Akamai Security Advocate Dave Lewis and I made Tripwire's list of "Top Influencers in Security You Should Follow in 2015."
For each security practitioner selected, Tripwire included Twitter handles, blog URLs and reasons for selecting the individuals. Tripwire also asked us what infosec-related superpower we wished to have, in keeping with this year's theme of "InfoSec Avengers."
Thanks to Tripwire for including us on the list!
The following PLXsert advisory came out last week, but I'm just back from vacation and catching up on what I missed. This one is high-risk and worth mentioning here.
Public dumps of compromised data from several high-profile attacks have fueled an increase in automated and systematic attempts to reuse stolen credentials at multiple websites.
The requests show user agents are systematically randomized. One of the most targeted sectors is online financial services. Other industries targeted by these brute force attacks are online entertainment, high tech consulting and Software-as-aService(SaaS).
The January meeting of OWASP Boston is Wednesday, 6:30 p.m., at Akamai Headquarters -- 150 Broadway, on the 2nd floor.
Akamai CSIRT's Patrick Laverty will give a talk called "How a Hacker Views Your Web Site."
Laverty offered these details of the talk:
As defenders, we have to be right 100 percent of the time where an attacker only needs to be right once. The attack surface of a modern web site is incredibly large and we need to be aware of all of it. Additionally, individual attacks may not always be effective but sometimes using them together can gain the desired effect. In this talk, we'll take a look at the whole attack surface for a typical web site and the various ways that an attacker will use to compromise a site.
Laverty gave this presentation at the Boston Application Security Conference (BASC) in October, and it was well received.
Boston OWASP (The Open Web Application Security Project) meetings happen the first Wednesday of each month, usually at Akamai headquarters.
You can also watch Laverty deliver a talk on the differences between vulnerability management and penetration testing here.
Compiling a full list of security conferences for a 12-month period is hard. There are the obvious ones, like RSA, Black Hat and Defcon. But there are countless more with content and networking opportunities security practitioners can benefit from.
To that end, I want to direct you to this excellent list from Henry Dalziel, a security blogger with Concise Courses. It's the most comprehensive list I've ever seen.
I've never been a fan of security predictions, though I've written about them too many times to count.
I guess that makes me a hypocrite. I could take the high road and tell you my bosses always make me write about it, but why pass the buck? In the world of tech media, we ALL write about predictions.
Call it a case of doing one of those tasks you hate because, like changing diapers or taking out the trash, it has to be done.
Akamai's Prolexic Security Engineering & Response Team (PLXsert) has issued a new advisory about a Xsser mobile remote access Trojan (mRAT) attackers are using to target iOS and Android devices.
The Xsser mRAT is spread through man-in-the-middle and phishing attacks and may involve cellphone tower eavesdropping for location-specific attacks.
Vulnerability assessment and pen testing both deal with finding and fixing security holes. But they are not the same thing. In this whiteboard presentation, Akamai security researcher Patrick Laverty explains the differences between the two, and how both are critical to the vulnerability management process at Akamai.
At Akamai, incidents happen daily. Despite strong controls, it's inevitable that problems will arise when so much content is being handled, processed and distributed within Akamai and on behalf of customers. To deal with that reality, the company has a set of procedures to manage incidents as they materialize. Most incidents are resolved by small interventions in the network. In this whiteboard presentation, Bill Brenner gives an overview.