Archive for the “disclosure” category

House Oversight Committee on Equifax

by nsadmin on December 11, 2018

The House Oversight Committee has released a scathing report on Equifax. Through the investigation, the Committee reviewed over 122,000 pages of documents, conducted transcribed interviews with three former Equifax employees directly involved with IT, and met with numerous current and (…)

GAO Report on Equifax

by nsadmin on October 12, 2018

I have regularly asked why we don’t know more about the Equifax breach, including in comments in “That Was Close! Reward Reporting of Cybersecurity ‘Near Misses’.” These questions are not intended to attack Equifax. Rather, we can use their breach (…)

You say noise, I say data

by adam on September 20, 2016

There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usually precisely how people phrase it. I like this chart of one of the largest (…)

Why Don’t We Have an Incident Repository?

by adam on September 14, 2016

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a (…)

FBI says their warnings were ignored

by adam on August 17, 2016

There are two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, and that someone gave a set of emails to Wikileaks. There are (…)

The New Cyber Agency Will Likely Cyber Fail

by adam on February 10, 2015

The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: (…)

Security 101: Show Your List!

by adam on January 5, 2015

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m (…)

Employees Say Company Left Data Vulnerable

by adam on October 7, 2014

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow (…)

BSides LV: Change Industry Or Change Professionals?

by adam on August 27, 2014

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, (…)

What Security Folks Can Learn from Doctors

by adam on June 11, 2014

Stefan Larsson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when (…)