The Week That Was - 9/10/2012

The news reporting is a little light this week, folks. Yet again, responsible adulthood gets in the way of fun and frivolity. I still have a few gems for you though. First, let's talk about the new attack on SSL/TLS. [9] It relies on a man-in-the-middle (MITM) attack and works a lot like the BEAST exploit released earlier this year. It's tough to gather data describing the frequency of MITM attacks, but I suspect they are not as frequent as we'd expect. If my suspicions are correct, the risk from this weakness is probably low. Still, the frequency with which people are finding cracks in this security workhorse is a little unnerving. If anyone has some data on the frequency of MITM attacks, I'd love to see it, as it would help determine the real risk around the issue. Share in the comments if you would be so kind.

Wendy Nather over at Dark Reading had an interesting article on a new attack technique. [12] Given the popularity of reputation-based defense tools, it might be possible to compromise an organization just for the sake of wrecking its reputation and making it difficult for it to do business. I'm calling this a Denial of Reputation (DoR) attack. (Please send the royalties this way as you bandy about that phrase.) I'm not sure of the feasibility or overall utility of this attack, but I think it has hacktivism written all over it as a way to "protest" organizations that generate large amounts of revenue from their online presence. I'm curious to hear other thoughts on DoR attacks. Speak up in the comments.

The Risk Hose podcast had a good episode this week. [4] I listened to it twice while I was running. They had some good discussion on accuracy vs. precision. This is more important than you think when communicating INFOSEC risk to the business. They also had a really good discussion about risk models. The key takeaway from that discussion is: Risk = (Irony x Alanis Morissette) + σ(Celine Dion)

Speaking of risk, we have a couple of new sources of threat event data to reference this week. [1],[7]

That's all I got this week, kids.  See you next time.


[1] “2012 Norton Cybercrime Report.” Symantec, Sep-2012.
[2] R. A. Grimes, “3 security mistakes your management is making now,” InfoWorld, 05-Sep-2012. [Online]. Available: [Accessed: 06-Sep-2012].
[3] J. Brodkin, “Court ruling that NSA spying violated 4th Amendment remains secret,” Ars Technica, 30-Aug-2012. [Online]. Available: [Accessed: 31-Aug-2012].
[4] J. Jacobs, A. Hutton, and C. Hayes, “Episode 25: Daniel’s Risk Epiphany,” The Risk Hose Podcast.
[5] L. Greenemeier, “Forget Passwords: How Playing Games Can Make Computers More Secure,” Scientific American, 04-Sep-2012. [Online]. Available: [Accessed: 04-Sep-2012].
[6] S. Nichols, “FTC sets benchmark for mobile app privacy,” 05-Sep-2012. [Online]. Available: [Accessed: 06-Sep-2012].
[7] T. Wilson, “Global Cost Of Cybercrime: $110 Billion,” Dark Reading, 06-Sep-2012. [Online]. Available: [Accessed: 06-Sep-2012].
[8] “Marketing Your Mobile App: Get It Right from the Start,” Federal Trade Commission Bureau of Consumer Protection, Sep-2012. [Online]. Available: [Accessed: 06-Sep-2012].
[9] D. Fisher, “New Attack Uses SSL/TLS Information Leak to Hijack HTTPS Sessions,” ThreatPost, 05-Sep-2012. [Online]. Available: [Accessed: 06-Sep-2012].
[10] J. Brodkin, “Police seizure of text messages violated 4th Amendment, judge rules,” Ars Technica, 05-Sep-2012. [Online]. Available: [Accessed: 06-Sep-2012].
[11] K. Jackson-Higgins, “Second Middle Eastern Utility Hit By Malware Attack,” Dark Reading, 30-Aug-2012. [Online]. Available: [Accessed: 31-Aug-2012].
[12] W. Nather, “Talking ’Bout My Reputation,” Dark Reading, 01-Sep-2012. [Online]. Available: [Accessed: 04-Sep-2012].