security-week

They call me the content machine. I write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.



June 12, 2017 tags:  infosec security-week

Threat Modeling the Internet of Things Part 2: Three Steps to Pizza

My series on Threat Modeling the Internet of Things continues. This piece explains the process of threat modeling and provides some tips on how to work with your team to get it right.


May 4, 2017 tags:  security-week

Threat Modeling the Internet of Things

Here is Part 0 (or part 1) of a series on threat modeling the Internet of Things. Here I introduce these two topics, Internet of Things and threat modeling, and suggest that maybe we need to spend more time putting them together. I like the intro and extro for this piece :)


March 29, 2017 tags:  SSL-TLS cryptography security-week

US-CERT's Warning on SSL Interception vs. Security is a False Dichotomy

My response, representing the vendor community, to US-CERT's warning about SSL interception products.


March 1, 2017 tags:  SSL-TLS cryptography security-week

Encryption Smackdown: PlayStation 4 vs. XBox One!

Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.


Dec. 28, 2016 tags:  infosec security-week

Five New Year's Resolutions for the Security Community

Here's a funny little piece I wrote about my drinking. No, I mean about making predictions. I mean resolutions. The backstory is that the PR firm always wants a prediction piece, but I think prediction pieces are terrible! Because if I could predict the future I would be way richer than I already am. So instead we disguise these pieces as "resolutions" LOL.


Dec. 7, 2016 tags:  hackers security-week

Hacking Europe's Smart Cities

A young hacker came up to me after a talk in Belgium and told me this story. Made for a great article for SecurityWeek.


Nov. 28, 2016 tags:  infosec security-week

Evaluating Risks to Identity and Access When Moving to the Cloud

A fine article about evaluating the risks and creating sound strategy around moving to Office365. In the article I briefly mention 5 threats you should add to your threat modeling for cloud collaboration. Threat modeling for cloud could, and should, be its own article or even series of articles. Remind me to write that! :)


Nov. 24, 2016 tags:  ddos in-the-news security-week

This Web-based Tool Checks if Your Network Is Exposed to Mirai

“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.


Oct. 28, 2016 tags:  ddos hackers security-week

What's the Fix for the IoT DDoS Attacks?

Here is an early reaction to the Dyn DNS DDoS attack of Friday, Oct 21. I spent about 8 hours working on an article about the Brian Krebs attack from an airplane over the Atlantic. About halfway through, the Dyn attack happened, and I had to rewrite the article! It was a long day, but at least when I got down there was a decent article ready to go :)


Oct. 14, 2016 tags:  infosec hackers security-week

Another Potential Victim of the Yahoo! Breach: Federated Login

User federation is absolutely the best way to provide user authentication in the cloud. But the recent Yahoo! breach may have dimmed enthusiasm for federated Yahoo! logins, which is a shame because reasons. The reasons in this piece :)


Sept. 28, 2016 tags:  SSL-TLS cryptography infosec security-week

I Got 99 Problems, But SWEET32 Isn't One

In this piece, yours truly evaluates the SWEET32 cryptographic attack relative to other SSL cryptographic attacks such as DROWN and BEAST.


Sept. 16, 2016 tags:  SSL-TLS cryptography security-week

You Can't Find What You're Not Looking For Because of Goat Parkour

We commissioned the analyst firm IDC to do an encryption survey. They asked questions that I always wanted to know the answer to. So what does that have to do with goat parkour? Read on and find out.


Aug. 17, 2016 tags:  cryptography infosec hackers security-week

Dispatches from DEFCON 24

I've been coming to this hacker con since Defcon 7. So that's 17 years! DC24 was a good one, with some interesting talks. Here's a recap I did for SecurityWeek.


Aug. 8, 2016 tags:  cryptography infosec hackers security-week

Dispatches from Blackhat USA 2016

Here's a recap I did for SecurityWeek of some of the more interesting talks at the 2016 Black Hat security conference.


June 29, 2016 tags:  SSL-TLS cryptography infosec security-week

New X25519 Cipher Throws Enterprise Surveillance for a Loop

I heard about this problem with a customer in Oslo, Norway. It has to do with an advance in cryptography throwing surveillance devices into darkness.


June 2, 2016 tags:  cryptography travel infosec hackers security-week

Cyber Espionage Report: APT at RUAG

I get lucky sometimes. This was one of those times. I ran into a member of CERT.be, and he told me of an interesting report about a cyberespionage case in Europe. Made for a great SecurityWeek article.


May 18, 2016 tags:  infosec hackers security-week

Mysteries of the Panama Papers

When asked for comment on the Panama Papers, I said heck yeah, there are so many questions. So I put them into a SecurityWeek byline, and then answered them. Most of them. Even the one about Simon Cowell.


April 29, 2016 tags:  infosec hackers security-week

New Dridex Malware Campaign Shifts to U.S.

A look at how a Dridex malware campaign is shifting around the globe.


April 13, 2016 tags:  SSL-TLS cryptography infosec security-week

Is Multi-Cloud the Ultimate Use Case for the Zero Trust Model?

During my last visit to Australia, I talked with some customers who were running into some fascinating problems trying to secure multiple components across different public clouds. Wrote it up for SecurityWeek.


March 23, 2016 tags:  SSL-TLS cryptography infosec security-week

Is DROWN a 'Hello Kitty' SSL Vulnerability?

Should you panic about the DROWN SSL vulnerability? Is it cute and kid-friendly, or is it a monster vulnerability coming to expose your most sensitive data? This piece I did for SecurityWeek builds upon the "Stack Ranking SSL Vulnerabilities" article I'd written the year before.


Feb. 29, 2016 tags:  infosec security-week

Should Application Security Become its Own Discipline?

A great piece that came from looking at how the different top tier analysts look at the discipline of Application Security.


Feb. 4, 2016 tags:  SSL-TLS cryptography infosec security-week

Let's Encrypt's Public Beta--Panacea or Placebo?

I know it sounds like I pick on Let's Encrypt, the free, open CA. And I guess I do kinda. Not in a mean way, because what they are doing is pretty freaking cool. But in a skeptical way, because so often the road to hell is paved with good intentions. On the other hand, there are altruistic endeavors that I would have said would never work, like Wikipedia, and um, well that's about it. Anyway, this piece is a more measured look at the early public stages of Let's Encrypt.


Jan. 13, 2016 tags:  infosec hackers security-week

Was 2015 the Year of Breach Fatigue?

A look back at the mega breaches of 2015: Ashley Madison, the OPM hack, Kaspersky, and more.


Jan. 6, 2016 tags:  infosec security-week

New Year's Resolutions for the Security Minded

A cute little piece celebrating the new year, infosec style.


Dec. 9, 2015 tags:  SSL-TLS cryptography infosec security-week

Paris Attacks: What kind of Encryption Does the PlayStation 4 Use, Anyway?

This is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other. And that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind of encryption the PS4 uses. And how resistant would it be to surveillance.


Nov. 12, 2015 tags:  SSL-TLS cryptography infosec security-week

In Memoriam: Goodbye to RC4, an Old Crypto Favorite

My love letter to my favorite algorithm of all time, RC4.


Oct. 28, 2015 tags:  SSL-TLS cryptography infosec security-week

What's the Disconnect with Strict Transport Security?

Strict Transport Security is a simple but very powerful security fix. So why does no-one use it? I explore the topic in this piece for SecurityWeek.


Sept. 24, 2015 tags:  SSL-TLS cryptography infosec security-week

How "Let's Encrypt" Will Challenge The CA Industry

My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.


Sept. 9, 2015 tags:  infosec hackers security-week

Should You Be Worried About BGP Hijacking your HTTPS?

A BGP route monitoring firm, Qrator, released a paper at Blackhat 2015 titled “Breaking HTTPS with BGP Hijacking.” Here's my take on it.


July 30, 2015 tags:  SSL-TLS cryptography infosec security-week

Stack Ranking SSL Vulnerabilities for the Enterprise

Not all SSL vulnerabilities are the same. Some are way worse than others, but often the media doesn't know that. My attempt to provide a relative scale based on quantifiable cryptographic assets. Also uses a cute Japanese Monster Alert level.


July 8, 2015 tags:  infosec hackers security-week

Hacker Search Engine Becomes the New Internet of Things Search Engine

I first ran into the hacker search engine Shodan at Defcon over a decade ago. It's still around; I saw its creator, John Matherly, giving a talk about it at Amsterdam's Hack-in-the-Box conference. My summary for SecurityWeek.


June 4, 2015 tags:  ddos infosec hackers security-week

Three Reasons Mobile DDoS Never Materialized

A deeper dive into the theoretical topic of mobile malware.


May 17, 2015 tags:  ddos infosec security-week

Where is the Android DDoS Armageddon?

I won a long-standing bet with my colleague, Pete Silva, about the Android Armageddon. Here's my write-up where I claim to win!


April 15, 2015 tags:  infosec security-week

Disrupting the Disruptor: Security of Docker Containers

In 1897, physiologist René Quinton completely replaced the blood of a live, abandoned dog with seawater in an experiment to prove the theory that the chemistry of mammalian blood is formulated from ocean water, with which it shares many properties including salinity and acidity. Sound interesting? It is! A friend of mine called me recently: "Hey man, I was looking up the security of docker containers and read this article and lo-and-behold it was my old buddy Dave who wrote it!"


March 17, 2015 tags:  ddos infosec hackers security-week

Why do Bulldozers Incite DDoS Attacks?

Three different reasons why tractor companies find themselves in the crosshairs of DDoS attackers.


Feb. 17, 2015 tags:  SSL-TLS cryptography security-week

Why "Let's Encrypt" Won't Make the Internet More Trustworthy

I submitted this piece with multiple possible titles. This was one that got chosen - the most inflammatory. But hey, strong opinions sell, I get it. Read the piece and see if it stands on its own, title notwithstanding.


Feb. 15, 2015 tags:  SSL-TLS cryptography infosec security-week

How to Tap the Hardware Random Number Generator in Your Load Balancer

I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.


Feb. 10, 2015 tags:  SSL-TLS cryptography hackers security-week

Was SSL3 killed by a POODLE? Surveys says…Maybe!

I've been scanning the SSL universe since the summer of 2014, so I was able to see the effects of the POODLE vulnerability. Here's the writeup I did on both for SecurityWeek.


Jan. 7, 2015 tags:  ddos infosec security-week

The Real Story Behind the Kate Upton Nude DDoS Attack

This is the most-read article I've ever written. A true story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.


Dec. 18, 2014 tags:  SSL-TLS cryptography travel infosec security-week

The Virtual Currency Taking Over the World isn’t the One You Think

Here's an article where I compare Bitcoin (and other blockchain fintech) to another virtual currency, the one promoted and used by tens of millions in Africa: m-pesa.


Dec. 2, 2014 tags:  SSL-TLS cryptography infosec security-week

Convergence Replacement Throwdown! DANE vs. TACK vs. CT

I still get questions about this SecurityWeek piece, which is good because I'm quite proud of this one. It's a look at three different systems that tried to patch one of the nagging security "holes" in the Internet and why they all failed.


Nov. 6, 2014 tags:  cryptography travel infosec security-week

When Encryption isn't Enough

"The giraffe was probably dead." LOL that is the best line I've ever used to start an article. This SecurityWeek piece about Twitter security came out of a trip I did to Africa.