The news reporting is a little light this week, folks. Yet again, responsible adulthood gets in the way of fun and frivolity. I still have a few gems for you though. First, let's talk about the new attack on SSL/TLS. It relies on a man-in-the-middle (MITM) attack and works a lot like the BEAST exploit released earlier this year. It's tough to gather data describing the frequency of MITM attacks, but I suspect they are not as frequent as we'd suspect. The risk from this weakness is probably low if my suspicions are correct. Still, the frequency with which people are finding cracks in this security workhorse is a little unnerving. If anyone has some data on the frequency of MITM attacks, I'd love to see it as it would help determine the real risk around the issue. Share in the comments if you would be so kind.
Wendy Nather over at Dark Reading had an interesting article on a new attack technique. Given the popularity of reputation-based defense tools, it might be possible to compromise an organization just for the sake of wrecking its reputation and making it difficult to do business. I'm calling this a Denial of Reputation (DoR) attack. (Please send the royalties this way as you bandy about that phrase.) I'm not sure of the feasibility or overall utility of this attack, but I think it has hacktivism written all over it as they "protest" organizations that generate large amounts of revenue from their online presence. I'm curious to hear other thoughts on DoR attacks. Speak up in the comments.
The Risk Hose podcast had a good episode this week. I listened to it twice while I was running. They had some good discussion on accuracy vs. precision. This is more important than you think when communicating INFOSEC risk to the business. Also, they had a really good discussion about risk models. Key takeaway from that discussion is: Risk = (Irony x Alanis Morissette) + σ(Celine Dion)
Speaking of risk, we have a couple of new sources of threat event data to reference this week.
That's all I got this week, kids. See you next time.