It’s amazing how you write one article about 25 infosec gurus making stupid security mistakes, and then you get infosec gurus coming to you voluntarily to tell you their mistake.
Such was the case of Adam Shostack (@adamshostack), co-author of “The New School of Information Security,” who told me the story of how his blog got PWNED because he forgot to update his blog statistics package. This little slip resulted in his site getting taken over as a botnet command and control server. Ouch.
Shostack wanted to tell his story because he felt the article on security mistakes was important for the entire industry. Often in security there’s an attitude that I’m a professional and we don’t make mistakes, said Shostack. But that’s not possible. We’re all human and we have to make mistakes. As I was interviewing Shostack, he admitted it was tough to talk about his blunder, especially on camera.
With all the talk of the security buzzwords, so much of security comes down to important human basics that can cause problems on their own. And those alone can have an enormous impact, said Shostack.
In the end, Shostack did learn from his mistake. He now patches his software, password-protects it, and he’s put himself on an announcement list for all his software so he’ll always know about the latest updates.
Stock photo of “Duh” sign courtesy of Shutterstock.