Chris Wysopal

Ten Years After, the Attackers Have Taken the Lead

By Chris Wysopal
In the days following 9/11 we heard alarmist warnings of a coming wave of cyberterrorism. In the early days of the war in Afghanistan, when an Al Qaeda computer was found, it was treated as evidence that terrorists knew how to use computers so therefore they would soon be sending worms to shut down or blow up our power plants. During that time I was interviewed on a CNN talk show describing what a terrorist might be doing with a computer that was found to have computer-aided design (CAD) software on it. I said it might be used to figure out the best place to plant a bomb to cause the most damage to a structure. This wasn’t cyberterrorism. It was using the computer as an engineering tool. Somehow this got lost by the host of the show who kept on plugging away that cyberterror from Al Qaeda was coming soon. That never materialized and in the last 10 years I don’t think there have been any documented cases of cyberterrorism.

The Pitfalls of Website Vulnerability Research and Disclosure

By Chris Wysopal
Vulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions against vulnerability researchers in “Computer Experts Face Backlash”.

A Cyberwarfare Reality Check

By Chris Wysopal, Veracode
Let’s take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn’t going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then target these DDoS armies at whoever they choose and are able to shut down their networks.