A Summary of the Equifax Hack and What to Do Next

What Happened?

Last Thursday, Equifax disclosed an information security breach that compromised personal information on approximately 143 million people in Canada, the United Kingdom, and the United States. The compromised data included:

  • Social Security Number (SSN)
  • Date of Birth (DoB)
  • Address
  • Driver’s License (DL) Number

The breach also disclosed the Credit Card (CC) Primary Account Number (PAN) for 209,000 people. Another 182,000 people suffered the compromise of their Personally Identifiable Information (PII). [1] [2]

So What?

This is a Big Deal™ because Equifax is one of the three primary credit reporting companies in the United States and drives the credit reporting industry and this breach affects 45% of the U.S. population. Given the volume and sensitivity of the data involved, this is one of the most significant breaches in the last 5 years. [3] [4]

As a result, you or someone you know is probably affected by the breach.  This increases the chances of becoming a victim of identity theft because Equifax collects the following information to create your credit report [6]:

  • Name
  • Address
  • SSN
  • Financial account numbers
  • Credit agreement details
  • History of when and how you pay your bills
  • Amounts you owe
  • Types and lines of credit
  • How much credit you have available
  • Inquiries into your credit over the past 2 years
  • Delinquency status of your accounts
  • Collection information
  • Public records

What Should I Do?

A breach of this magnitude and scope can be overwhelming if you think about it too much. The good news is that you can take steps to limit its impact on you and your family. Here are steps you can take immediately to avoid falling victim:

  1. See if you are affected using the Equifax Cybersecurity Incident & Important Consumer Information web page. There has been some discussion regarding the accuracy of the results, but it is a good place to start. [5]
  2. Use the Equifax page above to keep an eye on the situation.
  3. Check your accounts for unusual activity.
  4. Consider implementing a credit freeze. You can learn more from the Federal Trade Commission.
  5. File taxes as soon as possible to avoid fraudulent submissions.
  6. Use 2-Step authentication whenever possible. This is usually done through a one-time PIN sent via text message.
  7. Be extra vigilant for phishing attacks and other scams.
  8. Enroll in an independent credit and identity monitoring service. Here is a good assessment of the offerings available.


[1]     Equifax, Inc., "Cybersecurity Incident & Important Consumer Information," 9 September 2017. [Online]. Available: https://www.equifaxsecurity2017.com/potential-impact/. [Accessed 11 September 2017].

[2]     M. Nunez, "Everything you need to know about the massive Equifax data breach," Mashable, 9 September 2017. [Online]. Available: http://mashable.com/2017/09/08/everything-you-need-to-know-equifax-hack/#tFkncQmf7kqd. [Accessed 11 September 2017].

[3]     T. Seals, "Equifax Breach , Affecting 45% of US Population, Raises Big Questions," Infosecurity Magazine, [Online]. Available: https://www.infosecurity-magazine.com/news/equifax-breach-affecting-45-raises/. [Accessed 11 September 2017].

[4]     Information is Beautiful, "World's Biggest Data Breaches," 10 September 2017. [Online]. Available: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/. [Accessed 11 September 2017].

[5]     B. Krebs, "Equifax Breach Response Turns Dumpster Fire," Krebs on Security, 8 September 2018. [Online]. Available: https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/. [Accessed 11 September 2017].

[6]     D. Moogalian, "How Does Equifax Get the Information for My Credit Report?," 8 October 2012. [Online]. Available: https://blog.equifax.com/credit/how-does-equifax-get-the-information-for-my-credit-report/. [Accessed 11 September 2017].

[7]     D. Eitelbach, "Best Identity-Theft Protection 2017," Tom's Guide, 8 September 2017. [Online]. Available: https://www.tomsguide.com/us/best-identity-theft-protection,review-2083.html. [Accessed 11 September 2017].

[8]     L. Myers, "Equifax breach: 5 defensive steps to take now," Sophos, Inc., 11 September 2017. [Online]. Available: https://www.welivesecurity.com/2017/09/11/equifax-breach-5-defensive-steps/. [Accessed 11 September 2017].

[9]     L. Spitzner, "Awareness Officers - What to Communicate About the Equifax Hack," SANS Awareness Blog, 8 September 2017. [Online]. Available: https://securingthehuman.sans.org/blog/2017/09/08/awareness-officers-what-to-communicate-about-the-equifax-hack. [Accessed 11 September 2017].

[10]     E. Price, "What to Do If You Were Affected by the Equifax Hack [Updated]," Lifehacker, 10 September 2017. [Online]. Available: http://lifehacker.com/what-to-do-if-you-were-affected-by-the-equifax-hack-1803081696. [Accessed 11 September 2017].

[11]     P. Wagenseil, "What to Do After a Data Breach," Tom's Guide, 08 September 2017. [Online]. Available: https://www.tomsguide.com/us/data-breach-to-dos,news-18007.html. [Accessed 11 September 2017].

Thoughts on Fiat Chrysler's Patching Dilemma

I am the INFOSEC Hipster.  

I am the INFOSEC Hipster.  

Hi, my name is Aaron and I'm an INFOSEC hipster.  I was worried about the security of our increasingly connected cars back in 2013, which is waybefore it was cool to be worried about such things.  Someone fetch me some thick, black framed glasses and a PBR while I configure my retro NFR IDS.  While you're doing that, let's take a look at Fiat Chrysler's situation and their options.

Auto safety regulators have hit Fiat Chrysler with a $105 million fine and a 1.4 million vehicle recall.  This is their reward for being first car company to have a remotely exploitable software vulnerability affecting the operation of its vehicles released to the public.  As an added reward, they get to blaze the trail for fixing this kind of error and current reports suggest their remediation strategy isn't firing on all cylinders.  Let's take a look at the options they offer according to a ZDNet Report:

  1. Drive to a dealer and have them install the update
  2. Download an update to a flash stick and install yourself
  3. Request Chrysler send the owner a flash stick with the update and install yourself

Over the air updates would be the best solution but they are not an option.  I'm uncertain of the constraints preventing this.  Given the three options above, which is the next best thing?  I'd recommend taking it into the dealer for an update.  While this is a hassle, you have a reasonable expectation that the software is legit and the mechanic is certified to click the "Next" button in the proper sequence.  If something goes wrong, it's clear where the responsibility lies.  You can treat it just like any other recall-related service.

The other two options are interesting but they give me a little pause.  These options provide convenient social engineering vectors.  It would be very easy for someone to spoof the Fiat Chrysler web site and send you a trojaned version of the software update.  Similarly, sending a bunch of USB sticks claiming to be from Chrysler but containing backdoor software and keyloggers would be a low tech, but great way to compromise a lot of systems.

Fiat Chrysler needs to consider how it will authenticate the software it sends out to the DIYers.  For the "Download from the Internet" option, SSL certificates for the site are a good start.  Making the update available only to users that have registered and logged on to a web site would be a good next step.  Finally, I think you'd want to follow up with hash values for the update package.  You might need to provide a YouTube video or similar to help people understand what the hash does and why it's important.

For the "Wel'l send you a USB stick in the mail" option, Fiat Chrysler would have to make it clearly an Opt-In choice.  Their customers would log on to a SSL-authenticated web site and request the USB stick.  Fiat Chrysler might also want the users to pick code word or unique image of their choosing to include in a letter accompanying the USB stick.  This would help the customer get comfortable that the USB stick is actually from Chrysler and not a social engineering attack.

That's my take on the situation.  Rather than throw stones at the first guys in the chute, let's help them figure out how to solve the problem effectively and securely.  Let's be clear: Fiat Chrysler is just the first car maker with a big public vulnerability.  They are not the only one.  Get ready to see more of this kind of thing in the future.

What options have I missed?  How would you do it differently?

Is doxing a solution to bullying?

I found this story this morning: Twitter troll fired, another suspended after Curt Schilling names and shames them To summarize, Curt Schilling's daughter was accepted to Salve Regina University where she will be the pitcher for the softball team.  Great stuff any proud dad would tweet.  Then the troll problem emerged with snarky comments escalating to threats of rape and other assorted nastiness.  Mr. Schilling responded by tracking down the most egregious offenders, finding their real names, schools, and residences.  Then he called them out, by name, online.  He basically doxed them.  This resulted in many of the offenders being suspended from school and/or sports teams.

This caused my head to explode a little.  First off, as the father of a daughter, my emotional reaction is that those trolls need to be strung up by their testicles and punched in the throat.  Repeatedly.  Secondly, my perspective as an INFOSEC guy chimed in.  One guy, who is presumably not a techie, just doxed a bunch of people and derailed their school and sports careers pretty significantly.  How do the ethics of this situation sort themselves out?  I'm not entirely certain.

Here are my observations:

  1. This doxing attack was pretty effective.  The interesting question is how much did Curt Schilling's fame amplify the success?  Would I have similar results?
  2. I checked out his Wikipedia Page.  Other than founding a software gaming company, he doesn't have much tech cred. I'm sure he is a bit more savvy than the typical user, but probably not by much.  Given this experience, he was able to track down the real identities of previously unknown people.  Think about that for a minute.
  3. Reputation is simultaneously powerful and fragile, especially now.  What are we doing to secure it as individuals and as organizations?
  4. I'm not a lawyer, but Schilling's actions don't seem to be slanderous or libelous.  However, could there be legal liability on his part for calling out these trolls?

I don't have any answers in this post.  Mostly I just wanted to get these thoughts out of my head and process them a bit.  What do you guys think?

MasterCard and Visa to end password authentication

This is an interesting article: MasterCard and Visa to end password authentication Biometrics are starting to go mainstream as a means of authentication.  My one word of warning to anyone looking at biometrics as a form of authentication is to consider a "proof of life" requirement for biometric authentication.  If the stakes are high enough, there are many people who would not think twice about cutting off your finger to get to your bank account. If you think I'm exaggerating, I urge you to consider the problems of human trafficking, organ trafficking, and genocide.  Cutting off a finger is small potatoes compared to that stuff.

On a less gory note, it has become clear to me that single-factor authentication is no longer sufficient.  You might be able to make a case for it in low stakes environments, but multi-factor is the way to go anytime your identity, cash, or reputation is involved.  Google and Apple have multi-factor authentication and you should use it.  Yes, two-factor authentication can be a bit of a hassle.  However, that hassle is nothing compared to the hassle of removing a fraudulent charge from your credit card, loosing your checking balance through your debit card, or trying to clean up your reputation after your identity has been stolen. I see two-factor authentication as a Time Asset in the larger perspective.  I think you should consider it as such also.

Feel free to argue in the comments.

Some Brief Thoughts on Logging

I found this article in my news feed this morning: Why PCI Will Issue Log Monitoring Guidance I tried tweeting it but could not properly rant in 144 characters or less so here we are on the blog. This article brings up two very important aspects of information security management.  The first one is log monitoring.  You gotta log. But more importantly, you gotta look at the logs and figure out what they are telling you.  Log analysis can be tricky mostly because of volume.  The signal to noise ratio can be pretty low even if you use a Security Information and Event Management (SIEM) system.  It can be a little like a shaman reading the entrails of some unfortunate goat, but in this case the shaman is your incident responder, the goat is a network node, and its entrails are a syslog file.  (Perhaps not one of my best analogies but we're going with it.)

I'm not a log analysis expert but know enough to be dangerous.  Here are some things to keep in mind when looking at the logs:

  1. Keep a copy of critical logs on a remote system.  The bad guys will cover their tracks and deleting or editing logs is one of the ways they do it.
  2. Logs will be helpful in detecting blatant attacks.  If you get popped with a Metasploit attack, your IDS/IPS or firewall will probably detect it and log it.  New member of the Admin group added?  Probably in your logs.
  3. Logs will be less helpful in detecting pivots within your network after initial compromise.  The bad guys use the same tools to connect to remote systems and manipulate data as you do.  Your log analysts will have to have a good idea of what normal for your network looks like.  Poaching guys and gals from the server and network teams can provide some very insightful log analysts and incident responders.
  4. Get a SIEM if you can afford it.  It will automate your process and act as a good filter when properly configured.  (EDITOR'S NOTE: Continuous and proper configuration is not a trivial process.) *
  5. Establish a dedicated team to check the logs and respond to events.  Full FTEs would be ideal, but you can make do with a couple of partials and a solid process.  If you can't do either of those, look into a Managed Security Service Provider (MSSP) to do the work for you. *

The second issue the article discusses is vendor management, which I'll leave on the table for now.  It deserves its own rant.

* Reach me via private message on LinkedIn if you want some pointers on vendors I've had good luck with in the past.  

Marketing and Public Relations: Social Engineering on an Industrial Scale

I stumbled across this article this morning in my Twitter feed: Richard Berman Energy Industry Talk Secretly Taped (Hat tip to Phil Plait AKA @BadAstronomer) The ethics of the actions described are certainly up for debate.  That's not what I want to ponder with you this morning.  What I do want to ponder is how the ven diagram looks for Social Engineering, Marketing, and Public Relations.  I think it looks kinda like this when you look at everything at the same scale:

You can see I think that there is a ton of overlap among these skill sets when you adjust for scale.  Social engineering is generally a targeted activity, e.g. spear phishing or pretexting phone call. However, regardless of scale, the objective of all three areas is the same: Influence someone to do or believe something that benefits another.

So what does that mean for information security professionals?  I think it means that as we draft our strategies to defend against social engineering attacks we need to make sure that the Marketing and PR Departments have a seat at the table.  Make friends with those folks.  Understand how they go about influencing the masses to purchase the goods and services your organization offers.  Then consider how you would use those techniques to sell malware or elicit information from a single target rather than a larger population.

Let me know what you think in the comments.

Thoughts on the CurrentC Hack and Active Defense

According to this article, it looks like CurrentC has suffered a compromise of some sort during its testing phase.  From the article:

MCX spokeswoman Linda Walsh said the CurrentC application itself was not impacted, and many of the email addresses were for dummy accounts. An investigation is underway and merchants in the consortium with compromised email addresses have been notified.

This got me thinking about active defense techniques we can use even before an application goes to production.  If we use some honeypot-like technology or use some dummy identities while in a pilot mode, we might be able to ferret out the attack techniques that will ultimately be used against the production version of the product.  Even more interesting, perhaps we can seed the content with some beacons to show us where the bad guys are coming from.  The fine folks at Black Hills Information Security offer the Active Defense Harbinger Distribution (ADHD) with some nifty tools to do this.

As with all things related to active defense and honeypots, talk to your legal team before taking action on active defense.  However, this kind of activity in non-production environments could provide some useful intel.

Has anyone tried this or discussed doing it at their organization?  How did it go?

PS - Looks like it's been about a year since my last post.  It's been especially hectic for me over the past year.  I'm hoping to do more blogging but they will mostly be short quick hits like this one.  

The Week That Was - 2013.11.25

I'm trying a slightly different format this week.  The article titles I'm discussing are hyperlinked titles introducing the commentary.  I think this breaks it up a little better and lets you pick and choose more easily.  Let me know if you have an opinion one way or the other. This week we discuss Cryptolocker and how to defend against it.  The Register discusses your privates.  A journalist convinces random people he is clairvoyant.  (And he sorta is but needs Instagram to make it happen.)  We get to see which Cloud providers have a handle on data encryption.  And last but not least, we talk about the other operating system on your smartphone.

CryptoLocker: What is it? And how do you protect against it?

CryptoLocker seems to be one of the more successful pieces of malicious code we've seen in some time, at least from a publicity perspective.  I found that there is a decent number of non-INFOSEC people asking questions about it and how should the protect themselves.  I've pieced together the blurb below to help raise awareness.  Feel free to copy and paste if you find it useful.  I just ask that you give me attribution credit/blame and a link back to this post.

Some of you might have heard about CryptoLocker over the past several days. It is a piece of malicious code that encrypts your files and holds them for ransom. This article gives a solid overview that’s easy to understand even if you are not a technical person. The highlights include:

  • CryptoLocker most frequently arrives as an email attachment
  • It encrypts many of your important files like Word, PowerPoint, Excel, and pictures
  • Requires a ransom paid in Bitcoins (Virtual Currency) or MoneyPak (Cash Card)

If you get hit with CryptoLocker, you best defense is having your files backed up ahead of time. You are probably covered at work, but you are on your own at home. Use File History Backup on Windows or TimeMachine on a Mac. Other services you might look into include BackBlaze and Carbonite, for a monthly fee.

For the cost of an external hard disk and a fancy cup of coffee each month, you can protect yourself against Cryptolocker, floods, fires, and accident-prone friends and relatives.  Backup is like insurance. You hope you never need it, but are really glad you have it when things go south.

UPDATE: Encrypt the Web Report: Who's Doing What

Cloud-based services are increasingly common in business process. There is a lot of advantage and agility to be gained through the use of Cloud services. However, we make a tradeoff for these advantages. That tradeoff is ceding direct control of data, where it’s stored, how it’s shared, and potentially how it’s used. The Electronic Frontier Foundation has a great report on what the major Cloud providers are doing to protect data when it is stored on their respective Clouds. This assessment focused on how vendors encrypt the data entrusted to them. Dropbox, Facebook, Google, Sonic.net, and SpiderOak all have the encryption aspect well in hand. Other providers are still grappling with the problem. Check out the chart in the article for more detail. Organizations must consider these factors and more as they decide how to embrace Cloud technology.

 Social Media Experiment

Do you use social media? Many of us do, but don’t realize exactly how much we share. On the surface you might think that the only people interested in your Instagram account would be friends and relatives. That’s a bad assumption. Watch this video and then think about what you’ve been sharing and with whom. While you’re at it, go check out your organization's social media policy to make sure you are staying on the right side of the law.


Stolen CREDIT CARD details? Nah... crooks desire your PRIVATES

First off, I don’t make the headlines. I just share them. Direct any concerned comments regarding the headline to John Leyden at The Register. However you feel about this headline, Mr. Leyden has some interesting insight into what makes the world of hacking go round. Not to spoil the surprise or anything, but money is what makes it go. (See earlier article about CryptoLocker.)

I find the underground economy fascinating.  I think I can make a good argument that it is the closest approximation of a perfect market theoretical economists fantasize about.  There is zero regulation, equitable costs of market entry and exit, and some of the most well-informed consumers available.  As INFOSEC professionals, it might be sensible to go make friends with an economist and chat about creative ways we could wreck this perfect market.  Wrecking the economic drivers might be more effective than any technology, policy, or user education problem we can devise.  Discuss.

The second operating system hiding in every mobile phone

The gist of this article is that your phone has an operating system in addition to Android, iOS, or Windows. It’s an operating system that runs the radio and all the core functions needed to communicate on the wireless network. Unfortunately, many of these operating systems were developed in the 90s when security was not a consideration. With the right tools and a little time, security researchers have found ways to exploit these second operating systems to take control of your phone. No indication on how easy this is to do or how wide spread it is.

 Link Dump

[1]  G. Burnison, “2014: A ‘New’ War for Talent,” LinkedIn, 19-Nov-2013. [Online]. Available: http://www.linkedin.com/today/post/article/20131119001515-281874400-2014-a-new-war-for-talent. [Accessed: 19-Nov-2013].

[2]  A. Newitz, “All the leaked NSA documents, rounded up into one place,” io9, 20-Nov-2013. [Online]. Available: http://io9.com/all-the-leaked-nsa-documents-rounded-up-into-one-place-1468650331. [Accessed: 21-Nov-2013].

[3]  Q. Hardy, “Amazon Bares Its Computers,” Bits Blog, 15-Nov-2013. [Online]. Available: http://bits.blogs.nytimes.com/2013/11/15/amazon-bares-its-computers/. [Accessed: 19-Nov-2013].

[4]  M. Riggs, “An Ex-Cop’s Guide to Not Getting Arrested,” The Atlantic, 07-Nov-2013. [Online]. Available: http://www.theatlanticcities.com/politics/2013/11/ex-cops-guide-not-getting-arrested/7491/. [Accessed: 20-Nov-2013].

[5]  B. X. Chen, “Carriers Reject a ‘Kill Switch’ for Preventing Cellphone Theft,” Bits Blog, 19-Nov-2013. [Online]. Available: http://bits.blogs.nytimes.com/2013/11/19/carriers-reject-a-kill-switch-for-preventing-cellphone-theft/. [Accessed: 20-Nov-2013].

[6]  L. Vaas, “‘Catch me if you can’, alleged burglar posts on Facebook - so they did, in 5 minutes,” Naked Security, 22-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/22/catch-me-if-you-can-alleged-burglar-posts-on-facebook-so-they-did-in-5-minutes/. [Accessed: 22-Nov-2013].

[7]  G. Cluley, “CryptoLocker: What is it? And how do you protect against it?,” Graham Cluley, 18-Nov-2013. [Online]. Available: http://grahamcluley.com/2013/11/cryptolocker-protect/. [Accessed: 18-Nov-2013].

[8]  B. Krebs, “Cupid Media Hack Exposed 42M Passwords,” Krebs on Security, 20-Nov-2013. [Online]. Available: http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/. [Accessed: 20-Nov-2013].

[9]  M. Mimoso, “EFF Scorecard Shows Crypto Leaders and Laggards,” Threatpost - English - Global - threatpost.com, 20-Nov-2013. [Online]. Available: http://threatpost.com/eff-scorecard-shows-crypto-leaders-and-laggards/102987. [Accessed: 21-Nov-2013].

[10]  Encrypt the Web Report. 2013.

[11]  L. Vaas, “FBI: Anonymous has been exploiting Adobe flaws in year-long, ongoing assault on US government sites,” Naked Security, 20-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/20/fbi-anonymous-has-been-exploiting-adobe-flaws-in-year-long-ongoing-assault-on-us-government-sites/. [Accessed: 20-Nov-2013].

[12]  P. Ducklin, “Firefox 25.0.1 - the security update that wasn’t?,” Naked Security, 18-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/16/firefox-25-0-1-the-security-update-that-wasnt/. [Accessed: 18-Nov-2013].

[13]  “Global forest change,” Flowing Data, 20-Nov-2013. [Online]. Available: http://flowingdata.com/2013/11/20/global-forest-change/. [Accessed: 20-Nov-2013].

[14]  E. Howell, “How habitable is Mars? A new view of the Viking experiments,” Phys.org, 21-Nov-2013. [Online]. Available: http://phys.org/news/2013-11-habitable-mars-view-viking.html. [Accessed: 21-Nov-2013].

[15]  K. Zetter, “How the Feds Took Down the Silk Road Drug Wonderland,” Threat Level, 18-Nov-2013. [Online]. Available: http://www.wired.com/threatlevel/2013/11/silk-road/. [Accessed: 18-Nov-2013].

[16]  G. Cluley, “How to freak out Instagram users, and why they need to be more private,” Graham Cluley, 18-Nov-2013. [Online]. Available: http://grahamcluley.com/2013/11/instagram-twitter-location-privacy/?utm_source=feedly. [Accessed: 20-Nov-2013].

[17]  G. Cluley, “How your LG Smart TV can spy on you,” Graham Cluley, 20-Nov-2013. [Online]. Available: http://grahamcluley.com/2013/11/lg-smart-tv-can-spy/. [Accessed: 20-Nov-2013].

[18]  Q. Hardy, “Mapping Bitcoin,” Bits Blog, 19-Nov-2013. [Online]. Available: http://bits.blogs.nytimes.com/2013/11/19/mapping-bitcoin/. [Accessed: 20-Nov-2013].

[19]  M. Williams, “Nationwide Insurance follows banks, using simpler language,” The Columbus Dispatch, 17-Nov-2013. [Online]. Available: http://www.dispatch.com/content/stories/business/2013/11/17/clear-cut-policies.html. [Accessed: 18-Nov-2013].

[20]  “NTRU public key crypto released to open source community,” Help Net Security, 22-Nov-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15997. [Accessed: 22-Nov-2013].

[21]  G. Cluley, “Serious security hole in Gmail password reset system found by security researcher,” Graham Cluley, 22-Nov-2013. [Online]. Available: http://grahamcluley.com/2013/11/security-hole-gmail-password-recovery-system/. [Accessed: 22-Nov-2013].

[22]  R. Shaw, “SIM Card Forensics: An Introduction,” InfoSec Institute, 19-Nov-2013. [Online]. Available: http://resources.infosecinstitute.com/sim-card-forensics-introduction/. [Accessed: 20-Nov-2013].

[23]  K. Jackson-Higgins, “SMBs Unsure And At Risk, Survey Finds -,” Dark Reading, 19-Nov-2013. [Online]. Available: http://www.darkreading.com/vulnerability/smbs-unsure-and-at-risk-survey-finds/240164100. [Accessed: 20-Nov-2013].


[25]  J. Leyden, “Stolen CREDIT CARD details? Nah... crooks desire your PRIVATES,” The Register, 22-Nov-2013. [Online]. Available: http://www.theregister.co.uk/2013/11/22/cybercrime_market_prices/. [Accessed: 22-Nov-2013].

[26]  “The risks of having a false sense of security,” Help Net Security, 22-Nov-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15996. [Accessed: 22-Nov-2013].

[27]  T. Holwerda, “The second operating system hiding in every mobile phone,” OS News, 12-Nov-2013. [Online]. Available: http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone. [Accessed: 18-Nov-2013].

[28]  R. Rachwald, “Top Security Predictions for 2014,” FireEye Blog, 21-Nov-2013. [Online]. Available: http://www.fireeye.com/blog/corporate/2013/11/top-security-predictions-for-2014.html. [Accessed: 21-Nov-2013].

[29]  K. Opsahl, N. Cardozo, and P. Higgins, “UPDATE: Encrypt the Web Report: Who’s Doing What,” Electronic Frontier Foundation, 20-Nov-2013. [Online]. Available: https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what. [Accessed: 21-Nov-2013].

The Week That Was - 2013.11.15

This week we have a wide spectrum of topics.  Facebook subtly calls out Adobe.  We discuss the nuance of malicious code on the International Space Station (ISS), which includes our first ever Bonus Link at no additional cost!  We briefly mention some new published research papers and take a trip in the Way Back Machine to World War II.  And, for those of you who are so inclined, there is a neat data visualization of the Bourbon Whiskey family tree buried in here too.  I'm making you hunt for it though.  Now, for the news... The Adobe breach was bad enough that Facebook wanted to make sure the affected Adobe users were not using the same passwords at Facebook. [7]  Facebook checked to see if their users used any of the Adobe passwords. If they found any, they isolated the offending users until they changed passwords. Seems like a great idea until you ask yourself “Wait a minute. How is Facebook checking my password? Can they read it?” The good news is no, they can’t read your password. Facebook stores passwords properly and can’t read them. Instead they took all the plain text passwords from Adobe and ran them through the normal code they use to hash passwords. If your password hash matched and Adobe password hash, you were sent to the penalty box. Kudos to Facebook for proactive user protection.

The Pwn2own guys are at it again.  [19]  This is why we can’t have nice things. Security researchers continue to find new and creative ways to use mobile devices in ways the designers never intended. That’s a nice way of saying everybody's hacking these things six ways to Sunday and we don’t know what they’re going to do next. I console myself by saying that this is the same pattern we went through in the late 90s and early 2000s.  We'll eventually get our act together enough to keep the benefit outweighing the cost.

And speaking of challenges keeping your act together, the International Space Station fell into a bit of a kerfuffle this week. [20]   When you get a computer virus, troubleshooting normally involves an updated antivirus definition and a reboot. If it’s really bad, you need to reinstall the operating system from scratch. That’s much trickier when you live in your computer and it happens to be an over grown beer can whirling around the Earth at 17,100 MPH held in place by a tenuous thread of gravity. Use that example with your users next time the grouse about rebooting to apply a security patch.

Bonus Link: Interview with Astronaut Chris Hadfield, ISS Commander He talks about things going wrong when they upgraded the ISS operating system. Also other cool stories about living on the space station for extended periods.

We had some good research published last week for those of you who like data.  Microsoft issued their Security Intelligence Report (SIR) v15.  [23]  It includes some interesting data on denial of service attacks.  Tripwire also published The State of Risk-Based Security Management: U.S. & U.K. 2013 [27], which impressed me with its data transparency.  You know the sample size, they discuss the opportunities for error, and generally present their findings in an up-front manner.  I've not had a chance to review these documents in detail yet, but I am looking forward to doing so.

I’m still not sure if the general population truly understands the importance cryptography played in sculpting the events of World War II. This conflict arguably changed the course of human history more than any other. As a cryptanalyst deciphering Enigma-encoded messages, Mavis Batey made significant contributions to the Allies’ victory and she must be recognized for her efforts. Cryptography continues to play a huge role in the course of human events as evidenced through the Edward Snowden leaks. This is a quick and fascinating read that is worth your time.

Link Dump

[1]  T. Hunt, “Adobe credentials and the serious insecurity of password hints,” Troy Hunt, 12-Nov-2013. [Online]. Available: http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html. [Accessed: 12-Nov-2013].

[2]  C. Watson, “AWS Security Guidance and Information,” Web Security, Usability, and Design, 13-Nov-2013. [Online]. Available: https://www.clerkendweller.com/2013/11/13/AWS-Security-Guidance-and-Information. [Accessed: 13-Nov-2013].

[3]  C. Spoelman, “Chart: The Family Tree of Bourbon Whiskey,” GQ. [Online]. Available: http://www.gq.com/life/food/201311/bourbon-whiskey-family-tree. [Accessed: 15-Nov-2013].

[4]  P. Muncaster, “Chinese Bitcoin exchange DISAPPEARS, along with £2.5 MEEELLION,” The Register, 12-Nov-2013. [Online]. Available: http://www.theregister.co.uk/2013/11/12/bitcoin_gbl_hong_kong_collapse/. [Accessed: 12-Nov-2013].

[5]  M. Rawat, “e-Whoring: Darker Way to Earn Money - InfoSec Institute,” INFOSEC Institute, 15-Nov-2013. [Online]. Available: http://resources.infosecinstitute.com/e-whoring-darker-way-earn-money/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+infosecResources+%28InfoSec+Resources%29. [Accessed: 15-Nov-2013].

[6]  “Exploring risk-based security management in the industrial sector,” Help Net Security, 13-Nov-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15937. [Accessed: 13-Nov-2013].

[7]  L. Vaas, “Facebook locks users in a closet for using same passwords/emails on Adobe,” Naked Security, 13-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/13/facebook-locks-users-in-a-closet-for-using-same-passwordsemails-on-adobe/. [Accessed: 13-Nov-2013].

[8]  “Free mobile security scanning apps and SDK,” Help Net Security, 13-Nov-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15938. [Accessed: 13-Nov-2013].

[9]  L. Vaas, “Google: US data requests have more than tripled since 2009,” Naked Security, 15-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/15/google-us-data-requests-have-more-than-tripled-since-2009/. [Accessed: 15-Nov-2013].

[10]“hashcat - Multi-Threaded Password Hash Cracking Tool,” Darknet - The Darkside, 13-Nov-2013. [Online]. Available: http://www.darknet.org.uk/2013/11/hashcat-multi-threaded-password-hash-cracking-tool/. [Accessed: 13-Nov-2013].

[11]  “How Classified NSA Exploit tools RADON and DEWSWEEPER Work,” InfoSec Institute, 12-Nov-2013. [Online]. Available: http://resources.infosecinstitute.com/classified-nsa-exploit-tools-radon-dewsweeper-work/. [Accessed: 12-Nov-2013].

[12]  P. Ducklin, “In memoriam - Mavis Batey MBE, codebreaker extraordinaire at Bletchley Park,” Naked Security, 15-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/15/in-memoriam-mavis-batey-mbe-codebreaker-extraordinaire-at-bletchley-park/. [Accessed: 15-Nov-2013].

[13]  X. Mertens, “Keep an Eye on Your Amazon Cloud with OSSEC | /dev/random,” /dev/random, 15-Nov-2013. [Online]. Available: http://blog.rootshell.be/2013/11/15/keep-an-eye-on-your-amazon-cloud-with-ossec/. [Accessed: 15-Nov-2013].

[14]  “Malware Analysts have the Tools to Defend Against Cyber-Attacks, But Challenges Remain.” ThreatTrack Security, Nov-2013.

[15]  B. Schneier, “Microsoft Retiring SHA-1 in 2016,” Schneier on Security, 13-Nov-2013. [Online]. Available: https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html. [Accessed: 14-Nov-2013].

[16]  D. Batchelder, J. Blackbird, D. Felstead, P. Henry, B. Hope, J. Jones, A. Kulkarni, M. Lauricella, R. McRee, C. Mills, N. Ng, D. Pecelj, A. Penta, T. Rains, V. Sekhar, H. Stewart, M. Thomlinson, T. Thompson, and T. Zink, “Microsoft Security Intelligence Report, 2013-1H.” Microsoft Corp., Jun-2013.

[17]  T. Wilson, “New IE Vulnerability Found In The Wild; Sophisticated Web Exploit Follows -,” Dark Reading, 12-Nov-2013. [Online]. Available: http://www.darkreading.com/vulnerability/new-ie-vulnerability-found-in-the-wild-s/240163814. [Accessed: 12-Nov-2013].

[18]  “Prediction of sexual orientation through Facebook friends,” Flowing Data, 13-Nov-2013. [Online]. Available: http://flowingdata.com/2013/11/13/prediction-of-sexual-orientation-through-facebook-friends/. [Accessed: 14-Nov-2013].

[19]  I. Thomson, “Pwn2Own crackers leave iOS and Samsung mobe security IN RUINS,” The Register, 14-Nov-2013. [Online]. Available: http://www.theregister.co.uk/2013/11/14/pwn2own_crackers_leave_ios_and_samsung_handsets_wide_open/. [Accessed: 14-Nov-2013].

[20]  R. Jennings, “Russians infect space with USB malware, Stuxnet found in nuclear reactor,” Computerworld, 12-Nov-2013. [Online]. Available: http://blogs.computerworld.com/malware-and-vulnerabilities/23118/russians-space-usb-malware-stuxnet-nuclear-reactor-itbwcw. [Accessed: 12-Nov-2013].

[21]  L. Vaas, “San Diego quietly slips facial recognition into the hands of law enforcers,” Naked Security, 12-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/12/san-diego-quietly-slips-facial-recognition-into-the-hands-of-law-enforcers/. [Accessed: 12-Nov-2013].

[22]  B. Schneier, “Schneier on Security: Defending Against Crypto Backdoors,” Schneier on Security, 22-Oct-2013. [Online]. Available: https://www.schneier.com/blog/archives/2013/10/defending_again_1.html. [Accessed: 22-Oct-2013].

[23]  “Security Intelligence Report (SIR) v15 Now Available - Cloud Computing | Microsoft Trustworthy Computing Blog - Site Home - TechNet Blogs.” [Online]. Available: http://blogs.technet.com/b/trustworthycomputing/archive/2013/11/08/security-intelligence-report-sir-v15-now-available.aspx. [Accessed: 12-Nov-2013].

[24]  B. Crocker, “Six Degrees of Separation: Why Your Data is More Valuable than You Think,” FireEye Blog, 04-Nov-2013. [Online]. Available: http://www.fireeye.com/blog/corporate/2013/11/six-degrees-of-separation-why-your-data-is-more-valuable-than-you-think.html. [Accessed: 13-Nov-2013].

[25]  K. Jackson-Higgins, “Survey Exposes The Dirty Little Secret Of Undisclosed Breaches -,” Dark Reading, 07-Nov-2013. [Online]. Available: http://www.darkreading.com/attacks-breaches/survey-exposes-the-dirty-little-secret-o/240163717. [Accessed: 12-Nov-2013].

[26]  “The operations of a cyber arms dealer,” Help Net Security, 12-Nov-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15928. [Accessed: 12-Nov-2013].

[27]  “The State of Risk-Based Security Management: U.S. & U.K. 2013.” Tripwire, 2013.

[28]  C. Morello and T. Mellnik, “Washington: A world apart,” Washington Post, 09-Nov-2013. [Online]. Available: http://www.washingtonpost.com/sf/local/2013/11/09/washington-a-world-apart/. [Accessed: 13-Nov-2013].

The Week That Was - 2013-11-05

I'll get this regular publication thing down yet.  I'm shooting for every Friday.  One of you data nerds out there find a good over/under number for the days past Friday I post a Week That Was article. Now for the content.

Last week I talked about the fact that LinkedIn’s new application called “Intro” included its content in Apple’s Mail application via man-in-the-middle (MITM) attack. This article [4] does a great job of explaining the detail behind this new feature. Keep your eyes on the warning messages Google throws at you. They really work to let you know when strange behavior is afoot that warrants caution.

Bruce Schneier has an interesting piece entitled The Battle for Power on the Internet.  [11]  I found it very thought-provoking.  The Internet entered the scene as a disruptive force for public communication and commerce just about 20 years ago.  It is not settling in to its role in society and there are two major groups in this organization: The Quick and The Strong.  The Quick are the small activist groups that are the new disruptors.  The Strong are the government and corporate entities that have harnessed and institutionalized the Internet for marketing and surveillance objectives1. Security, risk, and data professionals are the soldiers in this fight. What does that mean for us?  What side are we on?  Did we choose that side or did it choose us?  Do we care?  Should we be principle-driven soldiers or mercenaries?  Some really interesting existential questions in this article.  It's a long read but worth it.

This next issue will be a significant tipping point in the battle between the Quick and the Strong.  The United States is still trying to determine if forcing a suspect to disclose his or her  password is a violation of the 5th Amendment.  [5]  This is huge.  Encryption is incredibly important for both sides and the ability to compel someone to decrypt their secure data is a huge boon for the Strong side of the equation.  The question at the core of the matter is whether a password is more analogous to a physical key or a piece of incriminating knowledge.  That is a tough question with far-reaching repercussions.  I guess that is why the Supreme Court Justices get paid the big bucks.  And, as a side note, biometric authentication is considered a physical key and the court can compel you to open data systems locked via biometrics.  Think about that when you buy a new iPhone.

However, the Quick side of the equation is not encumbered with the restrictions of the U.S. Constitution or any other laws for that matter.  They are free to use social engineering techniques freely and with remarkable success.  They have ways of making you talk and you might not even know you're talking.  This point is illustrated in the The DEF CON 21 Social-Engineer Capture the Flag Report brought to us by the fine folks at Social-Engineer.org.  [17]  There are some really interesting and troubling results described in this report.  Defending against social engineering is a tough one because you rely on people for your defense.  This is like relying on your database to protect itself from compromise.  This one is worth a read.

The last item today is a tool you can use in your organizations.  It's a video from Akamai CEO Andy Ellis explaining a Zero Day vulnerability.  [19]  I think it could be useful in user awareness training or a clarifying tool for business executives that need a quick explanation to review at their convenience.  I hope you find a good use for it.



Side Note: I'm not convinced there is a huge difference between marketing and surveillance.  That's probably a post all by itself.

Link Dump

[1]  L. Vaas, “‘You can’t have your privacy violated if you don’t know your privacy is violated’,” Naked Security, 31-Oct-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/10/31/you-cant-have-your-privacy-violated-if-you-dont-know-your-privacy-is-violated/?utm_source=feedly. [Accessed: 31-Oct-2013].

[2]  A. Brading, “Adobe breach THIRTEEN times worse than thought, 38 million users affected,” Naked Security, 30-Oct-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/10/30/adobe-breach-thirteen-times-worse-than-thought-38-million-users-affected/. [Accessed: 30-Oct-2013].

[3]  “Agents of Change: Women in the Information Security Profession.” (ISC)2, Oct-2013.

[4]  T. Hunt, “Disassembling the privacy implications of LinkedIn Intro,” Troy Hunt, 31-Oct-2013. [Online]. Available: http://www.troyhunt.com/2013/10/disassembling-privacy-implications-of.html. [Accessed: 31-Oct-2013].

[5]  M. Mimoso, “EFF Makes Case That Fifth Amendment Protects Against Compelled Decryption,” Threatpost - English - Global - threatpost.com, 31-Oct-2013. [Online]. Available: http://threatpost.com/eff-makes-case-that-fifth-amendment-protects-against-compelled-decryption/102767. [Accessed: 01-Nov-2013].

[6]  P. Ducklin, “Firefox moves up to Version 25, fixes a bunch of memory mismanagement problems,” Naked Security. [Online]. Available: http://nakedsecurity.sophos.com/2013/10/30/firefox-moves-up-to-version-25/. [Accessed: 30-Oct-2013].

[7]  “FoxOne Free OSINT Tool - Server Reconnaissance Scanner,” Darknet - The Darkside, 30-Oct-2013. [Online]. Available: http://www.darknet.org.uk/2013/10/foxone-free-osint-tool-server-reconnaissance-scanner/. [Accessed: 30-Oct-2013].

[8]  “Hidden spots: Michigan’s best-kept secrets of trout streams and fishing holes,” MLive.com. [Online]. Available: http://www.mlive.com/outdoors/index.ssf/2011/04/hidden_spots_michigans_best-ke.html. [Accessed: 29-Oct-2013].

[9]  P. Ducklin, “Please don’t spread the Facebook ‘giraffe picture’ hoax!,” Naked Security, 30-Oct-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/10/30/please-dont-spread-the-facebook-giraffe-picture-hoax/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29. [Accessed: 30-Oct-2013].

[10]  B. Schneier, “Schneier on Security: NSA Eavesdropping on Google and Yahoo Networks,” Schneier on Security, 31-Oct-2013. [Online]. Available: https://www.schneier.com/blog/archives/2013/10/nsa_eavesdroppi_2.html. [Accessed: 01-Nov-2013].

[11]  B. Schneier, “Schneier on Security: The Battle for Power on the Internet,” Schneier on Security, 30-Oct-2013. [Online]. Available: https://www.schneier.com/blog/archives/2013/10/the_battle_for_1.html. [Accessed: 30-Oct-2013].

[12]  K. Jackson-Higgins, “Social Engineers Pwn The ‘Human Network’ In Major Firms,” Dark Reading, 30-Oct-2013. [Online]. Available: http://www.darkreading.com/vulnerability/social-engineers-pwn-the-human-network-i/240163379. [Accessed: 31-Oct-2013].

[13]  “Thanks to a False Sense of Security, Small Businesses Are Skipping Cyber-Protection,” Infosecurity, 01-Nov-2013. [Online]. Available: http://www.infosecurity-magazine.com/view/35374/thanks-to-a-false-sense-of-security-small-businesses-are-skipping-cyberprotection/. [Accessed: 01-Nov-2013].

[14]  P. Ducklin, “The ‘BadBIOS’ virus that jumps airgaps and takes over your firmware – what’s the story?,” Naked Security, 01-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/01/the-badbios-virus-that-jumps-airgaps-and-takes-over-your-firmware-whats-the-story/?utm_source=feedly. [Accessed: 01-Nov-2013].

[15]  B. Kasanoff, “The Best ‘Positioning’ Statement Ever,” LinkedIn, 30-Oct-2013. [Online]. Available: http://www.linkedin.com/today/post/article/20131030105955-36792-the-best-positioning-statement-ever. [Accessed: 30-Oct-2013].

[16]  R. Barnes, “The Conditional Complexity of Risk Models,” The State of Security, 29-Oct-2013. [Online]. Available: http://www.tripwire.com/state-of-security/featured/conditional-complexity-risk-models/. [Accessed: 30-Oct-2013].

[17]  M. Fincher and C. Hadnagy, “The DEF CON 21 Social-Engineer Capture the Flag Report.” Social-Engineer.org, Oct-2013.

[18]  B. Brenner, “Video: What’s a Zero-Day Vulnerability? - The Akamai Blog,” The Akamai Blog, 30-Oct-2013. [Online]. Available: https://blogs.akamai.com/2013/10/video-whats-a-zero-day-vulnerability.html. [Accessed: 30-Oct-2013].

[19]  “What is a Zero Day Vulnerability with Akamai Chief Security Officer Andy Ellis,” YouTube. [Online]. Available: http://www.youtube.com/watch?v=E23Ok3W_wsU. [Accessed: 30-Oct-2013].

[20]  D. Melancon, “Whose Responsibility is CEO ‘Tech Literacy?’,” The State of Security, 30-Oct-2013. [Online]. Available: http://www.tripwire.com/state-of-security/security-data-protection/whose-responsibility-ceo-tech-literacy/. [Accessed: 31-Oct-2013].

[21]  “Women crucial for taking INFOSEC industry to next level.” [Online]. Available: http://www.net-security.org/secworld.php?id=15857. [Accessed: 30-Oct-2013].

The Week that Was - 10/28/2013

Last week had a number of interesting developments.  Two of them involved the law, privacy, and security implications. First, the Third Circuit Court ruled that GPS tracking devices attached to vehicles require a probable cause warrant. [9]   I think this is an important ruling for privacy and the 4th Amendment.  I'm a proponent for keeping tabs on the bad guys, but I'm a bigger proponent of maintaining the rights and principles on which we founded the United States.  Unreasonable search and seizure is one of the reasons that the United States decided to declare its independence in the first place.  The fact that we would act in a cavalier manner towards our constitutional right to privacy should give us all pause.  We've developed incredible technology to monitor and investigate our population.  We can certainly develop technology to expedite the management of those investigations in a manner consistent with our Constitution.

Related our responsibility to maintain and uphold our founding principles is this piece from Bruce Schneier.  [25]  He makes an astute observation that the government's ability to monitor its citizens is quickly beginning to merge with private companies' capability.  This is significant given the data stores that the likes of Google, Facebook, Twitter, and Amazon have amassed.  Given the impressive analytic capabilities developed in concert with their databases, there is a compelling argument that these private companies understand your activity and preferences better than you do.  That provides a powerful surveillance and investigation tool.  What are the checks and balances to manage this growing partnership?

Former Secretary of Homeland Security, Michael Chertoff, asserts that cybersecurity is the most significant threat we face presently.  [6]  He made this statement at the PCI Annual Meeting.  (Note: This particular PCI refers to the Property and Casualty Insurers Association of the Americas.)  As you might expect, he feels that the insurance industry can provide significant value to the American economy as a means to mitigate risk related to cybersecurity events.  Underwriting cybersecurity risks could be a good way to enforce a common set of standards.

There was another interesting article about Malwarebytes releasing its enterprise edition product.  [16]  They tout its zero day protection.  I agree this is an important feature, however, we need to nail down known vulnerabilities first.  If our patching programs aren't keeping up, the bad guys don't need to bother with zero day vulnerabilities.  They can use the old stuff that has been laying around since 2009.  Why spend $10,000 to $250,000 on a zero day exploit if you can get a functioning old one for free that accomplishes the same result?  Hacking is a business.  Make yourself a cost prohibitive resource.

In the vein of new product offerings, LinkedIn just released a new feature for its iPhone application.  [15]  This feature integrates with the Mail client to include contact information from your LinkedIn contacts.  The interesting thing is that Apple is very particular about its core applications like Mail.  Nobody touches these applications but Apple.  So how did LinkedIn get their information integrated into your Mail communications?  They used a man-in-the-middle attack.  Their application basically proxies your email before it sends it to its final destination.  What else are they doing with your email before it reaches the recipient?  Be careful out there, folks.

Finally, here is a bit of fun from Skully Helmets. [24]  Skully manufactures motorcycle helmets with Google Glass-like heads up displays integrated.  It is a really cool application of technology and I can see it as a boon to motorcyclists.  The Bluetooth connectivity gives me some pause, but I suppose if you configure it correctly, it's just as safe as Bluetooth connectivity in your car.  The only problem I see is that distractions on a motorcycle seem more dangerous than distractions in a car.  Discuss.  Here's a video demo:


Link Dump

[1]  I. Winkler and S. Manke, “4 ways metrics can improve security awareness programs,” CSO, 23-Oct-2013. [Online]. Available: http://www.csoonline.com/article/741898/4-ways-metrics-can-improve-security-awareness-programs. [Accessed: 24-Oct-2013].

[2]  A. Schaub, “A Brief Rant Regarding Facebook Privacy,” SCHAUBA SEC, 21-Oct-2013. .

[3]  A. Zeeberg, “A Computer Program That Hacks Language & Exposes US Secrets,” Nautilus, 22-Oct-2013. [Online]. Available: http://nautil.us/blog/a-computer-program-that-hacks-language--exposes-us-secrets. [Accessed: 23-Oct-2013].

[4]  B. Krebs, “Breach at PR Newswire Tied to Adobe Hack,” Krebs on Security, 16-Oct-2013. [Online]. Available: http://krebsonsecurity.com/2013/10/breach-at-pr-newswire-tied-to-adobe-hack/. [Accessed: 21-Oct-2013].

[5]  J. Leyden, “Call yourself a ‘hacker’, lose your 4th Amendment right against seizures,” The Register, 23-Oct-2013. [Online]. Available: http://www.theregister.co.uk/2013/10/23/hacker_loses_4th_amendment_rights_case/. [Accessed: 24-Oct-2013].

[6]  C. Hemenway, “Chertoff: Our Biggest Threat is Cyber Security; Insurance Industry Can ‘Play a Pivotal Role’,” PropertyCasualty360, 22-Oct-2013. [Online]. Available: http://www.propertycasualty360.com/2013/10/22/chertoff-our-biggest-threat-is-cyber-security-insu?eNL=5266d4f8150ba0206c00014e&utm_source=PC360DailyeNews&utm_medium=eNL&utm_campaign=PC360_eNLs&t=tech-management&_LID=72340538. [Accessed: 23-Oct-2013].

[7]  P. Muncaster, “Chinese hotel guests find data spaffed all over the internet,” The Register, 22-Oct-2013. [Online]. Available: http://www.theregister.co.uk/2013/10/22/china_hotel_data_breach_victims/. [Accessed: 22-Oct-2013].

[8]  “CISOs’ Role Becoming More Strategic, But there Are Growing Pains,” Infosecurity, 22-Oct-2013. [Online]. Available: http://www.infosecurity-magazine.com/view/35208/cisos-role-becoming-more-strategic-but-there-are-growing-pains/. [Accessed: 23-Oct-2013].

[9]  K. Zetter, “Court Rules Probable-Cause Warrant Required for GPS Trackers,” Threat Level, 22-Oct-2013. [Online]. Available: http://www.wired.com/threatlevel/2013/10/warrant-required-gps-trackers/. [Accessed: 23-Oct-2013].

[10]  J. Leyden, “D-Link hole-prober finds ‘backdoor’ in Chinese wireless routers,” The Register, 22-Oct-2013. [Online]. Available: http://www.theregister.co.uk/2013/10/22/tenda_router_backdoor/. [Accessed: 22-Oct-2013].

[11]  “Facebook data mining tool uncovers your life,” Help Net Security, 21-Oct-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15795. [Accessed: 21-Oct-2013].

[12]  D. duChemin, “Follow Your Passion?,” David duChemin - World & Humanitarian Photographer, Nomad, Author., 22-Oct-2013. [Online]. Available: http://davidduchemin.com/2013/10/follow-your-passion/. [Accessed: 23-Oct-2013].

[13]  “How to social engineer a social network,” Help Net Security, 22-Oct-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15805. [Accessed: 22-Oct-2013].

[14]  “‘Likely service disruption’ strikes Facebook,” Phys.org, 21-Oct-2013. [Online]. Available: http://phys.org/news/2013-10-disruption-facebook.html. [Accessed: 21-Oct-2013].

[15]  M. Mimoso, “LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say,” Threatpost - English - Global - threatpost.com, 24-Oct-2013. [Online]. Available: http://threatpost.com/linkedin-intro-app-equivalent-to-man-in-the-middle-attack-experts/102683. [Accessed: 25-Oct-2013].

[16]  “Malwarebytes Growth Validates Need For Zero-Day Protection -,” Dark Reading, 23-Oct-2013. [Online]. Available: http://www.darkreading.com/endpoint/malwarebytes-growth-validates-need-for-z/240163061. [Accessed: 24-Oct-2013].

[17]  “Most young adults not interested in a cybersecurity career,” Help Net Security, 24-Oct-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15817. [Accessed: 24-Oct-2013].

[18]  B. Donohue, “NIST Publishes Cybersecurity Framework Draft, Seeks Public Comment,” Threatpost - English - Global - threatpost.com, 23-Oct-2013. [Online]. Available: http://threatpost.com/nist-publishes-cybersecurity-framework-draft-seeks-public-comment/102667. [Accessed: 24-Oct-2013].

[19]  I. Thomson and 22nd October 2013, “NSA-friendly cyber-slurp law CISPA back on the table with new Senate bill,” The Register, 22-Oct-2013. [Online]. Available: http://www.theregister.co.uk/2013/10/22/cispa_back_on_the_agenda/. [Accessed: 23-Oct-2013].

[20]  D. duChemin, “On Authenticity, Again.,” David duChemin - World & Humanitarian Photographer, Nomad, Author., 18-Oct-2013. [Online]. Available: http://davidduchemin.com/2013/10/on-authenticity-again/. [Accessed: 21-Oct-2013].

[21]  B. Donohue, “Report: UN Nuclear Regulator Infected with Malware,” Threatpost - English - Global - threatpost.com, 23-Oct-2013. [Online]. Available: http://threatpost.com/report-un-nuclear-regulator-infected-with-malware/102670. [Accessed: 24-Oct-2013].

[22]  J. Leyden, “Scared yet, web devs? Google smears malware warnings over PHP.net,” The Register, 24-Oct-2013. [Online]. Available: http://www.theregister.co.uk/2013/10/24/php_site_malware_warning_flap/. [Accessed: 24-Oct-2013].

[23]  B. Schneier, “Schneier on Security: Defending Against Crypto Backdoors,” Schneier on Security, 22-Oct-2013. [Online]. Available: https://www.schneier.com/blog/archives/2013/10/defending_again_1.html. [Accessed: 22-Oct-2013].

[24]  D. Lowney, “Skully reveals Google Glass-like motorcycle helmet [w/video],” Autoblog, 23-Oct-2013. [Online]. Available: http://www.autoblog.com/2013/10/23/skully-hud-motorcycle-helmet-video/. [Accessed: 23-Oct-2013].

[25]  B. Schneier, “The Trajectories of Government and Corporate Surveillance,” Schneier on Security, 21-Oct-2013. [Online]. Available: https://www.schneier.com/blog/archives/2013/10/the_trajectorie.html. [Accessed: 21-Oct-2013].

[26]  S. Sharwood, “US Veep’s wireless heart implant disabled to stop TERRORIST HACKERS,” The Register, 21-Oct-2013. [Online]. Available: http://www.theregister.co.uk/2013/10/21/us_veeps_wireless_heart_implant_disabled_to_stop_terrorist_hackers/. [Accessed: 21-Oct-2013].

[27]  E. Chickowski, “Visualizing Security Analytics That Don’t Stink,” Dark Reading, 22-Oct-2013. [Online]. Available: http://www.darkreading.com/visualizing-security-analytics-that-dont/240162973. [Accessed: 23-Oct-2013].

[28]  S. A. Mathieson, “Why Bletchley Park could never happen today,” The Register, 25-Oct-2013. [Online]. Available: http://www.theregister.co.uk/2013/10/25/feature_bletchley_could_not_happen_today/. [Accessed: 25-Oct-2013].

[29]  “Young employees don’t care about corporate policies,” Help Net Security, 24-Oct-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15815. [Accessed: 24-Oct-2013].

A Brief Rant Regarding Facebook Privacy

Throwing metaphorical rocks at Facebook for the privacy practices seems to be pretty popular these days.  Here is a link to a recent effort showcased at the Hack In the Box conference.  Yes, you can reverse engineer Facebook's social graph and stalk people.  Guess what, you can already stalk people on Facebook.  This is just a novel way to do so. Getting mad at Facebook for sharing the private data you publish on its service is like getting mad at Phillip-Morris for your lung cancer after smoking their cigarettes for 20 years.  In both cases, you had a choice and you decided to choose the riskier option.  Now you're dealing with the consequences you're upset that you made a bad decision.  You don't want to admit it's your fault.

Man up1 for crying out loud!  Own your decision and do something about it.  Whining isn't going to help at this point.

Just like we all know cigarettes cause cancer, we know that using social media will compromise our privacy.  It just chaps my hind end that people publish their data and are shocked when others have the audacity to read it.  Just to be clear, here is the definition of publish courtesy of Meriam-Webster:

pub·lish\ˈpə-blish\   transitive verb

1. To make generally known; to make public announcement of

2.  To disseminate to the public; to produce or release for distribution; specifically, to issue the work of (an author)

Brace yourself, but that definition implies you want the general public to hear what you have to say.  Quit lobbing rocks at Facebook and take some responsibility for your own privacy.

1"Man up" is not intended to be sexist.  If you happen to be a woman, I encourage to take similar pride in your gender.  Same goes for our friends out there whose gender identity is less clear cut.  Just grab what ever you have down there with both hands and show some courage and personal responsibility.  That's all I'm saying.

The Week That Was - 10/18/2013

I'm getting back in the saddle this week.  Sorry for the long break. I have a bit of a mix this week.  Some are security-related and others aren't, but they are still worth looking at.  Here are some items of note:

There is big news from Oracle. The have issued a Patch-a-lanche™ for Java.  [8]  This update contains 127 patches and 50 of those are remotely exploitable.  Wow.  The good news is that we at least have a fix for them.  Get those updates out there as soon as you can and be sure to send a little pizza and coffee to the QA Department to say thanks for the late nights spent regression testing all the critical apps.

Apple's iCloud protocols seem to have been compromised.  [1]  The compromise doesn't surprise me as there is significant economic incentive to do so. The guys at Elcomsoft who achieved the crack are legit researchers driving a respectable business.  That's one economic driver.  I'm sure there are other, less legit organizations out there working on the same thing to use for black market purposes, which is the other economic driver. The take away is that vendor-supplied encryption for Cloud services constitutes table stakes.  Vendors just need it to compete.  However, there are many highly motivated entities out there working to crack the encryption and other protection schemes.  The bad guys will succeed eventually.  We as consumers need to take matters into our own hands and make sure that we have protected our data appropriately before flinging it into the Cloud.

Hackers breached Adobe's networks pretty thoroughly.  [5]  Not only did they access customer data but also source code to some of its most popular applications.  I doubt the compromised source code will result in an avalanche of new vulnerabilities flooding the market.  However, I have no doubt that analysis of the code will yield a number of new and interesting vulnerabilities.  Just remember, sharing those new goodies widely is just not good business.  Whoever executed the breach would be best served to find the new vulnerabilities, keep the good ones for themselves, and sell the rest discretely to interested parties.  That's how the bad guys make money of a breach like this.

Is nothing sacred?  [3]  TruCrypt has been a go-to tool for security data in one-off situations.  There is a lot of trust in the tool but that trust is now questioned.  I know the golden rule of cryptography is Never Write Your Own Crypto, but we might have to revisit that rule in certain circumstances.  It might make sense to roll your own if we continue to suspect NSA backdoors at every turn.  I'm not say that it's cheap or easy, but for your high-value data, it might be worth having an in-house crytpographer to cook up some custom algorithms.  Feel free to discuss in the comments.

Tech-savvy pirates have a new weapon in their arsenal.  [4]  Researchers can compromise the Automated Identification System (AIS), which is responsible for exchanging position data with other vessels.  I see how this could be really handy if you had a promising career as a high seas pirate.  At the very least, this weakness could compound the already intense confusion of a pirate attack.  At worst, I could see it causing a navigational error that results in physical damage to the ship.  The vendor response has been less than confidence inspiring.  Be careful out there, folks.

Link Dump


“Apple’s iCloud protocols cracked and analyzed,”

Help Net Security

, 17-Oct-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15787. [Accessed: 17-Oct-2013].


S. Tappin, “Can Angela and Tim Create Apple 3.0 -- Or Not?,”


, 15-Oct-2013. [Online]. Available: http://www.linkedin.com/today/post/article/20131015180259-13518874-can-angela-tim-create-apple-3-0-or-not. [Accessed: 17-Oct-2013].


J. Leyden, “Can you trust ‘NSA-proof’ TrueCrypt? Cough up some dough and find out,”

The Register

, 15-Oct-2013. [Online]. Available: http://www.theregister.co.uk/2013/10/15/truecrypt_security_audit/. [Accessed: 17-Oct-2013].


“Digital ship pirates: Researchers crack vessel tracking system,”

Help Net Security

, 16-Oct-2103. [Online]. Available: http://www.net-security.org/secworld.php?id=15781. [Accessed: 17-Oct-2013].


K. Jackson-Higgins, “Hacking The Adobe Breach -,”

Dark Reading

, 07-Oct-2013. [Online]. Available: http://www.darkreading.com/attacks-breaches/hacking-the-adobe-breach/240162362. [Accessed: 17-Oct-2013].


“Infosecurity - EU’s Data Protection One-Stop-Shop Inches Forward,”


, 08-Oct-2013. [Online]. Available: http://www.infosecurity-magazine.com/view/34922/eus-data-protection-onestopshop-inches-forward/. [Accessed: 17-Oct-2013].


“Most pirated flicks are those Hollywood will not sell,”


, 17-Oct-2013. [Online]. Available: http://www.techeye.net/security/most-pirated-flicks-are-those-hollywood-will-not-sell. [Accessed: 17-Oct-2013].


M. Mimoso, “Oracle Quarterly Update Includes Patches for 50 Remotely Executable Java Bugs,”


, 16-Oct-2013. [Online]. Available: http://threatpost.com/oracle-quarterly-update-includes-patches-for-50-remotely-executable-java-bugs/102596. [Accessed: 17-Oct-2013].


Kerr, “Samsung Galaxy Round brings curve to smartphones,”


, 08-Oct-2013. [Online]. Available: http://news.cnet.com/8301-1035_3-57606620-94/samsung-galaxy-round-brings-curve-to-smartphones/. [Accessed: 17-Oct-2013].


B. Schneier, “Schneier on Security: How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID,”

Schneier on Security

, 07-Oct-2013. [Online]. Available: https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html. [Accessed: 17-Oct-2013].


A. McDuffee, “Special Ops Uniform Will Transform Commandos Into an Iron Man Army,”

Danger Room

, 11-Oct-2013. [Online]. Available: http://www.wired.com/dangerroom/2013/10/ironman/. [Accessed: 17-Oct-2013].


H. G. Buffet, “Warren Buffet’s Warning: Don’t Lose the Game by Trying to Bat a Thousand,”


, 15-Oct-2013. [Online]. Available: http://www.linkedin.com/today/post/article/20131015101315-264657321-warren-buffett-s-warning-don-t-lose-the-game-by-trying-to-bat-a-thousand. [Accessed: 17-Oct-2013].

How to React to the NSA Attack on Standard Cryptosystems

I found an article asking With crypto being insecure, whom do you trust? while reading through the news this morning.  It referenced the joint article from The New York Times and Pro Publica, Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security.  The question is a good one: Who can you trust?  I have a few thoughts on the matter. First thought: If this surprises you, you haven't been paying attention.  The NSA's job is to crack encryption and backdoor systems to gain actionable intelligence for the United States and make it difficult for its adversaries to do the same to the U.S.  Here is the actual mission from its website:

The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.

Given some of the liberties taken with the Fourth Amendment in the past and this mission statement, I think it's clear that the "Ends Justify the Means" argument has some advocates at NSA.

Second Thought: The notion of online privacy is obsolete.  We can argue it has never been viable.  Either way, you can't trust your date to be private online.  Expect it to be the subject of a breach.

That leads me into my Third Thought.  All online transactions are now, more than ever, an exercise in risk management.  All electronic transactions are compromised.  How frequently will those compromises result in loss?  How big will that loss be?  This goes for personal and business transactions.  Make sure the benefit you get from the transaction is larger than the potential loss.

And now for my Final Thought on the matter: Now what?  My recommendation for maintaining privacy in this new age of certain breach is to go Old School.  If you have data that must remain private at all costs, grab a notepad and a pen.  As long as you don't scan or photocopy the handwritten document, it won't show up on Google.  If you need to talk to someone about something private, arrange a conversation with them rather than fling email at each other or calling on the phone.

In summary, here are my observations on NSA-compromised cyptosystems:

  1. If you are surprised, you haven't been paying attention
  2. Online trust is obsolete
  3. All online transactions are now an exercise in risk management
  4. If you really want privacy, break out the pad and pencil

Leave a comment if you want to discuss further.

The Week That Was - 2013-05-13

I have a decent sized batch of links for you all this week.  As a warning, I'll occasionally wander out of the purely INFOSEC or risk realms.  There are a couple of those items thrown in this week.  It's important to look around at other subjects to give us perspective and insight.  Part of that extra perspective this week comes from a guest appearance by Superchunk (with some NSFW lyrics). But, I'll still focus mostly on the INFOSEC side of things.  For example, SQL Injection is still a favorite.  [1]  The bad guys like it because it works.  There's no sense in working harder when smarter gets you there faster.  Web application security continue to be an important block in the foundations of our security programs.

While web application security has been a part of our basic INFOSEC blocking and tackling for some time, mobile devices are quickly becoming another fundamental area we need to master.  This week had one notable development in the mobile department.  The U.S. Department of Defense has approved the Samsung KNOX platform for use in its networks on the Galaxy S4.  [25]  The KNOX platform sports containerization, encryption, and VPN support natively.  It's a brave new world, everyone.

And Big Brother is a part of that new world as evidenced by a few stories I found this week.  [5], [9], [12]  Apple is collecting too much personal information according to the German courts.  No more location-based advertising for Apple when dealing with German citizens.  Also, The Happiest Place on Earth, takes a step towards creepy.  Now you and your entire family get RFID chipped at Disney World so the Mouse can herd you to the rides and attractions with the shortest lines.  Oh, and develop a pretty detailed consumer profile of your entire family while they're at it.  Finally, India has instituted a system to collect and monitor all mobile phone traffic and Internet traffic in the interest of national defense.  Some days, a quiet compound in the middle of Montana doesn't sound so bad.

Finally this week I'd like to point out that me and my Generation X cohorts aren't nearly as screwed up as you all thought we'd turn out.  [16]  In fact, we're doing a pretty good job of staying educated and we even plan to move our of our parents' basement next month.    Superchunk can explain further (Lyrics NSFW):


Link Dump

[1]  E. Chickowski, “10 Reasons SQL Injection Still Works,” Dark Reading, 08-May-2013. [Online]. Available: http://www.darkreading.com/database/10-reasons-sql-injection-still-works/240154405. [Accessed: 08-May-2013].

[2]  O. Räisänen, “A determined ‘hacker’ decrypts RDS-TMC,” Absorptions, 04-May-2013. [Online]. Available: http://windytan.blogspot.fi/2013/05/a-determined-hacker-decrypts-rds-tmc.html. [Accessed: 07-May-2013].

[3]  “Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China 2013,” May-2013. [Online]. Available: http://www.defense.gov/pubs/2013_China_Report_FINAL.pdf.

[4]  T. Wilson, “Anonymous, LulzSec, OpUSA Plan Broad Attacks On Government Agencies, Banks On Tuesday,” Dark Reading, 07-May-2013. [Online]. Available: http://www.darkreading.com/perimeter/anonymous-lulzsec-opusa-plan-broad-attac/240154309. [Accessed: 07-May-2013].

[5]  L. Whitney, “Apple ordered by German court to change its privacy rules,” CNET, 07-May-2013. [Online]. Available: http://news.cnet.com/8301-13579_3-57583241-37/apple-ordered-by-german-court-to-change-its-privacy-rules/. [Accessed: 08-May-2013].

[6]  E. Weese, “Battelle helping Bechtel destroy chemical weapons at plant in Kentucky - Columbus - Business First,” Columbus Business First, 08-May-2013. [Online]. Available: http://www.bizjournals.com/columbus/news/2013/05/08/battelle-assisting-in-destruction-of.html?ana=RSS&s=article_search&utm_source=feedly&utm_medium=feed&utm_campaign=Feed%3A+bizj_columbus+(Business+First+of+Columbus). [Accessed: 09-May-2013].

[7]  D. Hubbard, “Breaking news: Traffic from Syria Disappears from Internet,” Umbrella Security Labs, 07-May-2013. [Online]. Available: http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/. [Accessed: 08-May-2013].

[8]  J. Morariu and A. Emery, “Conquering the Dusty Shelf Report: Data Visualization for Evaluation,” Visualizing Data, 07-May-2013. [Online]. Available: http://www.visualisingdata.com/index.php/2013/05/conquering-the-dusty-shelf-report-data-visualization-for-evaluation/?utm_source=feedly. [Accessed: 07-May-2013].

[9]  M. Phillips, “Disney’s $1 billion plan to take even more of your money at Disney World,” Quartz, 08-May-2013. [Online]. Available: http://qz.com/82499/disney-1-billion-plan-to-take-even-more-of-your-money-at-disney-world/. [Accessed: 08-May-2013].

[10]  “Done is better then perfect,” VizWiz, 08-May-2013. [Online]. Available: http://vizwiz.blogspot.com/2013/05/done-is-better-then-perfect.html. [Accessed: 09-May-2013].

[11]  D. Hamermesh, “Font Improvement,” Freakonomics, 07-May-2013. [Online]. Available: http://www.freakonomics.com/2013/05/07/font-improvement/?utm_source=feedly. [Accessed: 07-May-2013].

[12]  P. Muncaster, “India introduces Central Monitoring System,” The Register, 08-May-2013. [Online]. Available: http://www.theregister.co.uk/2013/05/08/india_privacy_woes_central_monitoring_system/?utm_source=feedly. [Accessed: 08-May-2013].

[13]  B. Schneier, “Intelligence Analysis and the Connect-the-Dots Metaphor,” Schneier on Security, 07-May-2013. [Online]. Available: https://www.schneier.com/blog/archives/2013/05/intelligence_an.html?utm_source=feedly. [Accessed: 07-May-2013].

[14]  R. Cave, “Into the Rabbit Hole: Protocol Anomaly Detection,” Solutionary Minds, 07-May-2013. [Online]. Available: http://blog.solutionary.com/blog/bid/96750/Into-the-Rabbit-Hole-Protocol-Anomaly-Detection. [Accessed: 08-May-2013].

[15]  L. Mirani, “It’s not just about China and America—smaller countries want to wage cyberwar too,” Quartz, 07-May-2013. [Online]. Available: http://qz.com/81997/its-not-just-about-china-and-america-smaller-countries-want-to-wage-cyberwar-too/. [Accessed: 08-May-2013].

[16]  “Live and learn: Most GenXers continue their education.” [Online]. Available: http://phys.org/news/2013-05-genxers.html. [Accessed: 07-May-2013].

[17]  M. Lee, “Meeting aliens will be nothing like Star Trek—fact,” Phys.org, 08-May-2013. [Online]. Available: http://phys.org/news/2013-05-aliens-star-trekfact.html. [Accessed: 08-May-2013].

[18]  “Microsoft confirms zero-day vulnerability exploiting IE8,” Network World, 06-May-2013. [Online]. Available: http://www.networkworld.com/community/node/83000. [Accessed: 07-May-2013].

[19]  J. Leyden, “Microsoft plasters IE8 hole abused in nuke lab PC meltdown,” The Register, 09-May-2013. [Online]. Available: http://www.theregister.co.uk/2013/05/09/ie8_0day_stop_gap_fix/?utm_source=feedly. [Accessed: 09-May-2013].

[20]  S. Gallagher, “Network Solutions seizes over 700 domains registered to Syrians,” Ars Technica, 08-May-2013. [Online]. Available: http://arstechnica.com/tech-policy/2013/05/network-solutions-seized-over-700-domains-registered-to-syrians/. [Accessed: 09-May-2013].

[21]  C. Mims, “New Zealand isn’t exactly outlawing software patents—it’s doing something more interesting,” Quartz, 09-May-2013. [Online]. Available: http://qz.com/82945/new-zealand-declares-software-isnt-an-invention-and-cant-be-patented/. [Accessed: 09-May-2013].

[22]  R. Beckhusen, “Pentagon Wants ‘Human Surrogate’ for Ray Gun Tests,” Danger Room, 08-May-2013. [Online]. Available: http://www.wired.com/dangerroom/2013/05/pain-ray-dummies/. [Accessed: 08-May-2013].

[23]  P. M. Sandman, “Peter Sandman: Guestbook 2013,” The Peter Sandman Risk Communication Website, 07-May-2013. [Online]. Available: http://www.psandman.com/gst2013.htm#advisory-committees?utm_source=feedly. [Accessed: 08-May-2013].

[24]  “Prolexic Tracks More Than 47 Million DDoS Attack Bots Worldwide; Public Portal Now Available,” Dark Reading, 07-May-2013. [Online]. Available: http://www.darkreading.com/attacks-breaches/prolexic-tracks-more-than-47-million-ddo/240154325. [Accessed: 07-May-2013].

[25]  M. Mimoso, “Samsung’s Secure Version of Android Gets DoD Blessing,” Threatpost, 06-May-2013. [Online]. Available: http://threatpost.com/samsungs-secure-version-of-android-gets-dod-blessing/. [Accessed: 07-May-2013].

[26]  G. Cook, “Secrets of the Criminal Mind: Scientific American.” [Online]. Available: https://www.scientificamerican.com/article.cfm?id=secrets-criminal-mind-adrian-raine&utm_source=feedly. [Accessed: 07-May-2013].

[27]  T. Woody, “Tesla hits its first profitable quarter and sets its sights on Europe and Asia,” Quartz, 09-May-2013. [Online]. Available: http://qz.com/82886/tesla-motors-delivers-its-first-profitable-quarter-and-sets-sights-on-europe-asia/. [Accessed: 09-May-2013].

[28]  S. Musil, “U.S. says Chinese government behind cyberespionage,” CNET, 06-May-2013. [Online]. Available: http://news.cnet.com/8301-1009_3-57583158-83/u.s-says-chinese-government-behind-cyberespionage/. [Accessed: 07-May-2013].

[29]  C. Farivar, “US financial regulator: We could regulate Bitcoin ‘if we wanted’,” Ars Technica, 07-May-2013. [Online]. Available: http://arstechnica.com/business/2013/05/us-financial-regulator-we-could-regulate-bitcoin-if-we-wanted/. [Accessed: 07-May-2013].

[30]  L. Brassell-Cicchini and C. Laufer, “Worst-Case Planning: 10 Steps to Effective Crisis Response,” Risk Management, 07-May-2013. [Online]. Available: http://www.rmmagazine.com/2013/05/07/worst-case-planning-10-steps-to-effective-crisis-response/?utm_source=feedly. [Accessed: 08-May-2013].


Some Quick Thoughts on Automotive Technology

DISCLAIMER: This post is just a chance to think out loud with you all a bit.  I've pondered the matter previously for about a grand total of 5 minutes. I just read an article over on Quartz about the fact that Tesla Motors just turned its first profit.  Good for them!  As a car guy and a tree hugger1, I'm excited to see the electric car industry succeed.  Not only do electric cars produce less green house gas, but from what I understand, the torque that comes out of these electric motors is massive and instantaneous.  This bodes well for Bat Out of Hell Grade acceleration.  Few things are more satisfying than stomping the little pedal on the right and getting jammed into the back of your seat.  Also, I'm led to believe that the batteries tend to sit low in the chassis providing a ridiculously low center of gravity enabling spectacular performance in the corners.  Other than the price and current range restrictions, there's not much to dislike about an electric car.  At least from a performance perspective.

The area that makes me nervous is the increasing use of technology in vehicles.  I'm sure many of you have seen the Buick commercials with the family starting its car from the plane after it has landed.  OnStar can unlock your cars remotely.  Flow is selling us black boxes for our cars to reduce our insurance premiums.  On-board navigation is just about ubiquitous.  As the technology adopt these technologies we're making a tradeoff and I'm not sure that tradeoff is widely understood. 

Each one of those technologies I just mentioned has a software weakness.  That is an educated guess, but based on my observations of the software development process in many organizations, there will be a weakness somewhere.  Case in point is the "determined hacker" who cracked the RDS-TMC encryption algorithm with a pencil and note pad.  She gets free navigation service when she eventually buys a car.  Not a great example in terms of financial loss, but it does speak to the resistance strength of one particular technology and it makes me wonder how the other technologies compare.

Could an attacker exploit the mobile app controlling your Buick to kill your engine in the middle of the highway?  Can Flow get subpoenaed by your spouse for GPS coordinates if they suspect you are cheating?  How about your employer for that matter if they are investigating a worker's compensation claim?  Could there be cross over into physical crime that enables a mugger to lock your car doors to prevent your escape?  I don't know the answers to these questions, but their answers could have a big impact for many people given the role cars play in society.

Has anyone else thought about the issue of software weaknesses in vehicles?  Am I getting my knickers in a twist over nothing?  Is this a reasonable concern to have?  Hit me in the comments to discuss further.


1 I am an advocate of protecting nature and the environment.  I also believe that we have a symbiotic relationship with the world around us.  The more we abuse the environment, the more we abuse ourselves in the long run.