Dave who wrote it!"
Three different reasons why tractor companies find themselves in the crosshairs of DDoS attackers.
I submitted this piece with multiple possible titles. This was the one that got chosen - the most inflammatory. But hey, strong opinions sell, I get it. Read the piece and see if it stands on its own, title notwithstanding.
I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.
I've been scanning the SSL universe since the summer of 2014, so I was able to see the effects of the POODLE vulnerability. Here's the writeup I did on both for SecurityWeek.
This is the most-read article I've ever written. A true story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.
Here's an article where I compare Bitcoin (and other blockchain fintech) to another virtual currency, the one promoted and used by tens of millions in Africa: m-pesa.
I still get questions about this SecurityWeek piece, which is good because I'm quite proud of this one. It's a look at three different systems that tried to patch one of the nagging security "holes" in the Internet and why they all failed.
"The giraffe was probably dead." LOL that is the best line I've ever used to start an article. This SecurityWeek piece about Twitter security came out of a trip I did to Africa.