Dallin Warne

Clarifying Technical Obfuscation

US Ski and Snowboard Association Riddled with Vulnerabilities, Hacked Website

The UtahCyberCheck project found the US Ski and Snowboard Association (USSA) puts the data of tens of thousands of its members at risk and violates its terms of use and privacy policy by using software with critical vulnerabilities and running at least one hacked website. The association, despite multiple attempts to contact them, has ignored reports about these serious issues. (UPDATED to reflect new developments.)

Continue reading

Utah Cyber Check: The Small Picture

As a security professional, I keep tabs on industry news especially when it pertains to education and government organizations. Regularly there are breaches announced by these types of institutions usually right after ransomware hits a county office or a university suddenly shuts down most of its servers to stop malware from infecting everything.

I have sympathy for small shops trying to do the best they can and commend them for doing remarkably well given their constraints. That’s one reason why I’m giving my time. But the IT and internet climate is changing, and these organizations need to adapt. It is no longer sufficient to rely on a small local staff to handle the cybersecurity challenges that even the largest companies and governments struggle with.

One dominating characteristic of municipalities and education that contributes to their security posture is their small size. Smaller sizes means they have a smaller internet presence, which means a smaller attack surface. There is a smaller chance an attacker will be able to get a foothold. Think of it like shopping for a special grocery item such as soy sauce. A supermarket is practically guaranteed to have it (hopefully in stock), but you could got to half a dozen small convenience stores and still not find it. If a hacker is looking for particular system to attack, they could try dozens of cities or schools and still not find any that use that system.

On the other hand, the small size means there is no dedicated professional security staff. There are a few IT employees who are good at keeping the computers running, but don’t have the time and expertise to adequately protect those systems. Security takes a back seat if thought about at all. When someone does take advantage of a vulnerability (and they will), it’s highly likely to go undetected unless the effects are visible such as a defaced website or ransomware attack.

It is my intention to raise awareness of the current situation in a responsible way that will lead to change and improvement. At the very least, I hope people will acknowledge there is a problem.

You can read the original announcement of my project to highlight deficiencies in local government and education.

« Older posts

© 2020 Dallin Warne

Theme by Anders NorenUp ↑

css.php