This is David Harley's Typepad Profile.
Join Typepad and start following David Harley's activity
Join Now!
Already a member? Sign In
David Harley
Interests: movies, the guitar, blues and opera, good wine and food.
Recent Activity
Recently, one of my colleagues forwarded one of those memes currently circulating through social media about the joys of password authentication, with the thought that it might offer a way of mixing advice and humour. In this case, the meme takes the form – slightly exaggerated, but maybe all too close to reality in some cases – of a service user’s attempts to create a password acceptable to the service's authentication mechanism, with the user’s increasing frustration expressed through the increasingly vulgar passwords he tries to create in order to meet the increasingly . As it happens, I have indeed... Continue reading
Posted Aug 30, 2014 at (ISC)² Blog
I was asked – as happens from time to time – for commentary for an upcoming security article. (As also happens from time to time, I have no idea whether the journalist has used it or not. Since the request came via an agency, I don’t actually know the who or where, either, so I feel quite comfortable about expanding on that commentary here…) In this case, the topic was a report from Silent Circle. I’d be happy to provide a link to it, but I haven’t been able to find one. Apparently, though, the report summarizes the opinions of... Continue reading
Posted Jun 29, 2014 at (ISC)² Blog
Android tech support scams? Not quite, but technical accuracy isn't a scammer's priority and Android users' money is as desirable as anyone else's. If you read some of the recent reports based on an excellent article by Jérôme Segura for the Malwarebytes blog, you might have got the impression that tech support scams and scammers are finally moving on from Windows users (especially XP users) to target users of smart/mobile devices (smart phones, tablets). (Not to mention Mac users.) That isn’t quite what he’s saying, though, and it’s not really the case. While the scammers he describes have been luring... Continue reading
Posted Jan 29, 2014 at (ISC)² Blog
Like lots of people, I have an account on LinkedIn, the social networking website used by so many professionals in IT (and other areas, of course). It must be said, though, that at this point I don’t access it much. Being already semi-retired, I’m not too concerned about having a network of people I can approach about alternative employment if I suddenly lose my customers in the security industry. The groups I’m a member of sometimes flag an interesting issue, but an increasing number of the messages I get via LinkedIn are a little annoying. For instance: People I barely... Continue reading
Posted Nov 10, 2013 at (ISC)² Blog
It’s important to keep improving products as they move further and further away from static detection, but if we’re to counter misinformation from other security sectors, we also need to make it clearer to our audiences and customers – not necessarily the same thing - what we really do and what they can realistically expect from us. Continue reading
Posted Sep 17, 2013 at (ISC)² Blog
I’ve noticed a number of articles recently based on historical summaries of threats past – for instance, a ‘brief history of Apple hacking’ (see also my commentary for Infosecurity Magazine) and SC Magazine’s Ten Devastating Computer Viruses. In general, I’m more fascinated by the fact that the media and the reading public are so taken with top ten lists – in fact, I’ve considered the phenomenon a couple of times with some seriousness, as in Perfect Ten: Truth and Prognostication – than I am by the prospect of putting my own lists together. Though I have done from time to... Continue reading
Posted Jul 12, 2013 at (ISC)² Blog
Cold-call tech support scams. Didn't they go away when the Federal Trade Commission cracked down on them in the US? Actually, while the FTC crackdown wasn't quite as comprehensive as it might have seemed, there's no doubt that the number of classic "I'm-ringing-from-Microsoft-to-tell-you-that-you-have-viruses-but-I-can-help-you-for-a-small-fee" cold-calls has declined (round here at any rate, but maybe they just figured that ringing someone who wrote as extensively as I do about the scam wasn't much of a sales prospect). Still, it seems that what is happening here is evolution, not extinction. Last month, my colleague Jean-Ian Boutin reported malware that not only combined fake... Continue reading
Posted May 11, 2013 at (ISC)² Blog
PPI (Payment Protection Insurance) has been a hot potato in the UK for some years. There has long been widespread concern that the insurance, frequently added on to loans, mortgages and overdrafts, was frequently sold in circumstances inappropriate to the needs of the customer, while offering disproportionately large benefits to the lender/insurance provider (especially banks). In consequence, there has in recent years been pressure on financial institutions to review their sales practice and repay customers for mis-sold PPI services. In the last year or so, I've noticed an upsurge of nuisance messages relating to PPI rebates: these range from automated... Continue reading
Posted Jan 29, 2013 at (ISC)² Blog
From time to time, I find myself having to rail against the misuse of VirusTotal’s service as a sort of surrogate AV product test. Sadly, I feel the need to do it again here, in the light of a current news item. Continue reading
Posted Dec 10, 2012 at (ISC)² Blog
My friend and colleague Stephen Cobb has shared some interesting survey data in a blog article indicating that the age group between 18 and 34 is less likely than older groups to use complex passwords or even to use different passwords according to the sensitivity of the context. Kevin Townsend had his own take on the article, and in fact we talked subsequently about his suggestions that: More mature people have had more negative experiences in life which make them more cautious/security conscious People with more to lose will make more effort to protect what they've got. I agree that... Continue reading
Posted Oct 19, 2012 at (ISC)² Blog
Do you trust Oracle to do better from now on? Do you need Java anyway? If enough ... apps and services ... reconsider their dependence on an unpopular service, and then Oracle will really have a problem. [But] responsible disclosure demands responsible (and responsive) remediation. Continue reading
Posted Sep 3, 2012 at (ISC)² Blog
With news breaking of a further wave of "fake malware-laden apps", let's hope that Google has seen ENISA's analysis of appstore security, and will not assume that Bouncer app review is enough... Continue reading
Posted Feb 6, 2012 at (ISC)² Blog
Many are concerned that the current forms of SOPA and PIPA, will be ineffective, and will hamper other attempts to make the internet safer. Continue reading
Posted Nov 16, 2011 at (ISC)² Blog
According to the FAS Project on Government Secrecy, using data tabulated in the report, 4,266,091 people held security clearances in the US for access to classified information. Continue reading
Posted Sep 21, 2011 at (ISC)² Blog
Laws tend to adjust slowly to social and technological trends, especially trends that change with the dramatic speed that modern IT allows. Continue reading
Posted Aug 16, 2011 at (ISC)² Blog
The cold war is back (if it ever really went away). Only now, anyone can play. Nations - including the UK, where I have the pleasure of residing - are queueing up to announce that they're developing cyberwarrior capabilities. Continue reading
Posted Jun 9, 2011 at (ISC)² Blog
I'm not actually going to write about the Epsilon fiasco as such here. I can think of at least two journalists who will be grateful for that, but I'm not going to let them off quite that easily, even though I can empathise with their ennui. Larry Seltzer notes that he has received far too many pitches using Epsilon as a hook. I can sympathise with that: I'm bored out of my skull with it, and I don't do much more than skim Epsilon-related articles to see if they're worth flagging on a resources blog, with or without commentary. John... Continue reading
Posted Apr 8, 2011 at (ISC)² Blog
It probably hasn’t escaped your notice that there’s a lot of malware/SEO/scamming whenever a major disaster occurs. A few days ago I started to put together a list of commentary (some of it my own) and resources relating to the Japanese earthquake and tsunami, in anticipation of that sort of activity. Originally, I was using several of my usual blog venues, but decided eventually to focus on one site. As ESET has no monopoly on useful information, I wanted to use a vendor-agnostic site. Actually, I could have used this one, but for better or worse, I decided to use... Continue reading
Posted Mar 14, 2011 at (ISC)² Blog
After well over 20 years involved in some aspect or another of the security industry, several of them supplying services to the anti-malware industry, I can say with some confidence that AV product testing has given me more white hairs than any other security topic. Only a true obsessive, a hallucinating optimist or hopeless masochist would admit to being a Director of AMTSO, the Anti-Malware Testing Standards Organization, so I won't mention that... But I will mention that the next AMTSO members meeting is at San Mateo, California, on the 10th and 11th February, conveniently and non-coincidentally arranged just before... Continue reading
Posted Jan 24, 2011 at (ISC)² Blog
I've been in this business too long to be easily riled by hoaxes and semi-hoaxes, electronic Pearl harbours, rumours and gossip. But after enforced immersion into various aspects of the Win32/Stuxnet issue (from remediation-related discussion with SCADA sites to code analysis, to data mining from distribution data), I've become more than usually frustrated with articles and discussion threads adding two and two to make infinity. Here, briefly, is what we know. Stuxnet used an unusually rich selection of 0-day attacks, exploiting the LNK and print spooler vulnerabilities recently patched by Microsoft and a couple of Elevation of Privilege issues that... Continue reading
Posted Sep 26, 2010 at (ISC)² Blog
The Anti-Phishing Working Group has asked its members to publicize the forthcoming Counter eCrime Operations Summit (CeCOS) in Brazil. I've already blogged this in quite a few other places, but given the impact of phishing and identity theft on the online community, it seems reasonable to assume that the Summit will be of interest to (ISC)2 members and readers of this blog, so I'm addressing it again here. Apologies to those who will have come across it elsewhere. This year the APWG is hosting it's fourth annual Counter eCrime Operations Summit (CeCOS IV) on May 11, 12 & 13 in... Continue reading
Posted Mar 21, 2010 at (ISC)² Blog
The Harvard Business School has words of wisdom at in an article on "Why your employees are losing motivation," by David Sirota, Louis A. Mischkind, and Michael Irwin Meltzer. It's not directly about security, but the fact that it seems to be striking a chord with so many security bloggers and microbloggers is significant. The article's closing words about the ways in which management may unwittingly demotivate staff are applicable to many, many people who aren't security professionals, of course: "Many companies treat employees as disposable... ...Employees generally receive inadequate recognition and reward: About half of the workers in... Continue reading
Posted Feb 20, 2010 at (ISC)² Blog
In the US, the holiday season is approaching fast, with Thanksgiving a week away on 26th November. I guess most of us outside the US are aware of Thanksgiving if we work with Americans, since almost the entire country closes down on the 4th Thursday in November. (Apologies to the Canadians in the audience, who had their own Thanksgiving celebration back in October.) However, fewer people outside the US will be aware of Black Friday (the day after Thanksgiving) and Cyber Monday (the following Monday – that’s the 30th November this year) unless they’re in global retail. Black Friday isn’t... Continue reading
Posted Nov 19, 2009 at (ISC)² Blog
An article in PC Pro by Asavin Wattanajantra quotes Dr Steve Marsh, who is deputy director at the Office of Cyber Security in the Cabinet Office, as saying (in respect of EU policy on protecting Europe from cyber attack, whatever you may understand by that term) that: "the main focus of botnets would be to target and extort money from private companies, rather than bring down public sector networks [and] .... in a sense [it is] not in their interest to bring down infrastructure which is earning them money." This isn't a million miles away from something I was saying... Continue reading
Posted Nov 16, 2009 at (ISC)² Blog