Andrew Storms

Rethinking Black Hat: Building, Rather Than Breaking, Security

By Andrew StormsNo doubt breaking things is fun. I remember back when I was 10 years old when
I took apart a squirrel cage fan, flipped some wires and so forth, and then
attempted to plug it back in. Good thing my mom stopped me seconds before I
was about to get a literal jolt of reality. These days, I still keep that
same inquisitive and maniacal mentality. Yes, I was the guy wearing an
assortment of makezine t-shirts at Black Hat, but I also often wore collared
shirts and a belt. Because I keep a foot in both of these worlds, I¹d
like to propose an adjustment to the security community.

Forget Epsilon, Fear the Angry Bird

By Andrew StormsNo doubt you read about the huge email security breach Epsilon announced earlier this month. You may have received letters from companies that use Epsilon services about the possible loss of your email information. A lot of people are justifiably concerned that spear phishing and other nefarious attacks will be launched against millions of people as a result of that breach.


By Andrew StormsExploit tools are the new point and shoot video games. If my grandma were alive, she could probably figure out how to install a Firefox plug-in and pwn all her nursing home friends on Facebook.  Unfortunately, you can¹t say it’s getting easier to protect yourself on the Internet. If anything, it’s getting much harder.

By Andrew StormsThe year was 2001. Code Red, the Microsoft Web Server worm was running rampant and underscored every security professional’s perception that Microsoft products were both a necessary evil and a serious security liability.

Fast-forward to nine years later. Microsoft products still contain more than a few nasty bugs, but the company is more likely to be considered a valued partner than a security liability by the security community.

By Andrew Storms
Two years ago I took some hard hits from my peers for calling the iPhone “a security nightmare.” Two years later, I can’t find a single person who doesn’t agree that the iPhone is the number one mobile target of security researchers.Fast forward to today: Is the iPhone still a security nightmare or have those problems been relegated to annoyance status?

Guest editorial by Andrew Storms
Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.

You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.

By Andrew Storms

Managing IT for a software company has its challenges.  For me, the lines between efficiency, security and innovation are difficult to draw at a company like nCircle where engineers require some freedom to perform their best.  The panelists at the RSA session “Responding to the ignored threat – Macs in the Enterprise” seemed to face the same kind of problems I do.

By Andrew Storms
The looming mobile malware threat of the past decade has yet to materialize. The reason for its lack of fruition, according to scientists, is due to geography and the lack of a dominant market shareholder.  However well done the math, the scientific study is flawed nonetheless.  “Understanding the Spreading Patterns of Mobile Phone Viruses” a new paper by 4 scientists fails take into account modern malware trends and operational knowledge of security vendors like those of antivirus companies.

By Andrew Storms

Transparency is a common theme in politics and Wall Street these days. The 2008 elections, dealings of TARP, financial institutions run a-muck are all places where we hear the word transparency bandied about on a daily basis. While many security professionals speak about transparency when it comes to information security, very few definitions fit the overarching idea of transparency. I believe that the time has come for information security professionals to both dig deeper and out of the idea of transparency to gain a better understanding of this concept.