The IoT: Gateway for enterprise hackers

A very merry Christmas could give way to a not-so-happy New Year security hangover for enterprises, once a few million more Internet of Things (IoT) devices are unwrapped and migrate from homes into the workplace.

So a webinar this week hosted by The Security Ledger, titled “Who Let the IoT in?: Finding and securing wireless devices in your environment,” was designed to offer some advance advice on how to cope with it.

Paul Roberts, founder and editor in chief of The Security Ledger, who moderated the event, began by framing part of the problem: Although the IoT is now well established, many of the legacy tools enterprises still use to identify and manage vulnerable devices were “designed for the ‘Internet of Computers’ rather than the IoT.”

Ransomware as a Service fuels explosive growth

Believe it – you too can become a successful cyber criminal! It’s easy! It’s cheap! It’s short hours for big bucks! No need to spend years on boring things like learning how to write code or develop software.

Just download our simple ransomware toolkit and we can have you up and running in hours – stealing hundreds or thousands of dollars from people in other countries, all from the comfort of your home office – or your parents’ basement. Sit back and watch the Bitcoin roll in!

OK, that’s not the literal pitch coming from the developers of ransomware. But, given the rise of Ransomware as a Service (RaaS) – a business model in which malware authors enlist “distributors” to spread the infections and then take a cut of the profits – it sounds like it could be a candidate for the kind of “direct-response” TV ads that made the late pitchman Billy Mays famous.

Feds provide legal loophole to hacking IoT devices

It was an especially happy Thanksgiving for security researchers, thanks to what they have called long-overdue exemptions to the Digital Millennium Copyright Act (DMCA).

Those exemptions, which took effect Oct. 28, provide a two-year window allowing “good-faith” researchers to break into the software that controls most consumer and commercial Internet of Things (IoT) devices – those used in everything from “smart” homes to smartphones, cars, medical devices, voting machines and more – without violating copyright laws.

Is critical infrastructure the next DDoS target?

The massive Distributed Denial of Service (DDoS) attack last month on Dyn, the New Hampshire-based Domain Name System (DNS) provider, was mostly an inconvenience.

While it took down a portion of the internet for several hours, disrupted dozens of major websites and made national news, nobody died. Nobody even got hurt, other than financially.

But the attack, enabled by a botnet of millions of Internet of Things (IoT) devices, inevitably led to speculation on what damage a DDoS of that scale or worse could do to even a portion of the nation’s critical infrastructure (CI).

Chris Nickerson: Bring a bit more Zen to cybersecurity

Chris Nickerson is CEO of Lares, which focuses on hyper-competitive areas of cybersecurity like penetration testing, red-team testing and adversarial attack modeling.

But delivering the closing keynote at UNITED2016, the Rapid7 Security Summit in Boston this week, he came across as more Zen master than battle-tested general.

Nickerson never actually said the “Z” word. But he said real empowerment in cybersecurity doesn’t come from being “bullied” into a decision by charts, graphs and data sets, but from the freedom to choose.

In his view, there is a vast difference between choosing and deciding. “One of them – choosing – has freedom,” he said. “Deciding is totally different. I’ve been bullied by data sets around me into decisions.”

Protection of white-hat hackers slow in coming

In the cybersecurity world, the law doesn’t always treat the good guys like good guys.

As Harley Geiger put it in a talk titled “Fighting for Legal Protection for Security Researchers” at UNITED2016, the Rapid7 Security Summit, the vast majority of independent research into the security of consumer and commercial products “doesn’t seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm.”

Yet laws at both the federal and state level “tend to undermine that,” he said.

Geiger, director of public policy at Rapid7, cited laws like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA), which he said in crucial areas fail to allow for a distinction between researchers, who are simply trying to improve cybersecurity, and criminal hackers.

DDoS attack on Dyn could have been prevented

It didn’t have to happen.

Last month’s massive Distributed Denial-of-Service (DDoS) attack on Domain Name System (DNS) service provider Dyn, which used a botnet of thousands of Internet of Things (IoT) devices to disrupt dozens of major websites including Twitter, Spotify, PayPal, GitHub, CNN.com and the New York Times, could “easily” have been prevented.

That contention comes from the Online Trust Association (OTA), creator of what it calls the “IoT Trust Framework”, 31 principles designed to improve the security and privacy of connected devices and data, which it released this past March (see sidebar).

Leadership: From dictator to enabler

Effective leadership isn’t what it used to be, because what it was doesn’t work any more.

That declaration comes from one who ought to know – one of the US military’s most prominent and celebrated leaders of the past decade – retired Gen. Stanley McChrystal, former commander of the Joint Special Operations Command (JSOC) in Iraq and commander of US and international forces in Afghanistan.

McChrystal, who gave the opening keynote at the UNITED2016 Rapid7 Security Summit in Boston Wednesday, admitted at the start that it was the early failure of elite US forces to defeat the terrorist group al Qaeda in Iraq that taught him what it would take to succeed.
