From The Shadows of BlackHat/DEFCON


On the eve of BlackHat, I sat down from Las Vegas with ABC News' Alex Stone to talk about what I would call the "Hunger Games of Hacking" at the annual BlackHat and DEFCON hacker conferences. While there are a lot of good reasons to go, attendees may also want to protect themselves when they're in town, and it's the one place where it might be better if you just disconnect. Comprising over fifteen thousand hackers and cyber security experts, it's the highest concentration of elite skilled "cyber sleuths" in the world convening in one place. For the most part, in any given two-mile radius of Las Vegas, you stand to be a hacking target. Interested in hearing more details? Take a listen via SoundCloud here as I discuss this with ABC News Radio.

What’s The Future of Your Online Identity, Authorization, Authentication and Access Controls?


Today's cyber security threat landscape has completely changed from the years when a Common Access Card (CAC) or Personal Identity Verification (PIV) card could provide reasonable security. For example, in 2015 the United States Central Command Twitter account was hacked. The Department of Defense has limited ways to secure a resource like that, which sits well beyond the reach of any current identity controls.

Besides resources that live outside the network, another concern is the multitude of devices that were never even conceived when the CAC and PIV standards were written. Today we have smartphones, tablets, and even a plethora of sensors from the Internet of Things. We must consider other options for identity that go beyond CAC and PIV.

In the midst of recent news surrounding Russian hacking, global ransomware attacks and data leaks, I joined WTOP Federal News Radio in Washington, DC for a multi-part special segment to talk "Federal Identity Governance", insider threats and much more to address these issues.

Want to hear more? Tune in to the first segment by clicking here.



MIT Technology Review – Smart Cities Could Be Crippled by Dumb Security


On April 7, residents of Dallas, Texas struggled to get sleep as 156 of the city's hurricane warning system sirens sounded all in one shot, and it didn't stop at that: they were triggered another 15 times. Prior to this incident, I wrote a Smart City security Q/A op-ed for IT Pro Portal on what would keep a city leader up at night, and this was certainly one of those things, as the New York Times reported that the hurricane emergency warning system was hacked. Connected living and Smart Cities are here, and security concerns are building up faster than we can find solutions. As the MIT Technology Review outlines, "Researchers have been finding vulnerabilities in connected city hardware, from traffic signals to smart meters, for several years now. The concern is that as such infrastructure proliferates, with devices increasingly connected by the Internet of things, hackers will identify more flaws and use them to plunge whole cities into chaos."

Do you think you live in a connected or Smart City? Worried about your connected living security? Read more of my comments as I weigh in with Jamie Condliffe and the MIT Technology Review.

Preparing for Australia’s data breach notification legislation


Australia's Privacy Amendment (Notifiable Data Breaches) Act 2017 marks a milestone for information security legislation, but industry is still questioning the need for legal intervention.

Australia is not the first country to introduce strict breach notification laws, nor is it likely to be the last. To date, approximately 90 countries have introduced legislation or have existing laws for breach notification with varying degrees of strictness, enforcement and penalties. And yet data breaches still go undetected and unreported. The United States has approximately 47 states with separate breach notification laws and has yet to introduce a consolidated and unified law at the national level.

It's not a matter of strictness, breadth or depth that makes digital privacy and breach notification laws effective. In fact, the only way the effectiveness of breach notification and data privacy laws is measured is anchored on whether the legislation helped prevent breaches from happening in the first place. Measuring the effectiveness of legislation is a "fuzzy science" at best. Read my complete article featured in ComputerWorld.


Is the U.S. in a cyberwar now?


Recently I sat down with the Kim Komando Show to talk all things cyberwar and Russian hacking. As we engaged in our discussion we concluded it's likely the United States is under cyber attack right now, and no one knows exactly where some of the attacks are coming from. Take a listen to this Komando on Demand podcast as I weigh in with Kim Komando and Peter W. Singer on the evidence for these attacks and how they could lead to a much bigger war in the near future.

Listen to the podcast free via iTunes or on YouTube.


Super Bowl “Digital Deflategate” Is Not Just Air


When we think of large entertainment venues and events, it's not just ticket fees and concessions anymore. Sporting is entertainment, and this year's Super Bowl LI (51) is one of the most complex, technologically orchestrated events in the world, ranging from tablet-based playbooks to RFID wearable sensors on players sending real-time performance data and analytics to coaches and mobile apps. Supply chain attacks can affect virtually any industry that relies on complex IT infrastructure and data delivery networks. While we typically think of large retailers, this weekend's NFL event stands to be one of the most high-value targets for cyber criminals and other sophisticated attackers intent on mass disruption, manipulation and/or destruction. The third-party vendors involved in supporting the "game of all games" form one of the most complex interlocked networks imaginable. It's "mind bending" to think of the network of suppliers, each introducing unique vulnerabilities and cyber security issues into the overall infrastructure, resulting in "breach exposure windows" during a very compressed period of time when sponsors, vendors, broadcast networks and advertisers have hundreds of millions at stake.

Just days away from Super Bowl LI, I talked with Dan Stoller of Bloomberg BNA on the possibility that we may see a "national digital deflategate debate" if a major Super Bowl cyberattack were to happen. Let's face it, data has changed athletics and sporting to a point where game play is based on bioinformatics, data science and using technology to increase marginal gains for competitive advantage. It shouldn't be the amount of air in a ball that is scrutinized and debated; the real concern is a material breach of proprietary competitive data and intellectual property that lends an unfair advantage to teams in one of the only sporting entertainment events that owns its own day of the week. Read more as I weigh in with Bloomberg BNA.

Public sector ‘outgunned’ on ransomware


I just sat down with StateScoop's Jake Williams and the State of California's Chief Information Security Officer Peter Liebert to discuss all things ransomware. Take a listen to a preview of this edition of StateScoop's Virtual Roundtable series as I discuss emerging threats and what they mean for state and local governments across the country.

You can listen to the full virtual roundtable via SoundCloud here.


DubaiEye Radio – Rogue Drones Can Be Tackled by Smart Cities & IoT Security


Recently I sat down with DubaiEye Radio 103.8FM to talk all things IoT and Smart Cities cyber security. One area of particular interest was "rogue drones" and the recent havoc at airports causing massive flight and safety disruptions. The adoption of smart city/connected living technology across the United Arab Emirates (UAE) is the answer to rogue drones causing havoc at local airports: it brings the ability to monitor and detect the billions of IoT-connected devices, including internet-enabled drones.

Click below to listen to the interview and hear my thoughts on IoT, connected living and drones.

Here’s How Your Refrigerator Broke the Internet Last Week


Your refrigerator might have helped bring down the internet last Friday.

As many users noticed, shortly before last weekend a massive cyber-attack disrupted service to major websites ranging from the New York Times to PayPal and many more. The attack took place in three stages, all targeted at the Domain Name Services (DNS) company Dyn, Inc.

Dyn's business, domain name services, is often referred to as the roadmap of the internet. It's what translates URLs like into the 12-digit IP address at which websites reside. This isn't because IP addresses are secret (at time of writing, for example, this website's address was They're simply tough for human beings to remember. Read the full article here with my comments as I weigh in with TheStreet author Eric Reed.

THE DYN Attack – How IoT Can Take Down the “Global Information Grid” Backbone (Part I)


Imagine that you are driving through downtown New York City (NYC) and only relying on your GPS for directions. All of a sudden, the GPS stops working and you are stuck in mid-town Manhattan traffic during rush hour. If you have ever tried to drive in NYC, you know it’s easier to navigate a corn maze blindfolded than to attempt to navigate the complicated NYC streets.

A Domain Name System (DNS) is much like a GPS, in that DNS gets you from point A to point B online. While a GPS allows you to look up any destination in the world and find a path to that destination, DNS is your map, navigator, and transportation all rolled up in one, specifically for the internet. Behind every domain name is an intimidating-looking series of numbers called an internet protocol (IP) address (example: 172.217.0.XX), and it gets much worse with next-generation addresses, which may look something like 2606:2800:220:6d:26bf:1447:1097:XXX. The bottom line is that it's much easier to remember a name (i.e. Google dot com) than to commit to memory a series of random numbers for every destination on the internet. DNS is the foundation that translates the domain name you type into your browser into the correct IP address and routes your request to the right place in real time. It just works, but when it doesn't, it becomes one of the most disruptive roadblocks for the web.
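To make the name-to-address translation concrete, here is an added example (not code from the original post or from Dyn) that builds a DNS query in the RFC 1035 wire format, constructs the kind of response a resolver would get back, and parses the A (IPv4) and AAAA (IPv6) answers out of it. Everything runs offline: the name `www.example.com`, the addresses `203.0.113.10` and `2001:db8::1`, and the 300-second TTL are constructed sample values, and the `build_sample_response` helper stands in for the authoritative server the post describes.

```python
"""Minimal DNS wire-format encoder/decoder (RFC 1035) showing what happens
when a resolver turns a domain name into an IP address.  Added example with
constructed sample data; not the original article's code."""
import struct
import ipaddress

TYPE_A, TYPE_AAAA = 1, 28   # record types for IPv4 and IPv6 addresses
CLASS_IN = 1                # the Internet class


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Header (id, flags with RD=1, qdcount=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode a name at `off`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                     # refuse malformed pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes):
    """Return (txid, rcode, {name: [(type, ttl, address)]}) from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4                              # qtype + qclass
    answers = {}
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            addr = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            addr = str(ipaddress.IPv6Address(rdata))
        else:
            continue                          # other record types are ignored here
        answers.setdefault(name, []).append((rtype, ttl, addr))
    return txid, rcode, answers


def build_sample_response(query: bytes, records) -> bytes:
    """Stand-in for an authoritative server (constructed, not a real server):
    echo the question and answer with `records` = [(type, ttl, address)],
    naming each answer via a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = b""
    for rtype, ttl, addr in records:
        rdata = ipaddress.ip_address(addr).packed
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + body


def resolve_offline(name: str):
    """Round-trip a query through the constructed server and return the answers."""
    query = build_query(name)
    sample = [(TYPE_A, 300, "203.0.113.10"), (TYPE_AAAA, 300, "2001:db8::1")]
    _txid, _rcode, answers = parse_response(build_sample_response(query, sample))
    return answers.get(name, [])


if __name__ == "__main__":
    for rtype, ttl, addr in resolve_offline("www.example.com"):
        print(f"{'A' if rtype == TYPE_A else 'AAAA'} {addr} (ttl {ttl}s)")
```

The TTL carried in each answer is what kept many sites reachable for a while during the Dyn outage: recursive resolvers serve cached answers until the TTL expires, and only then must they reach the authoritative servers again.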

On October 21st, 2016, various media outlets reported multiple waves of Distributed Denial of Service (DDoS) attacks that targeted the New Hampshire-based DNS provider Dyn, which disrupted the company's ability to provide its subscribers with DNS services, resulting in massive issues for 17 of the top 100 most visited sites, such as Twitter, GitHub, Reddit, Airbnb, Spotify, SoundCloud, Netflix and PayPal. Read more here.

By Nick Murray and Peter Tran
