Blog - Author Posts

Gal Shpantzer, Contributing Analyst

Gal Shpantzer has 12 years of experience as an independent security professional and is a trusted advisor to CSOs of large corporations, technology and pharma startups, Ivy League universities and non-profits/NGOs specializing in critical infrastructure protection. Gal has been involved in multiple SANS Institute projects, including co-editing the SANS Newsbites, revising the E-Warfare course and presenting SANS@Night talks on cyberstalking, CAPTCHAs and endpoint security. In 2009, he founded and led the privacy subgroup of the NIST Smart Grid cybersecurity task group, resulting in the privacy chapter of NIST IR 7628. He is a co-author of the Managing Mobile Device Security chapter in the 6th ed. Vol 4 of the Information Security Management Handbook (2010) with the late Dr. Eugene Schultz. Gal collaborated with Dr. Christophe Veltsos to present the ongoing Security Outliers project, focusing on the role of culture in risk management at RSA, CSI, BSides and Baythreat conferences. Most recently, he was involved as a subject matter expert in the development of the U.S. Department of Energy’s Electric Sector Cybersecurity Capability Maturity Model (ESC2M2) in 2012. Gal is currently involved in the Infosec Burnout research project and co-presented on this topic at BSides-Las Vegas (2011) and RSA (2012).

He was completely unable to add humorous tone to his bio, and is thus suffering the editorial consequences. Gal can be reached at gshpantzer (at) securosis (dot) com.

Walled Garden Fail

By Gal Shpantzer
Mailbox is a very popular replacement mail app for iOS that apparently auto-executes JavaScript in incoming emails, according to a post by Italian security researcher Michele Spagnuolo (@MikiSpag). Jeremiah Grossman summarized it best: “XSS to account takeover.” Think about it – this app auto-executes any JavaScript received via email. Oops. I emphasize that this is not Apple’s Mail app included with iOS – it is a third-party app called Mailbox in Apple’s App Store. Initially, I thought, hey, they’ll fix it soon – they just got a public report on it from Spagnuolo’s blog. But Michele has updated

Project Communications

By Gal Shpantzer
A note on project management: One client was quite disappointed with me for not showing progress as I went along and said “Fast iteration is better than delayed perfection,” while another client was mad at me because “you’re trickling again” – showing progress but not a finished product (a.k.a. delayed perfection)… A gentle smack upside the head: ask clients how they prefer to deal with project communications! They know what they want and how they want it, and you’d better RECOGNIZE. Note from Rich: In my consulting days I always tried to feel out the client and

LinkedIn Rides the Two-Factor Train

By Gal Shpantzer
Just last week we mentioned the addition of two-factor authentication at Evernote; then LinkedIn snuck a blog post on Friday, May 31st, telling the world about their new SMS authentication. We are glad to see these popular services upgrading their authentication from password-only to password and SMS. It’s not hacker-proof – there are ways to defeat two-factor – but this is much better than password-only. Here’s the skinny on the setup: Log into the LinkedIn website and on the top right, under your name, you’ll see Settings. Click that, and on the bottom left you’ll see Account. Click

Evernote Business Edition Doubles up on Authentication

By Gal Shpantzer
Joining the strong(er) authentication craze (which we enthusiastically support), along with recent entrants Twitter and Amazon Web Services, Evernote is now including two-factor authentication and access logging for its business edition. Two steps in the right direction for security. I expect to see a growing trend of many more of these types of services including security features like this in their paid versions as a valuable upgrade from their freeware.

Wendy Nather abandons the CISSP—good riddance

By Gal Shpantzer
Mood music: Abandono by Amalia Rodrigues… Wendy blogged about not renewing her CISSP. I never had one myself, but as Wendy said it is much less important if you’re not going through the cattle call HR process, which is majorly gebrochen in infosec… but that’s another post. I suppose a CISSP might be useful for people starting out in security, who need to prove that they’ve actually put in a few years at it and know the basics. It’s a handy first sorting mechanism when you’re looking to fill certain levels of positions. But by

Some (re)assembly required

By Gal Shpantzer
Japanese Coast Guard ship (indirectly) sold to North Korea: “The vessel was sold in a state in which information regarding operational patterns of the patrol vessel could have been obtained by some party,” an official told the paper. “We were on low security alert at that time.” That is certainly not the case these days, with heightened tensions on the Korean peninsula and the Japanese coast guard regularly involved in patrols around the disputed Diaoyu (Senkaku) islands. Like hardware, data has a lifecycle. Eventually you will need to dispose of the data and/or the device that stores/processes/transmits