5/25/2016
03:30 PM
Unsung (And Under-Sung) Heroes Of Security

You've heard of the cybersecurity rock stars, but there are plenty of other major contributors to the industry who deserve kudos. In celebration of Dark Reading's 10th anniversary, meet a few of these folks.

Even when it was tiny, the cybersecurity field had no shortage of big personalities. When the industry was altered by a new, outstanding piece of work, sometimes it would also herald the birth of a new security rock star (who might also be an outstanding piece of work).

Other times, the people who carried out tremendous feats go largely unrecognized by history, even as their work lives on. Brilliant discoveries and creations. Better ways of doing the same old thing. Or simply the support or mentorship someone needed to do those revolutionary things.

Here are just a handful of the people who've made big impacts on information security, who we feel haven't gotten quite enough credit from security professionals. Some of them we doubt you'll know. Others you may recognize, but we wouldn't call them "household names," not even if we counted only the nerdiest of homes.

However, you most definitely know their work. 

 

The Team That Discovered Cross-site Scripting

Back when most people in IT were obsessed with Y2K -- now just a sidebar in the history books -- a team of security researchers at Microsoft and elsewhere gave a name to something that would have a far longer, far darker life: cross-site scripting.

XSS is still a security nightmare, ranked number three on the latest OWASP Top 10 Web Application Vulnerabilities List. Although it's Microsoft Security Research that claims credit for picking the common name, there's a longer list of contributors who are officially credited in CERT's original advisory, which recorded the issue as "malicious HTML tags embedded in client Web requests." Credit goes to "Marc Slemko, Apache Software Foundation member; Iris Associates; iPlanet; the Microsoft Security Response Center, the Microsoft Internet Explorer Security Team, and Microsoft Research."

 

Jeff Forristal

If there is a vulnerability class that is perhaps more pernicious than cross-site scripting, it would have to be injection attacks -- currently reigning at number 1 on the OWASP Top 10. And the Big Daddy of them all, of course, is SQL injection.

The world learned about SQL injection in 1998 thanks to Jeff Forristal, then known more commonly as rain.forest.puppy. Forristal went on to be among the leaders in establishing "responsible disclosure" policies, and made his mark on everything from web apps to mobile and physical device security. He's now CTO of Bluebox Security.

 

Shari Steele, John Perry Barlow, John Gilmore, & The Whole EFF Crew 

All the way back in 1990, two concerned citizens -- Sun Microsystems employee John Gilmore and poet/essayist/lyricist/cattle rancher John Perry Barlow -- came to the legal aid of a man they felt was being wronged by the US Secret Service's electronic surveillance practices. From there, the Electronic Frontier Foundation (EFF) was born.

Since then, the attorneys and staff at EFF have made it their job to know the ins and outs of every technology, online privacy, cybersecurity, and surveillance law the world can throw at us. 

Shari Steele came on board early, serving as legal director for eight years, executive director for 15 years, and now as a board member. She led the way on some of the issues that hit infosec pros closest to home -- advising the US Sentencing Commission on sentencing guidelines for the Computer Fraud and Abuse Act and the National Research Council on US encryption policy.

 

Special Agent Elliott Peterson & The Rest Of The Operation Tovar Crew 

The disruption of CryptoLocker and the GameOver Zeus botnet in spring 2014 -- dubbed Operation Tovar by law enforcement -- was revolutionary, because it created a brand new model for the way organized cybercrime groups are taken down. 

It was remarkable for two reasons. First, law enforcement made it a higher priority to disrupt and dismantle the cybercriminals' infrastructure than to capture the criminals themselves; they made only one indictment. Second, it was an enormous collaborative effort between public and private entities in many countries.

Special Agent Elliott Peterson of the FBI was one key member of the team that led the operation, but certainly everyone involved in uniting the forces of good across 11 countries deserves accolades. 

 

John Reed & Citigroup's Executive Team In The Mid-90s 

You might have heard of Steve Katz, "the world's first CISO." But how about a shout-out for the people who had the idea of hiring him in the first place?

As Katz explained to Tom Field of Bank Info Security, he was working for JP Morgan in the mid-1990s when another financial services organization, Citigroup, experienced a security incident. (This was back when such things were taboo and kept very hush-hush.)

Citigroup CEO John Reed put together a committee of executives, which, according to Katz, realized that security was not just a technological issue but a business issue. They created the position of chief information security officer (CISO), and after months of interviews, Katz landed the job, with support from Citi that was "absolutely incredible."

 

The US Postal Service (!)

When sifting through applicants for new information security staff, employers often look for five letters: CISSP. 

ISC(2) created the CISSP certification back in the early 90s, but if it hadn't been for a timely influx of cash from the US Postal Service, it might never have survived to become what it is today. As Harold "Hal" Tipton explained in an ISC(2) interview

 

Carey Nachenberg

Hardly any security products have made it to "household name" status, but Norton Antivirus indubitably has. Norton's co-creator Carey Nachenberg -- now Symantec's senior-most engineer -- is also a name you should know.

In addition to Norton AV, Nachenberg conceived Symantec Insight, the industry's first reputation-based endpoint security tool. He also holds a whopping 85 patents.

Steve Christey Coley

Researchers love to dig up vulnerabilities -- tens of thousands of them. Left to themselves, vuln researchers might treat bugs much like kids treat toys -- have unreasonable arguments about whose were the coolest, then lose track of them entirely once they got a bit old.

Someone needs to bring order to this chaos, and create systems for prioritizing, rating, and cataloguing these bugs. Steve Christey Coley has been one of the foremost of these appsec entomologists. He was co-creator and editor of the Common Vulnerabilities and Exposures (CVE) list and chair of the CVE editorial board for 16 years. He was technical lead for CWE and the Common Weakness Scoring System, and an active contributor to related community-driven efforts like CVSS and CVRF.

Now taking on the next frontier in infosec challenges, Coley is a principal information security engineer at The MITRE Corporation, supporting the FDA's Center for Devices and Radiological Health efforts to improve medical device security. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...