The Security Skeptic
Hilton Head Island, South Carolina, USA
Dave Piscitello is a 40 year networking and Internet veteran who now focuses on Internet Security. The opinions expressed here are my own and do not necessarily represent the opinions of my employer (ICANN) or organizations with whom I have formal relationships (GCSP, APWG).
Interests: Fitness & free weights, historical fiction, cooking, gardening, inclusive society, unintended consequences of commoditizing technology without consideration of privacy or security.
Recent Activity
By guest author Cristina Ion
Today, even the smallest company can generate huge sets of data. Fortunately, technology has kept pace with storage needs. With the dawn of Big Data, we are now able to store and analyze huge sets of digital information. What we must remember here is that, whereas this may appear to be a “Big Answer”, there is an even Bigger Question at stake. Big Data is not about exploring and finding new sources of information; it's more like modern day archaeology, in that it is about using newly found methods to collect and unveil information that is already... Continue reading
Posted Mar 8, 2017 at The Security Skeptic
An earlier version of this post originally appeared at ICANN blog on 15 Sep 2015. Nearly every day, news stories or tweets reveal another "cyber attack" against a well-known brand, bank or government agency; such reports are commonplace today. These are almost always characterized as sophisticated hacking schemes. Some are described as acts of hacktivism. In an effort to characterize certain attacks as the most sophisticated ever, one enthusiastic Wikipedia contributor uses the phrase advanced targeted computer hacking attack. However, the reality is that a cyber attack doesn't necessarily involve hacking, and a great many hacks have nothing to... Continue reading
Posted Feb 20, 2017 at The Security Skeptic
These are very good insights and certainly worth considering as we attempt to develop a deeper understanding or framework. Thank you!
Matthew Bryant's recent post, Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target, describes attacks against authoritative name servers. These are the name servers that host DNS records for your domain name (A, NS, MX, CNAME, TXT...) and thus the definitive or authoritative sources for resolution, i.e., they host the database that applications use to resolve host names such as your web site name to an Internet address.
[Figure: Name server hijack example]
Bryant's post describes scenarios where domain name resolution for an organization's domain name can be hijacked by an attacker. In one scenario, (a) an organization has... Continue reading
Posted Feb 3, 2017 at The Security Skeptic
Andra Zaharia invited me to share my thoughts in her recent Heimdal Security blog post, Is Internet Security A Losing Battle? Please read the other 30+ experts' thoughts at Andra's blog. Here, I've complemented what I shared with Andra with some additional thoughts. To answer Andra's question directly, any battle that you engage on your enemy's terms, with indefensible assets or limited offensive capabilities, and where your enemy's risk and cost of attack is small, is arguably a losing battle. However, I'm not certain that warfare remains the right analog for Internet security today. I'm convinced that it's wrong. I say... Continue reading
Posted Dec 21, 2016 at The Security Skeptic
Image by Henrik Berggren
This post originally appeared at ICANN blog on 15 Sep 2015. Nearly every day, news stories or tweets reveal another "cyber attack" against a well-known brand, bank or government agency; such reports are commonplace today. These are almost always characterized as sophisticated hacking schemes. Some are described as acts of hacktivism. In an effort to characterize certain attacks as the most sophisticated ever, one enthusiastic Wikipedia contributor uses the phrase advanced targeted computer hacking attack. However, the reality is that a cyber attack doesn't necessarily involve hacking, and a great many hacks have nothing to... Continue reading
Posted Dec 15, 2016 at The Security Skeptic
I was invited to speak at the Eastern European DNS Forum/UADOM on 1 December 2016 in a session on the Internet of Things (IoT). I followed A. Baranov's fine presentation about the promises and benefits of IoT with a presentation on IoT characteristics, challenges and threat landscape. I concluded the presentation by asking, "is the past a prelude to the future?", explaining that if we don't learn from our past mistakes and hasty time-to-market decisions, the IoT cannot deliver all that we aspire it to be but instead may pose an Internet of Threats. I want to thank my ICANN... Continue reading
Posted Dec 1, 2016 at The Security Skeptic
I was invited to speak at the Eastern European DNS Forum/UADOM on 1 December 2016 in a session entitled Tackling cybercrime: challenges and roles. I described the many activities I and my fellow Identifier Systems Security Stability and Resiliency team engage in as part of our $dayjob, from threat awareness and preparedness, to subject matter expertise outreach and capability building (training). Great audience. Excellent question and answer session. Thank you to those who attended and participated so attentively and enthusiastically! To those who could not, view the presentation here. If you have questions, please ask! Continue reading
Posted Dec 1, 2016 at The Security Skeptic
This post originally appeared at ICANN blog on 10 Aug 2015. Some of the most commonly used security terms are misunderstood or used as if they were synonymous. Certain of these security terms are so closely related that it's worth examining them together. Today, we'll look at several related terms – threat, vulnerability, and exploit – and learn how security professionals use these to assess or determine risk.
Remember the Objective: Protect Assets
The reason we put security measures in place is to protect assets. Assets are anything that we determine to have value. An asset's value can be tangible;... Continue reading
Posted Oct 27, 2016 at The Security Skeptic
This post originally appeared at ICANN blog on 13 July 2015. In this installment of Raising Security Awareness, One Security Term at a Time, I'll explain two-factor authentication: how it improves the security of your online accounts or logins, and where you'll find two-factor authentication in use today.
Begin at the beginning: What is authentication?
Authentication is a security term for demonstrating that you are who you claim to be. The formal language used to describe this activity is "verifying your identity". Throughout military history, sentries posted at a military encampment would challenge anyone who approached to say the password... Continue reading
Posted Oct 7, 2016 at The Security Skeptic
Note: The views expressed here are mine alone.
Image by Mike Morris
The Centralized Zone Data Service (CZDS) was introduced to facilitate and accelerate the process of requesting access to generic Top Level Domain (TLD) zone data. CZDS is included in the new TLD registry operator contractual obligation: Registry Operator will enter into an agreement with any Internet user, which will allow such user to access an Internet host server or servers designated by Registry Operator and download zone file data. The agreement will be standardized, facilitated and administered by a Centralized Zone Data Access Provider, which may be ICANN... Continue reading
Posted Oct 3, 2016 at The Security Skeptic
Have you contacted Verisign and completed the Agreement at https://www.verisign.com/en_US/channel-resources/domain-registry-products/zone-file/index.xhtml? If you state a legitimate purpose for zone access and you provide valid contact information, Verisign should honor your request. If you have a problem, please contact me via the email widget.
Social engineering is an attempt to influence or persuade an individual to take an action. Some social engineering has beneficial purposes; for example, a company may distribute a healthcare newsletter with information intended to influence you to get a flu shot. But social engineering is commonly used by criminals to cause the recipient of an email, text, or phone call to share information (such as your online banking username and password, or personal identifying information such as your social security or passport number) or take an action that will benefit the criminal, not the individual. Criminal social engineering often has... Continue reading
Posted Sep 2, 2016 at The Security Skeptic
in English
Many network administrators think only about protecting private resources from external attacks when assessing security threats. Today's landscape is full of threats that emanate from devices infected with malware. Attackers can use these devices to collect and transmit sensitive information from your network, to attack other networks, or to send spam to them. Organizations are better protected when network administrators are also concerned about the threats associated with outbound connections. In this column, we discuss alternatives that can improve your risk profile... Continue reading
Posted Jul 11, 2016 at The Security Skeptic
Image by Khadija Dawn Carryl
What once was a seasonal phishing or phone call scam is now a year-round threat. Criminals are not only more aggressive with tax scam email or phone calls than ever, but they've contrived scams that claim victims before, during, and after what we traditionally consider tax preparation time in the US.
What is an IRS Tax Scam?
IRS Tax Scam calls are impersonation scams that lure a target into speaking with a scammer who impersonates an IRS agent. The scammer often threatens a tax filer with legal action, arrest, deportation, or seizure of assets for delinquent... Continue reading
Posted Jul 5, 2016 at The Security Skeptic
Attacks against the Domain Name System (DNS) occur more frequently than most organizations imagine, and no organization is immune to attack. Every organization must look at "people, processes and technology" to protect its DNS from attacks. Organizations should also consider how evidence of other attacks can be obtained by monitoring their DNS. This presentation from Cybersecurity Week in Quito describes many types and classes of attacks against the DNS. (Apologies if my Spanish has errors.) Attacks against the Domain Name System (DNS) occur more frequently than... Continue reading
Posted Jun 28, 2016 at The Security Skeptic
The Domain Name System (DNS) is a very important Internet service. We all use the DNS to obtain the Internet addresses associated with easy-to-use domain names. The DNS is "critical infrastructure". Cyber criminals and hacktivists have strong incentives to attack the DNS. This presentation from Cybersecurity Week in Quito describes many types and classes of attacks against the DNS. Download Ataques contra el DNS.pdf (2414.5K) The Domain Name System (DNS) is an extremely important Internet service that is used by every Internet user to obtain the Internet addresses of... Continue reading
Posted Jun 27, 2016 at The Security Skeptic
My patience with naming malware as if they were Marvel super heroes or X-Men is at an end. Slammer, Sasser, Flame, BlackEnergy. Instead of naming malware in ways that flatter or aggrandize the attackers, please let's use names that call attention to the systemic problem rather than the clever, tricksy software. For example:
WORM:Win32/TriedToWinAnIpodFromAControlSystem.A
TROJ:Win32/Surfed4PornFromARootAccount.C
WORM:Win32/ConnectedMyInfectedDeviceToIndustrialNetwork.A!sys
I was reminded yesterday of the Sun Tzu quote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a... Continue reading
Posted Jun 2, 2016 at The Security Skeptic
Package delivery services to both business and home are common events in this age of online commerce. Services like UPS, DHL and FedEx deliver thousands of packages daily. To compete, these services use email to provide customers with package tracking and problem resolution. These correspondences are low hanging fruit for phishers. Today's example is a recent attack impersonating DHL that was crafted well enough to initially evade desktop and gateway antispam measures. The subject line, About your package with DHL, is intended to raise curiosity. The sender address contains the string dhllogistics. Phishers know that users often read only what they... Continue reading
Posted Apr 26, 2016 at The Security Skeptic
by Dave Piscitello and Greg Aaron
In its Beijing Communiqué of 11 April 2013, the ICANN Government Advisory Committee (GAC) called on ICANN to have new gTLD registry operators find and act upon a variety of abusive activities occurring within their TLDs. This led to a requirement in the new gTLD contracts: Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a... Continue reading
Posted Mar 2, 2016 at The Security Skeptic
I'm often asked, “I’ve found the IP address of a criminal, where do I find information about the criminal associated with this address?” I’ve begun using the following explanation to help investigators so that they appreciate context and relationships between Internet identifiers – domain names, IP addresses, or Autonomous System Numbers (ASNs) – and criminal acts and actors. People and networks use Internet identifiers to name or number individual computers (hosts) so that these can communicate. These identify location, for example, in the most basic interpretation:
IP addresses identify the Internet’s streets and house numbers
Autonomous System Numbers identify the Internet’s... Continue reading
Posted Feb 11, 2016 at The Security Skeptic
I came across an article my colleague Stephen Kent and I wrote in 2003, The Sad and Deplorable State of Internet Security, and was struck once again by how little progress we've made on issues we were lamenting over a decade ago. The issues that most concerned us in 2003 were:
Insecure Architectures. In 2003, we said that security problems frequently arise due to "time-to-market priorities, inadequate security understanding by product architectures and the (perceived) conflict between ease of use and security."
Lack of User Awareness or complacency. In 2003, we said "Many non-technical users are entirely unaware that their systems... Continue reading
Posted Jan 21, 2016 at The Security Skeptic
My colleagues Sandro Rosetti and Paolo Dal Checco introduced me to a tiny, inexpensive wireless router and shared a post that explains how to install Tor on the router. Operating anonymously is ideal for conducting investigations, so I bought a NEXX WT3020F, visited the post, and followed the installation instructions. The NEXX is one of many tiny routers to choose from for investigating from home, office, or on the road, and most can support WiFi, Ethernet and even 3G/4G. Unfortunately, like many posts, including some of mine I'm sure, the instructions included broken external hyperlinks or mistyped scripts. Fortunately, by reading... Continue reading
Posted Jan 13, 2016 at The Security Skeptic
A recent New York Times editorial, Fear in the Air, Americans Look Over Their Shoulders begins with “The killings are happening too often. Bunched too close together. At places you would never imagine." The article continues by saying, ... a wide expanse of America’s populace finds itself engulfed in a collective fear, a fear tinged with confusion and exasperation and a broad brew of emotions. The fear of the ordinary. Going to work. Eating a meal in a restaurant. Sending children to school. Watching a movie. Gun related murders, whether perpetrated by terrorists, troubled teens, or sociopaths, are altering how... Continue reading
Posted Dec 16, 2015 at The Security Skeptic
Frank Adversego, the socially awkward, retiring, glamorless hero of Andrew Updegrove's tech thrillers, is back. Frank made his inaugural appearance in The Alexandria Project: A Tale of Treachery and Technology. In my review, I explain how Frank stumbles upon a malware infection at the Library of Congress, is accused of orchestrating the attack, and in the process of proving his innocence helps avert a disaster of apocalyptic scale. In The Lafayette Campaign: A Tale of Deceptions and Elections, Frank is $famous, for some value of fame. He's traveling once again through the Western States in his high tech camper,... Continue reading
Posted Nov 16, 2015 at The Security Skeptic