
Vulnerabilities / Threats

5/25/2016 03:30 PM
Unsung (And Under-Sung) Heroes Of Security

You've heard of the cybersecurity rock stars, but there are plenty of other major contributors to the industry who deserve kudos. In celebration of Dark Reading's 10th anniversary, meet a few of these folks.

Even when it was tiny, the cybersecurity field had no shortage of big personalities. When the industry was altered by a new, outstanding piece of work, sometimes it would also herald the birth of a new security rock star (who might also be an outstanding piece of work).

Other times, the people who carried out tremendous feats go largely unrecognized by history, even as their work lives on. Brilliant discoveries and creations. Better ways of doing the same old thing. Or simply the support or mentorship someone needed to do those revolutionary things.

Here are just a handful of the people who've made big impacts on information security, who we feel haven't gotten quite enough credit from security professionals. Some of them we doubt you'll know. Others you may recognize, but we wouldn't call them "household names," not even if we were only counting the nerdiest of homes.

However, you most definitely know their work.

 

The Team That Discovered Cross-site Scripting

Back when most people in IT were obsessed with Y2K -- now just a sidebar in the history books -- a team of security researchers at Microsoft and elsewhere gave a name to something that would have a far longer, far darker life: cross-site scripting.

XSS is still a security nightmare, ranked number three on the latest OWASP Top 10 Web Application Vulnerabilities List. Although it's Microsoft Security Research that claims credit for picking the common name, there's a longer list of contributors who are officially credited in CERT's original advisory, where the issue is recorded as "malicious HTML tags embedded in client Web requests." Credit goes to "Marc Slemko, Apache Software Foundation member; Iris Associates; iPlanet; the Microsoft Security Response Center, the Microsoft Internet Explorer Security Team, and Microsoft Research."

 

Jeff Forristal

If there is a vulnerability class that is perhaps more pernicious than cross-site scripting, it would have to be injection attacks -- currently reigning at number 1 on the OWASP Top 10. And the Big Daddy of them all, of course, is SQL injection.

The world learned about SQL injection in 1998 thanks to Jeff Forristal, then known more commonly as rain.forest.puppy. Forristal went on to be among the leaders in establishing "responsible disclosure" policies, and made his mark on everything from web apps to mobile and physical device security. He's now CTO of Bluebox Security.

 

Shari Steele, John Perry Barlow, John Gilmore, & The Whole EFF Crew

All the way back in 1990, two concerned citizens -- Sun Microsystems employee John Gilmore and poet/essayist/lyricist/cattle rancher John Perry Barlow -- came to the legal aid of a man they felt was being wronged by the US Secret Service's electronic surveillance practices. From there, the Electronic Frontier Foundation (EFF) was born.

Since then, the attorneys and staff at EFF have made it their job to know the ins and outs of every technology, online privacy, cybersecurity, and surveillance law the world can throw at us.

Shari Steele came on board early, serving as legal director for eight years, executive director for 15 years, and now board member. She led the way on some of the issues that hit infosec pros closest to home -- advising the US Sentencing Commission on sentencing guidelines for the Computer Fraud and Abuse Act and the National Research Council on US encryption policy.

 

Special Agent Elliott Peterson & The Rest Of The Operation Tovar Crew

The disruption of CryptoLocker and the GameOver Zeus botnet in spring 2014 -- dubbed Operation Tovar by law enforcement -- was revolutionary, because it created a brand new model for the way organized cybercrime groups are taken down.

It was remarkable for two reasons. First, law enforcement made it a higher priority to disrupt and dismantle the cybercriminals' infrastructure than to capture the criminals themselves; they made only one indictment. Second, the effort was an enormous collaboration between public and private entities in many countries.

Special Agent Elliott Peterson of the FBI was one key member of the team that led the operation, but certainly everyone involved in uniting the forces of good across 11 countries deserves accolades.

 

John Reed & Citigroup's Executive Team In The Mid-90s

You might have heard of Steve Katz, "the world's first CISO." But how about a shout-out for the people who had the idea of hiring him in the first place?

As Katz explained to Tom Field of Bank Info Security, he was working for JP Morgan in the mid-1990s when another financial services organization, Citigroup, experienced a security incident. (This was back when such things were taboo and kept very hush-hush.)

Citigroup CEO John Reed put together a committee of executives, which, according to Katz, realized that security was not just a technological issue but a business issue. They created the position of chief information security officer (CISO), and after months of interviews, Katz landed the job, with support from Citi that was "absolutely incredible."

 

The US Postal Service (!)

When sifting through applicants for new information security staff, employers often look for five letters: CISSP.

ISC(2) created the CISSP certification back in the early 90s, but if it hadn't been for a timely influx of cash from the US Postal Service, it might never have survived to become what it is today. As Harold "Hal" Tipton explained in an ISC(2) interview

 

Carey Nachenberg

Hardly any security products have made it to "household name" status, but Norton Antivirus indubitably has. Norton's co-creator Carey Nachenberg -- now Symantec's senior-most engineer -- is also a name you should know.

In addition to Norton AV, Nachenberg conceived Symantec Insight, the industry's first reputation-based endpoint security tool. He also holds a whopping 85 patents.

Steve Christey Coley

Researchers love to dig up vulnerabilities -- tens of thousands of them. Left to themselves, vuln researchers might treat bugs much like kids treat toys -- have unreasonable arguments about whose were the coolest, then lose track of them entirely once they got a bit old.

Someone needs to bring order to this chaos, and create systems for prioritizing, rating, and cataloguing these bugs. Steve Christey Coley has been one of the foremost of these appsec entomologists. He was co-creator and editor of the Common Vulnerabilities and Exposures (CVE) list and chair of the CVE editorial board for 16 years. He was technical lead for CWE, the Common Weakness Enumeration, and an active contributor to related community-driven efforts like CVSS and CVRF.

Now taking on the next frontier in infosec challenges, Coley is a principal information security engineer at The MITRE Corporation, supporting the FDA's Center for Devices and Radiological Health efforts to improve medical device security.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...